+In V3, the `datetimeReference` determines the timezone offset.

+ > As explained in [Running tests in an automated build workflow](luis-concept-devops-testing.md#running-tests-in-an-automated-build-workflow) you must publish the LUIS app version under test so that tools such as NLU.DevOps can access it. LUIS only supports two named publication slots, *staging* and *production* for a LUIS app, but you can also [publish a version directly](https://github.com/microsoft/botframework-cli/blob/master/packages/luis/README.md#bf-luisapplicationpublish) and query by version. Use direct version publishing in your automation workflows to avoid being limited to using the named publishing slots.

+Both V2 and V3 versions of the API are available with the container.

+| Preview - Dynamic list entities | 2 lists of \~1k per query prediction endpoint request |

+External entities are part of the V3 authoring API.

+* [Prediction score](luis-concept-prediction-score.md)

+ * General availability of our prediction endpoint V3.

+* Preview of V3 API migration guide

+> [!NOTE]

+> The trusted service feature is only available using the command line described above, and cannot be done using the Azure portal.

+- **C#**: [Package](https://www.nuget.org/packages/Azure.AI.ContentSafety) | [API reference](/dotnet/api/overview/azure/ai.contentsafety-readme) | [Samples](https://github.com/Azure-Samples/AzureAIContentSafety/tree/main/dotnet/1.0.0) | Quickstarts: [Text](./quickstart-text.md), [Image](./quickstart-image.md)

+- **Python**: [Package](https://pypi.org/project/azure-ai-contentsafety/) | [API reference](/python/api/overview/azure/ai-contentsafety-readme) | [Samples](https://github.com/Azure-Samples/AzureAIContentSafety/tree/main/python/1.0.0) | Quickstarts: [Text](./quickstart-text.md), [Image](./quickstart-image.md)

+- **Java**: [Package](https://oss.sonatype.org/#nexus-search;quick~contentsafety) | [API reference](/jav)

+description: Learn more about API version retirement in Azure OpenAI Services.

+Azure OpenAI API version [2024-02-15-preview](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+is currently the latest preview release.

+- [Assistants API](./assistants-reference.md). [**Added in 2024-02-15-preview**]

+- [DALL-E 3](./dall-e-quickstart.md). [**Added in 2023-12-01-preview**]

+To avoid service disruptions, you must update to use the latest preview version before the retirement date.

+We recommend first testing the upgrade to new API versions to confirm there's no impact to your application from the API update before making the change globally across your environment.

+If you're using the OpenAI Python client library or the REST API, you'll need to update your code directly to the latest preview API version.

+If you're using one of the Azure OpenAI SDKs for C#, Go, Java, or JavaScript you'll instead need to update to the latest version of the SDK. Each SDK release is hardcoded to work with specific versions of the Azure OpenAI API.

+- [Learn about working with Azure OpenAI models](./how-to/working-with-models.md)

+> * Automatic index refreshing is supported for Azure Blob storage only.

+> * If a document is deleted from input blob container, the corresponding chunk index records won't be removed by the scheduled refresh.

+After the data ingestion is set to a cadence other than once, Azure AI Search indexers will be created with a schedule equivalent to `0.5 * the cadence specified`. This means that at the specified cadence, the indexers will pull the documents that were added or modified from the storage container, reprocess and index them. This ensures that the updated data gets preprocessed and indexed in the final index at the desired cadence automatically. To update your data, you only need to upload the additional documents from the Azure portal. From the portal, select **Storage Account** > **Containers**. Select the name of the original container, then **Upload**. The index will pick up the files automatically after the scheduled refresh period. The intermediate assets created in the Azure AI Search resource will not be cleaned up after ingestion to allow for future runs. These assets are:

+Determining the right amount of provisioned throughput, or PTUs, you require for your workload is an essential step to optimizing performance and cost. This section describes how to use the Azure OpenAI capacity planning tool. The tool provides you with an estimate of the required PTU to meet the needs of your workload.

+To get a quick estimate for your workload, open the capacity planner in the [Azure OpenAI Studio](https://oai.azure.com). The capacity planner is under **Management** > **Quotas** > **Provisioned**.

+The **Provisioned** option and the capacity planner are only available in certain regions within the Quota pane, if you don't see this option setting the quota region to *Sweden Central* will make this option available. Enter the following parameters based on your workload.

+After you fill in the required details, select **Calculate** to view the suggested PTU for your scenario.

+Unlike Azure services where you're charged based on usage, the Azure OpenAI Provisioned Throughput feature is purchased as a renewable, monthly commitment. This commitment is charged to your subscription upon creation and at each monthly renewal. When you onboard to Provisioned Throughput, you need to create a commitment on each Azure OpenAI resource where you intend to create a provisioned deployment. The PTUs you purchase in this way are available for use when creating deployments on those resources.

+|Lifetime| Quota might be removed from your subscription if it isn't purchased via a commitment within five days of being granted|The minimum term is one month, with customer-selectable autorenewal behavior. A commitment isn't cancelable, and can't be moved to a new resource while it's active|

+|Scope |Quota is specific to a subscription and region, and is shared across all Azure OpenAI resources | Commitments are an attribute of an Azure OpenAI resource, and are scoped to deployments within that resource. A subscription might contain as many active commitments as there are resources.|

+Quota and commitments work together to govern the creation of deployments within your subscriptions. To create a provisioned deployment, two criteria must be met:

+- Quota must be available for the desired model within the desired region and subscription. This means you can't exceed your subscription/region-wide limit for the model.

+- At commitment creation. The charge is computed according to the current monthly PTU rate and the number of PTUs committed. You will receive a single up-front charge on your invoice.

+- At commitment renewal. If the renewal policy is set to autorenew, a new monthly charge is generated based on the PTUs committed in the new term. This charge appears as a single up-front charge on your invoice.

+- When new PTUs are added to an existing commitment. The charge is computed based on the number of PTUs added to the commitment, pro-rated hourly to the end of the existing commitment term. For example, if 300 PTUs are added to an existing commitment of 900 PTUs exactly halfway through its term, there is a charge at the time of the addition for the equivalent of 150 PTUs (300 PTUs pro-rated to the commitment expiration date). If the commitment is renewed, the following monthΓÇÖs charge will be for the new PTU total of 1,200 PTUs.

+As long as the number of deployed PTUs in a resource is covered by the resourceΓÇÖs commitment, then you'll only see the commitment charges. However, if the number of deployed PTUs in a resource becomes greater than the resourceΓÇÖs committed PTUs, the excess PTUs will be charged as overage at an hourly rate. Typically, the only way this overage will happen is if a commitment expires or is reduced at its renewal while the resource contains deployments. For example, if a 300 PTU commitment is allowed to expire on a resource that has 300 PTUs deployed, the deployed PTUs is no longer be covered by any commitment. Once the expiration date is reached, the subscription is charged an hourly overage fee based on the 300 excess PTUs.

+The hourly rate is higher than the monthly commitment rate and the charges exceed the monthly rate within a few days. There are two ways to end hourly overage charges:

+- Delete or scale-down deployments so that they donΓÇÖt use more PTUs than are committed.

+Prior to creating commitments, plan how the provisioned deployments will be used and which Azure OpenAI resources will host them. Commitments have a **one month minimum term and can't be decreased in size until the end of the term**. They also can't be moved to new resources once created. Finally, the sum of your committed PTUs can't be greater than your quota ΓÇô PTUs committed on a resource are no longer available to commit to on a different resource until the commitment expires. Having a clear plan on which resources will be used for provisioned deployments and the capacity you intend to apply to them (for at least a month) will help ensure an optimal experience with your provisioned throughput setup.

+- DonΓÇÖt create a commitment and deployment on a *temporary* resource for the purpose of validation. YouΓÇÖll be locked into using that resource for at least month. Instead, if the plan is to ultimately use the PTUs on a production resource, create the commitment and test deployment on that resource right from the start.

+- Calculate the number of PTUs to commit on a resource based on the number, model, and size of the deployments you intend to create, keeping in mind the minimum number of PTUs each model requires create a deployment.

+ - Example 1: GPT-4-32K requires a minimum of 200 PTUs to deploy. If you create a commitment of only 100 PTUs on a resource, you wonΓÇÖt have enough committed PTUs to deploy GPT-4-32K there

+ - Example 2: If you need to create multiple deployments on a resource, sum the PTUs required for each deployment. A production resource hosting deployments for 300 PTUs of GPT-4, and 500 PTUs of GPT-4-32K will require a commitment of at least 800 PTUs to cover both deployments.

+- Distribute or consolidate PTUs as needed. For example, total quota of 1000 PTUs can be distributed across resources as needed to support your deployments. It could be committed on a single resource to support one or more deployments adding up to 1000 PTUs, or distributed across multiple resources (for example, a dev and a prod resource) as long as the total number of committed PTUs is less than or equal to the quota of 1000.

+- Consider operational requirements in your plan. For example:

+### Managing Provisioned Throughput Commitments

+Provisioned throughput commitments are created and managed from the **Manage Commitments** view in Azure OpenAI Studio. You can navigate to this view by selecting **Manage Commitments** from the Quota pane:

+From the Manage Commitments view, you can do several things:

+- Purchase new commitments or edit existing commitments.

+- Monitor all commitments in your subscription.

+- Identify and take action on commitments that might cause unexpected billing.

+The sections below will take you through these tasks.

+### Purchase a Provisioned Throughput Commitment

+With your commitment plan ready, the next step is to create the commitments. Commitments are created manually via Azure OpenAI Studio and require the user creating the commitment to have either the [Contributor or Cognitive Services Contributor role](./role-based-access-control.md) at the subscription level.

+1. Launch the Provisioned Throughput purchase dialog by selecting **Quotas** > **Provisioned** > **Manage Commitments**.

+2. Select **Purchase commitment**.

+3. Select the Azure OpenAI resource and purchase the commitment. You will see your resources divided into resources with existing commitments, which you can edit and resources that don't currently have a commitment.

+| **Select a resource** | Choose the resource where you'll create the provisioned deployment. Once you have purchased the commitment, you will be unable to use the PTUs on another resource until the current commitment expires. |

+| **Select a commitment type** | Select Provisioned. (Provisioned is equivalent to Provisioned Managed) |

+| **Current uncommitted provisioned quota** | The number of PTUs currently available for you to commit to this resource. |

+| **Amount to commit (PTU)** | Choose the number of PTUs you're committing to. **This number can be increased during the commitment term, but can't be decreased**. Enter values in increments of 50 for the commitment type Provisioned. |

+| **Renewal settings** | Auto-renew at current PTUs <br> Auto-renew at lower PTUs <br> Do not auto-renew |

+4. Select Purchase. A confirmation dialog will be displayed. After you confirm, your PTUs will be committed, and you can use them to create a provisioned deployment. |

+> [!IMPORTANT]

+> A new commitment is billed up-front for the entire term. If the renewal settings are set to auto-renew, then you will be billed again on each renewal date based on the renewal settings.

+## Edit an existing Provisioned Throughput commitment

+From the Manage Commitments view, you can also edit an existing commitment. There are two types of changes you can make to an existing commitment:

+- You can add PTUs to the commitment.

+- You can change the renewal settings.

+To edit a commitment, select the current to edit, then select Edit commitment.

+Adding PTUs to an existing commitment will allow you to create larger or more numerous deployments within the resource. You can do this at any time during the term of your commitment.

+> [!IMPORTANT]

+> When you add PTUs to a commitment, they will be billed immediately, at a pro-rated amount from the current date to the end of the existing commitment term. Adding PTUs does not reset the commitment term.

+### Changing renewal settings

+Commitment renewal settings can be changed at any time before the expiration date of your commitment. Reasons you might want to change the renewal settings include ending your use of provisioned throughput by setting the commitment to not auto-renew, or to decrease usage of provisioned throughput by lowering the number of PTUs that will be committed in the next period.

+> [!IMPORTANT]

+> If you allow a commitment to expire or decrease in size such that the deployments under the resource require more PTUs than you have in your resource commitment, you will receive hourly overage charges for any excess PTUs. For example, a resource that has deployments that total 500 PTUs and a commitment for 300 PTUs will generate hourly overage charges for 200 PTUs.

+## Monitor commitments and prevent unexpected billings

+The manage commitments pane provides a subscription wide overview of all resources with commitments and PTU usage within a given Azure Subscription. Of particular importance interest are:

+- **PTUs Committed, Deployed and Usage** ΓÇô These figures provide the sizes of your commitments, and how much is in use by deployments. Maximize your investment by using all of your committed PTUs.

+- **Expiration policy and date** - The expiration date and policy tell you when a commitment will expire and what will happen when it does. A commitment set to auto-renew will generate a billing event on the renewal date. For commitments that are expiring, be sure you delete deployments from these resources prior to the expiration date to prevent hourly overage billingThe current renewal settings for a commitment.

+- **Notifications** - Alerts regarding important conditions like unused commitments, and configurations that might result in billing overages. Billing overages can be caused by situations such as when a commitment has expired and deployments are still present, but have shifted to hourly billing.

+## Common Commitment Management Scenarios

+To end use of provisioned throughput, and prevent hourly overage charges after commitment expiration, stop any charges after the current commitments are expired, two steps must be taken:

+It isn't possible in Azure OpenAI Studio to directly *move* a deployment or a commitment to a new resource. Instead, a new deployment needs to be created on the target resource and traffic moved to it. There will need to be a commitment purchased established on the new resource to accomplish this. Because commitments are charged up-front for a 30-day period, it's necessary to time this move with the expiration of the original commitment to minimize overlap with the new commitment and ΓÇ£double-billingΓÇ¥ during the overlap.

+There are two approaches that can be taken to implement this transition.

+|Before expiration of the existing commitment, delete its deployment | Downtime will start at this point and will last until the new deployment is created and traffic is moved. You'll minimize the duration by timing the deletion to happen as close to the expiration date/time as possible.|

+This option has no downtime by having both existing and new deployments live at the same time. This requires having quota available to create the new deployment, and will generate extra costs for the duration of the overlapped deployments.

+Both paying for an overage and resetting the original commitment will generate charges beyond the original expiration date. Paying overage charges might be cheaper than a new one-month commitment if you only need a day or two to complete the move. Compare the costs of both options to find the lowest-cost approach.

+In Azure OpenAI Studio, select **Quota** > **Provisioned** > **Manage commitments** and select a resource with an existing commitment to view/change it.

+The private endpoint resource is provisioned in a Microsoft managed tenant, while the linked resource is in your tenant. You can't access the private endpoint resource by just clicking the **private endpoint** link (in blue font) in the **Private access** tab of the **Networking page**. Instead, click elsewhere on the row, then the **Approve**` button above should be clickable.

+> [!NOTE]

+> The trusted service feature is only available using the command line described above, and cannot be done using the Azure portal.

+Azure OpenAI provides two methods for authentication. You can use either API Keys or Microsoft Entra ID.

+| ```deployment-id``` | string | Required | The deployment name you chose when you deployed the model.|

+| ```api-version``` | string | Required |The API version to use for this operation. This follows the YYYY-MM-DD format.|

+- `2023-03-15-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-12-15-preview/inference.json)

+| ```temperature``` | number | Optional | 1 | What sampling temperature to use, between 0 and 2. Higher values mean the model takes more risks. Try 0.9 for more creative applications, and 0 (`argmax sampling`) for ones with a well-defined answer. We generally recommend altering this or top_p but not both. |

+| ```logprobs``` | integer | Optional | null | Include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API will return a list of the 10 most likely tokens. The API will always return the logprob of the sampled token, so there might be up to logprobs+1 elements in the response. This parameter cannot be used with `gpt-35-turbo`. |

+- `2023-03-15-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+| ```input```| string or array | Yes | N/A | Input text to get embeddings for, encoded as an array or string. The number of input tokens varies depending on what [model you're using](./concepts/models.md). Only `text-embedding-ada-002 (Version 2)` supports array input.|

+- `2023-03-15-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-03-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+| `content` | string or array | Yes | N/A | The content of the message. It must be a string, unless in a Vision-enabled scenario. If it's part of the `user` message, using the GPT-4 Turbo with Vision model, with the latest API version, then `content` must be an array of structures, where each item represents either text or an image: <ul><li> `text`: input text is represented as a structure with the following properties: </li> <ul> <li> `type` = "text" </li> <li> `text` = the input text </li> </ul> <li> `images`: an input image is represented as a structure with the following properties: </li><ul> <li> `type` = "image_url" </li> <li> `image_url` = a structure with the following properties: </li> <ul> <li> `url` = the image URL </li> <li>(optional) `detail` = `high`, `low`, or `auto` </li> </ul> </ul> </ul>|

+|```function_call```| | Optional | | `[Deprecated in 2023-12-01-preview replacement parameter is tools_choice]`Controls how the model responds to function calls. "none" means the model doesn't call a function, and responds to the end-user. `auto` means the model can pick between an end-user or calling a function. Specifying a particular function via {"name": "my_function"} forces the model to call that function. "none" is the default when no functions are present. `auto` is the default if functions are present. This parameter requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json) |

+|```tool_choice```| string or object | Optional | none is the default when no functions are present. `auto` is the default if functions are present. | Controls which (if any) function is called by the model. None means the model won't call a function and instead generates a message. `auto` means the model can pick between generating a message or calling a function. Specifying a particular function via {"type: "function", "function": {"name": "my_function"}} forces the model to call that function. This parameter requires API version [`2023-12-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json) or later.|

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2023-06-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-07-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/inference.json)

+- `2023-08-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-08-01-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2023-09-01-preview` (retiring February, 4, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+- `2024-02-15-preview`[Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2024-02-15-preview/inference.json)

+Learn about [Models, and fine-tuning with the REST API](/rest/api/azureopenai/fine-tuning).

+Azure AI services provides information and guidelines on how to responsibly use artificial intelligence in applications. Below are the links to articles that provide this guidance for the different services within the Azure AI services suite.

+## Vision

+- [Azure AI Vision - Image Analysis](/legal/cognitive-services/computer-vision/imageanalysis-transparency-note?context=/azure/ai-services/computer-vision/context/context)

+- [Azure AI Vision - OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note?context=/azure/ai-services/computer-vision/context/context)

+- [Azure AI Vision - Face](/legal/cognitive-services/face/transparency-note?context=/azure/ai-services/computer-vision/context/context)

+- [Azure AI Vision - Spatial Analysis](/legal/cognitive-services/computer-vision/transparency-note-spatial-analysis?context=/azure/ai-services/computer-vision/context/context)

+- [Azure Custom Vision](/legal/cognitive-services/custom-vision/custom-vision-cvs-transparency-note?context=/azure/ai-services/custom-vision-service/context/context)

+- [Azure Video Indexer](/legal/azure-video-indexer/transparency-note?context=%2Fazure%2Fazure-video-indexer%2Fcontext%2Fcontext)

+## Language

+- [Azure AI Language](/legal/cognitive-services/language-service/transparency-note?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Custom text classification](/legal/cognitive-services/language-service/ctc-transparency-note?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Named entity recognition](/legal/cognitive-services/language-service/transparency-note-named-entity-recognition?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Custom named entity recognition](/legal/cognitive-services/language-service/cner-transparency-note?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Entity linking](/legal/cognitive-services/language-service/guidance-integration-responsible-use?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Language detection](/legal/cognitive-services/language-service/transparency-note-language-detection?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Key phrase extraction](/legal/cognitive-services/language-service/transparency-note-key-phrase-extraction?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Personally identifiable information detection](/legal/cognitive-services/language-service/transparency-note-personally-identifiable-information?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Question Answering](/legal/cognitive-services/language-service/transparency-note-question-answering?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Sentiment Analysis and opinion mining](/legal/cognitive-services/language-service/transparency-note-sentiment-analysis?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Text Analytics for health](/legal/cognitive-services/language-service/transparency-note-health?context=/azure/ai-services/language-service/context/context)

+- [Azure AI Language - Summarization](/legal/cognitive-services/language-service/transparency-note-extractive-summarization?context=/azure/ai-services/language-service/context/context)

+- [Language Understanding](/legal/cognitive-services/luis/luis-transparency-note?context=/azure/ai-services/LUIS/context/context)

+## Speech

+- [Azure AI Speech - Pronunciation Assessment](/legal/cognitive-services/speech-service/pronunciation-assessment/transparency-note-pronunciation-assessment?context=/azure/ai-services/speech-service/context/context)

+- [Azure AI Speech - Speaker Recognition](/legal/cognitive-services/speech-service/speaker-recognition/transparency-note-speaker-recognition?context=/azure/ai-services/speech-service/context/context)

+- [Azure AI Speech - Text to speech](/legal/cognitive-services/speech-service/custom-neural-voice/transparency-note-custom-neural-voice?context=/azure/ai-services/speech-service/context/context)

+- [Azure AI Speech - Speech to text](/legal/cognitive-services/speech-service/speech-to-text/transparency-note?context=/azure/ai-services/speech-service/context/context)

+## Search

+- [Azure AI Search](/legal/search/transparency-note?context=%2Fazure%2Fsearch%2Fcontext%2Fcontext&tabs=enrichment)

+## Other

+- [Azure OpenAI](/legal/cognitive-services/openai/transparency-note?context=/azure/ai-services/openai/context/context)

+- [Azure AI Content Safety](/legal/cognitive-services/content-safety/transparency-note?context=%2Fazure%2Fai-services%2Fcontent-safety%2Fcontext%2Fcontext)

+- [Azure AI Document Intelligence](/legal/cognitive-services/document-intelligence/transparency-note?toc=%2Fazure%2Fai-services%2Fdocument-intelligence%2Ftoc.json&bc=%2Fazure%2Fai-services%2Fdocument-intelligence%2Fbreadcrumb%2Ftoc.json)

+- [Anomaly Detector](/legal/cognitive-services/anomaly-detector/ad-transparency-note?context=/azure/ai-services/anomaly-detector/context/context)

+- [Personalizer](./personalizer/responsible-use-cases.md)

+- [QnA Maker](/legal/cognitive-services/qnamaker/transparency-note-qnamaker?context=/azure/ai-services/qnamaker/context/context)

+Create a file named `nfs-sc.yaml` and copy the manifest below. For a list of supported `mountOptions`, see [NFS mount options][nfs-file-share-mount-options].

+> [!NOTE]

+> `vers`, `minorversion`, `sec` are configured by the Azure File CSI driver. Specifying a value in your manifest for these properties aren't supported.

+[nfs-file-share-mount-options]: ../storage/files/storage-files-how-to-mount-nfs-shares.md#mount-options

+> Starting in AKS v1.27, you can create a dual-stack LoadBalancer service which will be provisioned with 1 IPv4 public IP and 1 IPv6 public IP. However, in older versions, only the first IP address for a service will be provisioned to the load balancer, so a dual-stack service only receives a public IP for its first-listed IP family. To provide a dual-stack service for a single deployment, please create two services targeting the same selector, one for IPv4 and one for IPv6.

+This article demonstrates how to:

+- Run your Java, Java EE, or Jakarta EE on Oracle WebLogic Server (WLS).

+- Stand up a WLS cluster using the Azure Marketplace offer.

+- Build the application Docker image to serve as auxiliary image to provide WebLogic Deploy Tooling (WDT) models and applications.

+- Deploy the containerized application to the existing WLS cluster on AKS with connection to Microsoft Azure SQL.

+This article uses the Azure Marketplace offer for WLS to accelerate your journey to AKS. The offer automatically provisions several Azure resources, including the following resources:

+- An Azure Container Registry instance

+- An AKS cluster

+- An Azure App Gateway Ingress Controller (AGIC) instance

+- The WebLogic Operator

+- A container image including the WebLogic runtime

+- A WLS cluster without an application

+Then, this article introduces building an auxiliary image step by step to update an existing WLS cluster. The auxiliary image provides application and WDT models.

+For full automation, you can select your application and configure datasource connection from Azure portal before the offer deployment. To see the offer, visit the [Azure portal](https://aka.ms/wlsaks).

+- Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux).

+ - [Azure CLI](/cli/azure). Use `az --version` to test whether az works. This document was tested with version 2.55.1.

+ - [Docker](https://docs.docker.com/get-docker). This document was tested with Docker version 20.10.7. Use `docker info` to test whether Docker Daemon is running.

+ - [kubectl](https://kubernetes-io-vnext-staging.netlify.com/docs/tasks/tools/install-kubectl/). Use `kubectl version` to test whether kubectl works. This document was tested with version v1.21.2.

+ - A Java JDK compatible with the version of WLS you intend to run. The article directs you to install a version of WLS that uses JDK 11. Azure recommends [Microsoft Build of OpenJDK](/java/openjdk/download). Ensure that your `JAVA_HOME` environment variable is set correctly in the shells in which you run the commands.

+ - [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

+ - Ensure that you have the zip/unzip utility installed. Use `zip/unzip -v` to test whether `zip/unzip` works.

+- All of the steps in this article, except for those involving Docker, can also be executed in the Azure Cloud Shell. To learn more about Azure Cloud Shell, see [What is Azure Cloud Shell?](/azure/cloud-shell/overview)

+1. In the search bar at the top of the Azure portal, enter *weblogic*. In the auto-suggested search results, in the **Marketplace** section, select **WebLogic Server on AKS**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/marketplace-search-results.png" alt-text="Screenshot of the Azure portal that shows WLS in the search results." lightbox="media/howto-deploy-java-wls-app/marketplace-search-results.png":::

+ You can also go directly to the [WebLogic Server on AKS](https://aka.ms/wlsaks) offer.

+1. On the **Basics** pane, ensure the value shown in the **Subscription** field is the same one that you logged into in Azure. Make sure you have the roles listed in the prerequisites section.

+ :::image type="content" source="media/howto-deploy-java-wls-app/portal-start-experience.png" alt-text="Screenshot of the Azure portal that shows WebLogic Server on AKS." lightbox="media/howto-deploy-java-wls-app/portal-start-experience.png":::

+1. You must deploy the offer in an empty resource group. In the **Resource group** field, select **Create new** and then fill in a value for the resource group. Because resource groups must be unique within a subscription, pick a unique name. An easy way to have unique names is to use a combination of your initials, today's date, and some identifier - for example, `ejb0723wls`.

+1. Select **Next**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/configure-single-sign-on.png" alt-text="Screenshot of the Azure portal that shows the configured SSO pane." lightbox="media/howto-deploy-java-wls-app/configure-single-sign-on.png":::

+1. Follow the steps in the info box starting with **Before moving forward, you must accept the Oracle Standard Terms and Restrictions.**

+1. Depending on whether or not the Oracle SSO account has an Oracle support entitlement, select the appropriate option for **Select the type of WebLogic Server Images.**. If the account has a support entitlement, select **Patched WebLogic Server Images**. Otherwise, select **General WebLogic Server Images**.

+1. Leave the value in **Select desired combination of WebLogic Server...** at its default value. You have a broad range of choices for WLS, JDK, and OS version.

+1. In the **Application** section, next to **Deploy an application?**, select **No**.

+The following steps make it so the WLS admin console and the sample app are exposed to the public Internet with a built-in Application Gateway ingress add-on. For a more information, see [What is Application Gateway Ingress Controller?](/azure/application-gateway/ingress-controller-overview)

+1. Select **Next** to see the **TLS/SSL** pane.

+1. Select **Next** to see the **Load balancing** pane.

+1. Next to **Load Balancing Options**, select **Application Gateway Ingress Controller**.

+1. Under the **Application Gateway Ingress Controller**, you should see all fields prepopulated with the defaults for **Virtual network** and **Subnet**. Leave the default values.

+1. For **Create ingress for Administration Console**, select **Yes**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/configure-appgateway-ingress-admin-console.png" alt-text="Screenshot of the Azure portal that shows the Application Gateway Ingress Controller configuration on the Create Oracle WebLogic Server on Azure Kubernetes Service page." lightbox="media/howto-deploy-java-wls-app/configure-appgateway-ingress-admin-console.png":::

+1. Leave the default values for other fields.

+1. Select **Review + create**. Ensure the validation doesn't fail. If it fails, fix any validation problems, then select **Review + create** again.

+Depending on network conditions and other activity in your selected region, the deployment might take up to 50 minutes to complete.

+You can perform the steps in the section [Create an Azure SQL Database](#create-an-azure-sql-database) while you wait. Return to this section when you finish creating the database.

+Use the steps in this section to verify that the deployment was successful.

+If you navigated away from the **Deployment is in progress** page, the following steps show you how to get back to that page. If you're still on the page that shows **Your deployment is complete**, you can skip to step 5 after the next screenshot.

+1. In the corner of any Azure portal page, select the hamburger menu and select **Resource groups**.

+1. In the navigation pane, in the **Settings** section, select **Deployments**. You see an ordered list of the deployments to this resource group, with the most recent one first.

+ :::image type="content" source="media/howto-deploy-java-wls-app/resource-group-deployments.png" alt-text="Screenshot of the Azure portal that shows the resource group deployments list." lightbox="media/howto-deploy-java-wls-app/resource-group-deployments.png":::

+1. In the navigation pane, select **Outputs**. This list shows the output values from the deployment. Useful information is included in the outputs.

+1. The **clusterExternalUrl** value is the fully qualified, public Internet visible link to the sample app deployed in WLS on this AKS cluster. Select the copy icon next to the field value to copy the link to your clipboard. Save this value aside for later.

+1. The **shellCmdtoOutputWlsImageModelYaml** value is the base64 string of WDT model that built in the container image. Save this value aside for later.

+1. The **shellCmdtoOutputWlsImageProperties** value is base64 string of WDT model properties that built in the container image. Save this value aside for later.

+1. The **shellCmdtoConnectAks** value is the Azure CLI command to connect to this specific AKS cluster. This lets you use `kubectl` to administer the cluster.

+## Create an Azure SQL Database

+2. Create a schema for the sample application. Follow [Query the database](/azure/azure-sql/database/single-database-create-quickstart#query-the-database) to open the **Query editor** pane. Enter and run the following query:

+ ```sql

+ CREATE TABLE COFFEE (ID NUMERIC(19) NOT NULL, NAME VARCHAR(255) NULL, PRICE FLOAT(32) NULL, PRIMARY KEY (ID));

+ CREATE TABLE SEQUENCE (SEQ_NAME VARCHAR(50) NOT NULL, SEQ_COUNT NUMERIC(28) NULL, PRIMARY KEY (SEQ_NAME));

+ ```

+ After a successful run, you should see the message **Query succeeded: Affected rows: 0**. If you don't see this message, troubleshoot and resolve the problem before proceeding.

+The database, tables, AKS cluster, and WLS cluster are created. If you want, you can explore the admin console by opening a browser and navigating to the address of **adminConsoleExternalUrl**. Sign in with the values you entered during the WLS on AKS deployment.

+You can proceed to preparing AKS to host your WebLogic application.

+## Configure and deploy the sample application

+The offer provisions the WLS cluster via [model in image](https://oracle.github.io/weblogic-kubernetes-operator/samples/domains/model-in-image/). Currently, the WLS cluster has no application deployed.

+This section updates the WLS cluster by deploying a sample application using [auxiliary image](https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/model-in-image/auxiliary-images/#using-docker-to-create-an-auxiliary-image).

+### Check out the application

+In this section, you clone the sample code for this guide. The sample is on GitHub in the [weblogic-on-azure](https://github.com/microsoft/weblogic-on-azure) repository in the *javaee/weblogic-cafe/* folder. Here's the file structure of the application.

