+1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra tenant from the **Directories + subscriptions** menu. Currently, you can't submit support cases directly from your Azure AD B2C tenant.

+- Disable public network access flag of Azure AI default resources such as Storage, Key Vault, Container Registry.

+- Azure AI services and Azure AI Search should be public.

+- [Troubleshoot secure connectivity to a project](troubleshoot-secure-connection-project.md)

+|5.2.1|Ensure that the cluster has at least one active policy control mechanism in place|Not Scored|L1|Depends on Environment|

+[security-concepts-aks-apps-clusters]: concepts-security.md

+- If the open-source CSI storage driver is installed on your cluster, uninstall it before enabling the Azure storage CSI driver.

+ INSERT INTO SEQUENCE VALUES ('SEQ_GEN',0);

+ --from-literal=password="${DB_PASSWORD}" \

+ --from-literal=url="${DB_CONNECTION_STRING}" \

+ --from-literal=user="${DB_USER}"

+1. In the **Domain Structure** box, select **Services**.

+1. Under the **Services**, select **Data Sources**.

+1. In the **Summary of JDBC Data Sources** panel, select **Monitoring**. Your screen should look similar to the following example. You find the state of data source is running on managed servers.

+ :::image type="content" source="media/howto-deploy-java-wls-app/datasource-state.png" alt-text="Screenshot of data source state." border="false":::

+ Title: Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)

+description: Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)

+# Configure Istio-based service mesh add-on for Azure Kubernetes Service (preview)

+Open-source Istio uses [MeshConfig][istio-meshconfig] to define mesh-wide settings for the Istio service mesh. Istio-based service mesh add-on for AKS builds on top of MeshConfig and classifies different properties as supported, allowed, and blocked.

+This article walks through how to configure Istio-based service mesh add-on for Azure Kubernetes Service and the support policy applicable for such configuration.

+## Prerequisites

+This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster.

+## Set up configuration on cluster

+1. Find out which revision of Istio is deployed on the cluster:

+ ```bash

+ az aks show -n $CLUSTER -g $RESOURCE_GROUP --query 'serviceMeshProfile'

+ ```

+ Output:

+ ```

+ {

+ "istio": {

+ "certificateAuthority": null,

+ "components": {

+ "egressGateways": null,

+ "ingressGateways": null

+ },

+ "revisions": [

+ "asm-1-18"

+ ]

+ },

+ "mode": "Istio"

+ }

+ ```

+2. Create a ConfigMap with the name `istio-shared-configmap-<asm-revision>` in the `aks-istio-system` namespace. For example, if your cluster is running asm-1-18 revision of mesh, then the ConfigMap needs to be named as `istio-shared-configmap-asm-1-18`. Mesh configuration has to be provided within the data section under mesh.

+ Example:

+ ```yaml

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: istio-shared-configmap-asm-1-18

+ namespace: aks-istio-system

+ data:

+ mesh: |-

+ accessLogFile: /dev/stdout

+ defaultConfig:

+ holdApplicationUntilProxyStarts: true

+ ```

+ The values under `defaultConfig` are mesh-wide settings applied for Envoy sidecar proxy.

+> [!CAUTION]

+> A default ConfigMap (for example, `istio-asm-1-18` for revision asm-1-18) is created in `aks-istio-system` namespace on the cluster when the Istio addon is enabled. However, this default ConfigMap gets reconciled by the managed Istio addon and thus users should NOT directly edit this ConfigMap. Instead users should create a revision specific Istio shared ConfigMap (for example `istio-shared-configmap-asm-1-18` for revision asm-1-18) in the aks-istio-system namespace, and then the Istio control plane will merge this with the default ConfigMap, with the default settings taking precedence.

+### Mesh configuration and upgrades

+When you're performing [canary upgrade for Istio](./istio-upgrade.md), you need create a separate ConfigMap for the new revision in the `aks-istio-system` namespace **before initiating the canary upgrade**. This way the configuration is available when the new revision's control plane is deployed on cluster. For example, if you're upgrading the mesh from asm-1-18 to asm-1-19, you need to copy changes over from `istio-shared-configmap-asm-1-18` to create a new ConfigMap called `istio-shared-configmap-asm-1-19` in the `aks-istio-system` namespace.

+After the upgrade is completed or rolled back, you can delete the ConfigMap of the revision that was removed from the cluster.

+## Allowed, supported, and blocked values

+Fields in `MeshConfig` are classified into three categories:

+- **Blocked**: Disallowed fields are blocked via addon managed admission webhooks. API server immediately publishes the error message to the user that the field is disallowed.

+- **Supported**: Supported fields (for example, fields related to access logging) receive support from Azure support.

+- **Allowed**: These fields (such as proxyListenPort or proxyInboundListenPort) are allowed but they aren't covered by Azure support.

+Mesh configuration and the list of allowed/supported fields are revision specific to account for fields being added/removed across revisions. The full list of allowed fields and the supported/unsupported ones within the allowed list is provided in the below table. When new mesh revision is made available, any changes to allowed and supported classification of the fields is noted in this table.

+### MeshConfig

+| **Field** | **Supported** |

+|--||

+| proxyListenPort | false |

+| proxyInboundListenPort | false |

+| proxyHttpPort | false |

+| connectTimeout | false |

+| tcpKeepAlive | false |

+| defaultConfig | true |

+| outboundTrafficPolicy | true |

+| extensionProviders | true |

+| defaultProvideres | true |

+| accessLogFile | true |

+| accessLogFormat | true |

+| accessLogEncoding | true |

+| enableTracing | true |

+| enableEnvoyAccessLogService | true |

+| disableEnvoyListenerLog | true |

+| trustDomain | false |

+| trustDomainAliases | false |

+| caCertificates | false |

+| defaultServiceExportTo | false |

+| defaultVirtualServiceExportTo | false |

+| defaultDestinationRuleExportTo | false |

+| localityLbSetting | false |

+| dnsRefreshRate | false |

+| h2UpgradePolicy | false |

+| enablePrometheusMerge | true |

+| discoverySelectors | true |

+| pathNormalization | false |

+| defaultHttpRetryPolicy | false |

+| serviceSettings | false |

+| meshMTLS | false |

+| tlsDefaults | false |

+### ProxyConfig (meshConfig.defaultConfig)

+| **Field** | **Supported** |

+|--||

+| tracingServiceName | true |

+| drainDuration | true |

+| statsUdpAddress | false |

+| proxyAdminPort | false |

+| tracing | true |

+| concurrency | true |

+| envoyAccessLogService | true |

+| envoyMetricsService | true |

+| proxyMetadata | false |

+| statusPort | false |

+| extraStatTags | false |

+| proxyStatsMatcher | false |

+| terminationDrainDuration | true |

+| meshId | false |

+| holdApplicationUntilProxyStarts | true |

+| caCertificatesPem | false |

+| privateKeyProvider | false |

+Fields present in [open source MeshConfig reference documentation][istio-meshconfig] but not in the above table are blocked. For example, `configSources` is blocked.

+> [!CAUTION]

+> **Support scope of configurations:** Mesh configuration allows for extension providers such as self-managed instances of Zipkin or Apache Skywalking to be configured with the Istio addon. However, these extension providers are outside the support scope of the Istio addon. Any issues associated with extension tools are outside the support boundary of the Istio addon.

+## Common errors and troubleshooting tips

+- Ensure that the MeshConfig is indented with spaces instead of tabs.

+- Ensure that you're only editing the revision specific shared ConfigMap (for example `istio-shared-configmap-asm-1-18`) and not trying to edit the default ConfigMap (for example `istio-asm-1-18`).

+- The ConfigMap must follow the name `istio-shared-configmap-<asm-revision>` and be in the `aks-istio-system` namespace.

+- Ensure that all MeshConfig fields are spelled correctly. If they're unrecognized or if they aren't part of the allowed list, admission control denies such configurations.

+- When performing canary upgrades, [check your revision specific ConfigMaps](#mesh-configuration-and-upgrades) to ensure configurations exist for the revisions deployed on your cluster.

+- Certain `MeshConfig` options such as accessLogging may increase Envoy's resource consumption, and disabling some of these settings may mitigate Istio data plane resource utilization. It's also advisable to use the `discoverySelectors` field in the MeshConfig to help alleviate memory consumption for Istiod and Envoy.

+- If the `concurrency` field in the MeshConfig is misconfigured and set to zero, it causes Envoy to use up all CPU cores. Instead if this field is unset, number of worker threads to run is automatically determined based on CPU requests/limits.

+- [Pod and sidecar race conditions][istio-sidecar-race-condition] in which the application starts before Envoy can be mitigated using the `holdApplicationUntilProxyStarts` field in the MeshConfig.

+[istio-meshconfig]: https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/

+[istio-sidecar-race-condition]: https://istio.io/latest/docs/ops/common-problems/injection/#pod-or-containers-start-with-network-issues-if-istio-proxy-is-not-ready

+description: Upgrade Istio-based service mesh add-on for Azure Kubernetes Service (preview).

+The following example illustrates how to upgrade from revision `asm-1-18` to `asm-1-19`. The steps are the same for all minor upgrades.

+1. If you've set up [mesh configuration][meshconfig] for the existing mesh revision on your cluster, you need to create a separate ConfigMap corresponding to the new revision in the `aks-istio-system` namespace **before initiating the canary upgrade** in the next step. This configuration is applicable the moment the new revision's control plane is deployed on cluster. More details can be found [here][meshconfig-canary-upgrade].

+1. Initiate a canary upgrade from revision `asm-1-18` to `asm-1-19` using [az aks mesh upgrade start](/cli/azure/aks/mesh#az-aks-mesh-upgrade-start):

+1. Verify control plane pods corresponding to both `asm-1-18` and `asm-1-19` exist:

+ istiod-asm-1-18-55fccf84c8-dbzlt 1/1 Running 0 58m

+ istiod-asm-1-18-55fccf84c8-fg8zh 1/1 Running 0 58m

+ istiod-asm-1-19-f85f46bf5-7rwg4 1/1 Running 0 51m

+ istiod-asm-1-19-f85f46bf5-8p9qx 1/1 Running 0 51m

+ aks-istio-ingressgateway-external-asm-1-18-58f889f99d-qkvq2 1/1 Running 0 59m

+ aks-istio-ingressgateway-external-asm-1-18-58f889f99d-vhtd5 1/1 Running 0 58m

+ aks-istio-ingressgateway-external-asm-1-19-7466f77bb9-ft9c8 1/1 Running 0 51m

+ aks-istio-ingressgateway-external-asm-1-19-7466f77bb9-wcb6s 1/1 Running 0 51m

+ aks-istio-ingressgateway-internal-asm-1-18-579c5d8d4b-4cc2l 1/1 Running 0 58m

+ aks-istio-ingressgateway-internal-asm-1-18-579c5d8d4b-jjc7m 1/1 Running 0 59m

+ aks-istio-ingressgateway-internal-asm-1-19-757d9b5545-g89s4 1/1 Running 0 51m

+ aks-istio-ingressgateway-internal-asm-1-19-757d9b5545-krq9w 1/1 Running 0 51m

+ kubectl label namespace default istio.io/rev=asm-1-19 --overwrite

+ kubectl label namespace default istio.io/rev=asm-1-18 --overwrite

+1. If [mesh configuration][meshconfig] was set up for the revisions in previous steps, you can now delete the ConfigMap for the revision that was removed from the cluster on completing or rolling back the upgrade.

+* Istio add-on patch version availability information is published in [AKS release notes][aks-release-notes].

+* Patches are rolled out automatically for istiod and ingress pods as part of these AKS releases, which respect the `default` [planned maintenance window](./planned-maintenance.md) set up for the cluster.

+ "image": "mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless",

+ "image": "mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless"

+ productpage-v1-979d4d9fc-p4764: docker.io/istio/examples-bookinfo-productpage-v1:1.18.0, mcr.microsoft.com/oss/istio/proxyv2:1.18.1-distroless

+ productpage-v1-979d4d9fc-p4764: docker.io/istio/examples-bookinfo-productpage-v1:1.18.0, mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless

+[meshconfig]: ./istio-meshconfig.md

+[meshconfig-canary-upgrade]: ./istio-meshconfig.md#mesh-configuration-and-upgrades

+ Title: Use the in-place migration feature to migrate your App Service Environment to App Service Environment v3

+description: Learn how to migrate your App Service Environment to App Service Environment v3 by using the in-place migration feature.

+# Use the in-place migration feature to migrate App Service Environment v1 and v2 to App Service Environment v3

+> [!NOTE]

+> The migration feature described in this article is used for in-place (same subnet) automated migration of App Service Environment v1 and v2 to App Service Environment v3. If you're looking for information on the side by side migration feature, see [Migrate to App Service Environment v3 by using the side by side migration feature](side-by-side-migrate.md). If you're looking for information on manual migration options, see [Manual migration options](migration-alternatives.md). For help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). For more information on App Service Environment v3, see [App Service Environment v3 overview](overview.md).

+>

+You can automatically migrate App Service Environment v1 and v2 to [App Service Environment v3](overview.md) by using the in-place migration feature. To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [overview of the in-place migration feature](migrate.md).

+>

+Ensure that you understand how migrating to App Service Environment v3 affects your applications. Review the [migration process](migrate.md#overview-of-the-migration-process-using-the-in-place-migration-feature) to understand the process timeline and where and when you need to get involved. Also review the [FAQs](migrate.md#frequently-asked-questions), which can answer some of your questions.

+Since scaling is blocked during the migration, you should scale your environment to the desired size before starting the migration. If you need to scale your environment after the migration, you can do so once the migration is complete.

+We recommend that you use the [Azure portal](how-to-migrate.md?pivots=experience-azp) for the in-place migration experience. If you decide to use the [Azure CLI](/cli/azure/) for the migration, follow the steps described here in order and as written, because you're making Azure REST API calls. We recommend that you use the Azure CLI to make these API calls. For information about other methods, see [Azure REST API reference](/rest/api/azure/).

+The following command checks whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. See the [troubleshooting](migrate.md#troubleshooting) section for descriptions of the potential error messages that you can get. If your environment [isn't supported for migration using the in-place migration feature](migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the in-place migration feature, see the [manual migration options](migration-alternatives.md).

+>

+If your App Service Environment isn't supported for migration at this time or your environment is in an unhealthy or suspended state, you can't use the migration feature. If your environment [isn't supported for migration with the in-place migration feature](migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the in-place migration feature, see the [manual migration options](migration-alternatives.md).

+ Title: Use the side by side migration feature to migrate your App Service Environment v2 to App Service Environment v3

+description: Learn how to migrate your App Service Environment v2 to App Service Environment v3 by using the side by side migration feature.

+# zone_pivot_groups: app-service-cli-portal

+# Use the side by side migration feature to migrate App Service Environment v2 to App Service Environment v3 (Preview)

+> [!NOTE]

+> The migration feature described in this article is used for side by side (different subnet) automated migration of App Service Environment v2 to App Service Environment v3 and is currently **in preview**.

+>

+> If you're looking for information on the in-place migration feature, see [Migrate to App Service Environment v3 by using the in-place migration feature](migrate.md). If you're looking for information on manual migration options, see [Manual migration options](migration-alternatives.md). For help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). For more information on App Service Environment v3, see [App Service Environment v3 overview](overview.md).

+>

+You can automatically migrate App Service Environment v2 to [App Service Environment v3](overview.md) by using the side by side migration feature. To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [overview of the side by side migration feature](side-by-side-migrate.md).

+> [!IMPORTANT]

+> We recommend that you use this feature for development environments before migrating any production environments, to avoid unexpected problems. Please provide any feedback related to this article or the feature by using the buttons at the bottom of the page.

+>

+## Prerequisites

+Ensure that you understand how migrating to App Service Environment v3 affects your applications. Review the [migration process](side-by-side-migrate.md#overview-of-the-migration-process-using-the-side-by-side-migration-feature) to understand the process timeline and where and when you need to get involved. Also review the [FAQs](side-by-side-migrate.md#frequently-asked-questions), which can answer some of your questions.

+Ensure that there are no locks on your virtual network, resource groups, resources, or subscription. Locks block platform operations during migration.

+Ensure that no Azure policies are blocking actions that are required for the migration, including subnet modifications and Azure App Service resource creations. Policies that block resource modifications and creations can cause migration to get stuck or fail.

+Since your App Service Environment v3 is in a different subnet in your virtual network, you need to ensure that you have an available subnet in your virtual network that meets the [subnet requirements for App Service Environment v3](./networking.md#subnet-requirements). The subnet you select must also be able to communicate with the subnet that your existing App Service Environment is in. Ensure there's nothing blocking communication between the two subnets. If you don't have an available subnet, you need to create one before migrating. Creating a new subnet might involve increasing your virtual network address space. For more information, see [Create a virtual network and subnet](../../virtual-network/manage-virtual-network.md).

+Since scaling is blocked during the migration, you should scale your environment to the desired size before starting the migration. If you need to scale your environment after the migration, you can do so once the migration is complete.

+Follow the steps described here in order and as written, because you're making Azure REST API calls. We recommend that you use the Azure CLI to make these API calls. For information about other methods, see [Azure REST API reference](/rest/api/azure/).

+For this guide, [install the Azure CLI](/cli/azure/install-azure-cli) or use [Azure Cloud Shell](https://shell.azure.com/).

