+| Tags | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. | Individual tag size must be between 1 and 256 characters (inclusive). No whitespaces or duplicate tags allowed. |

+3. For **Pool Servers** select an existing node or specify an IP and port for the server hosting the header-based application

+Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD

+1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session

+2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source

+3. For **Pool Servers** select an existing server node or specify an IP and port for the backend node hosting the header-based application

+>[!NOTE]

+>Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.

+Failure to access a SHA protected application can be due to any number of factors. If troubleshooting kerberos SSO issues, be aware of the following.

+* Ensure there are no duplicate SPNs in your AD environment by executing the following query at the command line on a domain PC: setspn -q HTTP/my_target_SPN

+BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers from session variables.

+3. For **Pool Servers** select an existing node or specify an IP and port for the server hosting the header-based application

+Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD

+1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session

+2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source

+The following command can also be used from the BIG-IP bash shell to validate the APM service account used for LDAP queries and can successfully authenticate and query a user object:

+3. For **Pool Servers** select an existing node or specify an IP and port for the servers hosting the Oracle EBS application.

+Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD

+1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session

+2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source

+In this article, learn to secure Oracle JD Edwards (JDE) using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.

+The SHA solution for this scenario is made up of several components:

+ 

+ 

+3. For **Pool Servers** select an existing node or specify an IP and port for the servers hosting the Oracle JDE application.

+Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

+Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

+If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

+2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD

+1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session

+2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source

+* Enabled and configured Enterprise Managed Users GitHub Enterprise to login with OIDC SSO through your Azure AD tenant.

+ Title: 'Tutorial: Configure KPN Grip for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to KPN Grip.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 0d2558a4-1c6c-44e0-bf4c-471da6920f5a

+# Tutorial: Configure KPN Grip for automatic user provisioning

+This tutorial describes the steps you need to do in both KPN Grip and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [KPN Grip](https://grip.kpn.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS apps with Azure AD](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in KPN Grip.

+> * Remove users in KPN Grip when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and KPN Grip.

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to KPN Grip.

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning. For example Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator.

+* A user account in KPN Grip with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and KPN Grip](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure KPN Grip to support provisioning with Azure AD

+To configure KPN Grip to support provisioning with Azure AD refer [KPN Grip Azure Ad Settings](https://grip.kpn.com/en/documentation/article/connectazuread#heading-authenticating-with-aad-accounts).

+## Step 3. Add KPN Grip from the Azure AD application gallery

+Add KPN Grip from the Azure AD application gallery to start managing provisioning to KPN Grip. If you have previously setup KPN Grip for SSO, you can use the same application. However it's recommended you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned. It's based on assignment to the application and or based on attributes of the user and group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* When assigning users and groups to KPN Grip, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control provisioning by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 5. Configure automatic user provisioning to KPN Grip

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in KPN Grip based on user and group assignments in Azure AD.

+### To configure automatic user provisioning for KPN Grip in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **KPN Grip**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your KPN Grip Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to KPN Grip. If the connection fails, ensure your KPN Grip account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to KPN Grip**.

+1. Review the user attributes that are synchronized from Azure AD to KPN Grip in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in KPN Grip for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the KPN Grip API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by KPN Grip

+ |||||

+ |userName|String|✓|✓

+ |displayName|String||✓

+ |active|Boolean||

+ |name.givenName|String||

+ |name.familyName|String||

+ |emails[type eq "work"].value|String||

+ |emails[type eq "alternate"].value|String||

+ |phoneNumbers[type eq "work"].value|String||

+ |phoneNumbers[type eq "mobile"].value|String||

+ |addresses[type eq "work"].region|String||

+ |addresses[type eq "work"].streetAddress|String||

+ |addresses[type eq "work"].locality|String||

+ |addresses[type eq "work"].postalCode|String||

+ |addresses[type eq "work"].country|String||

+ |externalId|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String||

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for KPN Grip, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and groups that you would like to provision to KPN Grip by choosing the appropriate values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to complete than next cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Configure Netpresenter Next for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Netpresenter Next.

+# Tutorial: Configure Netpresenter Next for automatic user provisioning

+This tutorial describes the steps you need to perform in both Netpresenter Next and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Netpresenter Next](https://www.Netpresenter.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+> * Create users in Netpresenter Next

+> * Remove users in Netpresenter Next when they do not require access anymore

+> * Keep user attributes synchronized between Azure AD and Netpresenter Next.

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Netpresenter Next (recommended).

+* An administrator account with Netpresenter Next.

+3. Determine what data to [map between Azure AD and Netpresenter Next](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Netpresenter Next to support provisioning with Azure AD

+1. Sign in to the Netpresenter Next with an administrator account.

+## Step 3. Add Netpresenter Next from the Azure AD application gallery

+Add Netpresenter Next from the Azure AD application gallery to start managing provisioning to Netpresenter Next. If you have previously setup Netpresenter Next for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+* When assigning users and groups to Netpresenter Next, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add another roles.

+## Step 5. Configure automatic user provisioning to Netpresenter Next

+### To configure automatic user provisioning for Netpresenter Next in Azure AD:

+2. In the applications list, select **Netpresenter Next**.

+ 

+5. Under the **Admin Credentials** section, input your Netpresenter Next Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Netpresenter Next. If the connection fails, ensure your Netpresenter Next account has Admin permissions and try again.

+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Netpresenter Next**.

+9. Review the user attributes that are synchronized from Azure AD to Netpresenter Next in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Netpresenter Next for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Netpresenter Next API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Netpresenter Next

+ |||||

+ |userName|String|✓|✓

+ |externalId|String|✓|✓

+ |emails[type eq "work"].value|String|✓|✓

+ |active|Boolean||

+ |name.givenName|String||

+ |name.familyName|String||

+ |phoneNumbers[type eq "work"].value|String||

+ |phoneNumbers[type eq "mobile"].value|String||

+11. To enable the Azure AD provisioning service for Netpresenter Next, change the **Provisioning Status** to **On** in the **Settings** section.

+12. Define the users and/or groups that you would like to provision to Netpresenter Next by choosing the desired values in **Scope** in the **Settings** section.

+By default, each API routes requests to a single backend service URL. Even though there are Azure API Management instances in various regions, the API gateway will still forward requests to the same backend service, which is deployed in only one region. In this case, the performance gain will come only from responses cached within Azure API Management in a region specific to the request, but contacting the backend across the globe may still cause high latency.

+### [Azure Machine Learning](../machine-learning/index.yml)

+### [Cognitive

+### [Cognitive

+Cognitive Services Language Understanding (LUIS) is part of [Cognitive Services for Language](../cognitive-services/language-service/index.yml).

+### [Cognitive

+### [Cognitive

+### [Azure HDInsight](../hdinsight/index.yml)

+### [Power BI](/power-bi/fundamentals/)

+### [Power BI Embedded](/power-bi/developer/embedded/)

+### [Automation](../automation/index.yml)

+### [Azure Advisor](../advisor/index.yml)

+### [Azure Cost Management and Billing](../cost-management-billing/index.yml)

+### [Azure Lighthouse](../lighthouse/index.yml)

+### [Azure Monitor](../azure-monitor/index.yml)

+### [Media Services](../media-services/index.yml)

+### [Azure Migrate](../migrate/index.yml)

+### [Private Link](../private-link/index.yml)

+### [Traffic Manager](../traffic-manager/index.yml)

+### [Azure Information Protection](/azure/information-protection/)

+Azure Information Protection Premium is part of the [Enterprise Mobility + Security](/enterprise-mobility-security) suite. For details on this service and how to use it, see [Azure Information Protection Premium Government Service Description](/enterprise-mobility-security/solutions/ems-aip-premium-govt-service-description).

+### [Microsoft Defender for Cloud](../defender-for-cloud/index.yml)

+### [Microsoft Sentinel](../sentinel/index.yml)

+### [Azure Import/Export](../import-export/index.yml)

+### [App Service](../app-service/index.yml)

+| [AI Builder](/ai-builder/) | ✅ | ✅ |

+| [API Management](../../api-management/index.yml) | ✅ | ✅ |

+| [Application Gateway](../../application-gateway/index.yml) | ✅ | ✅ |

+| [Automation](../../automation/index.yml) | ✅ | ✅ |

+| [Azure Active Directory B2C](../../active-directory-b2c/index.yml) | ✅ | ✅ |

+| [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ |

+| [Azure Active Directory Provisioning Service](../../active-directory/app-provisioning/how-provisioning-works.md)| ✅ | ✅ |

+| [Azure Advisor](../../advisor/index.yml) | ✅ | ✅ |

+| [Azure Analysis Services](../../analysis-services/index.yml) | ✅ | ✅ |

+| [Azure App Configuration](../../azure-app-configuration/index.yml) | ✅ | ✅ |

+| [Azure Arc-enabled servers](../../azure-arc/servers/index.yml) | ✅ | ✅ |

+| [Azure Archive Storage](../../storage/blobs/access-tiers-overview.md) | ✅ | ✅ |

+| [Azure Backup](../../backup/index.yml) | ✅ | ✅ |

+| [Azure Bastion](../../bastion/index.yml) | ✅ | ✅ |

+| [Azure Blueprints](../../governance/blueprints/index.yml) | ✅ | ✅ |

+| [Azure Cache for Redis](../../azure-cache-for-redis/index.yml) | ✅ | ✅ |

+| [Azure Cloud Services](../../cloud-services/index.yml) | ✅ | ✅ |

+| [Azure Cognitive Search](../../search/index.yml) (formerly Azure Search) | ✅ | ✅ |

+| [Azure Cosmos DB](../../cosmos-db/index.yml) | ✅ | ✅ |

+| [Azure Cost Management and Billing](../../cost-management-billing/index.yml) | ✅ | ✅ |

+| [Azure Data Box](../../databox/index.yml) ***** | ✅ | ✅ |

+| [Azure Data Explorer](/azure/data-explorer/) | ✅ | ✅ |

+| [Azure Data Share](../../data-share/index.yml) | ✅ | ✅ |

+| [Azure Database for MariaDB](../../mariadb/index.yml) | ✅ | ✅ |

+| [Azure Database for MySQL](../../mysql/index.yml) | ✅ | ✅ |

+| [Azure Database for PostgreSQL](../../postgresql/index.yml) | ✅ | ✅ |

+| [Azure Database Migration Service](../../dms/index.yml) | ✅ | ✅ |

+| [Azure Databricks](/azure/databricks/) ****** | ✅ | ✅ |

+| [Azure DDoS Protection](../../ddos-protection/index.yml) | ✅ | ✅ |

+| [Azure Dedicated HSM](../../dedicated-hsm/index.yml) | ✅ | ✅ |

+| [Azure DevTest Labs](../../devtest-labs/index.yml) | ✅ | ✅ |

+| [Azure DNS](../../dns/index.yml) | ✅ | ✅ |

+| [Azure ExpressRoute](../../expressroute/index.yml) | ✅ | ✅ |

+| [Azure Firewall](../../firewall/index.yml) | ✅ | ✅ |

+| [Azure Firewall Manager](../../firewall-manager/index.yml) | ✅ | ✅ |

+| [Azure for Education](https://azureforeducation.microsoft.com/) | ✅ | ✅ |

+| [Azure Form Recognizer](../../applied-ai-services/form-recognizer/index.yml) | ✅ | ✅ |

+| [Azure Front Door](../../frontdoor/index.yml) | ✅ | ✅ |

+| [Azure Functions](../../azure-functions/index.yml) | ✅ | ✅ |

+| [Azure HDInsight](../../hdinsight/index.yml) | ✅ | ✅ |

+| [Azure Healthcare APIs](../../healthcare-apis/index.yml) (formerly Azure API for FHIR) | ✅ | ✅ |

+| [Azure HPC Cache](../../hpc-cache/index.yml) | ✅ | ✅ |

+| [Azure Immersive Reader](../../applied-ai-services/immersive-reader/index.yml) | ✅ | ✅ |

+| [Azure Information Protection](/azure/information-protection/) | ✅ | ✅ |

+| [Azure Internet Analyzer](../../internet-analyzer/index.yml) | ✅ | ✅ |

+| [Azure IoT Hub](../../iot-hub/index.yml) | ✅ | ✅ |

+| [Azure Kubernetes Service (AKS)](../../aks/index.yml) | ✅ | ✅ |

+| [Azure Lab Services](../../lab-services/index.yml) | ✅ | ✅ |

+| [Azure Lighthouse](../../lighthouse/index.yml) | ✅ | ✅ |

+| [Azure Logic Apps](../../logic-apps/index.yml) | ✅ | ✅ |

+| [Azure Machine Learning](../../machine-learning/index.yml) | ✅ | ✅ |

+| [Azure Managed Applications](../../azure-resource-manager/managed-applications/index.yml) | ✅ | ✅ |

+| [Azure Maps](../../azure-maps/index.yml) | ✅ | ✅ |

+| [Azure Media Services](../../media-services/index.yml) | ✅ | ✅ |

+| [Azure Migrate](../../migrate/index.yml) | ✅ | ✅ |

+| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Application Insights](../../azure-monitor/app/app-insights-overview.md), [Log Analytics](../../azure-monitor/logs/data-platform-logs.md), and [Application Change Analysis](../../azure-monitor/app/change-analysis.md)) | ✅ | ✅ |

+| [Azure NetApp Files](../../azure-netapp-files/index.yml) | ✅ | ✅ |

+| [Azure Open Datasets](../../open-datasets/index.yml) | ✅ | ✅ |

+| [Azure Peering Service](../../peering-service/index.yml) | ✅ | ✅ |

+| [Azure Policy](../../governance/policy/index.yml) | ✅ | ✅ |

+| [Azure Red Hat OpenShift](../../openshift/index.yml) | ✅ | ✅ |

+| [Azure Resource Graph](../../governance/resource-graph/index.yml) | ✅ | ✅ |

+| [Azure Resource Manager](../../azure-resource-manager/management/index.yml) | ✅ | ✅ |

+| [Azure Scheduler](../../scheduler/index.yml) (replaced by [Azure Logic Apps](../../logic-apps/index.yml)) | ✅ | ✅ |

+| [Azure Service Fabric](../../service-fabric/index.yml) | ✅ | ✅ |

+| [Azure Service Health](../../service-health/index.yml) | ✅ | ✅ |

+| [Azure SignalR Service](../../azure-signalr/index.yml) | ✅ | ✅ |

+| [Azure Site Recovery](../../site-recovery/index.yml) | ✅ | ✅ |

+| [Azure Sphere](/azure-sphere/) | ✅ | ✅ |

+| [Azure Spring Cloud](../../spring-cloud/index.yml) | ✅ | ✅ |

+| [Azure SQL Database](../../azure-sql/database/sql-database-paas-overview.md) | ✅ | ✅ |

+| [Azure Stack Edge](../../databox-online/index.yml) (formerly Data Box Edge) ***** | ✅ | ✅ |

+| [Azure Stream Analytics](../../stream-analytics/index.yml) | ✅ | ✅ |

+| [Azure Synapse Analytics](../../synapse-analytics/index.yml) | ✅ | ✅ |

+| [Azure Time Series Insights](../../time-series-insights/index.yml) | ✅ | ✅ |

+| [Azure Virtual Desktop](../../virtual-desktop/index.yml) (formerly Windows Virtual Desktop) | ✅ | ✅ |

+| [Azure VMware Solution](../../azure-vmware/index.yml) | ✅ | ✅ |

+| [Azure Web Application Firewall](../../web-application-firewall/index.yml) | ✅ | ✅ |

+| [Batch](../../batch/index.yml) | ✅ | ✅ |

+| [Cloud Shell](../../cloud-shell/overview.md) | ✅ | ✅ |

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Container Instances](../../container-instances/index.yml) | ✅ | ✅ |

+| [Container Registry](../../container-registry/index.yml) | ✅ | ✅ |

+| [Content Delivery Network](../../cdn/index.yml) | ✅ | ✅ |

+| [Data Factory](../../data-factory/index.yml) | ✅ | ✅ |

+| [Dataverse](/powerapps/maker/data-platform/) (incl. [Azure Synapse Link for Dataverse](/powerapps/maker/data-platform/export-to-data-lake)) | ✅ | ✅ |

+| [Dynamics 365 Commerce](/dynamics365/commerce/)| ✅ | ✅ |

+| [Dynamics 365 Customer Service](/dynamics365/customer-service/overview)| ✅ | ✅ |

+| [Dynamics 365 Field Service](/dynamics365/field-service/overview)| ✅ | ✅ |

+| [Dynamics 365 Finance](/dynamics365/finance/)| ✅ | ✅ |

+| [Dynamics 365 Guides](/dynamics365/mixed-reality/guides/)| ✅ | ✅ |

+| [Dynamics 365 Sales](/dynamics365/sales/help-hub) | ✅ | ✅ |

+| [Dynamics 365 Sales Professional](/dynamics365/sales/overview#dynamics-365-sales-professional) | ✅ | ✅ |

+| [Dynamics 365 Supply Chain Management](/dynamics365/supply-chain/)| ✅ | ✅ |

+| [Event Grid](../../event-grid/index.yml) | ✅ | ✅ |

+| [Event Hubs](../../event-hubs/index.yml) | ✅ | ✅ |

+| [Import/Export](../../import-export/index.yml) | ✅ | ✅ |

+| [Key Vault](../../key-vault/index.yml) | ✅ | ✅ |

+| [Load Balancer](../../load-balancer/index.yml) | ✅ | ✅ |

+| [Microsoft Azure Attestation](../../attestation/index.yml)| ✅ | ✅ |

+| [Microsoft Defender for Cloud](../../defender-for-cloud/index.yml) (formerly Azure Security Center) | ✅ | ✅ |

+| [Microsoft Defender for Cloud Apps](/defender-cloud-apps/) (formerly Microsoft Cloud App Security) | ✅ | ✅ |

+| [Microsoft Defender for Identity](/defender-for-identity/) (formerly Azure Advanced Threat Protection) | ✅ | ✅ |

+| [Microsoft Defender for IoT](../../defender-for-iot/index.yml) (formerly Azure Security for IoT) | ✅ | ✅ |

+| [Microsoft Graph](/graph/) | ✅ | ✅ |

+| [Microsoft Intune](/mem/intune/) | ✅ | ✅ |

+| [Microsoft Sentinel](../../sentinel/index.yml) (incl. [UEBA](../../sentinel/identify-threats-with-entity-behavior-analytics.md#what-is-user-and-entity-behavior-analytics-ueba)) | ✅ | ✅ |

+| [Microsoft Stream](/stream/) | ✅ | ✅ |

+| [Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) | ✅ | ✅ |

+| [Network Watcher](../../network-watcher/index.yml) (incl. [Traffic Analytics](../../network-watcher/traffic-analytics.md)) | ✅ | ✅ |

+| [Notification Hubs](../../notification-hubs/index.yml) | ✅ | ✅ |

+| [Power Apps](/powerapps/) | ✅ | ✅ |

+| [Power Automate](/power-automate/) (formerly Microsoft Flow) | ✅ | ✅ |

+| [Power BI](/power-bi/fundamentals/) | ✅ | ✅ |

+| [Power BI Embedded](/power-bi/developer/embedded/) | ✅ | ✅ |

+| [Power Data Integrator for Dataverse](/power-platform/admin/data-integrator) (formerly Dynamics 365 Integrator App) | ✅ | ✅ |

+| [Power Virtual Agents](/power-virtual-agents/) | ✅ | ✅ |

+| [Private Link](../../private-link/index.yml) | ✅ | ✅ |

+| [Service Bus](../../service-bus-messaging/index.yml) | ✅ | ✅ |

+| [SQL Server Stretch Database](../../sql-server-stretch-database/index.yml) | ✅ | ✅ |

+| [Storage: Blobs](../../storage/blobs/index.yml) (incl. [Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-introduction.md)) | ✅ | ✅ |

+| [Storage: Data Movement](../../storage/common/storage-use-data-movement-library.md) | ✅ | ✅ |

+| [Storage: Disks (incl. managed disks)](../../virtual-machines/managed-disks-overview.md) | ✅ | ✅ |

+| [Storage: Files](../../storage/files/index.yml) (incl. [Azure File Sync](../../storage/file-sync/index.yml)) | ✅ | ✅ |

+| [Storage: Queues](../../storage/queues/index.yml) | ✅ | ✅ |

+| [Storage: Tables](../../storage/tables/index.yml) | ✅ | ✅ |

+| [StorSimple](../../storsimple/index.yml) | ✅ | ✅ |

+| [Traffic Manager](../../traffic-manager/index.yml) | ✅ | ✅ |

+| [Virtual Machine Scale Sets](../../virtual-machine-scale-sets/index.yml) | ✅ | ✅ |

+| [Virtual Machines](../../virtual-machines/index.yml) (incl. [Reserved VM Instances](../../virtual-machines/prepay-reserved-vm-instances.md)) | ✅ | ✅ |

+| [Virtual Network](../../virtual-network/index.yml) | ✅ | ✅ |

+| [Virtual Network NAT](../../virtual-network/nat-gateway/index.yml) | ✅ | ✅ |

+| [Virtual WAN](../../virtual-wan/index.yml) | ✅ | ✅ |

+| [VPN Gateway](../../vpn-gateway/index.yml) | ✅ | ✅ |

+| [Web Apps (App Service)](../../app-service/index.yml) | ✅ | ✅ |

+| [Windows 10 IoT Core Services](/windows-hardware/manufacture/iot/iotcoreservicesoverview) | ✅ | ✅ |

+| [AI Builder](/ai-builder/) | ✅ | ✅ | | | |

+| [API Management](../../api-management/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Application Gateway](../../application-gateway/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Automation](../../automation/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Advisor](../../advisor/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Analysis Services](../../analysis-services/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure App Configuration](../../azure-app-configuration/index.yml) | ✅ | ✅ | ✅ |✅ | |

+| [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) | ✅ | ✅ | | | |

+| [Azure Arc-enabled servers](../../azure-arc/servers/index.yml) | ✅ | ✅ | | | |

+| [Azure Archive Storage](../../storage/blobs/access-tiers-overview.md) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Backup](../../backup/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Bastion](../../bastion/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Blueprints](../../governance/blueprints/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Cache for Redis](../../azure-cache-for-redis/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Cloud Services](../../cloud-services/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Cognitive Search](../../search/index.yml) (formerly Azure Search) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Cosmos DB](../../cosmos-db/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Cost Management and Billing](../../cost-management-billing/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Data Box](../../databox/index.yml) ***** | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Data Explorer](/azure/data-explorer/) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Data Share](../../data-share/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Database for MariaDB](../../mariadb/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Database for MySQL](../../mysql/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Database for PostgreSQL](../../postgresql/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Database Migration Service](../../dms/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Databricks](/azure/databricks/) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure DDoS Protection](../../ddos-protection/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Dedicated HSM](../../dedicated-hsm/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure DevTest Labs](../../devtest-labs/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure DNS](../../dns/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure ExpressRoute](../../expressroute/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Firewall](../../firewall/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Firewall Manager](../../firewall-manager/index.yml) | ✅ | ✅ | | | |

+| [Azure Form Recognizer](../../applied-ai-services/form-recognizer/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Front Door](../../frontdoor/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Functions](../../azure-functions/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure HDInsight](../../hdinsight/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Healthcare APIs](../../healthcare-apis/index.yml) (formerly Azure API for FHIR) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure HPC Cache](../../hpc-cache/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** |

+| [Azure Information Protection](/azure/information-protection/) ****** | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure IoT Hub](../../iot-hub/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Kubernetes Service (AKS)](../../aks/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Lab Services](../../lab-services/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Lighthouse](../../lighthouse/index.yml)| ✅ | ✅ | ✅ | ✅ | |

+| [Azure Logic Apps](../../logic-apps/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Machine Learning](../../machine-learning/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Managed Applications](../../azure-resource-manager/managed-applications/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Maps](../../azure-maps/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Media Services](../../media-services/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Migrate](../../migrate/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Log Analytics](../../azure-monitor/logs/data-platform-logs.md)) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure NetApp Files](../../azure-netapp-files/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Peering Service](../../peering-service/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Policy](../../governance/policy/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Resource Graph](../../governance/resource-graph/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Resource Manager](../../azure-resource-manager/management/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Resource Mover](../../resource-mover/index.yml) | ✅ | ✅ | | | |

+| [Azure Route Server](../../route-server/index.yml) | ✅ | ✅ | | | |

+| [Azure Scheduler](../../scheduler/index.yml) (replaced by [Azure Logic Apps](../../logic-apps/index.yml)) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Service Fabric](../../service-fabric/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Service Health](../../service-health/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure SignalR Service](../../azure-signalr/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Site Recovery](../../site-recovery/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure SQL Database](../../azure-sql/database/sql-database-paas-overview.md) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Stack Edge](../../databox-online/index.yml) (formerly Data Box Edge) ***** | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Azure Stream Analytics](../../stream-analytics/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Synapse Analytics](../../synapse-analytics/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Synapse Link for Dataverse](/powerapps/maker/data-platform/export-to-data-lake) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Virtual Desktop](../../virtual-desktop/index.yml) (formerly Windows Virtual Desktop) | ✅ | ✅ | ✅ | ✅ | |

+| [Azure Web Application Firewall](../../web-application-firewall/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Batch](../../batch/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Cloud Shell](../../cloud-shell/overview.md) | ✅ | ✅ | ✅ | ✅ | |

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Cognitive

+| [Container Instances](../../container-instances/index.yml)| ✅ | ✅ | ✅ | ✅ | |

+| [Container Registry](../../container-registry/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Content Delivery Network](../../cdn/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Data Factory](../../data-factory/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Dataverse](/powerapps/maker/data-platform/) (formerly Common Data Service) | ✅ | ✅ | ✅ | ✅ | |

+| [Dynamics 365 Customer Insights](/dynamics365/customer-insights/) | ✅ | ✅ | ✅ | ✅ | |

+| [Dynamics 365 Customer Voice](/dynamics365/customer-voice/about) (formerly Forms Pro) | ✅ | ✅ | ✅ | ✅ | |

+| [Dynamics 365 Finance](/dynamics365/finance/) | ✅ | ✅ | | | |

+| [Dynamics 365 Project Service Automation](/dynamics365/project-operations/psa/overview) | ✅ | ✅ | ✅ | ✅ | |

+| [Dynamics 365 Sales](/dynamics365/sales/help-hub) | ✅ | ✅ | ✅ | ✅ | |

+| [Dynamics 365 Supply Chain Management](/dynamics365/supply-chain/) | ✅ | ✅ | | | |

+| [Event Grid](../../event-grid/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Event Hubs](../../event-hubs/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Import/Export](../../import-export/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Key Vault](../../key-vault/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Load Balancer](../../load-balancer/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Microsoft Defender for Cloud](../../defender-for-cloud/index.yml) (formerly Azure Security Center) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Microsoft Defender for Cloud Apps](/defender-cloud-apps/) (formerly Microsoft Cloud App Security) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) (formerly Microsoft Defender Advanced Threat Protection) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Defender for Identity](/defender-for-identity/) (formerly Azure Advanced Threat Protection) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Defender for IoT](../../defender-for-iot/index.yml) (formerly Azure Security for IoT) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Graph](/graph/) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Microsoft Intune](/mem/intune/) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Sentinel](../../sentinel/index.yml) (formerly Azure Sentinel) | ✅ | ✅ | ✅ | ✅ | |

+| [Microsoft Stream](/stream/) | ✅ | ✅ | ✅ | ✅ | |

+| [Network Watcher](../../network-watcher/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Notification Hubs](../../notification-hubs/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Power Apps](/powerapps/) | ✅ | ✅ | ✅ | ✅ | |

+| [Power Automate](/power-automate/) (formerly Microsoft Flow) | ✅ | ✅ | ✅ | ✅ | |

+| [Power BI](/power-bi/fundamentals/) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Power BI Embedded](/power-bi/developer/embedded/) | ✅ | ✅ | ✅ | ✅ | |

+| [Power Data Integrator for Dataverse](/power-platform/admin/data-integrator) (formerly Dynamics 365 Integrator App) | ✅ | ✅ | ✅ | ✅ | |

+| [Power Query Online](/power-query/) | ✅ | ✅ | ✅ | ✅ | |

+| [Power Virtual Agents](/power-virtual-agents/) | ✅ | ✅ | ✅ | ✅ | |

+| [Private Link](../../private-link/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Service Bus](../../service-bus-messaging/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [SQL Server Stretch Database](../../sql-server-stretch-database/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Storage: Blobs](../../storage/blobs/index.yml) (incl. [Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-introduction.md)) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Storage: Disks (incl. managed disks)](../../virtual-machines/managed-disks-overview.md) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Storage: Files](../../storage/files/index.yml) (incl. [Azure File Sync](../../storage/file-sync/index.yml)) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Storage: Queues](../../storage/queues/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Storage: Tables](../../storage/tables/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [StorSimple](../../storsimple/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Traffic Manager](../../traffic-manager/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Virtual Machine Scale Sets](../../virtual-machine-scale-sets/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Virtual Machines](../../virtual-machines/index.yml) (incl. [Reserved VM Instances](../../virtual-machines/prepay-reserved-vm-instances.md)) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** |

+| [Virtual Network](../../virtual-network/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Virtual Network NAT](../../virtual-network/nat-gateway/index.yml) | ✅ | ✅ | ✅ | ✅ | |

+| [Virtual WAN](../../virtual-wan/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [VPN Gateway](../../vpn-gateway/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+| [Web Apps (App Service)](../../app-service/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |

+### [Azure Cognitive Search](../search/index.yml)

+### [Azure Machine Learning](../machine-learning/index.yml)

+### [Cognitive

+- Configure encryption at rest of content in the Content Moderator service by [using customer-managed keys in Azure Key Vault](../cognitive-services/content-moderator/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault).

+### [Cognitive

+### [Cognitive

+- Configure encryption at rest of content in the Face service by [using customer-managed keys in Azure Key Vault](../cognitive-services/face/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault).

+### [Cognitive

+- Configure encryption at rest of content in the Language Understanding service by [using customer-managed keys in Azure Key Vault](../cognitive-services/luis/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault).

+Cognitive Services Language Understanding (LUIS) is part of [Cognitive Services for Language](../cognitive-services/language-service/index.yml).

+### [Cognitive

+- Configure encryption at rest of content in Cognitive Services Personalizer [using customer-managed keys in Azure Key Vault](../cognitive-services/personalizer/encrypt-data-at-rest.md#customer-managed-keys-with-azure-key-vault).

+### [Cognitive

+- Configure encryption at rest of content in Cognitive Services QnA Maker [using customer-managed keys in Azure Key Vault](../cognitive-services/qnamaker/encrypt-data-at-rest.md).

+Cognitive Services QnA Maker is part of [Cognitive Services for Language](../cognitive-services/language-service/index.yml).

+### [Cognitive

+### [Cognitive

+- Configure encryption at rest of content in the Translator service by [using customer-managed keys in Azure Key Vault](../cognitive-services/translator/encrypt-data-at-rest.md).

+### [Azure Databricks](/azure/databricks/)

+- Configure customer-managed Keys (CMK) for your [Azure Databricks Workspace](/azure/databricks/security/keys/customer-managed-key-managed-services-azure) and [Databricks File System](/azure/databricks/security/keys/customer-managed-keys-dbfs/) (DBFS).

+### [Azure Data Explorer](/azure/data-explorer/)

+- Data in Azure Data Explorer clusters in Azure is secured and encrypted with Microsoft-managed keys by default. For extra control over encryption keys, you can supply customer-managed keys to use for data encryption and manage [encryption of your data](/azure/data-explorer/security#customer-managed-keys-with-azure-key-vault) at the storage level with your own keys.

+### [Azure HDInsight](../hdinsight/index.yml)

+### [Azure Stream Analytics](../stream-analytics/index.yml)

+- Configure encryption at rest of content in Azure Stream Analytics by [using customer-managed keys in Azure Key Vault](../stream-analytics/data-protection.md#encrypt-your-data).

+### [Azure Synapse Analytics](../synapse-analytics/index.yml)

+### [Data Factory](../data-factory/index.yml)

+### [Event Hubs](../event-hubs/index.yml)

+### [Batch](../batch/index.yml)

+### [Virtual machines](../virtual-machines/index.yml) and [virtual machine scale sets](../virtual-machine-scale-sets/index.yml)

+#### [Azure Dedicated Host](../virtual-machines/dedicated-hosts.md)

+Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our datacenters, provided as a resource. You can provision dedicated hosts within a region, availability zone, and fault domain. You can then place VMs directly into your provisioned hosts, in whatever configuration meets your needs.

+#### Disk encryption for virtual machines

+#### Disk encryption for virtual machine scale sets

+- [Encrypt disks in virtual machine scale sets](../virtual-machine-scale-sets/disk-encryption-key-vault.md)

+### [Azure Kubernetes Service](../aks/index.yml)

+### [Container Instances](../container-instances/index.yml)

+### [Container Registry](../container-registry/index.yml)

+### [Azure Cosmos DB](../cosmos-db/index.yml)

+### [Azure Database for MySQL](../mysql/index.yml)

+### [Azure Database for PostgreSQL](../postgresql/index.yml)

+### [Azure Healthcare APIs](../healthcare-apis/index.yml) (formerly Azure API for FHIR)

+### [Azure SQL Database](../azure-sql/database/sql-database-paas-overview.md)

+- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption with customer-managed key](../azure-sql/database/transparent-data-encryption-byok-overview.md).

+### [SQL Server Stretch Database](../sql-server-stretch-database/index.yml)

+- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption with customer-managed key](../azure-sql/database/transparent-data-encryption-byok-overview.md).

+### [Azure Stack Edge](../databox-online/index.yml)

+### [Service Bus](../service-bus-messaging/index.yml)

+### [Azure IoT Hub](../iot-hub/index.yml)

+- IoT Hub supports encryption of data at rest with customer-managed keys, also known as *bring your own key* (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables you to encrypt data at rest by using an [encryption key that you manage via Azure Key Vault](../iot-hub/iot-hub-customer-managed-keys.md).

+### [Automation](../automation/index.yml)

+### [Azure Managed Applications](../azure-resource-manager/managed-applications/index.yml)

+- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs, including [storage encryption with customer-managed keys](#storage-encryption-with-key-vault-managed-keys). For more information, see [Bring your own storage](../azure-resource-manager/managed-applications/publish-service-catalog-app.md#bring-your-own-storage-for-the-managed-application-definition).

+### [Azure Monitor](../azure-monitor/index.yml)

+### [Azure Site Recovery](../site-recovery/index.yml)

+- You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see [Replicate machines with customer-managed keys enabled disks](../site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks.md).

+### [Microsoft Intune](/mem/intune/fundamentals/)

+### [Azure Data Box](../databox/index.yml)

+### [Azure Migrate](../migrate/index.yml)

+### [Azure Information Protection](/azure/information-protection/)

+### [Microsoft Sentinel](../sentinel/index.yml) (formerly Azure Sentinel)

+### [Microsoft Defender for Cloud Apps](/defender-cloud-apps/) (formerly Microsoft Cloud App Security)

+- Configure encryption at rest of content in Microsoft Defender for Cloud Apps [using customer-managed keys in Azure Key Vault](/enterprise-mobility-security/solutions/ems-cloud-app-security-govt-service-byok).

+### [Azure Archive Storage](../storage/blobs/access-tiers-overview.md)

+- Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point you can enforce customer-managed keys that are in place for your online storage tiers. When you create a target storage account for IL5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see [Storage encryption with Key Vault managed keys](#storage-encryption-with-key-vault-managed-keys).

+### [Azure File Sync](../storage/file-sync/index.yml)

+### [Azure HPC Cache](../hpc-cache/index.yml)

+### [Azure Import/Export](../import-export/index.yml)

+- By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of IL5 data, add storage encryption via customer-managed keys. For more information, see [Storage encryption with Key Vault managed keys](#storage-encryption-with-key-vault-managed-keys) in this article.