+```text

+weblogic-cafe

+Γö£ΓöÇΓöÇ pom.xml

+ΓööΓöÇΓöÇ src

+ ΓööΓöÇΓöÇ main

+ Γö£ΓöÇΓöÇ java

+ │   └── cafe

+ │   ├── model

+ │   │   ├── CafeRepository.java

+ │   │   └── entity

+ │   │   └── Coffee.java

+ │   └── web

+ │   ├── rest

+ │   │   └── CafeResource.java

+ │   └── view

+ │   └── Cafe.java

+ Γö£ΓöÇΓöÇ resources

+ │   ├── META-INF

+ │   │   └── persistence.xml

+ │   └── cafe

+ │   └── web

+ │   ├── messages.properties

+ │   └── messages_es.properties

+ ΓööΓöÇΓöÇ webapp

+ Γö£ΓöÇΓöÇ WEB-INF

+ │   ├── beans.xml

+ │   ├── faces-config.xml

+ │   └── web.xml

+ Γö£ΓöÇΓöÇ index.xhtml

+ ΓööΓöÇΓöÇ resources

+ ΓööΓöÇΓöÇ components

+ ΓööΓöÇΓöÇ inputPrice.xhtml

+```

+Use the following commands to clone the repository:

+```bash

+cd <parent-directory-to-check-out-sample-code>

+export BASE_DIR=$PWD

+git clone --single-branch https://github.com/microsoft/weblogic-on-azure.git --branch 20240201 $BASE_DIR/weblogic-on-azure

+```

+If you see a message about being in "detached HEAD" state, this message is safe to ignore. It just means you checked out a tag.

+Use the following command to build *javaee/weblogic-cafe/*:

+```bash

+mvn clean package --file $BASE_DIR/weblogic-on-azure/javaee/weblogic-cafe/pom.xml

+```

+The package should be successfully generated and located at *$BASE_DIR/weblogic-on-azure/javaee/weblogic-cafe/target/weblogic-cafe.war*. If you don't see the package, you must troubleshoot and resolve the issue before you continue.

+### Use Docker to create an auxiliary image

+The steps in this section show you how to build an auxiliary image. This image includes the following components:

+- The *Model in Image* model files

+- Your application

+- The JDBC driver archive file

+- The WebLogic Deploy Tooling installation

+An *auxiliary image* is a Docker container image containing your app and configuration. The WebLogic Kubernetes Operator combines your auxiliary image with the `domain.spec.image` in the AKS cluster that contains the WebLogic Server, JDK, and operating system. For more information about auxiliary images, see [Auxiliary images](https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/model-in-image/auxiliary-images/) in the Oracle documentation.

+This section requires a Linux terminal with Azure CLI and kubectl installed.

+Use the following steps to build the image:

+1. Use the following commands to create a directory to stage the models and application:

+ ```bash

+ mkdir -p ${BASE_DIR}/mystaging/models

+ cd ${BASE_DIR}/mystaging/models

+ ```

+1. Copy the **shellCmdtoOutputWlsImageModelYaml** value that you saved from the deployment outputs, paste it into the Bash window, and run the command. The command should look similar to the following example:

+ ```bash

+ echo -e IyBDb3B5cmlna...Cgo= | base64 -d > model.yaml

+ ```

+ This command produces a *${BASE_DIR}/mystaging/models/model.yaml* file with contents similar to the following example:

+ ```yaml

+ # Copyright (c) 2020, 2021, Oracle and/or its affiliates.

+ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

+ # Based on ./kubernetes/samples/scripts/create-weblogic-domain/model-in-image/model-images/model-in-image__WLS-v1/model.10.yaml

+ # in https://github.com/oracle/weblogic-kubernetes-operator.

+ domainInfo:

+ AdminUserName: "@@SECRET:__weblogic-credentials__:username@@"

+ AdminPassword: "@@SECRET:__weblogic-credentials__:password@@"

+ ServerStartMode: "prod"

+ topology:

+ Name: "@@ENV:CUSTOM_DOMAIN_NAME@@"

+ ProductionModeEnabled: true

+ AdminServerName: "admin-server"

+ Cluster:

+ "cluster-1":

+ DynamicServers:

+ ServerTemplate: "cluster-1-template"

+ ServerNamePrefix: "@@ENV:MANAGED_SERVER_PREFIX@@"

+ DynamicClusterSize: "@@PROP:CLUSTER_SIZE@@"

+ MaxDynamicClusterSize: "@@PROP:CLUSTER_SIZE@@"

+ MinDynamicClusterSize: "0"

+ CalculatedListenPorts: false

+ Server:

+ "admin-server":

+ ListenPort: 7001

+ ServerTemplate:

+ "cluster-1-template":

+ Cluster: "cluster-1"

+ ListenPort: 8001

+ SecurityConfiguration:

+ NodeManagerUsername: "@@SECRET:__weblogic-credentials__:username@@"

+ NodeManagerPasswordEncrypted: "@@SECRET:__weblogic-credentials__:password@@"

+ resources:

+ SelfTuning:

+ MinThreadsConstraint:

+ SampleMinThreads:

+ Target: "cluster-1"

+ Count: 1

+ MaxThreadsConstraint:

+ SampleMaxThreads:

+ Target: "cluster-1"

+ Count: 10

+ Work

+ SampleWM:

+ Target: "cluster-1"

+ MinThreadsConstraint: "SampleMinThreads"

+ MaxThreadsConstraint: "SampleMaxThreads"

+ ```

+1. In a similar way, copy the **shellCmdtoOutputWlsImageProperties** value, paste it into the Bash window, and run the command. The command should look similar to the following example:

+ ```bash

+ echo -e IyBDb3B5cml...pFPTUK | base64 -d > model.properties

+ ```

+ This command produces a *${BASE_DIR}/mystaging/models/model.properties* file with contents similar to the following example:

+ ```properties

+ # Copyright (c) 2021, Oracle Corporation and/or its affiliates.

+ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

+ # Based on ./kubernetes/samples/scripts/create-weblogic-domain/model-in-image/model-images/model-in-image__WLS-v1/model.10.properties

+ # in https://github.com/oracle/weblogic-kubernetes-operator.

+ CLUSTER_SIZE=5

+ ```

+1. Use the following steps to create the application model file.

+ 1. Use the following commands to copy *weblogic-cafe.war* and save it to *wlsdeploy/applications*:

+ ```bash

+ mkdir -p ${BASE_DIR}/mystaging/models/wlsdeploy/applications

+ cp $BASE_DIR/weblogic-on-azure/javaee/weblogic-cafe/target/weblogic-cafe.war ${BASE_DIR}/mystaging/models/wlsdeploy/applications/weblogic-cafe.war

+ ```

+ 1. Use the following commands to create the application model file with the contents shown. Save the model file to *${BASE_DIR}/mystaging/models/appmodel.yaml*.

+ ```bash

+ cat <<EOF >appmodel.yaml

+ appDeployments:

+ Application:

+ weblogic-cafe:

+ SourcePath: 'wlsdeploy/applications/weblogic-cafe.war'

+ ModuleType: ear

+ Target: 'cluster-1'

+ EOF

+ ```

+1. Use the following commands to download and install Microsoft SQL Server JDBC driver to *wlsdeploy/externalJDBCLibraries*:

+ ```bash

+ export DRIVER_VERSION="10.2.1.jre8"

+ export MSSQL_DRIVER_URL="https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/${DRIVER_VERSION}/mssql-jdbc-${DRIVER_VERSION}.jar"

+ mkdir ${BASE_DIR}/mystaging/models/wlsdeploy/externalJDBCLibraries

+ curl -m 120 -fL ${MSSQL_DRIVER_URL} -o ${BASE_DIR}/mystaging/models/wlsdeploy/externalJDBCLibraries/mssql-jdbc-${DRIVER_VERSION}.jar

+ ```

+1. Next, use the following commands to create the database connection model file with the contents shown. Save the model file to *${BASE_DIR}/mystaging/models/dbmodel.yaml*. The model uses placeholders (secret `sqlserver-secret`) for database username, password, and URL. Make sure the following fields are set correctly. The following model names the resource with `jdbc/WebLogicCafeDB`.

+ | Item Name | Field | Value |

+ |-|-||

+ | JNDI name | `resources.JDBCSystemResource.<resource-name>.JdbcResource.JDBCDataSourceParams.JNDIName` | `jdbc/WebLogicCafeDB` |

+ | Driver name | `resources.JDBCSystemResource.<resource-name>.JDBCDriverParams.DriverName` | `com.microsoft.sqlserver.jdbc.SQLServerDriver` |

+ | Database Url | `resources.JDBCSystemResource.<resource-name>.JDBCDriverParams.URL` | `@@SECRET:sqlserver-secret:url@@` |

+ | Database password | `resources.JDBCSystemResource.<resource-name>.JDBCDriverParams.PasswordEncrypted` | `@@SECRET:sqlserver-secret:password@@` |

+ | Database username | `resources.JDBCSystemResource.<resource-name>.JDBCDriverParams.Properties.user.Value` | `'@@SECRET:sqlserver-secret:user@@'` |

+ ```bash

+ cat <<EOF >dbmodel.yaml

+ resources:

+ JDBCSystemResource:

+ jdbc/WebLogicCafeDB:

+ Target: 'cluster-1'

+ JdbcResource:

+ JDBCDataSourceParams:

+ JNDIName: [

+ jdbc/WebLogicCafeDB

+ ]

+ GlobalTransactionsProtocol: None

+ JDBCDriverParams:

+ DriverName: com.microsoft.sqlserver.jdbc.SQLServerDriver

+ URL: '@@SECRET:sqlserver-secret:url@@'

+ PasswordEncrypted: '@@SECRET:sqlserver-secret:password@@'

+ Properties:

+ user:

+ Value: '@@SECRET:sqlserver-secret:user@@'

+ JDBCConnectionPoolParams:

+ TestTableName: SQL SELECT 1

+ TestConnectionsOnReserve: true

+ EOF

+ ```

+1. Use the following commands to create an application archive file and then remove the *wlsdeploy* folder, which you don't need anymore:

+ ```bash

+ cd ${BASE_DIR}/mystaging/models

+ zip -r archive.zip wlsdeploy

+ rm -f -r wlsdeploy

+ ```

+1. Use the following commands to download and install [WebLogic Deploy Tooling](https://oracle.github.io/weblogic-deploy-tooling/) (WDT) in the staging directory and remove its *weblogic-deploy/bin/\*.cmd* files, which aren't used in UNIX environments:

+ ```bash

+ cd ${BASE_DIR}/mystaging

+ curl -m 120 -fL https://github.com/oracle/weblogic-deploy-tooling/releases/latest/download/weblogic-deploy.zip -o weblogic-deploy.zip

+ unzip weblogic-deploy.zip -d .

+ rm ./weblogic-deploy/bin/*.cmd

+ ```

+1. Use the following command to remove the WDT installer:

+ ```bash

+ rm weblogic-deploy.zip

+ ```

+1. Use the following commands to build an auxiliary image using docker:

+ ```bash

+ cd ${BASE_DIR}/mystaging

+ cat <<EOF >Dockerfile

+ FROM busybox

+ ARG AUXILIARY_IMAGE_PATH=/auxiliary

+ ARG USER=oracle

+ ARG USERID=1000

+ ARG GROUP=root

+ ENV AUXILIARY_IMAGE_PATH=\${AUXILIARY_IMAGE_PATH}

+ RUN adduser -D -u \${USERID} -G \$GROUP \$USER

+ # ARG expansion in COPY command's --chown is available in docker version 19.03.1+.

+ # For older docker versions, change the Dockerfile to use separate COPY and 'RUN chown' commands.

+ COPY --chown=\$USER:\$GROUP ./ \${AUXILIARY_IMAGE_PATH}/

+ USER \$USER

+ EOF

+ ```

+1. Run the `docker buildx build` command using *${BASE_DIR}/mystaging/Dockerfile*, as shown in the following example:

+ ```bash

+ cd ${BASE_DIR}/mystaging

+ docker buildx build --platform linux/amd64 --build-arg AUXILIARY_IMAGE_PATH=/auxiliary --tag model-in-image:WLS-v1 .

+ ```

+ When you build the image successfully, the output looks similar to the following example:

+ ```output

+ [+] Building 12.0s (8/8) FINISHED docker:default

+ => [internal] load build definition from Dockerfile 0.8s

+ => => transferring dockerfile: 473B 0.0s

+ => [internal] load .dockerignore 1.1s

+ => => transferring context: 2B 0.0s

+ => [internal] load metadata for docker.io/library/busybox:latest 5.0s

+ => [1/3] FROM docker.io/library/busybox@sha256:6d9ac9237a84afe1516540f40a0f 0.0s

+ => [internal] load build context 0.3s

+ => => transferring context: 21.89kB 0.0s

+ => CACHED [2/3] RUN adduser -D -u 1000 -G root oracle 0.0s

+ => [3/3] COPY --chown=oracle:root ./ /auxiliary/ 1.5s

+ => exporting to image 1.3s

+ => => exporting layers 1.0s

+ => => writing image sha256:2477d502a19dcc0e841630ea567f50d7084782499fe3032a 0.1s

+ => => naming to docker.io/library/model-in-image:WLS-v1 0.2s

+ ```

+1. If you have successfully created the image, then it should now be in your local machineΓÇÖs Docker repository. You can verify the image creation by using the following command:

+ ```text

+ docker images model-in-image:WLS-v1

+ ```

+ This command should produce output similar to the following example:

+ ```output

+ REPOSITORY TAG IMAGE ID CREATED SIZE

+ model-in-image WLS-v1 76abc1afdcc6 2 hours ago 8.61MB

+ ```

+ After the image is created, it should have the WDT executables in */auxiliary/weblogic-deploy*, and WDT model, property, and archive files in */auxiliary/models*. Use the following command on the Docker image to verify this result:

+ ```bash

+ docker run -it --rm model-in-image:WLS-v1 find /auxiliary -maxdepth 2 -type f -print

+ ```

+ This command should produce output similar to the following example:

+ ```output

+ /auxiliary/models/dbmodel.yaml

+ /auxiliary/models/archive.zip

+ /auxiliary/models/model.properties

+ /auxiliary/models/model.yaml

+ /auxiliary/weblogic-deploy/VERSION.txt

+ /auxiliary/weblogic-deploy/LICENSE.txt

+ /auxiliary/Dockerfile

+ ```

+1. Use the following steps to push the auxiliary image to Azure Container Registry:

+ 1. Open the Azure portal and go to the resource group that you provisioned in the [Deploy WSL on AKS](#deploy-wls-on-aks) section.

+ 1. Select the resource of type **Container registry** from the resource list.

+ 1. Hover the mouse over the value next to **Login server** and select the copy icon next to the text.

+ 1. Save the value in the `ACR_LOGIN_SERVER` environment variable by using the following command:

+ ```bash

+ export ACR_LOGIN_SERVER=<value-from-clipboard>

+ ```

+ 1. Run the following commands to tag and push the image. Make sure Docker is running before executing these commands.

+ ```bash

+ export ACR_NAME=$(echo ${ACR_LOGIN_SERVER} | cut -d '.' -f 1)

+ az acr login -n $ACR_NAME

+ docker tag model-in-image:WLS-v1 $ACR_LOGIN_SERVER/wlsaks-auxiliary-image:1.0

+ docker push $ACR_LOGIN_SERVER/wlsaks-auxiliary-image:1.0

+ ```

+ 1. You can run `az acr repository show` to test whether the image is pushed to the remote repository successfully, as shown in the following example:

+ ```bash

+ az acr repository show --name ${ACR_NAME} --image wlsaks-auxiliary-image:1.0

+ ```

+ This command should produce output similar to the following example:

+ ```output

+ {

+ "changeableAttributes": {

+ "deleteEnabled": true,

+ "listEnabled": true,

+ "readEnabled": true,

+ "writeEnabled": true

+ },

+ "createdTime": "2024-01-24T06:14:19.4546321Z",

+ "digest": "sha256:a1befbefd0181a06c6fe00848e76f1743c1fecba2b42a975e9504ba2aaae51ea",

+ "lastUpdateTime": "2024-01-24T06:14:19.4546321Z",

+ "name": "1.0",

+ "quarantineState": "Passed",

+ "signed": false

+ }

+ ```

+### Apply the auxiliary image

+In the previous steps, you created the auxiliary image including models and WDT. Before you apply the auxiliary image to the WLS cluster, use the following steps to create the secret for the datasource URL, username, and password. The secret is used as part of the placeholder in the *dbmodel.yaml*.

+1. Connect to the AKS cluster by copying the **shellCmdtoConnectAks** value that you saved aside previously, pasting it into the Bash window, then running the command. The command should look similar to the following example:

+ ```bash

+ az account set --subscription <subscription>;

+ az aks get-credentials \

+ --resource-group <resource-group> \

+ --name <name>

+ ```

+ You should see output similar to the following example. If you don't see this output, troubleshoot and resolve the problem before continuing.

+ ```output

+ Merged "<name>" as current context in /Users/<username>/.kube/config

+ ```

+1. Use the following steps to get values for the variables shown in the following table. You use these values later to create the secret for the datasource connection.

+ | Variable | Description | Example |

+ ||--|--|

+ | `DB_CONNECTION_STRING` | The connection string of SQL server. | `jdbc:sqlserver://sqlserverforwlsaks.database.windows.net:1433;database=wlsaksquickstart0125` |

+ | `DB_USER` | The username to sign in to the SQL server. | `welogic@sqlserverforwlsaks` |

+ | `DB_PASSWORD` | The password to sign in to the sQL server. | `Secret123456` |

+ 1. Visit the SQL database resource in the Azure portal.

+ 1. In the navigation pane, under **Settings**, select **Connection strings**.

+ 1. Select the **JDBC** tab.

+ 1. Select the copy icon to copy the connection string to the clipboard.

+ 1. For `DB_CONNECTION_STRING`, use the entire connection string, but replace the placeholder `{your_password_here}` with your database password.

+ 1. For `DB_USER`, use the portion of the connection string from `azureuser` up to but not including `;password={your_password_here}`.

+ 1. For `DB_PASSWORD`, use the value you entered when you created the database.

+1. Use the following commands to create the [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/). This article uses the secret name `sqlserver-secret` for the secret of the datasource connection. If you use a different name, make sure the value is the same as the one in *dbmodel.yaml*.

+ In the following commands, be sure to set the variables `DB_CONNECTION_STRING`, `DB_USER`, and `DB_PASSWORD` correctly by replacing the placeholder examples with the values described in the previous steps. Be sure to enclose the value of the `DB_` variables in single quotes to prevent the shell from interfering with the values.

+ ```bash

+ export DB_CONNECTION_STRING='<example-jdbc:sqlserver://sqlserverforwlsaks.database.windows.net:1433;database=wlsaksquickstart0125>'

+ export DB_USER='<example-welogic@sqlserverforwlsaks>'

+ export DB_PASSWORD='<example-Secret123456>'

+ export WLS_DOMAIN_NS=sample-domain1-ns

+ export WLS_DOMAIN_UID=sample-domain1

+ export SECRET_NAME=sqlserver-secret

+ kubectl -n ${WLS_DOMAIN_NS} create secret generic \

+ ${SECRET_NAME} \

+ --from-literal=password='${DB_PASSWORD}' \

+ --from-literal=url='${DB_CONNECTION_STRING}' \

+ --from-literal=user='${DB_USER}'

+ kubectl -n ${WLS_DOMAIN_NS} label secret \

+ ${SECRET_NAME} \

+ weblogic.domainUID=${WLS_DOMAIN_UID}

+ ```

+ You must see the following output before you continue. If you don't see this output, troubleshoot and resolve the problem before you continue.

+ ```output

+ secret/sqlserver-secret created

+ secret/sqlserver-secret labeled

+ ```

+1. Apply the auxiliary image by patching the domain custom resource definition (CRD) using the `kubectl patch` command.

+ The auxiliary image is defined in `spec.configuration.model.auxiliaryImages`, as shown in the following example. For more information, see [auxiliary images](https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/model-in-image/auxiliary-images/).

+ ```yaml

+ spec:

+ clusters:

+ - name: sample-domain1-cluster-1

+ configuration:

+ model:

+ auxiliaryImages:

+ - image: wlsaksacrafvzeyyswhxek.azurecr.io/wlsaks-auxiliary-image:1.0

+ imagePullPolicy: IfNotPresent

+ sourceModelHome: /auxiliary/models

+ sourceWDTInstallHome: /auxiliary/weblogic-deploy

+ ```

+ Use the following commands to increase the `restartVersion` value and use `kubectl patch` to apply the auxiliary image to the domain CRD using the definition shown:

+ ```bash

+ export VERSION=$(kubectl -n ${WLS_DOMAIN_NS} get domain ${WLS_DOMAIN_UID} -o=jsonpath='{.spec.restartVersion}' | tr -d "\"")

+ export VERSION=$((VERSION+1))

+ cat <<EOF >patch-file.json

+ [

+ {

+ "op": "replace",

+ "path": "/spec/restartVersion",

+ "value": "${VERSION}"

+ },

+ {

+ "op": "add",

+ "path": "/spec/configuration/model/auxiliaryImages",

+ "value": [{"image": "$ACR_LOGIN_SERVER/wlsaks-auxiliary-image:1.0", "imagePullPolicy": "IfNotPresent", "sourceModelHome": "/auxiliary/models", "sourceWDTInstallHome": "/auxiliary/weblogic-deploy"}]

+ },

+ {

+ "op": "add",

+ "path": "/spec/configuration/secrets",

+ "value": ["${SECRET_NAME}"]

+ }

+ ]

+ EOF

+ kubectl -n ${WLS_DOMAIN_NS} patch domain ${WLS_DOMAIN_UID} \

+ --type=json \

+ --patch-file patch-file.json

+ kubectl get pod -n ${WLS_DOMAIN_NS} -w

+ ```

+1. Wait until the admin server and managed servers show the values in the following output block before you proceed:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ sample-domain1-admin-server 1/1 Running 0 20m

+ sample-domain1-managed-server1 1/1 Running 0 19m

+ sample-domain1-managed-server2 1/1 Running 0 18m

+ ```

+ It might take 5-10 minutes for the system to reach this state. The following list provides an overview of what's happening while you wait:

+ - You should see the `sample-domain1-introspector` running first. This software looks for changes to the domain custom resource so it can take the necessary actions on the Kubernetes cluster.

+ - When changes are detected, the domain introspector kills and starts new pods to roll out the changes.

+ - Next, you should see the `sample-domain1-admin-server` pod terminate and restart.

+ - Then, you should see the two managed servers terminate and restart.

+ - Only when all three pods show the `1/1 Running` state, is it ok to proceed.

+Use the following steps to verify the functionality of the deployment by viewing the WLS admin console and the sample app:

+1. Paste the **adminConsoleExternalUrl** value into the address bar of an Internet-connected web browser. You should see the familiar WLS admin console login screen.

+1. Sign in with the username `weblogic` and the password you entered when deploying WLS from the Azure portal. Recall that this value is `wlsAksCluster2022`.

+1. In the **Domain Structure** box, select **Deployments**.

+1. In the **Deployments** table, there should be one row. The name should be the same value as the `Application` value in your *appmodel.yaml* file. Select the name.

+1. In the **Settings** panel, select the **Testing** tab.

+1. Select **weblogic-cafe**.

+1. In the **Settings for weblogic-cafe** panel, select the **Testing** tab.

+1. Expand the **+** icon next to **weblogic-cafe**. Your screen should look similar to the following example. In particular, you should see values similar to `http://sample-domain1-managed-server1:8001/weblogic-cafe/index.xhtml` in the **Test Point** column.

+ :::image type="content" source="media/howto-deploy-java-wls-app/weblogic-cafe-deployment.png" alt-text="Screenshot of weblogic-cafe test points." border="false":::

+ > The hyperlinks in the **Test Point** column are not selectable because we did notconfigure the admin console with the external URL on which it is running. This article shows the WLS admin console merely by way of demonstration. Don't use the WLS admin console for any durable configuration changes when running WLS on AKS. The cloud-native design of WLS on AKS requires that any durable configuration must be represented in the initial docker images or applied to the running AKS cluster using CI/CD techniques such as updating the model, as described in the [Oracle documentation](https://aka.ms/wls-aks-docs-update-model).

+1. Understand the `context-path` value of the sample app you deployed. If you deployed the recommended sample app, the `context-path` is `weblogic-cafe`.

+1. Construct a fully qualified URL for the sample app by appending the `context-path` to the **clusterExternalUrl** value. If you deployed the recommended sample app, the fully qualified URL should be something like `http://wlsgw202401-wls-aks-domain1.eastus.cloudapp.azure.com/weblogic-cafe/`.

+1. Paste the fully qualified URL in an Internet-connected web browser. If you deployed the recommended sample app, you should see results similar to the following screenshot:

+ :::image type="content" source="media/howto-deploy-java-wls-app/weblogic-cafe-app.png" alt-text="Screenshot of test web app." border="false":::

+To avoid Azure charges, you should clean up unnecessary resources. When you no longer need the cluster, use the [az group delete](/cli/azure/group#az-group-delete) command. The following command removes the resource group, container service, container registry, and all related resources:

+az group delete --name <db-resource-group-name> --yes --no-wait

+> [!div class="nextstepaction"]

+> [Migrate WebLogic Server applications to Azure Kubernetes Service](/azure/developer/java/migration/migrate-weblogic-to-azure-kubernetes-service)

+## Associate capacity reservation groups to node pools

+## Prerequisites to use capacity reservation groups with AKS

+- Use CLI version 2.56 or above and API version 2023-10-01 or higher.

+- The capacity reservation group should already exist and should contain minimum one capacity reservation, otherwise the node pool is added to the cluster with a warning and no capacity reservation group gets associated. For more information, see [capacity reservation groups][capacity-reservation-groups].

+- You need to create a user-assigned managed identity for the resource group that contains the capacity reservation group (CRG). System-assigned managed identities won't work for this feature. In the following example, replace the environment variables with your own values.

+ IDENTITY_NAME=myID

+ RG_NAME=myResourceGroup

+ CLUSTER_NAME=myAKSCluster

+ VM_SKU=Standard_D4s_v3

+ NODE_COUNT=2

+ LOCATION=westus2

+ az identity create --name $IDENTITY_NAME --resource-group $RG_NAME

+ IDENTITY_ID=$(az identity show --name $IDENTITY_NAME --resource-group $RG_NAME --query identity.id -o tsv)

+- You need to assign the `Contributor` role to the user-assigned identity created above. For more details, see [Steps to assign an Azure role](/azure/role-based-access-control/role-assignments-steps#privileged-administrator-roles).

+- Create a new cluster and assign the newly created identity.

+ az aks create --resource-group $RG_NAME --name $CLUSTER_NAME --location $LOCATION \

+ --node-vm-size $VM_SKU --node-count $NODE_COUNT \

+ --assign-identity $IDENTITY_ID --enable-managed-identity

+- You can also assign the user-managed identity on an existing managed cluster with update command.

+ ```azurecli-interactive

+ az aks update --resource-group $RG_NAME --name $CLUSTER_NAME --location $LOCATION \