+## 1. Select the subnet for your new App Service Environment v3

+Select a subnet in your App Service Environment v3 that meets the [subnet requirements for App Service Environment v3](./networking.md#subnet-requirements). Note the name of the subnet you select. This subnet must be different than the subnet your existing App Service Environment is in.

+## 2. Get your App Service Environment ID

+Run the following commands to get your App Service Environment ID and store it as an environment variable. Replace the placeholders for the name and resource groups with your values for the App Service Environment that you want to migrate. `ASE_RG` and `VNET_RG` are the same if your virtual network and App Service Environment are in the same resource group.

+```azurecli

+ASE_NAME=<Your-App-Service-Environment-name>

+ASE_RG=<Your-ASE-Resource-Group>

+VNET_RG=<Your-VNet-Resource-Group>

+ASE_ID=$(az appservice ase show --name $ASE_NAME --resource-group $ASE_RG --query id --output tsv)

+```

+## 3. Validate migration is supported

+The following command checks whether your App Service Environment is supported for migration. If you receive an error or if your App Service Environment is in an unhealthy or suspended state, you can't migrate at this time. See the [troubleshooting](side-by-side-migrate.md#troubleshooting) section for descriptions of the potential error messages that you can get. If your environment [isn't supported for migration using the side by side migration feature](side-by-side-migrate.md#supported-scenarios) or you want to migrate to App Service Environment v3 without using the side by side migration feature, see the [manual migration options](migration-alternatives.md).

+```azurecli

+az rest --method post --uri "${ASE_ID}/NoDowntimeMigrate?phase=Validation&api-version=2022-03-01"

+```

+If there are no errors, your migration is supported, and you can continue to the next step.

+## 4. Generate outbound IP addresses for your new App Service Environment v3

+Create a file called *zoneredundancy.json* with the following details for your region and zone redundancy selection.

+```json

+{

+ "location":"<region>",

+ "Properties": {

+ "zoneRedundant": "<true/false>"

+ }

+}

+```

+You can make your new App Service Environment v3 zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). Zone redundancy can be configured by setting the `zoneRedundant` property to `true`. Zone redundancy is an optional configuration. This configuration can only be set during the creation of your new App Service Environment v3 and can't be removed at a later time.

+Run the following command to create new outbound IP addresses. This step takes about 15 minutes to complete. Don't scale or make changes to your existing App Service Environment during this time.

+```azurecli

+az rest --method post --uri "${ASE_ID}/NoDowntimeMigrate?phase=PreMigration&api-version=2022-03-01" --body @zoneredundancy.json

+```

+Run the following command to check the status of this step:

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01" --query properties.status

+```

+If the step is in progress, you get a status of `Migrating`. After you get a status of `Ready`, run the following command to view your new outbound IPs. If you don't see the new IPs immediately, wait a few minutes and try again.

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01"

+```

+## 5. Update dependent resources with new outbound IPs

+By using the new IPs, update any of your resources or networking components to ensure that your new environment functions as intended after migration is complete. It's your responsibility to make any necessary updates.

+This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't migrate until you complete this step.

+## 6. Delegate your App Service Environment subnet

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Previous versions didn't require this delegation. You need to confirm that your subnet is delegated properly and update the delegation (if necessary) before migrating. You can update the delegation either by running the following command or by going to the subnet in the [Azure portal](https://portal.azure.com).

+```azurecli

+az network vnet subnet update --resource-group $VNET_RG --name <subnet-name> --vnet-name <vnet-name> --delegations Microsoft.Web/hostingEnvironments

+```

+## 7. Confirm there are no locks on the virtual network

+Virtual network locks block platform operations during migration. If your virtual network has locks, you need to remove them before migrating. If necessary, you can add back the locks after migration is complete.

+Locks can exist at three scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, you need to remove them before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).

+Use the following command to check if your virtual network has any locks:

+```azurecli

+az lock list --resource-group $VNET_RG --resource <vnet-name> --resource-type Microsoft.Network/virtualNetworks

+```

+Delete any existing locks by using the following command:

+```azurecli

+az lock delete --resource-group $VNET_RG --name <lock-name> --resource <vnet-name> --resource-type Microsoft.Network/virtualNetworks

+```

+For related commands to check if your subscription or resource group has locks, see the [Azure CLI reference for locks](../../azure-resource-manager/management/lock-resources.md#azure-cli).

+## 8. Prepare your configurations

+If your existing App Service Environment uses a custom domain suffix, you can [configure one for your new App Service Environment v3 resource during the migration process](./side-by-side-migrate.md#add-a-custom-domain-suffix-optional). Configuring a custom domain suffix is optional. If your App Service Environment v2 has a custom domain suffix and you don't want to use it on your new App Service Environment v3, skip this step. If you previously didn't have a custom domain suffix but want one, you can configure one at this point or at any time once migration is complete. For more information on App Service Environment v3 custom domain suffixes, including requirements, step-by-step instructions, and best practices, see [Custom domain suffix for App Service Environments](./how-to-custom-domain-suffix.md).

+> [!NOTE]

+> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment's new outbound IP addresses that were generated in step 4.

+>

+To set these configurations, including identifying the subnet you selected earlier, create another file called *parameters.json* with the following details based on your scenario. Be sure to use the new subnet that you selected for your new App Service Environment v3. Don't include the properties for a custom domain suffix if this feature doesn't apply to your migration. Pay attention to the value of the `zoneRedundant` property and set it to the same value you used in the outbound IP generation step. **You must use the same value for zone redundancy that you used in the IP generation step.**

+If you're migrating without a custom domain suffix, use this code:

+```json

+{

+ "Properties": {

+ "VirtualNetwork": {

+ "Id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>"

+ },

+ "zoneRedundant": "<true/false>"

+ }

+}

+```

+If you're using a user assigned managed identity for your custom domain suffix configuration, use this code:

+```json

+{

+ "Properties": {

+ "VirtualNetwork": {

+ "Id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>"

+ },

+ "zoneRedundant": "<true/false>",

+ "customDnsSuffixConfiguration": {

+ "dnsSuffix": "internal-contoso.com",

+ "certificateUrl": "https://contoso.vault.azure.net/secrets/myCertificate",

+ "keyVaultReferenceIdentity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+ }

+ }

+}

+```

+If you're using a system assigned managed identity for your custom domain suffix configuration, use this code:

+```json

+{

+ "properties": {

+ "VirtualNetwork": {

+ "Id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>/subnets/<subnet-name>"

+ },

+ "zoneRedundant": "<true/false>",

+ "customDnsSuffixConfiguration": {

+ "dnsSuffix": "internal-contoso.com",

+ "certificateUrl": "https://contoso.vault.azure.net/secrets/myCertificate",

+ "keyVaultReferenceIdentity": "SystemAssigned"

+ }

+ }

+}

+```

+## 9. Migrate to App Service Environment v3 and check status

+After you complete all of the preceding steps, you can start the migration. Make sure that you understand the [implications of migration](side-by-side-migrate.md#migrate-to-app-service-environment-v3).

+This step takes three to six hours complete. During that time, there's no application downtime. Scaling, deployments, and modifications to your existing App Service Environment are blocked during this step.

+Run the following command to start the migration:

+```azurecli

+az rest --method post --uri "${ASE_ID}/NoDowntimeMigrate?phase=HybridDeployment&api-version=2022-03-01" --body @parameters.json

+```

+Run the following command to check the status of your migration:

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01" --query properties.subStatus

+```

+After you get a status of `Ready`, migration is done, and you have an App Service Environment v3 resource. Your apps are now running in your new environment as well as in your old environment.

+Get the details of your new environment by running the following command or by going to the [Azure portal](https://portal.azure.com).

+```azurecli

+az appservice ase show --name $ASE_NAME --resource-group $ASE_RG

+```

+## 10. Get the inbound IP address for your new App Service Environment v3 and update dependent resources

+You have two App Service Environments at this stage in the migration process. Your apps are running in both environments. You need to update any dependent resources to use the new inbound IP address for your new App Service Environment v3. For internal facing (ILB) App Service Environments, you need to update your private DNS zones to point to the new inbound IP address.

+You can get the inbound IP address for your new App Service Environment v3 by running the following command.

+```azurecli

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01"

+```

+## 11. Redirect customer traffic and complete migration

+This step is your opportunity to test and validate your new App Service Environment v3. Once you confirm your apps are working as expected, you can redirect customer traffic to your new environment by running the following command. This command also deletes your old environment.

+```azurecli

+az rest --method post --uri "${ASE_ID}/NoDowntimeMigrate?phase=DnsChange&api-version=2022-03-01"

+```

+If you find any issues or decide at this point that you no longer want to proceed with the migration, contact support to revert the migration. Don't run the above command if you need to revert the migration. For more information, see [Revert migration](side-by-side-migrate.md#redirect-customer-traffic-and-complete-migration).

+## Next steps

+> [!div class="nextstepaction"]

+> [Use an App Service Environment v3 resource](using.md)

+> [!div class="nextstepaction"]

+> [App Service Environment v3 networking](networking.md)

+> [!div class="nextstepaction"]

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+ Title: Migrate to App Service Environment v3 by using the in-place migration feature

+description: Overview of the in-place migration feature for migration to App Service Environment v3.

+# Migration to App Service Environment v3 using the in-place migration feature

+> [!NOTE]

+> The migration feature described in this article is used for in-place (same subnet) automated migration of App Service Environment v1 and v2 to App Service Environment v3. If you're looking for information on the side by side migration feature, see [Migrate to App Service Environment v3 by using the side by side migration feature](side-by-side-migrate.md). If you're looking for information on manual migration options, see [Manual migration options](migration-alternatives.md). For help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). For more information on App Service Environment v3, see [App Service Environment v3 overview](overview.md).

+>

+App Service can automate migration of your App Service Environment v1 and v2 to an [App Service Environment v3](overview.md). There are different migration options. Review the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree) to decide which option is best for your use case. App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

+The in-place migration feature automates your migration to App Service Environment v3 by upgrading your existing App Service Environment in the same subnet. This migration option is best for customers who want to migrate to App Service Environment v3 with minimal changes to their networking configurations and can support about one hour of application downtime. If you can't support downtime, see the [side migration feature](side-by-side-migrate.md) or the [manual migration options](migration-alternatives.md).

+At this time, the in-place migration feature doesn't support migrations to App Service Environment v3 in the following regions:

+The following App Service Environment configurations can be migrated using the in-place migration feature. The table gives the App Service Environment v3 configuration when using the in-place migration feature based on your existing App Service Environment. All supported App Service Environments can be migrated to a [zone redundant App Service Environment v3](../../availability-zones/migrate-app-service-environment.md) using the in-place migration feature as long as the environment is [in a region that supports zone redundancy](./overview.md#regions). You can [configure zone redundancy](#choose-your-app-service-environment-v3-configurations) during the migration process.

+## In-place migration feature limitations

+The following are limitations when using the in-place migration feature:

+The in-place migration feature doesn't support the following scenarios. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into one of these categories.

+- App Service Environment v1 in a [Classic virtual network](/previous-versions/azure/virtual-network/create-virtual-network-classic)

+The App Service platform reviews your App Service Environment to confirm in-place migration support. If your scenario doesn't pass all validation checks, you can't migrate at this time using the in-place migration feature. If your environment is in an unhealthy or suspended state, you can't migrate until you make the needed updates.

+|Migrate can only be called on an ASE in ARM VNET and this ASE is in Classic VNET. |App Service Environments in Classic VNets can't migrate using the in-place migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |

+|ASEv3 Migration is not yet ready. |The underlying infrastructure isn't ready to support App Service Environment v3. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the in-place migration feature to be available in your region. |

+|Migration cannot be called on this ASE, please contact support for help migrating. |Support needs to be engaged for migrating this App Service Environment. This issue is potentially due to custom settings used by this environment. |Open a support case to engage support to resolve your issue. |

+|Migration is invalid. Your ASE needs to be upgraded to the latest build to ensure successful migration. We will upgrade your ASE now. Please try migrating again in few hours once platform upgrade has finished. |Your App Service Environment isn't on the minimum build required for migration. An upgrade is started. Your App Service Environment won't be impacted, but you won't be able to scale or make changes to your App Service Environment while the upgrade is in progress. You won't be able to migrate until the upgrade finishes. |Wait until the upgrade finishes and then migrate. |

+## Overview of the migration process using the in-place migration feature

+In-place migration consists of a series of steps that must be followed in order. Key points are given for a subset of the steps. It's important to understand what happens during these steps and how your environment and apps are impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-migrate.md).

+Once the new IPs are created, you have the new default outbound to the internet public addresses. In preparation for the migration, you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs. For ELB App Service Environment, you also have the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.** This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3 including the port change for the Azure Load Balancer health probe, which now uses port 80.

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Migration can't succeed if the App Service Environment's subnet isn't delegated or you delegate it to a different resource.

+Your App Service plans are converted from Isolated to the corresponding Isolated v2 tier as part of the migration. For example, I2 is converted to I2v2. Your apps might be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You have the opportunity to scale your environment as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+Your App Service Environment v3 can be deployed across availability zones in the regions that support it. This architecture is known as [zone redundancy](../../availability-zones/migrate-app-service-environment.md). Zone redundancy can only be configured during App Service Environment creation. If you want your new App Service Environment v3 to be zone redundant, enable the configuration during the migration process. Any App Service Environment that is using the in-place migration feature to migrate can be configured as zone redundant as long as you're using a [region that supports zone redundancy for App Service Environment v3](./overview.md#regions). If you're existing environment is in a region that doesn't support zone redundancy, the configuration option is disabled and you can't configure it. The in-place migration feature doesn't support changing regions. If you'd like to use a different region, use one of the [manual migration options](migration-alternatives.md).

+> [!IMPORTANT]

+> Since scaling is blocked during the migration, you should scale your environment to the desired size before starting the migration.

+>

+Migration requires a three to six hour service window for App Service Environment v2 to v3 migrations. Up to a six hour service window is required depending on environment size for v1 to v3 migrations. The service window might be extended in rare cases where manual intervention by the service team is required. During migration, scaling and environment configurations are blocked and the following events occur:

+- All App Service plans in the App Service Environment are converted from the Isolated to Isolated v2 tier.

+ - If you can't support downtime, see the [side by side migration feature](side-by-side-migrate.md) or the[migration-alternatives](migration-alternatives.md#migrate-manually).

+There's no cost to migrate your App Service Environment. When you use the in-place migration feature, you stop being charged for your previous App Service Environment as soon as it shuts down during the migration process. You begin getting charged for your new App Service Environment v3 as soon as it gets deployed. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).

+When you migrate to App Service Environment v3 from previous versions, there are scenarios that you should consider that can potentially reduce your monthly cost. Consider [reservations](../../cost-management-billing/reservations/reservation-discount-app-service.md#how-reservation-discounts-apply-to-isolated-v2-instances) and [savings plans](../../cost-management-billing/savings-plan/savings-plan-compute-overview.md) to further reduce your costs. For information on cost saving opportunities, see [Cost saving opportunities after upgrading to App Service Environment v3](upgrade-to-asev3.md#cost-saving-opportunities-after-upgrading-to-app-service-environment-v3).

+> Due to the conversion of App Service plans from Isolated to Isolated v2, your apps may be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You'll have the opportunity to [scale your environment](../manage-scale-up.md) as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+### Scale down your App Service plans

+The App Service plan SKUs available for App Service Environment v3 run on the Isolated v2 (Iv2) tier. The number of cores and amount of RAM are effectively doubled per corresponding tier compared the Isolated tier. When you migrate, your App Service plans are converted to the corresponding tier. For example, your I2 instances are converted to I2v2. While I2 has two cores and 7-GB RAM, I2v2 has four cores and 16-GB RAM. If you expect your capacity requirements to stay the same, you're over-provisioned and paying for compute and memory you're not using. For this scenario, you can scale down your I2v2 instance to I1v2 and end up with a similar number of cores and RAM that you had previously.

+ You can't migrate using the in-place migration feature at this time. If you have an unsupported environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md).

+- **How do I choose which migration option is right for me?**

+ Review the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree) to decide which option is best for your use case.

+- **How do I know if I should use the in-place migration feature?**

+ The in-place migration feature is best for customers who want to migrate to App Service Environment v3 with minimal changes to their networking configurations and can support about one hour of application downtime. If you can't support downtime, see the [side migration feature](side-by-side-migrate.md) or the [manual migration options](migration-alternatives.md). The in-place migration feature creates your App Service Environment v3 in the same subnet as your existing environment and uses the same networking infrastructure. You might have to account for the inbound and outbound IP address changes if you have any dependencies on these specific IPs.

+ Yes, you should expect about one hour of downtime during the three to six hour service window during the migration step, so plan accordingly. If you have a different App Service Environment that you can point traffic to while you migrate using the in-place migration feature, you can eliminate application downtime. If you don't have another App Service Environment and you can't support downtime, see the side by [side migration feature](side-by-side-migrate.md) or the [manual migration options](migration-alternatives.md).

+ The in-place migration feature supports this [migration scenario](#supported-scenarios).

+ IP SSL isn't supported on App Service Environment v3. You must remove all IP SSL bindings before migrating using the migration feature or one of the manual options. If you intend to use the in-place migration feature, once you remove all IP SSL bindings, you pass that validation check and can proceed with the automated migration.