+### [Azure NetApp Files](../azure-netapp-files/index.yml)

+- Configure encryption at rest of content in Azure NetApp Files [using customer-managed keys](../azure-netapp-files/faq-security.md#how-are-encryption-keys-managed)

+### [Azure Storage](../storage/index.yml)

+For more information about how to enable this Azure Storage encryption feature, see [Configure encryption with customer-managed keys stored in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md).

+### [StorSimple](../storsimple/index.yml)

+|Azure App Service on Windows | GA, OnBD* | GA, opt-in | Public Preview, Container and Custom Containers are GA | Public Preview | Not supported |

+|Azure Functions - dependencies | Not supported | Not supported | Public Preview | Not supported | Through [extension](monitor-functions.md#distributed-tracing-for-python-function-apps) |

+|Azure Spring Cloud | Not supported | Not supported | GA | Not supported | Not supported |

+# Manage Azure Resource Groups by using Azure CLI

+- To learn the Resource Manager template syntax, see [Understand the structure and syntax of Azure Resource Manager templates](../templates/syntax.md).

+# Manage Azure Resource Groups by using Azure PowerShell

+When data space used reaches the maximum data size limit, either at the database level or at the elastic pool level, inserts and updates that increase data size fail and clients receive an [error message](troubleshoot-common-errors-issues.md). SELECT and DELETE statements remain unaffected.

+In Premium and Business Critical service tiers, clients also receive an error message if combined storage consumption by data, transaction log, and tempdb for a single database or an elastic pool exceeds maximum local storage size. For more information, see [Storage space governance](#storage-space-governance).

+- If the database is in an elastic pool, then alternatively the database can be moved outside of the pool, so that its storage space isn't shared with other databases.

+- Check if high space utilization is due to a spike in the size of Persistent Version Store (PVS). PVS is a part of each database, and is used to implement [Accelerated Database Recovery](../accelerated-database-recovery.md). To determine current PVS size, see [PVS troubleshooting](/sql/relational-databases/accelerated-database-recovery-management#troubleshooting). A common reason for large PVS size is a transaction that is open for a long time (hours), preventing cleanup of row older versions in PVS.

+- For databases and elastic pools in Premium and Business Critical service tiers that consume large amounts of storage, you may receive an out-of-space error even though used space in the database or elastic pool is below its maximum data size limit. This may happen if tempdb or transaction log files consume a large amount of storage toward the maximum local storage limit. [Fail over](high-availability-sla.md#testing-application-fault-resiliency) the database or elastic pool to reset tempdb to its initial smaller size, or [shrink](file-space-manage.md#shrinking-transaction-log-file) transaction log to reduce local storage consumption.

+The maximum numbers of sessions and workers are determined by the service tier and compute size. New requests are rejected when session or worker limits are reached, and clients receive an error message. While the number of connections can be controlled by the application, the number of concurrent workers is often harder to estimate and control. This is especially true during peak load periods when database resource limits are reached and workers pile up due to longer running queries, large blocking chains, or excessive query parallelism.

+|Reduce the size of memory grants|For more information about memory grants, see the [Understanding SQL Server memory grant](https://techcommunity.microsoft.com/t5/sql-server/understanding-sql-server-memory-grant/ba-p/383595) blog post. A common solution for avoiding excessively large memory grants is keeping [statistics](/sql/relational-databases/statistics/statistics) up to date. This results in more accurate estimates of memory consumption by the query engine, avoiding unnecessarily large memory grants.</br></br>By default, in databases using compatibility level 140 and above, the database engine may automatically adjust memory grant size using [Batch mode memory grant feedback](/sql/relational-databases/performance/intelligent-query-processing#batch-mode-memory-grant-feedback). Similarly, in databases using compatibility level 150 and above, the database engine also uses [Row mode memory grant feedback](/sql/relational-databases/performance/intelligent-query-processing#row-mode-memory-grant-feedback), for more common row mode queries. This built-in functionality helps avoid out-of-memory errors due to unnecessarily large memory grants.|

+|Reduce the size of query plan cache|The database engine caches query plans in memory, to avoid compiling a query plan for every query execution. To avoid query plan cache bloat caused by caching plans that are only used once, make sure to use parameterized queries, and consider enabling OPTIMIZE_FOR_AD_HOC_WORKLOADS [database-scoped configuration](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql).|

+Because all data is copied to local storage volumes on different machines, moving larger databases may require a substantial amount of time. During that time, if local space consumption by a database or an elastic pool, or by the tempdb database grows rapidly, the risk of running out of space increases. The system initiates database movement in a balanced fashion to minimize out-of-space errors while avoiding unnecessary failovers.

+1. **Assign Azure Key Vault** that stores the credentials to connect to the selected database. You should have already [created the relevant secrets](#create-secrets-in-the-key-vault) in the key vault. To assign the key vault at the individual row level, click **Select a key vault and secret**.. You can also assign the key vault by multi-selecting the rows and click **Assign key vault** in the top menu of the grid.

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-azure-key-vault-inline.png" alt-text="Screenshot showing how to assign Azure Key Vault." lightbox="./media/backup-azure-database-postgresql/assign-azure-key-vault-expanded.png":::

+## Track a backup job

+Azure Backup service creates a job for scheduled backups or if you trigger on-demand backup operation for tracking. To view the backup job status:

+1. Go to the **Backup instance** screen.

+ It shows the jobs dashboard with operation and status for the past seven days.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-inline.png" alt-text="Screenshot showing the Jobs dashboard." lightbox="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-expanded.png":::

+1. To view the status of the backup job, select **View all** to see ongoing and past jobs of this backup instance.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-inline.png" alt-text="Screenshot showing to select the View all option." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-expanded.png":::

+1. Review the list of backup and restore jobs and their status. Select a job from the list of jobs to view job details.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-inline.png" alt-text="Screenshot showing to select job to see details." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-expanded.png":::

+To trigger an on-demand backup, use the [az dataprotection backup-instance adhoc-backup](/cli/azure/dataprotection/backup-instance#az_dataprotection_backup_instance_adhoc_backup) command.

+ Title: Quick start - Back up Azure Database for PostgreSQL server

+description: In this quickstart, learn how to back up Azure Database for PostgreSQL server to an Azure Backup Vault.

+# Back up Azure Database for PostgreSQL server in Azure

+Azure Database for PostgreSQL is a managed service that you use to run, manage, and scale highly available PostgreSQL databases in the cloud. This quickstart shows you how to back up Azure Database for PostgreSQL server running on an Azure VM to an Azure Backup Recovery Services vault. To create Azure Database for PostgreSQL server, see the [tutorial](../postgresql/tutorial-design-database-using-azure-portal.md).

+## Prerequisites

+Before you start back up of Azure PostgreSQL database:

+- Identify or [create a Backup Vault](tutorial-postgresql-backup.md#create-a-backup-vault) in the same region where you want to back up the Azure Database for PostgreSQL server instance.

+- Check that Azure Database for PostgreSQL server is named in accordance with naming guidelines for Azure Backup. [Learn more](../postgresql/tutorial-design-database-using-azure-portal.md#create-an-azure-database-for-postgresql)

+- [Create secrets in the key vault](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+- [Grant privileges to database users using PowerShell scripts](backup-azure-database-postgresql.md#run-powershell-script-to-grant-privileges-to-database-users).

+- [Allow access permissions for the relevant key vault](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-key-vault-associated-with-the-postgresql-server).

+- [Provide database user's backup privileges on the database](backup-azure-database-postgresql-overview.md#database-users-backup-privileges-on-the-database).

+- [Allow access permissions for PostgreSQL server](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-postgresql-server).

+- [Create a back up policy](backup-azure-database-postgresql.md#create-backup-policy).

+## Configure backup on the database

+You can configure backup on multiple databases across multiple Azure PostgreSQL servers. To configure backup on the Azure PostgreSQL databases using Azure Backup, follow these steps:

+1. Go to **Backup vault** -> **+Backup**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/adding-backup-inline.png" alt-text="Screenshot showing the option to add a backup." lightbox="./media/backup-azure-database-postgresql/adding-backup-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/adding-backup-details-inline.png" alt-text="Screenshot showing the option to add backup information." lightbox="./media/backup-azure-database-postgresql/adding-backup-details-expanded.png":::

+ Alternatively, you can navigate to this page from the [Backup center](./backup-center-overview.md).

+1. Select or [create](tutorial-postgresql-backup.md#create-a-backup-vault) a Backup Policy that defines the backup schedule and the retention duration.

+ :::image type="content" source="./media/backup-azure-database-postgresql/create-or-add-backup-policy-inline.png" alt-text="Screenshot showing the option to add a backup policy." lightbox="./media/backup-azure-database-postgresql/create-or-add-backup-policy-expanded.png":::

+1. **Select Azure PostgreSQL databases to back up**: Choose one of the Azure PostgreSQL servers across subscriptions if they're in the same region as that of the vault. Expand the arrow to see the list of databases within a server.

+ >[!Note]

+ >You don't need to back up the databases *azure_maintenance* and *azure_sys*. Additionally, you can't back up a database already backed-up to a Backup vault.

+ :::image type="content" source="./media/backup-azure-database-postgresql/select-azure-postgresql-databases-to-back-up-inline.png" alt-text="Screenshot showing the option to select an Azure PostgreSQL database." lightbox="./media/backup-azure-database-postgresql/select-azure-postgresql-databases-to-back-up-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/choose-an-azure-postgresql-server-inline.png" alt-text="Screenshot showing how to choose an Azure PostgreSQL server." lightbox="./media/backup-azure-database-postgresql/choose-an-azure-postgresql-server-expanded.png":::

+1. **Assign Azure Key Vault** that stores the credentials to connect to the selected database. To assign the key vault at the individual row level, click **Select a key vault and secret**. You can also assign the key vault by multi-selecting the rows and click **Assign key vault** in the top menu of the grid.

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-azure-key-vault-inline.png" alt-text="Screenshot showing how to assign Azure Key Vault." lightbox="./media/backup-azure-database-postgresql/assign-azure-key-vault-expanded.png":::

+1. To specify the secret information, use one of the following options:

+ 1. **Enter secret URI**: Use this option if the secret URI is shared/known to you. You can copy the **secret URI from the Key vault** -> **Secrets (select a secret)** -> **Secret Identifier**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/enter-secret-uri-inline.png" alt-text="Screenshot showing how to enter secret U R I." lightbox="./media/backup-azure-database-postgresql/enter-secret-uri-expanded.png":::

+ However, with this option, Azure Backup gets no visibility about the key vault youΓÇÖve referenced. Therefore, access permissions on the key vault canΓÇÖt be granted inline. The backup admin along with the Postgres and/or key vault admin need to ensure that the backup vaultΓÇÖs [access on the key vault is granted manually](backup-azure-database-postgresql-overview.md#access-permissions-on-the-azure-key-vault-associated-with-the-postgresql-server) outside the configure backup flow for the backup operation to succeed.

+ 1. **Select the key vault**: Use this option if you know the key vault and secret name. With this option, you (backup admin with write access on the key vault) can grant the access permissions on the key vault inline. The key vault and the secret could pre-exist or be created on the go. Ensure that the secret is the PG server connection string in ADO.net format updated with the credentials of the database user that has been granted with the _backup_ privileges on the server. Learn more about how to [create secrets in the key vault](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-secret-store-inline.png" alt-text="Screenshot showing how to assign secret store." lightbox="./media/backup-azure-database-postgresql/assign-secret-store-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/select-secret-from-azure-key-vault-inline.png" alt-text="Screenshot showing the selection of secret from Azure Key Vault." lightbox="./media/backup-azure-database-postgresql/select-secret-from-azure-key-vault-expanded.png":::

+1. When the secret information update is complete, the validation starts after the key vault information has been updated.

+ >[!Note]

+ >

+ >- Here, the backup service validates if it has all the necessary [access permissions](backup-azure-database-postgresql-overview.md#key-vault-based-authentication-model) to read secret details from the key vault and connect to the database.

+ >- If one or more access permissions are found missing, it'll display one of the error messages ΓÇô _Role assignment not done or User cannot assign roles_.

+ :::image type="content" source="./media/backup-azure-database-postgresql/validation-of-secret-inline.png" alt-text="Screenshot showing the validation of secret." lightbox="./media/backup-azure-database-postgresql/validation-of-secret-expanded.png":::

+ - **User cannot assign roles**: This message displays when you (the backup admin) donΓÇÖt have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Download the assignment template from the action button and have it run by the PostgreSQL and/or key vault admin. ItΓÇÖs an ARM template that helps you assign the necessary permissions on the required resources. Once the template is run successfully, click **Re-validate** on the Configure Backup page.

+ :::image type="content" source="./media/backup-azure-database-postgresql/download-role-assignment-template-inline.png" alt-text="Screenshot showing the option to download role assignment template." lightbox="./media/backup-azure-database-postgresql/download-role-assignment-template-expanded.png":::

+ - **Role assignment not done**: This message displays when you (the backup admin) have the write access on the PostgreSQL server and/or key vault to assign missing permissions as listed under **View details**. Use **Assign missing roles** action button in the top action menu to grant permissions on the PostgreSQL server and/or the key vault inline.

+ :::image type="content" source="./media/backup-azure-database-postgresql/role-assignment-not-done-inline.png" alt-text="Screenshot showing the error about the role assignment not done." lightbox="./media/backup-azure-database-postgresql/role-assignment-not-done-expanded.png":::

+1. Select **Assign missing roles** in the top menu and assign roles. Once the process starts, the [missing access permissions](backup-azure-database-postgresql-overview.md#azure-backup-authentication-with-the-postgresql-server) on the KV and/or PG server are granted to the backup vault. You can define the scope at which the access permissions should be granted. When the action is complete, re-validation starts.

+ :::image type="content" source="./media/backup-azure-database-postgresql/assign-missing-roles-inline.png" alt-text="Screenshot showing the option to assign missing roles." lightbox="./media/backup-azure-database-postgresql/assign-missing-roles-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/define-scope-of-access-permission-inline.png" alt-text="Screenshot showing to define the scope of access permission." lightbox="./media/backup-azure-database-postgresql/define-scope-of-access-permission-expanded.png":::

+ - Backup vault accesses secrets the key vault and runs a test connection to the database to validate if the credentials have been entered correctly. The privileges of the database user are also checked to see [if the Database user has backup-related permissions on the database](backup-azure-database-postgresql-overview.md#database-users-backup-privileges-on-the-database).

+ - PostgreSQL admin will have all the backup and restore permissions on the database by default. Therefore, validations would succeed.

+

+ - A low-privileged user may not have backup/restore permissions on the database. Therefore, the validations would fail. A PowerShell script is dynamically generated (one per record/selected database). [Run the PowerShell script to grant these privileges to the database user on the database](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault). Alternatively, you can assign these privileges using PG admin or PSQL tool.

+ :::image type="content" source="./media/backup-azure-database-postgresql/backup-vault-accesses-secrets-inline.png" alt-text="Screenshot showing the backup vault access secrets from the key vault." lightbox="./media/backup-azure-database-postgresql/backup-vault-accesses-secrets-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/run-test-connection.png" alt-text="Screenshot showing the process to start test connection.":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/user-credentials-to-run-test-connection-inline.png" alt-text="Screenshot showing how to provide user credentials to run the test." lightbox="./media/backup-azure-database-postgresql/user-credentials-to-run-test-connection-expanded.png":::

+1. Keep the records with backup readiness as Success to proceed to last step of submitting the operation.

+ :::image type="content" source="./media/backup-azure-database-postgresql/backup-readiness-as-success-inline.png" alt-text="Screenshot showing the backup readiness is successful." lightbox="./media/backup-azure-database-postgresql/backup-readiness-as-success-expanded.png":::

+ :::image type="content" source="./media/backup-azure-database-postgresql/review-backup-configuration-details-inline.png" alt-text="Screenshot showing the backup configuration review page." lightbox="./media/backup-azure-database-postgresql/review-backup-configuration-details-expanded.png":::

+1. Submit the configure backup operation and track the progress under **Backup instances**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/submit-configure-backup-operation-inline.png" alt-text="Screenshot showing the backup configuration submission and tracking progress." lightbox="./media/backup-azure-database-postgresql/submit-configure-backup-operation-expanded.png":::

+## Run an on-demand backup

+To trigger an on-demand backup (that's not in the schedule specified in the policy), follow these steps:

+1. Go to **Backup instances** -> **Backup Now**.

+ :::image type="content" source="./media/backup-azure-database-postgresql/navigate-to-retention-rules-inline.png" alt-text="Screenshot showing the option to navigate to the list of retention rules that were defined in the associated Backup policy." lightbox="./media/backup-azure-database-postgresql/navigate-to-retention-rules-expanded.png":::

+1. Choose retention rules from the list that were defined in the associated Backup policy.

+ :::image type="content" source="./media/backup-azure-database-postgresql/choose-retention-rules-inline.png" alt-text="Screenshot showing the option to choose retention rules that were defined in the associated Backup policy." lightbox="./media/backup-azure-database-postgresql/choose-retention-rules-expanded.png":::

+

+## Track a backup job

+Azure Backup service creates a job for scheduled backups or if you trigger on-demand backup operation for tracking. To view the backup job status:

+1. Go to the **Backup instance** screen.

+ It shows the jobs dashboard with operation and status for the past seven days.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-inline.png" alt-text="Screenshot showing the Jobs dashboard." lightbox="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-expanded.png":::

+1. To view the status of the backup job, select **View all** to see ongoing and past jobs of this backup instance.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-inline.png" alt-text="Screenshot showing to select the View all option." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-expanded.png":::

+1. Review the list of backup and restore jobs and their status. Select a job from the list of jobs to view job details.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-inline.png" alt-text="Screenshot showing to select job to see details." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-expanded.png":::

+## Next steps

+- [Restore Azure Database for PostgreSQL server](restore-azure-database-postgresql.md)

+- [Manage Azure Database for PostgreSQL server](manage-azure-database-postgresql.md)

+> - Create a Backup vault

+> - Create a Backup Policy

+> - Prepare the databases

+> - Configure backup on the database

+> - Run an on-demand backup

+> - Track a backup job

+- Check that Azure Database for PostgreSQL server is named in accordance with naming guidelines for Azure Backup. [Learn more](../postgresql/tutorial-design-database-using-azure-portal.md#create-an-azure-database-for-postgresql)

+1. **Assign Azure key vault** that stores the credentials to connect to the selected database. To assign the key vault at the individual row level, click **Select a key vault and secret**. You can also assign the key vault by multi-selecting the rows and click **Assign key vault** in the top menu of the grid.

+## Track a backup job

+Azure Backup service creates a job for scheduled backups or if you trigger on-demand backup operation for tracking. To view the backup job status:

+1. Go to the **Backup instance** screen.

+ It shows the jobs dashboard with operation and status for the past seven days.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-inline.png" alt-text="Screenshot showing the Jobs dashboard." lightbox="./media/backup-azure-database-postgresql/postgre-jobs-dashboard-expanded.png":::

+1. To view the status of the backup job, select **View all** to see ongoing and past jobs of this backup instance.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-inline.png" alt-text="Screenshot showing to select the View all option." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-view-all-expanded.png":::

+1. Review the list of backup and restore jobs and their status. Select a job from the list of jobs to view job details.

+ :::image type="content" source="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-inline.png" alt-text="Screenshot showing to select job to see details." lightbox="./media/backup-azure-database-postgresql/postgresql-jobs-select-job-expanded.png":::

+> - Create a Backup vault

+> - Create a Backup Policy

+> - Prepare the databases

+> - Configure backup on the database

+> - Run an on-demand backup

+> - Track a backup job

+ Title: 'Quickstart: Deploy Bastion from VM settings'

+# Quickstart: Deploy Azure Bastion from VM settings

+This quickstart article shows you how to deploy Azure Bastion to your virtual network from the Azure portal based on settings from an existing virtual machine. After you deploy Bastion, the RDP/SSH experience is available to all of the virtual machines in the virtual network. Azure Bastion is a PaaS service that is maintained for you. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+In this quickstart, after you deploy Bastion, you connect to your VM via private IP address using the Azure portal. When you connect to the VM, it doesn't need a public IP address, client software, agent, or a special configuration. If your VM has a public IP address that you don't need for anything else, you can remove it.

+* **An Azure account with an active subscription**. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+* **A VM in a VNet**. This quickstart lets you quickly deploy Bastion to a VNet using settings from the virtual machine to which you want to connect. Bastion pulls the required values from the VM and deploys to the VNet based on these values. The virtual machine itself doesn't become a bastion host.

+ * If you don't already have a VM in a VNet, create one using [Quickstart: Create a VM](../virtual-machines/windows/quick-create-portal.md).

+ * You don't need to have a public IP address for this VM in order to connect via Azure Bastion.

+* **Required VM roles:**

+* **Required VM ports inbound ports:**

+ * 3389 for Windows VMs

+ * 22 for Linux VMs

+ > [!NOTE]

+ > The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

+**Bastion values:**

+When you deploy from VM settings, Bastion is automatically configured with default values. You don't need to specify any additional values for this exercise. However, once Bastion deploys, you can later modify [configuration settings](configuration-settings.md). For example, the SKU that is automatically configured is the Basic SKU. To support more Bastion features, you can easily [upgrade the SKU](upgrade-sku.md) after the deployment completes.

+After completing this configuration, you'll have an Azure Bastion deployment with the values listed in the following table:

+|**Name** | **Value** |

+|||

+|AzureBastionSubnet | This subnet is created within the VNet as a /26 |

+|SKU | Basic |

+| Name | Based on the virtual network name |

+| Public IP address name | Based on the virtual network name |

+## <a name="createvmset"></a>Deploy Bastion to a VNet

+There are a few different ways to deploy Bastion to a virtual network. In this quickstart, you deploy Bastion from your virtual machine settings in the Azure portal (you don't sign in and deploy from your VM directly).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the portal, navigate to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.

+1. Select **Bastion** in the left menu. You can view some of the values that will be used when creating the bastion host for your virtual network. Select **Deploy Bastion**.

+ :::image type="content" source="./media/quickstart-host-portal/deploy-bastion.png" alt-text="Screenshot of Deploy Bastion." lightbox="./media/quickstart-host-portal/deploy-bastion.png":::

+1. Bastion begins deploying. This can take around 10 minutes to complete.

+ :::image type="content" source="./media/quickstart-host-portal/creating-bastion.png" alt-text="Screenshot of Bastion resources being created." lightbox="./media/quickstart-host-portal/creating-bastion.png":::

+## <a name="connect"></a>Connect to a VM

+When the Bastion deployment is complete, the screen changes to the **Connect** page.

+1. Type the username and password for your virtual machine. Then, select **Connect**.

+ :::image type="content" source="./media/quickstart-host-portal/connect-vm.png" alt-text="Screenshot shows the Connect using Azure Bastion dialog." lightbox="./media/quickstart-host-portal/connect-vm.png":::

+1. The connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select **Allow** when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.

+ * When you connect, the desktop of the VM may look different than the example screenshot.

+ * Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

+ :::image type="content" source="./media/quickstart-host-portal/connected.png" alt-text="Screenshot of RDP connection." lightbox="./media/quickstart-host-portal/connected.png":::

+ Title: 'Tutorial: Deploy Bastion using manual settings: Azure portal'

+description: Learn how to deploy Bastion using manual settings using the Azure portal.

+# Tutorial: Deploy Bastion using manual settings: Azure portal

+This tutorial shows you how to deploy Azure Bastion to your virtual network from the Azure portal using manual settings that you specify. While you can [deploy Bastion using VM settings](quickstart-host-portal.md), deploying Bastion using manual settings lets you specify granular settings for the bastion host. After you deploy Bastion, the RDP/SSH experience is available to all of the virtual machines in the virtual network. Azure Bastion is a PaaS service that is maintained for you, not a bastion host that you install on one of your VMs. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+In this tutorial, you deploy Bastion using the Standard SKU tier and adjust host scaling (instance count). After the deployment is complete, you connect to your VM via private IP address. The VM you connect to doesn't need a public IP address, client software, agent, or a special configuration. If your VM has a public IP address that you don't need for anything else, you can remove it.

+> * Remove the public IP address from a virtual machine.

+* A [virtual network](../virtual-network/quick-create-portal.md). This will be the VNet to which you deploy Bastion.

+* A Windows virtual machine in the virtual network. This VM isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later via Bastion. If you don't have a VM, create one using [Quickstart: Create a VM](../virtual-machines/windows/quick-create-portal.md).

+ >[!IMPORTANT]

+ >For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.

+ >

+1. Under services, select **Bastions**.

+1. On the Bastions page, select **+ Create** to open the **Create a Bastion** page.

+* **Tier:** The tier is also known as the **SKU**. For this tutorial, we select the **Standard** SKU from the dropdown. Selecting the Standard SKU lets you configure the instance count for host scaling. The Basic SKU doesn't support host scaling. For more information about features that require te Standard SKU, see [Configuration settings - SKU](configuration-settings.md#skus).

+* **Instance count:** This is the setting for **host scaling** and configured in scale unit increments. Use the slider to configure the instance count. If you specified the Basic tier SKU, you canΓÇÖt configure this setting. For more information, see [Configuration settings - host scaling](configuration-settings.md#instance). In this tutorial, you can select the instance count you'd prefer, keeping in mind any scale unit [pricing](https://azure.microsoft.com/pricing/details/azure-bastion) considerations.

+* **Virtual network**: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you're using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network from the dropdown, make sure you've selected the correct Resource Group.

+In most cases, you won't already have an AzureBastionSubnet configured. To configure the bastion subnet:

+The public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a **new public IP address**. The public IP address must be in the same region as the Bastion resource you're creating. This IP address doesn't have anything to do with any of the VMs that you want to connect to. It's the public IP address for the Bastion host resource.

+1. You'll see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.

+## Remove VM public IP address

+The platform enables users to build and publish custom translation systems to and from English. Custom Translator supports more than three dozen languages that map directly to the languages available for NMT. For a complete list, *see* [Translator language support](../language-support.md).

+ [Custom Translator](../overview.md) enables you to a build translation system that reflects your business, industry, and domain-specific terminology and style. Training and deploying a custom system is easy and doesn't require any programming skills. The customized translation system seamlessly integrates into your existing applications, workflows, and websites and is available on Azure through the same cloud-based [Microsoft Text Translator API](../../reference/v3-0-translate.md?tabs=curl) service that powers billions of translations every day.

+The platform enables users to build and publish custom translation systems to and from English. The Custom Translator supports more than three dozen languages that map directly to the languages available for NMT. For a complete list, *see* [Translator language support](../../language-support.md).

+Training a full custom translation model requires a substantial amount of data. If you don't have at least 10,000 sentences of previously trained documents, you won't be able to train a full-language translation model. However, you can either train a dictionary-only model or use the high-quality, out-of-the-box translations available with the Text Translator API.

+| Phrase dictionary | Forces the given translation 100% of the time. | **Be restrictive**. A phrase dictionary is case-sensitive and any word or phrase listed is translated in the way you specify. In many cases, it's better to not use a phrase dictionary and let the system learn. |

+ Tuning and testing data is optional. If you don't provide it, the system will remove an appropriate percentage from your training documents to use for tuning and testing. The removal happens dynamically as part of the training process. Since this step occurs as part of training, your uploaded documents aren't affected. You can see the final used sentence counts for each category of dataΓÇötraining, tuning, testing, and dictionaryΓÇöon the Model details page after training has succeeded.

+* Remove source and target sentences that don't match the source and target languages.

+> [Try our Quickstart](quickstart.md)

+1. Login and copy script [ip_fwd.sh](https://github.com/sajitsasi/az-ip-fwd/blob/main/ip_fwd.sh) to your backend server VMs.

+> [!Note]

+> If you have more than one SQL Server and need to define multiple load balancer rules and IP table records with different ports, make sure you explicitly add the port name after the FQDN when you edit Linked Service. The NAT VM will handle the port translation. If it's not explicitly specified, the connection will always time-out.

+| **Connection to web page from anomalous IP address detected**<br>(AppServices_AnomalousPageAccess) | Azure App Service activity log indicates an anomalous connection to a sensitive web page from the listed source IP address. This might indicate that someone is attempting a brute force attack into your web app administration pages. It might also be the result of a new IP address being used by a legitimate user. If the source IP address is trusted, you can safely suppress this alert for this resource. To learn how to suppress security alerts, see [Suppress alerts from Microsoft Defender for Cloud](alerts-suppression-rules.md). <br>(Applies to: App Service on Windows and App Service on Linux) | Initial Access | Low |

+> If you're connecting machines from other cloud providers, see [Connect your AWS accounts](quickstart-onboard-aws.md) or [Connect your GCP projects](quickstart-onboard-gcp.md).

+- [Connect your GCP projects to Azure Security Center](quickstart-onboard-gcp.md)

+Connecting your AWS or GCP projects integrates their native security tools like AWS Security Hub and GCP Security Command Center into Azure Security Center.

+- [Connect your GCP projects to Azure Security Center](quickstart-onboard-gcp.md)

+Onboarding your AWS and GCP projects into Security Center, integrates AWS Security Hub, GCP Security Command and Azure Security Center.

+Learn more in [Connect your AWS accounts to Azure Security Center](quickstart-onboard-aws.md) and [Connect your GCP projects to Azure Security Center](quickstart-onboard-gcp.md).

+| - [Connect GCP project](./quickstart-onboard-gcp.md) | GA | Not Available | Not Available |

+>[!NOTE]

+>During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your [maintenance alerts turned on and configured](./maintenance-alerts.md).

+>

+>[!NOTE]

+>During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your [maintenance alerts turned on and configured](./maintenance-alerts.md).

+>

+> * During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your maintenance alerts turned on and configured correctly using the guidance below.

+>[!NOTE]

+>During maintenance between the Microsoft edge and core network, BGP availability will appear down even if the BGP session between the customer edge and Microsoft edge remains up. For information about maintenance between the Microsoft edge and core network, make sure to have your [maintenance alerts turned on and configured](./maintenance-alerts.md).

+>

+- [Migrate Azure HDInsight 3.6 Apache Storm to HDInsight 4.0 Apache Spark](storm/migrate-storm-to-spark.md).

+- [Migrate Azure HDInsight 3.6 Apache Storm to HDInsight 4.0 Apache Spark](storm/migrate-storm-to-spark.md).

+## Submit interactive PySpark queries (Not supported Synapse PySpark interactive anymore)

+> [For Synapse PySpark installation error](#known-issues), since its dependency will not be maintained anymore by other team, this will not be maintained anymore as well. If you trying to use Synapse Pyspark interactive, please switch to use [Azure Synapse Analytics](https://ms.web.azuresynapse.net/en-us/) instead. And it's a long term change.

+>

+For run an interactive PySpark job, you can follow the normal steps to submit job to HDInsight ESP cluster with ID Broker (HIB). Refer to Submit interactive PySpark queries.

+### Synapse PySpark installation error.

+ For Synapse PySpark installation error, since its dependency will not be maintained anymore by other team, it will not be maintained anymore. If you trying to use Synapse Pyspark interactive, please use [Azure Synapse Analytics](https://ms.web.azuresynapse.net/) instead. And it's a long term change.

+ 

+Refer to [Hive Cost Based Optimization](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/hive-cost-based-optimization/ba-p/3032895) blog post in [Analytics on Azure Blog](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/bg-p/AnalyticsonAzure) for further reading

+ The resourceURI should be in the format `{idScope}/registrations/{registration_id}`. The policy name (`skn`) should be set to `registration`.

+ * DPS doesn't support persistent sessions. It treats every session as non-persistent, regardless of the value of the **CleanSession** flag. We recommend setting **CleanSession** to true.

+## Chain virtual machine to Gateway Load Balancer

+Alternatively, you can chain a VM's NIC IP configuration to the gateway load balancer.

+You'll add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

+Use [az network lb frontend-ip show](/cli/azure/network/lb/frontend-ip#az_az_network_lb_frontend_ip_show) to place the resource ID of your gateway load balancer frontend into a variable.

+Use [az network lb frontend-ip update](/cli/azure/network/nic/ip-config#az-network-nic-ip-config-update) to chain the gateway load balancer frontend to your existing VM's NIC IP configuration.

+```azurecli-interactive

+ feid=$(az network lb frontend-ip show \

+ --resource-group TutorGwLB-rg \

+ --lb-name myLoadBalancer-gw \

+ --name myFrontend \

+ --query id \

+ --output tsv)

+

+ az network nic ip-config update \

+ --resource-group MyResourceGroup

+ --nic-name MyNIC

+ --name MyIPconfig

+ --gateway-lb $feid

+```

+## Chain virtual machine to Gateway Load Balancer

+Alternatively, you can chain a VM's NIC IP configuration to the gateway load balancer.

+You'll add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

+## Chain load balancer frontend to Gateway Load Balancer

+## Chain virtual machine to Gateway Load Balancer

+Alternatively, you can chain a VM's NIC IP configuration to the gateway load balancer.

+You'll add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

+Use [Set-AzNetworkInterfaceIpConfig](/powershell/module/az.network/set-aznetworkinterfaceipconfig) to chain the gateway load balancer frontend to your existing VM's NIC IP configuration.

+```azurepowershell-interactive

+ ## Place the gateway load balancer configuration into a variable. ##

+$par1 = @{

+ ResourceGroupName = 'TutorGwLB-rg'

+ Name = 'myLoadBalancer-gw'

+}

+$gwlb = Get-AzLoadBalancer @par1

+## Place the existing NIC into a variable. ##

+$par2 = @{

+ ResourceGroupName = 'MyResourceGroup'

+ Name = 'myNic'

+}

+$nic = Get-AzNetworkInterface @par2

+## Chain the gateway load balancer to your existing VM NIC. ##

+$par3 = @{

+ Name = 'myIPconfig'

+ NetworkInterface = $nic

+ GatewayLoadBalancerId = $gwlb.FrontendIpConfigurations.Id

+}

+$config = Set-AzNetworkInterfaceIpConfig @par3

+$config | Set-AzNetworkInterface

+```

+> [Azure CLI](/cli/azure/functionapp/app), [Azure PowerShell](/powershell/module/az.functions), or [ARM template](/azure/templates/microsoft.web/sites/functions).

+> [!Important]

+> Attached compute is not supported, use [compute instances or clusters](concept-compute-target.md#azure-machine-learning-compute-managed) instead.

+| srcErrLiveNoSegments | 0x0400005 | Segments not available yet |

+- [Azure Media Player Quickstart](azure-media-player-quickstart.md)

+ Title: Overview of Azure Red Hat OpenShift egress lockdown

+description: Overview of egress lockdown for Azure Red Hat OpenShift clusters

+keywords: egress lockdown, aro cluster, aro, networking, azure, openshift, red hat

+#Customer intent: I need to understand how egress lockdown provides access to URLs and endpoints that a Red Hat OpenShift cluster needs to function efficiently.

+# Overview of Azure Red Hat OpenShift egress lockdown

+Egress lockdown provides access to the URLs and endpoints an Azure Red Hat OpenShift cluster needs to function effectively.

+Egress lockdown ensures that you have access to URLs, such as management.azure.com, so you can create another worker node backed by Azure VMs. Egress lockdown ensures access even if the outbound (egress) traffic is restricted by a firewall appliance or other means.

+Egress lockdown takes a collection of domains required for an Azure Red Hat OpenShift cluster to function and proxies calls to these domains through the Azure Red Hat OpenShift service. The domains, which are region-specific, can't be configured by customers.

+Egress lockdown doesn't rely on customer internet access for Azure Red Hat OpenShift services to work. In order for clusters to reach any Azure Red Hat OpenShift service, cluster traffic exits through an Azure private endpoint created within the cluster resource group where all of the Azure Red Hat OpenShift resources are available.