+ --node-vm-size $VM_SKU --node-count $NODE_COUNT \

+ --assign-identity $IDENTITY_ID --enable-managed-identity

+ ```

+### Associate an existing capacity reservation group with a node pool

+Associate an existing capacity reservation group with a node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command and specify a capacity reservation group with the `--crg-id` flag. The following example assumes you have a CRG named "myCRG".

+```azurecli-interactive

+RG_NAME=myResourceGroup

+CLUSTER_NAME=myAKSCluster

+NODEPOOL_NAME=myNodepool

+CRG_NAME=myCRG

+CRG_ID=$(az capacity reservation group show --capacity-reservation-group $CRG_NAME --resource-group $RG_NAME --query id -o tsv)

+az aks nodepool add --resource-group $RG_NAME --cluster-name $CLUSTER_NAME --name $NODEPOOL_NAME --crg-id $CRG_ID

+```

+### Associate an existing capacity reservation group with a system node pool

+To associate an existing capacity reservation group with a system node pool, associate the cluster with the user-assigned identity with the Contributor role on your CRG and the CRG itself during cluster creation. Use the [`az aks create`][az-aks-create] command with the `--assign-identity` and `--crg-id` flags.

+```azurecli-interactive

+IDENTITY_NAME=myID

+RG_NAME=myResourceGroup

+CLUSTER_NAME=myAKSCluster

+NODEPOOL_NAME=myNodepool

+CRG_NAME=myCRG

+CRG_ID=$(az capacity reservation group show --capacity-reservation-group $CRG_NAME --resource-group $RG_NAME --query id -o tsv)

+IDENTITY_ID=$(az identity show --name $IDENTITY_NAME --resource-group $RG_NAME --query identity.id -o tsv)

+az aks create --resource-group $RG_NAME --cluster-name $CLUSTER_NAME --crg-id $CRG_ID --assign-identity $IDENTITY_ID --enable-managed-identity

+```

+> Deleting a node pool implicitly dissociates that node pool from any associated capacity reservation group before the node pool is deleted. Deleting a cluster implicitly dissociates all node pools in that cluster from their associated capacity reservation groups.

+> You cannot update an existing node pool with a capacity reservation group. The recommended approach is to associate a capacity reservation group during the node pool creation.

+| **networkobservability_forward_count** | Total forwarded packet count | Direction, NodeName, Cluster | Yes | Yes |

+| **networkobservability_forward_bytes** | Total forwarded byte count | Direction, NodeName, Cluster | Yes | Yes |

+| **networkobservability_drop_count** | Total dropped packet count | Reason, Direction, NodeName, Cluster | Yes | Yes |

+| **networkobservability_drop_bytes** | Total dropped byte count | Reason, Direction, NodeName, Cluster | Yes | Yes |

+| **networkobservability_tcp_state** | TCP active socket count by TCP state. | State, NodeName, Cluster | Yes | Yes |

+| **networkobservability_tcp_connection_remote** | TCP active socket count by remote address. | Address, Port, NodeName, Cluster | Yes | No |

+| **networkobservability_tcp_connection_stats** | TCP connection statistics. (ex: Delayed ACKs, TCPKeepAlive, TCPSackFailures) | Statistic, NodeName, Cluster | Yes | Yes |

+| **networkobservability_tcp_flag_counters** | TCP packets count by flag. | Flag, NodeName, Cluster | Yes | Yes |

+| **networkobservability_ip_connection_stats** | IP connection statistics. | Statistic, NodeName, Cluster | Yes | No |

+| **networkobservability_udp_connection_stats** | UDP connection statistics. | Statistic, NodeName, Cluster | Yes | No |

+| **networkobservability_udp_active_sockets** | UDP active socket count | NodeName, Cluster | Yes | No |

+| **networkobservability_interface_stats** | Interface statistics. | InterfaceName, Statistic, NodeName, Cluster | Yes | Yes |

+ protocol: 'http'

+ "protocol": "http",

+> [!NOTE]

+> After you upload a private certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a *webspace*. That way, the certificate is accessible to other apps in the same resource group and region combination. Private certificates uploaded or imported to App Service are shared with App Services in the same deployment unit.

+> [!NOTE]

+> After you upload a public certificate to an app, it is only accessible by the app it is uploaded to. Public certificates must be uploaded to each individual web app that needs access. For App Service Environment specific scenarios, refer to [the documentation for certificates and the App Service Environment](../app-service/environment/overview-certificates.md)

+>

+> You can upload up to 1000 public certificates per App Service Plan.

+description: This article provides an overview of the access restriction features in App Service.

+App access allows you to configure if access is available through the default (public) endpoint. You configure this behavior to either be `Disabled` or `Enabled`. When access is enabled, you can add [Site access](#site-access) restriction rules to control access from select virtual networks and IP addresses.

+If the setting isn't set (the property is `null`), the default behavior is to enable access unless a private endpoint exists which changes the behavior to disable access. In Azure portal, when the property isn't set, the radio button is also not set and you're then using default behavior.

+In the Azure Resource Manager API, the property controlling app access is called `publicNetworkAccess`. For internal load balancer (ILB) App Service Environment, the default entry point for apps is always internal to the virtual network. Enabling app access (`publicNetworkAccess`) doesn't grant direct public access to the apps; instead, it allows access from the default entry point, which corresponds to the internal IP address of the App Service Environment. If you disable app access on an ILB App Service Environment, you can only access the apps through private endpoints added to the individual apps.

+* **X-Forwarded-For**. [Standard header](https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Forwarded-For) for identifying the originating IP address of a client connecting through a proxy server. Accepts valid IP addresses.

+Get started with [Azure App Service](overview.md) by deploying an app to the cloud using an Azure Resource Manager template (ARM template) and [Azure CLI](/cli/azure/get-started-with-azure-cli) in Cloud Shell. A Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. You incur no costs to complete this quickstart because you use a free App Service tier.

+To complete this quickstart, you'll need an Azure account with an active subscription. If you don't have an Azure account, you can [create one for free](https://azure.microsoft.com/free/).

+## Skip to the end

+If you're familiar with using ARM templates, you can skip to the end by selecting this [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.web%2Fapp-service-docs-windows%2Fazuredeploy.json) button. This button opens the ARM template in the Azure portal.

+In the Azure portal, select **Create new** to create a new Resource Group and then select the **Review + create** button to deploy the app.

+Get started with [Azure App Service](overview.md) by deploying an app to the cloud using an Azure Resource Manager template (ARM template) and [Azure CLI](/cli/azure/get-started-with-azure-cli) in Cloud Shell. A Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. You incur no costs to complete this quickstart because you use a free App Service tier.

+To complete this quickstart, you'll need an Azure account with an active subscription. If you don't have an Azure account, you can [create one for free](https://azure.microsoft.com/free/).

+## Skip to the end

+If you're familiar with using ARM templates, you can skip to the end by selecting this [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.web%2Fapp-service-docs-linux%2Fazuredeploy.json) button. This button opens the ARM template in the Azure portal.

+In the Azure portal, select **Create new** to create a new Resource Group and then select the **Review + create** button to deploy the app.

+Get started with [Azure App Service](overview.md) by deploying an app to the cloud using an Azure Resource Manager template (ARM template) and [Azure CLI](/cli/azure/get-started-with-azure-cli) in Cloud Shell. A Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. A premium plan is needed to deploy a Windows container app. See the [App Service pricing page](https://azure.microsoft.com/pricing/details/app-service/windows/#pricing) for pricing details.

+## Skip to the end

+If you're familiar with using ARM templates, you can skip to the end by selecting this [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.web%2Fapp-service-docs-windows-container%2Fazuredeploy.json) button. This button opens the ARM template in the Azure portal.

+In the Azure portal, select **Create new** to create a new Resource Group and then select the **Review + create** button to deploy the app.

+This template contains several parameters that are predefined for your convenience. See the table for parameter defaults and their descriptions:

+| webAppName | string | `webApp-<uniqueString>` | App name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| appServicePlanName | string | `webAppPlan-<uniqueString>` | App Service Plan name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| location | string | `[resourceGroup().location]` | [App region](../azure-resource-manager/templates/template-functions-resource.md#resourcegroup) |

+| sku | string | `F1` | Instance size (F1 = Free Tier) |

+| language | string | `.NET` | Programming language stack (.NET, php, node, html) |

+| helloWorld | boolean | `False` | True = Deploy "Hello World" app |

+| repoUrl | string | ` ` | External Git repo (optional) |

+This template contains several parameters that are predefined for your convenience. See the table for parameter defaults and their descriptions:

+| webAppName | string | `webApp-<uniqueString>` | App name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| appServicePlanName | string | `webAppPlan-<uniqueString>` | App Service Plan name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| location | string | `[resourceGroup().location]` | [App region](../azure-resource-manager/templates/template-functions-resource.md#resourcegroup)

+| sku | string | `F1` | Instance size (F1 = Free Tier) |

+| linuxFxVersion | string | `DOTNETCORE|3.0` | "Programming language stack &#124; Version" |

+| repoUrl | string | ` ` | External Git repo (optional) |

+This template contains several parameters that are predefined for your convenience. See the table for parameter defaults and their descriptions:

+| webAppName | string | `webApp-<uniqueString>` | App name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| appServicePlanName | string | `webAppPlan-<uniqueString>` | App Service Plan name based on a [unique string value](../azure-resource-manager/templates/template-functions-string.md#uniquestring) |

+| location | string | `[resourceGroup().location]`| [App region](../azure-resource-manager/templates/template-functions-resource.md#resourcegroup) |

+| skuTier | string | `P1v3` | Instance size ([View available SKUs](configure-custom-container.md?tabs=debian&pivots=container-windows#customize-container-memory)) |

+| appSettings | string | `[{"name": "PORT","value": "8080"}]`| App Service listening port. Needs to be 8080. |

+| kind | string | `windows` | Operating System |

+| hyperv | string | `true` | Isolation mode |

+| windowsFxVersion | string | `DOCKER|mcr.microsoft.com/dotnet/samples:aspnetapp` | Container image |

+Run the following commands to deploy a .NET framework app on Windows.

+az group create --name myResourceGroup --location "southcentralus"

+--parameters language=".NET" helloWorld="true" webAppName="<app-name>" \

+Run the following commands to create a Python app on Linux:

+az group create --name myResourceGroup --location "southcentralus"

+To deploy a different language stack, update `linuxFxVersion` with appropriate values. Samples are shown in the table. To show current versions, run the following command in the Cloud Shell: `az webapp config show --resource-group myResourceGroup --name <app-name> --query linuxFxVersion`

+Run the following commands to deploy a [.NET app](https://mcr.microsoft.com/product/dotnet/samples/tags) on a Windows container.

+az group create --name myResourceGroup --location "southcentralus"

+> [!Note]

+> If you have to move a **Private Endpoint** to another subscription, you must first delete the existing **Private Endpoint** connection between the **Private Link** and **Private Endpoint**. Once this is completed, you have to re-create a new **Private Endpoint** connection in the new subscription to establish connection between **Private Link** and **Private Endpoint**.

+## February 12, 2024

+**Image tag**:`v1.27.0_2023-02-13`

+For complete release version information, review [Version log](version-log.md#february-12-2024).

+## February 12, 2024

+|Component|Value|

+|--|--|

+|Container images tag |`v1.27.0_2023-02-13`|

+|**CRD names and version:**| |

+|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5|

+|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2|

+|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4|

+|`monitors.arcdata.microsoft.com`| v1beta1, v1, v3|

+|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6|

+|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v13|

+|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2|

+|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1|

+|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|Azure Resource Manager (ARM) API version|2023-11-01-preview|

+|`arcdata` Azure CLI extension version|1.6.0 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.27.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))|

+|SQL Database version | 957 |

+Arc resource bridge can be manually upgraded from the management machine. You must meet all upgrade prerequisites before attempting to upgrade. The management machine must have the kubeconfig and [appliance configuration files](system-requirements.md#configuration-files) stored locally or you will not be able to run the upgrade.

+## Version 1.38 - February 2024

+Download for [Windows](https://download.microsoft.com/download/e/#installing-a-specific-version-of-the-agent)

+### New features

+- AlmaLinux 9 is now a [supported operating system](prerequisites.md#supported-operating-systems)

+### Fixed

+- The hybrid instance metadata service (HIMDS) now listens on the IPv6 local loopback address (::1)

+- Improved logging in the extension manager and policy engine

+- Improved reliability when fetching the latest operating system metadata

+- Reduced extension manager CPU usage

+- Removed the log zipping feature introduced in version 1.37 for extension manager and machine configuration agent logs. Log files are still rotated automatically.

+- Removed the scheduled tasks for automatic agent upgrades (introduced in agent version 1.30). We'll reintroduce this functionality when the automatic upgrade mechanism is available.

+- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the SQL Server enabled by Azure Arc endpoints. This enables you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for SQL Server enabled by Azure Arc.

+- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase helps improve reliability of extension install, upgrade, and uninstall operations.

+- Improved handling of upgrades when the previously installed extension version wasn't in a successful state.

+- New system metadata is collected to enhance your device inventory in Azure:

+ - More processor information

+* AlmaLinux 9

+ containerName = "TelemetryInfo",

+ connection = "CosmosDBConnectionSetting")

+[v1]: /rest/api/maps/data?view=rest-maps-1.0&preserve-view=true

+[Search]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Features API]: /rest/api/maps-creator/features?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Routeset]: /rest/api/maps-creator/routeset/create?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Wayfinding service]: /rest/api/maps-creator/wayfinding?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Search]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[v1]: /rest/api/maps/data?view=rest-maps-1.0&preserve-view=true

+[dataset]: /rest/api/maps-creator/dataset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Creator - map configuration Rest API]: /rest/api/maps-creator/map-configuration?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[routeset]: /rest/api/maps-creator/routeset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Style - Create]: /rest/api/maps-creator/style/create?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[style]: /rest/api/maps-creator/style?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[tileset]: /rest/api/maps-creator/tileset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[wayfinding path]: /rest/api/maps-creator/wayfinding/get-path?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[wayfinding service]: /rest/api/maps-creator/wayfinding?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[wayfinding]: /rest/api/maps-creator/wayfinding?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[layer definition]: /rest/api/maps-creator/features/get-collection-definition?view=rest-maps-creator-2023-03-01-preview&preserve-view=true?tabs=HTTP

+[Search Inside Geometry]: /rest/api/maps/search/postsearchinsidegeometry?view=rest-maps-1.0&preserve-view=true

+[Search service]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Azure Maps Search service]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Get Search Address]: /rest/api/maps/search/get-search-address?view=rest-maps-1.0&preserve-view=true

+[Search - Get Search Address]: /rest/api/maps/search/get-search-address?view=rest-maps-1.0&preserve-view=true

+[tileset get]: /rest/api/maps-creator/tileset/get?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[tileset]: /rest/api/maps-creator/tileset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[routeset]: /rest/api/maps-creator/routeset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[wayfinding API]: /rest/api/maps-creator/wayfinding?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Dataset Create API]: /rest/api/maps-creator/dataset/create?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Azure Maps Search service]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Entity Types]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true#entitytype

+[Fuzzy Search URI Parameters]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true#uri-parameters

+[Fuzzy Search]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[Get Search Address]: /rest/api/maps/search/getsearchaddress?view=rest-maps-1.0&preserve-view=true

+[point of interest result]: /rest/api/maps/search/getsearchpoi?view=rest-maps-1.0&preserve-view=true#searchpoiresponse

+[Post Search Address Reverse Batch]: /rest/api/maps/search/postsearchaddressreversebatch?view=rest-maps-1.0&preserve-view=true

+[Reverse Address Search Results]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true#searchaddressreverseresult

+[Reverse Address Search]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[Reverse Search Parameters]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true#uri-parameters

+[Road Use Types]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true#uri-parameters

+[Search Address Reverse Cross Street]: /rest/api/maps/search/getsearchaddressreversecrossstreet?view=rest-maps-1.0&preserve-view=true

+[Search Address]: /rest/api/maps/search/getsearchaddress?view=rest-maps-1.0&preserve-view=true

+[Search Polygon API]: /rest/api/maps/search/getsearchpolygon?view=rest-maps-1.0&preserve-view=true

+[Search]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[URI Parameter reference]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true#uri-parameters

+[Point of Interest]: /rest/api/maps/search/getsearchpoi?view=rest-maps-1.0&preserve-view=true

+> [Search service API documentation](/rest/api/maps/search?view=rest-maps-1.0&preserve-view=true)

+[Search service]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Search Fuzzy]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true

+[Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[POI category search]: /rest/api/maps/search/getsearchpoicategory?view=rest-maps-1.0&preserve-view=true

+[Search Nearby]: /rest/api/maps/search/getsearchnearby?view=rest-maps-1.0&preserve-view=true

+[Get Search Address]: /rest/api/maps/search/getsearchaddress?view=rest-maps-1.0&preserve-view=true

+[Search Address]: /rest/api/maps/search/getsearchaddress?view=rest-maps-1.0&preserve-view=true

+[Search Polygon service]: /rest/api/maps/search/getsearchpolygon?view=rest-maps-1.0&preserve-view=true

+[Search POIs inside the geometry]: /rest/api/maps/search/postsearchinsidegeometry?view=rest-maps-1.0&preserve-view=true

+[map configuration API]: /rest/api/maps-creator/map-configuration?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Style Rest API]: /rest/api/maps-creator/style?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Reverse Address Search API]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse API]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+> [Azure Maps Fuzzy Search API](/rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true)

+[Fuzzy search API]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true

+[Get Search Fuzzy rest API]: /rest/api/maps/search/getsearchfuzzy?view=rest-maps-1.0&preserve-view=true

+[fuzzy search]: /rest/api/maps/search/get-search-fuzzy?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse Cross Street]: /rest/api/maps/search/get-search-address-reverse-cross-street?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse]: /rest/api/maps/search/get-search-address-reverse?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Structured]: /rest/api/maps/search/get-search-address-structured?view=rest-maps-1.0&preserve-view=true

+[Get Search Address]: /rest/api/maps/search/get-search-address?view=rest-maps-1.0&preserve-view=true

+[Get Search Fuzzy]: /rest/api/maps/search/get-search-fuzzy?view=rest-maps-1.0&preserve-view=true

+[Get Search POI Category]: /rest/api/maps/search/get-search-poi-category?view=rest-maps-1.0&preserve-view=true

+[Get Search POI]: /rest/api/maps/search/get-search-poi?view=rest-maps-1.0&preserve-view=true

+[Get Search Polygon]: /rest/api/maps/search/get-search-polygon?view=rest-maps-1.0&preserve-view=true

+[nearby search]: /rest/api/maps/search/getsearchnearby?view=rest-maps-1.0&preserve-view=true

+[Post Search Address Batch]: /rest/api/maps/search/post-search-address-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Address Reverse Batch]: /rest/api/maps/search/post-search-address-reverse-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Along Route]: /rest/api/maps/search/post-search-along-route?view=rest-maps-1.0&preserve-view=true

+[Post Search Fuzzy Batch]: /rest/api/maps/search/post-search-fuzzy-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Inside Geometry]: /rest/api/maps/search/post-search-inside-geometry?view=rest-maps-1.0&preserve-view=true

+[Search within geometry]: /rest/api/maps/search/post-search-inside-geometry?view=rest-maps-1.0&preserve-view=true

+[Search]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse Cross Street]: /rest/api/maps/search/get-search-address-reverse-cross-street?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse]: /rest/api/maps/search/get-search-address-reverse?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Structured]: /rest/api/maps/search/get-search-address-structured?view=rest-maps-1.0&preserve-view=true

+[Get Search Address]: /rest/api/maps/search/get-search-address?view=rest-maps-1.0&preserve-view=true

+[Get Search Fuzzy]: /rest/api/maps/search/get-search-fuzzy?view=rest-maps-1.0&preserve-view=true

+[Get Search Nearby]: /rest/api/maps/search/get-search-nearby?view=rest-maps-1.0&preserve-view=true

+[Get Search POI Category]: /rest/api/maps/search/get-search-poi-category?view=rest-maps-1.0&preserve-view=true

+[Get Search POI]: /rest/api/maps/search/get-search-poi?view=rest-maps-1.0&preserve-view=true

+[Post Search Address Batch]: /rest/api/maps/search/post-search-address-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Address Reverse Batch]: /rest/api/maps/search/post-search-address-reverse-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Along Route]: /rest/api/maps/search/post-search-along-route?view=rest-maps-1.0&preserve-view=true

+[Post Search Fuzzy Batch]: /rest/api/maps/search/post-search-fuzzy-batch?view=rest-maps-1.0&preserve-view=true

+[Post Search Inside Geometry]: /rest/api/maps/search/post-search-inside-geometry?view=rest-maps-1.0&preserve-view=true

+[Search]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[geocoding services]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[category search]: /rest/api/maps/search/getsearchpoicategory?view=rest-maps-1.0&preserve-view=true

+[Search service]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[Tileset service]: /rest/api/maps-creator/tileset?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[tileset get]: /rest/api/maps-creator/tileset/get?view=rest-maps-creator-2023-03-01-preview&preserve-view=true

+[Post Search Inside Geometry API]: /rest/api/maps/search/postsearchinsidegeometry?view=rest-maps-1.0&preserve-view=true

+[Post Search Inside Geometry]: /rest/api/maps/search/postsearchinsidegeometry?view=rest-maps-1.0&preserve-view=true

+[Get Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse?view=rest-maps-1.0&preserve-view=true

+[Fuzzy Search service]: /rest/api/maps/search/get-search-fuzzy?view=rest-maps-1.0&preserve-view=true

+[Search API]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+[v1]: /rest/api/maps/data?view=rest-maps-1.0&preserve-view=true

+[Search v1]: /rest/api/maps/search?view=rest-maps-1.0&preserve-view=true

+ Title: Monitor the health of log search alert rules

+description: This article how to monitor the health of a log search alert rule.

+#Customer-intent: As a alerts administrator, I want to know when there are issues with an alert rule, so I can act to resolve the issue or know when to contact Microsoft for support.

+# Monitor the health of log search alert rules

+[Azure Service Health](../../service-health/overview.md) monitors the health of your cloud resources, including log search alert rules. When a log search alert rule is healthy, the rule runs and the query executes successfully. This article explains how to view the health status of your log search alert rule, and tells you what to do if there are issues affecting your log search alert rules.

+Azure Service Health monitors:

+- [Resource health](../../service-health/resource-health-overview.md): information about the health of your individual cloud resources, such as a specific log search alert rule.

+- [Service health](../../service-health/service-health-overview.md): information about the health of the Azure services and regions you're using, which might affect your log search alert rule, including communications about outages, planned maintenance activities, and other health advisories.

+## Permissions required

+- To view the health of a log search alert rule, you need `read` permissions to the log search alert rule.

+- To set up health status alerts, you need `write` permissions to the log search alert rule, as provided by the [Monitoring Contributor built-in role](../roles-permissions-security.md#monitoring-contributor), for example.

+## View health and set up health status alerts for log search alert rules

+To view the health of your log search alert rule and set up health status alerts:

+1. In the [portal](https://portal.azure.com/), select **Monitor**, then **Alerts**.

+1. From the top command bar, select **Alert rules**. The page shows all your alert rules on all subscriptions.

+1. Select the log search alert rule that you want to monitor.

+1. From the left pane, under **Help**, select **Resource health**.

+

+ :::image type="content" source="media/log-search-alert-health/log-search-alert-resource-health.png" alt-text="Screenshot of the Resource health section in a log search alert rule.":::

+1. The **Resource health** screen shows:

+ - **Health history**: Indicates whether Azure Service Health detected query execution issues in the specific log search alert rule. Select the health event to view details about the event.

+ - **Azure service issues**: Displayed when a known issue with an Azure service might affect execution of the log search alert query. Select the message to view details about the service issue in Azure Service Health.

+ > [!NOTE]

+ > - Service health notifications do not indicate that your log search alert rule is necessarily affected by the known service issue. If your log search alert rule health status is **Available**, Azure Service Health did not detect issues in your alert rule.

+

+ :::image type="content" source="media/log-search-alert-health/log-search-alert-resource-health-page.png" alt-text="Screenshot of the Resource health page for a log search alert rule.":::

+This table describes the possible resource health status values for a log search alert rule:

+| Resource health status | Description |Recommended steps|

+|||

+|Available|There are no known issues affecting this log search alert rule.| |

+|Unknown|This log search alert rule is currently disabled or in an unknown state.|[Log alert was disabled](alerts-troubleshoot-log.md#log-alert-was-disabled).|

+|Unknown reason|This log search alert rule is currently unavailable due to an unknown reason.|Check if the alert rule was recently created. Health status is updated after the rule completes its first evaluation.|

+|Degraded due to unknown reason|This log search alert rule is currently degraded due to an unknown reason.| |

+|Setting up resource health|Setting up Resource health for this resource.|Check if the alert rule was recently created. Health status is updated after the rule completes its first evaluation.|

+|Semantic error |The query is failing because of a semantic error. |Review the query and try again.|

+|Syntax error |The query is failing because of a syntax error.| Review the query and try again.|

+|The response size is too large|The query is failing because its response size is too large.|Review your query and the [log queries limits](../service-limits.md#log-queries-and-language).|

+|Query consuming too many resources |The query is failing because it's consuming too many resources.|Review your query. View our [best practices for optimizing log queries](../logs/query-optimization.md).|

+|Query validation error|The query is failing because of a validation error. |Check if the table referenced in your query is set to [Compare the Basic and Analytics log data plans](../logs/basic-logs-configure.md#compare-the-basic-and-analytics-log-data-plans), which doesn't support alerts. |

+|Workspace not found |The target Log Analytics workspace for this alert rule couldn't be found. |The target specified in the scope of the alert rule was moved, renamed, or deleted. Recreate your alert rule with a valid Log Analytics workspace target.|

+|Application Insights resource not found|The target Application Insights resource for this alert rule couldn't be found. |The target specified in the scope of the alert rule was moved, renamed, or deleted. Recreate your alert rule with a valid Log Analytics workspace target. |

+|Query is throttled|The query is failing for the rule because of throttling (Error 429). |Review your query and the [log queries limits](../service-limits.md#user-query-throttling). |

+|Unauthorized to run query |The query is failing because the query doesn't have the correct permissions. | Permissions are based on the permissions of the last user that edited the rule. If you suspect that the query doesn't have access, any user with the required permissions can edit or update the rule. Once the rule is saved, the new permissions take effect.</br>If you're using managed identities, check that the identity has permissions on the target resource. See [managed identities](alerts-create-log-alert-rule.md#managed-id).|

+|NSP validation failed |The query is failing because of NSP validations issues.| Review your network security perimeter rules to ensure your alert rule is correctly configured.|

+|Active alerts limit exceeded |Alert evaluation failed due to exceeding the limit of fired (non- resolved) alerts per day. |See [Azure Monitor service limits](../service-limits.md). |

+|Dimension combinations limit exceeded | Alert evaluation failed due to exceeding the allowed limit of dimension combinations values meeting the threshold.|See [Azure Monitor service limits](../service-limits.md). |

+## Add a new resource health alert

+1. Select **Add resource health alert**.

+

+1. The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes prepopulated. If necessary, you can edit and modify the scope and condition of the alert rule at this stage.

+1. Follow the rest of the steps in [Create or edit an activity log, service health, or resource health alert rule](../alerts/alerts-create-activity-log-alert-rule.md).

+## Next steps

+Learn more about:

+- [Querying log data in Azure Monitor Logs](../logs/get-started-queries.md).

+- [Create or edit a log alert rule](alerts-create-log-alert-rule.md)

+ > - Your annotations must have **Category** set to **Deployment** to appear in the Azure portal.

+ > - If you receive an error, "The request contains an entity body but no Content-Type header", try removing the replace parameters in the following line.

+ >

+ > `$body = (ConvertTo-Json $annotation -Compress)`

+

+ For more collectors, please see [Prometheus exporter for Windows metrics](https://github.com/prometheus-community/windows_exporter#windows_exporter).

+| QuickStarts | [Quickstart: Migrate from Operations Manager on-premises to Azure Monitor SCOM Managed Instance](/system-center/scom/migrate-to-operations-manager-managed-instance?tabs=mp-overrides) |

+ Aggregation metrics (for example, min, max) aren't supported for percentage volume consumed size.

+ Throughput limit reached is a boolean metric that denotes the volume is hitting its QoS limits. The value 1 means that the volume has reached its maximum throughput, and throughput for this volume will be throttled. The value 0 means this limit hasn't yet been reached.

+ > [!NOTE]

+ > The Throughput limit reached metrics is collected every 5 minutes and is displayed as a hit if it has been collected in the last 5 minutes.

+The populate availability zone features requires a `zone` property on the volume. You can set the zone property only when you create the Terraform-managed volume, but you can't modify it after the volume has been created. Adding the `zone` property after the volume has been created can cause data loss or loss of the volume if the specified zone value does not match the availability zone.

+1. Navigate to the Terraform module `terraform.tfstate` file. The `"zone"` property should be an empty string.

+1. In the Terraform-managed volume's configuration file (`main.tf`), locate the lifecycle configuration block for the volume resource. Modify the block with `ignore_changes = [zone]`. If no lifecycle configuration block exists, add it:

+1. In the Azure portal, locate the Terraform-managed volume. In the volume **Overview**, select **Populate availability zone** and make note of the availability zone. Do _not_ select save.

+1. In the volume's configuration file (`main.tf`), add a value for `zone`, entering the numerical value you retrieved in the previous step. For example, if the volume's availability zone is 1, enter `zone = 1`.

+1. Save the file.

+If you need to delete and recreate the volume in a different availability zone, remove the `ignore_changes = [zone]` line in the configuration file then run `terraform plan` followed by `terraform apply`.

+> ```bicep

+> ...

+> apiServerAccessProfile: {

+> enablePrivateCluster: true

+> }

+# Use Azure VMware Solution with Azure Elastic SAN (Integration in Preview)

+2. Run the [az connectedvmware vm create ](/cli/azure/connectedvmware/vm#az-connectedvmware-vm-create)Azure CLI command on the VM in Azure VMware Solution to update the machine type. 

+To enable through the Azure CLI, reference [az vmware placement-policy vm-host](/cli/azure/vmware/placement-policy/vm-host).

+[az vmware placement-policy vm-host](/cli/azure/vmware/placement-policy/vm-host)

+> [Tutorial: Add a custom domain to your Azure CDN endpoint](cdn-map-content-to-custom-domain.md)

+- When filtering by Azure subscriptions from the Targets and/or Experiments page, you may experience long load times if you have many subscriptions with large numbers of Azure resources. As a workaround, filter down to the single specific subscription in question to quickly find your desired Targets and/or Experiments.

+description: Learn more about Azure Communication Service best practices.

+zone_pivot_groups: acs-plat-web-native

+- [Improve and manage call quality](./voice-video-calling/manage-call-quality.md)

+- [Call Diagnostics](./voice-video-calling/call-diagnostics.md)

+- [Use the UI Library for enhance calling experiences](./ui-library/ui-library-overview.md)

+- Consumer consent must be collected by the direct (first) party sending the messages. If you're a third party helping the direct party sending messages, the opt-in flow must disclose the (third party) name.

+|Paper form | Upload the form and make sure it includes frequency, campaign information and consent process to get consent from consumer. |

+description: Learn how to improve and manage calling quality with Azure Communication Services.

+traffic that is less sensitive (like downloading a new app, where an extra second to download isn't a significant deal). QoS identifies and marks all packets in real-time streams using Windows Group Policy Objects and a routing feature called Port-based Access Control Lists, which instructs your network to give voice, video, and screen sharing their own dedicated network bandwidth.

+## Logs on native platforms

+Implementing **logging** as per the [logs file retrieval tutorial](../../tutorials/log-file-retrieval-tutorial.md) is critical to gathering details for native development. Detailed logs help in diagnosing issues specific to device models or OS versions. We encourage to the developers that start configuring the Logs API to get details around the call lifetime.

+If our calling samples don't meet your needs, or you decide to customize your solution please ensure you understand and implement the following capabilities in your custom calling scenarios.

+The following sections detail the tools to implement at different phases of a call:

+Because Azure Communication Services Voice and Video call run on web and mobile browsers your users may have multiple browser tabs running separate instances of the Azure

+Sometimes users can't hear each other; maybe the speaker is too quiet, the listener's device doesn't receive the audio packets, or there's an audio device issue blocking the sound. Users don't know when they're speaking too quietly, or when the other person can't hear them. You can use the input and output indicator to indicate if a userΓÇÖs volume is low or absent and prompt a user to speak louder or investigate an audio device issue through your user interface.

+During a group call with 2 or more participants a user's video quality can fluctuate due to changes in network conditions and their specific hardware limitations. By using the Optimal Video Count API, you can improve user call quality by understanding how many videos streams their local endpoint can render at a time without worsening quality. By implementing this feature, you can preserve the call quality and bandwidth of local endpoints that would otherwise attempt to render video poorly. The API exposes the property, optimalVideoCount, which dynamically changes in response to the network and hardware capabilities of a local endpoint. This information is available at runtime and updates throughout the call letting you adjust a userΓÇÖs visual experience as network and hardware conditions change.

+Review this documentation to start collecting call logs: [Enable logs via Diagnostic Settings in Azure Monitor.](../analytics/enable-logging.md)

+- If you don't have a Log Analytics workspace to send your data to, you'll need to [create one.](../../../azure-monitor/logs/quick-create-workspace.md)

+Once you begin storing log data in your log analytics workspace, you can visualize your search for individual calls and visualize the data in Call Diagnostics. Within your Azure Monitor account you simply need to navigate to your Azure Communication Services resource and locate the Call Diagnostics blade in your side pane.

+If you encounter quality or reliability issues you're unable to resolve and need support, you can submit a request for technical support. The more information you can provide in your request the better (native logs are crucial to optimize the response time), however you can still submit requests with partial information to start your inquiry. See: [How to create Azure support requests](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+- If you're notified of license requirements while attempting to request technical support, you may need to choose a paid Azure support plan that best aligns to your needs. See: [Compare Support Plans](https://azure.microsoft.com/support/plans).

+- Continue to learn other best practices: [Best practices: Azure Communication Services calling SDKs](../best-practices.md)

+- Explore known issues: [Known issues in the SDKs and APIs](../known-issues.md)

+- Learn how to debug calls: [Call Diagnostics](call-diagnostics.md)

+- Learn how to use the Log Analytics workspace: [Log Analytics Tutorial](../../../../articles/azure-monitor/logs/log-analytics-tutorial.md)

+- Create your own queries in Log Analytics: [Get Started Queries](../../../../articles/azure-monitor/logs/get-started-queries.md)

+description: Learn about connectors that run natively with the runtime in Azure Logic Apps.

+For a smaller number of services, systems, and protocols, Azure Logic Apps provides a built-in version alongside the managed version. The number and range of built-in connectors vary based on whether you create a Consumption logic app workflow that runs in multitenant Azure Logic Apps or a Standard logic app workflow that runs in single-tenant Azure Logic Apps. In most cases, the built-in version provides better performance, capabilities, pricing, and so on. In a few cases, some built-in connectors are available only in one logic app workflow type and not the other.