+ If there's an unexpected issue, support teams are on hand. You should migrate dev environments before touching any production environments to learn about the migration process and see how it impacts your workloads.

+ If you decide to migrate an App Service Environment using the in-place migration feature, the old environment gets shutdown, deleted, and all of your apps are migrated to a new environment. Your old environment is no longer accessible. A rollback to the old environment isn't possible.

+ After 31 August 2024, if you don't to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, [App Service Environment v1/v2 will no longer be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+> [Migrate your App Service Environment to App Service Environment v3 using the in-place migration feature](how-to-migrate.md)

+> [!NOTE]

+> There are two automated migration features available to help you upgrade to App Service Environment v3. To learn more about those features and for help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). Consider one of the automated options for a quicker path to [App Service Environment v3](overview.md).

+>

+If you're currently using App Service Environment v1 or v2, you have the opportunity to migrate your workloads to [App Service Environment v3](overview.md). App Service Environment v3 has [advantages and feature differences](overview.md#feature-differences) that provide enhanced support for your workloads and can reduce overall costs. Consider using the [the automated migration features](upgrade-to-asev3.md) if your environment meets the criteria described in the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree).

+If your App Service Environment isn't supported for the migration features, you must use one of the manual methods to migrate to App Service Environment v3.

+For any migration method that doesn't use the automated migration features, you need to [create the App Service Environment v3 resource](creation.md) and a new subnet by using the method of your choice.

+The [in-place migration feature](migrate.md) automates the migration to App Service Environment v3 and transfers all of your apps to the new environment. There's about one hour of downtime during this migration. If your apps can't have any downtime, we recommend that you use the [side by side migration feature](side-by-side-migrate.md), which is a zero-downtime migration option since the new environment is created in a different subnet. If you also choose not to use the side by side migration feature, you can use one of the manual options to re-create your apps in App Service Environment v3.

+- **How do I know if I should migrate to App Service Environment v3 using one of the manual options?**

+ For help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). If your environment meets the criteria described in the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree), consider using one of the automated migration features for a quicker path to [App Service Environment v3](overview.md). Manual migration is recommended if you need to slowly move your apps to your new environment and validate throughout the whole process.

+ Title: Migrate to App Service Environment v3 by using the side by side migration feature

+description: Overview of the side by side migration feature for migration to App Service Environment v3.

+# Migration to App Service Environment v3 using the side by side migration feature (Preview)

+> [!NOTE]

+> The migration feature described in this article is used for side by side (different subnet) automated migration of App Service Environment v2 to App Service Environment v3 and is currently **in preview**.

+>

+> If you're looking for information on the in-place migration feature, see [Migrate to App Service Environment v3 by using the in-place migration feature](migrate.md). If you're looking for information on manual migration options, see [Manual migration options](migration-alternatives.md). For help deciding which migration option is right for you, see [Migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree). For more information on App Service Environment v3, see [App Service Environment v3 overview](overview.md).

+>

+App Service can automate migration of your App Service Environment v1 and v2 to an [App Service Environment v3](overview.md). There are different migration options. Review the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree) to decide which option is best for your use case. App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

+The side by side migration feature automates your migration to App Service Environment v3. The side by side migration feature creates a new App Service Environment v3 with all of your apps in a different subnet. Your existing App Service Environment isn't deleted until you initiate its deletion at the end of the migration process. Because of this process, there's a rollback option if you need to cancel your migration. This migration option is best for customers who want to migrate to App Service Environment v3 with zero downtime and can support using a different subnet for their new environment. If you need to use the same subnet and can support about one hour of application downtime, see the [in-place migration feature](migrate.md). For manual migration options that allow you to migrate at your own pace, see [manual migration options](migration-alternatives.md).

+> [!IMPORTANT]

+> It is recommended to use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.

+>

+## Supported scenarios

+At this time, the side by side migration feature supports migrations to App Service Environment v3 in the following regions:

+### Azure Public

+- East Asia

+- West Central US

+The following App Service Environment configurations can be migrated using the side by side migration feature. The table gives the App Service Environment v3 configuration when using the side by side migration feature based on your existing App Service Environment.

+|Configuration |App Service Environment v3 Configuration |

+||--|

+|[Internal Load Balancer (ILB)](create-ilb-ase.md) App Service Environment v2 |ILB App Service Environment v3 |

+|[External (ELB/internet facing with public IP)](create-external-ase.md) App Service Environment v2 |ELB App Service Environment v3 |

+|ILB App Service Environment v2 with a custom domain suffix |ILB App Service Environment v3 (custom domain suffix is optional) |

+App Service Environment v3 can be deployed as [zone redundant](../../availability-zones/migrate-app-service-environment.md). Zone redundancy can be enabled as long as your App Service Environment v3 is [in a region that supports zone redundancy](./overview.md#regions).

+If you want your new App Service Environment v3 to use a custom domain suffix and you aren't using one currently, custom domain suffix can be configured during the migration set-up or at any time once migration is complete. For more information, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md). If your existing environment has a custom domain suffix and you no longer want to use it, don't configure a custom domain suffix during the migration set-up.

+## Side by side migration feature limitations

+The following are limitations when using the side by side migration feature:

+- Your new App Service Environment v3 is in a different subnet but the same virtual network as your existing environment.

+- You can't change the region your App Service Environment is located in.

+- ELB App Service Environment canΓÇÖt be migrated to ILB App Service Environment v3 and vice versa.

+App Service Environment v3 doesn't support the following features that you might be using with your current App Service Environment v2.

+- Configuring an IP-based TLS/SSL binding with your apps.

+- App Service Environment v3 doesn't fall back to Azure DNS if your configured custom DNS servers in the virtual network aren't able to resolve a given name. If this behavior is required, ensure that you have a forwarder to a public DNS or include Azure DNS in the list of custom DNS servers.

+The side by side migration feature doesn't support the following scenarios. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into one of these categories.

+- App Service Environment v1

+ - You can find the version of your App Service Environment by navigating to your App Service Environment in the [Azure portal](https://portal.azure.com) and selecting **Configuration** under **Settings** on the left-hand side. You can also use [Azure Resource Explorer](https://resources.azure.com/) and review the value of the `kind` property for your App Service Environment.

+ - If you have an App Service Environment v1, you can migrate using the [in-place migration feature](migrate.md) or one of the [manual migration options](migration-alternatives.md).

+- ELB App Service Environment v2 with IP SSL addresses

+- [Zone pinned](zone-redundancy.md) App Service Environment v2

+

+The App Service platform reviews your App Service Environment to confirm side by side migration support. If your scenario doesn't pass all validation checks, you can't migrate at this time using the side by side migration feature. If your environment is in an unhealthy or suspended state, you can't migrate until you make the needed updates.

+> [!NOTE]

+> App Service Environment v3 doesn't support IP SSL. If you use IP SSL, you must remove all IP SSL bindings before migrating to App Service Environment v3. The migration feature will support your environment once all IP SSL bindings are removed.

+>

+### Troubleshooting

+If your App Service Environment doesn't pass the validation checks or you try to perform a migration step in the incorrect order, you see one of the following error messages:

+|Error message |Description |Recommendation |

+|||-|

+|Migrate can only be called on an ASE in ARM VNET and this ASE is in Classic VNET. |App Service Environments in Classic virtual networks can't migrate using the side by side migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |

+|ASEv3 Migration is not yet ready. |The underlying infrastructure isn't ready to support App Service Environment v3. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the side by side migration feature to be available in your region. |

+|Cannot enable zone redundancy for this ASE. |The region the App Service Environment is in doesn't support zone redundancy. |If you need to enable zone redundancy, use one of the manual migration options to migrate to a [region that supports zone redundancy](overview.md#regions). |

+|Migrate cannot be called on this custom DNS suffix ASE at this time. |Custom domain suffix migration is blocked. |Open a support case to engage support to resolve your issue. |

+|Zone redundant ASE migration cannot be called at this time. |Zone redundant App Service Environment migration is blocked. |Open a support case to engage support to resolve your issue. |

+|Migrate cannot be called on ASEv2 that is zone-pinned. |App Service Environment v2 that's zone pinned can't be migrated using the side by side migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |

+|Existing revert migration operation ongoing, please try again later. |A previous migration attempt is being reverted. |Wait until the revert that's in progress completes before attempting to start migration again. |

+|Properties.VirtualNetwork.Id should contain the subnet resource ID. |The error appears if you attempt to migrate without providing a new subnet for the placement of your App Service Environment v3. |Ensure you follow the guidance and complete the step to identify the subnet you'll use for your App Service Environment v3. |

+|Unable to move to `<requested phase>` from the current phase `<previous phase>` of No Downtime Migration. |This error appears if you attempt to do a migration step in the incorrect order. |Ensure you follow the migration steps in order. |

+|Failed to start revert operation on ASE in hybrid state, please try again later. |This error appears if you try to revert the migration but something goes wrong. This error doesn't affect either your old or your new environment. |Open a support case to engage support to resolve your issue. |

+|This ASE cannot be migrated without downtime. |This error appears if you try to use the side by side migration feature on an App Service Environment v1. |The side by side migration feature doesn't support App Service Environment v1. Migrate using the [in-place migration feature](migrate.md) or one of the [manual migration options](migration-alternatives.md). |

+|Migrate is not available for this subscription. |Support needs to be engaged for migrating this App Service Environment.|Open a support case to engage support to resolve your issue.|

+|Zone redundant migration cannot be called since the IP addresses created during pre-migrate are not zone redundant. |This error appears if you attempt a zone redundant migration but didn't create zone redundant IPs during the IP generation step. |Open a support case to engage support if you need to enable zone redundancy. Otherwise, you can migrate without enabling zone redundancy. |

+|Migrate cannot be called if IP SSL is enabled on any of the sites. |App Service Environments that have sites with IP SSL enabled can't be migrated using the side by side migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, you can disable the IP SSL on all sites in the App Service Environment and attempt migration again. |

+|Cannot migrate within the same subnet. |The error appears if you specify the same subnet that your current environment is in for placement of your App Service Environment v3. |You must specify a different subnet for your App Service Environment v3. If you need to use the same subnet, migrate using the [in-place migration feature](migrate.md). |

+|Subscription has too many App Service Environments. Please remove some before trying to create more.|The App Service Environment [quota for your subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits) is met. |Remove unneeded environments or contact support to review your options. |

+|Migrate cannot be called on this ASE until the active upgrade has finished. |App Service Environments can't be migrated during platform upgrades. You can set your [upgrade preference](how-to-upgrade-preference.md) from the Azure portal. In some cases, an upgrade is initiated when visiting the migration page if your App Service Environment isn't on the current build. |Wait until the upgrade finishes and then migrate. |

+|App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You can migrate once these operations are complete. |

+|Your InternalLoadBalancingMode is not currently supported.|App Service Environments that have InternalLoadBalancingMode set to certain values can't be migrated using the side by side migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |

+|Migration is invalid. Your ASE needs to be upgraded to the latest build to ensure successful migration. We will upgrade your ASE now. Please try migrating again in few hours once platform upgrade has finished. |Your App Service Environment isn't on the minimum build required for migration. An upgrade is started. Your App Service Environment won't be impacted, but you won't be able to scale or make changes to your App Service Environment while the upgrade is in progress. You won't be able to migrate until the upgrade finishes. |Wait until the upgrade finishes and then migrate. |

+|Full migration cannot be called before IP addresses are generated. |This error appears if you attempt to migrate before finishing the premigration steps. |Ensure you complete all premigration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-side-by-side-migrate.md). |

+## Overview of the migration process using the side by side migration feature

+Side by side migration consists of a series of steps that must be followed in order. Key points are given for a subset of the steps. It's important to understand what happens during these steps and how your environment and apps are impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-side-by-side-migrate.md).

+### Select and prepare the subnet for your new App Service Environment v3

+The platform creates your new App Service Environment v3 in a different subnet than your existing App Service Environment. You need to select a subnet that meets the following requirements:

+- The subnet must be in the same virtual network, and therefore region, as your existing App Service Environment.

+ - If your virtual network doesn't have an available subnet, you need to create one. You might need to increase the address space of your virtual network to create a new subnet. For more information, see [Create a virtual network](../../virtual-network/quick-create-portal.md).

+- The subnet must be able to communicate with the subnet your existing App Service Environment is in. Ensure there aren't network security groups or other network configurations that would prevent communication between the subnets.

+- The subnet must have a single delegation of `Microsoft.Web/hostingEnvironments`.

+- The subnet must have enough available IP addresses to support your new App Service Environment v3. The number of IP addresses needed depends on the number of instances you want to use for your new App Service Environment v3. For more information, see [App Service Environment v3 networking](networking.md#addresses).

+- The subnet must not have any locks applied to it. If there are locks, they must be removed before migration. The locks can be readded if needed once migration is complete. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).

+- There must not be any Azure Policies blocking migration or related actions. If there are policies that block the creation of App Service Environments or the modification of subnets, they must be removed before migration. The policies can be readded if needed once migration is complete. For more information on Azure Policy, see [Azure Policy overview](../../governance/policy/overview.md).

+### Generate outbound IP addresses for your new App Service Environment v3

+The platform creates the [the new outbound IP addresses](networking.md#addresses). While these IPs are getting created, activity with your existing App Service Environment isn't interrupted, however, you can't scale or make changes to your existing environment. This process takes about 15 minutes to complete.

+When completed, you'll be given the new outbound IPs that your future App Service Environment v3 uses. These new IPs have no effect on your existing environment. The IPs used by your existing environment continue to be used up until you redirect customer traffic and complete the migration in the final step.

+You receive the new inbound IP address once migration is complete but before you make the [DNS change to redirect customer traffic to your new App Service Environment v3](#redirect-customer-traffic-and-complete-migration). You don't get the inbound IP at this point in the process because the inbound IP is dependent on the subnet you select for the new environment. You have a chance to update any resources that are dependent on the new inbound IP before you redirect traffic to your new App Service Environment v3.

+This step is also where you decide if you want to enable zone redundancy for your new App Service Environment v3. Zone redundancy can be enabled as long as your App Service Environment v3 is [in a region that supports zone redundancy](./overview.md#regions).

+### Update dependent resources with new outbound IPs

+The new outbound IPs are created and given to you before you start the actual migration. The new default outbound to the internet public addresses are given so you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs before completing the migration. **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.** This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3 including the port change for the Azure Load Balancer health probe, which now uses port 80.

+### Delegate your App Service Environment subnet

+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Migration can't succeed if the App Service Environment's subnet isn't delegated or you delegate it to a different resource. Ensure that the subnet you select for your new App Service Environment v3 has a single delegation of `Microsoft.Web/hostingEnvironments`.

+### Acknowledge instance size changes

+Your App Service plans are created with the corresponding Isolated v2 SKU as part of the migration. For example, I2 plans correspond with I2v2. Your apps might be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You have the opportunity to scale your environment as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+### Ensure there are no locks on your resources

+Virtual network locks block platform operations during migration. If your virtual network has locks, you need to remove them before migrating. The locks can be readded if needed once migration is complete. Locks can exist at three different scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, they need to be removed before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).

+### Ensure there are no Azure Policies blocking migration

+Azure Policy can be used to deny resource creation and modification to certain principals. If you have a policy that blocks the creation of App Service Environments or the modification of subnets, you need to remove it before migrating. The policy can be readded if needed once migration is complete. For more information on Azure Policy, see [Azure Policy overview](../../governance/policy/overview.md).

+### Add a custom domain suffix (optional)

+If your existing App Service Environment uses a custom domain suffix, you can configure a custom domain suffix for your new App Service Environment v3. Custom domain suffix on App Service Environment v3 is implemented differently than on App Service Environment v2. You need to provide the custom domain name, managed identity, and certificate, which must be stored in Azure Key Vault. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md). Configuring a custom domain suffix is optional. If your App Service Environment v2 has a custom domain suffix and you don't want to use it on your new App Service Environment v3, don't configure a custom domain suffix during the migration set-up.

+### Migrate to App Service Environment v3

+After completing the previous steps, you should continue with migration as soon as possible.

+There's no application downtime during the migration, but as in the outbound IP generation step, you can't scale, modify your existing App Service Environment, or deploy apps to it during this process.

+> [!IMPORTANT]

+> Since scaling is blocked during the migration, you should scale your environment to the desired size before starting the migration.

+>

+Side by side migration requires a three to six hour service window for App Service Environment v2 to v3 migrations. During migration, scaling and environment configurations are blocked and the following events occur:

+- The new App Service Environment v3 is created in the subnet you selected.

+- Your new App Service plans are created in the new App Service Environment v3 with the corresponding Isolated v2 tier.

+- Your apps are created in the new App Service Environment v3.

+When this step completes, your application traffic is still going to your old App Service Environment and the IPs that were assigned to it. However, you also now have an App Service Environment v3 with all of your apps.