+The following image displays the architecture changes that encompass egress lockdown.

+[ ](./media/concepts-networking/190-azure-red-hat-openshift-network-architecture-0921.png#lightbox)

+A well-known subset of domains (that the Azure Red Hat OpenShift clusters need to function) validates the destination of the cluster traffic. Finally, the traffic passes through the Azure Red Hat OpenShift service to connect to these URLs and endpoints.

+## Enable egress lockdown

+In order to function, egress lock down relies on the Server Name Indication (SNI) extension to the Transport Layer Security (TLS). All customer workloads that communicate with the well-known subset of domains must have SNI enabled.

+Egress lockdown is enabled by default for new cluster creation. However, to enable egress lockdown on existing clusters, you must have SNI enabled on the customer workloads. To enable egress lockdown on your existing clusters, submit a support case to either [Microsoft Support](https://support.microsoft.com) or [Red Hat Support](https://www.redhat.com/en/services/support).

+## Verify egress lockdown is enabled on a cluster

+To verify whether egress lockdown is enabled on a cluster, sign in to your Azure cluster and run the following command:

+ ```azurecli

+ $ oc get cluster.aro.openshift.io cluster -o go-template='{{ if .spec.gatewayDomains }}{{ "Egress Lockdown Feature Enabled" }}{{ else }}{{ "Egress Lockdown Feature Disabled" }}{{ end }}{{ "\n" }}

+ ```

+Depending on whether egress lockdown is enabled or disabled, you'll see one of the following messages:

+- `Egress Lockdown Feature Enabled`

+- `Egress Lockdown Feature Disabled`

+## Next steps

+For more information on controlling egress traffic on your Azure Red Hat OpenShift cluster, see [Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster (preview)](howto-restrict-egress.md).

+Before you can install extensions in Azure Database for PostgreSQL - Flexible Server, you will need to allow-list these extensions for use.

+Using the [Azure portal](https://portal.azure.com):

+ 1. Select your Azure Database for PostgreSQL - Flexible Server.

+ 2. On the sidebar, select **Server Parameters**.

+ 3. Search for the `azure.extensions` parameter.

+ 4. Select extensions you wish to allow-list.

+ :::image type="content" source="./media/concepts-extensions/allow-list.png" alt-text=" Screenshot showing Azure Database for PostgreSQL - allow-listing extensions for installation ":::

+

+After extensions are allow-listed, these must be installed in your database before you can use them. To install a particular extension, you should run the [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command. This command loads the packaged objects into your database.

+ Title: Activate SIMs

+description: This how-to guide shows how to activate SIMs used by user equipment so they can use your private mobile network.

+# Activate SIMs for Azure Private 5G Core Preview

+SIM resources represent physical or eSIMs used by user equipment (UE). Activating a SIM resource allows the UE to use the corresponding physical or eSIM to access your private mobile network. In this how-to guide, you'll learn how to activate the SIMs you've provisioned.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md).

+- Ensure you've provisioned and assigned a SIM policy to the SIMs you want to activate, as described in [Provision SIMs - Azure portal](provision-sims-azure-portal.md).

+- Get the name of the private mobile network containing the SIMs you want to activate.

+## Activate your chosen SIMs

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the Mobile Network resource representing the private mobile network for which you want to activate SIMs.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a mobile network resource.":::

+1. In the **Resource** menu, select **SIMs**.

+1. You're shown a list of provisioned SIMs in the private mobile network. Tick the checkbox next to the name of each SIM you want to activate.

+3. In the **Command** bar, select **Activate**.

+4. In the pop-up that appears, select **Activate** to confirm that you want to activate your chosen SIMs.

+5. The activation process can take a few minutes. During this time, the value in the **Activation** status column for each SIM will display as **Activating**. Keep selecting **Refresh** in the command bar until the **Activation** status field for all of the relevant SIMs changes to **Activated**.

+## Next steps

+- [Learn more about policy control](policy-control.md)

+ Title: Collect information for a site

+description: Learn about the information you'll need to create a site in an existing private mobile network using the Azure portal.

+# Collect the required information for a site

+Azure Private 5G Core Preview private mobile networks include one or more sites. Each site represents a physical enterprise location (for example, Contoso Corporation's Chicago factory) containing an Azure Stack Edge device that hosts a packet core instance. This how-to guide takes you through the process of collecting the information you'll need to create a new site. You'll use this information to complete the steps in [Create a site](create-a-site.md).

+## Prerequisites

+You must have completed all of the steps in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices) for your new site.

+## Collect Mobile Network Site resource values

+Collect all the values in the following table for the Mobile Network Site resource that will represent your site.

+ |Value |Field name in Azure portal |

+ |||

+ |The Azure subscription to use to create the Mobile Network Site resource. You must use the same subscription for all resources in your private mobile network deployment. |**Project details: Subscription**|

+ |The Azure resource group in which to create the Mobile Network Site resource. We recommend that you use the same resource group that already contains your private mobile network. |**Project details: Resource group**|

+ |The name for the site. |**Instance details: Name**|

+ |The region in which youΓÇÖre creating the Mobile Network Site resource. We recommend that you use the East US region. |**Instance details: Region**|

+ |The private mobile network resource representing the network to which youΓÇÖre adding the site. |**Instance details: Mobile network**|

+## Collect custom location information

+Collect the name of the custom location that targets the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device in the site. You commissioned the AKS-HCI cluster as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).

+## Collect access network values

+Collect all the values in the following table to define the packet core instance's connection to the access network over the N2 and N3 interfaces.

+> [!IMPORTANT]

+> Where noted, you must use the same values you used when deploying the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device for this site. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).

+ |Value |Field name in Azure portal |

+ |||

+ | The IP address for the packet core instance N2 signaling interface. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N2 address (signaling)**

+ | The network address of the access subnet in Classless Inter-Domain Routing (CIDR) notation. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N2 subnet** and **N3 subnet**|

+ | The access subnet default gateway. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N2 gateway** and **N3 gateway**|

+## Collect data network values

+Collect all the values in the following table to define the packet core instance's connection to the data network over the N6 interface.

+> [!IMPORTANT]

+> Where noted, you must use the same values you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md).

+ |Value |Field name in Azure portal |

+ |||

+ |The name of the data network. |**Data network**|

+ |The network address of the data subnet in CIDR notation. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6 subnet**|

+ |The data subnet default gateway. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6 gateway**|

+ | The network address of the subnet from which IP addresses must be allocated to User Equipment (UEs), given in CIDR notation. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses). The following example shows the network address format. </br></br>`198.51.100.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**UE IP subnet**|

+ |Whether Network Address and Port Translation (NAPT) should be enabled for this data network. NAPT allows you to translate a large pool of private IP addresses for UEs to a small number of public IP addresses. The translation is performed at the point where traffic enters the core network, maximizing the utility of a limited supply of public IP addresses. |**NAPT**|

+## Next steps

+You can now use the information you've collected to create the site.

+- [Create a site](create-a-site.md)

+ Title: Collect information for your private mobile network

+description: This how-to guide shows how to collect the information you need to deploy a private mobile network through Azure Private 5G Core Preview using the Azure portal.

+# Collect the required information to deploy a private mobile network

+This how-to guide takes you through the process of collecting the information you'll need to deploy a private mobile network through Azure Private 5G Core Preview using the Azure portal. You'll use this information to complete the steps in [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md).

+## Prerequisites

+You must have completed all of the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md).

+## Collect Mobile Network resource values

+Collect all of the following values for the Mobile Network resource that will represent your private mobile network.

+ |Value |Field name in Azure portal |

+ |||

+ |The Azure subscription to use to deploy the Mobile Network resource. You must use the same subscription for all resources in your private mobile network deployment. This is the subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). |**Project details: Subscription**

+ |The Azure resource group to use to deploy the Mobile Network resource. You should use a new resource group for this resource. It's useful to include the purpose of this resource group in its name for future identification (for example, *contoso-pmn-rg*). |**Project details: Resource group**|

+ |The name for the private mobile network. |**Instance details: Mobile network name**|

+ |The region in which you're deploying the private mobile network. We recommend you use the East US region. |**Instance details: Region**|

+ |The mobile country code for the private mobile network. |**Network configuration: Mobile country code (MCC)**|

+ |The mobile network code for the private mobile network. |**Network configuration: Mobile network code (MNC)**|

+## Collect SIM values

+Each SIM resource represents a physical SIM or eSIM that will be served by the private mobile network.

+As part of creating your private mobile network, you can provision one or more SIMs that will use it. If you decide not to provision SIMs at this point, you can do so after deploying your private mobile network using the instructions in [Provision SIMs](provision-sims-azure-portal.md).

+If you want to provision SIMs as part of deploying your private mobile network, you must choose one of the following provisioning methods:

+- Manually entering values for each SIM into fields in the Azure portal. This option is best when provisioning a small number of SIMs.

+- Importing a JSON file containing values for one or more SIM resources. This option is best when provisioning a large number of SIMs. The file format required for this JSON file is given in [Provision SIM resources through the Azure portal using a JSON file](#provision-sim-resources-through-the-azure-portal-using-a-json-file).

+You must then collect each of the values given in the following table for each SIM resource you want to provision.

+ |Value |Field name in Azure portal | JSON file parameter name |

+ ||||

+ |The name for the SIM resource. This must only contain alphanumeric characters, dashes, and underscores. |**SIM name**|`simName`|

+ |The Integrated Circuit Card Identification Number (ICCID). This identifies a specific physical SIM or eSIM, and includes information on the SIM's country and issuer. This is a unique numerical value between 19 and 20 digits in length, beginning with 89. |**ICCID**|`integratedCircuitCardIdentifier`|

+ |The international mobile subscriber identity (IMSI). This is a unique number (usually 15 digits) identifying a device or user in a mobile network. |**IMSI**|`internationalMobileSubscriberIdentity`|

+ |The Authentication Key (Ki). This is a unique 128-bit value assigned to the SIM by an operator, and is used in conjunction with the derived operator code (OPc) to authenticate a user. This must be a 32-character string, containing hexadecimal characters only. |**Ki**|`authenticationKey`|

+ |The derived operator code (OPc). This is derived from the SIM's Ki and the network's operator code (OP), and is used by the packet core to authenticate a user using a standards-based algorithm. This must be a 32-character string, containing hexadecimal characters only. |**Opc**|`operatorKeyCode`|

+ |The type of device that is using this SIM. This is an optional, free-form string. You can use it as required to easily identify device types that are using the enterprise's mobile networks. |**Device type**|`deviceType`|

+### Provision SIM resources through the Azure portal using a JSON file

+The following example shows the file format you'll need if you want to provision your SIM resources using a JSON file. It contains the parameters required to provision two SIMs (SIM1 and SIM2).

+```json

+[

+ {

+ "simName": "SIM1",

+ "integratedCircuitCardIdentifier": "8912345678901234566",

+ "internationalMobileSubscriberIdentity": "001019990010001",

+ "authenticationKey": "00112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88737d",

+ "deviceType": "Cellphone"

+ },

+ {

+ "simName": "SIM2",

+ "integratedCircuitCardIdentifier": "8922345678901234567",

+ "internationalMobileSubscriberIdentity": "001019990010002",

+ "authenticationKey": "11112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88738d",

+ "deviceType": "Sensor"

+ }

+]

+```

+## Next steps

+You can now use the information you've collected to deploy your private mobile network.

+- [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)

+ Title: Collect the required information for a service

+description: In this how-to guide, you'll learn how to collect all the required information to configure a service for Azure Private 5G Core Preview.

+# Collect the required information for a service for Azure Private 5G Core Preview

+A *service* is a set of quality of service (QoS) characteristics you want to offer SIMs. For example, you may want to configure a service that provides higher bandwidth limits for particular traffic. You can also use services to block particular traffic types or traffic from specific sources.

+Each service has a set of rules to identify the service data flows (SDFs) to which the QoS characteristics should be applied. For more information, see [Policy control](policy-control.md).

+In this how-to guide, you'll learn how to collect all the required information to configure a service for Azure Private 5G Core Preview.

+You'll enter each value you collect into its corresponding field (given in the **Azure portal field name** columns in the tables below) as part of the procedure in [Configure a service for Azure Private 5G Core Preview - Azure portal](configure-service-azure-portal.md).

+## Prerequisites

+Read [Policy control](policy-control.md) and make sure you're familiar with Azure Private 5G Core policy control configuration.

+## Collect top-level setting values

+Each service has many top-level settings that determine its name and the QoS characteristics it will offer.

+Collect each of the values in the table below for your service.

+| Value | Azure portal field name |

+|--|--|

+| The name of the service. This name must only contain alphanumeric characters, dashes, or underscores. You also must not use any of the following reserved strings: *default*; *requested*; *service*. | **Service name** |

+| A precedence value that the packet core instance must use to decide between services when identifying the QoS values to offer. This value must be an integer between 0 and 255 and must be unique among all services configured on the packet core instance. A lower value means a higher priority. | **Service precedence** |

+| The maximum bit rate (MBR) for uplink traffic (traveling away from user equipment (UEs)) across all SDFs that match data flow policy rules configured on this service. The MBR must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Mbps`. | **Maximum bit rate (MBR) - Uplink** |

+| The maximum bit rate (MBR) for downlink traffic (traveling towards UEs) across all SDFs that match data flow policy rules configured on this service. The MBR must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Mbps`. | **Maximum bit rate (MBR) - Downlink** |

+| The default QoS Flow Allocation and Retention Policy (ARP) priority level for this service. Flows with a higher ARP priority level preempt flows with a lower ARP priority level. The ARP priority level must be an integer between 1 (highest priority) and 15 (lowest priority). See 3GPP TS 23.501 for a full description of the ARP parameters. | **Allocation and Retention Priority level** |

+| The default 5G QoS Indicator (5QI) value for this service. The 5QI value identifies a set of 5G QoS characteristics that control QoS forwarding treatment for QoS Flows. See 3GPP TS 23.501 for a full description of the 5QI parameter. </br></br>We recommend you choose a 5QI value that corresponds to a non-GBR QoS Flow (as described in 3GPP TS 23.501). Non-GBR QoS Flows are in the following ranges: 5-9; 69-70; 79-80.</br></br>You can also choose a non-standardized 5QI value.</p><p>Azure Private 5G Core doesn't support 5QI values corresponding GBR or delay-critical GBR QoS Flows. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5G QoS Indicator (5QI)** |

+| The default QoS Flow preemption capability for QoS Flows for this service. The preemption capability of a QoS Flow controls whether it can preempt another QoS Flow with a lower priority level. You can choose from the following values: </br></br>- **May not preempt** </br>- **May preempt** </br></br>See 3GPP TS 23.501 for a full description of the ARP parameters. | **Preemption capability** |

+| The default QoS Flow preemption vulnerability for QoS Flows for this service. The preemption vulnerability of a QoS Flow controls whether it can be preempted another QoS Flow with a higher priority level. You can choose from the following values: </br></br>- **Preemptable** </br>- **Not preemptable** </br></br>See 3GPP TS 23.501 for a full description of the ARP parameters. | **Preemption vulnerability** |

+## Data flow policy rule(s)

+Each service must have one or more data flow policy rules. Data flow policy rules identify the service data flows (SDFs) to which the service should be applied. They can also be used to block certain SDFs.

+For each data flow policy rule, take the following steps:

+- Collect the values in [Collect data flow policy rule values](#collect-data-flow-policy-rule-values) to determine whether SDFs matching this data flow policy rule will be allowed or blocked, and how this data flow policy rule should be prioritized against other data flow policy rules.

+- Collect the values in [Collect data flow template values](#collect-data-flow-template-values) for one or more data flow templates to use for this data flow policy rule. Data flow templates provide the packet filters the packet core instance will use to match on SDFs.

+### Collect data flow policy rule values

+Collect the values in the table below for each data flow policy rule you want to use on this service.

+| Value | Azure portal field name |

+|--|--|

+| The name of the data flow policy rule. This name must only contain alphanumeric characters, dashes, or underscores. It must not match any other rule configured on the same service. You also must not use any of the following reserved strings: *default*; *requested*; *service*. | **Rule name** |

+| A precedence value that the packet core instance must use to decide between data flow policy rules. This value must be an integer between 0 and 255 and must be unique among all data flow policy rules configured on the packet core instance. A lower value means a higher priority. | **Policy rule precedence** |

+| A traffic control setting to determine whether flows that match a data flow template on this data flow policy rule are permitted. Choose one of the following values: </br></br>- **Enabled** - Matching flows are permitted. </br>- **Blocked** - Matching flows are blocked. | **Traffic control** |

+### Collect data flow template values

+Collect the following values for each data flow template you want to use for a particular data flow policy rule.

+| Value | Azure portal field name |

+|--|--|

+| The name of the data flow template. This name must only contain alphanumeric characters, dashes, or underscores. It must not match any other template configured on the same rule. You also must not use any of the following reserved strings: *default*; *requested*; *service*. | **Template name** |

+| The protocol(s) allowed for this flow. </br></br>If you want to allow the flow to use any protocol within the Internet Protocol suite, you can set this field to **All**.</br></br>If you want to allow a selection of protocols, you can select them from the list displayed in the field. If a protocol isn't in the list, you can specify it by entering its corresponding IANA Assigned Internet Protocol Number, as described in the [IANA website](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). For example, for IGMP, you must use 2. | **Protocols** |

+| The direction of this flow. Choose one of the following values: </br></br>- **Uplink** - traffic flowing away from UEs. </br>- **Downlink** - traffic flowing towards UEs.</br>- **Bidirectional** - traffic flowing in both directions. | **Direction** |

+| The remote IP address(es) to which UEs will connect for this flow. </br></br>If you want to allow connections on any IP address, you must use the value `any`. </br></br>Otherwise, you must provide each remote IP address or IP address range to which the packet core instance will connect for this flow. Provide these IP addresses in CIDR notation, including the netmask (for example, `192.0.2.0/24`). </br></br>Provide a comma-separated list of IP addresses and IP address ranges. For example: </br></br>`192.0.2.54/32, 198.51.100.0/24` | **Remote IPs** |

+| The remote port(s) to which UEs will connect for this flow. You can specify one or more ports or port ranges. Port ranges must be specified as `<FirstPort>-<LastPort>`. </br></br>This setting is optional. If you don't specify a value, the packet core instance will allow connections for all remote ports. </br></br>Provide a comma-separated list of your chosen ports and port ranges. For example: </br></br>`8080, 8082-8085` | **Ports** |

+## Next steps

+- [Configure a service for Azure Private 5G Core Preview - Azure portal](configure-service-azure-portal.md)

+ Title: Collect the required information for a SIM policy

+description: In this how-to guide, you'll learn how to collect all the required information to configure a SIM policy for Azure Private 5G Core Preview.

+# Collect the required information for a SIM policy for Azure Private 5G Core Preview

+SIM policies allow you to define different sets of policies and interoperability settings. Each SIM policy can be assigned to a different group of SIMs. This allows you to offer different quality of service (QoS) policy settings to different groups of SIMs on the same data network.

+In this how-to guide, we'll collect all the required information to configure a SIM policy.

+You'll enter each value you collect into its corresponding field (given in the **Field name in Azure portal** columns in the tables below) as part of the procedure in [Configure a SIM policy for Azure Private 5G Core Preview - Azure portal](configure-sim-policy-azure-portal.md).

+## Prerequisites

+Read [Policy control](policy-control.md) and make sure you're familiar with Azure Private 5G Core policy control configuration.

+## Collect top-level setting values

+SIM policies have top-level settings that are applied to every SIM to which the SIM policy is assigned. These settings include the UE aggregated maximum bit rate (UE-AMBR) and RAT/Frequency Priority ID (RFSP ID).

+Collect each of the values in the table below for your SIM policy.

+| Value | Azure portal field name |

+|--|--|

+| The name of the private mobile network for which you're configuring this SIM policy. | N/A |

+| The SIM policy name. The name must be unique across all SIM policies configured for the private mobile network. | **Policy name** |

+| The UE-AMBR for traffic traveling away from UEs across all non-GBR QoS Flows. The UE-AMBR must be given in the following form: </br></br>`<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. </br></br>See 3GPP TS 23.501 for a full description of the UE-AMBR parameter. | **Total bandwidth allowed - Uplink** |

+| The UE-AMBR for traffic traveling towards UEs across all non-GBR QoS Flows. The UE-AMBR must be given in the following form: </br></br>`<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. </br></br>See 3GPP TS 23.501 for a full description of the UE-AMBR parameter. | **Total bandwidth allowed - Downlink** |

+| The interval between UE registrations for UEs using SIMs to which this SIM policy is assigned, given in seconds. Choose an integer that is 30 or greater. If you omit the interval when first creating the SIM policy, it will default to 3,240 seconds (54 minutes). | **Registration timer** |

+| The subscriber profile ID for RAT/Frequency Priority ID (RFSP ID) for this SIM policy, as defined in TS 36.413. If you want to set an RFSP ID, you must specify an integer between 1 and 256. | **RFSP index** |

+## Collect information for the network scope

+Within each SIM policy, you'll have a *network scope*. The network scope represents the data network to which SIMs assigned to the SIM policy will have access. It allows you to define the QoS policy settings used for the default QoS Flow for PDU sessions involving these SIMs. These settings include the session aggregated maximum bit rate (Session-AMBR), 5G QoS Indicator (5QI) value, and Allocation and Retention Policy (ARP) priority level. You can also determine the services that will be offered to SIMs.

+Collect each of the values in the table below for the network scope.

+| Value | Azure portal field name |

+|||

+|The Data Network Name (DNN) of the data network. The DNN must match the one you used when creating the private mobile network. | **Data network** |

+|The names of the services permitted on the data network. You must have already configured your chosen services. For more information on services, see [Policy control](policy-control.md). | **Service configuration** |

+|The maximum bitrate for traffic traveling away from UEs across all non-GBR QoS Flows of a given PDU session. The bitrate must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. </br></br>See 3GPP TS 23.501 for a full description of the Session-AMBR parameter. | **Session aggregate maximum bit rate - Uplink** |

+|The maximum bitrate for traffic traveling towards UEs across all non-GBR QoS Flows of a given PDU session. The bitrate must be given in the following form: `<Quantity>` `<Unit>` </br></br>`<Unit>` must be one of the following: </br></br>- *bps* </br>- *Kbps* </br>- *Mbps* </br>- *Gbps* </br>- *Tbps* </br></br>`<Quantity>` is the quantity of your chosen unit. </br></br>For example, `10 Gbps`. </br></br>See 3GPP TS 23.501 for a full description of the Session-AMBR parameter. | **Session aggregate maximum bit rate - Downlink** |

+|The default 5G QoS Indicator (5QI) value for this data network. The 5QI identifies a set of 5G QoS characteristics that control QoS forwarding treatment for QoS Flows. See 3GPP TS 23.501 for a full description of the 5QI parameter. </br></br>Choose a 5QI value that corresponds to a non-GBR QoS Flow (as described in 3GPP TS 23.501). These values are in the following ranges: 5-9; 69-70; 79-80. </br></br>You can also choose a non-standardized 5QI value. </br></br>Azure Private 5G Core Preview doesn't support 5QI values corresponding to GBR or delay-critical GBR QoS Flows. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5G QoS Indicator (5QI)** |

+|The default QoS Flow Allocation and Retention Policy (ARP) priority level for this data network. Flows with a higher ARP priority level preempt flows with a lower ARP priority level. The ARP priority level must be an integer between 1 (highest priority) and 15 (lowest priority). See 3GPP TS 23.501 for a full description of the ARP parameters. | **Allocation and Retention Priority level** |

+|The default QoS Flow preemption capability for QoS Flows on this data network. The preemption capability of a QoS Flow controls whether it can preempt another QoS Flow with a lower priority level. </br></br>You can choose from the following values: </br></br>- **May preempt** </br>- **May not preempt** </br></br>See 3GPP TS 23.501 for a full description of the ARP parameters. | **Preemption capability** |

+|The default QoS Flow preemption vulnerability for QoS Flows on this data network. The preemption vulnerability of a QoS Flow controls whether it can be preempted another QoS Flow with a higher priority level. </br></br>You can choose from the following values: </br></br>- **Preemptable** </br>- **Not preemptable** </br></br>See 3GPP TS 23.501 for a full description of the ARP parameters. | **Preemption vulnerability** |

+|The default PDU session type for SIMs using this data network. Azure Private 5G Core will use this type by default if the SIM doesn't request a specific type. </br></br>You can choose from the following values: </br></br>- **IPv4** </br>- **IPv6** | **Default session type** |

+|An additional PDU session type that Azure Private 5G Core supports for this data network. This type must not match the default type mentioned above. </br></br>You can choose from the following values: </br></br>- **IPv4** </br>- **IPv6** | **Additional allowed session types** |

+## Next steps

+- [Configure a SIM policy for Azure Private 5G Core](configure-sim-policy-azure-portal.md)

+ Title: Prepare to deploy a private mobile network

+description: Learn how to complete the prerequisite tasks for deploying a private mobile network with Azure Private 5G Core Preview.

+# Complete the prerequisite tasks for deploying a private mobile network

+In this how-to guide, you'll carry out each of the tasks you need to complete before you can deploy a private mobile network using Azure Private 5G Core Preview.

+## Get access to Azure Private 5G Core for your Azure subscription

+Contact your support representative and ask them to register your Azure subscription for access to Azure Private 5G Core.

+Once your support representative has confirmed your access, register the Mobile Network resource provider (Microsoft.MobileNetwork) for your subscription, as described in [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types).

+## Allocate subnets and IP addresses

+For each of the following networks, allocate a subnet and then identify the listed IP addresses. If you're deploying multiple sites, you'll need to collect this information for each site.

+### Management network

+- Network address in Classless Inter-Domain Routing (CIDR) notation.

+- Default gateway.

+- One IP address for the Azure Stack Edge Pro device's management port.

+- Three sequential IP addresses for the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster nodes.

+- One IP address for accessing local monitoring tools for the packet core instance.

+### Access network

+- Network address in CIDR notation.

+- Default gateway.

+- One IP address for port 5 on the Azure Stack Edge Pro device.

+- One IP address for the packet core instance's N2 signaling interface.

+- One IP address for the packet core instance's N3 interface.

+### Data network

+- Network address in CIDR notation.

+- Default gateway.

+- One IP address for port 6 on the Azure Stack Edge Pro device.

+- One IP address for the packet core instance's N6 interface.

+### User Equipment (UE) IP address pool

+- IP address pool in CIDR notation. This should contain IP addresses for each UE that will be served by the private mobile network.

+## Order and set up your Azure Stack Edge Pro device(s)

+You must do the following for each site you want to add to your private mobile network. Detailed instructions for how to carry out each step are included in the **Detailed instructions** column where applicable.

+| Step No. | Description | Detailed instructions |

+|--|--|--|

+| 1. | Order and prepare your Azure Stack Edge Pro device. | [Tutorial: Prepare to deploy Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-prep?tabs=azure-portal) |

+| 2. | Rack and cable your Azure Stack Edge Pro device. </br></br>When carrying out this procedure, you must ensure that the device has its ports connected as follows:</br></br>- Port 5 - access network</br>- Port 6 - data network</br></br>Additionally, you must have a port connected to your management network. You can choose any port from 2 to 4. | [Tutorial: Install Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-install) |

+| 3. | Connect to your Azure Stack Edge Pro device using the local web UI. | [Tutorial: Connect to Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-connect) |

+| 4. | Configure the network for your Azure Stack Edge Pro device. When carrying out the *Enable compute network* step of this procedure, ensure you use the port you've connected to your management network. | [Tutorial: Configure network for Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy) |

+| 5. | Configure a name, Domain Name System (DNS) name, and (optionally) time settings. | [Tutorial: Configure the device settings for Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-set-up-device-update-time) |

+| 6. | Configure certificates for your Azure Stack Edge Pro device. | [Tutorial: Configure certificates for your Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-certificates) |

+| 7. | Activate your Azure Stack Edge Pro device. | [Tutorial: Activate Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-activate) |

+| 8. | Run the diagnostics tests for the Azure Stack Edge Pro device in the local web UI, and verify they all pass. </br></br>You may see a warning about a disconnected, unused port. You should fix the issue if the warning relates to any of these ports:</br></br>- Port 5.</br>- Port 6.</br>- The port you chose to connect to the management network in Step 2.</br></br>For all other ports, you can ignore the warning.</br></br>If there are any errors, resolve them before continuing with the remaining steps. This includes any errors related to invalid gateways on unused ports. In this case, either delete the gateway IP address or set it to a valid gateway for the subnet. | [Run diagnostics, collect logs to troubleshoot Azure Stack Edge device issues](/azure/databox-online/azure-stack-edge-gpu-troubleshoot) |

+| 9. | Deploy an Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on your Azure Stack Edge Pro device. At the end of this step, the Kubernetes cluster will be connected to Azure Arc and ready to host a packet core instance. During this step, you'll need to use the information you collected in [Allocate subnets and IP addresses](#allocate-subnets-and-ip-addresses). | Contact your support representative for detailed instructions. |

+## Next steps

+You can now collect the information you'll need to deploy your own private mobile network.

+- [Collect the required information to deploy your own private mobile network](collect-required-information-for-private-mobile-network.md)

+ Title: Configure a service

+description: With this how-to guide, learn how to configure a service for Azure Private 5G Core Preview through the Azure portal.

+# Configure a service for Azure Private 5G Core Preview - Azure portal

+*Services* are representations of a particular set of QoS information that you want to offer to UEs. For example, you may want to configure a service that provides higher bandwidth limits for particular traffic. You can also use services to block particular traffic types or traffic from specific sources.

+For more information, see [Policy control](policy-control.md).

+In this how-to guide, we'll configure a service using the Azure portal.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor or Owner role at the subscription scope.

+- Identify the name of the Mobile Network resource corresponding to your private mobile network.

+- Collect all the configuration values in [Collect the required information for a service](collect-required-information-for-service.md) for your chosen service.

+## Configure basic settings for the service

+In this step, you'll configure basic settings for your new service using the Azure portal.

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the **Mobile Network** resource representing the private mobile network for which you want to configure a service.

+1. In the **Resource** menu, select **Services**.

+ :::image type="content" source="media/configure-service-azure-portal/services-resource-menu-option.png" alt-text="Screenshot of the Azure portal. It shows the Services option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+ :::image type="content" source="media/configure-service-azure-portal/create-command-bar-option.png" alt-text="Screenshot of the Azure portal. It shows the Create option in the command bar.":::

+1. On the **Basics** configuration tab, use the information you collected in [Collect top-level setting values](collect-required-information-for-service.md#collect-top-level-setting-values) to fill out each of the fields.

+ :::image type="content" source="media/configure-service-azure-portal/create-service-basics-tab.png" alt-text="Screenshot of the Azure portal showing the Basics configuration tab for a service.":::

+## Configure data flow policy rules and data flow templates

+Now we'll configure the data flow policy rules you want to use for this service. For each rule:

+1. On the **Basics** configuration tab, select **Add policy rule**.

+ :::image type="content" source="media/configure-service-azure-portal/add-policy-rule-button.png" alt-text="Screenshot of the Azure portal. It shows the Add policy rule button on the Basics configuration tab for a service.":::

+1. In **Add policy rule** on the right, use the information you collected in [Data flow policy rule(s)](collect-required-information-for-service.md#data-flow-policy-rules) to fill out the **Rule name**, **Policy rule precedence**, and **Traffic control** fields.

+ :::image type="content" source="media\configure-service-azure-portal\add-policy-rule.png" alt-text="Screenshot of the Azure portal showing the Add policy rule fields.":::

+1. Do the following for one of the data flow templates you want to apply to this data flow policy rule:

+ 1. Select **Add data flow template**.

+ 1. Use the information you collected in [Collect data flow template values](collect-required-information-for-service.md#collect-data-flow-template-values) for your chosen template to fill out the fields in the pop-up.

+

+ :::image type="content" source="media/configure-service-azure-portal/add-service-data-flow-template.png" alt-text="Screenshot of the Azure portal showing the Add data flow template pop-up.":::

+ 1. Select **Add**.

+1. Repeat the previous step for any other data flow templates you want to apply to this data flow policy rule.

+1. In **Add policy rule** on the right, select **Add**.

+ :::image type="content" source="media/configure-service-azure-portal/finalize-policy-rule.png" alt-text="Screenshot of the Azure portal showing the Add button for a new data flow policy rule.":::

+1. On the **Basics** configuration tab, confirm that your new rule appears under the **Traffic rules** section.

+ :::image type="content" source="media/configure-service-azure-portal/service-with-rules.png" alt-text="Screenshot of the Azure portal. It shows a service with a data flow policy rule configured under the Traffic rules section.":::

+1. Repeat this entire step for any other data flow policy rules you want to configure for this service.

+## Create the service

+We'll now create the service so it can be added to your policy control configuration.

+1. On the **Basics** configuration tab, select **Review + create**.

+1. You'll now see the **Review + Create** tab. Azure will attempt to validate the configuration values you've entered. If the configuration values are invalid, the **Create** button at the bottom of the **Review + Create** tab will be grayed out. You'll need to return to the **Basics** tab and correct any invalid configuration.

+1. When the configuration is valid, the **Create** button will be blue. Select **Create** to create the service.

+ :::image type="content" source="media/configure-service-azure-portal/service-review-and-create-tab.png" alt-text="Screenshot of the Azure portal showing the Create button on the Review and create tab for a service.":::

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service resource and the Go to resource button.":::

+1. Confirm that the data flow policy rules and data flow templates listed at the bottom of the screen are configured as expected.

+## Next steps

+- [Create a SIM policy to which you can assign your new service](configure-sim-policy-azure-portal.md)

+ Title: Configure a SIM policy

+description: With this how-to guide, learn how to configure a SIM policy for Azure Private 5G Core Preview through the Azure portal.

+# Configure a SIM policy for Azure Private 5G Core Preview - Azure portal

+*SIM policies* allow you to define different sets of policies and interoperability settings that can each be assigned to a group of SIMs. You'll need to assign a SIM policy to a SIM before the user equipment (UE) using that SIM can access the private mobile network. In this how-to-guide, you'll learn how to configure a SIM policy.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor role at the subscription scope.

+- Identify the name of the Mobile Network resource corresponding to your private mobile network.

+- Collect all the configuration values in [Collect the required information for a SIM policy](collect-required-information-for-sim-policy.md) for your chosen SIM policy.

+- Decide whether you want to assign this SIM policy to any SIMs as part of configuring it. If you do, you must have provisioned these SIMs following the instructions in [Provision SIMs - Azure portal](provision-sims-azure-portal.md) and ensured they aren't currently active.

+## Configure the SIM policy

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the **Mobile Network** resource representing the private mobile network for which you want to configure a SIM policy.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **SIM policies**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policies-resource-menu-option.png" alt-text="Screenshot of the Azure portal. It shows the SIM policies option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+1. Under **Create a SIM policy**:

+

+ - Set the **Default slice** field to **(Default) slice-1**.

+ - Fill out all the other fields using the information you collected from [Collect top-level setting values](collect-required-information-for-sim-policy.md#collect-top-level-setting-values).

+1. Select **Add a network scope**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-basics-tab.png" alt-text="Screenshot of the Azure portal. It shows the basics tab for a SIM policy. The Add a network scope button is highlighted.":::

+1. Under **Add a network scope** on the right, fill out each of the fields using the information you collected from [Collect information for the network scope](collect-required-information-for-sim-policy.md#collect-information-for-the-network-scope).