+For example, a Standard workflow can use both managed connectors and built-in connectors for Azure Blob Storage, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, and SQL Server. A Consumption workflow doesn't have the built-in versions. A Consumption workflow can use built-in connectors for Azure API Management, Azure App Services, and Batch, while a Standard workflow doesn't have these built-in connectors.

+Also, in Standard workflows, some [built-in connectors with specific attributes are informally known as *service providers*](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Microsoft Entra ID, or a managed identity. All built-in connectors run in the same process as the Azure Logic Apps runtime. For more information, review [Single-tenant versus multitenant and integration service environment (ISE)](../logic-apps/single-tenant-overview-compare.md).

+| Azure API Management<br>Azure App Services <br>Azure Functions <br>Azure Logic Apps <br>Batch <br>Control <br>Data Operations <br>Date Time <br>Flat File <br>HTTP <br>Inline Code <br>Integration Account <br>Liquid <br>Request <br>Schedule <br>Variables <br>XML | AS2 (v2) <br>Azure Automation* <br>Azure Blob Storage* <br>Azure Cosmos DB* <br>Azure File Storage* <br>Azure Functions <br>Azure Queue Storage* <br>Azure Table Storage* <br>Control <br>Data Operations <br>Date Time <br>DB2* <br>Event Grid Publisher* <br>Event Hubs* <br>File System* <br>Flat File <br>FTP* <br>HTTP <br>IBM Host File* <br>Inline Code <br>JDBC* <br>Key Vault* <br>Liquid operations <br>MQ* <br>Request <br>SAP* <br>Schedule <br>Service Bus* <br>SFTP* <br>SMTP* <br>SQL Server* <br>Variables <br>Workflow operations <br>XML operations |

+For Standard workflows, you can create your own built-in connector with the same [built-in connector extensibility model](../logic-apps/custom-connector-overview.md#built-in-connector-extensibility-model) that's used by service provider-based built-in connectors, such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus, SQL Server, and more. This interface implementation is based on the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md) and provides the capability for you to create custom built-in connectors that anyone can use in Standard workflows.

+ [![File System icon][file-system-icon]][file-system-doc]

+ [**File System**][file-system-doc]<br>(*Standard workflow only*)

+ \

+ \

+ Connect to a file system on your network machine to create and manage files.

+ :::column-end:::

+ :::column:::

+ [![FTP icon][ftp-icon]][ftp-doc]

+ \

+ \

+ [**FTP**][ftp-doc]<br>(*Standard workflow only*)

+ [![SFTP-SSH icon][sftp-ssh-icon]][sftp-doc]

+ [**SFTP**][sftp-doc]<br>(*Standard workflow only*)

+ [![SMTP icon][smtp-icon]][smtp-doc]

+ [**SMTP**][smtp-doc]<br>(*Standard workflow only*)

+ [![Azure Automation icon][azure-automation-icon]][azure-automation-doc]

+ [**Azure Automation**][azure-automation-doc]<br>(*Standard workflow only*)

+ Connect to your Azure Automation accounts so you can create and manage Azure Automation jobs.

+ [![Azure Blob Storage icon][azure-blob-storage-icon]][azure-blob-storage-doc]

+ [**Azure Blob Storage**][azure-blob-storage-doc]<br>(*Standard workflow only*)

+ Connect to your Azure Blob Storage account so you can create and manage blob content.

+ [![Azure Cosmos DB icon][azure-cosmos-db-icon]][azure-cosmos-db-doc]

+ \

+ \

+ [**Azure Cosmos DB**][azure-cosmos-db-doc]<br>(*Standard workflow only*)

+ \

+ \

+ Connect to Azure Cosmos DB so that you can access and manage Azure Cosmos DB documents.

+ :::column-end:::

+ :::column:::

+ [![Azure Event Hubs icon][azure-event-hubs-icon]][azure-event-hubs-doc]

+ [**Azure Event Hubs**][azure-event-hubs-doc]<br>(*Standard workflow only*)

+ [![Azure File Storage icon][azure-file-storage-icon]][azure-file-storage-doc]

+ [**Azure File Storage**][azure-file-storage-doc]<br>(*Standard workflow only*)

+ [![Azure Key Vault icon][azure-key-vault-icon]][azure-key-vault-doc]

+ [**Azure Key Vault**][azure-key-vault-doc]<br>(*Standard workflow only*)

+ [![Azure Table Storage icon][azure-table-storage-icon]][azure-table-storage-doc]

+ [**Azure Table Storage**][azure-table-storage-doc]<br>(*Standard workflow only*)

+ [![Azure Queue Storage][azure-queue-storage-icon]][azure-queue-storage-doc]

+ [**Azure Queue Storage**][azure-queue-storage-doc]<br>(*Standard workflow only*)

+ [![IBM DB2 icon][ibm-db2-icon]][ibm-db2-doc]

+ [**IBM DB2**][ibm-db2-doc]<br>(*Standard workflow only*)

+ [![IBM Host File icon][ibm-host-file-icon]][ibm-host-file-doc]

+ [**IBM Host File**][ibm-host-file-doc]<br>(*Standard workflow only*)

+ [![IBM MQ icon][ibm-mq-icon]][ibm-mq-doc]

+ [**IBM MQ**][ibm-mq-doc]<br>(*Standard workflow only*)

+ :::column:::

+ [![JDBC icon][jdbc-icon]][jdbc-doc]

+ \

+ \

+ [**JDBC**][jdbc-doc]<br>(*Standard workflow only*)

+ \

+ \

+ Connect to a relational database using JDBC drivers.

+ :::column-end:::

+ :::column:::

+ [![SAP icon][sap-icon]][sap-doc]

+ \

+ \

+ [**SAP**][sap-doc]<br>(*Standard workflow only*)

+ \

+ \

+ Connect to SAP so you can send or receive messages and invoke actions.

+ :::column-end:::

+ :::column:::

+ :::column-end:::

+[azure-automation-icon]: ./media/apis-list/azure-automation.png

+[file-system-icon]: ./media/apis-list/file-system.png

+[jdbc-icon]: ./media/apis-list/jdbc.png

+[sap-icon]: ./media/apis-list/sap.png

+[azure-automation-doc]: /azure/logic-apps/connectors/built-in/reference/azureautomation/ "Connect to your Azure Automation accounts so you can create and manage Azure Automation jobs"

+[azure-blob-storage-doc]: /azure/logic-apps/connectors/built-in/reference/azureblob/ "Manage files in your blob container with Azure Blob storage"

+[azure-cosmos-db-doc]: /azure/logic-apps/connectors/built-in/reference/azurecosmosdb/ "Connect to Azure Cosmos DB so you can access and manage Azure Cosmos DB documents"

+[azure-event-hubs-doc]: /azure/logic-apps/connectors/built-in/reference/eventhub/ "Connect to Azure Event Hubs so that you can receive and send events between logic app workflows and Event Hubs"

+[azure-file-storage-doc]: /azure/logic-apps/connectors/built-in/reference/azurefile/ "Connect to Azure File Storage so you can create and manage files in your Azure storage account"

+[azure-key-vault-doc]: /azure/logic-apps/connectors/built-in/reference/keyvault/ "Connect to Azure Key Vault to securely store, access, and manage secrets"

+[azure-queue-storage-doc]: /azure/logic-apps/connectors/built-in/reference/azurequeues/ "Connect to Azure Storage so you can create and manage queue entries and queues"

+[azure-service-bus-doc]: /azure/logic-apps/connectors/built-in/reference/servicebus/ "Manage messages from Service Bus queues, topics, and topic subscriptions"

+[azure-table-storage-doc]: /azure/logic-apps/connectors/built-in/reference/azuretables/ "Connect to Azure Storage so you can create, update, and query tables and more"

+[event-grid-publisher-doc]: /azure/logic-apps/connectors/built-in/reference/eventgridpublisher/ "Connect to Azure Event Grid for event-based programming using pub-sub semantics"

+[file-system-doc]: /azure/logic-apps/connectors/built-in/reference/filesystem/ "Connect to a file system on your network machine to create and manage files"

+[ftp-doc]: /azure/logic-apps/connectors/built-in/reference/ftp/ "Connect to an FTP or FTPS server for FTP tasks, like uploading, getting, deleting files, and more"

+[ibm-db2-doc]: /azure/logic-apps/connectors/built-in/reference/db2/ "Connect to IBM DB2 in the cloud or on-premises. Update a row, get a table, and more"

+[ibm-host-file-doc]: /azure/logic-apps/connectors/built-in/reference/hostfile/ "Connect to your IBM host to work with offline files"

+[ibm-mq-doc]: /azure/logic-apps/connectors/built-in/reference/mq/ "Connect to IBM MQ on-premises or in Azure to send and receive messages"

+[jdbc-doc]: /azure/logic-apps/connectors/built-in/reference/jdbc/ "Connect to a relational database using JDBC drivers"

+[sap-doc]: /azure/logic-apps/connectors/built-in/reference/sap/ "Connect to SAP so you can send or receive messages and invoke actions"

+[sftp-doc]: /azure/logic-apps/connectors/built-in/reference/sftp/ "Connect to your SFTP account by using SSH. Upload, get, delete files, and more"

+[smtp-doc]: /azure/logic-apps/connectors/built-in/reference/smtp/ "Connect to your SMTP server so you can send email"

+[sql-server-doc]: /azure/logic-apps/connectors/built-in/reference/sql/ "Connect to Azure SQL Database or SQL Server. Create, update, get, and delete entries in an SQL database table"

+az containerapp create \

+# Use Azure Private Link in Azure Cosmos DB for MongoDB vCore

+- Access to an active Virtual network and Subnet.

+ - If you donΓÇÖt have a Virtual network, [create a virtual network using the Azure portal](../../../virtual-network/quick-create-portal.md)

+- Verify your access to Azure Cosmos DB for MongoDB vCore Private Endpoint.

+ - If you donΓÇÖt have access, you can request it by following the steps below.

+## Requesting Access to Azure Cosmos DB for MongoDB vCore Private Endpoint via Azure Portal

+To request access for a private endpoint for an existing Azure Cosmos DB for MongoDB vCore cluster, follow these steps using the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com), and search for **Preview Features** in the search bar.

+1. Choose **Azure Cosmos DB for MongoDB vCore Private Endpoint** from the available options list and click "register."

+1. You will receive a notification once access to the Private Endpoint is granted.

+## Create a private endpoint by using the Azure portal

+Follow these steps to create a private endpoint for an existing Azure Cosmos DB for MongoDB vCore cluster by using the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com), then select an Azure Cosmos DB for MongoDB vCore cluster.

+1. Select **Networking** from the list of settings, and then select **Visit Link Center** under the **Private Endpoints** section:

+1. In the **Create a private endpoint - Basics** pane, enter or select the following details:

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | **Instance details** | |

+ | Region | Select the region where you want to deploy Private Link. Create the private endpoint in the same location where your virtual network exists.|

+1. Select **Next: Resource**.

+1. In the **Create a private endpoint - Resource** pane, enter or select the following details:

+ | Setting | Value |

+ | - | -- |

+ | Connection Method | Choose one of your resources or connect to someone else's resource with a resource ID or alias that is shared with you. |

+ | Subscription | Select the subscription containing the resource you're connecting to.|

+ | Resource Type | Select the resource type you're connecting to. |

+ | Resource | Select the resource type you're connecting to. |

+ | Target subresource | Select the type of subresource for the resource selected previously that your private endpoint should have the ability to access. |

+1. Select **Next: Virtual Network**.

+1. In the **Create a private endpoint - Virtual Network** pane, enter or select this information:

+ | Setting | Value |

+ | - | -- |

+ | Virtual network| Select your virtual network. |

+ | Subnet | Select your subnet. |

+1. Select **Next: DNS**.

+1. In the **Create a private endpoint - DNS** pane, enter or select this information:

+ | Setting | Value |

+ | - | -- |

+ | Integrate with private DNS zone | Select **Yes**. To connect privately with your private endpoint, you need a DNS record. We recommend that you integrate your private endpoint with a private DNS zone. You can also use your own DNS servers or create DNS records by using the host files on your virtual machines. When you select yes for this option, a private DNS zone group is also created. DNS zone group is a link between the private DNS zone and the private endpoint. This link helps you to auto update the private DNS zone when there's an update to the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated. |

+ | Configuration name |Select your subscription and resource group. The private DNS zone is determined automatically. You can't change it by using the Azure portal.|

+1. Select **Next: Tags** > **Review + create**. On the **Review + create** page, Azure validates your configuration.

+1. When you see the **Validation passed** message, select **Create**.

+When you have an approved Private Endpoint for an Azure Cosmos DB account, in the Azure portal, the **All networks** option in the **Firewall and virtual networks** pane is unavailable.

+## View private endpoints by using the Azure portal

+Follow these steps to view a private endpoint for an existing Azure Cosmos DB account by using the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com), then select Private Link under Azure Services.

+1. Select **Private Endpoint** from the list of settings to view all Private endpoints.

+ Title: Java SDK (legacy) - Release notes and resources

+description: Review the Java API and SDK including release dates, retirement dates, and changes made between each version of this SDK for Azure Cosmos DB for NoSQL.

+ms.devlang: java

+# Azure Cosmos DB for NoSQL Java SDK (legacy): Release notes and resources

+This article covers the Azure Cosmos DB Sync Java SDK v2 for the API for NoSQL. This API only supports synchronous operations.

+> [!IMPORTANT]

+> This is *not* the latest Java SDK for Azure Cosmos DB! We **strongly recommend** using [Azure Cosmos DB Java SDK v4](sdk-java-v4.md) for your project. To upgrade, follow the instructions in the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide and the [Reactor vs RxJava](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples/blob/main/reactor-rxjava-guide.md) guide.

+> [!WARNING]

+> On February 29, 2024 the Azure Cosmos DB Sync Java SDK v2.x will be retired. Azure Cosmos DB will cease to provide further maintenance and support for this SDK after retirement. Please follow the instructions here to migrate to Azure Cosmos DB Java SDK v4.

+| | Links |

+|||

+|**SDK Download**|[Maven](https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.microsoft.azure%22%20AND%20a%3A%22azure-documentdb%22)|

+|**API documentation**|[Java API reference documentation](/java/api/com.microsoft.azure.documentdb)|

+|**Contribute to SDK**|[GitHub](https://github.com/Azure/azure-documentdb-java/)|

+|**Get started**|[Get started with the Java SDK](./quickstart-java.md)|

+|**Web app tutorial**|[Web application development with Azure Cosmos DB](tutorial-java-web-app.md)|

+|**Minimum supported runtime**|[Java Development Kit (JDK) 7+](/java/azure/jdk/)|

+## Release notes

+Here's the release notes for each version of the SDK.

+### 2.6.5

+- Removed test dependency `com.google.guava/guava` due to security vulnerabilities

+- Upgraded dependency `com.fasterxml.jackson.core/jackson-databind` to 2.14.0

+- Upgraded dependency `commons-codec/commons-codec` to 1.15

+- Upgraded dependency `org.json/json` to 20180130

+### 2.6.4

+- Fixed the retry policy for read timeouts

+### 2.6.3

+- Fixed a retry policy when `GoneException` is wrapped in `IllegalStateException`

+### 2.6.2

+- Added a new retry policy to retry on Read Timeouts

+- Upgraded dependency `com.fasterxml.jackson.core/jackson-databind` to 2.9.10.8

+- Upgraded dependency `org.apache.httpcomponents/httpclient` to 4.5.13

+### 2.6.1

+- Fixed a bug in handling a query through service interop.

+### 2.6.0

+- Added support for querying change feed from point in time.

+### 2.5.1

+- Fixes primary partition cache issue on documentCollection query.

+### 2.5.0

+- Added support for 449 retry custom configuration.

+### 2.4.7

+- Fixes connection pool timeout issue.

+- Fixes auth token refresh on internal retries.

+### 2.4.6

+- Updated correct client side replica policy tag on databaseAccount and made databaseAccount configuration reads from cache.

+### 2.4.5

+- If the user provides pkRangeId, this version avoids retry on invalid partition key range error

+### 2.4.4

+- Optimized partition key range cache refreshes.

+- Fixes the scenario where the SDK doesn't entertain partition split hint from server and results in incorrect client side routing caches refresh.

+### 2.4.2

+- Optimized collection cache refreshes.

+### 2.4.1

+- Added support to retrieve inner exception message from request diagnostic string.

+### 2.4.0

+- Introduced version API on PartitionKeyDefinition.

+### 2.3.0

+- Added separate timeout support for direct mode.

+### 2.2.3

+- Consuming null error message from service and producing document client exception.

+### 2.2.2

+- Socket connection improvement, adding SoKeepAlive default true.

+### 2.2.0

+- Added request diagnostics string support.

+### 2.1.3

+- Fixed bug in PartitionKey for Hash V2.

+### 2.1.2

+- Added support for composite indexes.

+- Fixed bug in global endpoint manager to force refresh.

+- Fixed bug for upsert operations with preconditions in direct mode.

+### 2.1.1

+- Fixed bug in gateway address cache.

+### 2.1.0

+- Multi-region writes support added for direct mode.

+- Added support for handling `IOExceptions` thrown as `ServiceUnavailable` exceptions, from a proxy.

+- Fixed a bug in endpoint discovery retry policy.

+- Fixed a bug to ensure null pointer exceptions aren't thrown in BaseDatabaseAccountConfigurationProvider.

+- Fixed a bug to ensure QueryIterator doesn't return nulls.

+- Fixed a bug to ensure large PartitionKey is allowed.

+### 2.0.0

+- Multi-region writes support added for gateway mode.

+### 1.16.4

+- Fixed a bug in Read partition Key ranges for a query.

+### 1.16.3

+- Fixed a bug in setting continuation token header size in DirectHttps mode.

+### 1.16.2

+- Added streaming failover support.

+- Added support for custom metadata.

+- Improved session handling logic.

+- Fixed a bug in partition key range cache.

+- Fixed an `NullPointerException` (NPE) bug in direct mode.

+### 1.16.1

+- Added support for Unique Index.

+- Added support for limiting continuation token size in feed-options.

+- Fixed a bug in Json Serialization (timestamp).

+- Fixed a bug in Json Serialization (enum).

+- Dependency on com.fasterxml.jackson.core:jackson-databind upgraded to 2.9.5.

+### 1.16.0

+- Improved Connection Pooling for Direct Mode.

+- Improved Prefetch improvement for nonorderby cross partition query.

+- Improved UUID generation.

+- Improved Session consistency logic.

+- Added support for multipolygon.

+- Added support for Partition Key Range Statistics for Collection.

+- Fixed a bug in Multi-region support.

+### 1.15.0

+- Improved Json Serialization performance.

+- This SDK version requires the latest version of [Azure Cosmos DB Emulator](https://aka.ms/cosmosdb-emulator).

+### 1.14.0

+- Internal changes for Microsoft friends libraries.

+### 1.13.0

+- Fixed an issue in reading single partition key ranges.

+- Fixed an issue in ResourceID parsing that affects database with short names.

+- Fixed an issue cause by partition key encoding.

+### 1.12.0

+- Critical bug fixes to request processing during partition splits.

+- Fixed an issue with the Strong and BoundedStaleness consistency levels.

+### 1.11.0

+- Added support for a new consistency level called ConsistentPrefix.

+- Fixed a bug in reading collection in session mode.

+### 1.10.0

+- Enabled support for partitioned collection with as low as 2,500 RU/sec and scale in increments of 100 RU/sec.

+- Fixes a bug in the native assembly, which can cause NullRef exception in some queries.

+### 1.9.6

+- Fixed a bug in the query engine configuration that might cause exceptions for queries in Gateway mode.

+- Fixed a few bugs in the session container that might cause an "Owner resource not found" exception for requests immediately after collection creation.

+### 1.9.5

+- Added support for aggregation queries (COUNT, MIN, MAX, SUM, and AVG).

+- Added support for change feed.

+- Added support for collection quota information through RequestOptions.setPopulateQuotaInfo.

+- Added support for stored procedure script logging through RequestOptions.setScriptLoggingEnabled.

+- Fixed a bug where query in DirectHttps mode might stop responding when encountering throttle failures.

+- Fixed a bug in session consistency mode.

+- Fixes a bug, which might cause NullReferenceException in HttpContext when request rate is high.

+- Improved performance of DirectHttps mode.

+### 1.9.4

+- Added simple client instance-based proxy support with ConnectionPolicy.setProxy() API.

+- Added DocumentClient.close() API to properly close down a DocumentClient instance.

+- Improved query performance in direct connectivity mode by deriving the query plan from the native assembly instead of the Gateway.

+- Set FAIL_ON_UNKNOWN_PROPERTIES = false so users don't need to define JsonIgnoreProperties in their Plain Old Java Object (POJO).

+- Refactored logging to use SLF4J.

+- Fixed a few other bugs in consistency reader.

+### 1.9.3

+- Fixed a bug in the connection management to prevent connection leaks in direct connectivity mode.

+- Fixed a bug in the TOP query where it might throw NullReference exception.

+- Improved performance by reducing the number of network calls for the internal caches.

+- Added status code, ActivityID, and Request URI in DocumentClientException for better troubleshooting.

+### 1.9.2

+- Fixed an issue in the connection management for stability.

+### 1.9.1

+- Added support for BoundedStaleness consistency level.

+- Added support for direct connectivity for CRUD operations for partitioned collections.

+- Fixed a bug in querying a database with SQL.

+- Fixed a bug in the session cache where session token might be set incorrectly.

+### 1.9.0

+- Added support for cross partition parallel queries.

+- Added support for TOP/ORDER BY queries for partitioned collections.

+- Added support for strong consistency.

+- Added support for name based requests when using direct connectivity.

+- Fixed to make ActivityId stay consistent across all request retries.

+- Fixed a bug related to the session cache when recreating a collection with the same name.

+- Added Polygon and LineString DataTypes while specifying collection indexing policy for geo-fencing spatial queries.

+- Fixed issues with Java Doc for Java 1.8.

+### 1.8.1

+- Fixed a bug in PartitionKeyDefinitionMap to cache single partition collections and not make extra fetch partition key requests.

+- Fixed a bug to not retry when an incorrect partition key value is provided.

+### 1.8.0

+- Added the support for multi-region database accounts.

+- Added support for automatic retry on throttled requests with options to customize the max retry attempts and max retry wait time. For more information, see RetryOptions and ConnectionPolicy.getRetryOptions().

+- Deprecated IPartitionResolver based custom partitioning code. Use partitioned collections for higher storage and throughput.

+### 1.7.1

+- Added retry policy support for rate limiting.

+### 1.7.0

+- Added time to live (TTL) support for documents.

+### 1.6.0

+- Implemented [partitioned collections](../partitioning-overview.md) and [user-defined performance levels](../performance-levels.md).

+### 1.5.1

+- Fixed a bug in HashPartitionResolver to generate hash values in little-endian to be consistent with other software development kits (SDKs).

+### 1.5.0

+- Add Hash & Range partition resolvers to assist with sharding applications across multiple partitions.

+### 1.4.0

+- Implement Upsert. New upsertXXX methods added to support Upsert feature.

+- Implement ID Based Routing. No public API changes, all changes internal.

+### 1.3.0

+- Release skipped to bring version number in alignment with other SDKs

+### 1.2.0

+- Supports GeoSpatial Index.

+- Validates ID property for all resources. Ids for resources can't contain `?`, `/`, `#`, `\`, characters, or end with a space.

+- Adds new header "index transformation progress" to ResourceResponse.

+### 1.1.0

+- Implements V2 indexing policy

+### 1.0.0

+- GA SDK

+## Release and retirement dates

+Microsoft provides notification at least **12 months** in advance of retiring an SDK in order to smooth the transition to a newer/supported version. New features and functionality and optimizations are only added to the current SDK. We recommend that you always upgrade to the latest SDK version as early as possible.

+> [!WARNING]

+> After 30 might 2020, Azure Cosmos DB will no longer make bug fixes, add new features, and provide support to versions 1.x of the Azure Cosmos DB Java SDK for API for NoSQL. If you prefer not to upgrade, requests sent from version 1.x of the SDK will continue to be served by the Azure Cosmos DB service.

+>

+> After 29 February 2016, Azure Cosmos DB will no longer make bug fixes, add new features, and provide support to versions 0.x of the Azure Cosmos DB Java SDK for API for NoSQL. If you prefer not to upgrade, requests sent from version 0.x of the SDK will continue to be served by the Azure Cosmos DB service.

+| Version | Release Date | Retirement Date |

+| | | |

+| [2.6.1](#261) |Dec 17, 2020 |Feb 29, 2024|

+| [2.6.0](#260) |July 16, 2020 |Feb 29, 2024|

+| [2.5.1](#251) |June 03, 2020 |Feb 29, 2024|

+| [2.5.0](#250) |May 12, 2020 |Feb 29, 2024|

+| [2.4.7](#247) |Feb 20, 2020 |Feb 29, 2024|

+| [2.4.6](#246) |Jan 24, 2020 |Feb 29, 2024|

+| [2.4.5](#245) |Nov 10, 2019 |Feb 29, 2024|

+| [2.4.4](#244) |Oct 24, 2019 |Feb 29, 2024|

+| [2.4.2](#242) |Sep 26, 2019 |Feb 29, 2024|

+| [2.4.1](#241) |Jul 18, 2019 |Feb 29, 2024|

+| [2.4.0](#240) |May 04, 2019 |Feb 29, 2024|

+| [2.3.0](#230) |Apr 24, 2019 |Feb 29, 2024|

+| [2.2.3](#223) |Apr 16, 2019 |Feb 29, 2024|

+| [2.2.2](#222) |Apr 05, 2019 |Feb 29, 2024|

+| [2.2.0](#220) |Mar 27, 2019 |Feb 29, 2024|

+| [2.1.3](#213) |Mar 13, 2019 |Feb 29, 2024|

+| [2.1.2](#212) |Mar 09, 2019 |Feb 29, 2024|

+| [2.1.1](#211) |Dec 13, 2018 |Feb 29, 2024|

+| [2.1.0](#210) |Nov 20, 2018 |Feb 29, 2024|

+| [2.0.0](#200) |Sept 21, 2018 |Feb 29, 2024|

+| [1.16.4](#1164) |Sept 10, 2018 |May 30, 2020 |

+| [1.16.3](#1163) |Sept 09, 2018 |May 30, 2020 |

+| [1.16.2](#1162) |June 29, 2018 |May 30, 2020 |

+| [1.16.1](#1161) |May 16, 2018 |May 30, 2020 |

+| [1.16.0](#1160) |March 15, 2018 |May 30, 2020 |

+| [1.15.0](#1150) |Nov 14, 2017 |May 30, 2020 |

+| [1.14.0](#1140) |Oct 28, 2017 |May 30, 2020 |

+| [1.13.0](#1130) |August 25, 2017 |May 30, 2020 |

+| [1.12.0](#1120) |July 11, 2017 |May 30, 2020 |

+| [1.11.0](#1110) |May 10, 2017 |May 30, 2020 |

+| [1.10.0](#1100) |March 11, 2017 |May 30, 2020 |

+| [1.9.6](#196) |February 21, 2017 |May 30, 2020 |

+| [1.9.5](#195) |January 31, 2017 |May 30, 2020 |

+| [1.9.4](#194) |November 24, 2016 |May 30, 2020 |

+| [1.9.3](#193) |October 30, 2016 |May 30, 2020 |

+| [1.9.2](#192) |October 28, 2016 |May 30, 2020 |

+| [1.9.1](#191) |October 26, 2016 |May 30, 2020 |

+| [1.9.0](#190) |October 03, 2016 |May 30, 2020 |

+| [1.8.1](#181) |June 30, 2016 |May 30, 2020 |

+| [1.8.0](#180) |June 14, 2016 |May 30, 2020 |

+| [1.7.1](#171) |April 30, 2016 |May 30, 2020 |

+| [1.7.0](#170) |April 27, 2016 |May 30, 2020 |

+| [1.6.0](#160) |March 29, 2016 |May 30, 2020 |

+| [1.5.1](#151) |December 31, 2015 |May 30, 2020 |

+| [1.5.0](#150) |December 04, 2015 |May 30, 2020 |

+| [1.4.0](#140) |October 05, 2015 |May 30, 2020 |

+| [1.3.0](#130) |October 05, 2015 |May 30, 2020 |

+| [1.2.0](#120) |August 05, 2015 |May 30, 2020 |

+| [1.1.0](#110) |July 09, 2015 |May 30, 2020 |

+| 1.0.1 |May 12, 2015 |May 30, 2020 |

+| [1.0.0](#100) |April 07, 2015 |May 30, 2020 |

+| 0.9.5-prelease |Mar 09, 2015 |February 29, 2016 |

+| 0.9.4-prelease |February 17, 2015 |February 29, 2016 |

+| 0.9.3-prelease |January 13, 2015 |February 29, 2016 |

+| 0.9.2-prelease |December 19, 2014 |February 29, 2016 |

+| 0.9.1-prelease |December 19, 2014 |February 29, 2016 |

+| 0.9.0-prelease |December 10, 2014 |February 29, 2016 |

+## Frequently asked Questions

+* General availability: [The latest minor PostgreSQL version updates](reference-versions.md#postgresql-versions) (12.18, 13.14, 14.11, 15.6, and 16.2) are now available.

+ * [The last update for PostgreSQL 11](./reference-versions.md#postgresql-version-11-and-older) was released by community in November 2023.

+> | [pg\_partman](https://pgxn.org/dist/pg_partman/doc/pg_partman.html) | Manages partitioned tables by time or ID. | 4.7.4 | 4.7.4 | 4.7.4 | 5.0.1 | 5.0.1 | 5.0.1 |

+> | [pg\_cron](https://github.com/citusdata/pg_cron) | Job scheduler for PostgreSQL. | 1.5 | 1.6 | 1.6 | 1.6 | 1.6 | 1.6 |

+> [pgvector](https://github.com/pgvector/pgvector#installation-notes) | Open-source vector similarity search for Postgres | 0.5.1 | 0.6.0 | 0.6.0 | 0.6.0 | 0.6.0 | 0.6.0 |

+> | [PostGIS](https://www.postgis.net/) | Spatial and geographic objects for PostgreSQL. | 3.3.4 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 |

+> | address\_standardizer | Used to parse an address into constituent elements. Used to support geocoding address normalization step. | 3.3.4 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 |

+> | postgis\_sfcgal | PostGIS SFCGAL functions. | 3.3.4 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 |

+> | postgis\_topology | PostGIS topology spatial types and functions. | 3.3.4 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 | 3.4.1 |

+* Learn about [supported PostgreSQL versions](./reference-versions.md#postgresql-versions).

+The current minor release is 16.2. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/16.2/) to

+The current minor release is 15.6. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/15.6/) to

+The current minor release is 14.11. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/14.11/) to

+The current minor release is 13.14. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/13.14/) to

+The current minor release is 12.18. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/12.18/) to

+### PostgreSQL version 11 and older

+We don't support PostgreSQL version 11 and older for Azure Cosmos DB for PostgreSQL.

+learn more about improvements and fixes in this last minor release.

+- As the community won't be releasing any further bug fixes or security fixes, Azure Cosmos DB for PostgreSQL won't patch the retired database engine for any bugs or security issues, or otherwise take security measures with regard to the retired database engine. You might experience security vulnerabilities or other issues as a result. However, Azure will continue to perform periodic maintenance and patching for the host, OS, containers, and any other service-related components.

+- If any support issue you might experience relates to the PostgreSQL engine itself, as the community no longer provides the patches, we might not be able to provide you with support. In such cases, you will have to upgrade your database to one of the supported versions.

+- You won't be able to create new database servers for the retired version. However, you will be able to perform point-in-time recoveries and create read replicas for your existing servers.

+- New service capabilities developed by Azure Cosmos DB for PostgreSQL might only be available to supported database server versions.

+- In the extreme event of a serious threat to the service caused by the PostgreSQL database engine vulnerability identified in the retired database version, Azure might choose to stop your database server to secure the service. In such case, you will be notified [to upgrade the server](./howto-upgrade.md) before bringing the server online.

+- [Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md)

+- [Scan your AWS images for vulnerabilities with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md)

+- [Scan your GGP images for vulnerabilities with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-gcp.md)

+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md).

+- [Delete the VM extension with PowerShell](/powershell/module/az.compute/remove-azvmextension).

+- [REST API DELETE request](/rest/api/compute/virtual-machine-extensions/delete?tabs=HTTP).

+- **Healthy** (green) - no health issues.

+- **Unhealthy** (red) - there's a health issue that requires immediate attention.

+- **Stopped reporting** (orange) - the solution has stopped reporting its health.

+- **Not reported** (gray) - the solution hasn't reported anything yet and no health data is available. A solution's status might be unreported if it was connected recently and is still deploying.

+- **Solution console** - Opens the management experience for this solution.

+- **Link VM** - Opens the Link Applications page. Here you can connect resources to the partner solution.

+- **Delete solution**

+- **Configure**

+description: Learn how to prepare for the deprecation of the Log Analytics (MMA) agent in Microsoft Defender for Cloud.

+The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), [is retiring in August 2024](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341). As a result, the Defender for Servers and Defender for SQL on machines plans in Microsoft Defender for Cloud will be updated, and features that rely on the Log Analytics agent will be redesigned.

+To simplify onboarding, all Defender for Servers security features and capabilities will be provided with a single agent ([Microsoft Defender for Endpoint](integration-defender-for-endpoint.md)), complemented by [agentless machine scanning](concept-agentless-data-collection.md), without any dependency on Log Analytics agent or AMA. Note that:ΓÇ»

+- Features in preview that rely on AMA remain supported until an alternate version of the feature is provided, which will rely on the Defender for Endpoint integration or the agentless machine scanning feature.

+- By enabling the Defender for Endpoint integration and agentless machine scanning feature before the deprecation takes place, your Defender for Servers deployment will be up to date and supported.

+| Defender for Endpoint integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | [Unified agent integration](/microsoft-365/security/defender-endpoint/configure-server-endpoints) | - Functionality with the unified agent is GA.<br/>- Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024. |

+| Adaptive application controls | Log Analytics agent (GA), AMA (Preview) | | The adaptive application control feature is set to be deprecated in August 2024. |

+| Endpoint protection discovery recommendations | Recommendations that are available through the Foundational Cloud Security Posture Management (CSPM) plan and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview)ΓÇ»| Agentless machine scanning | - Functionality with agentless machine scanning will be released to preview in February 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan.<br/>- Azure VMs, Google Cloud Platform (GCP) instances, and Amazon Web Services (AWS) instances will be supported. On-premises machines wonΓÇÖt be supported. |

+| Missing OS update recommendation | Recommendations available in the Foundational CSPM and Defender for Servers plans using the Log Analytics agent. | Integration with Update Manager, Microsoft | New recommendations based on Azure Update Manager integration [are GA](release-notes-archive.md#two-recommendations-related-to-missing-operating-system-os-updates-were-released-to-ga), with no agent dependencies. |

+| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations that are available through the Foundational CSPM and Defender for Servers plans using the Log Analytics agent, Guest Configuration agent (Preview). | Microsoft Defender Vulnerability Management premium, as part of Defender for Servers Plan 2. | - Functionality based on integration with Microsoft Defender Vulnerability Management premium will be available in preview around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024<br/>- Functionality with Guest Configuration agent (Preview) will deprecate when the Microsoft Defender Vulnerability Management is available.<br/>- Support of this feature for Docker-hub and Azure Virtual Machine Scale Sets will be deprecated in Aug 2024. |

+The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables remains supported via the AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it.

+Endpoint discovery and recommendations are currently provided by the Defender for Cloud Foundational CSPM and the Defender for Servers plans using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ»

+Endpoint protection recommendations are constructed in two stages. The first stage is [discovery](#endpoint-detection-and-response-solutiondiscovery) of an endpoint detection and response solution. The second isΓÇ»[assessment](#endpoint-detection-and-response-solutionconfiguration-assessment) of the solutionΓÇÖs configuration. The following tables provide details of the current and new experiences for each stage.

+#### Endpoint detection and response solution - discovery

+#### Endpoint detection and response solution - configuration assessment

+| Resources are classified as unhealthy if one or more of the security checks arenΓÇÖt healthy. | Three security checks:<br/>- Real time protection is off<br/>- Signatures are out of date.<br/>- Both quick scan and full scan aren't run for seven days. | Three security checks:<br/>- Anti-virus is off or partially configured<br/>- Signatures are out of date<br/>- Both quick scan and full scan aren't run for seven days. |

+| Prerequisites to get the recommendation | An anti-malware solution in place | An endpoint detection and response solution in place. |

+| [Endpoint protection health failures on virtual machine scale sets should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/e71020c2-860c-3235-cd39-04f3f8c936d2) | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement |

+| [Endpoint protection solution should be installed on virtual machine scale sets](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/21300918-b2e3-0346-785f-c77ff57d243b) | MMA | Azure Virtual Machine Scale Sets | August 2024 | No replacement |

+The [new recommendations](upcoming-changes.md#changes-in-endpoint-protection-recommendations) experience based on agentless machine scanning support both Windows and Linux OS across multicloud machines.

+- Recommendations currently in GA remain in place until the Log Analytics agent retires.

+- Recommendations that are currently in GA will continue to affect secure score.ΓÇ»

+- Current and upcoming new recommendations are located under the same Microsoft Cloud Security Benchmark control, ensuring that thereΓÇÖs no duplicate impact on secure score.

+Once the SQL server-targeted AMA autoprovisioning process is enabled, you should disable the Log Analytics agent/Azure Monitor agent autoprovisioning process and uninstall the MMA on all SQL servers:

+| Yes | Yes | No | 1. Enable [Defender for Endpoint integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. Wait for GA of all features with the alternative's platform (you can use preview version earlier).<br/>3. Once features are GA, disable the [Log Analytics agent](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent).

+| Yes | No | Yes | 1. Enable [Defender for Endpoint integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. You can migrate to [SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) in Defender for SQL on machines now.<br/>3. [Disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) the Log Analytics agent. |

+ The **Select plans** tab is where you choose which Defender for Cloud capabilities to enable for this AWS account. Each plan has its own [requirements for permissions](#native-connector-plan-requirements) and might incur [charges](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h).

+## GCP authorization design

+The authentication process between Microsoft Defender for Cloud and GCP is a federated authentication process.

+When you onboard to Defender for Cloud, the GCloud template is used to create the following resources as part of the authentication process:

+- Workload identity pool and providers

+- Service accounts and policy bindings

+The authentication process works as follows:

+1. Microsoft Defender for Cloud's CSPM service acquires a Microsoft Entra token. The token is signed by Microsoft Entra ID using the RS256 algorithm and is valid for 1 hour.

+1. The Microsoft Entra token is exchanged with Google's STS token.

+1. Google STS validates the token with the workload identity provider. The Microsoft Entra token is sent to Google's STS that validates the token with the workload identity provider. Audience validation then occurs and the token is signed. A Google STS token is then returned to Defender for Cloud's CSPM service.

+1. Defender for Cloud's CSPM service uses the Google STS token to impersonate the service account. Defender for Cloud's CSPM receives service account credentials that are used to scan the project.

+There are four parts to the onboarding process that take place when you create the security connection between your GCP project and Microsoft Defender for Cloud.

+### Project details

+In the first section, you need to add the basic properties of the connection between your GCP project and Defender for Cloud.

+Here you name your connector, select a subscription and resource group, which is used to create an ARM template resource that is called security connector. The security connector represents a configuration resource that holds the projects settings.

+### Select plans for your project

+After entering your organization's details, you'll then be able to select which plans to enable.

+From here, you can decide which resources you want to protect based on the security value you want to receive.

+### Configure access for your project

+Once you selected the plans, you want to enable and the resources you want to protect you have to configure access between Defender for Cloud and your GCP project.

+In this step, you can find the GCloud script that needs to be run on the GCP project that is going to onboarded. The GCloud script is generated based on the plans you selected to onboard.

+The GCloud script creates all of the required resources on your GCP environment so that Defender for Cloud can operate and provide the following security values:

+- Workload identity pool