+### Get the inbound IP address for your new App Service Environment v3 and update dependent resources

+You get the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). Don't move on to the next step until you account for this change. There's downtime if you don't update dependent resources with the new inbound IP. **It's your responsibility to update any and all resources that are impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**

+### Redirect customer traffic and complete migration

+The final step is to redirect traffic to your new App Service Environment v3 and complete the migration. The platform does this change for you, but only when you initiate it. Before you do this step, you should review your new App Service Environment v3 and perform any needed testing to validate that it's functioning as intended. You can do this review using the IPs associated with your App Service Environment v3 from the IP generation steps. Once you're ready to redirect traffic, you can complete the final step of the migration. This step updates internal DNS records to point to the load balancer IP address of your new App Service Environment v3. Changes are effective immediately. This step also shuts down your old App Service Environment and deletes it. Your new App Service Environment v3 is now your production environment.

+> [!IMPORTANT]

+> During the preview, in some cases there may be up to 20 minutes of downtime when you complete the final step of the migration. This downtime is due to the DNS change. The downtime is expected to be removed once the feature is generally available. If you have a requirement for zero downtime, you should wait until the side by side migration feature is generally available. During preview, however, you can still use the side by side migration feature to migrate your dev environments to App Service Environment v3 to learn about the migration process and see how it impacts your workloads.

+>

+If you discover any issues with your new App Service Environment v3, don't run the command to redirect customer traffic. This command also initiates the deletion of your App Service Environment v2. If you find an issue, you can revert all changes and return to your old App Service Environment v2. The revert process takes 3 to 6 hours to complete. There's no downtime associated with this process. Once the revert process completes, your old App Service Environment is back online and your new App Service Environment v3 is deleted. You can then attempt the migration again once you resolve any issues.

+## Pricing

+There's no cost to migrate your App Service Environment. However, you're billed for both your App Service Environment v2 and your new App Service Environment v3 once you start the migration process. You stop being charged for your old App Service Environment v2 when you complete the final migration step where your DNS is updated and the old environment gets deleted. You should complete your validation as quickly as possible to prevent excess charges from accumulating. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).

+When you migrate to App Service Environment v3 from previous versions, there are scenarios that you should consider that can potentially reduce your monthly cost. Consider [reservations](../../cost-management-billing/reservations/reservation-discount-app-service.md#how-reservation-discounts-apply-to-isolated-v2-instances) and [savings plans](../../cost-management-billing/savings-plan/savings-plan-compute-overview.md) to further reduce your costs. For information on cost saving opportunities, see [Cost saving opportunities after upgrading to App Service Environment v3](upgrade-to-asev3.md#cost-saving-opportunities-after-upgrading-to-app-service-environment-v3).

+> [!NOTE]

+> Due to the differences between the Isolated to Isolated v2 pricing tiers, your apps may be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You'll have the opportunity to [scale your environment](../manage-scale-up.md) as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).

+>

+### Scale down your App Service plans

+The App Service plan SKUs available for App Service Environment v3 run on the Isolated v2 (Iv2) tier. The number of cores and amount of RAM are effectively doubled per corresponding tier compared the Isolated tier. When you migrate, your App Service plans are converted to the corresponding tier. For example, your I2 instances are converted to I2v2. While I2 has two cores and 7-GB RAM, I2v2 has four cores and 16-GB RAM. If you expect your capacity requirements to stay the same, you're over-provisioned and paying for compute and memory you're not using. For this scenario, you can scale down your I2v2 instance to I1v2 and end up with a similar number of cores and RAM that you had previously.

+## Frequently asked questions

+- **What if migrating my App Service Environment is not currently supported?**

+ You can't migrate using the side by side migration feature at this time. If you have an unsupported environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md).

+- **How do I choose which migration option is right for me?**

+ Review the [migration path decision tree](upgrade-to-asev3.md#migration-path-decision-tree) to decide which option is best for your use case.

+- **How do I know if I should use the side by side migration feature?**

+ The side by side migration feature is best for customers who want to migrate to App Service Environment v3 but can't support application downtime. Since a new subnet is used for your new environment, there are networking considerations to be aware of, including new IPs. If you can support downtime, see the [in-place migration feature](migrate.md), which results in minimal configuration changes, or the [manual migration options](migration-alternatives.md). The in-place migration feature creates your App Service Environment v3 in the same subnet as your existing environment and uses the same networking infrastructure.

+- **Will I experience downtime during the migration?**

+ No, there's no downtime during the side by side migration process. Your apps continue to run on your existing App Service Environment until you complete the final step of the migration where DNS changes are effective immediately. Once you complete the final step, your old App Service Environment is shut down and deleted. Your new App Service Environment v3 is now your production environment.

+- **Will I need to do anything to my apps after the migration to get them running on the new App Service Environment?**

+ No, all of your apps running on the old environment are automatically migrated to the new environment and run like before. No user input is needed.

+- **What if my App Service Environment has a custom domain suffix?**

+ The side by side migration feature supports this [migration scenario](#supported-scenarios).

+- **What if my App Service Environment is zone pinned?**

+ The side by side migration feature doesn't support this [migration scenario](#supported-scenarios) at this time. If you have a zone pinned App Service Environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md).

+- **What if my App Service Environment has IP SSL addresses?**

+ IP SSL isn't supported on App Service Environment v3. You must remove all IP SSL bindings before migrating using the migration feature or one of the manual options. If you intend to use the side by side migration feature, once you remove all IP SSL bindings, you pass that validation check and can proceed with the automated migration.

+- **What properties of my App Service Environment will change?**

+ You're on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. Both your inbound and outbound IPs change when using the side by side migration feature. Note for ELB App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses). For a full comparison of the App Service Environment versions, see [App Service Environment version comparison](version-comparison.md).

+- **What happens if migration fails or there is an unexpected issue during the migration?**

+ If there's an unexpected issue, support teams are on hand. We recommend that you migrate dev environments before touching any production environments to learn about the migration process and see how it impacts your workloads. With the side by side migration feature, you can revert all changes if there's any issues.

+- **What happens to my old App Service Environment?**

+ If you decide to migrate an App Service Environment using the side by side migration feature, your old environment is used up until the final step in the migration process. Once you complete the final step, the old environment and all of the apps hosted on it get shutdown and deleted. Your old environment is no longer accessible. A rollback to the old environment at this point isn't possible.

+- **What will happen to my App Service Environment v1/v2 resources after 31 August 2024?**

+ After 31 August 2024, if you don't migrate to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, [App Service Environment v1/v2 will no longer be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.

+## Next steps

+> [!div class="nextstepaction"]

+> [Migrate your App Service Environment to App Service Environment v3 using the side by side migration feature](how-to-side-by-side-migrate.md)

+> [!div class="nextstepaction"]

+> [App Service Environment v3 Networking](networking.md)

+> [!div class="nextstepaction"]

+> [Using an App Service Environment v3](using.md)

+> [!div class="nextstepaction"]

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+This page is your one-stop shop for guidance and resources to help you upgrade successfully with minimal downtime. Follow the guidance to plan and complete your upgrade as soon as possible. This page is updated with the latest information as it becomes available.

+|**1**|**Pre-flight check**|Determine if your environment meets the prerequisites to automate your upgrade using one of the automated migration features. Decide whether an in-place or side by side migration is right for your use case.<br><br>- [Migration path decision tree](#migration-path-decision-tree)<br>- [Automated upgrade using the in-place migration feature](migrate.md)<br>- [Automated upgrade using the side by side migration feature](side-by-side-migrate.md)<br><br>If not, you can upgrade manually.<br><br>- [Manual migration](migration-alternatives.md)|

+|**2**|**Migrate**|Based on results of your review, either upgrade using one of the automated migration features or follow the manual steps.<br><br>- [Use the in-place automated migration feature](how-to-migrate.md)<br>- [Use the side by side automated migration feature](how-to-side-by-side-migrate.md)<br>- [Migrate manually](migration-alternatives.md)|

+|**3**|**Testing and troubleshooting**|Upgrading using one of the automated migration features requires a 3-6 hour service window. If you use the side by side migration feature, you have the opportunity to [test and validate your App Service Environment v3](side-by-side-migrate.md#redirect-customer-traffic-and-complete-migration) before completing the upgrade. Support teams are monitoring upgrades to ensure success. If you have a support plan and you need technical help, create a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).|

+### What tooling is available to help with the upgrade to App Service Environment v3?

+There are two automated migration features available to help you upgrade to App Service Environment v3.

+- **In-place migration feature** migrates your App Service Environment to App Service Environment v3 in-place. In-place means that your App Service Environment v3 replaces your existing App Service Environment in the same subnet. There's application downtime during the migration because a subnet can only have a single App Service Environment at a given time. For more information about this feature, see [Automated upgrade using the in-place migration feature](migrate.md).

+- **Side by side migration feature** creates a new App Service Environment v3 in a different subnet that you choose and recreates all of your App Service plans and apps in that new environment. Your existing environment is up and running during the entire migration. Once the new App Service Environment v3 is ready, you can redirect traffic to the new environment and complete the migration. There's no application downtime during the migration. For more information about this feature, see [Automated upgrade using the side by side migration feature](side-by-side-migrate.md).

+- **Manual migration options** are available if you can't use the automated migration features. For more information about these options, see [Migration alternatives](migration-alternatives.md).

+### Migration path decision tree

+Use the following decision tree to determine which migration path is right for you.

+### Cost saving opportunities after upgrading to App Service Environment v3

+The App Service plan SKUs available for App Service Environment v3 run on the Isolated v2 (Iv2) tier. The number of cores and amount of RAM are effectively doubled per corresponding tier compared the Isolated tier. When you migrate, your App Service plans are converted to the corresponding tier. For example, your I2 instances are converted to I2v2. While I2 has two cores and 7-GB RAM, I2v2 has four cores and 16-GB RAM. If you expect your capacity requirements to stay the same, you're over-provisioned and paying for compute and memory you're not using. For this scenario, you can scale down your I2v2 instance to I1v2 and end up with a similar number of cores and RAM that you had previously.

+> [!NOTE]

+> All scenarios are calculated using costs based on Linux $USD pricing in East US. The payment option is set to monthly. Estimates are based on the prices applicable on the day the estimate was created. Actual total estimates may vary. For the most up-to-date estimates, see the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).

+>

+To demonstrate the cost saving opportunity for this scenario, use the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the monthly savings as a result of scaling down your App Service plans. For this example, your App Service Environment v2 has 1 I2 instance. You require two cores and 7-GB RAM. You're using pay-as-you-go pricing. On App Service Environment v2, your monthly payment is the following.

+[Stamp fee + 1(I2) = $991.34 + $416.10 = $1,407.44](https://azure.com/e/014bf22b3e88439dba350866a472a41a)

+When you migrate this App Service Environment using the migration feature, your new App Service Environment v3 has 1 I2v2 instance, which means you have four cores and 16-GB RAM. If you don't change anything, your monthly payment is the following.

+[1(I2v2) = $563.56](https://azure.com/e/17946ea2c4db483d882526ba515a6771)

+Your monthly cost is reduced, but you don't need that much compute and capacity. You scale down your instance to I1v2 and your monthly cost is reduced even further.

+[1(I1v2) = $281.78](https://azure.com/e/9d481c3af3cd407d975017c2b8158bbd)

+#### Break even point

+In most cases, migrating to App Service Environment v3 allows for cost saving opportunities. However, cost savings might not always be possible, especially if you're required to maintain a large number of small instances.

+To demonstrate this scenario, you have an App Service Environment v2 with a single I1 instance. Your monthly cost is:

+[Stamp fee + 1(I1) = $991.34 + $208.05 = **$1,199.39**](https://azure.com/e/ac89a70062a240e1b990304052d49fad)

+If you migrate this environment to App Service Environment v3, your monthly cost is:

+[1(I1v2) = **$281.78**](https://azure.com/e/9d481c3af3cd407d975017c2b8158bbd)

+This change is a significant cost reduction, but you're over-provisioned since you have double the cores and RAM, which you might not need. This excess isn't an issue for this scenario since the new environment is cheaper. However, when you increase your I1 instances in a single App Service Environment, you see how migrating to App Service Environment v3 can increase your monthly cost.

+For this scenario, your App Service Environment v2 has 14 I1 instances. Your monthly cost is:

+[Stamp fee + 14(I1) = $991.34 + $2,912.70 = **$3,904.04**](https://azure.com/e/bd1dce4b5c8f4d6d807ed3c4ae78fcae)

+When you migrate this environment to App Service Environment v3, your monthly cost is:

+[14(I1v2) = **$3,944.92**](https://azure.com/e/e0f1ebacf937479ba073a9c32cb2452f)

+Your App Service Environment v3 is now more expensive than your App Service Environment v2. As you start add more I1 instances, and therefore need more I1v2 instances when you migrate, the difference in price becomes more significant. If this scenario is a requirement for your environment, you might need to plan for an increase in your monthly cost. The following graph visually depicts the point where App Service Environment v3 becomes more expensive than App Service Environment v2 for this specific scenario.

+> [!NOTE]

+> This calculation was done with Linux $USD prices in East US. Break even points will vary due to price variances in the different regions. For an estimate that reflects your situation, see [the Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).

+>

+For more scenarios on cost changes and savings opportunities with App Service Environment v3, see [Estimate your cost savings by migrating to App Service Environment v3](https://azure.github.io/AppService/2023/03/02/App-service-environment-v3-pricing.html).

+> [!div class="nextstepaction"]

+> [Migration to App Service Environment v3 using the in-place migration feature](migrate.md)

+> [!div class="nextstepaction"]

+> [Migration to App Service Environment v3 using the side by side migration feature](side-by-side-migrate.md)

+> [!div class="nextstepaction"]

+> [Manually migrate to App Service Environment v3](migration-alternatives.md)

+|DNS fallback |Azure DNS |Azure DNS |[Ensure that you have a forwarder to a public DNS or include Azure DNS in the list of custom DNS servers](migrate.md#in-place-migration-feature-limitations) |

+> PowerShell 7.x does not support signed runbooks for Windows and Linux Hybrid Runbook Worker.

+> - PowerShell 7.x does not support signed runbooks for agent-based Windows and agent-based Linux Hybrid Runbook Worker.

+> - Signed PowerShell and Python runbooks aren't supported in extension-based Linux Hybrid Workers.

+> [!NOTE]

+> The Create a GPG keyring and keypair are applicable only for the agent-based hybrid workers.

+#Customer intent: I want to dynamically update my .NET app to use the latest configuration data in App Configuration.

+- [Visual Studio](https://visualstudio.microsoft.com/downloads)

+The **Licenses** tab displays Azure Arc WS2012 licenses that are available. From here, you can select an existing license to apply or create a new license.

+This linking won't trigger a compliance violation or enforcement block, allowing you to extend the application of a license beyond its provisioned cores. The expectation is that the license only includes cores for production and billed servers. Any additional cores will be charged and result in over-billing.

+When upgrading a Windows Server 2012/2012R machine to Windows Server 2016 or above, it's not necessary to remove the Connected Machine agent from the machine. The new operating system will be visible for the machine in Azure within a few minutes of upgrade completion. Upgraded machines no longer require ESUs and are no longer eligible for them. Any ESU license associated with the machine isn't automatically unlinked from the machine. See [Unlink a license](api-extended-security-updates.md#unlink-a-license) for instructions on doing so manually.

+## Assess WS2012 ESU patch Status

+To detect whether your Azure Arc-enabled servers are patched with the most recent Windows Server 2012/R2 Extended Security Updates, you can use the Azure Policy [Extended Security Updates should be installed on Windows Server 2012 Arc machines-Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F14b4e776-9fab-44b0-b53f-38d2458ea8be/version~/null/scopes~/%5B%22%2Fsubscriptions%2F4fabcc63-0ec0-4708-8a98-04b990085bf8%22%5D). This Azure Policy, powered by Machine Configuration, identifies if the server has received the most recent ESU Patches. This is observable from the Guest Assignment and Azure Policy Compliance views built into Azure portal.

+## ESU patch issues

+### ESU patch status

+To detect whether your Azure Arc-enabled servers are patched with the most recent Windows Server 2012/R2 Extended Security Updates, use Azure Update Manager or the Azure Policy [Extended Security Updates should be installed on Windows Server 2012 Arc machines-Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F14b4e776-9fab-44b0-b53f-38d2458ea8be/version~/null/scopes~/%5B%22%2Fsubscriptions%2F4fabcc63-0ec0-4708-8a98-04b990085bf8%22%5D), which checks whether the most recent WS2012 ESU patches have been received. Both of these options are available at no additional cost for Azure Arc-enabled servers enrolled in WS2012 ESUs enabled by Azure Arc.