+1. Select **Add**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/add-a-network-scope.png" alt-text="Screenshot of the Azure portal. It shows the Add a network scope screen. The Add button is highlighted.":::

+1. Under the **Network scope** heading, confirm that your new network scope has the correct configuration.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/network-scope-configuration.png" alt-text="Screenshot of the Azure portal. It shows the Create a SIM policy screen. The Network scope section is highlighted.":::

+1. If you want to assign this SIM policy to one or more existing provisioned SIMs, select **Next : Assign to SIMs**, and then select your chosen SIMs from the list that appears.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/assign-to-sims-tab.png" alt-text="Screenshot of the Azure portal. It shows the Assign to SIMs tab for a SIM policy.":::

+1. Select **Next : Review + create**.

+1. Confirm that the configuration for the SIM policy is correct. If the configuration isn't valid, you'll see an error message and the configuration tab(s) containing the invalid configuration will be flagged with red dots. Select the flagged tab(s) and use the error messages to correct invalid configuration before returning to the **Review + create** tab.

+ Once your configuration has been validated, you can select the **Review + create** option to create your SIM policy.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-review-and-create-tab.png" alt-text="Screenshot of the Azure portal. It shows the Review and create tab for a SIM policy. The Review and create option is highlighted.":::

+1. The Azure portal will display the following confirmation screen when the SIM policy has been created.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-deployment-confirmation.png" alt-text="Screenshot of the Azure portal. It shows confirmation of the successful deployment of a SIM policy.":::

+1. Select **Go to resource group**. In the resource group that appears, select the **Mobile Network** resource representing your private mobile network.

+1. In the resource menu, select **SIM policies**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policies-resource-menu-option.png" alt-text="Screenshot of the Azure portal. It shows the SIM policies option in the resource menu of a Mobile Network resource.":::

+1. Select your new SIM policy from the list.

+ :::image type="content" source="media/sim-policies-list.png" alt-text="Screenshot of the Azure portal. It shows a list of currently configured SIM policies for a private mobile network." lightbox="media/sim-policies-list.png":::

+1. Check the configuration of your SIM policy to ensure it's correct.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-resource.png" alt-text="Screenshot of the Azure portal showing a SIM policy resource." lightbox="media/configure-sim-policy-azure-portal/sim-policy-resource.png":::

+## Next steps

+- If you assigned this SIM policy to some SIMs, [activate the SIMs so they can access your private mobile network](activate-sims.md).

+ Title: Create a site

+description: This how-to guide shows how to create a site in your private mobile network.

+# Create a site - Azure Private 5G Core Preview

+Azure Private 5G Core private mobile networks include one or more *sites*. Each site represents a physical enterprise location (for example, Contoso Corporation's Chicago factory) containing an Azure Stack Edge device that hosts a packet core instance. In this how-to guide, you'll learn how to create a site in your private mobile network.

+## Prerequisites

+- Complete the steps in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices) for your new site.

+- Collect all of the information in [Collect the required information for a site](collect-required-information-for-a-site.md).

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope.

+## Create the Mobile Network Site resource

+In this step, you'll create the **Mobile Network Site** resource representing the physical enterprise location of your Azure Stack Edge device, which will host the packet core instance.

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the **Mobile Network** resource representing the private mobile network to which you want to add a site.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+1. On the **Get started** tab, select **Create sites**.

+ :::image type="content" source="media/create-sites-button.png" alt-text="Screenshot of the Azure portal showing the Get started tab, with the Create sites button highlighted.":::

+1. Use the information you collected in [Collect site resource values](collect-required-information-for-a-site.md#collect-mobile-network-site-resource-values) to fill out the fields on the **Basics** configuration tab, and then select **Next : Packet core >**.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-basics-tab.png" alt-text="Screenshot of the Azure portal showing the Basics configuration tab for a site resource.":::

+1. You'll now see the **Packet core** configuration tab.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-packet-core-tab.png" alt-text="Screenshot of the Azure portal showing the Packet core configuration tab for a site resource.":::

+1. In the **Packet core** section, set the fields as follows:

+ - Set **Technology type** to *5G*.

+ - Leave the **Version** field blank unless you've been instructed to do otherwise by your support representative.

+ - Set **Custom location** to the custom location you collected in [Collect custom location information](collect-required-information-for-a-site.md#collect-custom-location-information).

+1. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section. Note the following:

+ - Use the same value for both the **N2 subnet** and **N3 subnet** fields.

+ - Use the same value for both the **N2 gateway** and **N3 gateway** fields.

+1. Use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields in the **Attached data networks** section. Note that you can only connect the packet core instance to a single data network.

+1. Select **Review + create**.

+1. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-validation.png" alt-text="Screenshot of the Azure portal showing successful validation of configuration values for a site resource.":::

+ If the validation fails, you'll see an error message and the **Configuration** tab(s) containing the invalid configuration will be flagged with red dots. Select the flagged tab(s) and use the error messages to correct invalid configuration before returning to the **Review + create** tab.

+1. Once your configuration has been validated, you can select **Create** to create the site. The Azure portal will display the following confirmation screen when the site has been created.

+ :::image type="content" source="media/site-deployment-complete.png" alt-text="Screenshot of the Azure portal showing the confirmation of a successful deployment of a site.":::

+1. Select **Go to resource group**, and confirm that it contains the following new resources:

+ - A **Mobile Network Site** resource representing the site as a whole.

+ - A **Packet Core Control Plane** resource representing the control plane function of the packet core instance in the site.

+ - A **Packet Core Data Plane** resource representing the data plane function of the packet core instance in the site.

+ - An **Attached Data Network** resource representing the site's view of the data network.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-and-related-resources.png" alt-text="Screenshot of the Azure portal showing a resource group containing a site and its related resources." lightbox="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-and-related-resources.png":::

+## Next steps

+If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows.

+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)

+ Title: Distributed tracing

+description: Information on the distributed tracing web GUI, which provides detailed traces for signaling flows involving packet core instances.

+# Distributed tracing

+Azure Private 5G Core Preview offers a *distributed tracing web GUI*, which you can use to collect detailed traces for signaling flows involving packet core instances. You can use *traces* to diagnose many common configuration, network, and interoperability problems affecting user service.

+## Searching for specific information

+The distributed tracing web GUI provides two search tabs to allow you to search for diagnostics.

+If you can't see the **Search** heading, select the **Search** button in the top-level menu.

+- **SUPI** - Allows you to search for activity involving a particular subscriber using their Subscription Permanent Identifier (SUPI). This tab also provides an **Errors** panel, which allows you to filter the results by error condition. To search for activity for a particular subscriber, enter all of the initial digits of the subscriber's SUPI into the text box on the **SUPI search** panel.

+- **Errors** - Allows you to search for error condition occurrences across all subscribers. To search for occurrences of error conditions across all subscribers, select the **Errors** tab and then use the drop-down menus on the **Error** panel to select an error category and, optionally, a specific error.

+ :::image type="content" source="media\distributed-tracing\distributed-tracing-search-display.png" alt-text="Screenshot of the Search display in the distributed tracing web G U I, showing the S U P I and Errors tabs.":::

+Both tabs also provide a **Date/time range** panel that allows you to specify a custom time window in which to search for diagnostics data. You can specify this time window in several ways.

+- Select **Most recent** and choose an option to search for records from the most recent *15 minutes*, *30 minutes*, *1 hour*, or *2 hours*.

+- Select **Today**, **Yesterday**, or a specific date, then select an hour-long range on the specified date by selecting the **ribbon**.

+- Select **Custom range**, then specify the dates and times for the start and end of the search period. Custom ranges allow you to specify a search period that spans consecutive days.

+Long search ranges result in slower searches, so it's recommended that you keep the search range to an hour or less if possible.

+> [!TIP]

+> You can select the **cog icon** next to the **Date/time range** heading to customize the date and time format, default search period, and time zone according to your preferences.

+Once youΓÇÖve entered your chosen search parameters, select **Search** to begin your search. The following image shows an example of the results returned for a search on a particular SUPI.

+You can view more information on any result by selecting it.

+## Viewing diagnostics details

+When you select on a specific result, the display shows the following tabs containing different categories of information.

+> [!NOTE]

+> In addition to the tabs described below, the distributed tracing web GUI also includes a **User Experience** tab. This tab is not used by Azure Private 5G Core Preview and will not display any information.

+### Summary view

+The **Summary** view displays a description of the flow or error.

+### Detailed Timeline view

+The **Detailed Timeline** view shows the sequence of operations and events that occurred during the flow or error.

+Each entry in the list shows summary information for a specific event that occurred during the flow or error. Each entry includes the date and time at which the event occurred and the name of the component on which it occurred. When you select a specific entry in this list, the panel at the bottom of the screen provides more detail about the selected event.

+The **Events to be viewed** drop-down list allows you to control the level of events that are included in the list. You can choose from the following levels:

+- **High level events** - the lowest level of detail, with a one-line summary of each event.

+- **High level events and protocol flows** - includes the same information as for **High level events**, but adds details of the contents of network protocol messages involved at each stage.

+- **Detailed events** - includes the network protocol messages and more fine-grained detail of events.

+- **Engineering level events** - provides a detailed listing of internal events, typically for use by Microsoft personnel.

+### Call Flow view

+The **Call Flow** view shows the sequence of messages flowing between components during the course of the flow or error.

+The vertical lines in the diagram show the network components involved in the flow.

+- Black lines indicate packet core Network Functions that have logged sending or receiving messages for this flow.

+- Grey lines indicate other components that don't log messages.

+You can customize the view by showing or hiding individual columns and giving them more descriptive display names. To view these options, select the current column name and then select the **+** (plus) sign that appears to the right of it to open a dropdown menu. Additionally, you can select multiple columns by holding down the Ctrl key as you select each column; the **+** (plus) sign remains next to the latest column that you selected.

+- The **Remove this column** option hides the currently select column from view.

+- The **Remove other columns** option hides all columns that don't include messages flowing to or from the selected column.

+- The **Group columns** option allows you to combine several columns into a single column.

+- The **Ungroup columns** option allows you to revert the **Group columns** option.

+- The **Show messages within group** option shows any messages between group members as arrows that loop back on themselves to their originating column.

+- The **Set annotation** option allows you to enter a new display name for the column.

+You can revert to the default display options using the **Options** menu. You can access this menu by selecting the **white cogwheel on a blue background** at the upper-right corner of the view window. You can take the following actions:

+- Choose **Colors, styles and annotations -> Revert to default** to clear your custom display names.

+- Choose **Visibility -> Show all** to restore columns you've previously hidden from view.

+- Choose **Column grouping -> Ungroup all** to separate columns you've previously grouped.

+A horizontal line in the diagram shows each individual signaling message flowing between two network components. An arrow indicates the direction of flow from the sending to the receiving component.

+- A **double line** indicates that the message was logged by both the sending and receiving components.

+- A **single line** indicates that the message was logged by only one of these components, because the other component doesn't log messages.

+- A line that is **half double and half single**, with an **X** symbol at the midpoint, indicates one of the following:

+ - The message should have been logged by both components but was logged by only one of them. For example, this occurs if a message is logged by the sending component but is then lost in transit and never reaches the receiving component.

+ - The message crossed with another message in the diagram while in transit, and so was received out of order.

+ - The messages were logged in the wrong order. This doesn't indicate a problem with your deployment; it can happen because of network latency in communications.

+- A retransmitted message appears as a separate line for each retransmission.

+- A **looped line** that returns to the same column indicates a message between group members.

+Different colors and line styles (**dashed**, **dotted**, and so on) for horizontal lines are used to distinguish between different call legs.

+The messages appear in the diagram in the order in which they occurred. An axis break on all of the vertical lines in the diagram between two consecutive messages indicates a gap of 10 seconds or more occurred between these two messages.

+If the call flow diagram is too large to fit in the browser window, you can use the vertical and horizontal scrollbars to move around the display.

+## Viewing help information

+To view help information, select the **Options** symbol in the upper-right corner and choose **Help**. The help information appears in a panel at the bottom of the display. To hide this panel, select the **X** symbol at the upper-right corner of the panel.

+## Next steps

+- [Learn more about how you can monitor your deployment using the packet core dashboards](packet-core-dashboards.md)

+ Title: Deploy a private mobile network

+description: This how-to guide shows how to deploy a private mobile network through Azure Private 5G Core Preview using the Azure portal

+# Deploy a private mobile network through Azure Private 5G Core Preview - Azure portal

+Private mobile networks provide high performance, low latency, and secure connectivity for 5G Internet of Things (IoT) devices. In this how-to guide, you'll use the Azure portal to deploy a private mobile network to match your enterprise's requirements.

+You'll create the following resources as part of this how-to guide:

+- The Mobile Network resource representing your private mobile network as a whole.

+- (Optionally) SIM resources representing the physical SIMs or eSIMs that will be served by the private mobile network.

+## Prerequisites

+- Complete all of the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md).

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor or Owner role at the subscription scope.

+- Collect all of the information listed in [Collect the required information to deploy a private mobile network - Azure portal](collect-required-information-for-private-mobile-network.md).

+- If you decided when collecting the information in [Collect the required information to deploy a private mobile network - Azure portal](collect-required-information-for-private-mobile-network.md) that you wanted to provision SIMs using a JSON file as part of deploying your private mobile network, you must have prepared this file and made it available on the machine you'll use to access the Azure portal. For more information on the file format, see [Provision SIM resources through the Azure portal using a JSON file](collect-required-information-for-private-mobile-network.md#provision-sim-resources-through-the-azure-portal-using-a-json-file).

+## Create the Mobile Network and (optionally) SIM resources

+In this step, you'll create the Mobile Network resource representing your private mobile network as a whole. You can also provision one or more SIMs.

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. In the **Search** bar, type *mobile networks* and then select the **Mobile Networks** service from the results that appear.

+ :::image type="content" source="media/mobile-networks-search.png" alt-text="Screenshot of the Azure portal showing a search for the Mobile Networks service." lightbox="media/mobile-networks-search.png":::

+1. On the **Mobile Networks** page, select **Create**.

+ :::image type="content" source="media/create-button-mobile-networks.png" alt-text="Screenshot of the Azure portal showing the Create button on the Mobile Networks page.":::

+1. Use the information you collected in [Collect private mobile network resource values](collect-required-information-for-private-mobile-network.md#collect-mobile-network-resource-values) to fill out the fields on the **Basics** configuration tab. Once you've done this, select **Next : SIMs >**.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-private-mobile-network-basics-tab.png" alt-text="Screenshot of the Azure portal showing the Basics configuration tab.":::

+1. On the **SIMs** configuration tab, select your chosen input method by selecting the appropriate option next to **How would you like to input the SIMs information?**. You can then input the information you collected in [Collect SIM values](collect-required-information-for-private-mobile-network.md#collect-sim-values).

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-private-mobile-network-sims-tab.png" alt-text="Screenshot of the Azure portal showing the SIMs configuration tab.":::

+ - If you select **Upload JSON file**, the **Upload SIM profile configurations** field will appear. Use this field to upload your chosen JSON file.

+ - If you select **Add manually**, a new set of fields will appear under **Enter SIM profile configurations**. Fill out the first row of these fields with the correct settings for the first SIM you want to provision. If you've got more SIMs you want to provision, add the settings for each of these SIMs to a new row.

+ - If you decided that you don't want to provision any SIMs at this point, select **Add SIMs later**.

+1. Once you've selected the input method and provided information for any SIMs you want to provision, select **Review + create**.

+1. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+ :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-private-mobile-network-review-create-tab.png" alt-text="Screenshot of the Azure portal showing validated configuration for a private mobile network.":::

+ If the validation fails, you'll see an error message and the configuration tab(s) containing the invalid configuration will be flagged with red dots. Select the flagged tab(s) and use the error messages to correct invalid configuration before returning to the **Review + create** tab.

+1. Once the configuration has been validated, select **Create** to create the Mobile Network resource and any SIM resources.

+1. The Azure portal will now deploy the resources into your chosen resource group. You'll see the following confirmation screen when your deployment is complete.

+ :::image type="content" source="media/pmn-deployment-complete.png" alt-text="Screenshot of the Azure portal. It shows confirmation of the successful creation of a private mobile network.":::

+ Select **Go to resource group**, and then check that your new resource group contains the correct **Mobile Network** resource, any **SIM** resources, and a default **Service** resource named **Allow-all-traffic**.

+ :::image type="content" source="media/pmn-deployment-resource-group.png" alt-text="Screenshot of the Azure portal showing a resource group containing Mobile Network and Service resources.":::

+## Next steps

+You can either begin designing policy control to determine how your private mobile network will handle traffic, or you can start adding sites to your private mobile network.

+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)

+- [Collect the required information for a site](collect-required-information-for-a-site.md)

+ Title: Key components of a private mobile network

+description: Learn about the key components of a private mobile network deployed through Azure Private 5G Core Preview.

+# Key components of a private mobile network

+This article introduces the key physical components of a private mobile network deployed through Azure Private 5G Core Preview. It also details the resources you'll use to manage the private mobile network through Azure.

+Each private mobile network contains one or more *sites*. A site is a physical enterprise location (for example, Contoso Corporation's Chicago Factory) that will provide coverage for 5G user equipment (UEs). The following diagram shows the main components of a single site.

+- Each site contains an Azure Stack Edge device that hosts a *packet core instance*, which is deployed using Azure Private 5G Core. The packet core instance is a cloud-native implementation of the 3GPP standards-defined 5G Next Generation Core (5G NGC or 5GC).

+ When you add a site to your private mobile network, you'll create a *Kubernetes cluster* on the Azure Stack Edge device. This serves as the platform for the packet core instance.

+- Each packet core instance connects to a radio access network (RAN) to provide coverage for 5G UEs. You'll source your RAN from a third party.

+## Azure Private 5G Core resources

+The following diagram shows the key resources you'll use to manage your private mobile network through Azure.

+- The *mobile network* resource represents the private mobile network as a whole.

+- Each *SIM* resource represents a physical SIM or eSIM. The physical SIMs and eSIMs are used by UEs that will be served by the private mobile network.

+- *SIM policy* resources are a key component of Azure Private 5G Core's customizable policy control, which allows you to provide flexible traffic handling. You can determine exactly how your packet core instance applies quality of service (QoS) characteristics to service data flows (SDFs) to meet your deployment's needs. You can also use policy control to block or limit certain flows.

+ Each SIM policy defines a set of policies and interoperability settings, which can each be assigned to a group of SIMs. You'll need to assign a SIM policy to a SIM before the UE using that SIM can access the private mobile network.

+ A SIM policy will also reference one or more *services*. Each service is a representation of a set of QoS characteristics that you want to offer to UEs on SDFs that match particular properties, such as their destination, or the protocol used. You can also use services to limit or block particular SDFs based on these properties.

+ For detailed information on policy control, see [Policy control](policy-control.md).

+- The *mobile network site* and *packet core* resources allow you to manage the sites in your private mobile network and the packet core instances that run in them.

+- Each *attached data network* resource allows you to manage how its associated packet core instance will connect to the data network.

+## Next steps

+- [Learn more about the prerequisites for deploying a private mobile network](complete-private-mobile-network-prerequisites.md)

+ Title: Packet core dashboards

+description: Information on the packet core dashboards, which can be used to monitor key statistics in an Azure Private 5G Core Preview deployment.

+# Packet core dashboards

+The *packet core dashboards* provide a flexible way to monitor key statistics relating to your deployment in real time. They also allow you to view information on firing alerts, allowing you to quickly react to emerging issues.

+The packet core dashboards are powered by *Grafana*, an open-source, metric analytics and visualization suite. For more information, see the [Grafana documentation](https://grafana.com/docs/grafana/v6.1/).

+## Use the packet core dashboards

+We'll go through the common concepts and operations you'll need to understand before you can use the packet core dashboards. If you need more information on using Grafana, see the [Grafana documentation](https://grafana.com/docs/grafana/v6.1/).

+### Dashboards

+You can access the following packet core dashboards:

+- The **Overview dashboard** displays important *key performance indicators* (KPIs), including the number of connected devices, throughput, and any alerts firing in the system.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-overview-dashboard.png" alt-text="Screenshot of the packet core Overview dashboard." lightbox="media/packet-core-dashboards/packet-core-overview-dashboard.png":::

+ Each panel on the overview dashboard links to another dashboard with detailed statistics about the KPI shown. You can access the link by hovering your cursor over the upper-left corner of the panel. You can then select the link in the pop-up.

+

+ :::image type="content" source="media/packet-core-dashboards/packet-core-dashboard-panel-link.png" alt-text="Screenshot of the packet core dashboard. The link to the device and session statistics dashboard is shown.":::

+- The **Alerts dashboard** provides descriptions and information on the severity and effect of each currently firing alert. The **Alarm Severity** selector in the upper-left hand corner of the Alerts dashboard allows you to filter out alerts of certain severity levels.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-alerts-dashboard.png" alt-text="Screenshot of the packet core Alerts dashboard. Panels related to currently active alerts are shown." lightbox="media/packet-core-dashboards/packet-core-alerts-dashboard.png":::

+- The **Device and Session Statistics dashboard** provides information about the device and session procedures being processed by the packet core instance.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-device-session-stats-dashboard.png" alt-text="Screenshot of the Device and Session Statistics dashboard. It shows panels for device authentication, device registration, device context, and P D U session procedures." lightbox="media/packet-core-dashboards/packet-core-device-session-stats-dashboard.png":::

+- The **Uplink and Downlink Statistics dashboard** provides detailed statistics on the user plane traffic being handled by the packet core instance.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-uplink-downlink-stats-dashboard.png" alt-text="Screenshot of the Uplink and Downlink Statistics dashboard. Panels related to throughput, packet rates, and packet size are shown." lightbox="media/packet-core-dashboards/packet-core-device-session-stats-dashboard.png":::

+- The **Debug** dashboards show detailed breakdowns of the request and response statistics for the packet core instance's interfaces.

+ - The **System Statistics dashboard** contains low-level detail about pod restarts and 5G interface operations.

+

+ :::image type="content" source="media/packet-core-dashboards/packet-core-system-stats-dashboard.png" alt-text="Screenshot of the System Statistics dashboard. Panels related to pod details and individual network function statistics are shown." lightbox="media/packet-core-dashboards/packet-core-system-stats-dashboard.png":::

+ - The **HTTP stats dashboard** for each network function shows statistics for the HTTP requests and responses shown by that network function. You can use the **Serving Endpoint**, **Client Operation**, and **Server Operation** filters to control which operations are shown.

+

+ :::image type="content" source="media/packet-core-dashboards/packet-core-http-stats-dashboard.png" alt-text="Screenshot of the H T T P stats dashboard. Panels related to H T T P statistics for the Session Management Function are shown." lightbox="media/packet-core-dashboards/packet-core-http-stats-dashboard.png":::

+## Panels and rows

+Each dashboard contains **panels** and **rows**.

+Each statistic is displayed in a **panel**. The packet core dashboards use the types of panel described in [Types of panel](#types-of-panel).

+Panels are organized into **rows**. Each dashboard has a minimum of one row. You can show and hide individual rows by selecting the header of the row.

+### Types of panel

+The packet core dashboards use the following types of panel. For all panels, you can select the **i** icon in the upper-left corner to display more information about the statistic(s) covered by the panel.

+- **Graph** panels are used to display multiple statistics and/or recent changes in a statistic. When you move the mouse over a graph panel, hover help shows the value of the statistic at that moment in time.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-graph-panel.png" alt-text="Screenshot of a graph panel in the packet core dashboards. The panel displays information on total throughput statistics.":::

+- **Single stat** panels (called "Singlestat" panels in the Grafana documentation) display a single statistic. The statistic may be presented as a simple count or as a gauge. These panels indicate whether a single statistic has exceeded a threshold by their color.

+ - The value displayed on a gauge single stat panel is shown in green at normal operational levels, amber when approaching a threshold, and red when the threshold has been breached.

+ - The entirety of a count single stat panel will turn red if a threshold is breached.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-single-stat-panels.png" alt-text="Screenshot of two single stat panels in the packet core dashboards. The first panel is a simple count of throughput. The second panel is a gauge displaying C P U utilization.":::

+ - **Table** panels display statistics or alerts in a table.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-table-panel.png" alt-text="Screenshot of a table panel in the packet core dashboards. The table displays information on currently active alerts.":::

+## Switching between dashboards

+You can access the lists of available dashboards and switch between them using the drop-down **dashboard links** on the upper right of each dashboard. Dashboards are grouped by the level of information that they provide.

+You can also switch between dashboards by selecting the **dashboard picker**. It's located in the upper-left of the screen and displays the name of the dashboard that you currently have open.

+You can choose to use the search bar to find a dashboard by name or select from the list of recently viewed dashboards.

+## Adjusting the time range

+The **Time picker** in the top right-hand corner of each packet core dashboard allows you to adjust the time range for which the dashboard will display statistics. You can use the time picker to retrieve diagnostics for historical problems. You can choose a relative time range (such as the last 15 minutes), or an absolute time range (such as statistics for a particular month). You can also use the **Refresh dashboard** icon to configure how regularly the statistics displayed on the dashboard will be updated. For detailed information on using the time range controls, see [Time range controls](https://grafana.com/docs/grafana/v6.1/reference/timerange/) in the Grafana documentation.

+## Next steps

+- [Learn more about the distributed tracing web GUI](distributed-tracing.md)

+ Title: Policy control

+description: Information on Azure Private 5G Core Preview's policy control configuration, which allows for flexible traffic handling in your private mobile network.

+# Policy control

+Azure Private 5G Core Preview provides flexible traffic handling. You can customize how your packet core instance applies quality of service (QoS) characteristics to traffic. You can also block or limit certain flows.

+## 5G quality of service (QoS) and QoS Flows

+The packet core instance is a key component in establishing *protocol data unit (PDU) sessions*, which are used to transport user plane traffic between a UE and the data network. Within each PDU session, there are one or more *service data flows (SDFs)*. Each SDF is a single IP flow or a set of aggregated IP flows of UE traffic that is used for a specific service.

+Each SDF may require a different set of QoS characteristics, including prioritization and bandwidth limits. For example, an SDF carrying traffic used for industrial automation will need to be handled differently to an SDF used for internet browsing.

+To ensure the correct QoS characteristics are applied, each SDF is bound to a *QoS Flow*. Each QoS Flow has a unique *QoS profile*, which identifies the QoS characteristics that should be applied to any SDFs bound to the QoS Flow. Multiple SDFs with the same QoS requirements can be bound to the same QoS Flow.

+A *QoS profile* has two main components.

+- A *5G QoS identifier (5QI)*. The 5QI value corresponds to a set of QoS characteristics that should be used for the QoS Flow. These characteristics include guaranteed and maximum bitrates, priority levels, and limits on latency, jitter, and error rate. The 5QI is given as a scalar number.

+ You can find more information on 5QI and each of the QoS characteristics in 3GPP TS 23.501. You can also find definitions for standardized (or non-dynamic) 5QI values.

+ The required parameters for each 5QI value are pre-configured in the Next Generation Node B (gNB).

+> [!NOTE]

+> Azure Private 5G Core does not support dynamically assigned 5QI, where specific QoS characteristics are signalled to the gNB during QoS Flow creation.

+- An *allocation and retention priority (ARP) value*. The ARP value defines a QoS Flow's importance. It controls whether a particular QoS Flow should be retained or preempted when there's resource constraint in the network, based on its priority compared to other QoS Flows. The QoS profile may also define whether the QoS Flow can preempt or be preempted by another QoS Flow.

+Each unique QoS Flow is assigned a unique *QoS Flow ID (QFI)*, which is used by network elements to map SDFs to QoS Flows.

+## Azure Private 5G Core policy control configuration

+Azure Private 5G Core provides configuration to allow you to determine the QoS Flows the packet core instance will create and bind to SDFs during PDU session establishment. You can configure two primary resource types - *services* and *SIM policies*.

+### Services

+A *service* is a representation of a set of QoS characteristics that you want to apply to SDFs that match particular properties, such as their destination, or the protocol used. You can also use services to limit or block particular SDFs based on these properties.

+Each service includes:

+- A set of QoS characteristics that should be applied on SDFs matching the service. The packet core instance will use these characteristics to create a QoS Flow to bind to matching SDFs. You can specify the following QoS settings on a service:

+ - The maximum bit rate (MBR) for uplink traffic (away from the UE) across all matching SDFs.

+ - The MBR for downlink traffic (towards the UE) across all matching SDFs.

+ - An ARP priority value.

+ - A 5QI value.

+ - A preemption capability setting. This setting determines whether the QoS Flow created for this service can preempt another QoS Flow with a lower ARP priority level.

+ - A preemption vulnerability setting. This setting determines whether the QoS Flow created for this service can be preempted by another QoS Flow with a higher ARP priority level.

+- One or more *data flow policy rules*, which identify the SDFs to which the service should be applied. You can configure each rule with the following to determine when it's applied and the effect it will have:

+ - One or more *data flow templates*, which provide the packet filters that identify the SDFs on which to match. You can match on an SDF's direction, protocol, target IP address, and target port. The target IP address and port refer to the component on the data network's end of the connection.

+ - A traffic control setting, which determines whether the packet core instance should allow or block traffic matching the SDF(s).

+ - A precedence value, which the packet core instance can use to rank data flow policy rules by importance.

+### SIM policies

+*SIM policies* let you define different sets of policies and interoperability settings that can each be assigned to a group of SIMs. You'll need to assign a SIM to a SIM policy before the SIM can use the private mobile network.

+Each SIM policy includes:

+- Top-level settings that are applied to every SIM assigned to the SIM policy. These settings include the UE aggregated maximum bit rate (UE-AMBR) for downloads and uploads, and the RAT/Frequency Priority ID (RFSP ID).

+- A *network scope*, which defines how SIMs assigned to this SIM policy will connect to the data network. You can use the network scope to determine the following settings:

+ - The services (as described in [Services](#services)) offered to SIMs on this data network.

+ - A set of QoS characteristics that will be used to form the default QoS Flow for PDU sessions involving assigned SIMs on this data network.

+You can create multiple SIM policies to offer different QoS policy settings to separate groups of SIMs on the same data network. For example, you may want to create SIM policies with differing sets of services.

+## Creating and assigning QoS Flows during PDU session establishment

+During PDU session establishment, the packet core instance takes the following steps:

+1. Identifies the SIM resource representing the UE involved in the PDU session and its associated SIM policy (as described in [SIM policies](#sim-policies)).

+1. Creates a default QoS Flow for the PDU session using the configured values on the SIM policy.

+1. Identifies whether the SIM policy has any associated services (as described in [Services](#services)). If it does, the packet core instance creates extra QoS Flows using the QoS characteristics defined on these services.

+1. Signals the QoS Flows and any non-default characteristics to the gNodeB.

+1. Sends a set of QoS rules (including SDF definitions taken from associated services) to the UE. The UE uses these rules to take the following steps:

+ - Checks uplink packets against the SDFs.

+ - Applies any necessary traffic control.

+ - Identifies the QoS Flow to which each SDF should be bound.

+ - Marks packets with the appropriate QFI. The QFI ensures packets receive the correct QoS handling between the UE and the packet core instance without further inspection.

+1. Inspects downlink packets to check their properties against the data flow templates of the associated services, and then takes the following steps based on this matching:

+ - Applies any necessary traffic control.

+ - Identifies the QoS Flow to which each SDF should be bound.

+ - Applies any necessary QoS treatment.

+ - Marks packets with the QFI corresponding to the correct QoS Flow. The QFI ensures the packets receive the correct QoS handling between the packet core instance and data network without further inspection.

+## Designing your policy control configuration

+Azure Private 5G Core policy control configuration is flexible, allowing you to configure new services and SIM policies whenever you need, based on the changing requirements of your private mobile network.

+[Tutorial: Create an example set of policy control configuration](tutorial-create-example-set-of-policy-control-configuration.md) provides a step-by-step guide through configuring some example services for common use cases, and applying these services to new SIM policies. Run through this tutorial to familiarize yourself with the process of building policy control configuration.

+When you first come to design the policy control configuration for your own private mobile network, we recommend taking the following approach:

+1. Provision your SIMs as described in [Provision SIMs - Azure portal](provision-sims-azure-portal.md). You don't need to assign a SIM policy to these SIMs at this point.

+1. Identify the SDFs your private mobile network will need to handle.

+1. Learn about each of the available options for a service in [Collect the required information for a service](collect-required-information-for-service.md). Compare these options with the requirements of the SDFs to decide on the services you'll need.

+1. Collect the appropriate policy configuration values you'll need for each service, using the information in [Collect the required information for a service](collect-required-information-for-service.md).

+1. Configure each of your services as described in [Configure a service - Azure portal](configure-service-azure-portal.md).

+1. Group your SIMs according to the services they'll require. For each group, configure a SIM policy and assign it to the correct SIMs by carrying out the following procedures:

+ 1. [Collect the required information for a SIM policy](collect-required-information-for-sim-policy.md)

+ 1. [Configure a SIM policy - Azure portal](configure-sim-policy-azure-portal.md)

+1. Optionally, activate the SIMs to allow them to use the private mobile network.

+## Next steps

+- [Learn how to create an example set of policy control configuration](tutorial-create-example-set-of-policy-control-configuration.md)

+- [Familiarize yourself with each of the configurable settings for a service](collect-required-information-for-service.md)

+- [Familiarize yourself with each of the configurable settings for a SIM policy](collect-required-information-for-sim-policy.md)

+ Title: What is Azure Private 5G Core Preview?

+description: Azure Private 5G Core Preview is an Azure cloud service for deploying 5G core network functions to form on-premises private mobile networks for 5G Internet of Things (IoT) devices.

+# What is Azure Private 5G Core Preview?

+*Azure Private 5G Core Preview* is an Azure cloud service for deploying and managing 5G core network functions on an Azure Stack Edge device, as part of an on-premises private mobile network for enterprises. The 5G core network functions connect with standard 4G and 5G standalone radio access networks (RANs) to provide high performance, low latency, and secure connectivity for 5G Internet of Things (IoT) devices. Azure Private 5G Core gives enterprises full control and visibility of their private mobile networks.

+Azure Private 5G Core provides:

+- **Complete 5G core network functions**

+ Azure Private 5G Core instantiates a single enterprise private mobile network distributed across one or more sites around the world. Each site contains a *packet core instance*, which is a complete set of 5G network functions. These network functions include the subscriber database, policy control, control plane, and user plane. These are all deployed on a multi-access edge compute platform.

+ You can also configure packet core instances to operate in 4G mode to support Private Long-Term Evolution (LTE) use cases.

+- **Azure service management**

+

+ Azure Private 5G Core provides a centralized software lifecycle and service management for the private mobile network across multiple sites. You can use the Azure portal and Azure Resource Manager (ARM) APIs to carry out all management and monitoring tasks.

+- **Azure visibility**

+ Azure Private 5G Core integrates with Azure Monitor and Log Analytics to collect data from across the sites and provide real-time monitoring of the entire private mobile network. You can extend this capability to capture radio analytics to provide a complete network view from Azure.

+You'll also need the following to deploy a private mobile network using Azure Private 5G Core. These aren't included as part of the service.

+- **Azure Stack Edge and Azure Arc-enabled Kubernetes**

+ Packet core instances run on a Kubernetes cluster, which is connected to Azure Arc and deployed on an Azure Stack Edge Pro with GPU device. These platforms provide security and manageability for the entire core network stack from Azure. Additionally, Azure Arc allows Microsoft to provide support at the edge.

+ For more information, see [Azure Arc overview](../azure-arc/overview.md) and [Azure Kubernetes Service on Azure Stack HCI](/azure-stack/aks-hci/).

+- **RANs and SIMs**

+ The Azure private multi-access edge compute (MEC) solution offers an ecosystem of technology solution partners, including the following:

+ - Radio vendors who can connect Azure Private 5G Core to a gNodeB (for 5G deployments) or eNodeB (for 4G deployments), allowing you to choose from a broad range of shared or licensed spectrum options available in different countries.