+- Workload identity provider (per plan)

+- Service accounts

+- Project level policy bindings (service account has access only to the specific project)

+### Review and generate the connector for your project

+The final step for onboarding is to review all of your selections and to create the connector.

+> [!NOTE]

+> The following APIs must be enabled in order to discover your GCP resources and allow the authentication process to occur:

+>

+> - `iam.googleapis.com`

+> - `sts.googleapis.com`

+> - `cloudresourcemanager.googleapis.com`

+> - `iamcredentials.googleapis.com`

+> - `compute.googleapis.com`

+> If you don't enable these APIs at this time, you can enable them during the onboarding process by running the GCloud script.

+After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to 6 hours. If you enabled autoprovisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.

+## Connect your GCP organization

+Similar to onboarding a single project, When onboarding a GCP organization, Defender for Cloud creates a security connector for each project under the organization (unless specific projects were excluded).

+### Organization details

+In the first section, you need to add the basic properties of the connection between your GCP organization and Defender for Cloud.

+Here you name your connector, select a subscription and resource group that is used to create an ARM template resource that is called security connector. The security connector represents a configuration resource that holds the projects settings.

+You also select a location and add the organization ID for your project.

+When you onboard an organization, you can also choose to exclude project numbers and folder IDs.

+### Select plans for your organization

+After entering your organization's details, you'll then be able to select which plans to enable.

+From here, you can decide which resources you want to protect based on the security value you want to receive.

+### Configure access for your organization

+Once you selected the plans, you want to enable and the resources you want to protect you have to configure access between Defender for Cloud and your GCP organization.

+When you onboard an organization, there's a section that includes management project details. Similar to other GCP projects, the organization is also considered a project and is utilized by Defender for Cloud to create all of the required resources needed to connect the organization to Defender for Cloud.

+In the management project details section, you have the choice of:

+- Dedicating a management project for Defender for Cloud to include in the GCloud script.

+- Provide the details of an already existing project to be used as the management project with Defender for Cloud.

+You need to decide what is your best option for your organization's architecture. We recommend creating a dedicated project for Defender for Cloud.

+The GCloud script is generated based on the plans you selected to onboard. The script creates all of the required resources on your GCP environment so that Defender for Cloud can operate and provide the following security benefits:

+- Workload identity pool

+- Workload identity provider for each plan

+- Custom role to grant Defender for Cloud access to discover and get the project under the onboarded organization

+- A service account for each plan

+- A service account for the autoprovisioning service

+- Organization level policy bindings for each service account

+- API enablements at the management project level

+Some of the APIs aren't in direct use with the management project. Instead the APIs authenticate through this project and use one of the APIs from another project. The API must be enabled on the management project.

+### Review and generate the connector for your organization

+The final step for onboarding is to review all of your selections and to create the connector.

+> [!NOTE]

+> The following APIs must be enabled in order to discover your GCP resources and allow the authentication process to occur:

+>

+> - `iam.googleapis.com`

+> - `sts.googleapis.com`

+> - `cloudresourcemanager.googleapis.com`

+> - `iamcredentials.googleapis.com`

+> - `compute.googleapis.com`

+> If you don't enable these APIs at this time, you can enable them during the onboarding process by running the GCloud script.

+The respective Azure Arc servers for GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of [Disconnected or Expired](/azure/azure-arc/servers/overview)) are removed after seven days. This process removes irrelevant Azure Arc entities to ensure that only Azure Arc servers related to existing instances are displayed.

+Defender for Servers assigns tags to your Azure Arc GCP resources to manage the autoprovisioning process. You must have these tags properly assigned to your resources so that Defender for Servers can manage your resources: `Cloud`, `InstanceName`, `MDFCSecurityConnector`, `MachineId`, `ProjectId`, and `ProjectNumber`.

+1. On the **Select plans** tab, in **Databases**, select **Settings**.

+1. On the **Plan configuration** pane, turn the toggles to **On** or **Off**, depending on your need.

+- **Kubernetes audit logs to Defender for Cloud**: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through [GCP Cloud Logging](https://cloud.google.com/logging/) to the Microsoft Defender for Cloud back end for further analysis. Defender for Containers requires control plane audit logs to provide [runtime threat protection](defender-for-containers-introduction.md#run-time-protection-for-kubernetes-nodes-and-clusters). To send Kubernetes audit logs to Microsoft Defender, toggle the setting to **On**.

+> [!NOTE]

+> As the Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/), all Defender for Servers features and security capabilities that currently depend on it, including those described on this page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).

+| February 13 | [AWS container vulnerability assessment powered by Trivy retired](#aws-container-vulnerability-assessment-powered-by-trivy-retired) |

+### AWS container vulnerability assessment powered by Trivy retired

+February 13, 2024

+The container vulnerability assessment powered by Trivy has been retired. Any customers who were previously using this assessment should upgrade to the new [AWS container vulnerability assessment powered by Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md). For instructions on how to upgrade, see [How do I upgrade from the retired Trivy vulnerability assessment to the AWS vulnerability assessment powered by Microsoft Defender Vulnerability Management?](/azure/defender-for-cloud/faq-defender-for-containers#how-do-i-upgrade-from-the-retired-trivy-vulnerability-assessment-to-the-aws-vulnerability-assessment-powered-by-microsoft-defender-vulnerability-management-)

+The container vulnerability assessment powered by Trivy is now on a retirement path to be completed by February 13. This capability is now deprecated and will continue to be available to existing customers using this capability until February 13. We encourage customers using this capability to upgrade to the new [AWS container vulnerability assessment powered by Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md) by February 13.

+>

+> - Specific features are in preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+> - Only the versions of AKS, EKS and GKE supported by the cloud vendor are officially supported by Defender for Cloud.

+### Kubernetes distributions/configurations support for AWS - Runtime threat protection

+### Kubernetes distributions/configurations support for GCP - Runtime threat protection

+Defender for IoT's alert detection policy steers the different alert engines to trigger alerts based on business impact and network context, and reduce low-value IT related alerts. For more information, see [Focused alerts in OT/IT environments](alerts.md#focused-alerts-in-otit-environments).

+## Focused alerts in OT/IT environments

+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance. To address these challenges, Defender for IoT's detection policy steers its different [alert engines](alert-engine-messages.md#supported-alert-types) to focus on alerts with business impact and relevance to an OT network, and reduce low-value IT related alerts. For example, the **Unauthorized internet connectivity** alert is highly relevant in an OT network, but has relatively low value in an IT network.

+To focus the alerts triggered in these environments, all alert engines, except for the *Malware* engine, trigger alerts only if they detect a related OT subnet or protocol.

+However, to maintain triggering of alerts that indicate critical scenarios:

+- The *Malware* engine triggers malware alerts regardless of whether the alerts are related to OT or IT devices.

+- The other engines include exceptions for critical scenarios. For example, the *Operational* engine triggers alerts related to sensor traffic, regardless of whether the alert is related to OT or IT traffic.

+### Local subnets

+To focus the Azure device inventory on devices that are in your OT scope, you need to manually edit the subnet list to include only the locally monitored subnets that are in your OT scope.

+Subnets in the subnet list are automatically configured as ICS subnets, which means that Defender for IoT recognizes these subnets as OT networks. You can edit this setting when you [configure the subnets](#configure-subnets-in-the-azure-portal).

+Once the subnets are configured, the network location of the devices is shown in the *Network location* (Public preview) column in the Azure device inventory. All of the devices associated with the listed subnets are displayed as *local*, while devices associated with detected subnets not included in the list are displayed as *routed*.

+#### Configure subnets in the Azure portal

+1. Under **Local subnets**, review the configured subnets. To focus the device inventory and view local devices in the inventory, delete any subnets that are not in your IoT/OT scope by selecting the options menu (...) on any subnet you want to delete.

+

+ - **ICS Subnet** is on by default, which means that Defender for IoT recognizes the subnet as an OT network. To mark a subnet as non-ICS, toggle off **ICS Subnet**.

+ In the subnet grid, subnets marked as **ICS subnet** are recognized as OT networks. This option is read-only in this grid, but you can [manually define a subnet as ICS](#manually-define-a-subnet-as-ics) if there's an OT subnet not being recognized correctly.

+> To manually change the subnet to be marked as ICS, change the device type in the device inventory in the OT sensor. In the Azure portal, subnets in the subnet list are marked as ICS by default in the [sensor settings](configure-sensor-settings-portal.md#local-subnets).

+ | **Id** |The unique alert ID, aligned with the ID on the sensor console.<br><br>**Note:** If the [alert was merged with other alerts](alerts.md#alert-management-options) from sensors that detected the same alert, the Azure portal displays the alert ID of the first sensor that generated the alerts. |

+ | **Id** | The unique alert ID, aligned with the ID on the Azure portal.<br><br> **Note:** If the [alert was merged with other alerts](alerts.md#alert-management-options) from sensors that detected the same alert, the Azure portal displays the alert ID of the first sensor that generated the alerts. |

+## February 2024

+|Service area |Updates |

+|||

+| **OT networks** | - [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [New setting to focus local networks in the device inventory](#new-setting-to-focus-local-networks-in-the-device-inventory) |

+### Focused alerts in OT/IT environments

+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance.

+To address these challenges, we've updated Defender for IoT's detection policy to automatically trigger alerts based on business impact and network context, and reduce low-value IT related alerts.

+For more information, see [Focused alerts in OT/IT environments](alerts.md#focused-alerts-in-otit-environments).

+### Alert ID now aligned on the Azure portal and sensor console

+The alert ID in the **Id** column on the Azure portal **Alerts** page now displays the same alert ID as the sensor console. [Learn more about alerts on the Azure portal](how-to-manage-cloud-alerts.md#view-alerts-on-the-azure-portal).

+> [!NOTE]

+> If the [alert was merged with other alerts](alerts.md#alert-management-options) from sensors that detected the same alert, the Azure portal displays the alert ID of the first sensor that generated the alerts.

+### New setting to focus local networks in the device inventory

+To better focus the Azure device inventory on devices that are in your OT scope, we've added the **ICS** toggle in the **Subnets** sensor setting. This toggle marks the subnet as a subnet with OT networks. [Learn more](configure-sensor-settings-portal.md#configure-subnets-in-the-azure-portal).

+| **OT networks** | [Sensor update in Azure portal now supports selecting a specific version](#sensor-update-in-azure-portal-now-supports-selecting-a-specific-version) |

+- [Configure OT sensor settings from the Azure portal](configure-sensor-settings-portal.md#local-subnets)

+Running a Replicate changes Migration, with our offline scenario with "Enable Transactional Consistency" enables businesses to migrate their databases to Azure while the databases remain operational. In other words, migrations can be completed with minimum downtime for critical applications, limiting the impact on service level availability and inconvenience to their end customers.

+- DDL changes replication is supported only when you have selected the option for **Replicate data definition and administration statements for selected objects** on DMS UI. The replication feature supports replicating data definition and administration statements that occur after the initial load and are logged in the binary log to the target.

+ Title: "Tutorial: Migrate from MySQL to Azure Database for MySQL - Flexible Server using DMS Replicate Changes via the Azure portal"

+description: "Learn to perform an online migration from MySQL to Azure Database for MySQL - Flexible Server by using Azure Database Migration Service Replicate Changes Scenario"

+ - sql-migration-content

+# Tutorial: Migrate from MySQL to Azure Database for MySQL - Flexible Server online using DMS Replicate Changes scenario

+> [!NOTE]

+> This article contains references to the term *slave*, a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article.

+You can migrate your on-premises or other cloud services MySQL Server to Azure Database for MySQL ΓÇô Flexible Server by using Azure Database Migration Service (DMS), a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms. In this tutorial, weΓÇÖll perform an online migration of a sample database from an on-premises MySQL server to an Azure Database for MySQL - Flexible Server (both running version 5.7) using a DMS Replicate Changes migration activity.

+Running a Replicate changes Migration, with our offline scenario with "Enable Transactional Consistency" enables businesses to migrate their databases to Azure while the databases remain operational. In other words, migrations can be completed with minimum downtime for critical applications, limiting the impact on service level availability and inconvenience to their end customers.

+In this tutorial, you'll learn how to:

+> [!div class="checklist"]

+>

+> * Create a MySQL Replicate Changes migration project in DMS.

+> * Run the Replicate Changes migration.

+> * Monitor the migration.

+> * Perform post-migration steps.

+## Prerequisites

+To complete this tutorial, you need to:

+* Use the MySQL command line tool of your choice to determine whether **log_bin** is enabled on the source server. The Binlog isn't always turned on by default, so verify that it's enabled before starting the migration. To determine whether log_bin is enabled on the source server, run the command: **SHOW VARIABLES LIKE 'log_bin'**.

+* Ensure that the user has **"REPLICATION_APPLIER"** or **"BINLOG_ADMIN"** permission on target server for applying the bin log.

+* Ensure that the user has **"REPLICATION SLAVE"** permission on the target server.

+* Ensure that the user has **"REPLICATION CLIENT"** and **"REPLICATION SLAVE"** permission on the source server for reading and applying the bin log.

+* Run an offline migration scenario with "**Enable Transactional Consistency"** to get the bin log file and position.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/01-offline-migration-bin-log-pos.png" alt-text="Screenshot of binlog position of an Azure Database Migration Service offline migration.":::

+* If you're targeting a replicate changes migration, configure the **binlog_expire_logs_seconds** parameter on the source server to ensure that binlog files aren't purged before the replica commits the changes. We recommend at least two days, to begin with. After a successful cutover, the value can be reset.

+## Limitations

+As you prepare for the migration, be sure to consider the following limitations.

+* When performing a replicate changes migration, the name of the database on the target server must be the same as the name on the source server.

+* Support is limited to the ROW binlog format.

+* DDL changes replication is supported only when you have selected the option for **Replicate data definition and administration statements for selected objects** on DMS UI. The replication feature supports replicating data definition and administration statements that occur after the initial load and are logged in the binary log to the target.

+* Renaming databases or tables is not supported when replicating changes.

+### Create a Replicate Changes migration project

+To create a Replicate Changes migration project, perform the following steps.

+1. In the Azure portal, select **All services**, search for Azure Database Migration Service, and then select **Azure Database Migration Services**.

+ :::image type="content" source="media/tutorial-azure-mysql-single-to-flex-online/10-dms-search.png" alt-text="Screenshot of a Locate all instances of Azure Database Migration Service.":::

+2. In the search results, select the DMS instance that you created for running the preliminary offline migration, and then select **+ New Migration Project**.

+ :::image type="content" source="media/tutorial-azure-mysql-single-to-flex-online/11-select-create.png" alt-text="Screenshot of a Select a new migration project.":::

+3. On the **New migration project** page, specify a name for the project, in the **Source server type** selection box, select **MySQL**, in the **Target server type** selection box, select **Azure Database For MySQL - Flexible Server**, in the **Migration activity type** selection box, select **Replicate changes**, and then select **Create and run activity**.

+### Configure the migration project

+To configure your DMS migration project, perform the following steps.

+1. On the **Select source** screen, input the source server name, server port, username, and password to your source server.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/02-replicate-changes-select-source.png" alt-text="Screenshot of an Add source details screen.":::

+2. Select **Next : Select target>>**, and then, on the **Select target** screen, locate the target server based on the subscription, location, and resource group. The user name is auto populated, then provide the password for the target flexible server.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/03-replicate-changes-select-target.png" alt-text="Screenshot of a Select target.":::

+3. Select **Next : Select binlog>>**, and then, on the **Select binlog** screen, input the binlog file name and binlog position as captured in the earlier run of offline migration scenario.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/04-replicate-changes-select-binlog.png" alt-text="Screenshot of a Select binlog.":::

+

+4. Select **Next : Select databases>>**, and then, on the **Select databases** tab, select the server database objects that you want to migrate.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/05-replicate-changes-select-db.png" alt-text="Screenshot of a Select database.":::

+5. Select **Next : Select tables>>** to navigate to the **Select tables** tab. Select all tables to be migrated.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/06-replicate-changes-select-table.png" alt-text="Screenshot of a Select table.":::

+6. After configuring for schema migration, select **Review and start migration**.

+ > [!NOTE]

+ > You only need to navigate to the **Configure migration settings** tab if you are trying to troubleshoot failing migrations.

+7. On the **Summary** tab, in the **Activity name** text box, specify a name for the migration activity, and then review the summary to ensure that the source and target details match what you previously specified.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/07-replicate-changes-summary.png" alt-text="Screenshot of a Summary.":::

+8. Select **Start migration**.

+ The migration activity window appears, and the Status of the activity is Initializing. The Status changes to Running when the table migrations start.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/08-replicate-changes-start.png" alt-text="Screenshot of a Running status.":::

+### Monitor the migration

+1. Monitor the **Seconds behind source** and as soon as it nears 0, proceed to start cutover by navigating to the **Start Cutover** menu tab at the top of the migration activity screen.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/09-replicate-changes-cutover-open.png" alt-text="Screenshot of a Perform cutover.":::

+2. Follow the steps in the cutover window before you're ready to perform a cutover. After completing all steps, select **Confirm**, and then select **Apply**.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/10-replicate-changes-cutover-confirm.png" alt-text="Screenshot of a Perform cutover confirmation.":::

+Once the cutover is completed, you are all set to perform post migration validations and steps.

+ :::image type="content" source="media/tutorial-mysql-to-azure-replicate-changes/11-replicate-changes-cutover-complete.png" alt-text="Screenshot of a Perform cutover completed.":::

+## Perform post-migration activities

+When the migration has finished, be sure to complete the following post-migration activities.

+* Perform sanity testing of the application against the target database to certify the migration.

+* Update the connection string to point to the new flexible server.

+* Delete the source server after you have ensured application continuity.

+* To clean up the DMS resources, perform the following steps:

+ 1. In the Azure portal, select **All services**, search for Azure Database Migration Service, and then select **Azure Database Migration Services**.

+ 2. Select your migration service instance from the search results, and then select **Delete service**.

+ 3. In the confirmation dialog box, in the **TYPE THE DATABASE MIGRATION SERVICE NAME** textbox, specify the name of the instance, and then select **Delete**.

+## Migration best practices

+When performing a migration, be sure to consider the following best practices.

+* As part of discovery and assessment, take the server SKU, CPU usage, storage, database sizes, and extensions usage as some of the critical data to help with migrations.

+* Perform test migrations before migrating for production:

+ * Test migrations are important for ensuring that you cover all aspects of the database migration, including application testing. The best practice is to begin by running a migration entirely for testing purposes. After a newly started migration enters the Replicate Data Changes phase with minimal lag, only use your Flexible Server target for running test workloads. Use that target for testing the application to ensure expected performance and results. If you're migrating to a higher MySQL version, test for application compatibility.

+ * After testing is completed, you can migrate the production databases. At this point, you need to finalize the day and time of production migration. Ideally, there's low application use at this time. All stakeholders who need to be involved should be available and ready. The production migration requires close monitoring. For an online migration, the replication must be completed before you perform the cutover, to prevent data loss.

+* Redirect all dependent applications to access the new primary database and make the source server read-only. Then, open the applications for production usage.

+* After the application starts running on the target flexible server, monitor the database performance closely to see if performance tuning is required.

+## Next steps

+* For information about Azure Database for MySQL - Flexible Server, see [Overview - Azure Database for MySQL Flexible Server](./../mysql/flexible-server/overview.md).

+* For information about Azure Database Migration Service, see [What is Azure Database Migration Service?](./dms-overview.md).

+* For information about known issues and limitations when migrating to Azure Database for MySQL - Flexible Server using DMS, see [Known Issues With Migrations To Azure Database for MySQL - Flexible Server](./known-issues-azure-mysql-fs-online.md).

+* For information about known issues and limitations when performing migrations using DMS, see [Common issues - Azure Database Migration Service](./known-issues-troubleshooting-dms.md).

+* For troubleshooting source database connectivity issues while using DMS, see article [Issues connecting source databases](./known-issues-troubleshooting-dms-source-connectivity.md).

+## Types of OSDU groups

+## Default groups

+- Some OSDU groups are created by default when a data partition is provisioned.

+- Data groups of `data.default.viewers` and `data.default.owners` are created by default.

+- Service groups to view, edit, and admin each service such as `service.entitlement.admin` and `service.legal.editor` are created by default.

+- User groups of `users`, `users.datalake.viewers`, `users.datalake.editors`, `users.datalake.admins`, `users.datalake.ops`, and `users.data.root` are created by default.

+- The chart of default members and groups in [Bootstrapped OSDU entitlement groups](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/docs/osdu-entitlement-roles.md) shows the column header groups as the member of row headers. For example, `users` group is member of `data.default.viewers` and `data.default.owners` by default. `users.datalake.admins` and `users.datalake.ops` are member of `service.entitlement.admin` group.

+- Service principal or the `client-id` or the `app-id` is the default owner of all the groups.

+

+### Peculiarity of `users@` group

+### Peculiarity of `users.data.root@` group

+For a full list of Entitlement API endpoints, see [OSDU entitlement service](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/release/0.15/docs). A few illustrations of how to use Entitlement APIs are available in [Manage users](how-to-manage-users.md).

+1. Create an [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) using the `client-id` generated above.

+Run the following curl command in [Azure Cloud Bash](../cloud-shell/overview.md) after you replace the placeholder values with the corresponding values found earlier in the previous steps. The access token in the response is the `client-id` auth token.

+1. Prepare the request format using the parameters.

+ https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>

+ &redirect_uri=<redirect-uri>

+ &scope=<client-id>%2f.default&state=12345&sso_reload=true

+2. After you replace the parameters, you can paste the request in the URL of any browser and select Enter.

+3. Sign in to your Azure portal if you aren't signed in already.

+4. You might see the "Hmmm...can't reach this page" error message in the browser. You can ignore it.

+ :::image type="content" source="media/how-to-generate-auth-token/localhost-redirection-error.png" alt-text="Screenshot of localhost redirection.":::

+5. The browser redirects to `http://localhost:8080/?code={authorization code}&state=...` upon successful authentication.

+6. Copy the response from the URL bar of the browser and fetch the text between `code=` and `&state`.

+7. Keep this `authorization-code` handy for future use.

+ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<client-id>

+ &scope=<client-id>%2f.default openid profile offline_access

+ &code=<authorization-code>

+ &redirect_uri=<redirect-uri>

+ &client_secret=<client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'

+ 1. Add the user to the `users@<data-partition-id>.<domain>` OSDU group with the OWNER role.

+ 2. Add the user to the `users.datalake.ops@<data-partition-id>.<domain>` OSDU group with the OWNER role to give access of all the service groups.

+ 3. Add the user to the `users.data.root@<data-partition-id>.<domain>` OSDU group with the OWNER role to give access of all the data groups.

+ Title: Send MQTT events to Microsoft Fabric via Event Hubs

+description: Shows you how to use Event Grid to send events from MQTT clients to Microsoft Fabric via Azure Event Hubs.

+# How to send MQTT events to Microsoft Fabric via Event Hubs using Azure Event Grid

+This article shows you how to use Azure Event Grid to send events from MQTT clients to Microsoft Fabric data stores via Azure Event Hubs.

+## High-level steps

+1. Create a namespace topic that receives events from MQTT clients.

+2. Create a subscription to the topic using Event Hubs as the destination.

+3. Create an event stream in Microsoft Fabric with the event hub as a source and a Fabric KQL database or Lakehouse as a destination.

+## Event flow

+1. MQTT client sends events to your Event Grid namespace topic.

+2. Event subscription to the namespace topic forwards those events to your event hub.

+3. Fabric event stream receives events from the event hub and stores them in a Fabric destination such as a KQL database or a lakehouse.

+## Detailed steps

+1. In the Azure portal, do these steps:

+ 1. [Create an Event Hubs namespace and an event hub](../event-hubs/event-hubs-create.md).

+ 1. [Create an Event Grid namespace and a topic](create-view-manage-namespace-topics.md#create-a-namespace-topic).

+ 1. [Enable managed identity on the namespace](event-grid-namespace-managed-identity.md).

+ 1. [Add the identity to Azure Event Hubs Data Sender role on the Event Hubs namespace or event hub](/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition).

+ 1. [Create a subscription to the topic using Azure Event Hubs as the destination type and select your event hub](mqtt-routing-to-event-hubs-portal.md#create-an-event-subscription-with-event-hubs-as-the-endpoint).

+ 1. [Create an Event Grid namespace and enable MQTT broker](mqtt-publish-and-subscribe-portal.md#create-a-namespace).

+ 1. [Enable routing to a namespace topic](mqtt-routing-to-event-hubs-portal.md#configure-routing-in-the-event-grid-namespace).

+1. In Microsoft Fabric, do these steps:

+ 1. [Create a lakehouse](/fabric/onelake/create-lakehouse-onelake#create-a-lakehouse).

+ 2. [Create an event stream](/fabric/real-time-analytics/event-streams/create-manage-an-eventstream#create-an-eventstream).

+ 3. [Add your event hub as an input source](/fabric/real-time-analytics/event-streams/add-manage-eventstream-sources#add-an-azure-event-hub-as-a-source).

+ 4. [Add your lakehouse as a destination](/fabric/real-time-analytics/event-streams/add-manage-eventstream-destinations#add-a-lakehouse-as-a-destination).

+1. [Publish events to the namespace topic](publish-deliver-events-with-namespace-topics.md#send-events-to-your-topic).

+## Next steps

+Build a Power BI report as shown in the sample: [Build a near-real-time Power BI report with the event data ingested in a lakehouse](/fabric/real-time-analytics/event-streams/transform-and-stream-real-time-events-to-lakehouse).

+

+-

+# Enable Top flows and Flow trace logs in Azure Firewall

+Enable the log using the following Azure PowerShell commands or navigate in the portal and search for **Enable TCP Connection Logging**:

+similar to the following output for clusters using service principals:

+And the following output for clusters using managed identity:

+```output

+ {

+ "config": null,

+ "enabled": true,

+ "identity": {

+ "clientId": "########-####-####-####-############",

+ "objectId": "########-####-####-####-############",

+ "resourceId": "<resource-id>"

+ }

+ }

+```

+If you are attempting to troubleshoot a particular ComplianceReasonCode that is appearing in your compliance results, you can search the azure-policy pod logs for that code to see the full accompanying error.

+#### 1.3.0

+Introduces error state for policies in error, enabling them to be distinguished from policies in noncompliant states. Adds support for v1 constraint templates and use of the excludedNamespaces parameter in mutation policies. Adds an error status check on constraint templates post-installation.

+- Released February 2024

+- Kubernetes 1.25+

+- Gatekeeper 3.14.0

+

+One popular goal of cloud governance is restricting what resource types are allowed in the environment. Businesses have many motivations behind resource type restrictions. For example, resource types might be costly or might go against business standards and strategies. Rather than using many policies for individual resource types, Azure Policy offers two built-in policies to achieve this goal:

+|Name<br />_{(Azure portal)} |Description |Effect |Version<br />_(GitHub) |

+1. Select the **Assign** button on the top of the page.

+1. On the **Basics** tab, set the **Scope** by selecting the ellipsis

+ and choosing a management group, subscription, or resource group. Ensure that the selected [scope](../concepts/scope.md) has at least one subscope. Then click **Select** at the bottom of the **Scope** page.

+This step only applies when the policy was assigned at the root management group scope.

+Now that you assigned a built-in policy definition, go to [All Services](https://portal.azure.com/#allservices/category/All). Azure portal is aware of the disallowed resource types from this policy assignment and disables them in the **All Services** page. The **Create** option is unavailable for disabled resource types.

+> If you assign this policy definition to your root management group, users will see the following notification when they sign in for the first time or if the policy changes after they have signed in:

+Now suppose that one subscope should be allowed to have the resource types disabled by this policy. Let's create an exemption on this scope so that otherwise restricted resources can be deployed there.

+> If you assign this policy definition to your root management group scope, Azure portal is unable to detect exemptions at lower level scopes. Resources disallowed by the policy assignment will show as disabled from the **All Services** list and the **Create** option is unavailable.

+1. Select the **Create exemption** button on the top of the page.

+1. Fill out **Exemption name** with the desired text, and leave **Exemption category** as the default of _Waiver_. Don't switch the toggle for **Exemption expiration setting**, because this exemption won't be set to expire. Optionally add an **Exemption description**, and select **Review + create**.

+With this built-in policy you specified resource types that _aren't allowed_. The alternative, more restrictive approach is to specify resource types that _are allowed_ using the **Allowed resource types** built-in policy.

+description: Use the JDBC driver from a Java application to submit Apache Hive queries to Hadoop on HDInsight.

+Learn how to use the JDBC driver from a Java application. To submit Apache Hive queries to Apache Hadoop in Azure HDInsight. The information in this document demonstrates how to connect programmatically, and from the `SQuirreL SQL` client.

+5. In the Added Driver dialog, add the following information:

+**Symptoms**: HDInsight unexpectedly disconnects the connection when trying to download a huge amount of data (say several GBs) through JDBC/ODBC.

+**Cause**: The limitation on Gateway nodes causes this error. When getting data from JDBC/ODBC, all data needs to pass through the Gateway node. However, a gateway isn't designed to download a huge amount of data, so the Gateway might close the connection if it can't handle the traffic.

+| **Custom map/reduce** | <ul><li>It provides full control over the map and reduces phases, and execution.</li><li>It allows queries to be optimized to achieve maximum performance from the cluster, or to minimize the load on the servers and the network.</li><li>The components can be written in a range of well-known languages.</li></ul> | <ul><li>It's more difficult than using Pig or Hive because you must create your own map and reduce components.</li><li>Processes that require joining sets of data are more difficult to implement.</li><li>Even though there are test frameworks available, debugging code is more complex than a normal application because the code runs as a batch job under the control of the Hadoop job scheduler.</li></ul> |

+| `Apache HCatalog` | <ul><li>It abstracts the path details of storage, making administration easier and removing the need for users to know where the data is stored.</li><li>It enables notification of events such as data availability, allowing other tools such as Oozie to detect when operations have occurred.</li><li>It exposes a relational view of data, including partitioning by key, and makes the data easy to access.</li></ul> | <ul><li>It supports RCFile, CSV text, JSON text, SequenceFile, and ORC file formats by default, but you may need to write a custom SerDe for other formats.</li><li>`HCatalog` isn't thread-safe.</li><li>There are some restrictions on the data types for columns when using the `HCatalog` loader in Pig scripts. For more information, see [HCatLoader Data Types](https://cwiki.apache.org/confluence/display/Hive/HCatalog%20LoadStore#HCatalogLoadStore-HCatLoaderDataTypes) in the Apache `HCatalog` documentation.</li></ul> |

+From time-to-time, from an ssh session with your cluster, you may receive a message that security updates are available. The message might look something like:

+The script [schedule-reboots](https://hdiconfigactions.blob.core.windows.net/linuxospatchingrebootconfigv02/schedule-reboots.sh) sets the type of reboot that will be performed on the machines in the cluster. When submitting the script action, set it to apply on all three node types: head node, worker node, and zookeeper. If the script isn't applied to a node type, the VMs for that node type won't be updated or restarted.

+description: Reducer is slow in Azure HDInsight from possible data skewing.

+If the partitions in the input table are less(say less than 10), and so is the number of output partitions, and the variable is set to `true`, this causes data to be globally sorted and written using a single reducer per partition. Even if the number of reducers available is larger, a few reducers may be lagging behind due to data skew and the max parallelism can't be attained. When changed to `false`, more than one reducer may handle a single partition and multiple smaller files are written out, resulting in faster insert. This might affect further queries though because of the presence of smaller files.

+A value of `true` makes sense when the number of partitions is larger and data isn't skewed. In such cases the result of the map phase are written out such that each partition will be handled by a single reducer resulting in better subsequent query performance.

+1. If #1 isn't possible, set the value of the config to false in beeline session and try the query again. `set hive.optimize.sort.dynamic.partition=false`. Setting the value to false at a cluster level is not recommended. The value of `true` is optimal and set the parameter as necessary based on nature of data and query.

+In this section, you learn how to check if the peering provider is registered in your subscription and how to register it if not registered. Peering provider is required to set up peering. If you previously registered the peering provider, you can skip this section.

+> [!TIP]

+> If you choose to define a list of IP addresses/ranges that can connect to the public endpoint of your IoT Central application, be sure to include the IP address of any proxy that your devices use to connect to your IoT Central application.

+ | Subscription | Select your subscription. |

+ | Name | Enter **load-balancer**. |

+ | Name | Enter **lb-frontend**. |

+ | Name | Enter **lb-frontend**. |

+ | Virtual network | Select **lb-vnet**. |

+ | Subnet | Select **backend-subnet**. |

+ | Assignment | Select **Dynamic**. |

+ | Availability zone | Select **Zone-redundant**. |

+ | Name | Enter **lb-HTTP-rule**. |

+ | Enable TCP reset | Select **checkbox**. |

+1. In **Virtual machines**, select **+ Create** > **Azure virtual machine**.

+1. In **Create a virtual machine**, enter or select the values in the **Basics** tab:

+ | Setting | Value |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **load-balancer-rg**. |

+ | Virtual machine name | Enter **lb-TestVM**. |

+ | Region | Select **(US) East US**. |

+ | Availability Options | Select **No infrastructure redundancy required**. |

+ | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

+ | Size | Choose VM size or take default setting. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter password. |

+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+1. In the **Networking** tab, select or enter:

+ | Virtual network | **lb-vnet**. |

+ | Subnet | **backend-subnet**. |

+ | NIC network security group | Select **Advanced**. |

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+1. Select **lb-vm1**.

+1. In the **Overview** page, select **Connect**, then **Bastion**.

+1. Enter the username and password entered during VM creation.

+1. Select **Connect**.

+1. On the server desktop, navigate to **Windows Administrative Tools** > **Windows PowerShell** > **Windows PowerShell**.

+1. In the PowerShell Window, execute the following commands to:

+ 1. Install the IIS server.

+ 1. Remove the default iisstart.htm file.

+ 1. Add a new iisstart.htm file that displays the name of the VM.