+@app.timer_trigger(schedule="0 */5 * * * *",

+| [Azure Fluid Relay](../../azure-fluid-relay/index.yml) | &#x2705; | &#x2705; |

+| Azure Commercial | `<data-collection-endpoint>`.`<virtual-machine-region-name>`.ingest.monitor.azure.com | Only needed if sending data to Log Analytics [Custom Logs](./data-collection-text-log.md) table | Port 443 | Outbound | Yes | 275test-01li.eastus2euap-1.canary.ingest.monitor.azure.com |

+| January 2024 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.5 won't install on Arc enabled servers. **This issue was fixed in 1.29.6**</li></ul>**Windows**<ul><li>Added support for Transport Layer Security 1.3</li><li>Reverted a change to enable multiple IIS subscriptions to use same filter. Feature will be redeployed once memory leak is fixed.</li><li>Improved ETW event throughput rate</li></ul>**Linux**<ul><li>Fix Error messages logged intended for mdsd.err went to mdsd.warn instead in 1.29.4 only. Likely error messages: "Exception while uploading to Gig-LA : ...", "Exception while uploading to ODS: ...", "Failed to upload to ODS: ..."</li><li>Syslog time zones incorrect: AMA now uses machine current time when AMA receives an event to populate the TimeGenerated field. The previous behavior parsed the time zone from the Syslog event which caused incorrect times if a device sent an event from a time zone different than the AMA collector machine.</li><li>Reduced noise generated by AMAs' use of semanage when SELinux is enabled"</li></ul> | 1.23.0 | 1.29.5, 1.29.6 |

+| [Microsoft Sentinel](../../sentinel/overview.md) | Migrate to Azure Monitor Agent | Public Preview | See [AMA migration for Microsoft Sentinel](../../sentinel/ama-migrate.md). Only CEF and Firewall collection remain for GA status |

+# Data collection in Azure Monitor

+>[!IMPORTANT]

+>The Log Analytics agent is on a **deprecation path** and won't be supported after **August 31, 2024**. Any new data centers brought online after January 1 2024 will not support the Log Analytics agent. If you use the Log Analytics agent to ingest data to Azure Monitor, [migrate to the new Azure Monitor agent](../agents/azure-monitor-agent-migration.md) prior to that date.

+>

+The charge for maintaining archived logs is calculated based on the volume of data you archive, in GB, and the number or days for which you archive the data. Log data that has `_IsBillable == false` is not subject to retention or archive charges.

+The **\_IsBillable** column specifies whether ingested data is considered billable. Data with **\_IsBillable** equal to `false` does not incur data ingestion, retention or archive charges.

+If the max path length can't be enabled in the Windows environment or the Windows client versions are too low, there's a workaround. You can mount the SMB share deeper into the directory structure and reduce the queried path length.

+* [Understand volume languages](understand-volume-languages.md)

+## Resolve concurrent operations

+When two or more operations try to update the same resource at the same time, Azure Resource Manager detects the conflict and permits only one operation to complete successfully. Azure Resource Manager blocks the other operations and returns an error.

+Concurrent resource updates can cause unexpected results. This resolution ensures that your updates are deterministic and reliable. You know the status of your resources and avoid any inconsistency or data loss.

+Suppose you have two requests (A and B) that try to update the same resource at the same time. If request A finishes before request B, request A succeeds and request B fails. Request B returns the 409 error. After getting that error code, you can get the updated status of the resource and determine if you want to resend request B.

+Azure VMware Solution private cloud vCenter Server, NSX-T Data Center, and HCX Manager (if enabled) configurations are on a daily backup schedule. Open a [support request](https://rc.portal.azure.com/#create/Microsoft.Support) in the Azure portal to request restoration.

+> [!NOTE]

+> Restorations are intended for catastrophic situations only.

+#### To export the certificate:

+## Renew existing certificates for LDAPS identity source

+1. Renew the existing certificates in your domain controllers.

+1. Optional: If the certificates are stored in default domain controllers, this step is optional. Leave the SSLCertificatesSasUrl parameter blank and the new certificates will be downloaded from the default domain controllers and updated in vCenter automatically. If you choose to not use the default way, [export the certificate for LDAPS authentication](#to-export-the-certificate) and [upload the LDAPS certificate to blob storage and generate an SAS URL](#upload-the-ldaps-certificate-to-blob-storage-and-generate-an-sas-url-optional). Save the SAS URL for the next step.

+1. Select **Run command** > **Packages** > **Update-IdentitySourceCertificates**.

+1. Provide the required values and the new SAS URL (optional), and then select **Run**.

+ | **Field** | **Value** |

+ | | |

+ | **DomainName*** | The FQDN of the domain, for example **avslab.local**. |

+ | **SSLCertificatesSasUrl (optional)** | A comma-delimited list of SAS path URI to Certificates for authentication. Ensure permissions to read are included. To generate, place the certificates in any storage account blob and then right-click the cert and generate SAS. If the value of this field isn't provided by a user, the certificates will be downloaded from the default domain controllers. |

+1. Check **Notifications** or the **Run Execution Status** pane to see the progress.

+| | Manage Teams closed captions | ✔️ |

+| | Trigger reactions | ✔️ |

+| | Indicate other participants' reactions | ✔️ |

+| | Receive PowerPoint Live stream | ✔️ |

+| Accessibility | Receive Teams closed captions | ✔️ |

+Azure Communication Services allows end-user browsers, apps, and services to drive voice and video communication. This page focuses on Calling client SDK, which can be embedded in websites and native applications. This page provides detailed descriptions of Calling client features such as platform and browser support information. Services programmatically manages and access calls using the [Call Automation APIs](../call-automation/call-automation.md). The [Rooms API](../rooms/room-concept.md) is an optional Azure Communication Services API that adds additional features to a voice or video call, such as roles and permissions.

+While the Calling SDK doesn't enforce these limits, your users might experience performance degradation if they're exceeded. Use the API of [Optimal Video Count](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#remote-video-quality) to determine how many current incoming video streams your web environment can support.

+## Supported video resolutions

+The Azure Communicaton Services Calling SDK support up to the following video resolutions:

+| Maximum video resolution | WebJS | iOS | Android | Windows |

+| - | -- | -- | - | - |

+| **Receiving video** | 1080P | 1080P | 1080P | 1080P |

+| **Sending video** | 720P | 720P | 720P | 1080P |

+The resolution can vary depending on the number of participants on a call, the amount of bandwidth available to the client, and other overall call parameters.

+## Calling SDK timeouts

+* **Inter-packet arrival jitter, also known as jitter**. The average change in delay between successive packets. Communication Services can adapt to some levels of jitter through buffering. It's only when the jitter exceeds the buffering that a participant notices its effects.

+|1.2 Mbps|HD group video calling with resolution of HD 720 pixels at 30 FPS|

+|1.5 Mbps|Peer-to-peer HD-quality video calling with resolution of HD 1080 pixels at 30 FPS |

+Communication Services connections require internet connectivity to specific ports and IP addresses to deliver high-quality multimedia experiences. Without access to these ports and IP addresses, Communication Services won't work properly. The list of IP ranges and allow listed domains that need to be enabled are:

+The endpoints below should be reachable for U.S. Government GCC High customers only.

+description: Overview of Simulcast - how sending multiple video quality streams helps overall call quality.

+- 1080P

+- 180p

+ var communicationServiceLro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, communicationServiceName, data);

+description: Learn how to manage phone numbers using Azure Communication Services.

+zone_pivot_groups: acs-azcli-azp-azpnew-java-net-python-csharp-js

+- When a phone number is released, the phone number shows up in your ACS resource on Azure Portal until the end of the billing cycle. It also can't be repurchased until the end of the billing cycle.

+- When a Communication Services resource is deleted, the phone numbers associated with that resource are automatically released at the same time.

+| Linux | Windows Client | Windows Server |

+||--|-|

+| **Ubuntu** | **Windows 11** | **Windows Server Datacenter** |

+| 20.04 <span class="pill purple">LTS</span> (AMD SEV-SNP Only) | 22H2 Pro | 2019 Server Core |

+| 22.04 <span class="pill purple">LTS</span> | 22H2 Pro <span class="pill red">ZH-CN</span> | |

+| | 22H2 Pro N | 2022 Server Core |

+| **RHEL** | 22H2 Enterprise | 2022 Azure Edition |

+| 9.3 <span class="pill purple">(AMD SEV-SNP Only)</span> | 22H2 Enterprise N | 2022 Azure Edition Core |

+| [9.3 <span class="pill purple">Preview (Intel TDX Only)](https://aka.ms/tdx-rhel-93-preview)</span> | 22H2 Enterprise Multi-session | |

+| | | |

+| **SUSE** | | |

+| [15 SP5 <span class="pill purple">Tech Preview (Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)</span> | | |

+| [15 SP5 for SAP <span class="pill purple">Tech Preview (Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)</span> | | |

+### Which Azure Cosmos DB APIs support data-plane role-based access control?

+As of now, only the NoSQL API is supported.

+| Granularity | Description |

+|-|-|

+| None | Shows the total cost for the entire date range. |

+| Daily | Shows cost per day (UTC). |

+| Monthly | Shows cost per calendar month (UTC). |

+| Accumulated | Shows the running total for each day including the total of all previous days in the selected date range. |

+- Learn about [Saving and sharing customized views](save-share-views.md).

+Data flows distribute the data processing over different cores in a Spark cluster to perform operations in parallel. A Spark cluster with more cores increases the number of cores in the compute environment. More cores increase the processing power of the data flow. Increasing the size of the cluster is often an easy way to reduce the processing time.

+The default cluster size is four driver cores and four worker cores (small). As you process more data, larger clusters are recommended. Below are the possible sizing options:

+| Worker Cores | Driver Cores | Total Cores | Notes |

+> There is a ceiling on how much the size of a cluster affects the performance of a data flow. Depending on the size of your data, there is a point where increasing the size of a cluster will stop improving performance. For example, If you have more cores than partitions of data, adding additional cores won't help.

+ # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.

+ # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.

+| February 20 | [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) |

+### New version of Defender Agent for Defender for Containers

+February 20, 2024

+[A new version](/azure/aks/supported-kubernetes-versions#aks-kubernetes-release-calendar) of the [Defender Agent for Defender for Containers](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) is available. It includes performance and security improvements, support for both AMD64 and ARM64 arch nodes (Linux only), and uses [Inspektor Gadget](https://www.inspektor-gadget.io/) as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you need to upgrade. Support for ARM 64 is only available from AKS V1.29 and above. For more information, see [Supported host operating systems](support-matrix-defender-for-containers.md#supported-host-operating-systems).

+### Open Container Initiative (OCI) image format specification support

+| [Update recommendations to align with Azure AI Services resources](#update-recommendations-to-align-with-azure-ai-services-resources) | February 20, 2024 | February 28, 2024 |

+## Update recommendations to align with Azure AI Services resources

+**Announcement date: February 20, 2024**

+**Estimated date of change: February 28, 2024**

+The Azure AI Services category (formerly known as Cognitive Services) is adding new resource types. As a result, the following recommendations and related policy are set to be updated to comply with the new Azure AI Services naming format and align with the relevant resources.

+| Current Recommendation | Updated Recommendation |

+| - | - |

+| Cognitive Services accounts should restrict network access | [Azure AI Services resources should restrict network access](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243) |

+| Cognitive Services accounts should have local authentication methods disabled | [Azure AI Services resources should have key access disabled (disable local authentication)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/13b10b36-aa99-4db6-b00c-dcf87c4761e6) |

+See the [list of security recommendations](recommendations-reference.md).

+For details on the new API version, see [Microsoft Defender for Cloud REST APIs](/rest/api/defenderforcloud/operation-groups).

+ |**Attach a quick start catalog**|Clear the **Dev box customization tasks** checkbox. </br> Clear the **Azure deployment environment definitions** checkbox.|

+## Catalogs

+The Dev Box quick start catalog contains tasks and scripts that you can use to configure your dev box during the final stage of the creation process.Microsoft provides a [*quick start* catalog](https://github.com/microsoft/devcenter-catalog) that contains a set of sample tasks. You can attach the quick start catalog to a dev center to make these tasks available to all the projects associated with the dev center. You can modify the sample tasks to suit your needs, and you can create your own catalog of tasks.

+To learn how to create reusable customization tasks, see [Create reusable dev box customizations](./how-to-customize-dev-box-setup-tasks.md).

+ Title: Customize your dev box with setup tasks

+description: Customize your dev box by using a catalog of setup tasks and a configuration file to install software, configure settings, and more.

+#customer intent: As a platform engineer, I want to be able to complete configuration tasks on my dev boxes, so that my developers have the environment they need as soon as they start using their dev box.

+# Create reusable dev box customizations

+In this article, you learn how to customize dev boxes by using a catalog of setup tasks and a configuration file to install software, configure settings, and more. These tasks are applied to the new dev box in the final stage of the creation process. Microsoft Dev Box customization is a config-as-code approach to customizing dev boxes. You can add other settings and software without having to create a custom virtual machine (VM) image.

+By using customizations, you can automate common setup steps, save time, and reduce the chance of configuration errors. Some example setup tasks include:

+- Installing software with the WinGet or Chocolatey package managers.

+- Setting OS settings like enabling Windows Features.

+- Configuring applications like installing Visual Studio extensions.

+You can implement customizations in stages, building from a simple but functional configuration to an automated process. The stages are as follows:

+1. [Create a customized dev box by using an example configuration file](#create-a-customized-dev-box-by-using-an-example-configuration-file)

+1. [Write a configuration file](#write-a-configuration-file)

+1. [Share a configuration file from a code repository](#share-a-configuration-file-from-a-code-repository)

+1. [Define new tasks in a catalog](#define-new-tasks-in-a-catalog)

+> [!IMPORTANT]

+> Customizations in Microsoft Dev Box are currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+### Team-specific customization scenarios

+Customizations are useful wherever you need to configure settings, install software, add extensions, or set common OS settings like enabling Windows Features on your dev boxes during the final stage of creation. Development team leads can use customizations to preconfigure the software required for their specific development team. Developer team leads can author configuration files that apply only the setup tasks relevant for their teams. This method lets developers make their own dev boxes that best fit their work, without needing to ask IT for changes or wait for the engineering team to create a custom VM image.

+### What are tasks?

+A task performs a specific action, like installing software. Each task consists of one or more PowerShell scripts, along with a *task.yaml* file that provides parameters and defines how the scripts run. You can also include a PowerShell command in the task.yaml file. You can store a collection of curated setup tasks in a catalog attached to your dev center, with each task in a separate folder. Dev Box supports using a GitHub repository or an Azure DevOps repository as a catalog, and scans a specified folder of the catalog recursively to find task definitions.

+Microsoft provides a quick start catalog to help you get started with customizations. It includes a default set of tasks that define common setup tasks:

+- Installing software with the WinGet or Chocolatey package managers

+- Cloning a repository by using git-clone

+- Configuring applications like installing Visual Studio extensions

+- Running PowerShell scripts

+The following example shows a catalog with choco, git-clone, install-vs-extension, and PowerShell tasks defined. Notice that each folder contains a task.yaml file and at least one PowerShell script. Task.yaml files cache scripts and the input parameters needed to reference them from configuration files.

+### What is a configuration file?

+Dev Box customizations use a yaml formatted file to specify a list of tasks to apply from the catalog when creating a new dev box. These configuration files include one or more 'tasks', which identify the catalog task and provide parameters like the name of the software to install. The configuration file is then made available to the developers creating new dev boxes. The following example uses a winget task to install Visual Studio Code, and a `git clone` task to clone a repository.

+```yaml

+# From https://github.com/microsoft/devcenter-examples

+$schema: 1.0

+tasks:

+ - name: winget

+ parameters:

+ package: Microsoft.VisualStudioCode

+ runAsUser: true

+ - name: git-clone

+ description: Clone this repository into C:\Workspaces

+ parameters:

+ repositoryUrl: https://github.com/OrchardCMS/OrchardCore.git

+ directory: C:\Workspaces

+```

+### Permissions required to configure Microsoft Dev Box for customizations

+To perform the actions required to create and apply customizations to a dev box, you need certain permissions. The following table describes the actions and permissions or roles you need to configure customizations.

+|Action |Permission / Role |

+|||

+|Attach a catalog to a dev center |Platform engineer with Contributor permission to the dev center. |

+|Use the developer portal to upload and apply a yaml file during dev box creation | Dev Box User |

+|Create a configuration file | Anyone can create a configuration file. |

+|Add tasks to a catalog | Permission to add to the repository hosting the catalog. |

+## Prerequisites

+To complete the steps in this article, you must have a [dev center configured with a dev box definition, dev box pool, and dev box project](./quickstart-configure-dev-box-service.md).

+## Create a customized dev box by using an example configuration file

+Use the default quick start catalog and an example configuration file to get started with customizations.

+### Attach the quick start catalog

+Attaching a catalog with customization tasks to a dev center means you can create a dev box in that dev center and reference the customization tasks from that catalog. Microsoft provides a sample repository on GitHub with a standard set of default tasks to help you get started, known as the [*quick start catalog*](https://github.com/microsoft/devcenter-catalog).

+To attach the quick start catalog to the dev center:

+1. Sign in to the [Microsoft Dev Box developer portal](https://aka.ms/devbox-portal).

+1. In the left menu under **Environment configuration**, select **Catalogs**, and then select **Add**.

+1. In **Add catalog**, select **Dev box customization tasks** as the quick start catalog. Then, select **Add**.

+1. In your dev center, select **Catalogs**, and verify that your catalog appears.

+ :::image type="content" source="media/how-to-customize-dev-box-setup-tasks/add-quick-start-catalog.png" alt-text="Screenshot of the Azure portal showing the Add catalog pane with Microsoft's quick start catalog and Dev box customization tasks highlighted.":::

+ If the connection is successful, the **Status** is displayed as **Sync successful**.

+### Create your customized dev box

+Now you have a catalog that defines the tasks your developers can use, you can reference those tasks from a configuration file and create a customized dev box.

+1. Download an [example yaml configuration from the samples repository](https://aka.ms/devbox/customizations/samplefile). This example configuration installs Visual Studio Code, and clones the OrchardCore .NET web app repo to your dev box.

+1. Sign in to the [Microsoft Dev Box developer portal](https://aka.ms/devbox-portal).