+ - SIM vendors offering physical SIM and eSIM services. These vendors can integrate directly with Azure Private 5G Core through the SIM manager to securely provision physical SIMs and eSIMs.

+ For more information, see [What is Azure private multi-access edge compute?](../private-multi-access-edge-compute-mec/overview.md).

+The following diagram shows the key components of Azure Private 5G Core.

+ Diagram showing the components of Azure Private 5G Core. They're split between cloud components and components provided on premises. The cloud components include Azure portal, ARM APIs, Azure Monitor, SIM Manager, Service Manager, and RAN Monitor. The on-premises components include Subscriber Database and Policy Control, 4G Interworking Function, 5G Core Control Plane, 5G User Plane, Arc-enabled Kubernetes, and Azure Stack Edge.

+## Key benefits and use cases

+Deploying a private mobile network using Azure Private 5G Core at the enterprise edge ensures complete ownership of all data by the enterprise. It also positions the packet core instance as close as possible to the devices it serves, removing any reliance on cloud connectivity. This allows it to deliver low latency levels through local data processing when combined with application logic in the same location. This provides many valuable benefits:

+- **Machine to machine automation** - Ultra reliable low latency connectivity (URLLC) for command and control messages from automated systems (like robots or automated guide vehicles). These messages can be processed in real time to prevent stalling, enabling high productivity.

+- **Massive IoT telemetry** - Secure cloud connectivity for data collection from a large density and volume of IoT sensors and devices. Data for health assessment and automated systems can be processed in real time to prevent accidents and ensure on-site safety.

+- **Real-time analytics** - Local processing of real-time operational and diagnostics data. For example, live video feeds can be processed at the edge at minimal expense using AI, ensuring vital actions aren't delayed.

+Azure Private 5G Core is able to leverage this low latency with the security and high bandwidth offered by private 5G networks. This puts it in the optimal position to support Industry 4.0 use cases, such as the following:

+- **Manufacturing** - Production-line analytics and warehouse automation with robots.

+- **Public safety** - Mobility and connectivity for emergency workers and disaster recovery operatives.

+- **Energy and utilities** - Backhaul networks for smart meters and network slicing/control.

+- **Defense** - Connected command posts and battlefield with real-time analytics.

+- **Smart farms** - Connected equipment for farm operation.

+## Packet core architecture

+Azure Private 5G Core instantiates a single private mobile network distributed across one or more enterprise sites across the world. Each site contains a packet core instance, which is a cloud-native implementation of the 3GPP standards-defined 5G Next Generation Core (5G NGC or 5GC). A packet core instance authenticates end devices and aggregates their data traffic over 5G Standalone wireless and access technologies. Each packet core instance includes the following components:

+- A high performance and highly programmable 5G User Plane Function (UPF).

+- Core control plane functions including policy and subscriber management.

+- A portfolio of service-based architecture elements.

+- Management components for network monitoring.

+You can also deploy packet core instances in 4G mode to support Private Long-Term Evolution (LTE) use cases. For example, you can use the 4G Citizens Broadband Radio Service (CBRS) spectrum. 4G mode uses the same cloud-native components as 5G mode (such as the UPF). This is in contrast to other solutions that need to revert to a legacy 4G stack.

+The following diagram shows the network functions supported by a packet core instance. It also shows the interfaces these network functions use to interoperate with third-party components. Note that when running in 4G mode, the Unified Data Repository (UDR) performs the role that would usually be performed by a Home Subscriber Store (HSS).

+ Diagram displaying the packet core architecture. The packet core includes the following 5G network functions: the A M F, the S M F, the U P F, the U D R, the N R F, the P C F, the U D M, and the A U S F. The A M F communicates with 5G user equipment over the N1 interface. A G Node B provided by a Microsoft partner communicates with the A M F over the N2 interface and the U P F over the N3 interface. The U P F communicates with the data network over the N6 interface. When operating in 4G mode, the packet core includes S 11 I W F and M M E network functions. The S 11 I W F communicates with the M M E over the S 11 interface. An E Node B provided by a Microsoft partner communicates with the M M E over the S 1 C interface.

+Each packet core instance is connected to the local RAN network to provide coverage for cellular wireless devices. You can choose to limit these devices to local connectivity. Alternatively, you can provide multiple routes to the cloud, internet, or other enterprise data centers running IoT and automation applications.

+## Support for 5GC features

+### Supported 5G network functions

+- Access and Mobility Management Function (AMF)

+- Session Management Function (SMF)

+- User Plane Function (UPF)

+- Policy Control Function (PCF)

+- Authentication Server Function (AUSF)

+- Unified Data Management (UDM)

+- Unified Data Repository (UDR)

+- Network Repository Function (NRF)

+### Supported 5G procedures

+For information on Azure Private 5G Core's support for standards-based 5G procedures, see [Statement of compliance - Azure Private 5G Core](statement-of-compliance.md).

+### User equipment (UE) authentication and security context management

+Azure Private 5G Core supports the following authentication methods:

+- Authentication using Subscription Permanent Identifiers (SUPI) and 5G Globally Unique Temporary Identities (5G-GUTI).

+- 5G Authentication and Key Agreement (5G-AKA) for mutual authentication between UEs and the network.

+The packet core instance performs ciphering and integrity protection of 5G non-access stratum (NAS). During UE registration, the UE includes its security capabilities for 5G NAS with 128-bit keys.

+Azure Private 5G Core supports the following algorithms for ciphering and integrity protection:

+- 5GS null encryption algorithm

+- 128-bit Snow3G

+- 128-bit Advanced Encryption System (AES) encryption

+### Index to RAT/Frequency Selection Priority (RFSP)

+The packet core instance can provide a RAN with an RFSP Index. The RAN can match the RFSP Index to its local configuration to apply specific radio resource management (RRM) policies, such as cell reselection or frequency layer redirection.

+## Flexible integration with Azure private multi-access edge compute (MEC) partners

+Each packet core instance is standards-compliant and compatible with several radio access network (RAN) partners in the Azure private MEC ecosystem.

+Azure Private 5G Core exposes an N2 and N3 interface for the 5G control plane and user plane respectively. It complies with the following 3GPP Technical Specifications, allowing you to integrate with a wide range of RAN models:

+- [TS 38.413](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3223) for the N2 interface.

+- [TS 29.281](https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1699) for the N3 interface.

+For 4G, it exposes S1-MME and S1-U interfaces to interoperate with 4G RAN models.

+It also employs a simple, scalable provisioning model to allow you to bring the SIM partner of your choice to Azure.

+## Azure centralized service management

+Azure Private 5G Core is available as a native Azure service, offering the same levels of reliability, security, and availability for deployment and management that are key tenets of all Azure services. This allows you to use Azure as a central access point to manage individual instances of private mobile networks across multiple enterprise sites. You can use the Azure portal (accessible from a choice of any Azure region in the world) or Azure Resource Manager (ARM) APIs to do any of the following tasks:

+- Deploy and configure a packet core instance on your Azure Stack Edge device in minutes.

+- Create a virtual representation of your physical mobile network through Azure using mobile network and site resources.

+- Provision SIM resources to authenticate devices in the network, while also supporting redundancy.

+- Employ Log Analytics and other observability services to view the health of your network and take corrective action through Azure.

+- Use Azure role-based access control (RBAC) to allow granular access to the private mobile network to different personnel or teams within your organization, or even a managed service provider.

+- Use an Azure Stack Edge device's compute capabilities to run applications that can benefit from low-latency networks.

+- Seamlessly connect your existing Azure deployments to your new private mobile network using Azure hybrid compute, networking, and IoT services.

+- Access the large ecosystem of Microsoft independent software vendor (ISV) partners for applications and network functions.

+- Utilize Azure Lighthouse and the Azure Expert Managed Services Provider (MSP) program to simplify the end-to-end deployment of a private mobile network through Azure.

+## Azure centralized monitoring

+Azure Private 5G Core is integrated with Log Analytics in Azure Monitor, as described in [Overview of Log Analytics in Azure Monitor](../azure-monitor/logs/log-analytics-overview.md). You can write queries to retrieve records or visualize data in charts. This lets you monitor and analyze activity in your private mobile network directly from the Azure portal.

+## Next steps

+- [Learn more about the key components of a private mobile network](key-components-of-a-private-mobile-network.md)

+- [Learn more about the prerequisites for deploying a private mobile network](complete-private-mobile-network-prerequisites.md)

+ Title: Provision SIMs using Azure portal

+description: In this how-to guide, learn how to provision new SIMs for an existing private mobile network using the Azure portal.

+# Provision SIMs for Azure Private 5G Core Preview - Azure portal

+*SIM resources* represent physical SIMs or eSIMs used by user equipment (UEs) served by the private mobile network. In this how-to guide, we'll provision new SIMs for an existing private mobile network.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor role at the subscription scope.

+- Identify the name of the Mobile Network resource corresponding to your private mobile network.

+- For each SIM you want to provision, decide whether you want to assign a SIM policy to it. If you do, you must have already created the relevant SIM policies using the instructions in [Configure a SIM policy - Azure portal](configure-sim-policy-azure-portal.md). SIMs can't access your private mobile network unless they have an assigned SIM policy.

+- Decide on the method you'll use to provision SIMs. You can choose from the following:

+ - Manually entering each provisioning value into fields in the Azure portal. This option is best if you're provisioning a few SIMs.

+ - Importing a JSON file containing values for one or more SIM resources. This option is best if you're provisioning a large number of SIMs. You'll need a good JSON editor if you want to use this option.

+## Collect the required information for your SIMs

+To begin, collect the values in the following table for each SIM you want to provision.

+| Value | Field name in Azure portal | JSON file parameter name |

+|--|--|--|

+| SIM name. The SIM name must only contain alphanumeric characters, dashes, and underscores. | **SIM name** | `simName` |

+| The Integrated Circuit Card Identification Number (ICCID). The ICCID identifies a specific physical SIM or eSIM, and includes information on the SIM's country and issuer. The ICCID is a unique numerical value between 19 and 20 digits in length, beginning with 89. | **ICCID** | `integratedCircuitCardIdentifier` |

+| The international mobile subscriber identity (IMSI). The IMSI is a unique number (usually 15 digits) identifying a device or user in a mobile network. | **IMSI** | `internationalMobileSubscriberIdentity` |

+| The Authentication Key (Ki). The Ki is a unique 128-bit value assigned to the SIM by an operator, and is used with the derived operator code (OPc) to authenticate a user. It must be a 32-character string, containing hexadecimal characters only. | **Ki** | `authenticationKey` |

+| The derived operator code (OPc). The OPc is taken from the SIM's Ki and the network's operator code (OP). The packet core instance uses it to authenticate a user using a standards-based algorithm. The OPc must be a 32-character string, containing hexadecimal characters only. | **Opc** | `operatorKeyCode` |

+| The type of device using this SIM. This value is an optional free-form string. You can use it as required to easily identify device types using the enterprise's private mobile network. | **Device type** | `deviceType` |

+## If applicable, create the JSON file

+Only carry out this step if you decided in [Prerequisites](#prerequisites) to use a JSON file to provision your SIMs. Otherwise, you can skip to [Begin provisioning the SIMs in the Azure portal](#begin-provisioning-the-sims-in-the-azure-portal).

+Prepare the JSON file using the information you collected for your SIMs in [Collect the required information for your SIMs](#collect-the-required-information-for-your-sims). This example file shows the required format. It contains the parameters required to provision two SIMs (`SIM1` and `SIM2`).

+```json

+[

+ {

+ "simName": "SIM1",

+ "integratedCircuitCardIdentifier": "8912345678901234566",

+ "internationalMobileSubscriberIdentity": "001019990010001",

+ "authenticationKey": "00112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88737d",

+ "deviceType": "Cellphone"

+ },

+ {

+ "simName": "SIM2",

+ "simProfileName": "profile2",

+ "integratedCircuitCardIdentifier": "8922345678901234567",

+ "internationalMobileSubscriberIdentity": "001019990010002",

+ "authenticationKey": "11112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88738d",

+ "deviceType": "Sensor"

+ }

+]

+```

+## Begin provisioning the SIMs in the Azure portal

+You'll now begin the SIM provisioning process through the Azure portal.

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the **Mobile Network** resource representing the private mobile network for which you want to provision SIMs.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+1. Select **Add SIMs**.

+ :::image type="content" source="media/provision-sims-azure-portal/add-sims.png" alt-text="Screenshot of the Azure portal showing the Add SIMs button on a Mobile Network resource":::

+1. Select **Create** and then select your chosen provisioning method from the options that appear.

+ :::image type="content" source="media/provision-sims-azure-portal/create-new-sim.png" alt-text="Screenshot of the Azure portal showing the Create button and its options - Upload J S O N from file and Add manually.":::

+ - If you selected **Add manually**, move to [Manually provision a SIM](#manually-provision-a-sim).

+ - If you selected **Upload JSON from file**, move to [Provision SIMs using a JSON file](#provision-sims-using-a-json-file).

+## Manually provision a SIM

+In this step, you'll enter provisioning values for your SIMs directly into the Azure portal.

+1. In **Add SIMs** on the right, use the information you collected in [Collect the required information for your SIMs](#collect-the-required-information-for-your-sims) to fill out the fields for one of the SIMs you want to provision.

+1. Select **Add**.

+1. The Azure portal will now begin deploying the SIM. When the deployment is complete, select **Go to resource**.

+ :::image type="content" source="media/provision-sims-azure-portal/sim-resource-deployment.png" alt-text="Screenshot of the Azure portal showing a completed deployment of a SIM resource and the Go to resource button.":::

+1. You'll now see details of your new SIM resource.

+ :::image type="content" source="media/provision-sims-azure-portal/new-sim-resource.png" alt-text="Screenshot of the Azure portal showing the configuration a new SIM resource." lightbox="media/provision-sims-azure-portal/new-sim-resource.png":::

+1. Repeat this entire step for any other SIMs that you want to provision.

+1. If you decided in [Prerequisites](#prerequisites) that you wanted to assign a SIM policy to any of your provisioned SIMs, move to [Assign a SIM policy](#assign-a-sim-policy). Otherwise, you've finished your provisioning.

+## Provision SIMs using a JSON file

+In this step, you'll provision SIMs using a JSON file.

+1. In **Add SIMs** on the right, select **Browse** and then select the JSON file you created in [If applicable, create the JSON file](#if-applicable-create-the-json-file).

+1. Select **Add**. If the **Add** button is greyed out, check your JSON file to confirm that it's correctly formatted.

+1. The Azure portal will now begin deploying the SIMs. When the deployment is complete, select **Go to resource group**.

+ :::image type="content" source="media/provision-sims-azure-portal/multiple-sim-resource-deployment.png" alt-text="Screenshot of the Azure portal. It shows a completed deployment of SIM resources through a J S O N file and the Go to resource group button.":::

+1. The Azure portal will display the resource group containing your private mobile network. Select the **Mobile Network** resource.

+1. In the resource menu, select **SIMs**.

+1. Check the list of SIMs to ensure your new SIMs are present and provisioned correctly.

+ :::image type="content" source="media/provision-sims-azure-portal/sims-list.png" alt-text="Screenshot of the Azure portal. It shows a list of currently provisioned SIMs for a private mobile network." lightbox="media/provision-sims-azure-portal/sims-list.png":::

+1. If you decided in [Prerequisites](#prerequisites) that you wanted to assign a SIM policy to any of your provisioned SIMs, move to [Assign a SIM policy](#assign-a-sim-policy). Otherwise, you've finished your provisioning.

+## Assign a SIM policy

+In this step, you'll assign a SIM policy to your SIMs. SIMs need an assigned SIM policy before they can use your private mobile network. You can skip this step and come back to it later if you don't want the SIMs to be able to access the private mobile network straight away.

+1. Search for and select the **Mobile Network** resource representing the private mobile network for which you want to provision SIMs.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+1. In the resource menu, select **SIMs**.

+1. You'll see a list of provisioned SIMs in the private mobile network. For each SIM policy you want to assign to one or more SIMs, do the following:

+ 1. Tick the checkbox next to the name of each SIM to which you assign the SIM policy.

+ 1. Select **Assign SIM policy**.

+ 1. In **Assign SIM policy** on the right, select your chosen SIM policy from the **SIM policy** drop-down menu.

+ 1. Select **Assign SIM policy**.

+

+ :::image type="content" source="media/provision-sims-azure-portal/assign-sim-policy.png" alt-text="Screenshot of the Azure portal. It shows a list of provisioned SIMs and fields to assign a SIM policy." lightbox="media/provision-sims-azure-portal/assign-sim-policy.png":::

+1. The Azure portal will now begin deploying the configuration change. When the deployment is complete, select **Go to resource** (if you have assigned a SIM policy to a single SIM) or **Go to resource group** (if you have assigned a SIM policy to multiple SIMs).

+ - If you assigned a SIM policy to a single SIM, you'll be taken to that SIM resource. Check the **SIM policy** field in the **Management** section to confirm that the correct SIM policy has been assigned successfully.

+ - If you assigned a SIM policy to multiple SIMs, you'll be taken to the resource group containing your private mobile network. Select the **Mobile Network** resource, and then select **SIMs** in the resource menu. Check the **SIM policy** column in the SIMs list to confirm the correct SIM policy has been assigned to your chosen SIMs.

+1. Repeat this step for any other SIM policies you want to assign to SIMs.

+## Next steps

+- [Activate your SIMs to allow them to use your private mobile network](activate-sims.md)

+ Title: Security

+description: An overview of security features provided by Azure Private 5G Core.

+# Security for Azure Private 5G Core Preview

+*Azure Private 5G Core* allows service providers and systems integrators to securely deploy and manage private mobile networks for an enterprise. It securely stores network configuration and SIM configuration used by devices connecting to the mobile network. This article lists details about the security capabilities provided by Azure Private 5G Core that help protect the mobile network.

+Azure Private 5G Core consists of two main components that interact with each other:

+- **The Azure Private 5G Core service, hosted in Azure**. The management resource used to create the private mobile network, manage sites, provision SIMs, and deploy packet core instances to sites.

+- **Packet core instances, hosted on Azure Stack Edge devices**. The packet core, which provides connectivity to mobile devices at an edge location.

+## Secure platform

+Azure Private 5G Core requires deployment of packet core instances onto a secure platform, Azure Stack Edge. For more information on Azure Stack Edge security, see [Azure Stack Edge security and data protection](../databox-online/azure-stack-edge-security.md).

+## Encryption at rest

+The Azure Private 5G Core service stores all data securely at rest, including SIM credentials. It provides [encryption of data at rest](../security/fundamentals/encryption-overview.md) using platform-managed encryption keys, managed by Microsoft.

+Azure Private 5G Core packet core instances are deployed on Azure Stack Edge devices, which handle [protection of data](../databox-online/azure-stack-edge-security.md#protect-your-data).

+## Write-only SIM credentials

+Azure Private 5G Core provides write-only access to SIM credentials. SIM credentials are the secrets that allow UEs (user equipment) access to the network.

+As these credentials are highly sensitive, Azure Private 5G Core won't allow users of the service read access to the credentials, except as required by law. Sufficiently privileged users may overwrite the credentials, or revoke them.

+## Next steps

+- [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)

+ Title: Statement of compliance

+description: Information on Azure Private 5G Core Preview's compliance with specifications.

+# Statement of compliance - Azure Private 5G Core Preview

+This article provides information on the standards for which Azure Private 5G Core provides support.

+## 3GPP specifications

+All packet core network functions are compliant with Release 15 of the 3GPP specifications listed. Several of the network functions can play the role of both the service consumer and service producer to adhere to these standards.

+### 5G system (5GS)

+- TS 23.003: Numbering, addressing and identification.

+- TS 23.501: System architecture for the 5G System (5GS).

+- TS 23.502: Procedures for the 5G System (5GS).

+### 4G system

+- TS 23.002: Network architecture.

+- TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access.

+- TS 29.272: Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol.

+- TS 29.274: 3GPP Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunneling Protocol for Control plane (GTPv2-C); Stage 3.

+- TS 36.413: Evolved Universal Terrestrial Radio Access Network (E-UTRAN); S1 Application Protocol (S1AP).

+### Policy and charging control (PCC) framework

+- TS 23.503: Policy and charging control framework for the 5G System (5GS); Stage 2.

+- TS 29.212: Policy and Charging Control (PCC); Reference points.

+- TS 29.513: 5G System; Policy and Charging Control signaling flows and QoS parameter mapping; Stage 3.

+- TS 29.519: 5G System; Usage of the Unified Data Repository Service for Policy Data, Application Data and Structured Data for Exposure; Stage 3.

+### User plane

+- TS 29.281: General Packet Radio System (GPRS) Tunneling Protocol User Plane (GTPv1-U).

+- TS 38.415: NG-RAN; PDU session user plane protocol.

+### Non-access stratum (NAS) protocol / NG Application Protocol (NGAP)

+- TS 24.501: Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3.

+- TS 38.410: NG-RAN; NG general aspects and principles (NGAP).

+- TS 38.413: NG-RAN; NG Application Protocol (NGAP).

+### Service-based interfaces

+- TS 29.500: 5G System; Technical Realization of Service Based Architecture; Stage 3.

+- TS 29.501: 5G System; Principles and Guidelines for Services Definition; Stage 3.

+- TS 29.512: 5G System; Session Management Policy Control Service; Stage 3.

+- TS 29.571: 5G System; Common Data Types for Service Based Interfaces; Stage 3.

+### Service-based interface exposure

+- SMF - TS 29.502: 5G System; Session Management Services; Stage 3.

+- UDM - TS 29.503: 5G System; Unified Data Management Services; Stage 3.

+- UDR

+ - TS 29.504: 5G System; Unified Data Repository Services; Stage 3.

+ - TS 29.505: 5G System; Usage of the Unified Data Repository services for Subscription Data; Stage 3.

+- AUSF - TS 29.509: 5G System; Authentication Server Services; Stage 3.

+- NRF - TS 29.510: 5G System; Network function repository services; Stage 3.

+- AMF - TS 29.518: 5G System; Access and Mobility Management Services; Stage 3.

+### Security

+- TS 33.102: 3G security; Security architecture.

+- TS 33.220: Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA).

+- TS 33.501: Security architecture and procedures for 5G System.

+- TS 35.206: 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification.

+## IETF RFCs

+The implementation of all of the 3GPP specifications given in [3GPP specifications](#3gpp-specifications) is compliant with the following IETF RFCs:

+- IETF RFC 768: User Datagram Protocol.

+- IETF RFC 791: Internet Protocol.

+- IETF RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.

+- IETF RFC 2460: Internet Protocol, Version 6 (IPv6) Specification.

+- IETF RFC 4291: IP Version 6 Addressing Architecture.

+- IETF RFC 4960: Stream Control Transmission Protocol.

+- IETF RFC 2279: UTF-8, a transformation format of ISO 10646.

+- IETF RFC 3986: Uniform Resource Identifier (URI): Generic Syntax.

+- IETF RFC 5789: PATCH Method for HTTP.

+- IETF RFC 6902: JavaScript Object Notation (JSON) Patch.

+- IETF RFC 7396: JSON Merge Patch.

+- IETF RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2).

+- IETF RFC 7807: Problem Details for HTTP APIs.

+- IETF RFC 8259: The JavaScript Object Notation (JSON) Data Interchange Format.

+- IETF RFC 3748: Extensible Authentication Protocol (EAP).

+- IETF RFC 4187: Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA).

+- IETF RFC 5448: Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA').

+- IETF RFC 6749: The OAuth 2.0 Authorization Framework.

+## ITU-T Recommendations

+The implementation of all of the 3GPP specifications given in [3GPP specifications](#3gpp-specifications) is compliant with the following ITU-T Recommendations:

+- ITU-T Recommendation E.164: The international public telecommunication numbering plan.

+- ITU-T Recommendation E.212: The international identification plan for public networks and subscriptions.

+- ITU-T Recommendation E.213: Telephone and ISDN numbering plan for land Mobile Stations in public land mobile networks (PLMN).

+- ITU-T Recommendation X.121: International numbering plan for public data networks.

+## Next steps

+- [Learn more about Azure Private 5G Core](private-5g-core-overview.md)

+- [Learn more about the prerequisites for deploying a private mobile network](complete-private-mobile-network-prerequisites.md)

+ Title: Tutorial - Configure policy control

+description: In this tutorial, you'll create an example policy control configuration set with traffic handling for common scenarios.

+# Tutorial: Create an example policy control configuration set for Azure Private 5G Core

+Azure Private 5G Core Preview provides flexible traffic handling. You can customize how your packet core instance applies quality of service (QoS) characteristics to traffic to meet its needs. You can also block or limit certain flows. This tutorial takes you through the steps of creating services and SIM policies for common use cases, and then provisioning SIMs to use the new policy control configuration.

+In this tutorial, you'll learn how to:

+> [!div class="checklist"]

+> * Create a new service that filters packets based on their protocol.

+> * Create a new service that blocks traffic labeled with specific remote IP addresses and ports.

+> * Create a new service that limits the bandwidth of traffic on matching flows.

+> * Create two new SIM policies and assign services to them.

+> * Provision two new SIMs and assign them SIM policies.

+## Prerequisites

+* Read the information in [Policy control](policy-control.md) and familiarize yourself with Azure Private 5G Core policy control configuration.

+* Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor role at the subscription scope.

+* Identify the name of the Mobile Network resource corresponding to your private mobile network.

+## Create a service for protocol filtering

+In this step, we'll create a service that filters packets based on their protocol. Specifically, it'll do the following:

+* Block ICMP packets flowing away from UEs.

+* Block UDP packets flowing away from UEs on port 11.

+* Allow all other ICMP and UDP traffic in both directions, but no other IP traffic.

+To create the service:

+1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

+1. Search for and select the Mobile Network resource representing your private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal showing the results for a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **Services**.

+ :::image type="content" source="media/configure-service-azure-portal/services-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the Services option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+ :::image type="content" source="media/configure-service-azure-portal/create-command-bar-option.png" alt-text="Screenshot of the Azure portal showing the Create option in the command bar.":::

+1. We'll now enter values to define the QoS characteristics that will be applied to service data flows (SDFs) that match this service. On the **Basics** tab, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Service name** |`service_restricted_udp_and_icmp` |

+ |**Service precedence** | `100` |

+ |**Maximum bit rate (MBR) - Uplink** | `2 Gbps` |

+ |**Maximum bit rate (MBR) - Downlink** | `2 Gbps` |

+ |**Allocation and Retention Priority level** | `2` |

+ |**5G QoS Indicator (5QI)** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Not preemptable**. |

+1. Under **Data flow policy rules**, select **Add a policy rule**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-protocol-filtering-service-without-rules.png" alt-text="Screenshot of the Azure portal showing the Create a service screen with protocol filtering configuration. The Add a policy rule button is highlighted.":::

+1. We'll now create a data flow policy rule that blocks any packets that match the data flow template we'll configure in the next step. Under **Add a policy rule** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_block_icmp_and_udp_uplink_traffic` |

+ |**Policy rule precedence** | Select **10**. |

+ |**Allow traffic** | Select **Blocked**. |

+1. We'll now create a data flow template that matches on ICMP packets flowing away from UEs, so that they can be blocked by the `rule_block_icmp_uplink_traffic` rule.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`icmp_uplink_traffic` |

+ |**Protocols** | Select **ICMP**. |

+ |**Direction** | Select **Uplink**. |

+ |**Remote IPs** | `any` |

+ |**Ports** | Leave blank. |

+1. Select **Add**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/add-a-data-flow-template.png" alt-text="Screenshot of the Azure portal. The Add a data flow template pop-up is shown and the Add button is highlighted.":::

+1. Let's create another data flow template for the same rule that matches on UDP packets flowing away from UEs on port 11.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`udp_uplink_traffic_port_11` |

+ |**Protocols** | Select **UDP**. |

+ |**Direction** | Select **Uplink**. |

+ |**Remote IPs** | `any` |

+ |**Ports** | `11` |

+1. Select **Add**.

+1. We can now finalize the rule. Under **Add a policy rule**, select **Add**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/protocol-filtering-rule-configuration.png" alt-text="Screenshot of the Azure portal. The Add a policy rule screen is shown with protocol filtering configuration and the Add button is highlighted.":::

+1. Finally, we'll create a data policy flow rule that allows all other ICMP and UDP traffic.

+ Select **Add a policy rule** and then fill out the fields under **Add a policy rule** on the right as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_allow_other_icmp_and_udp_traffic` |

+ |**Policy rule precedence** | Select **15**. |

+ |**Allow traffic** | Select **Enabled**. |

+1. We're now back at the **Create a service** screen. We'll create a data flow template that matches on all ICMP and UDP in both directions.

+ Under **Data flow policy rules**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`icmp_and_udp_traffic` |

+ |**Protocols** | Tick both the **UDP** and **ICMP** checkboxes. |

+ |**Direction** | Select **Bidirectional**. |

+ |**Remote IPs** | `any` |

+ |**Ports** | Leave blank. |

+1. Select **Add**.

+1. We can now finalize the rule. Under **Add a policy rule**, select **Add**.

+1. We now have two configured data flow policy rules on the service, which are displayed under the **Data flow policy rules** heading.

+ Note that the `rule_block_icmp_and_udp_uplink_traffic` rule has a lower value for the **Policy rule** precedence field than the `rule_allow_other_icmp_and_udp_traffic` rule (10 and 15 respectively). Rules with lower values are given higher priority. This ensures that the `rule_block_icmp_and_udp_uplink_traffic` rule to block packets is applied first, before the wider `rule_allow_other_icmp_and_udp_traffic` is applied to all remaining packets.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-protocol-filtering-service.png" alt-text="Screenshot of the Azure portal. It shows the create a service screen with all fields correctly filled out and two data flow policy rules.":::

+1. On the **Basics** configuration tab, select **Review + create**.

+1. Select **Create** to create the service.

+

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/create-example-protocol-filtering-service.png" alt-text="Screenshot of the Azure portal. It shows the Review and create tab with complete configuration for a service for protocol filtering.":::

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service for protocol filtering and the Go to resource button.":::

+1. Confirm that the QoS characteristics, data flow policy rules, and service data flow templates listed at the bottom of the screen are configured as expected.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-protocol-filtering-service-complete.png" alt-text="Screenshot of the Azure portal. It shows a Service resource, with configured QoS characteristics and data flow policy rules highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/example-protocol-filtering-service-complete.png":::

+## Create a service for blocking traffic from specific sources

+In this step, we'll create a service that blocks traffic from specific sources. Specifically, it'll do the following:

+* Block UDP packets labeled with the remote address 10.204.141.200 and port 12 flowing towards UEs.

+* Block UDP packets labeled with any remote address in the range 10.204.141.0/24 and port 15 flowing in both directions

+To create the service:

+1. Search for and select the Mobile Network resource representing your private mobile network.

+1. In the **Resource** menu, select **Services**.

+1. In the **Command** bar, select **Create**.

+1. We'll now enter values to define the QoS characteristics that will be applied to SDFs that match this service. On the **Basics** tab, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Service name** |`service_blocking_udp_from_specific_sources` |

+ |**Service precedence** | `150` |

+ |**Maximum bit rate (MBR) - Uplink** | `2 Gbps` |

+ |**Maximum bit rate (MBR) - Downlink** | `2 Gbps` |

+ |**Allocation and Retention Priority level** | `2` |

+ |**5G QoS Indicator (5QI)** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Not preemptable**. |

+1. Under **Data flow policy rules**, select **Add a policy rule**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-blocking-service-without-rules.png" alt-text="Screenshot of the Azure portal showing the Create a service screen with traffic blocking configuration. The Add a policy rule button is highlighted.":::

+1. We'll now create a data flow policy rule that blocks any packets that match the data flow template we'll configure in the next step. Under **Add a policy rule** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_block_udp_from_specific_sources` |

+ |**Policy rule precedence** | Select **11**. |

+ |**Allow traffic** | Select **Blocked**. |

+1. Next, we'll create a data flow template that matches on UDP packets flowing towards UEs from 10.204.141.200 on port 12, so that they can be blocked by the `rule_block_udp_from_specific_sources` rule.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`udp_downlink_traffic` |

+ |**Protocols** | Select **UDP**. |

+ |**Direction** | Select **Downlink**. |

+ |**Remote IPs** | `10.204.141.200/32` |

+ |**Ports** | `12` |

+1. Select **Add**.

+1. Finally, we'll create another data flow template for the same rule that matches on UDP packets flowing in either direction that are labeled with any remote address in the range 10.204.141.0/24 and port 15.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`udp_bidirectional_traffic` |

+ |**Protocols** | Select **UDP**. |

+ |**Direction** | Select **Bidirectional**. |

+ |**Remote IPs** | `10.204.141.0/24` |

+ |**Ports** | `15` |

+1. Select **Add**.

+1. We can now finalize the rule. Under **Add a policy rule**, select **Add**.

+ :::image type="complex" source="media/tutorial-create-example-set-of-policy-control-configuration/example-udp-blocking-rule.png" alt-text="Screenshot of the Azure portal. It shows the Add a policy rule screen with configuration for a rule to block certain UDP traffic.":::

+ Screenshot of the Azure portal. It shows the Add a policy rule screen with all fields correctly filled out for a rule to block certain UDP traffic. It includes two configured data flow templates. The first matches on UDP packets flowing towards UEs from 10.204.141.200 on port 12. The second matches on UDP packets flowing in either direction that are labeled with any remote address in the range 10.204.141.0/24 and port 15. The Add button is highlighted.

+ :::image-end:::

+1. We now have a single data flow policy rule on the service for blocking UDP traffic. This is displayed under the **Data flow policy rules** heading.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-blocking-service.png" alt-text="Screenshot of the Azure portal. It shows completed fields for a service to block UDP from specific sources, including data flow policy rules.":::

+1. On the **Basics** configuration tab, select **Review + create**.

+1. Select **Create** to create the service.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/create-example-traffic-blocking-service.png" alt-text="Screenshot of the Azure portal. It shows the Review and create tab with complete configuration for a service for traffic blocking.":::

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service for traffic blocking and the Go to resource button.":::

+1. Confirm that the data flow policy rules and service data flow templates listed at the bottom of the screen are configured as expected.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-blocking-service-complete.png" alt-text="Screenshot showing a service resource with configuration for traffic blocking. QoS characteristics and data flow policy rules are highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-blocking-service-complete.png":::

+## Create a service for limiting traffic

+In this step, we'll create a service that limits the bandwidth of traffic on matching flows. Specifically, it'll do the following:

+* Limit the maximum bit rate (MBR) for packets flowing away from UEs to 10 Mbps.

+* Limit the maximum bit rate (MBR) for packets flowing towards UEs to 15 Mbps.

+To create the service:

+1. Search for and select the Mobile Network resource representing your private mobile network.

+1. In the **Resource** menu, select **Services**.

+1. In the **Command** bar, select **Create**.

+1. We'll now enter values to define the QoS characteristics that will be applied to SDFs that match this service. We'll use the **Maximum bit rate (MBR) - Uplink** and **Maximum bit rate (MBR) - Downlink** fields to set our bandwidth limits. On the **Basics** tab, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Service name** |`service_traffic_limits` |

+ |**Service precedence** | `250` |

+ |**Maximum bit rate (MBR) - Uplink** | `10 Mbps` |

+ |**Maximum bit rate (MBR) - Downlink** | `15 Mbps` |

+ |**Allocation and Retention Priority level** | `2` |

+ |**5G QoS Indicator (5QI)** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Preemptable**. |

+1. Under **Data flow policy rules**, select **Add a policy rule**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-limiting-service-without-rules.png" alt-text="Screenshot of the Azure portal showing the Create a service screen with traffic limiting configuration. The Add a policy rule button is highlighted.":::

+1. Under **Add a policy rule** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_bidirectional_limits` |

+ |**Policy rule precedence** | Select **22**. |

+ |**Allow traffic** | Select **Enabled**. |

+1. We'll now create a data flow template that matches on all IP traffic in both directions.