+ ```powershell

+ ```

+1. Close the Bastion session with **lb-vm1**.

+1. Repeat steps 1 through 8 to install IIS and the updated iisstart.htm file on **lb-VM2**.

+1. Select **load-balancer**.

+1. Make note or copy the address next to **Private IP address** in the **Overview** of **load-balancer**. If you can't see the **Private IP address** field, select **See more** in the information window.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **lb-TestVM**.

+1. In the **Overview** page, select **Connect**, then **Bastion**.

+1. Enter the username and password entered during VM creation.

+1. Open **Microsoft Edge** on **lb-TestVM**.

+1. Enter the IP address from the previous step into the address bar of the browser. The custom page displaying one of the backend server names is displayed on the browser. In this example, it's **10.1.0.4**.

+Get started with Azure Load Balancer by using the Azure portal to create a public load balancer for a backend pool with two virtual machines. Other resources include Azure Bastion, NAT Gateway, a virtual network, and the required subnets.

+In this section, you create a zone redundant load balancer that load balances virtual machines. With zone-redundancy, one or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.

+During the creation of the load balancer, you configure:

+ | Subscription | Select your subscription |

+ | Resource group | Select **load-balancer-rg** |

+ | Name | Enter **load-balancer** |

+ | Region | Select **East US** |

+ | SKU | Leave the default **Standard** |

+ | Type | Select **Public** |

+ | Tier | Leave the default **Regional** |

+ | IP Version | Select **IPv4** or **IPv6** depending on your requirements |

+ | Frontend IP address | Select **lb-frontend (To be created)** |

+ | Backend pool | Select **lb-backend-pool** |

+ | Protocol | Select **TCP** |

+ | Port | Enter **80** |

+ | Backend port | Enter **80** |

+ | Idle timeout (minutes) | Enter or select **15** |

+ | Enable TCP reset | Select checkbox |

+ | Enable Floating IP | Leave unchecked |

+ * Install the IIS server.

+ * Remove the default iisstart.htm file.

+* To test the URL for the callable endpoint that you create, you'll need a tool or app such as [Postman](https://www.postman.com/downloads/).

+ The **HTTP POST URL** box now shows the generated callback URL that other services can use to call and trigger your logic app workflow. This URL includes query parameters that specify a Shared Access Signature (SAS) key, which is used for authentication.

+1. To test the callback URL that you now have for the Request trigger, use a tool or app such as [Postman](https://www.postman.com/downloads/), and send the request using the method that the Request trigger expects.

+ This example uses the `POST` method:

+ `POST https://{logic-app-name}.azurewebsites.net:443/api/{workflow-name}/triggers/{trigger-name}/invoke?api-version=2022-05-01&sp=%2Ftriggers%2F{trigger-name}%2Frun&sv=1.0&sig={shared-access-signature}`

+ The **HTTP POST URL** box now shows the generated callback URL that other services can use to call and trigger your logic app workflow. This URL includes query parameters that specify a Shared Access Signature (SAS) key, which is used for authentication.

+1. To test the callback URL that you now have for the Request trigger, use a tool or app such as [Postman](https://www.postman.com/downloads/), and send the request using the method that the Request trigger expects.

+ This example uses the `POST` method:

+ `POST https://{server-name}.{region}.logic.azure.com/workflows/{workflow-ID}/triggers/{trigger-name}/paths/invoke/?api-version=2016-10-01&sp=%2Ftriggers%2F{trigger-name}%2Frun&sv=1.0&sig={shared-access-signature}`

+ > [!NOTE]

+ >

+ > Available alert signals differ between Consumption and Standard logic apps. For example,

+ > Consumption logic apps have many trigger-related signals, such as **Triggers Completed**

+ > and **Triggers Failed**, while Standard workflows have the **Workflow Triggers Completed Count**

+ > and **Workflow Triggers Failure Rate** signals.

+ For example, to send an alert when a trigger fails in a Consumption workflow, follow these steps:

+ 

+In this article, learn about machine learning operations (MLOps) practices in Azure Machine Learning for the purpose of managing the lifecycle of your models. Applying MLOps practices can improve the quality and consistency of your machine learning solutions.

+MLOps is based on [DevOps](https://azure.microsoft.com/overview/what-is-devops/) principles and practices that increase the efficiency of workflows. These principles include continuous integration, delivery, and deployment. MLOps applies these principles to the machine learning lifecycle, with the goal of:

+<!-- ## MLOps capabilities -->

+MLOps provides the following capabilities to the machine learning process:

+- **Register, package, and deploy models from anywhere.** Track associated metadata required to use a model.

+- **Capture governance data for the end-to-end machine learning lifecycle.** The logged lineage information can include who is publishing models and why changes were made. It can also include when models were deployed or used in production.

+- **Notify and alert on events in the machine learning lifecycle.** Events include experiment completion, model registration, model deployment, and data drift detection.

+- **Automate the end-to-end machine learning lifecycle with machine learning and Azure pipelines.** Use pipelines to frequently test and update models. You can continually roll out new machine learning models alongside your other applications and services.

+For more information on MLOps, see [Machine learning operations](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-mlops).

+Use Azure Machine Learning pipelines to stitch together all the steps in your model training process. A machine learning pipeline can contain steps that include data preparation, feature extraction, hyperparameter tuning, and model evaluation.

+If you use the [Azure Machine Learning designer](concept-designer.md) to create a machine learning pipeline, you can clone the pipeline to iterate over its design without losing your old versions. To clone a pipeline at any time in the designer, go to the upper-right corner to select **...** > **Clone**.

+For more information on Azure Machine Learning pipelines, see [Machine learning pipelines](concept-ml-pipelines.md).

+By using Azure Machine Learning environments, you can track and reproduce your projects' software dependencies as they evolve. You can use environments to ensure that builds are reproducible without manual software configurations.

+Environments describe the pip and conda dependencies for your projects. You can use environments for model training and deployment. For more information on environments, see [What are Azure Machine Learning environments?](concept-environments.md).

+A registered model is a logical container for one or more files that make up your model. For example, if you have a model that is stored in multiple files, you can register the files as a single model in your Azure Machine Learning workspace. After registration, you can then download or deploy the registered model and receive all the component files.

+You can identify registered models by name and version. Whenever you register a model with the same name as an existing model, the registry increments the version number. You can provide metadata tags during registration and use these tags when you search for a model. Azure Machine Learning supports any model that can be loaded by using Python 3.5.2 or higher.

+> You can also register models trained outside Azure Machine Learning.

+> * When you use the **Filter by** `Tags` option on the **Models** page of Azure Machine Learning studio, instead of using `TagName : TagValue`, use `TagName=TagValue` without spaces.

+For more information on how to use models in Azure Machine Learning, see [Work with models in Azure Machine Learning](./how-to-manage-models.md).

+Before you deploy a model into production, it needs to be packaged into a Docker image. In most cases, image creation automatically happens in the background during deployment; however, you can manually specify the image.

+It's useful to first deploy to your local development environment so that you can troubleshoot and debug before deploying to the cloud. This practice can help you avoid having problems with your deployment to Azure Machine Learning. For more information on how to resolve common deployment issues, see [How to troubleshoot online endpoints](how-to-troubleshoot-online-endpoints.md).

+You can convert your model to [Open Neural Network Exchange](https://onnx.ai) (ONNX) to try to improve performance. Typically, converting to ONNX can double performance.

+### Deploy models

+You can deploy trained machine learning models as [endpoints](concept-endpoints.md) in the cloud or locally. Deployments use CPU and GPU for inferencing.

+When deploying a model as an endpoint, you need to provide the following items:

+* The __model__ that is used to score data submitted to the service or device.

+* An __entry script__¹. This script accepts requests, uses the models to score the data, and returns a response.

+* An __environment__² that describes the pip and conda dependencies required by the models and entry script.

+* Any __other assets__, such as text and data that are required by the models and entry script.

+You also provide the configuration of the target deployment platform. For example, the virtual machine (VM) family type, available memory, and number of cores. When the image is created, components required by Azure Machine Learning, such as assets needed to run the web service, are also added.

+^1,2 When you deploy an MLflow model, you don't need to provide an entry script, also known as a scoring script. You also don't need to provide an environment for the deployment. For more information on deploying MLflow models, see [Guidelines for deploying MLflow models](how-to-deploy-mlflow-models.md).

+Batch scoring is supported through batch endpoints. For more information on batch scoring, see [Batch endpoints](concept-endpoints-batch.md).

+#### Real-time scoring

+You can use your models with an online endpoint for real-time scoring. Online endpoints can use the following compute targets:

+To deploy a model to an endpoint, you must provide the following items:

+For more information on deployment for real-time scoring, see [Deploy online endpoints](how-to-deploy-online-endpoints.md).

+#### Controlled rollout for online endpoints

+* Create multiple versions of an endpoint for a deployment.

+* Switch between endpoint deployments by updating the traffic percentage in the endpoint configuration.

+For more information on deployment using a controlled rollout, see [Perform safe rollout of new deployments for real-time inference](./how-to-safely-rollout-online-endpoints.md).

+Microsoft Power BI supports using machine learning models for data analytics. For more information, see [Azure Machine Learning integration in Power BI](/power-bi/transform-model/dataflows/dataflows-machine-learning-integration).

+Azure Machine Learning gives you the capability to track the end-to-end audit trail of all your machine learning assets by using metadata. For example:

+- [Azure Machine Learning data assets](how-to-create-register-datasets.md) help you track, profile, and version data.

+- [Model interpretability](how-to-machine-learning-interpretability.md) allows you to explain your models, meet regulatory compliance, and understand how models arrive at a result for a given input.

+- Azure Machine Learning Job history stores a snapshot of the code, data, and computes used to train a model.

+- [Azure Machine Learning model registry](./how-to-manage-models.md?tabs=use-local#create-a-model-in-the-model-registry) captures all the metadata associated with your model. For example, which experiment trained the model, where the model is being deployed, and if the model's deployments are healthy.

+- [Integration with Azure](how-to-use-event-grid.md) allows you to act on events, such as model registration, deployment, data drift, and training (job) events, in the machine learning lifecycle.

+> While some information on models and data assets is automatically captured, you can add more information by using _tags_. When you look for registered models and data assets in your workspace, you can use tags as a filter.

+Azure Machine Learning publishes key events to Azure Event Grid, which can be used to notify and automate on events in the machine learning lifecycle. For more information on how to set up event-driven processes based on Azure Machine Learning events, see [Custom CI/CD and event-driven workflows](how-to-use-event-grid.md).

+You can use GitHub and [Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) to create a continuous integration process that trains a model. In a typical scenario, when a data scientist checks a change into a project's Git repo, Azure Pipelines starts a training job. The results of the job can then be inspected to see the performance characteristics of the trained model. You can also create a pipeline that deploys the model as a web service.

+The [Machine Learning extension](https://marketplace.visualstudio.com/items?itemName=ms-air-aiagility.vss-services-azureml) makes it easier to work with Azure Pipelines. The extension provides the following enhancements to Azure Pipelines:

+For more information on using Azure Pipelines with Machine Learning, see [Use Azure Pipelines with Azure Machine Learning](how-to-devops-machine-learning.md).

+## Related content

+- [Set up MLOps with Azure DevOps](how-to-setup-mlops-azureml.md)

+- [Learning path: End-to-end MLOps with Azure Machine Learning](/training/paths/build-first-machine-operations-workflow/)

+- [CI/CD of machine learning models with Azure Pipelines](/azure/devops/pipelines/targets/azure-machine-learning)

+ > When **Allow Only Approved Outbound** is enabled (`isolation_mode: allow_only_approved_outbound`), conda package dependencies defined in Spark session configuration will fail to install. To resolve this problem, upload a self-contained Python package wheel with no external dependencies to an Azure storage account and create private endpoint to this storage account. Use the path to Python package wheel as `py_files` parameter in your Spark job. Setting an FQDN outbound rule will not bypass this issue as FQDN rule propagation is not supported by Spark.

+Use the following steps to enable a storage endpoint for the subnet that contains your Azure Machine Learning compute clusters and compute instances:

+1. From the left of the page, select __Subnets__ and then select the subnet that contains your compute cluster and compute instance.

+| `max_queue_wait_ms` | integer | (Deprecated) The maximum amount of time in milliseconds a request will stay in the queue. (Now increase `request_timeout_ms` to account for any networking/queue delays) | `500` |

+This article shows how to access your data with the [Azure Machine Learning studio](https://ml.azure.com). Connect to your data in Azure storage services with [Azure Machine Learning datastores](how-to-access-data.md). Then, package that data for ML workflow tasks with [Azure Machine Learning datasets](how-to-create-register-datasets.md).

+This table defines and summarizes the benefits of datastores and datasets.

+|Object|Description| Benefits|

+|Datastores| To securely connect to your storage service on Azure, store your connection information (subscription ID, token authorization, etc.) in the [Key Vault](https://azure.microsoft.com/services/key-vault/) associated with the workspace | Because your information is securely stored, you don't put authentication credentials or original data sources at risk, and you no longer need to hard code these values in your scripts

+|Datasets| Dataset creation also creates a reference to the data source location, along with a copy of its metadata. With datasets you can access data during model training, share data and collaborate with other users, and use open-source libraries, like pandas, for data exploration. | Since datasets are lazily evaluated, and the data remains in its existing location, you keep a single copy of data in your storage. Additionally, you incur no extra storage cost, you avoid unintentional changes to your original data sources, and improve ML workflow performance speeds.|

+To learn where datastores and datasets fit in the overall Azure Machine Learning data access workflow, visit [Securely access data](concept-data.md#data-workflow).

+For more information about the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/) and a code-first experience, see:

+* [Connect to Azure storage services with datastores](how-to-access-data.md)

+* [Create Azure Machine Learning datasets](how-to-create-register-datasets.md)

+- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/)

+- Access to [Azure Machine Learning studio](https://ml.azure.com/)

+- An Azure Machine Learning workspace. [Create workspace resources](../quickstart-create-resources.md)

+ - When you create a workspace, an Azure blob container and an Azure file share are automatically registered to the workspace as datastores. They're named `workspaceblobstore` and `workspacefilestore`, respectively. For sufficient blob storage resources, the `workspaceblobstore` is set as the default datastore, already configured for use. If you require more blob storage resources, you need an Azure storage account, with a [supported storage type](how-to-access-data.md#supported-data-storage-service-types).

+You can create datastores from [these Azure storage solutions](how-to-access-data.md#supported-data-storage-service-types). **For unsupported storage solutions**, and to save data egress cost during ML experiments, you must [move your data](how-to-access-data.md#move-data-to-supported-azure-storage-solutions) to a supported Azure storage solution. For more information about datastores, visit [this resource](how-to-access-data.md).

+You can create datastores with credential-based access or identity-based access.

+Create a new datastore with the Azure Machine Learning studio.

+> If your data storage account is located in a virtual network, additional configuration steps are required to ensure that the studio can access your data. Visit [Network isolation & privacy](../how-to-enable-studio-virtual-network.md) for more information about the appropriate configuration steps.

+1. Complete the form to create and register a new datastore. The form intelligently updates itself based on your selections for Azure storage type and authentication type. For more information about where to find the authentication credentials needed to populate this form, visit the [storage access and permissions section](#access-validation).

+This screenshot shows the **Azure blob datastore** creation panel:

+For more information about new datastore creation with the Azure Machine Learning studio, visit [identity-based data access](how-to-identity-based-data-access.md).

+> If your data storage account resides in a virtual network, additional configuration steps are required to ensure that Studio can access your data. Visit [Network isolation & privacy](../how-to-enable-studio-virtual-network.md) to ensure that the appropriate configuration steps are applied.

+This screenshot shows the **Azure blob datastore** creation panel:

+After you create a datastore, create a dataset to interact with your data. Datasets package your data into a lazily evaluated consumable object for machine learning tasks - for example, training. Visit [Create Azure Machine Learning datasets](how-to-create-register-datasets.md) for more information about datasets.

+Datasets have two types: FileDataset and TabularDataset. [FileDatasets](how-to-create-register-datasets.md#filedataset) create references to single or multiple files, or public URLs. [TabularDatasets](how-to-create-register-datasets.md#tabulardataset) represent data in a tabular format. You can create TabularDatasets from

+- .csv

+- .tsv

+- .parquet

+- .json

+files, and from SQL query results.

+1. Give the data asset a name and optional description. Then, under **Type**, select a Dataset type, either **File** or **Tabular**.

+1. The **Data source** pane opens next, as shown in this screenshot:

+You have different options for your data source. For data already stored in Azure, choose "From Azure storage." To upload data from your local drive, choose "From local files." For data stored at a public web location, choose "From web files." You can also create a data asset from a SQL database, or from [Azure Open Datasets](../../open-datasets/how-to-create-azure-machine-learning-dataset-from-open-dataset.md).

+1. At the file selection step, select the location where Azure should store your data, and the data files you want to use.

+ 1. Enable skip validation if your data is in a virtual network. Learn more about [virtual network isolation and privacy](../how-to-enable-studio-virtual-network.md).

+1. Follow the steps to set the data parsing settings and schema for your data asset. The settings prepopulate based on file type, and you can further configure your settings before data asset creation.

+1. Once you reach the Review step, select Create on the last page

+After you create your dataset, verify that you can view the preview and profile in the studio:

+You can use summary statistics across your data set to verify whether your data set is ML-ready. For non-numeric columns, these statistics include only basic statistics - for example, min, max, and error count. Numeric columns offer statistical moments and estimated quantiles.

+The Azure Machine Learning dataset data profile includes:

+|Statistic|Description|

+||--

+|Feature| The summarized column name

+|Profile| In-line visualization based on the inferred type. Strings, booleans, and dates have value counts. Decimals (numerics) have approximated histograms. These visualizations offer a quick understanding of the data distribution

+|Type distribution| In-line value count of types within a column. Nulls are their own type, so this visualization can detect odd or missing values

+|Type|Inferred column type. Possible values include: strings, booleans, dates, and decimals

+|Min| Minimum value of the column. Blank entries appear for features whose type doesn't have an inherent ordering (for example, booleans)

+|Count| Total number of missing and nonmissing entries in the column

+|Not missing count| Number of entries in the column that aren't missing. Empty strings and errors are treated as values, so they don't contribute to the "not missing count."

+|Quantiles| Approximated values at each quantile, to provide a sense of the data distribution

+|Mean| Arithmetic mean or average of the column

+|Standard deviation| Measure of the amount of dispersion or variation for the data of this column

+|Variance| Measure of how far the data of this column spreads out from its average value

+|Skewness| Measures the difference of this column's data from a normal distribution

+|Kurtosis| Measures the degree of "tailness" of this column's data, compared to a normal distribution

+To ensure that you securely connect to your Azure storage service, Azure Machine Learning requires that you have permission to access the corresponding data storage. This access depends on the authentication credentials used to register the datastore.

+If your data storage account is in a **virtual network**, extra configuration steps are required to ensure that Azure Machine Learning has access to your data. See [Use Azure Machine Learning studio in a virtual network](../how-to-enable-studio-virtual-network.md) to ensure the appropriate configuration steps are applied when you create and register your datastore.

+> Cross-tenant access to storage accounts is not supported. If your scenario needs cross-tenant access, please reach out to the Azure Machine Learning Data Support team alias at amldatasupport@microsoft.com for assistance with a custom code solution.

+**As part of the initial datastore creation and registration process**, Azure Machine Learning automatically validates that the underlying storage service exists and that the user-provided principal (username, service principal, or SAS token) has access to the specified storage.

+**After datastore creation**, this validation is only performed for methods that require access to the underlying storage container. The validation is **not** performed each time datastore objects are retrieved. For example, validation happens when you download files from your datastore. However, if you want to change your default datastore, validation doesn't occur.

+To authenticate your access to the underlying storage service, provide either your account key, shared access signatures (SAS) tokens, or service principal, according to the datastore type you want to create. The [storage type matrix](how-to-access-data.md#supported-data-storage-service-types) lists the supported authentication types that correspond to each datastore type.

+You can find account key, SAS token, and service principal information at your [Azure portal](https://portal.azure.com).

+* To obtain an account key for authentication, select **Storage Accounts** in the left pane, and choose the storage account that you want to register

+ * Expand the **Security + networking** node in the left nav

+ * Select **Access keys**

+ * The available key values serve as **Account key** values

+* To obtain an SAS token for authentication, select **Storage Accounts** in the left pane, and choose the storage account that you want

+ * To obtain an **Access key** value, expand the **Security + networking** node in the left nav

+ * Select **Shared access signature**

+ * Complete the process to generate the SAS value

+* To use a [service principal](../../active-directory/develop/howto-create-service-principal-portal.md) for authentication, go to your **App registrations** and select which app you want to use.

+ * Its corresponding **Overview** page contains required information like tenant ID and client ID.

+> * To change your access keys for an Azure Storage account (account key or SAS token), be sure to sync the new credentials with both your workspace and the datastores connected to it. For more information, visit [sync your updated credentials](../how-to-change-storage-access-key.md).

+> * If you unregister and then re-register a datastore with the same name, and that re-registration fails, the Azure Key Vault for your workspace may not have soft-delete enabled. By default, soft-delete is enabled for the key vault instance created by your workspace, but it may not be enabled if you used an existing key vault or have a workspace created prior to October 2020. For more information about how to enable soft-delete, visit [Turn on Soft Delete for an existing key vault](../../key-vault/general/soft-delete-change.md#turn-on-soft-delete-for-an-existing-key-vault).

+For Azure blob container and Azure Data Lake Gen 2 storage, ensure that your authentication credentials have **Storage Blob Data Reader** access. Learn more about [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader). By default, an account SAS token has no permissions.

+* [A step-by-step example of training with TabularDatasets and automated machine learning](../tutorial-first-experiment-automated-ml.md)

+* [Train a model](how-to-set-up-training-targets.md)

+* For more dataset training examples, see the [sample notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/)

+- Public preview: Using the RVTools XLSX, you can import an on-premises VMware environment's servers' configuration data into Azure Migrate and create a quick business case and also assess the cost of hosting these workloads on Azure and/or Azure VMware Solution (AVS) environments. [Learn more](migrate-support-matrix-vmware.md#import-servers-using-rvtools-xlsx-preview).

+### Azure regions

+| Central India | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Switzerland North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+If you currently have an Azure Database for MySQL - Single Server service hosting production servers, we're glad to let you know that you can migrate your Azure Database for MySQL - Single Server servers to the Azure Database for MySQL - Flexible Server service free of cost using Azure Database for MySQL Import, in-place auto-migration or Azure Database Migration Service (classic) . Review the different ways to migrate in the section below.

+| Offline/Online | Azure Database for MySQL Import and the Azure CLI | [Tutorial: Azure Database for MySQL Import with the Azure CLI](../migrate/migrate-single-flexible-mysql-import-cli.md) |

+| Offline | In-place auto-migration nomination [form] (<https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u>) | [In-place auto-migration from Azure Database for MySQL Single to Flexible Server](../migrate/migrate-single-flexible-in-place-auto-migration.md) |

+> In-place auto-migration from Azure Database for MySQL ΓÇô Single Server to Flexible Server is a service-initiated in-place migration during planned maintenance window for select Single Server database workloads. The eligible servers are identified by the service and are sent an advance notification detailing steps to review migration details. If you own a Single Server workload with Basic or GP SKU, data storage used <= 20 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for auto-migration by submitting your server details through this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u). All other Single Server workloads are recommended to use user-initiated migration tooling offered by Azure - Azure DMS, Azure Database for MySQL Import to migrate. Learn more about in-place auto-migration [here](../migrate/migrate-single-flexible-in-place-auto-migration.md).

+**A.** Your existing Azure Database for MySQL single server workloads will continue to function as before and will be officially supported until the sunset date. However, no new updates will be released for Single Server and we strongly advise you to start migrating to Azure Database for MySQL Flexible Server at the earliest. Post sunset date, Azure Database for MySQL Single Server platform will be deprecated and will no longer be available to host any existing instances.

+**A.** Unfortunately, we don't plan to support Single Server beyond the sunset date of **September 16, 2024**, and hence we strongly advise that you start planning your migration as soon as possible. Post sunset date, Azure Database for MySQL Single Server platform will be deprecated and will no longer be available to host any existing instances.

+**A.** When running the migration, you pay for the target flexible server and the source single server. The configuration and compute of the target flexible server determines the additional costs incurred. For more information, see, [Pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/). Once you've decommissioned the source single server post successful migration, you only pay for your running flexible server. There are no costs incurred while running the migration through the Azure Database Migration Service (classic), in-place auto-migration or Azure Database for MySQL Import migration tooling.

+**A.** To limit any downtime you might incur, perform an online migration to Flexible Server, which provides minimal downtime.

+**A.** You can use [Azure Database for MySQL Import (recommended)](../migrate/migrate-single-flexible-mysql-import-cli.md) to migrate. Additionally, You can use Database Migration Service (classic) to run [online](../../dms/tutorial-mysql-Azure-single-to-flex-online-portal.md) or [offline](../../dms/tutorial-mysql-azure-single-to-flex-offline-portal.md) migrations.

+**Q. The size of my database is greater than 1 TB, so how should I proceed with my migration?**

+**A.** You can use [Azure Database for MySQL Import (recommended)](../migrate/migrate-single-flexible-mysql-import-cli.md) to migrate which is highly performant for heavier workloads.

+1. Make note of the public IP address.

+1. Enter the username and password entered during virtual machine creation. Select **Connect**.

+1. In the bash prompt, enter the following command.

+| Max. Storage size | 1 TB (Basic), 4 TB or 16 TB (GP, MO). Note: Not all regions support 16 TB. | 64 TB. Note: Not all regions support 64 TB.|

+| Max IOPS | Basic - Variable. GP/MO: up to 18 K | Up to 80 K |

+| Protect from region failure | No | Yes |

+| Ability to restore a deleted server | Limited via API | Limited via API |

+| Latency | Max lag across replicas, Replica lag | Max lag across replicas, Replica lag |

+| Microsoft Defender for Cloud | Yes | Yes |

+| Performance insights (iPerf) | Yes | Yes |

+## Troubleshooting connectivity issues with Private Endpoint based networking

+Following are basic areas to check if you are having connectivity issues using Private Endpoint based networking:

+1. **Verify IP Address Assignments:** Check that the private endpoint has the correct IP address assigned and that there are no conflicts with other resources. For more information on private endpoint and IP see this [doc](../../private-link/manage-private-endpoint.md)

+2. **Check Network Security Groups (NSGs):** Review the NSG rules for the private endpoint's subnet to ensure the necessary traffic is allowed and does not have conflicting rules. For more information on NSG see this [doc](../../virtual-network/network-security-groups-overview.md)

+3. **Validate Route Table Configuration:** Ensure the route tables associated with the private endpoint's subnet and the connected resources are correctly configured with the appropriate routes.

+4. **Use Network Monitoring and Diagnostics:** Leverage Azure Network Watcher to monitor and diagnose network traffic using tools like Connection Monitor or Packet Capture. For more information on network diagnostics see this [doc](../../network-watcher/network-watcher-overview.md)

+Further details on troubleshooting private are also available in this [guide](../../private-link/troubleshoot-private-endpoint-connectivity.md)

+## Troubleshooting DNS resolution with Private Endpoint based networking

+Following are basic areas to check if you are having DNS resolution issues using Private Endpoint based networking:

+1. **Validate DNS Resolution:** Check if the DNS server or service used by the private endpoint and the connected resources is functioning correctly. Ensure the private endpoint's DNS settings are accurate. For more information on private endpoints and DNS zone settings see this [doc](../../private-link/private-endpoint-dns.md)

+2. **Clear DNS Cache:** Clear the DNS cache on the private endpoint or client machine to ensure the latest DNS information is retrieved and avoid inconsistent errors.

+3. **Analyze DNS Logs:** Review DNS logs for error messages or unusual patterns, such as DNS query failures, server errors, or timeouts. For more on DNS metrics see this [doc](../../dns/dns-alerts-metrics.md)

+> This functionality is enabled by default for flexible servers in all Azure public regions and gov clouds. It will be enabled for flexible servers in China regions soon. Also, please note that this feature is currently disabled for PostgreSQL version 16 servers, and support for it will be introduced in the near future.

+ Title: Reliability in Azure Elastic SAN

+description: Find out about reliability in Azure Elastic SAN.

+# Reliability in Elastic SAN

+This article describes reliability support in Azure Elastic SAN and covers both regional resiliency with availability zones and disaster recovery and business continuity.

+## Availability zone support

+Azure Elastic SAN supports availability zone deployment with locally redundant storage (LRS) and regional deployment with zone-redundant storage (ZRS).

+### Prerequisites

+LRS and ZRS Elastic SAN are currently only available in a subset of regions. For a list of regions, see [Scale targets for Elastic SAN](../storage/elastic-san/elastic-san-scale-targets.md).

+#### Create a resource using availability zones

+To create an Elastic SAN with an availability zone enabled, see [Deploy an Elastic SAN](../storage/elastic-san/elastic-san-create.md).

+### Zone down experience

+When deploying an Elastic SAN, if you select ZRS for your SAN's redundancy option, zonal failover is supported by the platform without manual intervention. An elastic SAN using ZRS is designed to self-heal and rebalance itself to take advantage of healthy zones automatically.

+If you deployed an LRS elastic SAN, you may need to deploy a new SAN, using snapshots exported to managed disks.

+### Low-latency design

+The latency differences between an elastic SAN on LRS and an elastic SAN on ZRS isn't particularly high. However, for workloads sensitive to latency spikes, consider an elastic SAN on LRS since it offers the lowest latency.

+### Availability zone redeployment and migration

+To migrate an elastic SAN on LRs to ZRS, you must snapshot your elastic SAN's volumes, export them to managed disk snapshots, deploy an elastic SAN on ZRS, and then create volumes on the SAN on ZRS using those disk snapshots. To learn how to use snapshots (preview), see [Snapshot Azure Elastic SAN Preview volumes (preview)](../storage/elastic-san/elastic-san-snapshots.md).

+## Disaster recovery and business continuity

+### Single and Multi-region disaster recovery

+For Azure Elastic SAN, you're responsible for the DR experience. You can [take snapshots](../storage/elastic-san/elastic-san-snapshots.md) of your volumes and [export them](../storage/elastic-san/elastic-san-snapshots.md#export-volume-snapshot) to managed disk snapshots. Then, you can [copy an incremental snapshot to a new region](../virtual-machines/disks-copy-incremental-snapshot-across-regions.md) to store your data is in a region other than the region your elastic SAN is in. You should export to regions that are geographically distant from your primary region to reduce the possibility of multiple regions being affected due to a disaster.

+#### Outage detection, notification, and management

+You can find outage declarations in [Service Health - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Health/AzureHealthBrowseBlade/~/serviceIssues).

+### Capacity and proactive disaster recovery resiliency

+Microsoft and its customers operate under the [Shared Responsibility Model](./availability-zones-overview.md#shared-responsibility-model). Shared responsibility means that for customer-enabled DR (customer-responsible services), you must address DR for any service you deploy and control. You should prevalidate any service you deploy will work with Elastic SAN. To ensure that recovery is proactive, you should always predeploy secondaries because there's no guarantee of capacity at time of impact for those who haven't preallocated.

+## Next steps

+- [Plan for deploying an Elastic SAN](../storage/elastic-san/elastic-san-planning.md)

+- [Snapshot Azure Elastic SAN volumes (preview)](../storage/elastic-san/elastic-san-snapshots.md)

+|Azure Elastic SAN|[Availability zone support](reliability-elastic-san.md#availability-zone-support)|[Disaster recovery and business continuity](reliability-elastic-san.md#disaster-recovery-and-business-continuity)|

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting March 26, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+- [Owner](built-in-roles.md#owner) role at subscription scope has the equivalent access. However, Owner is a [privileged administrator role](role-assignments-steps.md#privileged-administrator-roles) and grants full access to manage Azure resources. You should consider a job function role with fewer permissions, reduce the scope, or add a condition.

+## Prepare for Co-Administrators retirement

+Use the following steps to help you prepare for the Co-Administrator role retirement.

+### Step 1: Review your current Co-Administrators

+1. Use the Azure portal to [get a list of your Co-Administrators](#view-classic-administrators).

+1. Review the [sign-in logs](/entra/identity/monitoring-health/concept-sign-ins) for your Co-Administrators to assess whether they are active users.

+### Step 2: Remove Co-Administrators that no longer need access

+1. If user is no longer in your enterprise, [remove Co-Administrator](#remove-a-co-administrator).

+1. If user was deleted, but their Co-Administrator assignment was not removed, [remove Co-Administrator](#remove-a-co-administrator).

+ Users that have been deleted typically include the text **(User was not found in this directory)**.

+ :::image type="content" source="media/classic-administrators/user-not-found.png" alt-text="Screenshot of user not found in directory and with Co-Administrator role." lightbox="media/classic-administrators/user-not-found.png":::

+1. After reviewing activity of user, if user is no longer active, [remove Co-Administrator](#remove-a-co-administrator).

+### Step 3: Replace existing Co-Administrators with job function roles

+Most users don't need the same permissions as a Co-Administrator. Consider a job function role instead.

+1. If a user still needs some access, determine the appropriate [job function role](role-assignments-steps.md#job-function-roles) they need.

+1. Determine the [scope](scope-overview.md) user needs.

+1. Follow steps to [assign a job function role to user](role-assignments-portal.md).

+1. [Remove Co-Administrator](#remove-a-co-administrator).

+### Step 4: Replace existing Co-Administrators with Owner role and conditions

+Some users might need more access than what a job function role can provide. If you must assign the [Owner](built-in-roles.md#owner) role, consider adding a condition to constrain the role assignment.

+1. Assign the [Owner role at subscription scope with conditions](role-assignments-portal-subscription-admin.md) to the user.

+1. [Remove Co-Administrator](#remove-a-co-administrator).

+## View classic administrators

+Follow these steps to view the Service Administrator and Co-Administrators for a subscription using the Azure portal.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting March 26, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting March 26, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+To remove the Service Administrator, you must have a user who is assigned the [Owner](built-in-roles.md#owner) role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting March 26, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting March 26, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

+- [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation)

+- In Azure Cloud Shell, create a new group using the [New-MgGroup](/powershell/module/microsoft.graph.groups/new-mggroup) command.

+ New-MgGroup -DisplayName "RBAC Tutorial Group" -MailEnabled:$false `

+ -SecurityEnabled:$true -MailNickName "NotSet"