+1. Select **New** > **Dev Box**.

+1. In **Add a dev box**, enter the following values:

+ | Setting | Value |

+ |||

+ | **Name** | Enter a name for your dev box. Dev box names must be unique within a project. |

+ | **Project** | Select a project from the dropdown list. |

+ | **Dev box pool** | Select a pool from the dropdown list, which includes all the dev box pools for that project. Choose a dev box pool near to you for least latency.|

+ | **Uploaded customization files** | Select **Upload a customization file** and upload the configuration file you downloaded in step 1. |

+ :::image type="content" source="media/how-to-customize-dev-box-setup-tasks/developer-portal-customization-upload.png" alt-text="Screenshot showing the dev box customization options in the developer portal with Uploaded customization files highlighted." lightbox="media/how-to-customize-dev-box-setup-tasks/developer-portal-customization-upload.png":::

+1. Select **Create**.

+When the creation process is complete, the new dev box has nodejs and Visual Studio Code installed.

+For more examples, see the [dev center examples repository on GitHub](https://github.com/microsoft/devcenter-examples).

+## Write a configuration file

+You can define new tasks to apply to your dev boxes by creating your own configuration file. You can test your configuration file in Visual Studio Code and make any required changes without the need to create a separate dev box for each test.

+Before you can create and test your own configuration file, there must be a catalog that contains tasks attached to the dev center. You can use a Visual Studio Code extension to discover the tasks in the attached catalog.

+1. Create a Dev Box (or use an existing Dev Box) for testing.

+1. On the test dev box, install Visual Studio Code and then install the [Dev Box v1.2.2 VS Code extension](https://aka.ms/devbox/preview/customizations/vsc-extension).

+1. Download an [example yaml configuration file](https://aka.ms/devbox/customizations/samplefile) from the samples repository and open it in Visual Studio Code.

+1. Discover tasks available in the catalog by using the command palette. From **View** > **Command Palette**, select **Dev Box: List available tasks for this dev box**.

+

+ :::image type="content" source="media/how-to-customize-dev-box-setup-tasks/dev-box-command-list-tasks.png" alt-text="Screenshot of Visual Studio Code showing the command palette with Dev Box List available tasks for this dev box highlighted." lightbox="media/how-to-customize-dev-box-setup-tasks/dev-box-command-list-tasks.png":::

+

+1. Test configuration in Visual Studio Code by using f5/command palette. From **View** > **Command Palette**, select **Dev Box: Apply customizations tasks**.

+

+ :::image type="content" source="media/how-to-customize-dev-box-setup-tasks/dev-box-command-apply-tasks.png" alt-text="Screenshot of Visual Studio Code showing the command palette with Dev Box Apply customizations tasks highlighted." lightbox="media/how-to-customize-dev-box-setup-tasks/dev-box-command-apply-tasks.png":::

+

+1. The configuration file runs immediately, applying the specified tasks to your test dev box. Inspect the changes and check the Visual Studio Code terminal for any errors or warnings generated during the task execution.

+1. When the configuration file runs successfully, share it with developers to upload when they create a new dev box.

+

+> [!NOTE]

+> The ability to create and upload a file isnΓÇÖt a security risk; the file uploaded can only apply settings defined in the catalog attached to the dev center. If the task isn't defined there, the developer will get an error saying the task isn't defined.

+## Share a configuration file from a code repository

+Make your configuration file seamlessly available to your developers by naming it *workload.yaml* and uploading it to a repository accessible to the developers, usually their coding repository. When you create a dev box, you specify the repository URL and the configuration file is cloned along with the rest of the repository. Dev box searches the repository for a file named workload.yaml and, if one is located, performs the tasks listed. This configuration provides a seamless way to perform customizations on a dev box.

+1. Create a configuration file named *workload.yaml*.

+1. Add the configuration file to the root of a private Azure DevOps repository with your code and commit it.

+1. Sign in to the [Microsoft Dev Box developer portal](https://aka.ms/devbox-portal).

+1. Select **New** > **Dev Box**.

+1. In **Add a dev box**, enter the following values:

+ | Setting | Value |

+ |||

+ | **Name** | Enter a name for your dev box. Dev box names must be unique within a project. |

+ | **Project** | Select a project from the dropdown list. |

+ | **Dev box pool** | Select a pool from the dropdown list, which includes all the dev box pools for that project. Choose a dev box pool near to you for least latency.|

+ | **Repository clone URL** | Enter the URL for the repository that contains the configuration file and your code. |

+ :::image type="content" source="media/how-to-customize-dev-box-setup-tasks/developer-portal-customization-clone.png" alt-text="Screenshot showing the dev box customization options in the developer portal with Repository clone URL highlighted." lightbox="media/how-to-customize-dev-box-setup-tasks/developer-portal-customization-clone.png":::

+1. Select **Create**.

+The new dev box has the repository cloned, and all instructions from configuration file applied.

+## Define new tasks in a catalog

+Creating new tasks in a catalog allows you to create customizations tailored to your development teams and add guardrails around the configurations that are possible.

+1. Create a repository to store your tasks.

+ Optionally, you can make a copy of the [quick start catalog](https://github.com/microsoft/devcenter-catalog) in your own repository to use as a starting point.

+1. Create tasks in your repository by modifying existing PowerShell scripts, or creating new scripts.

+ To get started with creating tasks, you can use the examples given in the [dev center examples repository on GitHub](https://github.com/microsoft/devcenter-examples) and [PowerShell documentation](/powershell/).

+1. [Attach your repository to your dev center as a catalog](/azure/deployment-environments/how-to-configure-catalog?tabs=DevOpsRepoMSI).

+1. Create a configuration file for those tasks by following the steps in [Write a configuration file](#write-a-configuration-file).

+## Related content

+- [Add and configure a catalog from GitHub or Azure DevOps](/azure/deployment-environments/how-to-configure-catalog?tabs=DevOpsRepoMSI)

+- [Accelerate developer onboarding with the configuration-as-code customization in Microsoft Dev Box](https://techcommunity.microsoft.com/t5/azure-developer-community-blog/accelerate-developer-onboarding-with-the-configuration-as-code/ba-p/4062416)

+ | **Attach a quick start catalog** | Clear both checkboxes. |

+ :::image type="content" source="./media/how-to-manage-dev-center/create-dev-center-basics-not-selected.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a dev center." lightbox="./media/how-to-manage-dev-center/create-dev-center-basics-not-selected.png":::

+ The Dev Box quick start catalog contains tasks and scripts that you can use to configure your dev box during the final stage of the creation process. You can attach a quick start catalog to a dev center later. For more information, see [Create reusable dev box customizations](./how-to-customize-dev-box-setup-tasks.md).

+- Use a configuration script that invokes setup tasks from a catalog attached to the dev center. The setup tasks execute during the creation of a dev box to install and customize software specific to the project.

+ | **Attach a quick start catalog** | Clear both checkboxes. |

+ :::image type="content" source="./media/quickstart-configure-dev-box-service/create-dev-center-not-selected.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a dev center." lightbox="./media/quickstart-configure-dev-box-service/create-dev-center-not-selected.png":::

+ :::image type="content" source="./media/quickstart-create-dev-box/welcome-to-developer-portal.png" alt-text="Screenshot of the developer portal and the button for adding a dev box." lightbox="./media/quickstart-create-dev-box/welcome-to-developer-portal.png":::

+ | **Repository clone URL** | Leave blank. |

+ | **Uploaded customization files** | Leave blank. |

+ :::image type="content" source="./media/quickstart-create-dev-box/developer-portal-create-dev-box.png" alt-text="Screenshot of the dialog for adding a dev box." lightbox="./media/quickstart-create-dev-box/developer-portal-create-dev-box.png":::

+ :::image type="content" source="./media/quickstart-create-dev-box/dev-box-tile-creating.png" alt-text="Screenshot of the developer portal that shows the dev box card with a status of Creating." lightbox="./media/quickstart-create-dev-box/dev-box-tile-creating.png":::

+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser." lightbox="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png":::

+## Azure Database Migration Service Naming Rules

+If your DMS service failed with "Error: Service name 'x_y_z' is not valid", then you need to follow the Azure Database Migration Service Naming Rules. As Azure Database Migration Service uses Azure Data factory for its compute, it follows the exact same naming rules as mentioned [here](https://learn.microsoft.com/azure/data-factory/naming-rules).

+ Title: Deploy OSDU Admin UI on top of Azure Data Manager for Energy

+description: Learn how to deploy the OSDU Admin UI on top of your Azure Data Manager for Energy instance.

+# Deploy OSDU Admin UI on top of Azure Data Manager for Energy

+This guide shows you how to deploy the OSDU Admin UI on top of your Azure Data Manager for Energy instance.

+The OSDU Admin UI enables platform administrators to manage the Azure Data Manager for Energy data partition you connect it to. The management tasks include entitlements (user and group management), legal tags, schemas, reference data, and view objects and visualize those on a map.

+## Prerequisites

+- Install [Visual Studio Code with Dev Containers](https://code.visualstudio.com/docs/devcontainers/tutorial). It's possible to deploy the OSDU Admin UI from your local computer using either Linux or Windows WSL, we recommend using a Dev Container to eliminate potential conflicts of tooling versions, environments etc.

+- Provision an [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md).

+- Add the App Registration permissions to enable Admin UI to function properly:

+ - [Application.Read.All](/graph/permissions-reference#applicationreadall)

+ - [User.Read](/graph/permissions-reference#applicationreadall)

+ - [User.Read.All](/graph/permissions-reference#userreadall)

+

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/app-permission-1.png" alt-text="Screenshot that shows applications read all permission.":::

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/app-permission-2.png" alt-text="Screenshot that shows user read all permission.":::

+## Environment setup

+1. Use the Dev Container in Visual Studio Code to deploy the OSDU Admin UI to eliminate conflicts from your local machine.

+2. Click on Open to clone the repository.

+ [](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/admin-ui-totalenergies)

+3. Accept the cloning prompt.

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/clone-the-repository.png" alt-text="Screenshot that shows cloning the repository.":::

+4. When prompted for a container configuration template,

+ 1. Select [Ubuntu](https://github.com/devcontainers/templates/tree/main/src/ubuntu).

+ 2. Accept the default version.

+ 3. Add the [Azure CLI](https://github.com/devcontainers/features/tree/main/src/azure-cli) feature.

+ 

+5. After a few minutes, the devcontainer is running.

+

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/running-devcontainer.png" alt-text="Screenshot that shows running devcontainer.":::

+

+6. Open the terminal.

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/open-terminal.png" alt-text="Screenshot that shows opening terminal.":::

+7. Install NVM, Node.js, npm, and Angular CLI by executing the command in the bash terminal.

+

+ ```bash

+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash && \

+ export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"

+ [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" && \

+ nvm install 14.17.3 && \

+ export NG_CLI_ANALYTICS=false && \

+ npm install -g @angular/cli@13.3.9 && \

+ curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

+ ```

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/install-screen.png" alt-text="Screenshot that shows installation.":::

+8. Log into Azure CLI by executing the command on the terminal. It takes you to the login screen.

+ ```azurecli-interactive

+ az login

+ ```

+9. It takes you to the login screen. Enter your credentials and upon success, you see a success message.

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/login.png" alt-text="Screenshot that shows successful login.":::

+

+## Configure environment variables

+1. Fetch `client-id` as authAppId, `resource-group`, `subscription-id`, and `location`.

+ 

+2. Fetch the value of `id` as the subscription ID by running the following command on the terminal.

+ ```azurecli-interactive

+ az account show

+ ```

+3. If the above ID isn't same as the `subcription-id` from the Azure Data Manager for Energy instance, you need to change subscription.

+ ```azurecli-interactive

+ az account set --subscription <subscription-id>

+ ```

+4. Enter the required environment variables on the terminal.

+ ```bash

+ export CLIENT_ID="<client-id>" ## App Registration to be used by OSDU Admin UI, usually the client ID used to provision ADME

+ export TENANT_ID="<tenant-id>" ## Tenant ID

+ export ADME_URL="<adme-url>" ## Remove www or https from the text

+ export DATA_PARTITION="<partition>"

+ export WEBSITE_NAME="<storage-name>" ## Unique name of the storage account or static web app that will be generated

+ export RESOURCE_GROUP="<resource-group>" ## Name of resource group

+ export LOCATION="<location>" ## Azure region to deploy to, i.e. "westeurope"

+ ```

+## Deploy storage account

+1. Create resource group. Skip this step if the resource group exists already.

+ ```azurecli-interactive

+ az group create \

+ --name $RESOURCE_GROUP \

+ --location $LOCATION

+ ```

+

+1. Create storage account.

+ ```azurecli-interactive

+ az storage account create \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION \

+ --name $WEBSITE_NAME \

+ --sku Standard_LRS \

+ --public-network-access Enabled \

+ --allow-blob-public-access true

+ ```

+1. Configure the static website.

+ ```azurecli-interactive

+ az storage blob service-properties update \

+ --account-name $WEBSITE_NAME \

+ --static-website \

+ --404-document https://docsupdatetracker.net/index.html \

+ --index-document https://docsupdatetracker.net/index.html

+ ```

+1. Fetch the redirect URI.

+ ```azurecli-interactive

+ export REDIRECT_URI=$(az storage account show --resource-group $RESOURCE_GROUP --name $WEBSITE_NAME --query "primaryEndpoints.web") && \

+ echo "Redirect URL: $REDIRECT_URI"

+ ```

+1. Get the App Registration's Single-page Application (SPA) section.

+ ```azurecli-interactive

+ echo "https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Authentication/appId/$CLIENT_ID/isMSAApp~/false"

+ ```

+1. Open the link you got from the above result in the browser and add the `REDIRECT_URI`.

+

+ 

+## Build and deploy the web app

+1. Navigate to the `OSDUApp` folder.

+ ```bash

+ cd OSDUApp/

+ ```

+2. Install the dependencies.

+ ```nodejs

+ npm install

+ ```

+3. Modify the parameters in the config file located at `/src/config/config.json`.

+ ```json

+ {

+ "mapboxKey": "key", // This is optional for the access token from Mapbox.com and used to visualize data on the map feature.

+ ...

+ "data_partition": "<adme_data_partition>", // ADME Data Partition ID (i.e. opendes)

+ "idp": {

+ ...

+ "tenant_id": "<tenant_id>", // Entra ID tenant ID

+ "client_id": "<client_id>", // App Registration ID to use for the admin UI, usually the same as the ADME App Registration ID, i.e. "6ee7e0d6-0641-4b29-a283-541c5d00655a"

+ "redirect_uri": "<https://storageaccount.zXX.web.core.windows.net/>", // This is the website URL ($REDIRECT_URI)

+ "scope": "<client_id>/.default" // Scope of the ADME instance, i.e. "6ee7e0d6-0641-4b29-a283-541c5d00655a/.default"

+ },

+ "api_endpoints": { // Just replace contoso.energy.azure.com with your ADME_URL after removing https or wwww in all the API endpoints below.

+ "entitlement_endpoint": "https://contoso.energy.azure.com/api/",

+ "storage_endpoint": "https://contoso.energy.azure.com/api/",

+ "search_endpoint": "https://contoso.energy.azure.com/api/",

+ "legal_endpoint": "https://contoso.energy.azure.com/api/",

+ "schema_endpoint": "https://contoso.energy.azure.com/api/",

+ "osdu_connector_api_endpoint":"osdu_connector", // Optional. API endpoint of the OSDU Connector API*

+ "file_endpoint": "https://contoso.energy.azure.com/api/",

+ "graphAPI_endpoint": "https://graph.microsoft.com/v1.0/",

+ "workflow_endpoint": "https://contoso.energy.azure.com/api/"

+ }

+ ...

+ }

+ ```

+ \* [OSDU Connector API](https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/connector-api-totalenergies) is built as an interface between consumers and OSDU APIs wrapping some API chain calls and objects. Currently, it manages all operations and actions on project and scenario objects.

+4. If you aren't able to give app permissions in the Prerequisite step because of the subscription constraints, remove `User.ReadBasic.All` and `Application.Read.All` from the `src/config/environments/environment.ts`. Removing these permissions would disable the Admin UI from converting the OIDs of users and applications into the user names and application names respectively.

+ :::image type="content" source="media/how-to-deploy-osdu-admin-ui/graph-permission.png" alt-text="Screenshot that shows graph permissions.":::

+

+5. Build the web UI.

+ ```bash

+ ng build

+ ```

+6. Upload the build to Storage Account.

+ ```azurecli-interactive

+ az storage blob upload-batch \

+ --account-name $WEBSITE_NAME \

+ --source ./dist/OSDUApp \

+ --destination '$web' \

+ --overwrite

+ ```

+

+7. Fetch the website URL.

+ ```bash

+ echo $REDIRECT_URI

+ ```

+8. Open the Website URL in the browser and validate that it's working correctly and connected to the correct Azure Data Manager for Energy instance.

+

+## References

+For information about OSDU Admin UI, see [OSDU GitLab](https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/admin-ui-totalenergies).<br>

+For other deployment methods (Terraform or Azure DevOps pipeline), see [OSDU Admin UI DevOps](https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/admin-ui-totalenergies/-/tree/main/OSDUApp/devops/azure).