+ Select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`ip_traffic` |

+ |**Protocols** | Select **All**. |

+ |**Direction** | Select **Bidirectional**. |

+ |**Remote IPs** | `any` |

+ |**Ports** | Leave blank |

+1. Select **Add**.

+1. We can now finalize the rule. Under **Add a policy rule**, select **Add**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/traffic-limiting-rule-configuration.png" alt-text="Screenshot of the Azure portal. The Add a policy rule screen is shown with traffic limiting configuration and the Add button is highlighted.":::

+1. We now have a single data flow policy rule configured on the service.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-limiting-service.png" alt-text="Screenshot of the Azure portal. It shows completed fields for a service to limit traffic, including data flow policy rules.":::

+1. On the **Basics** configuration tab, select **Review + create**.

+1. Select **Create** to create the service.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/create-example-traffic-limiting-service.png" alt-text="Screenshot of the Azure portal. It shows the Review and create tab with complete configuration for a service. The Create button is highlighted.":::

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service resource and the Go to resource button.":::

+1. Confirm that the data flow policy rules and service data flow templates listed at the bottom of the screen are configured as expected.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-limiting-service-complete.png" alt-text="Screenshot showing a service designed for traffic limiting. QoS characteristics and data flow policy rules are highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/example-traffic-limiting-service-complete.png":::

+## Configure SIM policies

+In this step, we'll create two SIM policies. The first SIM policy will use the service we created in [Create a service for protocol filtering](#create-a-service-for-protocol-filtering), and the second will use the service we created in [Create a service for blocking traffic from specific sources](#create-a-service-for-blocking-traffic-from-specific-sources). Both SIM policies will use the third service we created in [Create a service for limiting traffic](#create-a-service-for-limiting-traffic).

+> [!NOTE]

+> As each SIM policy will have multiple services, there will be packets that match more than one rule across these services. For example, downlink ICMP packets will match on the following rules:

+> - The `rule_allow_other_icmp_and_udp_traffic` rule on the `service_restricted_udp_and_icmp` service.

+> - The `rule_bidirectional_limits` rule on the `service_traffic_limits` service.

+>

+> In this case, the packet core instance will prioritize the service with the lowest value for the **Service precedence** field. It will then apply the QoS characteristics from this service to the packets. In the example above, the `service_restricted_udp_and_icmp` service has a lower value (100) than the `service_traffic_limits` service (250). The packet core instance will therefore apply the QoS characteristics given on the `service_restricted_udp_and_icmp` service to downlink ICMP packets.

+Let's create the SIM policies.

+1. Search for and select the Mobile Network resource representing your private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal showing the results for a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **SIM policies**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policies-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the SIM policies option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+1. Under **Create a SIM policy**, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Policy name** |`sim-policy-1` |

+ |**Total bandwidth allowed - Uplink** | `10 Gbps` |

+ |**Total bandwidth allowed - Downlink** | `10 Gbps` |

+ |**Default slice** | Select **(Default) slice-1**. |

+ |**Registration timer** | `3240` |

+ |**RFSP index** | `2` |

+1. Select **Add a network scope**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/example-sim-policy-add-network-scope-option.png" alt-text="Screenshot of the Azure portal showing the Create a SIM policy screen. The Add a network scope option is highlighted.":::

+

+1. Under **Add a network scope**, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Slice** | Select **(Default) slice-1** |

+ |**Data network** | Select the data network to which your private mobile network connects. |

+ |**Service configuration** | Select **service_restricted_udp_and_icmp** and **service_traffic_limits**. |

+ |**Session aggregate maximum bit rate - Uplink** | `2 Gbps` |

+ |**Session aggregate maximum bit rate - Downlink** | `2 Gbps` |

+ |**5G QoS Indicator (5QI)** | `9` |

+ |**Allocation and Retention Priority level** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Preemptable**. |

+ |**Default session type** | Select **IPv4**. |

+ |**Additional allowed session types** | Select **IPv6**. |

+1. Select **Add**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/add-a-network-scope.png" alt-text="Screenshot of the Azure portal showing the Add a network scope screen. The Add option is highlighted.":::

+1. On the **Basics** configuration tab, select **Review + create**.

+1. On the **Review + create** tab, select **Review + create**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/create-example-sim-policy.png" alt-text="Screenshot of the Azure portal showing the Review and create tab for a SIM policy. The Review and create option is highlighted.":::

+1. The Azure portal will display the following confirmation screen when the SIM policy has been created.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing confirmation of the successful deployment of a SIM policy.":::

+1. Select **Go to resource group**.

+1. In the **Resource group** that appears, select the **Mobile Network** resource representing your private mobile network.

+1. In the **Resource** menu, select **SIM policies**.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policies-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the SIM policies option in the resource menu of a Mobile Network resource.":::

+1. Select **sim-policy-1**.

+ :::image type="content" source="media/sim-policies-list.png" alt-text="Screenshot of the Azure portal with a list of configured SIM policies for a private mobile network. The sim-policy-1 resource is highlighted." lightbox="media/sim-policies-list.png":::

+1. Check that the configuration for the SIM policy is as expected.

+ - The top level settings for the SIM policy are shown under the **Essentials** heading.

+ - The network scope configuration is shown under the **Network scope** and **Quality of service (QoS)** headings.

+ - The configured services are shown under the **Service configuration** heading.

+

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/complete-example-sim-policy-1.png" alt-text="Screenshot of the Azure portal showing the first SIM policy resource. Essentials, network scope, and service configuration are highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/complete-example-sim-policy-1.png":::

+1. We'll now create the other SIM policy. Search for and select the Mobile Network resource representing the private mobile network for which you want to configure a service.

+1. In the **Resource** menu, select **SIM policies**.

+1. In the **Command** bar, select **Create**.

+1. Under **Create a SIM policy** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Policy name** |`sim-policy-2` |

+ |**Total bandwidth allowed - Uplink** | `10 Gbps` |

+ |**Total bandwidth allowed - Downlink** | `10 Gbps` |

+ |**Default slice** | `slice-1` |

+ |**Registration timer** | `3240` |

+ |**RFSP index** | `2` |

+1. Select **Add a network scope**.

+1. On the **Add a network scope** blade, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Slice** | Select **slice-1 (Default)** |

+ |**Data network** | Select the data network to which your private mobile network connects. |

+ |**Service configuration** | Select **service_blocking_udp_from_specific_sources** and **service_traffic_limits**. |

+ |**Session aggregate maximum bit rate - Uplink** | `2 Gbps` |

+ |**Session aggregate maximum bit rate - Downlink** | `2 Gbps` |

+ |**5G QoS Indicator (5QI)** | `9` |

+ |**Allocation and Retention Priority level** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Preemptable**. |

+ |**Default session type** | Select **IPv4**. |

+ |**Additional allowed session types** | Select **IPv6**. |

+1. Select **Add**.

+1. On the **Basics** configuration tab, select **Review + create**.

+1. On the **Review + create** configuration tab, select **Review + create**.

+1. The Azure portal will display the following confirmation screen when the SIM policy has been created.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policy-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing confirmation of the successful deployment of a SIM policy.":::

+1. Select **Go to resource group**.

+1. In the **Resource group** that appears, select the **Mobile Network** resource representing your private mobile network.

+1. In the **Resource** menu, select **SIM policies**.

+1. Select **sim-policy-2**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sim-policies-list-example-2.png" alt-text="Screenshot of the Azure portal with a list of configured SIM policies for a private mobile network. The sim-policy-2 resource is highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/sim-policies-list-example-2.png":::

+1. Check that the configuration for the SIM policy is as expected.

+ - The top level settings for the SIM policy are shown under the **Essentials** heading.

+ - The network scope configuration is shown under the **Network scope** and **Quality of service (QoS)** headings.

+ - The configured services are shown under the **Service configuration heading**.

+

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/complete-example-sim-policy-2.png" alt-text="Screenshot of the Azure portal showing the second SIM policy resource. Essentials, network scope, and service configuration are highlighted." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/complete-example-sim-policy-2.png":::

+## Provision SIMs

+In this step, we will provision two SIMs and assign a SIM policy to each one. This will allow the SIMs to connect to the private mobile network and receive the correct QoS policy.

+1. Save the following content as a JSON file and make a note of the filepath.

+ ```json

+ [

+ {

+ "simName": "SIM1",

+ "integratedCircuitCardIdentifier": "8912345678901234566",

+ "internationalMobileSubscriberIdentity": "001019990010001",

+ "authenticationKey": "00112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88737d",

+ "deviceType": "Cellphone"

+ },

+ {

+ "simName": "SIM2",

+ "integratedCircuitCardIdentifier": "8922345678901234567",

+ "internationalMobileSubscriberIdentity": "001019990010002",

+ "authenticationKey": "11112233445566778899AABBCCDDEEFF",

+ "operatorKeyCode": "63bfa50ee6523365ff14c1f45f88738d",

+ "deviceType": "Sensor"

+ }

+ ]

+ ```

+1. Search for and select the Mobile Network resource representing your private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal showing the results for a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **Add SIMs**.

+ :::image type="content" source="media/provision-sims-azure-portal/add-sims.png" alt-text="Screenshot of the Azure portal showing the Add SIMs button on a Mobile Network resource":::

+1. Select **Create** and then **Upload JSON from file**.

+ :::image type="content" source="media/provision-sims-azure-portal/create-new-sim.png" alt-text="Screenshot of the Azure portal showing the Create button and its options - Upload J S O N from file and Add manually.":::

+1. Select **Browse** and then select the JSON file you created at the start of this step.

+1. Select **Add**.

+1. The Azure portal will now begin deploying the SIMs. When the deployment is complete, select **Go to resource group**.

+ :::image type="content" source="media/provision-sims-azure-portal/multiple-sim-resource-deployment.png" alt-text="Screenshot of the Azure portal showing a completed deployment of SIM resources through a J S O N file and the Go to resource button.":::

+1. In the **Resource group** that appears, select the **Mobile Network** resource representing your private mobile network.

+1. In the **Resource** menu, select **SIMs**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sims-resource-menu-option.png" alt-text="Screenshot of the Azure portal. The SIMs option in the resource menu for a private mobile network is highlighted.":::

+1. Your new **SIM1** and **SIM2** SIM resources are shown in the list.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sims-list.png" alt-text="Screenshot of the Azure portal. It shows the SIMs currently provisioned for the private mobile network." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/sims-list.png":::

+1. Tick the checkbox next to **SIM1**.

+1. In the **Command** bar, select **Assign SIM policy**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/assign-sim-policy-from-sims-list.png" alt-text="Screenshot of the Azure portal showing a list of SIMs. The SIM1 resource and the Assign SIM policy option are highlighted.":::

+1. Under **Assign SIM policy** on the right, set the **SIM policy** field to **sim-policy-1**.

+1. Select **Assign SIM policy**.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/assign-sim-policy.png" alt-text="Screenshot of the Azure portal showing the Assign SIM policy screen. The Assign SIM policy option is highlighted.":::

+1. Once the deployment is complete, select **Go to Resource**.

+1. Check the **SIM policy** field in the **Management** section to confirm **sim-policy-1** has been successfully assigned.

+ :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sim-with-sim-policy.png" alt-text="Screenshot of the Azure portal showing a SIM resource. The SIM policy field is highlighted in the Management section." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/sim-with-sim-policy.png":::

+1. Search for and select the Mobile Network resource representing your private mobile network.

+1. In the **Resource** menu, select **SIMs**.

+1. Tick the checkbox next to **SIM2**.

+1. In the **Command** bar, select **Assign SIM policy**.

+1. Under **Assign SIM policy** on the right, set the **SIM policy** field to **sim-policy-2**.

+1. Select the **Assign SIM policy** button.

+1. Once the deployment is complete, select **Go to Resource**.

+1. Check the **SIM policy** field in the **Management** section to confirm **sim-policy-2** has been successfully assigned.

+You have now provisioned two SIMs and assigned each of them a different SIM policy. Each of these SIM policies provides access to a different set of services.

+## Clean up resources

+You can now delete each of the resources we've created during this tutorial.

+1. Search for and select the Mobile Network resource representing your private mobile network.

+1. In the **Resource** menu, select **SIMs**.

+1. Tick the checkboxes next to **SIM1** and **SIM2**, and then select **Delete** from the **Command** bar.

+1. Select **Delete** to confirm your choice.

+1. Once the SIMs have been deleted, select **SIM policies** from the **Resource** menu.

+1. Tick the checkboxes next to **sim-policy-1** and **sim-policy-2**, and then select **Delete** from the **Command** bar.

+1. Select **Delete** to confirm your choice.

+1. Once the SIM policies have been deleted, select **Services** from the **Resource** menu.

+1. Tick the checkboxes next to **service_unrestricted_udp_and_icmp**, **service_blocking_udp_from_specific_sources**, and **service_traffic_limits**, and then select **Delete** from the command bar.

+1. Select **Delete** to confirm your choice.

+## Next steps

+> [!div class="nextstepaction"]

+> [Find out how to design your own policy control configuration](policy-control.md)

+**Azure Private 5G Core Preview** is an Azure cloud service for deploying and managing private mobile networks for enterprises. Private mobile networks provide high performance, low latency, and secure connectivity for 5G Internet of Things (IoT) devices on an enterprise's premises.

+Azure Private 5G Core enables a single private mobile network distributed across one or more sites around the world. Each site contains a packet core instance deployed on an Azure Stack Edge device.

+Azure Private 5G Core allows you to use Azure to easily carry out the following tasks.

+- Deliver and automate the lifecycle of packet core instances on Azure Stack Edge devices.

+- Manage configuration.

+- Set policies for quality of service (QoS) and traffic control.

+- Provision SIMs for user equipment.

+- Monitor your private mobile network.

+For more information, see [Azure Private 5G Core](../private-5g-core/private-5g-core-overview.md).

+ Title: Considerations for deployment in Azure public MEC Preview

+description: Learn about considerations for customers to plan for before they deploy applications in an Azure public multi-access edge compute (MEC) solution.

+# Considerations for deployment in Azure public MEC Preview

+Azure public multi-access edge compute (MEC) Preview sites are small-footprint extensions of Azure. They're placed in or near mobile operators' data centers in metro areas, and are designed to run workloads that require low latency while being attached to the mobile network. This article focuses on the considerations that customers should plan for before they deploy applications in the Azure public MEC.

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Add an allowlisted subscription to your Azure account, which allows you to deploy resources in Azure public MEC. If you don't have an active allowed subscription, contact the [Azure public MEC product team](https://aka.ms/azurepublicmec).

+## Best practices

+For Azure public MEC, follow these best practices:

+- Deploy in Azure public MEC only those components of the application that are latency sensitive or need low latency compute at the Azure public MEC. Deploy in the parent region those components of the application that perform control plane and management plane functionalities.

+- Because Azure public MEC sites are connected to the Telco network, accessing resources deployed in it over the internet isn't allowed. To access VMs deployed in the Azure public MEC, deploy jump box virtual machines (VMs) or Azure Bastion in a virtual network (VNet) in the parent region.

+- For compute resources in the Azure public MEC, deploy Azure Key Vault in the Azure region to provide secrets management and key management services.

+- Use VNet peering between the VNets in the Azure public MEC and the VNets in the parent region. IaaS resources can communicate privately through the Microsoft network and don't need to access the public internet.

+## Azure public MEC architecture

+Deploy application components that require low latencies in the Azure public MEC, and components that are non-latency sensitive in the Azure region.

+### Azure region

+The Azure region should run the components of the application that perform control and management plane functions and aren't latency sensitive.

+The following sections show some examples.

+#### Azure database and storage

+- Azure databases: Azure SQL, Azure Database for MySQL, and so on

+- Storage accounts

+- Azure Blob Storage

+#### AI and Analytics

+- Azure Machine Learning Services

+- Azure Analytics Services

+- Power BI

+- Azure Stream Analytics

+#### Identity services

+- Azure Active Directory

+#### Secrets management

+- Azure Key Vault

+### Azure public MEC

+Azure public MEC should run components that are latency sensitive and need faster response times from compute resources. To do so, run your application on compute services such as Azure Virtual Machines and Azure Kubernetes Service in the public MEC.

+## Availability and resiliency

+Applications you deploy in the Azure public MEC can be made available and resilient by using the following methods:

+- Deploy resources in active/standby, with primary resources in the Azure public MEC and standby resources in the parent Azure region. If there's a failure in the Azure public MEC, the resources in the parent region become active.

+- Use the [Azure backup and disaster recovery solution](/azure/architecture/framework/resiliency/backup-and-recovery), which provides [Azure Site Recovery](/azure/site-recovery/site-recovery-overview) and Azure Backup features. This solution:

+ - Actively replicates VMs from the Azure public MEC to the parent region and makes them available to fail over and fail back if there's an outage.

+ - Backs up VMs to prevent data corruption or lost data.

+ > [!NOTE]

+ > The Azure backup and disaster recovery solution for Azure public MEC supports only Azure Virtual Machines.

+A trade-off exists between availability and latency. Failing over the application from the Azure public MEC to the Azure region ensures that the application is available, but might increase the latency to the application.

+## Next steps

+To deploy a virtual machine in Azure public MEC using an Azure Resource Manager (ARM) template, advance to the following article:

+> [!div class="nextstepaction"]

+> [Quickstart: Deploy a virtual machine in Azure public MEC using an ARM template](quickstart-create-vm-azure-resource-manager-template.md)

+ Title: Key concepts for Azure public MEC Preview

+description: Learn about important concepts for Azure public multi-access edge compute (MEC).

+# Key concepts for Azure public MEC Preview

+This document describes important concepts for Azure public multi-access edge compute (MEC) Preview.

+## ExtendedLocation field

+All resource providers provide an additional field called [extendedLocation](/javascript/api/@azure/arm-compute/extendedlocation), which you use to deploy resources in the Azure public MEC.

+## Azure Edge Zone ID

+Every Azure public MEC site has an Azure Edge Zone ID. This ID is one of the attributes that the `extendedLocation` field uses to differentiate sites.

+## Azure CLI and SDKs

+SDKs for services supported in Azure public MEC have been updated. For information about how to use these SDKs for deployment, see [Tutorial: Deploy resources in Azure public MEC using the Go SDK](tutorial-create-vm-using-go-sdk.md), [Tutorial: Deploy a virtual machine in Azure public MEC using Python SDK](tutorial-create-vm-using-python-sdk.md), and [Quickstart: Deploy a virtual machine in Azure public MEC using Azure CLI](quickstart-create-vm-cli.md).

+## ARM templates

+You can use ARM Templates to deploy resources in the Azure public MEC. Here's an example of how `extendedLocation` is used in an Azure Resource Manager (ARM) template to deploy a virtual machine (VM):

+```json

+{

+ ...

+ "type": "Microsoft.Compute/virtualMachines"

+ "extendedLocation": {

+ "type": "EdgeZone",

+ "name": <edgezoneid>,

+ }

+ ...

+}

+```

+## Parent regions

+Every Azure public MEC site is associated with a parent Azure region. This region hosts all the control plane functions associated with the services running in the Azure public MEC. The following table lists active Azure public MEC sites, along with their Edge Zone ID and associated parent region.

+| Telco provider | Azure public MEC name | Edge Zone ID | Parent region |

+| -- | | | - |

+| AT&T | ATT Atlanta A | attatlanta1 | East US 2 |

+| AT&T | ATT Dallas A | attdallas1 | South Central US |

+## Azure services

+### Azure virtual machines

+Azure public MEC supports specific compute and GPU VM SKUs. The following table lists the supported VM sizes:

+| Type | Series | VM size |

+| - | | - |

+| VM | D-series | D2s_v3, D4s_v3, D8s_v3 |

+| VM | E-series | E4s_v3, E8s_v3 |

+| GPU | NCasT4_v3-series | Standard_NC4asT4_v3, Standard_NC8asT4_v3 |

+### Public IP

+Azure public MEC allows users to create public IPs that can be then associated with resources such as Azure Virtual Machines, Azure Standard Load Balancer, and Azure Kubernetes Clusters. All the Azure public MEC IPs are the Standard public IP SKU.

+### Azure Bastion

+Azure Bastion is a service you deploy that lets you connect to a virtual machine by using your browser and the Azure portal. To access a VM deployed in the Azure public MEC, the Bastion host must be deployed in a VNet in the parent region of the Azure public MEC site.

+### Azure Load Balancer

+The Azure public MEC supports the Standard Load Balancer SKU.

+### Network Security Groups

+Network Security Groups should be created in the parent region, and then can be associated to resources created in the Azure public MEC.

+### Resource Groups

+Resource Groups should be created in the parent Azure region, and then can be associated to resources created in the Azure public MEC.

+### Storage Services

+Azure public MEC only supports creating Standard SSD Managed Disks. All other storage services are currently not supported in the public MEC.

+### Default outbound access

+Because [default outbound access](/azure/virtual-network/ip-services/default-outbound-access) isn't supported on the public MEC, manage your outbound connectivity by using one of the following methods:

+- Use the frontend IP addresses of a Load Balancer for outbound via outbound rules.

+- Assign a public IP to the VM.

+### DNS Resolution

+By default, all services running in the Azure public MEC use the DNS infrastructure in the Azure parent region.

+## Next steps

+To learn about considerations for deployment in the Azure public MEC, advance to the following article:

+> [!div class="nextstepaction"]

+> [Considerations for deployment in the Azure public MEC](considerations-for-deployment.md)

+ Title: What is Azure public MEC Preview?

+description: Learn about the benefits of Azure public multi-access edge compute (MEC) and how it works.

+# What is Azure public MEC Preview?

+Azure public multi-access edge compute (MEC) Preview sites are small-footprint extensions of Azure. They're placed in or near mobile operators' data centers in metro areas, and are designed to run workloads that require low latency while being attached to the mobile network. Azure public MEC is offered in partnership with the operators. The placement of the infrastructure offers lower latency for applications that are accessed from mobile devices connected to the 5G mobile network.

+Azure public MEC provides secure, reliable, high-bandwidth connectivity between applications that run close to the user while being served by the Microsoft global network. Azure public MEC offers a set of Azure services like Azure Virtual Machines, Azure Load Balancer, and Azure Kubernetes for Edge, with the ability to leverage and connect to other Azure services available in the Azure region.

+Some of the industries and use cases where Azure public MEC can provide benefits are:

+- Media streaming and content delivery

+- Real-time analytics and inferencing via artificial intelligence and machine learning

+- Rendering for mixed reality

+- Connected automobiles

+- Healthcare

+- Immersive gaming experiences

+- Low latency applications for the retail industry

+## Benefits of Azure public MEC

+Azure public MEC has the following benefits:

+- Low latency applications at the 5G network edge:

+

+ - Enterprises and developers can run low-latency applications by using the operatorΓÇÖs public 5G network connectivity. This connectivity is architected with a direct, dedicated, and optimized connection to the operatorΓÇÖs mobility core network.

+- Access to key Azure services and experiences:

+ - Azure-managed toolset: Azure customers can provision and manage their Azure public MEC services and workloads through the Azure portal and other essential Azure tools.

+ - Consistent developer experience: Developing and building applications for the public MEC utilizes the same array of features and tools that Azure uses.

+- Access to a rich partner ecosystem:

+ - ISVs working on optimized and scalable applications for edge computing can use the Azure public MEC solution for building solutions. These solutions offer low latency and leverage the 5G mobility network and connected scenarios.

+## Service offerings for Azure public MEC

+Azure public MEC enables some key Azure services for customers to deploy. The control plane for these services remains in the region and the data plane is deployed at the edge, resulting in a smaller Azure footprint, fewer dependencies, and the ability to leverage other services deployed at the region.

+The following key services are available in Azure public MEC:

+- Azure Virtual Machines (Azure public MEC supports these [SKUs](key-concepts.md#azure-virtual-machines))

+- Virtual Machine Scale Sets

+- Standard public IP

+- Azure Virtual Networks

+- Virtual network peering

+- Azure Standard Load Balancer

+- Azure Kubernetes for Edge

+- Azure Bastion (must be deployed in a virtual network in the parent Azure region)

+- Azure managed disks (Azure public MEC supports Standard SSD)

+The following diagram explains how services are deployed at the Azure public MEC location. With this capability, enterprises and developers can deploy the customer workloads closer to their users.

+## Partnership with operators

+Azure public MEC solutions are available in partnership with mobile network operators. The current operator partnerships are as follows:

+- AT&T: Atlanta, Dallas

+## Next steps

+To learn about important concepts for Azure public MEC, advance to the following article:

+> [!div class="nextstepaction"]

+> [Key concepts for Azure public MEC](key-concepts.md)

+ Title: 'Quickstart: Deploy a virtual machine in Azure public MEC Preview using an ARM template'

+description: In this quickstart, learn how to deploy a virtual machine in Azure public multi-access edge compute (MEC) by using an Azure Resource Manager template.

+# Quickstart: Deploy a virtual machine in Azure public MEC Preview using an ARM template

+In this quickstart, you learn how to use an Azure Resource Manager (ARM) template to deploy an Ubuntu Linux virtual machine (VM) in Azure public multi-access edge compute (MEC) Preview.

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Add an allowlisted subscription to your Azure account, which allows you to deploy resources in Azure public MEC. If you don't have an active allowed subscription, contact the [Azure public MEC product team](https://aka.ms/azurepublicmec).

+ > [!NOTE]

+ > Azure public MEC deployments are supported in Azure CLI versions 2.26 and later.

+## Review the template

+1. Review the following example ARM template.

+ Every resource you deploy in Azure public MEC has an extra attribute named `extendedLocation`, which Azure adds to the resource provider. The example ARM template deploys these resources:

+ - Virtual network

+ - Public IP address

+ - Network interface

+ - Network security group

+ - Virtual machine

+ In this example ARM template:

+ - The Azure Edge Zone ID is different from the display name of the Azure public MEC.

+ - The Azure network security group has an inbound rule that allows SSH and HTTPS access from everywhere.

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "adminUsername": {

+ "type": "String",

+ "metadata": {

+ "description": "Username for the Virtual Machine."

+ }

+ },

+ "adminPassword": {

+ "type": "SecureString",

+ "metadata": {

+ "description": "Password for the Virtual Machine."

+ }

+ },

+ "dnsLabelPrefix": {

+ "type": "String",

+ "metadata": {

+ "description": "Unique DNS Name for the Public IP used to access the Virtual Machine."

+ }

+ },

+ "vmSize": {

+ "defaultValue": "Standard_D2s_v3",

+ "type": "String",

+ "metadata": {

+ "description": "Size of the virtual machine."

+ }

+ },

+ "location": {

+ "defaultValue": "[resourceGroup().location]",

+ "type": "String",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ },

+ "EdgeZone": {

+ "type": "String"

+ },

+ "publisher": {

+ "type": "string",

+ "defaultValue": "Canonical",

+ "metadata" : {

+ "description": "Publisher for the VM Image"

+ }

+ },

+ "offer": {

+ "type": "string",

+ "defaultValue": "UbuntuServer",

+ "metadata" : {

+ "description": "Offer for the VM Image"

+ }

+ },

+ "sku": {

+ "type": "string",

+ "defaultValue": "18.04-LTS",

+ "metadata" : {

+ "description": "SKU for the VM Image"

+ }

+ },

+ "osVersion": {

+ "type": "string",

+ "defaultValue": "latest",

+ "metadata" : {

+ "description": "version for the VM Image"

+ }

+ },

+ "vmName": {

+ "defaultValue": "myEdgeVM",

+ "type": "String",

+ "metadata": {

+ "description": "VM Name."

+ }

+ }

+ },

+ "variables": {

+ "nicName": "myEdgeVMNic",

+ "addressPrefix": "10.0.0.0/16",

+ "subnetName": "Subnet",

+ "subnetPrefix": "10.0.0.0/24",

+ "publicIPAddressName": "myEdgePublicIP",

+ "virtualNetworkName": "MyEdgeVNET",

+ "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",

+ "networkSecurityGroupName": "default-NSG"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Network/publicIPAddresses",

+ "apiVersion": "2018-11-01",

+ "name": "[variables('publicIPAddressName')]",

+ "location": "[parameters('location')]",

+ "extendedLocation": {

+ "type": "EdgeZone",

+ "name": "[parameters('EdgeZone')]"

+ },

+ "sku": {

+ "name": "Standard"

+ },

+ "properties": {

+ "publicIPAllocationMethod": "Static",

+ "dnsSettings": {

+ "domainNameLabel": "[parameters('dnsLabelPrefix')]"

+ }

+ }

+ },

+ {

+ "type": "Microsoft.Network/networkSecurityGroups",

+ "apiVersion": "2019-08-01",

+ "name": "[variables('networkSecurityGroupName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "securityRules": [

+ {

+ "name": "AllowHttps",

+ "properties": {

+ "description": "HTTPS is allowed",

+ "protocol": "*",

+ "sourcePortRange": "*",

+ "destinationPortRange": "443",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 130,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ },

+ {

+ "name": "AllowSSH",

+ "properties": {

+ "description": "HTTPS is allowed",

+ "protocol": "*",

+ "sourcePortRange": "*",

+ "destinationPortRange": "22",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 140,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ }

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2018-11-01",

+ "name": "[variables('virtualNetworkName')]",

+ "location": "[parameters('location')]",

+ "extendedLocation": {

+ "type": "EdgeZone",

+ "name": "[parameters('EdgeZone')]"

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"

+ ],

+ "properties": {

+ "addressSpace": {

+ "addressPrefixes": [

+ "[variables('addressPrefix')]"

+ ]

+ },

+ "subnets": [

+ {

+ "name": "[variables('subnetName')]",

+ "properties": {

+ "addressPrefix": "[variables('subnetPrefix')]",

+ "networkSecurityGroup": {

+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"

+ }

+ }

+ }

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.Network/networkInterfaces",

+ "apiVersion": "2018-11-01",

+ "name": "[variables('nicName')]",

+ "location": "[parameters('location')]",

+ "extendedLocation": {

+ "type": "EdgeZone",

+ "name": "[parameters('EdgeZone')]"

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",

+ "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"

+ ],

+ "properties": {

+ "ipConfigurations": [

+ {

+ "name": "ipconfig1",

+ "properties": {

+ "privateIPAllocationMethod": "Dynamic",

+ "publicIPAddress": {

+ "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"

+ },

+ "subnet": {

+ "id": "[variables('subnetRef')]"

+ }

+ }

+ }

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.Compute/virtualMachines",

+ "apiVersion": "2020-06-01",

+ "name": "[parameters('vmName')]",

+ "location": "[parameters('location')]",

+ "extendedLocation": {

+ "type": "EdgeZone",

+ "name": "[parameters('EdgeZone')]"

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/networkInterfaces/', variables('nicName'))]"

+ ],

+ "properties": {

+ "hardwareProfile": {

+ "vmSize": "[parameters('vmSize')]"

+ },

+ "osProfile": {

+ "computerName": "[parameters('vmName')]",

+ "adminUsername": "[parameters('adminUsername')]",

+ "adminPassword": "[parameters('adminPassword')]"

+ },

+ "storageProfile": {

+ "imageReference": {

+ "publisher": "[parameters('publisher')]",

+ "offer": "[parameters('offer')]",

+ "sku": "[parameters('sku')]",

+ "version": "[parameters('osVersion')]"

+ },

+ "osDisk": {

+ "createOption": "FromImage",

+ "managedDisk": {

+ "storageAccountType": "StandardSSD_LRS"

+ }

+ }

+ },

+ "networkProfile": {

+ "networkInterfaces": [

+ {

+ "id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"

+ }

+ ]

+ }

+ }

+ }

+ ],

+ "outputs": {

+ "hostname": {

+ "type": "String",

+ "value": "[reference(variables('publicIPAddressName')).dnsSettings.fqdn]"

+ },

+ "sshCommand": {

+ "type": "string",

+ "value": "[format('ssh {0}@{1}', parameters('adminUsername'), reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))).dnsSettings.fqdn)]"

+ }

+ }

+ }

+ ```

+## Deploy the ARM template using the Azure CLI

+1. Save the contents of the sample ARM template from the previous section in a file named *azurepublicmecDeploy.json*.

+1. Sign in to Azure with [az login](/cli/azure/reference-index#az-login) and set the Azure subscription with [az account set](/cli/azure/account#az-account-set) command.

+ ```azurecli

+ az login

+ az account set --subscription <subscription name>

+ ```

+1. Create an Azure resource group with the [az group create](/cli/azure/group#az-group-create) command. A resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup:

+ ```azurecli

+ az group create --name myResourceGroup --location <location>

+ ```

+ > [!NOTE]

+ > Each Azure public MEC site is associated with an Azure region. Based on the Azure public MEC location where the resource needs to be deployed, select the appropriate region value for the `--location` parameter. For more information, see [Key concepts for Azure public MEC](key-concepts.md).

+1. Deploy the ARM template in the resource group with the [az deployment group create](/cli/azure/deployment/group#az-deployment-group-create) command.

+ ```azurecli

+ az deployment group create --resource-group myResourceGroup --template-file azurepublicmecDeploy.json

+ ```

+ ```output

+ Please provide string value for 'adminUsername' (? for help): <username>

+ Please provide securestring value for 'adminPassword' (? for help): <password>

+ Please provide string value for 'dnsLabelPrefix' (? for help): <uniqueDnsLabel>

+ Please provide string value for 'EdgeZone' (? for help): <edge zone ID>

+ ```

+1. Wait a few minutes for the deployment to run.

+ After the command execution is complete, you can see the new resources in the myResourceGroup resource group. Here's a sample output:

+ ```output

+ {

+ "id": "/subscriptions/xxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Resources/deployments/edgeZonesDeploy",

+ "location": null,

+ "name": "edgeZonesDeploy",

+ "properties": {

+ "correlationId": "<xxxxxxxx>",

+ "debugSetting": null,

+ "dependencies": [

+ {

+ "dependsOn": [

+ {

+ "id": "/subscriptions/xxxxx/resourceGroups/myResourceGroup /providers/Microsoft.Network/networkSecurityGroups/default-NSG",

+ "resourceGroup": " myResourceGroup ",

+ "resourceName": "default-NSG",

+ "resourceType": "Microsoft.Network/networkSecurityGroups"

+ }

+ ],

+ "id": "/subscriptions/xxxxxx/resourceGroups/ myResourceGroup /providers/Microsoft.Network/virtualNetworks/MyEdgeTestVnet",

+ "resourceGroup": " myResourceGroup ",

+ "resourceName": " MyEdgeTestVnet ",

+ "resourceType": "Microsoft.Network/virtualNetworks"

+ },

+ "outputs": {

+ "hostname": {

+ "type": "String",

+ "value": "xxxxx.cloudapp.azure.com"

+ },

+ "sshCommand": {

+ "type": "String",

+ "value": "ssh <adminUsername>@<publicIPFQDN>"

+ }

+ },

+ ...

+ }

+ ```

+## Access the virtual machine

+To use SSH to connect to the virtual machine in the Azure public MEC, the best method is to deploy a jump box in an Azure parent region.

+1. Follow the instructions in [Create a virtual machine in a region](../virtual-machines/linux/quick-create-template.md).

+1. Use SSH to connect to the jump box virtual machine deployed in the region.

+ ```bash

+ ssh <username>@<regionVM_publicIP>

+ ```

+1. From the jump box, use SSH to connect to the virtual machine created in the Azure public MEC.