+ ```output

+ DisplayName Id MailNickname Description GroupTypes

+ -- -- -- -

+ RBAC Tutorial Group 11111111-1111-1111-1111-111111111111 NotSet {}

+1. Get the object ID of the group using the [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup) command.

+ Get-MgGroup -Filter "DisplayName eq 'RBAC Tutorial Group'"

+ ```output

+ DisplayName Id MailNickname Description GroupTypes

+ -- -- -- -

+ RBAC Tutorial Group 11111111-1111-1111-1111-111111111111 NotSet {}

+1. Delete the group using the [Remove-MgGroup](/powershell/module/microsoft.graph.groups/remove-mggroup) command.

+ Remove-MgGroup -GroupID $groupId

+# Next hop IP support

+With the support for Next hop IP in Azure Route Server, you can peer with network virtual appliances (NVAs) that are deployed behind an Azure internal load balancer. The internal load balancer lets you set up active-passive connectivity scenarios and use load balancing to improve connectivity performance.

+> Active-active NVA connectivity may result in asymmetric routing.

+Next hop IP addresses are set up in the BGP configuration of the target NVAs. The Next hop IP isn't part of the Azure Route Server configuration.

+- [Configure Azure Route Server](quickstart-configure-route-server-portal.md).

+- [Monitor Azure Route Server](monitor-route-server.md).

+Use the [az workloads sap-application-server-instance stop](/cli/azure/workloads/sap-application-server-instance#az-workloads-sap-application-server-instance-stop) command:

+Use the [az workloads sap-database-instance stop](/cli/azure/workloads/sap-database-instance#az-workloads-sap-database-instance-stop) command:

+Setting up a private connection allows a search service to connect to a virtual network IP address instead of a port that's open to the internet. The object created for the connection is called a *shared private link*. On the connection, the search service uses the shared private link internally to reach an Azure PaaS resource inside the network boundary.

+In service-to-service communications, Azure AI Search typically sends a request over a public internet connection. However, if your data, key vault, or function should be accessed through a [private endpoint](../private-link/private-endpoint-overview.md), you must create a *shared private link*.

+Only your search service can use the private links that it creates, and there can be only one shared private link created on your service for each resource and subresource combination.

+Once you set up the private link, it's used automatically whenever the search service connects to that PaaS resource. You don't need to modify the connection string or alter the client you're using to issue the requests, although the device used for the connection must connect using an authorized IP in the Azure PaaS resource's firewall.

+ + On the Azure PaaS resource, you must have the permission to approve private endpoint connections. For instance, if you're using an Azure Storage account as your data source (such as Blob container, Azure Files share, Azure table), you need `Microsoft.Storage/storageAccounts/privateEndpointConnectionsApproval/action`.

+ + On the search service, you must have read and write permissions on shared private link resources and read operation statuses:

+ + `Microsoft.Search/searchServices/sharedPrivateLinkResources/write`

+ + `Microsoft.Search/searchServices/sharedPrivateLinkResources/read`

+ + `Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read`

+| Resource type | Subresource (or Group ID) |

+<sup>1</sup> If Azure Storage and Azure AI Search are in the same region, the connection to storage is made over the Microsoft backbone network, which means a shared private link is redundant for this configuration. However, if you already set up a private endpoint for Azure Storage, you should also set up a shared private link or the connection is refused on the storage side. Also, if you're using multiple storage formats for various scenarios in search, make sure to create a separate shared private link for each subresource.

+<sup>3</sup> The `Microsoft.Web/sites` resource type is used for App service and Azure functions. In the context of Azure AI Search, an Azure function is the more likely scenario. An Azure function is commonly used for hosting the logic of a custom skill. Azure Function has Consumption, Premium, and Dedicated [App Service hosting plans](../app-service/overview-hosting-plans.md). The [App Service Environment (ASE)](../app-service/environment/overview.md) and [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) aren't supported at this time.

+When you complete the steps in this section, you have a shared private link that's provisioned in a pending state. **It takes several minutes to create the link**. Once it's created, the resource owner must approve the request before it's operational.

+1. On the **Shared Private Access** page, select **+ Add Shared Private Access**.

+ :::image type="content" source="media/search-indexer-howto-secure-access/new-shared-private-link-resource.png" lightbox="media/search-indexer-howto-secure-access/new-shared-private-link-resource.png" alt-text="Screenshot of the Add Shared Private Access page, showing a guided experience for creating a shared private link resource." :::

+ :::image type="content" source="media/search-indexer-howto-secure-access/new-shared-private-link-resource-manual.png" lightbox="media/search-indexer-howto-secure-access/new-shared-private-link-resource-manual.png" alt-text="Screenshot of the Add Shared Private Access page, showing the manual experience for creating a shared private link resource.":::

+ :::image type="content" source="media/search-indexer-howto-secure-access/new-shared-private-link-resource-progress.png" lightbox="media/search-indexer-howto-secure-access/new-shared-private-link-resource-progress.png" alt-text="Screenshot of the Add Shared Private Access page, showing the resource creation in progress.":::

+ :::image type="content" source="media/search-indexer-howto-secure-access/new-shared-private-link-resource-success.png" lightbox="media/search-indexer-howto-secure-access/new-shared-private-link-resource-success.png" alt-text="Screenshot of the Add Shared Private Access page, showing the resource creation completed.":::

+1. Switch to a REST client and set up a [GET Shared Private Link Resource](/rest/api/searchmanagement/shared-private-link-resources/get). This step allows you to review existing shared private links to ensure you're not duplicating a link. There can be only one shared private link for each resource and subresource combination.

+1. On the **Authorization** page, select **Bearer Token** and then paste in the token.

+1. Send the request. You should get a list of all shared private link resources that exist for your search service. Make sure there's no existing shared private link for the resource and subresource combination.

+First, use [Get-AzSearchSharedPrivateLinkResource](/powershell/module/az.search/get-azsearchprivatelinkresource) to review any existing shared private links to ensure you're not duplicating a link. There can be only one shared private link for each resource and subresource combination.

+First, use [az-search-shared-private-link-resource list](/cli/azure/search/shared-private-link-resource) to review any existing shared private links to ensure you're not duplicating a link. There can be only one shared private link for each resource and subresource combination.

+Approval of the private endpoint connection is granted on the Azure PaaS side. It might be automatic if the service consumer has Azure role-based access control (RBAC) permissions on the service provider resource. Otherwise, manual approval is required. For details, see [Manage Azure private endpoints](/azure/private-link/manage-private-endpoint).

+This section assumes manual approval and the portal for this step, but you can also use the REST APIs of the Azure PaaS resource. [Private Endpoint Connections (Storage Resource Provider)](/rest/api/storagerp/privateendpointconnections) and [Private Endpoint Connections (Cosmos DB Resource Provider)](/rest/api/cosmos-db-resource-provider/2023-03-15/private-endpoint-connections) are two examples.

+1. In the Azure portal, open the **Networking** page of the Azure PaaS resource.[text](https://ms.portal.azure.com/#blade%2FHubsExtension%2FResourceMenuBlade%2Fid%2F%2Fsubscriptions%2Fa5b1ca8b-bab3-4c26-aebe-4cf7ec4791a0%2FresourceGroups%2Ftest-private-endpoint%2Fproviders%2FMicrosoft.Network%2FprivateEndpoints%2Ftest-private-endpoint)

+ :::image type="content" source="media/search-indexer-howto-secure-access/storage-privateendpoint-approval.png" lightbox="media/search-indexer-howto-secure-access/storage-privateendpoint-approval.png" alt-text="Screenshot of the Azure portal, showing the Private endpoint connections pane.":::

+ :::image type="content" source="media/search-indexer-howto-secure-access/storage-privateendpoint-after-approval.png" lightbox="media/search-indexer-howto-secure-access/storage-privateendpoint-after-approval.png" alt-text="Screenshot of the Azure portal, showing an Approved status on the Private endpoint connections pane.":::

+The private endpoint link on the page only resolves to the private link definition in Azure AI Search if there's shared tenancy between Azure AI Search backend private link and the Azure PaaS resource.

+A status message of `"The access token is from the wrong issuer"` and `must match the tenant associated with this subscription` appears because the backend private endpoint resource is provisioned in a Microsoft-managed tenant, while the linked resource (Azure AI Search) is in your tenant. It's by design you can't access the private endpoint resource by selecting the private endpoint connection link.

+Follow the instructions in the next section to check the status of your shared private link.

+On the Azure AI Search side, you can confirm request approval by revisiting the Shared Private Access page of the search service **Networking** page. Connection state should be approved.

+ :::image type="content" source="media/search-indexer-howto-secure-access/new-shared-private-link-resource-approved.png" alt-text="Screenshot of the Azure portal, showing an Approved shared private link resource.":::

+[Indexer execution](search-indexer-securing-resources.md#indexer-execution-environment) occurs in either a private environment that's specific to the search service, or a multitenant environment that's used internally to offload expensive skillset processing for multiple customers.

+The execution environment is transparent, but once you start building firewall rules or establishing private connections, you must take indexer execution into account. For a private connection, configure indexer execution to always run in the private environment.

+ "kind": "vector",

+ "kind": "vector",

+ "kind": "vector",

+ "kind": "vector",

+ "kind": "vector",

+ "kind": "vector",

+ "kind": "text",

+ "kind": "text",

+A [hybrid approach](hybrid-search-overview.md) that includes full text search can mitigate this problem. Another mitigation is to set a minimum threshold on the search score, but only if the query is a pure single vector query. Hybrid queries aren't conducive to minimum thresholds because the RRF ranges are so much smaller and volatile.

+An index schema for a vector store requires a name, a key field, one or more vector fields, and a vector configuration. Nonvector fields are recommended for hybrid queries, or for returning verbatim human readable content that doesn't have to go through a language model. For instructions about vector configuration, see [Create a vector store](vector-search-how-to-create-index.md).

+A vector field, such as "content_vector" in the following example, is of type `Collection(Edm.Single)`. It must be searchable and retrievable. It can't be filterable, facetable, or sortable, and it can't have analyzers, normalizers, or synonym map assignments. It must have dimensions set to the number of embeddings generated by the embedding model. For instance, if you're using text-embedding-ada-002, it generates 1,536 embeddings. A vector search profile is specified in a vector search configuration and assigned to a vector field using the profile name.

+Content (nonvector) fields are useful for human readable text returned directly from the search engine. If you're using language models exclusively for response formulation, you can skip nonvector content fields. The following example assumes that "content" is the human readable equivalent of the "content_vector" field.

+- Set the alert **Severity** as appropriate, matching the impact the activity triggering the rule might have on the target environment, should the rule be a true positive.

+ - **Informational**. No impact on your system, but the information might be indicative of future steps planned by a threat actor.

+ - **Low**. The immediate impact would be minimal. A threat actor would likely need to conduct multiple steps before achieving an impact on an environment.

+ - **Medium**. The threat actor could have some impact on the environment with this activity, but it would be limited in scope or require additional activity.

+ - **High**. The activity identified provides the threat actor with wide ranging access to conduct actions on the environment or is triggered by impact on the environment.

+ Severity level defaults are not a guarantee of current or environmental impact level. [Customize alert details](customize-alert-details.md) to customize the severity, tactics, and other properties of a given instance of an alert with the values of any relevant fields from a query output.

+

+ Severity definitions for Microsoft Sentinel analytics rule templates are relevant only for alerts created by analytics rules. For alerts ingested from from other services, the severity is defined by the source security service.

+

+The activation path during Service Fabric containers deployment, handles the downloading of the container images to the VM on which the containers are running. Once the containers are removed from the cluster and their application types are unregistered, there's a cleanup cycle that deletes the container images. This container image cleanup works only if the container image was hard coded in the service manifest. For existing Service Fabric runtime versions, the configurations supporting the cleanup of the container images are as follows -

+Starting Service Fabric version 10.0 there's a newer version of the container image deletion flow. This flow cleans up container images irrespective of how the container images were defined - either hard coded or parameterized during application deployment. PruneContainerImages and ContainerImageDeletionEnabled configuration are mutually exclusive and cluster upgrade validation exists to ensure one or the other is switched on but not both. The configuration supporting this feature are as follows -

+ |ContainerImageDeletionOnAppInstanceDeletionEnabled |Setting to enable or disable deletion of expired ttl container images only after application was deleted as well. |

+2. Add a node to a cluster by using the [az sf cluster node add PowerShell command](/cli/azure/sf/cluster/node#az-sf-cluster-node-add()).

+3. Remove a node from a cluster by using the [az sf cluster node remove PowerShell command](/cli/azure/sf/cluster/node#az-sf-cluster-node-remove()).

+* Do not dispose or cancel a committing transaction. This is not supported and could crash the host process.

+- [Azure Elastic SAN](../elastic-san/elastic-san-introduction.md): A fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN in Azure.

+| **Azure Elastic SAN** | Azure Elastic SAN is a fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN, while also offering built-in cloud capabilities like high availability. | You want large scale storage that is interoperable with multiple types of compute resources (such as SQL, MariaDB, Azure virtual machines, and Azure Kubernetes Services) accessed via the [internet Small Computer Systems Interface](https://en.wikipedia.org/wiki/ISCSI) (iSCSI) protocol.|

+## Azure Elastic SAN

+Azure Elastic storage area network (SAN) is Microsoft's answer to the problem of workload optimization and integration between your large scale databases and performance-intensive mission-critical applications. Elastic SAN is a fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN, while also offering built-in cloud capabilities like high availability.

+For more information about Azure Elastic SAN, see [What is Azure Elastic SAN?](../elastic-san/elastic-san-introduction.md).

+- This article assumes you've already installed Azure Container Storage on your AKS cluster, and that you've created a storage pool and persistent volume claim (PVC) using either [Azure Disks](use-container-storage-with-managed-disks.md) or [ephemeral disk (local storage)](use-container-storage-with-local-disk.md). Azure Elastic SAN doesn't support resizing volumes.

+- Take note of your Azure subscription ID. We recommend using a subscription on which you have a [Kubernetes contributor](../../role-based-access-control/built-in-roles.md#kubernetes-extension-contributor) role if you want to use Azure Disks or Ephemeral Disk as data storage. If you want to use Azure Elastic SAN as data storage, you'll need an [Owner](../../role-based-access-control/built-in-roles.md#owner) role on the Azure subscription.

+- **Azure Elastic SAN**: Azure Elastic SAN preview is a good fit for general purpose databases, streaming and messaging services, CI/CD environments, and other tier 1/tier 2 workloads. Storage is provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time.

+> For Azure Elastic SAN and Azure Disks, Azure Container Storage will deploy the backing storage for you as part of the installation. You don't need to create your own Elastic SAN or Azure Disk.

+If you intend to use Azure Elastic SAN or Azure Disks as backing storage, then you should choose a [general purpose VM type](../../virtual-machines/sizes-general.md) such as **standard_d4s_v5** for the cluster nodes. If you intend to use Ephemeral Disk, choose a [storage optimized VM type](../../virtual-machines/sizes-storage.md) with NVMe drives such as **standard_l8s_v3**. In order to use Ephemeral Disk, the VMs must have NVMe drives. You'll specify the VM type when you create the cluster in the next section.

+> If you specified Azure Elastic SAN as backing storage for your storage pool and you don't have owner-level access to the Azure subscription, only Azure Container Storage will be installed and a storage pool won't be created. In this case, you'll have to [create an Elastic SAN storage pool manually](use-container-storage-with-elastic-san.md).

+- [Create persistent volume claim with Azure Elastic SAN](use-container-storage-with-elastic-san.md#create-a-persistent-volume-claim)

+ During public preview, Azure Container Storage supports only Azure Kubernetes Service (AKS) with storage pools provided by Azure Disks, Ephemeral Disk, or Azure Elastic SAN.

+Azure Container Storage offers persistent volume support with ReadWriteOnce access mode to Linux-based [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) clusters. Supported backing storage options include block storage offerings only: Azure Disks, Ephemeral Disks, and Azure Elastic SAN. The following table summarizes the supported storage types, recommended workloads, and provisioning models.

+| **[Azure Elastic SAN](../elastic-san/elastic-san-introduction.md)** | Provision on demand, fully managed resource | General purpose databases, streaming and messaging services, CD/CI environments, and other tier 1/tier 2 workloads. | Azure Elastic SAN | Provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time. |

+* **Accelerate VM-to-container initiatives:** Azure Container Storage surfaces the full spectrum of Azure block storage offerings that were previously only available for VMs and makes them available for containers. This includes ephemeral disk that provides extremely low latency for workloads like Cassandra, as well as Azure Elastic SAN that provides native iSCSI and shared provisioned targets.

+* Take note of your Azure subscription ID. We recommend using a subscription on which you have a [Kubernetes contributor](../../role-based-access-control/built-in-roles.md#kubernetes-extension-contributor) role if you want to use Azure Disks or Ephemeral Disk as data storage. If you want to use Azure Elastic SAN as data storage, you'll need an [Owner](../../role-based-access-control/built-in-roles.md#owner) role on the Azure subscription.

+* **[Azure Elastic SAN](../elastic-san/elastic-san-introduction.md)**: Azure Elastic SAN preview is a good fit for general purpose databases, streaming and messaging services, CD/CI environments, and other tier 1/tier 2 workloads. Storage is provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time.

+If you intend to use Azure Elastic SAN or Azure Disks with Azure Container Storage, then you should choose a [general purpose VM type](../../virtual-machines/sizes-general.md) such as **standard_d4s_v5** for the cluster nodes.

+* [Use Azure Container Storage Preview with Azure Elastic SAN](use-container-storage-with-elastic-san.md)

+- This article assumes you've already installed Azure Container Storage on your AKS cluster, and that you've created a storage pool and persistent volume claim (PVC) using either [Azure Disks](use-container-storage-with-managed-disks.md) or [ephemeral disk (local storage)](use-container-storage-with-local-disk.md). Azure Elastic SAN doesn't support resizing volumes.

+ Title: Use Azure Container Storage Preview with Azure Elastic SAN

+description: Configure Azure Container Storage Preview for use with Azure Elastic SAN. Create a storage pool, select a storage class, create a persistent volume claim, and attach the persistent volume to a pod.

+# Use Azure Container Storage Preview with Azure Elastic SAN

+[Azure Container Storage](container-storage-introduction.md) is a cloud-based volume management, deployment, and orchestration service built natively for containers. This article shows you how to configure Azure Container Storage to use Azure Elastic SAN as back-end storage for your Kubernetes workloads. At the end, you'll have a pod that's using Elastic SAN as its storage.

+> To use Azure Container Storage with Azure Elastic SAN, your AKS cluster should have a node pool of at least three [general purpose VMs](../../virtual-machines/sizes-general.md) such as **standard_d4s_v5** for the cluster nodes, each with a minimum of four virtual CPUs (vCPUs).

+Follow these steps to create a storage pool with Azure Elastic SAN.

+When the storage pool is created, Azure Container Storage will create a storage class on your behalf using the naming convention `acstor-<storage-pool-name>`. It will also create an Azure Elastic SAN resource.

+## Assign Contributor role to AKS managed identity on Azure Elastic SAN subscription

+Next, you must assign the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) Azure RBAC built-in role to the AKS managed identity on your Azure Elastic SAN subscription. You'll need an [Owner](../../role-based-access-control/built-in-roles.md#owner) role for your Azure subscription in order to do this. If you don't have sufficient permissions, ask your admin to perform these steps.

+1. Select **Subscriptions**, and locate and select the subscription associated with the Azure Elastic SAN resource that Azure Container Storage created on your behalf. This will likely be the same subscription as the AKS cluster that Azure Container Storage is installed on. You can verify this by locating the Elastic SAN resource in the resource group that AKS created (`MC_YourResourceGroup_YourAKSClusterName_Region`).

+- This article assumes you've already installed Azure Container Storage on your AKS cluster, and that you've created a storage pool and persistent volume claim (PVC) using either [Azure Disks](use-container-storage-with-managed-disks.md) or [ephemeral disk (local storage)](use-container-storage-with-local-disk.md). Azure Elastic SAN doesn't support volume snapshots.

+ Title: Create multiple Azure Elastic SAN volumes in a batch

+description: Azure PowerShell Script Sample - Create multiple Elastic SAN volumes in a batch.

+# Create multiple elastic SAN volumes in a batch

+ Title: Best practices for configuring an Elastic SAN

+# Optimize the performance of your Elastic SAN

+For more information regarding MPIO cmdlets, see [MPIO reference](/powershell/module/mpio/).

+For more information on performance, see [Elastic SAN and virtual machine performance](elastic-san-performance.md).

+ Title: Use customer-managed keys with an Azure Elastic SAN

+ Title: Connect an Azure Elastic SAN volume to an AKS cluster.

+description: Learn how to connect to an Azure Elastic SAN volume an Azure Kubernetes Service cluster.

+# Connect Azure Elastic SAN volumes to an Azure Kubernetes Service cluster (Preview)

+This article explains how to connect an Azure Elastic storage area network (SAN) volume from an Azure Kubernetes Service (AKS) cluster. To make this connection, enable the [Kubernetes iSCSI CSI driver](https://github.com/kubernetes-csi/csi-driver-iscsi) on your cluster. With this driver, you can access volumes on your Elastic SAN by creating persistent volumes on your AKS cluster, and then attaching the Elastic SAN volumes to the persistent volumes.

+- [Deploy an Elastic SAN](elastic-san-create.md)

+[Plan for deploying an Elastic SAN](elastic-san-planning.md)

+[Configure Elastic SAN networking]: elastic-san-networking.md

+ Title: Connect to an Azure Elastic SAN volume - Linux.

+description: Learn how to connect to an Azure Elastic SAN volume from a Linux client.

+# Connect to Elastic SAN volumes - Linux

+This article explains how to connect to an Elastic storage area network (SAN) volume from an individual Linux client. For details on connecting from a Windows client, see [Connect to Elastic SAN volumes - Windows](elastic-san-connect-windows.md).

+You must use a cluster manager when connecting an individual elastic SAN volume to multiple clients. For details, see [Use clustered applications on Azure Elastic SAN](elastic-san-shared-volumes.md).

+- [Deploy an Elastic SAN](elastic-san-create.md)

+[Configure Elastic SAN networking](elastic-san-networking.md)

+ Title: Connect to an Azure Elastic SAN volume - Windows

+description: Learn how to connect to an Azure Elastic SAN volume from a Windows client.

+# Connect to Elastic SAN volumes - Windows

+This article explains how to connect to an Elastic storage area network (SAN) volume from an individual Windows client. For details on connecting from a Linux client, see [Connect to Elastic SAN volumes - Linux](elastic-san-connect-linux.md).

+You must use a cluster manager when connecting an individual elastic SAN volume to multiple clients. For details, see [Use clustered applications on Azure Elastic SAN](elastic-san-shared-volumes.md).

+- [Deploy an Elastic SAN](elastic-san-create.md)

+[Configure Elastic SAN networking](elastic-san-networking.md)

+ Title: Create an Azure Elastic SAN

+description: Learn how to deploy an Azure Elastic SAN with the Azure portal, Azure PowerShell module, or Azure CLI.

+# Deploy an Elastic SAN

+This article explains how to deploy and configure an elastic storage area network (SAN). If you're interested in Azure Elastic SAN, or have any feedback you'd like to provide, fill out [this](https://aka.ms/ElasticSANPreviewSignup) optional survey.

+ :::image type="content" source="media/elastic-san-create/elastic-san-create-flow.png" alt-text="Screenshot of creation flow." lightbox="media/elastic-san-create/elastic-san-create-flow.png":::

+| `<Zone>` | The availability zone where the Elastic SAN will be created.<br> *Specify the same availability zone as the zone that will host your workload.*<br>*Use only if the Elastic SAN will use locally redundant storage.*<br> *Must be a zone supported in the target location such as `1`, `2`, or `3`.* |

+The following command creates an Elastic SAN that uses **locally redundant** storage.

+| `<Zone>` | The availability zone where the Elastic SAN will be created.<br> *Specify the same availability zone as the zone that will host your workload.*<br>*Use only if the Elastic SAN uses locally redundant storage.*<br> *Must be a zone supported in the target location such as `1`, `2`, or `3`.* |

+The following command creates an Elastic SAN that uses **locally redundant** storage.

+Now that you've deployed an Elastic SAN, Connect to Elastic SAN volumes from either [Windows](elastic-san-connect-windows.md) or [Linux](elastic-san-connect-linux.md) clients.

+ Title: Delete an Azure Elastic SAN

+description: Learn how to delete an Azure Elastic SAN with the Azure portal, Azure PowerShell module, or the Azure CLI.

+# Delete an Elastic SAN

+You can use the following script to create your connections. To execute it, you'll require the following parameters:

+You can delete your SAN by using the Azure portal, Azure PowerShell, or Azure CLI. If you delete a SAN or a volume group, the corresponding child resources are deleted along with it. The delete commands for each of the resource levels are below.