+| **Phoenix2** | [PhoenixNAP](https://phoenixnap.com/) | 1 | West US 3 | Supported | |

+$SecurePassword = ConvertTo-SecureString "<choose a password>" -AsPlainText -Force

+$Credential = New-Object System.Management.Automation.PSCredential ("<choose a user name>", $SecurePassword);

+$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName Srv-Work -ProvisionVMAgent -EnableAutoUpdate -Credential $Credential

+**The [assignmentType property][05] property is case sensitive**

+- **Mode**: (case sensitive: `ApplyAndMonitor`, `ApplyAndAutoCorrect`, `Audit`) choose if the policy should audit

+ DisplayName = 'My deployment policy'

+ Description = 'My deployment policy'

+1. Create the file `client-ssl-auth.properties` on client machine (hn1). It should have the following lines:

+1. Create a file `client-ssl-auth.properties` on client machine (hn1). It should have the following lines:

+ :::image type="content" source="./media/rest-proxy/azure-portal-cluster-security-networking-kafka-rest.png" alt-text="Screenshot shows the Create HDInsight cluster page with Security + networking selected." border="true":::

+ :::image type="content" source="./media/rest-proxy/azure-portal-cluster-security-networking-kafka-rest2.png" alt-text="Screenshot shows the Create HDInsight cluster page with the option to select a security group." border="true":::

+> Azure Machine Learning datastores do **not** create the underlying storage account resources. Instead, they link an **existing** storage account for Azure Machine Learning use. This does not require Azure Machine Learning datastores. If you have access to the underlying data, you can use storage URIs directly.

+Create the following YAML file (make sure you update the appropriate values):

+Create this YAML file (make sure you update the appropriate values):

+Create this YAML file (make sure you update the appropriate values):

+Create this YAML file (updating the values):

+Create this YAML file (updating the values):

+Create this YAML file (updating the values):

+Create this YAML file (updating the values):

+Create this YAML file (updating the values):

+Create this YAML file (updating the values):

+This section describes various options to create a OneLake datastore. The OneLake datastore is part of Microsoft Fabric. At this time, Azure Machine Learning supports connection to Microsoft Fabric Lakehouse artifacts that include folders / files and Amazon S3 shortcuts. For more information about Lakehouse, visit [What is a lakehouse in Microsoft Fabric](/fabric/data-engineering/lakehouse-overview).

+OneLake datastore creation requires

+This screenshot shows how you can find endpoint information in your Microsoft Fabric instance:

+This screenshot shows how you can find the artifact information in your Microsoft Fabric instance. The screenshot also shows how you can either use a GUID value or a "friendly name" to create an Azure Machine Learning OneLake datastore:

+- [Data administration](how-to-administrate-data-authentication.md#data-administration)

+ | LivenessProbeFailed | Liveness probe failed: \<FAILURE\_CONTENT\>

+ | ReadinessProbeFailed | Readiness probe failed: \<FAILURE\_CONTENT\>

+description: Link your Azure Synapse Analytics workspace to your Azure Machine Learning pipeline to use Apache Spark for data manipulation.

+> The Azure Synapse Analytics integration with Azure Machine Learning available in Python SDK v1 is deprecated. Users can still use Synapse workspace registered with Azure Machine Learning as a linked service. However, a new Synapse workspace can no longer be registered with Azure Machine Learning as a linked service. We recommend use of Managed (Automatic) Synapse compute and attached Synapse Spark pools available in CLI v2 and Python SDK v2. Visit [https://aka.ms/aml-spark](https://aka.ms/aml-spark) for more information.

+In this article, you learn how to use Apache Spark pools, powered by Azure Synapse Analytics, as the compute target for a data preparation step in an Azure Machine Learning pipeline. You learn how a single pipeline can use compute resources suited for the specific step - for example, data preparation or training. You'll see how data is prepared for the Spark step and how it passes to the next step.

+* Create an [Azure Machine Learning workspace](../quickstart-create-resources.md) to hold all your pipeline resources

+* [Configure your development environment](how-to-configure-environment.md) to install the Azure Machine Learning SDK, or use an [Azure Machine Learning compute instance](../concept-compute-instance.md) with the SDK already installed

+* Create an Azure Synapse Analytics workspace and Apache Spark pool (see [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md))

+## Link your Azure Machine Learning workspace and Azure Synapse Analytics workspace

+You create and administer your Apache Spark pools in an Azure Synapse Analytics workspace. To integrate an Apache Spark pool with an Azure Machine Learning workspace, you must [link to the Azure Synapse Analytics workspace](how-to-link-synapse-ml-workspaces.md).

+Once you link your Azure Machine Learning workspace and your Azure Synapse Analytics workspaces, you can attach an Apache Spark pool with

+* Python SDK ([as explained later](#attach-your-apache-spark-pool-as-a-compute-target-for-azure-machine-learning))

+* Azure Resource Manager (ARM) template (see this [Example ARM template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/machine-learning-linkedservice-create/azuredeploy.json)).

+ * You can use the command line to follow the ARM template, add the linked service, and attach the Apache Spark pool with this code:

+> To successfully link to the Azure Synapse Analytics workspace, you must have the Owner role in the Azure Synapse Analytics workspace resource. Check your access in the Azure portal.

+>

+> The linked service will get a system-assigned managed identity (SAI) at creation time. You must assign this link service SAI the "Synapse Apache Spark administrator" role from Synapse Studio, so that it can submit the Spark job (see [How to manage Synapse RBAC role assignments in Synapse Studio](../../synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md)).

+> You must also give the user of the Azure Machine Learning workspace the "Contributor" role, from Azure portal of resource management.

+This code shows hot to retrieve linked services in your workspace:

+First, `Workspace.from_config()` accesses your Azure Machine Learning workspace with the configuration in `config.json` (see [Create a workspace configuration file](how-to-configure-environment.md)). Then, the code prints all of the linked services available in the workspace. Finally, `LinkedService.get()` retrieves a linked service named `'synapselink1'`.

+To use your Apache spark pool to power a step in your machine learning pipeline, you must attach it as a `ComputeTarget` for the pipeline step, as shown in this code.

+The first step configures the `SynapseCompute`. The `linked_service` argument is the `LinkedService` object you created or retrieved in the previous step. The `type` argument must be `SynapseSpark`. The `pool_name` argument in `SynapseCompute.attach_configuration()` must match that of an existing pool in your Azure Synapse Analytics workspace. For more information about creation of an Apache spark pool in the Azure Synapse Analytics workspace, see [Quickstart: Create a serverless Apache Spark pool using Synapse Studio](../../synapse-analytics/quickstart-create-apache-spark-pool-studio.md). The `attach_config` type is `ComputeTargetAttachConfiguration`.

+After creation of the configuration, create a machine learning `ComputeTarget` by passing in the `Workspace`, `ComputeTargetAttachConfiguration`, and the name by which you'd like to refer to the compute within the machine learning workspace. The call to `ComputeTarget.attach()` is asynchronous, so the sample is blocked until the call completes.

+The sample notebook [Spark job on Apache spark pool](https://github.com/azure/machinelearningnotebooks/blob/master/how-to-use-azureml/azure-synapse/spark_job_on_synapse_spark_pool.ipynb) defines a simple machine learning pipeline. First, the notebook defines a data preparation step, powered by the `synapse_compute` defined in the previous step. Then, the notebook defines a training step powered by a compute target more appropriate for training. The sample notebook uses the Titanic survival database to show data input and output; it doesn't actually clean the data or make a predictive model. Since this sample doesn't really involve training, the training step uses an inexpensive, CPU-based compute resource.

+Data flows into a machine learning pipeline through `DatasetConsumptionConfig` objects, which can hold tabular data or sets of files. The data often comes from files in blob storage in a workspace datastore. This code shows typical code that creates input for a machine learning pipeline:

+That code assumes that the file `Titanic.csv` is in blob storage. The code shows how to read the file as a `TabularDataset` and as a `FileDataset`. This code is for demonstration purposes only, because it would become confusing to duplicate inputs or to interpret a single data source as both a table-containing resource and strictly as a file.

+> To use a `FileDataset` as input, your `azureml-core` version must be at least `1.20.0`. You can specify this with the `Environment` class, as discussed later.

+When a step completes, you can choose to store the output data, as shown in this code sample:

+Here, the `datastore` would store the data in a file named `test`. The data would be available within the machine learning workspace as a `Dataset` with the name `registered_dataset`.

+In addition to data, a pipeline step can have per-step Python dependencies. Individual `SynapseSparkStep` objects can specify their precise Azure Synapse Apache Spark configuration as well. To show this, the following code sample specifies that the `azureml-core` package version must be at least `1.20.0`. As mentioned previously, this requirement for `azureml-core` is needed to use a `FileDataset` as an input.

+This code specifies a single step in the Azure Machine Learning pipeline. The `environment` value of this code sets a specific `azureml-core` version, and the code can add other conda or pip dependencies as needed.

+The `SynapseSparkStep` zips and uploads the `./code` subdirectory from the local computer. That directory is recreated on the compute server, and the step runs the file `dataprep.py` from that directory. The `inputs` and `outputs` of that step are the `step1_input1`, `step1_input2`, and `step1_output` objects discussed earlier. The easiest way to access those values within the `dataprep.py` script is to associate them with named `arguments`.

+The sample notebook uses this code for `dataprep.py`:

+This "data preparation" script doesn't do any real data transformation, but it shows how to retrieve data, convert it to a Spark dataframe, and how to do some basic Apache Spark manipulation. To find the output in Azure Machine Learning studio, open the child job, choose the **Outputs + logs** tab, and open the `logs/azureml/driver/stdout` file, as shown in this screenshot:

+The next example uses the output from the `SynapseSparkStep` created in the [previous section](#create-a-synapsesparkstep-that-uses-the-linked-apache-spark-pool). Other steps in the pipeline might have their own unique environments and run on different compute resources appropriate to the task at hand. The sample notebook runs the "training step" on a small CPU cluster:

+This code creates the new compute resource if necessary. Then, the `step1_output` result is converted to input for the training step. The `as_download()` option means that the data is moved onto the compute resource, resulting in faster access. If the data was so large that it wouldn't fit on the local compute hard drive, you'd need to use the `as_mount()` option to stream the data with the FUSE filesystem. The `compute_target` of this second step is `'cpucluster'`, not the `'link1-spark01'` resource you used in the data preparation step. This step uses a simple program `train.py` instead of the `dataprep.py` you used in the previous step. You can see the details of `train.py` in the sample notebook.

+After you define all of your steps, you can create and run your pipeline.

+This code creates a pipeline consisting of the data preparation step on Apache Spark pools, powered by Azure Synapse Analytics (`step_1`) and the training step (`step_2`). Azure examines the data dependencies between the steps to calculate the execution graph. In this case, there's only a straightforward dependency that `step2_input` necessarily requires `step1_output`.

+The `pipeline.submit` call creates, if necessary, an Experiment named `synapse-pipeline`, and asynchronously starts a Job within it. Individual steps within the pipeline run as Child Jobs of this main job, and the Experiments page of Studio can monitor and review those steps.

+* [Publish and track machine learning pipelines](how-to-deploy-pipelines.md)

+* [Use automated ML in an Azure Machine Learning pipeline in Python](how-to-use-automlstep-in-pipelines.md)

+> [!IMPORTANT]

+> The password is URL encoded (UTF-8) when it is passed into this command, meaning the following rules apply:

+>

+> * `The alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain the same.`

+> * `The special characters ".", "-", "*", and "_" remain the same.`

+> * `The space character " " is converted into a plus sign "+".`

+> * `All other characters are unsafe and are first converted into one or more bytes using some encoding scheme. Then each byte is represented

+> by the 3-character string "%xy", where xy is the two-digit

+> hexadecimal representation of the byte.`

+> [!IMPORTANT]

+> The datacenters are URL encoded (UTF-8) when they are passed into this command, meaning the following rules apply:

+>

+> * `The alphanumeric characters "a" through "z", "A" through "Z" and "0" through "9" remain the same.`

+> * `The special characters ".", "-", "*", and "_" remain the same.`

+> * `The space character " " is converted into a plus sign "+".`

+> * `All other characters are unsafe and are first converted into one or more bytes using some encoding scheme. Then each byte is represented

+> by the 3-character string "%xy", where xy is the two-digit

+> hexadecimal representation of the byte.`

+A. Since MariaDB service is on deprecation path you will not be able to purchase new MariaDB reserved instances. For any existing reserved instances, you will continue to use the benefits of your reserved instances until the September, 19 2025 when MariaDB service will no longer be available. You can exchange your existing MariaDB reservations to MySQL reservations.

+Italy | North Italy

+ - All existing 5.7.42 engine version server will upgrade to 5.7.44 engine version.

+ - All existing 8.0.34 engine version server will upgrade to 8.0.35 engine version.

+To check your engine version, run `SELECT VERSION();` command at the MySQL prompt

+# Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server using Azure Database for MySQL Import CLI (Public Preview)

+Azure Database for MySQL Import for external migrations (Public Preview) enables you to migrate your MySQL on-premises or Virtual Machine (VM) workload seamlessly to Azure Database for MySQL - Flexible Server. It uses a user-provided physical backup file and restores the source server's physical data files to the target server offering a simple and fast migration path. Post Import operation, you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows.

+description: Learn how to troubleshoot connectivity issues and possible causes and solutions for Azure NAT Gateway.

+#Customer intent: For customers to troubleshoot and resolve common outbound connectivity issues with your NAT gateway. This article also provides best practices on how to design applications to use outbound connections efficiently.

+* Source Network Address Translation (SNAT) port exhaustion.

+* Simultaneous SNAT connection limits.

+* Connection timeouts.

+**Troubleshoot steps**

+* Assess the health of the NAT gateway by checking the [datapath availability metric](/azure/nat-gateway/nat-metrics#datapath-availability).

+* Check the SNAT Connection Count metric and [split the connection state](/azure/nat-gateway/nat-metrics#snat-connection-count) by attempted and failed connections. More than zero failed connections indicate SNAT port exhaustion or reaching the SNAT connection count limit of NAT gateway.

+* Ensure the connection count metric is within limits by verifying the [Total SNAT Connection Count metric](/azure/nat-gateway/nat-metrics#total-snat-connection-count). NAT gateway supports 50,000 simultaneous connections per IP address to a unique destination and up to 2 million connections in total. For more information, see [NAT Gateway Performance](/azure/nat-gateway/nat-gateway-resource#performance).

+* Adjust the [Transmission Control Protocol (TCP) idle timeout timer](./nat-gateway-resource.md#tcp-idle-timeout) settings as needed. An idle timeout timer set higher than the default (4 minutes) holds on to flows longer, and can create [extra pressure on SNAT port inventory](./nat-gateway-resource.md#timers).

+* Free up SNAT port inventory by reducing the [TCP idle timeout timer](./nat-gateway-resource.md#idle-timeout-timers) to a lower value. The TCP idle timeout timer can't be set lower than 4 minutes.

+TCP keepalives only need to be enabled from one side of a connection in order to keep a connection alive from both sides. When a TCP keepalive is sent from one side of a connection, the other side automatically sends an acknowledge (ACK) packet. The idle timeout timer is then reset on both sides of the connection.

+### Possible solutions for User Datagram Protocol (UDP) connection timeouts

+**Troubleshooting steps**

+If you notice a drop in datapath availability without any effect on your outbound connectivity, it could be due to NAT gateway picking up transient noise in the datapath.

+* NAT gateway misconfiguration.

+* Network Security Group (NSG) rules are configured that block internet traffic.

+* NAT gateway datapath availability is degraded.

+* Domain Name System (DNS) misconfiguration.

+**Troubleshooting steps**

+* Check that NAT gateway is configured with at least one public IP address or prefix and attached to a subnet. NAT gateway isn't operational until a public IP and subnet attached. For more information, see [NAT gateway configuration basics](/azure/nat-gateway/troubleshoot-nat#nat-gateway-configuration-basics).

+* Check the routing table of the subnet attached to NAT gateway. Any 0.0.0.0/0 traffic being force-tunneled to a Network Virtual Appliance (NVA), ExpressRoute, or VPN Gateway will take priority over NAT gateway. For more information, see [how Azure selects a route](/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route).

+* Check if there are any NSG rules configured for the network interface on your virtual machine that blocks internet access.

+* Carefully consider your traffic routing requirements before making any changes to traffic routes for your virtual network. User Defined Routes (UDRs) that send 0.0.0.0/0 traffic to a virtual appliance or virtual network gateway override NAT gateway. See [custom routes](/azure/virtual-network/virtual-networks-udr-overview#custom-routes) to learn more about how custom routes affect the routing of network traffic.

+ To explore options for updating your traffic routes on your subnet routing table, see:

+ * [Add a custom route](/azure/virtual-network/manage-route-table#create-a-route)

+ * [Change a route](/azure/virtual-network/manage-route-table#change-a-route)

+ * [Delete a route](/azure/virtual-network/manage-route-table#delete-a-route)

+* DNS not resolving correctly can happen for many reasons. Refer to the [DNS troubleshooting guide](/azure/dns/dns-troubleshoot) to help investigate why DNS resolution is failing.

+* NAT gateway misconfiguration.

+* Active connection with another Azure outbound connectivity method such as Azure Load balancer or instance-level public IPs on virtual machines. Active connection flows continue to use the previous public IP address that was assigned when the connection was established. When NAT gateway is deployed, new connections start using NAT gateway right away.