+ ```bash

+ ssh <username>@<edgezoneVM_publicIP>

+ ```

+## Clean up resources

+In this quickstart, you deployed an ARM template in Azure public MEC by using the Azure CLI. If you don't expect to need these resources in the future, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, scale set, and all related resources. Using the `--yes` parameter deletes the resources without a confirmation prompt.

+```azurecli

+az group delete \--name myResourceGroup \--yes

+```

+## Next steps

+To deploy a virtual machine in Azure public MEC using Azure CLI, advance to the following article:

+> [!div class="nextstepaction"]

+> [Quickstart: Deploy a virtual machine in Azure public MEC using Azure CLI](quickstart-create-vm-cli.md)

+ Title: 'Quickstart: Deploy a virtual machine in Azure public MEC Preview using Azure CLI'

+description: In this quickstart, learn how to deploy a virtual machine in Azure public multi-access edge (MEC) compute by using the Azure CLI.

+# Quickstart: Deploy a virtual machine in Azure public MEC Preview using Azure CLI

+In this quickstart, you learn how to use Azure CLI to deploy a Linux virtual machine (VM) in Azure public multi-access edge compute (MEC) Preview.

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Add an allowlisted subscription to your Azure account, which allows you to deploy resources in Azure public MEC. If you don't have an active allowed subscription, contact the [Azure public MEC product team](https://aka.ms/azurepublicmec).

+ > [!NOTE]

+ > Azure public MEC deployments are supported in Azure CLI versions 2.26 and later.

+## Sign in to Azure and set your subscription

+1. Sign in to Azure by using the [az login](/cli/azure/reference-index#az-login) command.

+ ```azurecli

+ az login

+ ```

+1. Set your Azure subscription with the [az account set](/cli/azure/account#az-account-set) command.

+ ```azurecli

+ az account set --subscription <subscription name>

+ ```

+## Create a resource group

+1. Create an Azure resource group with the [az group create](/cli/azure/group#az-group-create) command. A resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup.

+ ```azurecli

+ az group create --name myResourceGroup --location <location>

+ ```

+ > [!NOTE]

+ > Each Azure public MEC site is associated with an Azure region. Based on the Azure public MEC location where the resource needs to be deployed, select the appropriate region value for the `--location` parameter. For more information, see [Key concepts for Azure public MEC](key-concepts.md).

+## Create a VM

+1. Create a VM with the [az vm create](/cli/azure/vm#az-vm-create) command.

+ The following example creates a VM named myVMEdge and adds a user account named azureuser at Azure public MEC:

+ ```azurecli

+ az vm create \--resource-group myResourceGroup \--name myVMEdge \--image UbuntuLTS \--admin-username azureuser \--admin-password <password> \--edge-zone <edgezone ID> \--public-ip-sku Standard

+ ```

+ The `--edge-zone` parameter determines the Azure public MEC location where the VM and its associated resources are created. Because Azure public MEC supports only standard SKU for a public IP, you must specify `Standard` for the `--public-ip-sku` parameter.

+1. Wait a few minutes for the VM and supporting resources to be created.

+ The following example output shows a successful operation:

+ ```output

+ {

+ "fqdns": "",

+ "id": "/subscriptions/<id> /resourceGroups/myResourceGroup/providers/Microsoft.Compute/ virtualMachines/myVMEdge",

+ "location": "<region>",

+ "macAddress": "<mac_address>",

+ "powerState": "VM running",

+ "privateIpAddress": "10.0.0.4",

+ "publicIpAddress": "<public_ip_address>",

+ "resourceGroup": "myResourceGroup",

+ "zones": ""

+ }

+ ```

+1. Note your `publicIpAddress` value in the output from your myVMEdge VM. Use this address to access the VM in the next sections.

+## Create a jump server in the associated region

+To use SSH to connect to the VM in Azure public MEC, the best method is to deploy a jump box in the same Azure region where you created your resource group.

+1. Create an Azure Virtual Network (VNet) by using the [az network vnet](/cli/azure/network/vnet) command.

+ The following example creates a VNet named MyVnetRegion:

+ ```azurecli

+ az network vnet create --resource-group myResourceGroup --name MyVnetRegion --address-prefix 10.1.0.0/16 --subnet-name MySubnetRegion --subnet-prefix 10.1.0.0/24

+ ```

+1. Create a VM to be deployed in the region with the [az vm create](/cli/azure/vm#az-vm-create) command.

+ The following example creates a VM named myVMRegion in the region:

+ ```azurecli

+ az vm create --resource-group myResourceGroup --name myVMRegion --image UbuntuLTS --admin-username azureuser --admin-password <password> --vnet-name MyVnetRegion --subnet MySubnetRegion --public-ip-sku Standard

+ ```

+1. Note your `publicIpAddress` value in the output from the myVMregion VM. Use this address to access the VM in the next sections.

+## Accessing the VMs

+1. Use SSH to connect to the jump box VM deployed in the region. Use the IP address from the myVMRegion VM you created in the previous section.

+ ```bash

+ ssh azureuser@<regionVM_publicIP>

+ ```

+1. From the jump box, use SSH to connect to the VM you created in Azure public MEC. Use the IP address from the myVMEdge VM you created in the previous section.

+ ```bash

+ ssh azureuser@<edgeVM_publicIP>

+ ```

+1. Ensure the Azure network security groups allow port 22 access to the VMs you create.

+## Clean up resources

+In this quickstart, you deployed a VM in Azure public MEC by using the Azure CLI. If you don't expect to need these resources in the future, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, VM, and all related resources. Using the `--yes` parameter deletes the resources without a confirmation prompt.

+```azurecli

+az group delete \--name myResourceGroup \--yes

+```

+## Next steps

+To deploy resources in Azure public MEC using the Go SDK, advance to the following article:

+> [!div class="nextstepaction"]

+> [Tutorial: Deploy resources in Azure public MEC using the Go SDK](tutorial-create-vm-using-go-sdk.md)

+ Title: 'Tutorial: Deploy resources in Azure public MEC Preview using the Go SDK'

+description: In this tutorial, learn how to deploy resources in Azure public multi-access edge compute (MEC) by using the Go SDK.

+# Tutorial: Deploy resources in Azure public MEC Preview using the Go SDK

+In this tutorial, you learn how to use the Go SDK to deploy resources in Azure public multi-access edge compute (MEC) Preview. The tutorial provides code snippets written in Go to deploy a virtual machine and public IP resources in an Azure public MEC solution. You can use the same model and template to deploy other resources and services that are supported for Azure public MEC. This article isnΓÇÖt intended to be a tutorial on Go; it focuses only on the API calls required to deploy resources in Azure public MEC.

+For more information about Go, see [Azure for Go developers](/azure/developer/go/). For Go samples, see [Azure Go SDK samples](https://github.com/azure-samples/azure-sdk-for-go-samples).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Create a virtual machine

+> - Create a public IP address

+> - Deploy a virtual network and public IP address

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Add an allowlisted subscription to your Azure account, which allows you to deploy resources in Azure public MEC. If you don't have an active allowed subscription, contact the [Azure public MEC product team](https://aka.ms/azurepublicmec).

+- [Install Go](https://golang.org/doc/install)

+- [Install the Azure SDK for Go](/azure/developer/go/azure-sdk-install)

+## Create a virtual machine

+1. Add the latest compute Go SDK to your import list. For example:

+ ```go

+ import (

+ "github.com/Azure/azure-sdk-for-go/tree/main/services/compute/mgmt/2021-11-01/compute"

+ )

+ ```

+1. Use the following sample as a guide on how to use the Go SDK. You must add the `ExtendedLocation` attribute to the VM API call.

+ ```go

+ VmClient := compute.NewVirtualMachinesClient(<subscription_id>)

+ vmResult, err := vmClient.CreateOrUpdate(

+ context.Background(),

+ "<resourceGroupName>",

+ "<vmName>",

+ compute.VirtualMachine{

+ Location: to.StringPtr("westus"),

+ ExtendedLocation: &compute.ExtendedLocation{

+ Name: to.StringPtr("<edgezoneid>"),

+ Type: "EdgeZone",

+ },

+ VirtualMachineProperties: &compute.VirtualMachineProperties{

+ StorageProfile: &compute.StorageProfile{

+ ImageReference: &compute.ImageReference{

+ Publisher: to.StringPtr("<PublisherName>"),

+ Offer: to.StringPtr("<Offer>"),

+ Sku: to.StringPtr("<SKU>"),

+ Version: to.StringPtr("<version>"),

+ },

+ },

+ HardwareProfile: &compute.HardwareProfile{

+ VMSize: "Standard_D2s_v3",

+ },

+ OsProfile: &compute.OSProfile{

+ ComputerName: to.StringPtr("<vmname>"),

+ AdminUsername: to.StringPtr("<username>"),

+ AdminPassword: to.StringPtr("password"),

+ },

+ NetworkProfile: &compute.NetworkProfile{

+ NetworkInterfaces: &[]compute.NetworkInterfaceReference{

+ {

+ ID: nic.ID,

+ NetworkInterfaceReferenceProperties: &compute.NetworkInterfaceReferenceProperties{

+ Primary: to.BoolPtr(true),

+ },

+ },

+ },

+ },

+ },

+ },

+ )

+ ```

+## Create a public IP address

+1. Add the latest network Go SDK to your import list.

+ ```go

+ import (

+ "github.com/Azure/azure-sdk-for-go/tree/main/services/network/mgmt/2021-05-01/network"

+ )

+ ```

+2. Use the following Go sample as a guide on how to create a public IP address. Azure public MEC supports only the Standard SKU with static allocation for public IPs.

+ ```go

+ ipClient := network.NewPublicIPAddressesClient("<subsciption_id>")

+ PublicIPResult, err := ipClient.CreateOrUpdate(

+ context.Background(),

+ "resourceGroupName",

+ "publicIpName",

+ network.PublicIPAddress{

+ Name: to.StringPtr("publicVMIP"),

+ Location: to.StringPtr("westus"),

+ ExtendedLocation: &network.ExtendedLocation{

+ Name: to.StringPtr("microsoftlosangeles1"),

+ Type: to.StringPtr("EdgeZone"),

+ },

+ Sku: &network.PublicIPAddressSku{

+ Name:network.PublicIPAddressSkuName(

+ network.PublicIPAddressSkuNameStandard),

+ },

+ PublicIPAddressPropertiesFormat:

+ &network.PublicIPAddressPropertiesFormat{

+ PublicIPAllocationMethod: network.Static,

+ },

+ }

+ )

+ ```

+## Deploy a virtual network and public IP address

+Use the following Go sample as a guide to deploy a virtual network and public IP address in an Azure public MEC solution. Populate the `<edgezoneid>` field with a valid value.

+```go

+package main

+import (

+ "context"

+ "fmt"

+ "github.com/Azure/azure-sdk-for-go/sdk/to"

+ "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-07-01/network"

+ "github.com/Azure/go-autorest/autorest/azure/auth"

+)

+func main() {

+ // create a VirtualNetworks client

+ vnetClient := network.NewVirtualNetworksClient("<subscription_id>")

+ ipClient := network.NewPublicIPAddressesClient("<subscription_id>")

+

+ // create a CLI authorizer from environment Vars

+ authorizer, err := auth.NewAuthorizerFromCLI()

+ if err == nil {

+ fmt.Println("Auth Successful")

+ vnetClient.Authorizer = authorizer

+ ipClient.Authorizer = authorizer

+ } else {

+ fmt.Printf("Authorizer error %v", err)

+ }

+ vnetResult, err := vnetClient.CreateOrUpdate(context.Background(),

+ "<resourceGroupName>",

+ "<vnetName>",

+ network.VirtualNetwork{

+ Location: to.StringPtr("westus"),

+ ExtendedLocation: &network.ExtendedLocation{

+ Name: to.StringPtr("<edgezoneid>") ,

+ Type: to.StringPtr("EdgeZone"),

+ },

+ VirtualNetworkPropertiesFormat: &network.VirtualNetworkPropertiesFormat{

+ AddressSpace: &network.AddressSpace{

+ AddressPrefixes: &[]string{"10.0.0.0/8"},

+ },

+ Subnets: &[]network.Subnet{

+ {

+ Name: to.StringPtr("subnet1"),

+ SubnetPropertiesFormat: &network.SubnetPropertiesFormat{

+ AddressPrefix: to.StringPtr("10.0.0.0/16"),

+ },

+ },

+ {

+ Name: to.StringPtr("subnet2"),

+ SubnetPropertiesFormat: &network.SubnetPropertiesFormat{

+ AddressPrefix: to.StringPtr("10.1.0.0/16"),

+ },

+ },

+ },

+ },

+ }

+ )

+ if err != nil {

+ fmt.Printf("VNet creation failed %v", err)

+ }

+ err = vnetResult.WaitForCompletionRef(context.Background(), vnetClient.Client)

+ if err != nil {

+ fmt.Printf("cannot create a Vnet: %v", err)

+ }

+

+ pip, err := ipClient.CreateOrUpdate(

+ context.Background(),

+ "<resourceGroupName>",

+ "<publicIPName>",

+ network.PublicIPAddress{

+ Name: to.StringPtr("<publicIPName>"),

+ Location: to.StringPtr("westus"),

+ ExtendedLocation: &network.ExtendedLocation{

+ Name: to.StringPtr("microsoftlosangeles1"),

+ Type: to.StringPtr("EdgeZone"),

+ },

+ Sku: &network.PublicIPAddressSku{

+ Name: network.PublicIPAddressSkuName(network.PublicIPAddressSkuNameStandard),

+ },

+ PublicIPAddressPropertiesFormat: &network.PublicIPAddressPropertiesFormat{

+ PublicIPAllocationMethod: network.Static,

+ },

+ },

+ )

+ if err != nil {

+ fmt.Printf("Public IP creation failed %v", err)

+ }

+ err = pip.WaitForCompletionRef(context.Background(), ipClient.Client)

+ if err != nil {

+ fmt.Printf("Cannot create Public IP: %v", err)

+ }

+```

+## Clean up resources

+In this tutorial, you created a VM in Azure public MEC by using the Go SDK. If you don't expect to need these resources in the future, use the Azure portal to delete the resource group that you created.

+## Next steps

+To deploy a virtual machine in Azure public MEC using the Python SDK, advance to the following article:

+> [!div class="nextstepaction"]

+> [Tutorial: Deploy a virtual machine in Azure public MEC using the Python SDK](tutorial-create-vm-using-python-sdk.md)

+ Title: 'Tutorial: Deploy a virtual machine in Azure public MEC Preview using the Python SDK'

+description: This tutorial demonstrates how to use Azure SDK management libraries in a Python script to create a resource group in Azure public multi-access edge compute (MEC) that contains a Linux virtual machine.

+# Tutorial: Deploy a virtual machine in Azure public MEC Preview using the Python SDK

+In this tutorial, you use Python SDK to deploy resources in Azure public multi-access edge compute (MEC) Preview. The tutorial provides Python code to deploy a virtual machine (VM) and its dependencies in Azure public MEC.

+For information about Python SDKs, see [Azure libraries for Python usage patterns](/azure/developer/python/azure-sdk-library-usage-patterns?tabs=pip).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Install the required Azure library packages

+> - Provision a virtual machine

+> - Run the script in your development environment

+> - Create a jump server in the associated region

+> - Access the VMs

+## Prerequisites

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Add an allowlisted subscription to your Azure account, which allows you to deploy resources in Azure public MEC. If you don't have an active allowed subscription, contact the [Azure public MEC product team](https://aka.ms/azurepublicmec).

+- Set up Python in your local development environment by following the instructions at [Configure your local Python dev environment for Azure](/azure/developer/python/configure-local-development-environment?tabs=cmd). Ensure you create a service principal for local development, and create and activate a virtual environment for this tutorial project.

+## Install the required Azure library packages

+1. Create a file named *requirements.txt* that lists the management libraries used in this example.

+ ```txt

+ azure-mgmt-resource

+ azure-mgmt-compute

+ azure-mgmt-network

+ azure-identity

+ azure-mgmt-extendedlocation==1.0.0b2

+ ```

+1. Open a command prompt with the virtual environment activated and install the management libraries listed in requirements.txt.

+ ```bash

+ pip install -r requirements.txt

+ ```

+## Provision a virtual machine

+1. Create a Python file named *provision_vm_edge.py* and populate it with the following Python script. The script deploys VM and its associated dependency in Azure public MEC. The comments in the script explain the details.

+ ```Python

+ # Import the needed credential and management objects from the libraries.

+ from azure.identity import AzureCliCredential

+ from azure.mgmt.resource import ResourceManagementClient

+ from azure.mgmt.network import NetworkManagementClient

+ from azure.mgmt.compute import ComputeManagementClient

+ import os

+ print(f"Provisioning a virtual machine...some operations might take a minute or two.")

+ # Acquire a credential object using CLI-based authentication.

+ credential = AzureCliCredential()

+ # Retrieve subscription ID from environment variable.

+ subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+ # Step 1: Provision a resource group

+ # Obtain the management object for resources, using the credentials from the CLI login.

+ resource_client = ResourceManagementClient(credential, subscription_id)

+

+ # Constants we need in multiple places: the resource group name, the region and the public mec location

+ # in which we provision resources. Populate the variables with appropriate values.

+ RESOURCE_GROUP_NAME = "PythonAzureExample-VM-rg"

+ LOCATION = "<region>"

+ PUBLIC_MEC_LOCATION = "<edgezone id>"

+ USERNAME = "azureuser"

+ PASSWORD = "<password>"

+ # Provision the resource group.

+ rg_result = resource_client.resource_groups.create_or_update(RESOURCE_GROUP_NAME,

+ {

+ "location": LOCATION

+ }

+ )

+ print(f"Provisioned resource group {rg_result.name} in the {rg_result.location} region")

+ # For details on the previous code, see Example: Use the Azure libraries to provision a resource group

+ # at https://docs.microsoft.com/azure/developer/python/azure-sdk-example-resource-group

+ # Step 2: Provision a virtual network

+ # A virtual machine requires a network interface client (NIC). A NIC requires

+ # a virtual network and subnet along with an IP address. Therefore, we must provision

+ # these downstream components first, then provision the NIC, after which we

+ # can provision the VM.

+ # Network and IP address names

+ VNET_NAME = "python-example-vnet-edge"

+ SUBNET_NAME = "python-example-subnet-edge"

+ IP_NAME = "python-example-ip-edge"

+ IP_CONFIG_NAME = "python-example-ip-config-edge"

+ NIC_NAME = "python-example-nic-edge"

+ # Obtain the management object for networks

+ network_client = NetworkManagementClient(credential, subscription_id)

+ # Provision the virtual network and wait for completion

+ poller = network_client.virtual_networks.begin_create_or_update(RESOURCE_GROUP_NAME,

+ VNET_NAME,

+ {

+ "location": LOCATION,

+ "extendedLocation": {"type": "EdgeZone", "name": PUBLIC_MEC_LOCATION},

+ "address_space": {

+ "address_prefixes": ["10.1.0.0/16"]

+ }

+ }

+ )

+ vnet_result = poller.result()

+ print(f"Provisioned virtual network {vnet_result.name} with address prefixes {vnet_result.address_space.address_prefixes}")

+ # Step 3: Provision the subnet and wait for completion

+ poller = network_client.subnets.begin_create_or_update(RESOURCE_GROUP_NAME,

+ VNET_NAME, SUBNET_NAME,

+ { "address_prefix": "10.1.0.0/24" }

+ )

+ subnet_result = poller.result()

+ print(f"Provisioned virtual subnet {subnet_result.name} with address prefix {subnet_result.address_prefix}")

+ # Step 4: Provision an IP address and wait for completion

+ # Only the standard public IP SKU is supported at EdgeZones

+ poller = network_client.public_ip_addresses.begin_create_or_update(RESOURCE_GROUP_NAME,

+ IP_NAME,

+ {

+ "location": LOCATION,

+ "extendedLocation": {"type": "EdgeZone", "name": PUBLIC_MEC_LOCATION},

+ "sku": { "name": "Standard" },

+ "public_ip_allocation_method": "Static",

+ "public_ip_address_version" : "IPV4"

+ }

+ )

+ ip_address_result = poller.result()

+ print(f"Provisioned public IP address {ip_address_result.name} with address {ip_address_result.ip_address}")

+ # Step 5: Provision the network interface client

+ poller = network_client.network_interfaces.begin_create_or_update(RESOURCE_GROUP_NAME,

+ NIC_NAME,

+ {

+ "location": LOCATION,

+ "extendedLocation": {"type": "EdgeZone", "name": PUBLIC_MEC_LOCATION},

+ "ip_configurations": [ {

+ "name": IP_CONFIG_NAME,

+ "subnet": { "id": subnet_result.id },

+ "public_ip_address": {"id": ip_address_result.id }

+ }]

+ }

+ )

+ nic_result = poller.result()

+ print(f"Provisioned network interface client {nic_result.name}")

+ # Step 6: Provision the virtual machine

+ # Obtain the management object for virtual machines

+ compute_client = ComputeManagementClient(credential, subscription_id)

+ VM_NAME = "ExampleVM-edge"

+ print(f"Provisioning virtual machine {VM_NAME}; this operation might take a few minutes.")

+ # Provision the VM specifying only minimal arguments, which defaults to an Ubuntu 18.04 VM

+ # on a Standard DSv2-series with a public IP address and a default virtual network/subnet.

+ poller = compute_client.virtual_machines.begin_create_or_update(RESOURCE_GROUP_NAME, VM_NAME,

+ {

+ "location": LOCATION,

+ "extendedLocation": {"type": "EdgeZone", "name": PUBLIC_MEC_LOCATION},

+ "storage_profile": {

+ "image_reference": {

+ "publisher": 'Canonical',

+ "offer": "UbuntuServer",

+ "sku": "18.04-LTS",

+ "version": "latest"

+ }

+ },

+ "hardware_profile": {

+ "vm_size": "Standard_DS2_v2"

+ },

+ "os_profile": {

+ "computer_name": VM_NAME,

+ "admin_username": USERNAME,

+ "admin_password": PASSWORD

+ },

+ "network_profile": {

+ "network_interfaces": [{

+ "id": nic_result.id,

+ }]

+ }

+ }

+ )

+ vm_result = poller.result()

+ print(f"Provisioned virtual machine {vm_result.name}")

+ ```

+1. Before you run the script, populate these variables used in the step 1 section of the script:

+ | Variable name | Description |

+ | - | -- |

+ | LOCATION | Azure region associated with the Azure public MEC location |

+ | PUBLIC_MEC_LOCATION | Azure public MEC location identifier/edgezone ID |

+ | PASSWORD | Password to use to sign in to the VM |

+ > [!NOTE]

+ > Each Azure public MEC site is associated with an Azure region. Based on the Azure public MEC location where the resource needs to be deployed, select the appropriate region value for the resource group to be created. For more information, see [Key concepts for Azure public MEC](key-concepts.md).

+## Run the script in your development environment

+1. Run the Python script you copied from the previous section.

+ ```python

+ python provision_vm_edge.py

+ ```

+1. Wait a few minutes for the VM and supporting resources to be created.

+ The following example output shows the VM create operation was successful.

+ ```output

+ (.venv) C:\Users >python provision_vm_edge.py

+ Provisioning a virtual machine...some operations might take a minute or two.

+ Provisioned resource group PythonAzureExample-VM-rg in the <region> region

+ Provisioned virtual network python-example-vnet-edge with address prefixes ['10.1.0.0/16']

+ Provisioned virtual subnet python-example-subnet-edge with address prefix 10.1.0.0/24

+ Provisioned public IP address python-example-ip-edge with address <public ip>

+ Provisioned network interface client python-example-nic-edge

+ Provisioning virtual machine ExampleVM-edge; this operation might take a few minutes.

+ Provisioned virtual machine ExampleVM-edge

+ ```

+1. In the output from the python-example-ip-edge field, note your own publicIpAddress. Use this address to access the VM in the next section.

+## Create a jump server in the associated region

+To use SSH to connect to the VM in the Azure public MEC, the best method is to deploy a jump box in an Azure region where your resource group was deployed in the previous section.

+1. Follow the steps in [Use the Azure libraries to provision a virtual machine](/azure/developer/python/azure-sdk-example-virtual-machines?tabs=cmd).

+1. Note your own publicIpAddress in the output from the python-example-ip field of the jump server VM. Use this address to access the VM in the next section.

+## Access the VMs

+1. Use SSH to connect to the jump box VM you deployed in the region with its IP address you noted previously.

+ ```bash

+ ssh azureuser@<python-example-ip>

+ ```

+1. From the jump box, use SSH to connect to the VM you created in the Azure public MEC with its IP address you noted previously.

+ ```bash

+ ssh azureuser@<python-example-ip-edge>

+ ```

+1. Ensure the Azure network security groups allow port 22 access to the VMs you create.

+## Clean up resources

+In this tutorial, you created a VM in Azure public MEC by using the Python SDK. If you don't expect to need these resources in the future, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, scale set, and all related resources. Using the `--yes` parameter deletes the resources without a confirmation prompt.

+```azurecli

+az group delete --name PythonAzureExample-VM-rg --yes

+```

+## Next steps

+For questions about Azure public MEC, contact the product team:

+> [!div class="nextstepaction"]

+> [Azure public MEC product team](https://aka.ms/azurepublicmec)

+For Azure Purview, customer content related to the metadata (e.g. blob uri path, table names and column names) stored in Azure Purview is Data Residency compliant with the exception of multi-cloud environments.

+For multi-cloud environments (AWS sources), the customer content will reside in the US region as a part of the global logs and will be data residency compliant in the next few months.

+ Title: Azure SQL indexer

+description: Set up a search indexer to index data stored in Azure SQL Database for full text search in Azure Cognitive Search.

+In this article, learn how to configure an [**indexer**](search-indexer-overview.md) that imports content from Azure SQL and makes it searchable in Azure Cognitive Search. The workflow creates a search index and loads it with text extracted from Azure SQL Database and Azure SQL managed instances.

+This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information about settings that are specific to Azure SQL. You can create indexers using the [Azure portal](https://portal.azure.com), [Search REST APIs](/rest/api/searchservice/Indexer-operations) or an Azure SDK. This article uses REST to explain each step.

+<!-- Real-time data synchronization must not be an application requirement. An indexer can reindex your table at most every five minutes. If your data changes frequently, and those changes need to be reflected in the index within seconds or single minutes, we recommend using the [REST API](/rest/api/searchservice/AddUpdate-or-Delete-Documents) or [.NET SDK](search-get-started-dotnet.md) to push updated rows directly.

+Incremental indexing is possible. If you have a large data set and plan to run the indexer on a schedule, Azure Cognitive Search must be able to efficiently identify new, changed, or deleted rows. Non-incremental indexing is only allowed if you're indexing on demand (not on schedule), or indexing fewer than 100,000 rows. For more information, see [Capturing Changed and Deleted Rows](#CaptureChangedRows) below. -->

+## Define the data source

+The data source definition specifies the data to index, credentials, and policies for identifying changes in the data. A data source is defined as an independent resource so that it can be used by multiple indexers.

+1. [Create or update a data source](/rest/api/searchservice/create-data-source) to set its definition:

+1. Set "type" to `"azuresql"` (required).

+1. Set "credentials" to a connection string:

+ + You can get the connection string from the [Azure portal](https://portal.azure.com). Use the `ADO.NET connection string` option.

+ + You can specify a managed identity connection string that does not include database secrets with the following format: `Initial Catalog|Database=<your database name>;ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Sql/servers/<your SQL Server name>/;Connection Timeout=connection timeout length;`.

+ To use this connection string, follow the instructions for [Setting up an indexer connection to an Azure SQL Database using a managed identity](search-howto-managed-identities-sql.md).

+## Add search fields to an index

+In a [search index](search-what-is-an-index.md), add fields to accept values from corresponding fields in the SQL database. Ensure that the search index schema is compatible with source schema, with [equivalent data types](#TypeMapping).

+1. [Create or update an index](/rest/api/searchservice/create-index) to define search fields that will store data:

+ ```http

+ POST https://[service name].search.windows.net/indexes?api-version=2020-06-30

+ api-key: [Search service admin key]

+ {

+ "name": "mysearchindex",

+ "fields": [{

+ "name": "id",

+ "type": "Edm.String",

+ "key": true,

+ "searchable": false

+ },

+ {

+ "name": "description",

+ "type": "Edm.String",

+ "filterable": false,

+ "searchable": true,

+ "sortable": false,

+ "facetable": false,

+ "suggestions": true

+ }

+ ]

+ }

+ ```

+1. Create a document key field ("key": true) that uniquely identifies each search document. This is the only field that's required. Typically, the table's primary key is mapped to the index key field. The document key must be unique and non-null. The values can be numeric in source data, but in a search index, a key is always a string.

+1. Create additional fields for more searchable content. See [Create an index](search-how-to-create-search-index.md) for details.

+<a name="TypeMapping"></a>

+### Mapping data types

+| SQL data type | Cognitive Search field types | Notes |

+| - | -- | |

+| bit |Edm.Boolean, Edm.String | |

+| int, smallint, tinyint |Edm.Int32, Edm.Int64, Edm.String | |

+| bigint |Edm.Int64, Edm.String | |

+| real, float |Edm.Double, Edm.String | |

+| smallmoney, money decimal numeric |Edm.String |Azure Cognitive Search does not support converting decimal types into Edm.Double because this would lose precision |

+| char, nchar, varchar, nvarchar |Edm.String<br/>Collection(Edm.String) |A SQL string can be used to populate a Collection(Edm.String) field if the string represents a JSON array of strings: `["red", "white", "blue"]` |

+| smalldatetime, datetime, datetime2, date, datetimeoffset |Edm.DateTimeOffset, Edm.String | |

+| uniqueidentifer |Edm.String | |

+| geography |Edm.GeographyPoint |Only geography instances of type POINT with SRID 4326 (which is the default) are supported |

+| rowversion |Not applicable |Row-version columns cannot be stored in the search index, but they can be used for change tracking |

+| time, timespan, binary, varbinary, image, xml, geometry, CLR types |Not applicable |Not supported |

+## Configure and run the Azure SQL indexer

+Indexer configuration specifies the inputs, parameters, and properties controlling run time behaviors.

+1. [Create or update an indexer](/rest/api/searchservice/create-indexer) by giving it a name and referencing the data source and target index:

+ ```http

+ POST https://[service name].search.windows.net/indexers?api-version=2020-06-30

+ Content-Type: application/json

+ api-key: [search service admin key]