+The following commands delete your volumes. These commands use `ForceDelete false`, `-DeleteSnapshot false`, `--x-ms-force-delete false`, and `--x-ms-delete-snapshots false` parameters for PowerShell and CLI, respectively. If you set `ForceDelete` or `--x-ms-force-delete` to `true`, it causes volume deletion to succeed even if you have active iSCSI connections. If you set `-DeleteSnapshot` or `--x-ms-delete-snapshots` to `true`, it deletes all snapshots associated with the volume, and the volume itself.

+[Plan for deploying an Elastic SAN](elastic-san-planning.md)

+ Title: Manage customer-managed keys for Elastic SAN

+description: Learn how to manage customer-managed keys for Azure Elastic SAN

+# Manage customer-managed keys for Azure Elastic SAN

+ Title: Encryption options for Azure Elastic SAN

+# Learn about encryption for an Azure Elastic SAN

+ Title: Increase the size of an Azure Elastic SAN and its volumes

+description: Learn how to increase the size of an Azure Elastic SAN and its volumes with the Azure portal, Azure PowerShell module, or Azure CLI.

+# Increase the size of an Elastic SAN

+This article covers increasing the size of an Elastic storage area network (SAN) and an individual volume, if you need additional storage or performance. Be sure you need the storage or performance before you increase the size because decreasing the size isn't supported, to prevent data loss.

+ Title: Introduction to Azure Elastic SAN

+description: An overview of Azure Elastic SAN, a service that enables you to create a virtual SAN to act as the storage for multiple compute options.

+# What is Azure Elastic SAN?

+Azure Elastic storage area network (SAN) is Microsoft's answer to the problem of workload optimization and integration between your large scale databases and performance-intensive mission-critical applications. Elastic SAN is a fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN, while also offering built-in cloud capabilities like high availability.

+| Snapshots (preview) | ✔️ |

+[Plan for deploying an Elastic SAN](elastic-san-planning.md)

+ Title: Metrics for Azure Elastic SAN

+description: Learn about the available metrics for an Azure Elastic SAN.

+# Elastic SAN metrics

+Azure offers metrics in the Azure portal that provide insight into your Elastic SAN resources. This article provides definitions of the specific metrics you can select to monitor.

+## Metrics definitions

+The following metrics are currently available for your Elastic SAN resource. You can configure and view them in the Azure portal:

+|Metric|Definition|

+|||

+|**Used Capacity**|The total amount of storage used in your SAN resources. At the SAN level, it's the sum of capacity used by volume groups and volumes, in bytes. At the volume group level, it's the sum of the capacity used by all volumes in the volume group, in bytes|

+|**Transactions**|The number of requests made to a storage service or the specified API operation. This number includes successful and failed requests, as well as requests that produced errors.|

+|**E2E Latency**|The average end-to-end latency of successful requests made to the resource or the specified API operation.|

+|**Server Latency**|The average time used to process a successful request. This value doesn't include the network latency specified in **E2E Latency**. |

+|**Ingress**|The amount of ingress data. This number includes ingress from an external client into the resource as well as ingress within Azure. |

+|**Egress**|The amount of egress data. This number includes egress from an external client into the resource as well as egress within Azure. |

+By default, all metrics are shown at the SAN level. To view these metrics at either the volume group or volume level, select a filter on your selected metric to view your data on a specific volume group or volume.

+## Next steps

+- [Azure Monitor Metrics overview](../../azure-monitor/essentials/data-platform-metrics.md)

+- [Azure Monitor Metrics aggregation and display explained](../../azure-monitor/essentials/metrics-aggregation-explained.md)

+ Title: Azure Elastic SAN networking concepts

+description: An overview of Azure Elastic SAN networking options, including storage service endpoints, private endpoints, and iSCSI.

+# Learn about networking configurations for Elastic SAN

+Azure Elastic storage area network (SAN) allows you to secure and control the level of access to your Elastic SAN volumes that your applications and enterprise environments require. This article describes the options for allowing users and applications access to Elastic SAN volumes from an [Azure virtual network infrastructure](../../virtual-network/vnet-integration-for-azure-services.md).

+[Configure Elastic SAN networking](elastic-san-networking.md)

+ Title: Configure networking for Azure Elastic SAN

+description: Learn how to configure access to an Azure Elastic SAN.

+# Configure network access for Azure Elastic SAN

+You can control access to your Azure Elastic storage area network (SAN) volumes. Controlling access allows you to secure your data and meet the needs of your applications and enterprise environments.

+- [Connect Azure Elastic SAN volumes to an Azure Kubernetes Service cluster](elastic-san-connect-aks.md)

+- [Connect to Elastic SAN volumes - Linux](elastic-san-connect-linux.md)

+- [Connect to Elastic SAN volumes - Windows](elastic-san-connect-windows.md)

+ Title: Azure Elastic SAN and virtual machine performance

+# How performance works when virtual machines are connected to Elastic SAN volumes

+[Deploy an Elastic SAN](elastic-san-create.md).

+ Title: Planning for an Azure Elastic SAN

+# Plan for deploying an Elastic SAN

+Before deploying an Elastic SAN, consider the following:

+In the Elastic SAN, you can enable or disable public network access at the Elastic SAN level. You can also configure access to volume groups in the SAN over both public [Storage service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md) and [private endpoints](../../private-link/private-endpoint-overview.md) from selected virtual network subnets. Once network access is configured for a volume group, the configuration is inherited by all volumes belonging to the group. If you disable public access at the SAN level, access to the volume groups within that SAN is only available over private endpoints, regardless of individual configurations for the volume group.

+## Migration

+There are currently two options for migrating your data into Azure Elastic SAN. Both paths require deploying and configuring an elastic SAN first, and then creating volumes through the migration process.

+- [Cirrus Data](https://www.cirrusdata.com/) which allows you to migrate from external locations such as an on-premises SAN.

+- [Managed disk snapshots (preview)](elastic-san-snapshots.md#create-a-volume-from-a-managed-disk-snapshot), which allows you to migrate from managed disks to elastic SAN volumes.

+- [Networking options for Elastic SAN](elastic-san-networking-concepts.md)

+- [Deploy an Elastic SAN](elastic-san-create.md)

+ Title: Elastic SAN scalability and performance targets

+# Scale targets for Elastic SAN

+An Elastic SAN has three attributes that determine its performance: total capacity, IOPS, and throughput.

+The region your SAN is located in and your SAN's redundancy determines its maximum total capacity. The minimum total capacity for an Elastic SAN is 1 tebibyte (TiB). Base or additional capacity can be increased in increments of 1 TiB.

+Different regions have varying levels of base storage capacity available. We break them down into two sets, regions with a higher base storage capacity available, and regions with a lower base storage capacity available. Other than the base storage capacity differences, which directly affect the available performance that a SAN can distribute to its volumes and volume groups, there are no differences between these sets of regions.

+##### Higher available base storage capacity

+The following regions are regions with higher base storage capacity available, and the table following the regions outlines their scale targets: Australia East, Brazil South, Canada Central, Germany West, North Europe, West Europe, UK South, East US, East US 2, South Central US, US Central, and West US 2.

+|Resource |Values |

+|||

+|Maximum number of Elastic SANs that can be deployed per subscription per region | 5 |

+|Maximum capacity-only units (TiB) | 600 |

+|Maximum base capacity units (TiB) | 400 |

+|Minimum total SAN capacity (TiB) | 1 |

+|Maximum total IOPS |2,000,000 |

+|Maximum total throughput (MB/s) |80,000 |

+##### Lower available base storage capacity

+The following regions are regions with higher base storage capacity available, and the table following the regions outlines their scale targets: East Asia, Korea Central, South Africa North, France Central, Southeast Asia, West US 3, Sweden Central, Switzerland North.

+|Resource |Values |

+|||

+|Maximum number of Elastic SANs that can be deployed per subscription per region | 5 |

+|Maximum capacity-only units (TiB) | 100 |

+|Maximum base capacity units (TiB) | 100 |

+|Minimum total SAN capacity (TiB) | 1 |

+|Maximum total IOPS |500,000 |

+|Maximum total throughput (MB/s) |20,000 |

+|Maximum capacity-only units (TiB) |200 |200 |200 |200 |

+#### Quota and capacity increases

+For capacity increase requests, raise a support ticket with the subscription ID and the region information and it will be evaluated.

+[Plan for deploying an Elastic SAN](elastic-san-planning.md)

+ Title: Use clustered applications on Azure Elastic SAN

+description: Learn more about using clustered applications on an Elastic SAN volume and sharing volumes between compute clients.

+# Use clustered applications on Azure Elastic SAN

+ Title: Backup Azure Elastic SAN volumes (preview)

+description: Learn about snapshots (preview) for Azure Elastic SAN, including how to create and use them.

+# Snapshot Azure Elastic SAN volumes (preview)

+Azure Elastic SAN volume snapshots (preview) are incremental point-in-time backups of your volumes. The first snapshot you take is a full copy of your volume but every subsequent snapshot consists only of the changes since the last snapshot. Snapshots of your volumes don't have any separate billing, but they reside in your elastic SAN and consume the SAN's capacity. Snapshots can't be used to change the state of an existing volume, you can only use them to either deploy a new volume or export the data to a managed disk snapshot.

+## Limitations

+- If a volume is larger than 4 TiB, export of a volume snapshot to a disk snapshot is not supported.

+1. Select **Create**.

+If you're using an Azure ML Managed Endpoint service, Stream Analytics can currently only access endpoints that have public network access enabled. Read more about it on the page about [Azure ML private endpoints](/azure/machine-learning/concept-secure-online-endpoint#secure-inbound-scoring-requests).

+| Username | The username that has write access to the database. Stream Analytics supports three authentication mode: SQL server authentication, system assigned managed identity and use assigned managed identity |

+Periodically, we will retire Gateways using old hardware and migrate the traffic to new Gateways as per the process outlined at [Azure SQL Database traffic migration to newer Gateways](/azure/azure-sql/database/gateway-migration). We strongly encourage customers to use the **Gateway IP address subnets** in order to not be impacted by this activity in a region.

+> - UPDATE on distribution column does not guarantee IDENTITY value to be unique. Use [DBCC CHECKIDENT (Transact-SQL)](/sql/t-sql/database-console-commands/dbcc-checkident-transact-sql?view=azure-sqldw-latest&preserve-view=true) after UPDATE on distribution column to verify uniqueness.

+The following high-level diagram shows how Private Link securely connects a local client to the Azure Virtual Desktop service. For more detailed information about client connections, see [Client connection sequence](#client-connection-sequence).

+The following table summarizes the private endpoints required:

+- Before you use Private Link for Azure Virtual Desktop, you need to [enable Private Link with Azure Virtual Desktop](private-link-setup.md#enable-private-link-with-azure-virtual-desktop-on-a-subscription) on each Azure subscription you want to Private Link with Azure Virtual Desktop.

+## Enable Private Link with Azure Virtual Desktop on a subscription

+### Register Private Link with Azure Virtual Desktop (Azure for US Government and Azure operated by 21Vianet only)

+ Your output should be similar to the following output. Check that the value for **ProvisioningState** is **Succeeded**.

+ Your output should be similar to the following output. Check that the value for **ProvisioningState** is **Succeeded**.

+- Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and feed issues.

+- Fixed a Teams issue that caused incoming videos to flicker green during meeting calls.

+| Network security group (NSG) | For managing the network traffic to and from your VM. For example, you might need to open port 22 for SSH access, but you might want to block traffic to port 80. Blocking and allowing port access is done through the NSG.| There are no additional charges for network security groups in Azure. |

+> [!NOTE]

+> The example script uses MBR partition style. If your disk is two tebibytes (TiB) or larger, you must use GPT partitioning. If it's under two TiB, you can use either MBR or GPT.

+ > [!NOTE]

+ > If your disk is two tebibytes (TiB) or larger, you must use GPT partitioning. If it's under two TiB, you can use either MBR or GPT.

+- [Create your own custom rules](create-custom-waf-rules.md)

+- [Use Azure WAF geomatch custom rules to enhance network security](../geomatch-custom-rules-examples.md)

+ Title: Use Azure WAF geomatch custom rules to enhance network security

+description: This article shows you how to use Microsoft Azure Web Application Firewall (WAF) geomatch customer rules to enhance network security.

+# Use Azure WAF geomatch custom rules to enhance network security

+Web application firewalls (WAFs) are an important tool that helps protect web applications from harmful attacks. They can filter, monitor, and stop web traffic using both preset and custom rules. You can make your own rule that the WAF checks for every request it gets. Custom rules have higher priority than the managed rules and are checked first.

+One of the most powerful features of Azure Web Application Firewall is geomatch custom rules. These rules let you match web requests to the geographic location of where they come from. You might want to stop requests from certain places known for harmful activity, or you might want to allow requests from places important to your business. Geomatch custom rules can also help you follow data sovereignty and privacy laws by limiting access to your web applications based on the location of the people using them.

+Use the priority parameter wisely when using geomatch custom rules to avoid unnecessary processing or conflicts. Azure WAF evaluates rules in the order determined by the priority parameter, a numerical value ranging from 1 to 100, with lower values indicating higher priority. The priority must be unique across all custom rules. Assign higher priority to critical or specific rules for your web application security and lower priority to less essential or general rules. This ensures WAF applies the most appropriate actions to your web traffic. For example, the scenario where you identify an explicit URI path is the most specific and should have a higher priority rule than other types of patterns. This protects a critical path on the application with the highest priority while allowing more generic traffic to be evaluated across other custom rules or managed rulesets.

+To make the paragraph easier to understand for a technical audience using present tense and active voice, you can rewrite it as follows:

+Always test your rules before applying them to production and regularly monitor their performance and impact. By following these best practices, you can enhance your web application security by using the power of geomatch custom rules.

+This article introduces Azure WAF geomatch custom rules and shows you how to create and manage them using the Azure portal, Bicep and Azure PowerShell.

+## Geomatch custom rule patterns

+Geomatch custom rules enable you to meet diverse security goals, such as blocking requests from high-risk areas and permitting requests from trusted locations. They're particularly effective in mitigating distributed denial-of-service (DDoS) attacks, which seek to inundate your web application with a multitude of requests from various sources. With geomatch custom rules, you can promptly pinpoint and block regions generating the most DDoS traffic, while still granting access to legitimate users. In this article, you learn about various custom rule patterns that you can employ to optimize your Azure WAF using geomatch custom rules.

+## Scenario 1: Block traffic from all countries except "x"

+Geomatch custom rules prove useful when you aim to block traffic from all countries, barring one. For instance, if your web application caters exclusively to users in the United States, you can formulate a geomatch custom rule that obstructs all requests not originating from the US. This strategy effectively minimizes your web applicationΓÇÖs attack surface and deters unauthorized access from other regions. This specific technique employs a negating condition to facilitate this traffic pattern. For creating a geomatch custom rule that obstructs traffic from all countries except the US, refer to the following portal, Bicep, and PowerShell examples:

+### Portal example - Application Gateway

+### Portal example - Front Door

+> [!NOTE]

+> Notice on the Azure Front Door WAF, you use `SocketAddr` as the match variable and not `RemoteAddr`. The `RemoteAddr` variable is the original client IP address that's usually sent via the `X-Forwarded-For` request header. The `SocketAddr` variable is the source IP address the WAF sees.

+### Bicep example - Application Gateway

+```

+properties: {

+ customRules: [

+ {

+ name: 'GeoRule1'

+ priority: 10

+ ruleType: 'MatchRule'

+ action: 'Block'

+ matchConditions: [

+ {

+ matchVariables: [

+ {

+ variableName: 'RemoteAddr'

+ }

+ ]

+ operator: 'GeoMatch'

+ negationConditon: true

+ matchValues: [

+ 'US'

+ ]

+ transforms: []

+ }

+ ]

+ state: 'Enabled'

+ }

+```

+### Bicep example - Front Door

+```

+properties: {

+ customRules: {

+ rules: [

+ {

+ name: 'GeoRule1'

+ enabledState: 'Enabled'

+ priority: 10

+ ruleType: 'MatchRule'

+ matchConditions: [

+ {

+ matchVariable: 'SocketAddr'

+ operator: 'GeoMatch'

+ negateCondition: true

+ matchValue: [

+ 'US'

+ ]

+ transforms: []

+ }

+ ]

+ action: 'Block'

+ }

+```

+### Azure PowerShell example - Application Gateway

+```azurepowershell

+$RGname = "rg-waf "

+$policyName = "waf-pol"

+$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

+$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator GeoMatch -MatchValue "US" -NegationCondition $true

+$rule = New-AzApplicationGatewayFirewallCustomRule -Name GeoRule1 -Priority 10 -RuleType MatchRule -MatchCondition $condition -Action Block

+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $RGname

+$policy.CustomRules.Add($rule)

+Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

+```

+### Azure PowerShell example - Front Door

+```azurepowershell

+$RGname = "rg-waf"

+$policyName = "wafafdpol"

+$matchCondition = New-AzFrontDoorWafMatchConditionObject -MatchVariable SocketAddr -OperatorProperty GeoMatch -MatchValue "US" -NegateCondition $true

+$customRuleObject = New-AzFrontDoorWafCustomRuleObject -Name "GeoRule1" -RuleType MatchRule -MatchCondition $matchCondition -Action Block -Priority 10

+$afdWAFPolicy= Get-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $RGname

+Update-AzFrontDoorWafPolicy -InputObject $afdWAFPolicy -Customrule $customRuleObject

+```

+## Scenario 2 - Block traffic from all countries except "x" and "y" that target the URI "foo" or "bar"

+Consider a scenario where you need to use geomatch custom rules to block traffic from all countries, except for two or more specific ones, targeting a specific URI. Suppose your web application has specific URI paths intended only for users in the US and Canada. In this case, you create a geomatch custom rule that blocks all requests not originating from these countries.

+This pattern processes request payloads from the US and Canada through the managed rulesets, catching any malicious attacks, while blocking requests from all other countries. This approach ensures that only your target audience can access your web application, avoiding unwanted traffic from other regions.

+To minimize potential false positives, include the country code **ZZ** in the list to capture IP addresses not yet mapped to a country in AzureΓÇÖs dataset. This technique uses a negate condition for the Geolocation type and a non-negate condition for the URI match.

+To create a geomatch custom rule that blocks traffic from all countries except the US and Canada to a specified URI, refer to the portal, Bicep, and Azure PowerShell examples provided.

+### Portal example - Application Gateway

+### Portal example - Front Door

+### Bicep example - Application Gateway

+```

+properties: {

+ customRules: [

+ {

+ name: 'GeoRule2'

+ priority: 11

+ ruleType: 'MatchRule'

+ action: 'Block'

+ matchConditions: [

+ {

+ matchVariables: [

+ {

+ variableName: 'RemoteAddr'

+ }

+ ]

+ operator: 'GeoMatch'

+ negationConditon: true

+ matchValues: [

+ 'US'

+ 'CA'

+ ]

+ transforms: []

+ }

+ {

+ matchVariables: [

+ {

+ variableName: 'RequestUri'

+ }

+ ]

+ operator: 'Contains'

+ negationConditon: false

+ matchValues: [

+ '/foo'

+ '/bar'

+ ]

+ transforms: []

+ }

+ ]

+ state: 'Enabled'

+ }

+```

+### Bicep example - Front Door

+```

+properties: {

+ customRules: {

+ rules: [

+ {

+ name: 'GeoRule2'

+ enabledState: 'Enabled'

+ priority: 11

+ ruleType: 'MatchRule'

+ matchConditions: [

+ {

+ matchVariable: 'SocketAddr'

+ operator: 'GeoMatch'

+ negateCondition: true

+ matchValue: [

+ 'US'

+ 'CA'

+ ]

+ transforms: []

+ }

+ {

+ matchVariable: 'RequestUri'

+ operator: 'Contains'

+ negateCondition: false

+ matchValue: [

+ '/foo'

+ '/bar'

+ ]

+ transforms: []

+ }

+ ]

+ action: 'Block'

+ }

+```

+### Azure PowerShell example - Application Gateway

+```azurepowershell

+$RGname = "rg-waf "

+$policyName = "waf-pol"

+$variable1a = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

+$condition1a = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable1a -Operator GeoMatch -MatchValue @(ΓÇ£USΓÇ¥, ΓÇ£CAΓÇ¥) -NegationCondition $true

+$variable1b = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestUri

+$condition1b = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable1b -Operator Contains -MatchValue @(ΓÇ£/fooΓÇ¥, ΓÇ£/barΓÇ¥) -NegationCondition $false

+$rule1 = New-AzApplicationGatewayFirewallCustomRule -Name GeoRule2 -Priority 11 -RuleType MatchRule -MatchCondition $condition1a, $condition1b -Action Block

+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $RGname

+$policy.CustomRules.Add($rule1)

+Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

+```

+### Azure PowerShell example - Front Door

+```azurepowershell

+$RGname = "rg-waf"

+$policyName = "wafafdpol"

+$matchCondition1a = New-AzFrontDoorWafMatchConditionObject -MatchVariable SocketAddr -OperatorProperty GeoMatch -MatchValue @(ΓÇ£USΓÇ¥, "CA") -NegateCondition $true

+$matchCondition1b = New-AzFrontDoorWafMatchConditionObject -MatchVariable RequestUri -OperatorProperty Contains -MatchValue @(ΓÇ£/fooΓÇ¥, ΓÇ£/barΓÇ¥) -NegateCondition $false

+$customRuleObject1 = New-AzFrontDoorWafCustomRuleObject -Name "GeoRule2" -RuleType MatchRule -MatchCondition $matchCondition1a, $matchCondition1b -Action Block -Priority 11

+$afdWAFPolicy= Get-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $RGname

+Update-AzFrontDoorWafPolicy -InputObject $afdWAFPolicy -Customrule $customRuleObject1

+```

+## Scenario 3 - Block traffic specifically from country "x"

+You can use geomatch custom rules to block traffic from specific countries. For instance, if your web application receives many malicious requests from country "x", create a geomatch custom rule to block all requests from that country. This protects your web application from potential attacks and reduces resource load. Apply this pattern to block multiple malicious or hostile countries. This technique requires a match condition for the traffic pattern. To block traffic from country "x", see the following portal, Bicep, and Azure PowerShell examples.

+### Portal example - Application Gateway

+### Portal example - Front Door

+### Bicep example - Application Gateway

+```

+properties: {

+ customRules: [

+ {

+ name: 'GeoRule3'

+ priority: 12

+ ruleType: 'MatchRule'

+ action: 'Block'

+ matchConditions: [

+ {

+ matchVariables: [

+ {

+ variableName: 'RemoteAddr'

+ }

+ ]

+ operator: 'GeoMatch'

+ negationConditon: false

+ matchValues: [

+ 'US'

+ ]

+ transforms: []

+ }

+ ]

+ state: 'Enabled'

+ }

+```

+### Bicep example - Front Door

+```

+properties: {

+ customRules: {

+ rules: [

+ {

+ name: 'GeoRule3'

+ enabledState: 'Enabled'

+ priority: 12

+ ruleType: 'MatchRule'

+ matchConditions: [

+ {

+ matchVariable: 'SocketAddr'

+ operator: 'GeoMatch'

+ negateCondition: false

+ matchValue: [

+ 'US'

+ ]

+ transforms: []

+ }

+ ]

+ action: 'Block'

+ }

+```

+### Azure PowerShell example - Application Gateway

+```azurepowershell

+$RGname = "rg-waf "

+$policyName = "waf-pol"

+$variable2 = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr

+$condition2 = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable2 -Operator GeoMatch -MatchValue "US" -NegationCondition $false

+$rule2 = New-AzApplicationGatewayFirewallCustomRule -Name GeoRule3 -Priority 12 -RuleType MatchRule -MatchCondition $condition2 -Action Block

+$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $RGname

+$policy.CustomRules.Add($rule2)

+Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

+```

+### Azure PowerShell example - Front Door

+```azurepowershell

+$RGname = "rg-waf"

+$policyName = "wafafdpol"

+$matchCondition2 = New-AzFrontDoorWafMatchConditionObject -MatchVariable SocketAddr -OperatorProperty GeoMatch -MatchValue "US" -NegateCondition $false

+$customRuleObject2 = New-AzFrontDoorWafCustomRuleObject -Name "GeoRule3" -RuleType MatchRule -MatchCondition $matchCondition2 -Action Block -Priority 12

+$afdWAFPolicy= Get-AzFrontDoorWafPolicy -Name $policyName -ResourceGroupName $RGname

+Update-AzFrontDoorWafPolicy -InputObject $afdWAFPolicy -Customrule $customRuleObject2

+```

+## Geomatch custom rule anti-patterns

+Avoid anti-patterns when using geomatch custom rules, such as setting the custom rule action to `allow` instead of `block`. This can have unintended consequences, like allowing traffic to bypass the WAF and potentially exposing your web application to other threats.

+Instead of using an `allow` action, use a `block` action with a negate condition, as shown in previous patterns. This ensures only traffic from desired countries is allowed and the WAF blocks all other traffic.

+### Scenario 4 - allow traffic from country "x"

+Avoid setting the geomatch custom rule to allow traffic from a specific country. For example, if you want to allow traffic from the United States because of a large customer base, creating a custom rule with the action `allow` and the value `United States` might seem like the solution. However, this rule allows all traffic from the United States, regardless of whether it has a malicious payload or not, as the `allow` action bypasses further rule processing of managed rulesets. Additionally, the WAF still processes traffic from all other countries, consuming resources. This exposes your web application to malicious requests from the United States that the WAF would otherwise block.

+### Scenario 5 - Allow traffic from all counties except "x"

+Avoid setting the rule action to `allow` and specifying a list of countries to exclude when using geomatch custom rules. For example, if you want to allow traffic from all countries except the United States, where you suspect malicious activity, this approach can have unintended consequences. It might allow traffic from unverified or unsafe countries or countries with low or no security standards, exposing your web application to potential vulnerabilities or attacks. Using the `allow` action for all countries except the US indicates to the WAF to stop processing request payloads against managed rulesets. All rule evaluation ceases once the custom rule with `allow` is processed, exposing the application to unwanted malicious attacks.

+Instead, use a more restrictive and specific rule action, such as block, and specify a list of countries to allow with a negate condition. This ensures only traffic from trusted and verified sources can access your web application while blocking any suspicious or unwanted traffic.

+## Next steps

+- [Geomatch custom rules](ag/geomatch-custom-rules.md)

+- [Create and use Web Application Firewall v2 custom rules on Application Gateway](ag/create-custom-waf-rules.md)