+* Private IPs are used to connect to Azure services by service endpoints or Private Link.

+* Connections to storage accounts come from the same region as the virtual machine you're making a connection from.

+* Verify if any previous outbound connectivity method, such as a public Load balancer, is still active after deploying NAT gateway.

+* Ensure that your virtual machine is located in the same region as the Azure storage when making a storage connection.

+* Verify if the public IP address used for connections is originating from another Azure service within your Azure virtual network, such as a Network Virtual Appliance (NVA).

+* Attach a public IP address or prefix to NAT gateway. Ensure that NAT gateway is attached to subnets from the same virtual network. [Validate that NAT gateway can connect outbound](/azure/nat-gateway/troubleshoot-nat#how-to-validate-connectivity).

+ * Ensure you establish a new connection and that existing connections aren't being reused in the OS or that the browser is caching the connections. For example, when using curl in PowerShell, make sure to specify the -DisableKeepalive parameter to force a new connection. If you're using a browser, connections can also be pooled.

+ * It isn't necessary to reboot a virtual machine in a subnet configured to NAT gateway. However, if a virtual machine is rebooted, the connection state is flushed. When the connection state is flushed, all connections begin using the NAT gateway resource's IP address or addresses. This behavior is a side effect of the virtual machine reboot and not an indicator that a reboot is required.

+> Before making any changes to how traffic routes, carefully consider the routing requirements of your cloud architecture.

+* Private Link and service endpoints use the private IP addresses of virtual machine instances in your virtual network to connect to Azure platform services instead of the public IP of NAT gateway. Use Private Link to connect to other Azure services over the Azure backbone instead of over the internet with NAT gateway.

+* The destination endpoint responds with fragmented packets.

+* Ensure that the NAT gateway public IP is listed as allowed at partner destinations with Firewalls or other traffic management components.

+* Verify NAT gateway public IP is listed as allowed at the destination.

+* If reducing the rate of connections decreases the occurrence of failures, check if the destination reached its API rate limits or other constraints.

+In passive FTP mode, the client establishes connections on both the command and data channels. The client requests that the server answer on a port instead of trying to establish a connection back to the client.

+Outbound Passive FTP doesn't work for NAT gateway with multiple public IP addresses, depending on your FTP server configuration. When a NAT gateway with multiple public IP addresses sends traffic outbound, it randomly selects one of its public IP addresses for the source IP address. FTP fails when data and control channels use different source IP addresses, depending on your FTP server configuration.

+2. Make sure that the passive port range from your NAT gateway is allowed to pass any firewalls at the destination endpoint.

+Unable to connect outbound with NAT gateway on port 25 for Simple Mail Transfer Protocol (SMTP) traffic.

+Use an authenticated SMTP relay service to send email from Azure VMs or from Azure App Service. For more information, see [troubleshoot outbound SMTP connectivity problems](/azure/virtual-network/troubleshoot-outbound-smtp-connectivity).

+If your investigation is inconclusive, open a support case for further troubleshooting and collect the following information for a quicker resolution. Choose a single virtual machine in your NAT gateway configured subnet and perform the following tests:

+* Test the probe port response using **`ps ping`** from one of the backend VMs within the virtual network and record results (example: **`ps ping 10.0.0.4:3389`**).

+* If no response is received in these ping tests, run a simultaneous `netsh` trace on the backend virtual machine, and the virtual network test virtual machine while you run PsPing then stop the `netsh` trace.

+Azure monitors and operates its infrastructure with great care. However, transient failures can still occur from deployed applications, and there's no guarantee of lossless transmissions. NAT gateway is the preferred option for establishing highly reliable and resilient outbound connectivity from Azure deployments. For optimizing application connection efficiency, refer to the guidance later in the article.

+### Use connection pooling

+### Reuse connections

+### Use less aggressive retry logic

+Depending on the configured idle timeout, if retries are too aggressive, connections don't have enough time to close and release SNAT ports for reuse.

+## Relation to storage lockdown

+Storage lockdown is another feature of Azure Red Hat OpenShift that enhances cluster security. Storage Accounts created with the cluster are configured to restrict any public access. Exceptions are added for the Azure Red Hat OpenShift Resource Provisioner subnets as well as the subnet of egress lockdown gateway.

+Cluster components that utilize this storage, for example, OpenShift Image Registry, rely on egress lockdown functionality instead of accessing the storage accounts directly.

+## Set up Online migration (preview) parameters

+> [!NOTE]

+> For Online migrations using Single servers running PostgreSQL 9.5 and 9.6, we explicitly have to allow replication connection. To enable that, add a firewall entry to allowlist connection from target. Make sure the firewall rule name has `_replrule` suffix. The suffic isn't required for Single servers running PostgreSQL 10 and 11. **Online migrations preview** is currently available in all public clouds and in China regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+> The Single to Flex Migration tool is available in all Azure regions and currently supports **Offline** migrations. **Online migrations preview** is currently available in all public clouds and in China regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+> The Single to Flex Migration tool is available in all Azure regions and currently supports **Offline** migrations. **Online migrations preview** is currently available in all public clouds and in China regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+> Before you begin, it is highly recommended to go through some of the [best practices to ensure a seamless migration experience](best-practices-seamless-migration-single-to-flexible.md)

+**Migration mode** gives you the option to pick the mode for the migration. **Offline** is the default option. **Online migrations preview** is currently available in all public clouds and in China regions. In other regions, Online migration can be enabled by the user at a subscription-level by registering for the **Online PostgreSQL migrations to Azure PostgreSQL Flexible server** preview feature as shown in the image.

+| Mexico Central* | Poland Central ||||

+ { "name": "metadata_storage_content_type", "type": "Edm.String", "searchable": false, "filterable": true, "sortable": true }

+ "name" : "my-adlsgen2-indexer",

+ "configuration": {

+GET https://myservice.search.windows.net/indexers/myindexer/status?api-version=2023-11-01

+ "startTime":"2024-02-21T00:23:24.957Z",

+ "endTime":"2024-02-21T00:36:47.752Z",

+ "startTime":"2024-02-21T00:23:24.957Z",

+ "endTime":"2024-02-21T00:36:47.752Z",

+By default, the blob indexer stops as soon as it encounters a blob with an unsupported content type (for example, an audio file). You could use the "excludedFileNameExtensions" parameter to skip certain content types. However, you might want indexing to proceed even if errors occur, and then debug individual documents later. For more information about indexer errors, see [Indexer troubleshooting guidance](search-indexer-troubleshooting.md) and [Indexer errors and warnings](cognitive-search-common-errors-warnings.md).

+PUT /indexers/[indexer name]?api-version=2023-11-01

+ }

+> [!IMPORTANT]

+In this article, learn how to configure an [**indexer**](search-indexer-overview.md) that imports content from Azure Database for MySQL and makes it searchable in Azure AI Search. Inputs to the indexer are your row, in a single table or view. Output is a search index with searchable content in individual fields.

+This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information that's specific to indexing from ADLS Gen2. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.

+}

+GET https://myservice.search.windows.net/indexers/myindexer/status?api-version=2023-11-01

+ "startTime":"2024-02-21T00:23:24.957Z",

+ "endTime":"2024-02-21T00:36:47.752Z",

+ "startTime":"2024-02-21T00:23:24.957Z",

+ "endTime":"2024-02-21T00:36:47.752Z",

+{

+ "name" : "[Data source name]",

+ "type" : "mysql",

+ "credentials" : { "connectionString" : "[connection string]" },

+ "container" : { "name" : "[table or view name]" },

+ "dataChangeDetectionPolicy" : {

+ "@odata.type" : "#Microsoft.Azure.Search.HighWaterMarkChangeDetectionPolicy",

+ "highWaterMarkColumnName" : "[last_updated column name]"

+}

+Creating a shared private link is a search service control plane operation. You can [create a shared private link](search-indexer-howto-access-private.md) using either the portal or a [Management REST API](/rest/api/searchmanagement/shared-private-link-resources/create-or-update). During provisioning, the state of the request is "Updating". After the operation completes successfully, status is "Succeeded". A private endpoint to the resource, along with any DNS zones and mappings, is created. This endpoint is used exclusively by your search service instance and is managed through Azure AI Search.

+| Americas | Europe | Middle East | Africa | Asia Pacific |

+||||||

+| Brazil South | France Central | Israel Central | South Africa North | Australia East |

+| Canada Central | Germany West Central | Qatar Central | | Central India |

+| Central US | Italy North | UAE North | | China North 3 |

+| East US | North Europe | | | East Asia |

+| East US 2 | Norway East | | | Japan East |

+| South Central US | Poland Central | | | Korea Central |

+| US Gov Virginia | Sweden Central | | | Southeast Asia |

+| West US 2 | Switzerland North | | | |

+| West US 3 | UK South | | | |

+|| West Europe ||||

+Learn more about [currently supported availability zones](../reliability/availability-zones-service-support.md#azure-regions-with-availability-zone-support).

+Azure Site Recovery allows you to perform global disaster recovery. You can replicate and recover VMs between any two Azure regions in the world. If you have concerns around data sovereignty, you may choose to limit replication within your specific geographic cluster.

+[See here](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=site-recovery&regions=all) to find details on the various geographic clusters supported.

+> [!NOTE]

+> - **Support for restricted Regions reserved for in-country/region disaster recovery:** Switzerland West reserved for Switzerland North, France South reserved for France Central, Norway West for Norway East customers, JIO India Central for JIO India West customers, Brazil Southeast for Brazil South customers, South Africa West for South Africa North customers, Germany North for Germany West Central customers, UAE Central for UAE North customers.<br/><br/> To use restricted regions as your primary or recovery region, get yourselves allowlisted by raising a request [here](/troubleshoot/azure/general/region-access-request-process) for both source and target subscriptions.

+> <br>

+[Rollup 71](https://support.microsoft.com/topic/update-rollup-71-for-azure-site-recovery-kb5035688-4df258c7-7143-43e7-9aa5-afeef9c26e1a) | 9.59.6930.1 | NA | 9.59.6930.1 | NA | NA

+## Updates (February 2024)

+### Update Rollup 71

+> [!Note]

+> - The version 9.59 has been released only for Classic VMware/Physical to Azure scenario.

+> - 9.58 and 9.59 versions have not been released for Azure to Azure and Modernized VMware to Azure replication scenarios.

+[Update rollup 71](https://support.microsoft.com/topic/update-rollup-71-for-azure-site-recovery-kb5035688-4df258c7-7143-43e7-9aa5-afeef9c26e1a) provides the following updates:

+**Update** | **Details**

+ |

+**Providers and agents** | Updates to Site Recovery agents and providers as detailed in the rollup KB article.

+**Issue fixes/improvements** | No fixes added. 

+**Azure VM disaster recovery** | No improvements added. 

+**VMware VM/physical disaster recovery to Azure** |  No improvements added. 

+ Title: Enable replication for an added VMware virtual machine disk in Azure Site Recovery

+description: This article describes how to enable replication for a disk added to a VMware virtual machine that's enabled for disaster recovery with Azure Site Recovery

+# Enable replication for a disk added to a VMware virtual machine

+This article describes how to enable replication for newly added data disks that are added to a VMware virtual machine, which already has disaster recovery enabled to an Azure region, using [Azure Site Recovery](site-recovery-overview.md).

+Enabling replication for a disk you add to a virtual machine is now supported for VMware virtual machines also.

+**When you add a new disk to a VMware virtual machine that is replicating to an Azure region, the following occurs:**

+- Replication health for the virtual machine shows a warning, and a note in the portal informs you that one or more disks are available for protection.

+- If you enable protection for the added disks, the warning will disappear after initial replication of the disk.

+- If you choose not to enable replication for the disk, you can select to dismiss the warning.

+ 

+## Before you start

+This article assumes that you've already set up disaster recovery for the VMware virtual machine to which you're adding the disk. If you haven't, follow the [VMware to Azure disaster recovery tutorial](vmware-azure-set-up-replication-tutorial-modernized.md).

+## Enable replication for an added disk

+To enable replication for an added disk, do the following:

+1. In the vault > **Replicated Items**, select the virtual machine to which you added the disk.

+2. Select **Disks** > **Data disks** section of the protected item, and then select the data disk for which you want to enable replication (these disks have a **Not protected** status).

+

+ > [!NOTE]

+ > If the enable replication operation for this disk fails, you can resolve the issues and retry the operation.

+3. In **Disk Details**, select **Enable replication**.

+ 

+1. Confirm **Enable Replication**

+

+ 

+After the enable replication job runs and the initial replication finishes, the replication health warning for the disk issue is removed.

+## Next steps

+[Learn more](site-recovery-test-failover-to-azure.md) about running a test failover.

+> The default `devstoreaccount1` storage account is disabled when you set custom storage accounts. If you want to continue using `devstoreaccount1` after enabling custom storage accounts, you need to add it to the list of custom accounts and keys in the `AZURITE_ACCOUNTS` environment variable.

+<YourStorageAccountName>.file.core.windows.net:/<YourStorageAccountName>/<FileShareName> /media/<YourStorageAccountName>/<FileShareName> nfs _netdev,nofail,vers=4,minorversion=1,sec=sys 0 0

+## Steps

+This article shows how to set up Kafka as an output from Azure Stream Analytics. There are six steps:

+1. Create an Azure Stream Analytics job.

+2. Configure your Azure Stream Analytics job to use managed identity if you are using mTLS or SASL_SSl security protocols.

+3. Configure Azure Key vault if you are using mTLS or SASL_SSl security protocols.

+4. Upload certificates as secrets into Azure Key vault.

+5. Grant Azure Stream Analytics permissions to access the uploaded certificate.

+6. Configure Kafka output in your Azure Stream Analytics job.

+> [!NOTE]

+> Depending on how your Kafka cluster is configured and the type of Kafka cluster you are using, some of the above steps may not apply to you. Examples are: if you are using confluent cloud Kafka, you will not need to upload a certificate to use the Kafka connector. If your Kafka cluster is inside a virtual network (VNET) or behind a firewall, you may have to configure your Azure Stream Analytics job to access your Kafka topic using a private link or a dedicated networking configuration.

+## Steps

+This article shows how to set up Kafka as an input source for Azure Stream Analytics. There are six steps:

+1. Create an Azure Stream Analytics job.

+2. Configure your Azure Stream Analytics job to use managed identity if you are using mTLS or SASL_SSl security protocols.

+3. Configure Azure Key vault if you are using mTLS or SASL_SSl security protocols.

+4. Upload certificates as secrets into Azure Key vault.

+5. Grant Azure Stream Analytics permissions to access the uploaded certificate.

+6. Configure Kafka input in your Azure Stream Analytics job.

+> [!NOTE]

+> Depending on how your Kafka cluster is configured and the type of Kafka cluster you are using, some of the above steps may not apply to you. Examples are: if you are using confluent cloud Kafka, you will not need to upload a certificate to use the Kafka connector. If your Kafka cluster is inside a virtual network (VNET) or behind a firewall, you may have to configure your Azure Stream Analytics job to access your Kafka topic using a private link or a dedicated networking configuration.

+If your Kafka cluster is inside a virtual network (VNET) or behind a firewall, you may have to configure your Azure Stream Analytics job to access your Kafka topic using a private link or a dedicated networking configuration.

+VMs in a common availability set are updated within Update Domain boundaries. VMs across multiple Update Domains aren't updated concurrently.

+In scenarios where machines from the same availability set are being patched at the same time in different schedules, it is likely that they might not get patched or could potentially fail if the maintenance window exceeds. To avoid this, we recommend that you either increase the maintenance window or split the machines belonging to the same availability set across multiple schedules at different times.

+ - The maximum you can set this attribute is determined by the size of your disk, the formula is 300 * GiB, up to a maximum of 400,000.

+ - The maximum you can set this attribute is determined by the amount of IOPS you set, the formula is 256 KiB per second per IOPS, up to a maximum of 10,000 MB/s.

+ - The maximum you can set this attribute is determined by the size of your disk, the formula is 300 * GiB, up to a maximum of 400,000.

+ - The maximum you can set this attribute is determined by the amount of IOPS you set, the formula is 256 KiB per second per IOPS, up to a maximum of 10,000 MB/s.

+| **Max throughput** | 10,000 MB/s | 1,200 MB/s | 900 MB/s | 750 MB/s | 500 MB/s |

+| **Max IOPS** | 400,000 | 80,000 | 20,000 | 6,000 | 2,000, 3,000* |

+|64 |19,200 |4,900 |

+|128 |38,400 |9,800 |

+|256 |76,800 |10,000 |

+|512 |153,600 |10,000 |

+|1,024-65,536 (sizes in this range increasing in increments of 1 TiB) |400,000 |10,000 |

+Ultra disks support IOPS limits of 300 IOPS/GiB, up to a maximum of 400,000 IOPS per disk. To achieve the target IOPS for the disk, ensure that the selected disk IOPS are less than the VM IOPS limit. Ultra disks with greater IOPS can be used as shared disks to support multiple VMs.

+The throughput limit of a single ultra disk is 256-kB/s for each provisioned IOPS, up to a maximum of 10,000 MB/s per disk (where MB/s = 10^6 Bytes per second). The minimum guaranteed throughput per disk is 4kB/s for each provisioned IOPS, with an overall baseline minimum of 1 MB/s.