+ "name" : "[my-sqldb-indexer]",

+ "dataSourceName" : "[my-sqldb-ds]",

+ "targetIndexName" : "[my-search-index]",

+ "disabled": null,

+ "schedule": null,

+ "parameters": {

+ "batchSize": null,

+ "maxFailedItems": 0,

+ "maxFailedItemsPerBatch": 0,

+ "base64EncodeKeys": false,

+ "configuration": {

+ "queryTimeout": "00:05:00",

+ "disableOrderByHighWaterMarkColumn": false

+ }

+ },

+ "fieldMappings": [],

+ "encryptionKey": null

+ ```

+1. Under parameter configuration, you can set a timeout for SQL query execution. In the example above, the timeout is 5 minutes. The second configuration setting is "disableOrderByHighWaterMarkColumn". It causes the SQL query used by the [high water mark policy](#HighWaterMarkPolicy) to omit the ORDER BY clause.

+1. [Specify field mappings](search-indexer-field-mappings.md) if there are differences in field name or type, or if you need multiple versions of a source field in the search index.

+1. See [Create an indexer](search-howto-create-indexers.md) for more information about other properties.

+An indexer runs automatically when it's created. You can prevent this by setting "disabled" to true. To control indexer execution, [run an indexer on demand](search-howto-run-reset-indexers.md) or [put it on a schedule](search-howto-schedule-indexers.md).

+## Check indexer status

+To monitor the indexer status and execution history, send a [Get Indexer Status](/rest/api/searchservice/get-indexer-status) request:

+GET https://myservice.search.windows.net/indexers/myindexer/status?api-version=2020-06-30

+ Content-Type: application/json

+ api-key: [admin key]

+The response includes status and the number of items processed. It should look similar to the following example:

+ "startTime":"2022-02-21T00:23:24.957Z",

+ "endTime":"2022-02-21T00:36:47.752Z",

+ "startTime":"2022-02-21T00:23:24.957Z",

+ "endTime":"2022-02-21T00:36:47.752Z",

+Execution history contains up to 50 of the most recently completed executions, which are sorted in the reverse chronological order so that the latest execution comes first.

+<a name="CaptureChangedRows"></a>

+## Indexing new, changed, and deleted rows

+If your SQL database supports [change tracking](/sql/relational-databases/track-changes/about-change-tracking-sql-server), a search indexer can pick up just the new and updated content on subsequent indexer runs. Azure Cognitive Search provides two change detection policies to support incremental indexing.

+Within an indexer definition, you can specify a change detection policies that tells the indexer which change tracking mechanism is used on your table or view. There are two policies to choose from:

+We recommend using "SqlIntegratedChangeTrackingPolicy" for its efficiency and its ability to identify deleted rows.

+Database requirements:

+Change detection policies are added to data source definitions. To use this policy, create or update your data source like this:

+```http

+POST https://myservice.search.windows.net/datasources?api-version=2020-06-30

+Content-Type: application/json

+api-key: admin-key

+ "container" : { "name" : "table name" },

+ "@odata.type" : "#Microsoft.Azure.Search.SqlIntegratedChangeTrackingPolicy"

+When using SQL integrated change tracking policy, do not specify a separate data deletion detection policy. The SQL integrated change tracking policy has built-in support for identifying deleted rows. However, for the deletes to be detected automatically, the document key in your search index must be the same as the primary key in the SQL table.

+This change detection policy relies on a "high water mark" column in your table or view that captures the version or time when a row was last updated. If you're using a view, you must use a high water mark policy.

+The high water mark column must meet the following requirements:

+> [!NOTE]

+Change detection policies are added to data source definitions. To use this policy, create or update your data source like this:

+```http

+POST https://myservice.search.windows.net/datasources?api-version=2020-06-30

+Content-Type: application/json

+api-key: admin-key

+ "@odata.type" : "#Microsoft.Azure.Search.HighWaterMarkChangeDetectionPolicy",

+ "highWaterMarkColumnName" : "[a rowversion or last_updated column name]"

+ }

+> [!NOTE]

+```http

+```http

+```http

+```http

+In this article, learn how to configure an [**indexer**](search-indexer-overview.md) that imports content from Azure Cosmos DB and makes it searchable in Azure Cognitive Search. The workflow creates a search index and loads it with text extracted from Azure Cosmos DB using the [SQL API](../cosmos-db/choose-api.md#coresql-api).

+Because terminology can be confusing, it's worth noting that [Cosmos DB indexing](../cosmos-db/index-overview.md) and [Cognitive Search indexing](search-what-is-an-index.md) are different operations. Indexing in Cognitive Search creates and loads a search index on your search service.

+This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information about settings that are specific to Cosmos DB SQL API. You can create indexers using the [Azure portal](https://portal.azure.com), [Search REST APIs](/rest/api/searchservice/Indexer-operations) or an Azure SDK. This article uses REST to explain each step.

+1. [Create or update an indexer](/rest/api/searchservice/create-indexer) by giving it a name and referencing the data source and target index.

+An indexer runs automatically when it's created. You can prevent this by setting "disabled" to true. To control indexer execution, [run an indexer on demand](search-howto-run-reset-indexers.md) or [put it on a schedule](search-howto-schedule-indexers.md).

+## Check indexer status

+To monitor the indexer status and execution history, send a [Get Indexer Status](/rest/api/searchservice/get-indexer-status) request:

+```http

+GET https://myservice.search.windows.net/indexers/myindexer/status?api-version=2020-06-30

+ Content-Type: application/json

+ api-key: [admin key]

+```

+The response includes status and the number of items processed. It should look similar to the following example:

+```json

+ {

+ "status":"running",

+ "lastResult": {

+ "status":"success",

+ "errorMessage":null,

+ "startTime":"2022-02-21T00:23:24.957Z",

+ "endTime":"2022-02-21T00:36:47.752Z",

+ "errors":[],

+ "itemsProcessed":1599501,

+ "itemsFailed":0,

+ "initialTrackingState":null,

+ "finalTrackingState":null

+ },

+ "executionHistory":

+ [

+ {

+ "status":"success",

+ "errorMessage":null,

+ "startTime":"2022-02-21T00:23:24.957Z",

+ "endTime":"2022-02-21T00:36:47.752Z",

+ "errors":[],

+ "itemsProcessed":1599501,

+ "itemsFailed":0,

+ "initialTrackingState":null,

+ "finalTrackingState":null

+ },

+ ... earlier history items

+ ]

+ }

+```

+Execution history contains up to 50 of the most recently completed executions, which are sorted in the reverse chronological order so that the latest execution comes first.

+# Make outbound connections through a private endpoint

+Many Azure resources, such as Azure storage accounts, can be configured to accept connections from a list of virtual networks and refuse outside connections that originate from a public network. If you're using an indexer and your Azure PaaS data source is on a private network, you can create an outbound [private endpoint connection](../private-link/private-endpoint-overview.md) used by Azure Cognitive Search to reach the data.

+Private endpoints created through Azure Cognitive Search APIs are referred to as *shared private links* or *managed outbound private endpoints*. The concept of a "shared private link" is that an Azure PaaS resource already has a private endpoint through [Azure Private Link service](https://azure.microsoft.com/services/private-link/), and Azure Cognitive Search is sharing access. Although access is shared, a shared private link creates its own private connection. The shared private link is the mechanism by which Azure Cognitive Search makes the connection to resources in a private network.

+To create a shared private link, use the Azure portal or the [Create Or Update Shared Private Link](/rest/api/searchmanagement/2020-08-01/shared-private-link-resources/create-or-update) operation in the Azure Cognitive Search Management REST API.

+## Prerequisites

+<a name="group-ids"></a>

+## Supported resources and group IDs

+The following table lists Azure resources for which you can create managed private endpoints from within Azure Cognitive Search.

+When setting up a shared private link resource, make sure the group ID value is exact. Values are case-sensitive and must be identical to those shown in the following table. Notice that for several resources and features, you'll need to set two IDs.

+| Azure Storage - Blob | `blob` ^1, ² |

+| Azure Storage - Tables | `table` ² |

+| Azure Key Vault for [customer-managed keys](search-security-manage-encryption-keys.md) | `vault` |

+¹ If you enabled [enrichment caching](cognitive-search-incremental-indexing-conceptual.md) and the connection to Azure Blob Storage is through a private endpoint, make sure there is a shared private link of type `blob`.

+² If you're projecting data to a [knowledge store](knowledge-store-concept-intro.md) and the connection to Azure Blob Storage and Azure Table Storage is through a private endpoint, make sure there are two shared private links of type `blob` and `table`, respectively.

+> [!TIP]

+> You can query for the list of supported resources and group IDs by using the [list of supported APIs](/rest/api/searchmanagement/2021-04-01-preview/private-link-resources/list-supported).

+## 1 - Create a shared private link

+The following section describes how to create a shared private link resource either using the Azure portal or the Azure CLI.

+Azure portal only supports creating a shared private link resource using group ID values that are generally available. For [MySQL Private Link (Preview)](../mysql/concepts-data-access-security-private-link.md) and [Azure Functions Private Link (Preview)](../azure-functions/functions-networking-options.md), use Azure CLI.

+### [**Azure portal**](#tab/portal-create)

+1. [Sign in to Azure portal](https://portal.azure.com) and [find your search service](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Storage%2storageAccounts/).

+1. Under **Settings** on the left navigation pane, select **Networking**.

+1. On the **Shared Private Access** tab, select **+ Add Shared Private Access**.

+1. On the blade that opens on the right, select either **Connect to an Azure resource in my directory** or **Connect to an Azure resource by resource ID or alias**.

+1. If you select the first option (recommended), the blade helps you pick the appropriate Azure resource and fills in other properties, such as the group ID of the resource and the resource type.

+1. If you select the second option, enter the Azure resource ID manually and choose the appropriate group ID from the list at the beginning of this article.

+ 

+### [**Azure CLI**](#tab/cli-create)

+You can use the Management REST API with Azure PowerShell, or the [Azure CLI](/cli/azure/) as shown in this example.

+Remember to use the preview API version, either 2020-08-01-preview or 2021-04-01-preview, if you're using a group ID that's in preview. For example, *sites* and *mysqlServer* are in preview and require you to use the preview API.

+The definition of a shared private link is provided in a JSON file. The following is an example of what a *create-pe.json* file might contain:

+Be sure to specify the correct group ID for the type of resource for which you're creating the private endpoint. Any mismatch will result in a non-successful response message.

+<a name="check-endpoint-status"></a>

+## 2 - Check the status of the private endpoint creation

+In this step, confirm that the provisioning state of the resource changes to "Succeeded".

+You can use the portal to check provisioning state for both generally available and preview resources.

+### [**Azure portal**](#tab/portal-status)

+The portal shows you the state of the shared private endpoint. In the following example, the status is "Updating".

+Once the resource is successfully created, you'll receive a portal notification and the provisioning state of the resource changes to "Succeeded".

+### [**Azure CLI**](#tab/cli-status)

+## 3 - Approve the private endpoint connection

+In this section, you use the Azure portal for the approval flow of a private endpoint to the Azure resource you're connecting to. Alternatively, you could use the **[REST API](/rest/api/storagerp/privateendpointconnections)** that's available via the Storage resource provider.

+Other providers, such as Azure Cosmos DB or Azure SQL Server, offer similar resource provider REST APIs for managing private endpoint connections.

+1. In the Azure portal, find the Azure resource that you're connecting to and open the **Networking** page.

+1. Find the section that lists the private endpoint connections. Following is an example for a storage account. After the asynchronous operation has succeeded, there should be a request for a private endpoint connection with the request message from the previous API call.

+## 4 - Query the status of the shared private link resource

+To confirm that the shared private link resource has been updated after approval, revisit the "Shared Private Access" blade of the search service **Networking** page on the Azure portal and check the "Connection State".

+## 5 - Secure your Azure resource

+The steps for restricting access vary by resource. The following scenarios show three of the more common types of resources.

+ The following is an example of how to configure an Azure storage account firewall. If you select this option and leave the page empty, it means that no traffic from virtual networks is allowed.

+ 

+ The following is an example of how to configure Azure Key Vault firewall.

+ 

+ No network setting changes are needed for Azure Functions firewalls. The function will automatically only allow access through private link after the creation of a shared private endpoint to the Function.

+## 6 - Configure the indexer to run in the private environment

+[Indexer execution](search-indexer-securing-resources.md#indexer-execution-environment) occurs in either a private environment that's specific to the search service, or a multi-tenant environment that's used internally to offload expensive skillset processing for multiple customers. The execution environment is usually transparent, but once you start building firewall rules or establishing private connections, you'll have to take indexer execution into account. In the case of private endpoints, you'll need to ensure that indexer execution always occurs in the private environment.

+This step shows you how to configure the indexer to run in the private environment using the REST API. You can also set the execution environment using the JSON editor in the portal.

+> [!NOTE]

+> You can perform this step before the private endpoint connection is approved. However, until the private endpoint connection shows as approved, any existing indexer that tries to communicate with a secure resource (such as the storage account) will end up in a transient failure state and new indexers will fail to be created.

+ 

+ 1. Obtain the status of the shared private link resource by using the [GET API](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/get).

+ 1. If the status is `Approved`, check the `properties.provisioningState` property.

+ 1. If it's `Incomplete`, there might be a problem with underlying dependencies.

+ 1. In this case, reissue the `PUT` request to re-create the shared private link. You might also need to repeat the approval step.

+ 1. Check the status of the resource to verify whether the issue is fixed.

+description: Learn import concepts and requirements related to network-level security options for outbound requests made by indexers in Azure Cognitive Search.

+Azure Cognitive Search indexers can make outbound calls to various Azure resources during execution. This article explains the concepts behind indexer access to content that's protected by IP firewalls, private endpoints, or other Azure network-level security mechanisms.

+| Azure Functions | Attached to a skillset and used to host for custom web api skills |

+| Cognitive Services | Attached to a skillset and used to bill enrichment beyond the 20 free documents limit |

+> A Cognitive Service resource attached to a skillset is used for billing, based on the enrichments performed and written into the search index or a knowledge store. It isn't used for accessing the Cognitive Services APIs. Access from an indexer's enrichment pipeline to Cognitive Services APIs occurs via an internal secure communication channel, where data is strongly encrypted in transit and is never stored at rest.

+Your Azure resources could be protected using any number of the network isolation mechanisms offered by Azure. Depending on the resource and region, Cognitive Search indexers can make outbound connections through IP firewalls and private endpoints, subject to the limitations indicated in the following table.

+> In addition to the options listed above, for network-secured Azure Storage accounts, you can make Azure Cognitive Search a [trusted Microsoft service](../storage/common/storage-network-security.md#trusted-microsoft-services). This means that a specific search service can bypass virtual network or IP restrictions on the storage account and can access data in the storage account, if the appropriate role-based access control is enabled on the storage account. For more information, see [Indexer connections using the trusted service exception](search-indexer-howto-access-trusted-service-exception.md). This option can be utilized instead of the IP restriction route, in case either the storage account or the search service can't be moved to a different region.

+For optimum processing, a search service will determine an internal execution environment to set up the operation. You can't control or configure the environment, but it's important to know they exist so that you can account for them when setting up IP firewall rules.

+For any given indexer run, Azure Cognitive Search determines the best environment in which to run the indexer. If you're using an IP firewall to control access to Azure resources, knowing about execution environments will help you set up an IP range that is inclusive of both, as discussed in the next section.

+If the resource that your indexer pulls data from exists behind a firewall, you'll need [inbound rules that admit indexer connections](search-indexer-howto-access-ip-restricted.md). Make sure that the IP ranges in inbound rules include all of the IPs from which an indexer request can originate. As stated above, there are two possible environments in which indexers run and from which access requests can originate. You'll need to add the IP addresses of **both** environments for indexer access to work.

+When integrating Azure Cognitive Search into a solution that runs on a virtual network, consider the following constraints:

+- An indexer can't make a direct connection to a [virtual network service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md). Public endpoints with credentials, private endpoints, trusted service, and IP addressing are the only supported methodologies for indexer connections.

+- A search service always runs in the cloud and can't be provisioned into a specific virtual network, running natively on a virtual machine. This functionality will not be offered by Azure Cognitive Search.

+To achieve integration, you can use [private endpoints](../private-link/private-endpoint-overview.md) on outbound connections to resources that are locked down (running on a protected virtual network, or just not available over a public connection).

+The mechanism by which a search service connects to your protected resource is through a shared private link. A shared private link is [Azure Private Link](../private-link/private-link-overview.md) resource that's created, managed, and used from within Cognitive Search.

+### Billing impact

+- A shared private link requires a billable search service, where the minimum tier is either Basic for text-based indexing or Standard 2 (S2) for skills-based indexing. See [tier limits on the number of private endpoints](search-limits-quotas-capacity.md#shared-private-link-resource-limits) for details.

+- Inbound and outbound connections are subject to [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).

+In Azure Cognitive Search, you can create a shared private link using either the portal or a [management API](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/create-or-update).

+Traffic that goes over this (outbound) private endpoint connection will originate only from the virtual network that's in the search service specific "private" indexer execution environment.

+If the private endpoint isn't approved, or if the indexer doesn't utilize the private endpoint connection then the indexer run will end up in `transientFailure`.

+To enable indexers to access resources via private endpoint connections, it's mandatory to set the `executionEnvironment` of the indexer to `"Private"` to ensure that all indexer runs will be able to utilize the private endpoint. This is because private endpoints are provisioned within the private search service-specific environment.

+The data source object is configured with settings that are specific to Azure SQL Database resources, including [partial or incremental indexing](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md#CaptureChangedRows) for leveraging the built-in [change detection features](/sql/relational-databases/track-changes/about-change-tracking-sql-server) of Azure SQL. The source demo hotels database in Azure SQL has a "soft delete" column named **IsDeleted**. When this column is set to true in the database, the indexer removes the corresponding document from the Azure Cognitive Search index.

+A full list of the Azure Resources for which you can create outbound private endpoints from Azure Cognitive Search can be found [here](search-indexer-howto-access-private.md#group-ids) along with the related **Group ID** values.

+Within a service, programmatic creation of content is through [Search Service REST API](/rest/api/searchservice/) or [.NET SDK](/dotnet/api/overview/azure/search.documents-readme). While there are no dedicated PowerShell commands for content, you can write PowerShell script that calls REST or .NET APIs to create and load indexes.

+A full list of the Azure Resources for which you can create outbound private endpoints from Azure Cognitive Search can be found [here](search-indexer-howto-access-private.md#group-ids) along with the related **Group ID** values.

+# Troubleshooting common issues with Shared Private Links

+A shared private link allows Azure Cognitive Search to make secure outbound connections over a private endpoint when accessing customer resources in a virtual network. This article can help you resolve errors that might occur.

+Creating a shared private link is search service control plane operation. You can [create a shared private link](search-indexer-howto-access-private.md) using either the portal or a [Management REST API](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/create-or-update). During provisioning, the state of the request is "Updating". After the operation completes successfully, status is "Succeeded". A private endpoint to the resource, along with any DNS zones and mappings, is created. This endpoint is used exclusively by your search service instance and is managed through Azure Cognitive Search.

+## Request validation failures

+ + Length should be between 1 to 60 characters

+ + Alphanumeric characters

+ + Names can include underscore `_`, period `.`, and hyphen `-` as long as it's not the first character in the name

+ | Azure resource | Group ID | First available API version |

+ | | | |

+ | Azure Storage - Blob (or) ADLS Gen 2 | `blob`| `2020-08-01` |

+ | Azure Storage - Tables | `table`| `2020-08-01` |

+ | Azure Cosmos DB - SQL API | `Sql`| `2020-08-01` |

+ | Azure SQL Database | `sqlServer`| `2020-08-01` |

+ | Azure Database for MySQL (preview) | `mysqlServer`| `2020-08-01-Preview` |

+ | Azure Key Vault | `vault` | `2020-08-01` |

+ | Azure Functions (preview) | `sites` | `2020-08-01-Preview` |

+ Resources marked with "(preview)" must be created using a preview version of the Management REST API versions.

+ | Azure resource | Resource type | First available API version |

+ | | | |

+ | Azure Storage | `Microsoft.Storage/storageAccounts`| `2020-08-01` |

+ | Azure Cosmos DB | `Microsoft.DocumentDb/databaseAccounts`| `2020-08-01` |

+ | Azure SQL Database | `Microsoft.Sql/servers`| `2020-08-01` |

+ | Azure Database for MySQL (preview) | `Microsoft.DBforMySQL/servers`| `2020-08-01-Preview` |

+ | Azure Key Vault | `Microsoft.KeyVault/vaults` | `2020-08-01` |

+ | Azure Functions (preview) | `Microsoft.Web/sites` | `2020-08-01-Preview` |

+ In addition, the specified `groupId` needs to be valid for the specified resource type. For example, `groupId` "blob" is valid for type "Microsoft.Storage/storageAccounts", it can't be used with any other resource type. For a given search management API version, customers can find out the supported `groupId` and resource type details by utilizing the [List supported API](/rest/api/searchmanagement/2021-04-01-preview/private-link-resources/list-supported).

+## Deployment failures

+A search service initiates the request to create a shared private link, but Azure Resource Manager performs the actual work. You can [check the deployment's status](search-indexer-howto-access-private.md#check-endpoint-status) in the portal or by query, and address any errors that might occur.

+| Network resource provider not registered on target resource's subscription | A private endpoint (and associated DNS mappings) is created for the target resource (Storage Account, Cosmos DB, Azure SQL) via the `Microsoft.Network` resource provider (RP). If the subscription that hosts the target resource ("target subscription") isn't registered with `Microsoft.Network` RP, then the Azure Resource Manager deployment can fail. | You need to register this RP in their target subscription. You can [register the resource provider](../azure-resource-manager/management/resource-providers-and-types.md) using the Azure portal, PowerShell, or CLI.|

+| Invalid `groupId` for the target resource | When Cosmos DB accounts are created, you can specify the API type for the database account. While Cosmos DB offers several different API types, Azure Cognitive Search only supports "Sql" as the `groupId` for shared private link resources. When a shared private link of type "Sql" is created for a `privateLinkResourceId` pointing to a non-Sql database account, the Azure Resource Manager deployment will fail because of the `groupId` mismatch. The Azure resource ID of a Cosmos DB account isn't sufficient to determine the API type that is being used. Azure Cognitive Search tries to create the private endpoint, which is then denied by Cosmos DB. | You should ensure that the `privateLinkResourceId` of the specified Cosmos DB resource is for a database account of "Sql" API type |

+| Target resource not found | Existence of the target resource specified in `privateLinkResourceId` is checked only during the commencement of the Azure Resource Manager deployment. If the target resource is no longer available, then the deployment will fail. | You should ensure that the target resource is present in the specified subscription and resource group and isn't moved or deleted. |

+| Transient/other errors | The Azure Resource Manager deployment can fail if there is an infrastructure outage or because of other unexpected reasons. This should be rare and usually indicates a transient state. | Retry creating this resource at a later time. If the problem persists, reach out to Azure Support. |

+## Resource stalled in an "Updating" or "Incomplete" state

+1. You request a search RP to delete the shared private link resource.

+1. Search RP validates that the resource exists and is in a state valid for deletion. If so, it initiates an Azure Resource Manager delete operation to remove the resource.

+1. Search queries for the completion of the operation (which usually takes a few minutes). At this point, the shared private link resource would have a provisioning state of "Deleting".

+1. Once the operation completes successfully, the backing private endpoint and any associated DNS mappings are removed. The resource won't show up as part of [List](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/list-by-service) operation and attempting a [Get](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/get) operation on this resource will result in a 404 Not Found.

+| Resource is in non-terminal state | A shared private link resource that's not in a terminal state (`Succeeded` or `Failed`) can't be deleted. It is possible (rare) for a shared private link resource to be stuck in a non-terminal state for up to 8 hours. | Wait until the resource has reached a terminal state and retry the delete request. |

+| Delete operation failed with error "Conflict" | The Azure Resource Manager operation to delete a shared private link resource reaches out to the resource provider of the target resource specified in `privateLinkResourceId` ("target RP") before it can remove the private endpoint and DNS mappings. Customers can utilize [Azure resource locks](../azure-resource-manager/management/lock-resources.md) to prevent any changes to their resources. When Azure Resource Manager reaches out to the target RP, it requires the target RP to modify the state of the target resource (to remove details about the private endpoint from its metadata). When the target resource has a lock configured on it (or its resource group/subscription), the Azure Resource Manager operation fails with a "Conflict" (and appropriate details). The shared private link resource won't be deleted. | Customers should remove the lock on the target resource before retrying the deletion operation. **Note**: This problem can also occur when customers try to delete a search service with shared private link resources that point to "locked" target resources |

+|**Syslog** | Collection only | [Syslog data connector](connect-syslog.md) |

+ - Amazon Linux 2017.09 and Amazon Linux 2 (64-bit only)

+ - Oracle Linux 7, 8 (64-bit/32-bit)

+| **AWS VPC logs** collected using the AWS S3 connector |`_ASim_NetworkSession_AWSVPC` (regular)<br> `_Im_NetworkSession_AWSVPC` (filtering) | `ASimNetworkSessionAWSVPC` (regular)<br> `vimNetworkSessionAWSVPC` (filtering) |

+| **Azure Firewall logs** |`_ASim_NetworkSession_AzureFirewall` (regular)<br> `_Im_NetworkSession_AzureFirewall` (filtering) | `ASimNetworkSessionAzureFirewall` (regular)<br> `vimNetworkSessionAzureFirewall` (filtering) |

+| **Azure Network Security Groups (NSG) logs** collected as part of the Azure Monitor [VM Insights solution](/azure/azure-monitor/vm/vminsights-overview) |`_ASim_NetworkSession_AzureNSG` (regular)<br> `_Im_NetworkSession_AzureNSG` (filtering) | `ASimNetworkSessionAzureNSG` (regular)<br> `vimNetworkSessionAzureNSG` (filtering) |

+| **Palo Alto PanOS traffic logs** collected using CEF |`_ASim_NetworkSession_PaloAltoCEF` (regular)<br> `_Im_NetworkSession_PaloAltoCEF` (filtering) | `ASimNetworkSessionPaloAltoCEF` (regular)<br> `vimNetworkSessionPaloAltoCEF` (filtering) |

+| **Windows Firewall logs**<br>Collected as Windows events using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. |`_ASim_NetworkSession_`<br>`MicrosoftWindowsEventFirewall` (regular)<br><br>`_Im_NetworkSession_`<br>`MicrosoftWindowsEventFirewall` (filtering) | `ASimNetworkSession`<br>`MicrosoftWindowsEventFirewall` (regular)<br><br> `vimNetworkSession`<br>`MicrosoftWindowsEventFirewall` (filtering) |

+| **Zscaler ZIA firewall logs** |`_ASim_NetworkSessionZscalerZIA` (regular)<br> `_Im_NetworkSessionZscalerZIA` (filtering) | `AsimNetworkSessionZscalerZIA` (regular)<br> `vimNetowrkSessionSzcalerZIA` (filtering) |

+| <a name="eventtype"></a> **EventType** | Mandatory | Enumerated | Describes the operation reported by the record.<br><br> For Network Session records, the allowed values are:<br> - `EndpointNetworkSession`: for sessions reported by endpoint systems, including clients and servers. For such systems, the schema supports the `remote` and `local` alias fields. <br> - `NetworkSession`: for sessions reported by intermediary systems and network taps. <br> - `Flow`: for `NetFlow` type aggregated flows which group multiple similar sessions together. For such records, [EventSubType](#eventsubtype) should be left empty. |

+| <a name="networkdirection"></a>**NetworkDirection** | Optional | Enumerated | The direction of the connection or session:<br><br> - For the [EventType](#eventtype) `NetworkSession`, **NetworkDirection** represents the direction relative to the organization or cloud environment boundary. Supported values are `Inbound`, `Outbound`, `Local` (to the organization), `Extenral` (to the organization) or `NA` (Not Applicable).<br><br> - For the [EventType](#eventtype) `EndpointNetworkSession`, **NetworkDirection** represents the direction relative to the endpoint. Supported values are `Inbound`, `Outbound`, `Local` (to the system), 'Listen' or `NA` (Not Applicable). The `Listen` value indicates that a device has started accepting network connections but isn't actually, necessarily, connected. |

+| **Incident trigger** | "Microsoft Sentinel incident (Preview)" | Recommended for most incident automation scenarios.<br><br>The playbook receives incident objects, including entities and alerts. Using this trigger allows the playbook to be attached to an **Automation rule**, so it can be triggered when an incident is created in Microsoft Sentinel, and all the [benefits of automation rules](./automate-incident-handling-with-automation-rules.md) can be applied to the incident. | Playbooks with this trigger do not support alert grouping, meaning they will receive only the first alert sent with each incident.

+| **Alert trigger** | "Microsoft Sentinel alert" | Advisable for playbooks that need to be run on alerts manually from the Microsoft Sentinel portal, or for **scheduled** analytics rules that don't generate incidents for their alerts. | This trigger cannot be used to automate responses for alerts generated by **Microsoft security** analytics rules.<br><br>Playbooks using this trigger cannot be called by **automation rules**. |

+The **Incident** object received from **Microsoft Sentinel incident** includes the following dynamic fields:

+- Playbook is triggered by **Microsoft Sentinel incident**

+- Playbook is triggered by **Microsoft Sentinel alert**

+- Playbook is triggered by **Microsoft Sentinel incident**

+- Playbook is triggered by **Microsoft Sentinel alert**

+- Playbook is triggered by **Microsoft Sentinel incident**

+- Playbook is triggered by **Microsoft Sentinel alert**

+## Bind apps to Application Configuration Service for Tanzu and Tanzu Service Registry

+### [Portal](#tab/azure-portal)

+To bind apps to Application Configuration Service for VMware Tanzu®, follow these steps.

+1. In the Azure portal, select **Application Configuration Service**.

+1. Select **App binding**, then select **Bind app**.

+1. Choose one app in the dropdown and select **Apply** to bind the application to Application Configuration Service for Tanzu.

+ 

+A list under **App name** shows the apps bound with Application Configuration Service for Tanzu, as shown in the following screenshot:

+

+To bind apps to VMware Tanzu® Service Registry, follow these steps.

+1. Select **Service Registry**.

+1. Select **App binding**, then select **Bind app**.

+1. Choose one app in the dropdown, and then select **Apply** to bind the application to Tanzu Service Registry.

+ :::image type="content" source="media/enterprise/getting-started-enterprise/service-reg-app-bind-dropdown.png" alt-text="Azure portal screenshot of Azure Spring Cloud with Service Registry page and 'Bind app' dialog showing.":::

+A list under **App name** shows the apps bound with Tanzu Service Registry, as shown in the following screenshot:

+### [Azure CLI](#tab/azure-cli)

+To bind apps to Application Configuration Service for VMware Tanzu® and VMware Tanzu® Service Registry, use the following commands.

+```azurecli

+az spring-cloud application-configuration-service bind --app api-gateway

+az spring-cloud application-configuration-service bind --app customers-service

+az spring-cloud service-registry bind --app api-gateway

+az spring-cloud service-registry bind --app customers-service

+```

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+> [Quickstart: Set up a Log Analytics workspace](quickstart-setup-log-analytics.md)

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Next steps

+> [Quickstart: Set up a Log Analytics workspace](quickstart-setup-log-analytics.md)

+```azurecli

+We will use the following values. Save them in a text file or environment variables to avoid errors. The password should be at least 8 characters long and contain at least one English uppercase letter, one English lowercase letter, one number, and one non-alphanumeric character (!, $, #, %, and so on.).

+ ```azcli

+ az configure --defaults group=<resource group name> spring-cloud=<service name>

+ ```

+1. Create an Azure Database for MySQL server.

+ ```azcli

+ az mysql server create --resource-group ${RESOURCE_GROUP} \

+ --name ${MYSQL_SERVER_NAME} \

+ --admin-user ${MYSQL_SERVER_ADMIN_NAME} \

+ --admin-password ${MYSQL_SERVER_ADMIN_PASSWORD} \

+ --sku-name GP_Gen5_2 \

+ --ssl-enforcement Disabled \

+ --version 5.7

+ ```

+ ```azcli

+ az mysql server firewall-rule create --name allAzureIPs \

+ --server ${MYSQL_SERVER_NAME} \

+ --resource-group ${RESOURCE_GROUP} \

+ --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0

+ ```

+ ```azcli

+ az mysql server firewall-rule create --name devMachine \

+ --server ${MYSQL_SERVER_NAME} \

+ --resource-group ${RESOURCE_GROUP} \

+ --start-ip-address <ip-address-of-your-dev-machine> \

+ --end-ip-address <ip-address-of-your-dev-machine>

+ ```

+ ```azcli

+ az mysql server configuration set --name wait_timeout \

+ --resource-group ${RESOURCE_GROUP} \

+ --server ${MYSQL_SERVER_NAME} --value 2147483

+ ```

+ ```sql

+ // SUBSTITUTE values

+ mysql -u ${MYSQL_SERVER_ADMIN_LOGIN_NAME} \

+ -h ${MYSQL_SERVER_FULL_NAME} -P 3306 -p

+ Enter password:

+ Welcome to the MySQL monitor. Commands end with ; or \g.

+ Your MySQL connection id is 64379

+ Server version: 5.6.39.0 MySQL Community Server (GPL)

+ Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

+ Oracle is a registered trademark of Oracle Corporation and/or its

+ affiliates. Other names may be trademarks of their respective

+ owners.

+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

+ mysql> CREATE DATABASE petclinic;

+ Query OK, 1 row affected (0.10 sec)

+ mysql> CREATE USER 'root' IDENTIFIED BY 'petclinic';

+ Query OK, 0 rows affected (0.11 sec)

+ mysql> GRANT ALL PRIVILEGES ON petclinic.* TO 'root';

+ Query OK, 0 rows affected (1.29 sec)

+ mysql> CALL mysql.az_load_timezone();

+ Query OK, 3179 rows affected, 1 warning (6.34 sec)

+ mysql> SELECT name FROM mysql.time_zone_name;

+ ...

+ mysql> quit

+ Bye

+ ```

+ ```azcli

+ az mysql server configuration set \

+ --resource-group ${RESOURCE_GROUP} \

+ --name time_zone \

+ --server ${MYSQL_SERVER_NAME} \

+ --value "US/Pacific"

+ ```

+az spring-cloud app update \

+ --name customers-service \

+ --env \

+ MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \

+ --env \

+ MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \

+ --env \

+ MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \

+ --env \

+ MYSQL_SERVER_FULL_NAME=${MYSQL_SERVER_FULL_NAME} \

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+> [Analyze logs and metrics with diagnostics settings](diagnostic-services.md)>

+> [Stream Azure Spring Cloud app logs in real-time](./how-to-log-streaming.md)

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download/dotnet-core/3.1). The Azure Spring Cloud service supports .NET Core 3.1 and later versions.

+- [The Azure CLI version 2.0.67 or higher](/cli/azure/install-azure-cli).

+- [Git](https://git-scm.com/).

+ ```azurecli

+ az login

+ ```

+ ```azurecli

+ az spring-cloud create -n <service instance name> -g <resource group name>

+ ```

+ This command might take several minutes to complete.

+- [Install JDK 8 or JDK 11](/azure/developer/java/fundamentals/java-jdk-install)

+- [Sign up for an Azure subscription](https://azure.microsoft.com/free/)

+- (Optional) [Install the Azure CLI version 2.0.67 or higher](/cli/azure/install-azure-cli) and install the Azure Spring Cloud extension with the command: `az extension add --name spring-cloud`

+- (Optional) [Install the Azure Toolkit for IntelliJ IDEA](https://plugins.jetbrains.com/plugin/8053-azure-toolkit-for-intellij/) and [sign-in](/azure/developer/java/toolkit-for-intellij/create-hello-world-web-app#installation-and-sign-in)

+ 

+ 

+ - **Subscription**: Select the subscription you want to be billed for this resource.

+ - **Resource group**: Creating new resource groups for new resources is a best practice. You will use this value in later steps as **\<resource group name\>**.

+ - **Service Details/Name**: Specify the **\<service instance name\>**. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.

+ - **Location**: Select the location for your service instance.

+ - Select **Standard** for the **Pricing tier** option.

+ 

+ ```azurecli

+ az extension update --name spring-cloud

+ ```

+ ```azurecli

+ az login

+ az account list -o table

+ az account set --subscription <Name or ID of subscription, skip if you only have 1 subscription>

+ ```

+ ```azurecli

+ az group create --name <resource group name>

+ az spring-cloud create -n <service instance name> -g <resource group name>

+ ```

+ Learn more about [Azure Resource Groups](../azure-resource-manager/management/overview.md).

+ ```azurecli

+ az config set defaults.group=<resource group name> defaults.spring-cloud=<service name>

+ ```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Next steps

+> [Quickstart: Set up Azure Spring Cloud Config Server](./quickstart-setup-config-server.md)

+> [Quickstart: Provision an Azure Spring Cloud service instance](./quickstart-provision-service-instance.md)

+> [Quickstart: Provision an Azure Spring Cloud service instance using the Enterprise tier](./quickstart-provision-service-instance-enterprise.md)

+To use Application Configuration Service for Tanzu, follow these steps.

+To set the default repository, use the following command:

+```azurecli

+az spring-cloud application-configuration-service git repo add \

+ --name default \

+ --patterns api-gateway,customers-service \

+ --uri https://github.com/Azure-Samples/spring-petclinic-microservices-config.git \

+ --label master

+```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Next steps

+> [Quickstart: Build and deploy apps to Azure Spring Cloud](quickstart-deploy-apps.md)

+## Clean up resources

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+```azurecli

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+```

+## Next steps

+> [Quickstart: Monitoring Azure Spring Cloud apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md)

+If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

+echo "Enter the Resource Group name:" &&

+read resourceGroupName &&

+az group delete --name $resourceGroupName &&

+echo "Press [ENTER] to continue ..."

+> [Introduction to the sample app](./quickstart-sample-app-introduction.md)

+| Supported Azure Functions [runtimes](../azure-functions/supported-languages.md#languages-by-runtime-version)¹ | Node.js 12<br>Node.js 14<br>Node.js 16 (preview)<br>.NET Core 3.1<br>.NET 6.0<br>Python 3.8<br>Python 3.9 | All |

+¹ To specify the runtime version in managed functions, add a configuration file to your frontend app and set the [`apiRuntime` property](configuration.md#platform). Support is subject to the [Azure Functions language runtime support policy](../azure-functions/language-support-policy.md).

+| <ul><li>Triggers are limited to [HTTP](../azure-functions/functions-bindings-http-webhook.md).</li><li>The Azure Functions app must either be in Node.js 12, Node.js 14, Node.js 16 (preview), .NET Core 3.1, .NET 6.0, Python 3.8, or Python 3.9.</li><li>Some application settings are managed by the service, therefore the following prefixes are reserved by the runtime:<ul><li>*APPSETTING\_, AZUREBLOBSTORAGE\_, AZUREFILESSTORAGE\_, AZURE_FUNCTION\_, CONTAINER\_, DIAGNOSTICS\_, DOCKER\_, FUNCTIONS\_, IDENTITY\_, MACHINEKEY\_, MAINSITE\_, MSDEPLOY\_, SCMSITE\_, SCM\_, WEBSITES\_, WEBSITE\_, WEBSOCKET\_, AzureWeb*</li></ul></li></ul> | <ul><li>You are responsible to manage the Functions app deployment.</li></ul> |

+## Platform

+The `platform` section controls platform specific settings, such as the API language runtime version.

+### Selecting the API language runtime version

+To configure the API language runtime version, set the `apiRuntime` property in the `platform` section to one of the following supported values.

+| Language runtime version | Operating system | Azure Functions version | `apiRuntime` value |

+|--|--|--|--|

+| .NET Core 3.1 | Windows | 3.x | `dotnet:3.1` |

+| .NET 6.0 in-process | Windows | 4.x | `dotnet:6.0` |

+| .NET 6.0 isolated | Windows | 4.x | `dotnet-isolated:6.0` |

+| Node.js 12.x | Linux | 3.x | `node:12` |

+| Node.js 14.x | Linux | 4.x | `node:14` |

+| Node.js 16.x (preview) | Linux | 4.x | `node:16` |

+| Python 3.8 | Linux | 3.x | `python:3.8` |

+| Python 3.9 | Linux | 4.x | `python:3.9` |

+The following example configuration demonstrates how to use the `apiRuntime` property to select Node.js 16 as the API language runtime version.

+```json

+{

+ "platform": {

+ "apiRuntime": "node:16"

+ }

+}

+```

+### Disabling cache for authenticated paths

+

+

+

+

+

+ $resourceId -MetricName "UsedCapacity" -TimeGrain 01:00:00

+# Tutorial: Create an Apache Spark application with VSCode using a Synapse workspace

+> [!Note]

+>

+> **Synapse PySpark installation error** is an [known issue](#known-issues).

+## Submit interactive Synapse PySpark queries to Spark pool (Not supported anymore)

+> [!NOTE]

+>

+>For Synapse Pyspark interactive, since its dependency will not be maintained anymore by other team, this will not be maintained anymore as well. If you trying to use Synapse Pyspark interactive, please switch to use [Azure Synapse Analytics](https://ms.web.azuresynapse.net/en-us/) instead. And it's a long term change.

+>

+### Synapse PySpark installation error.

+### Not supported submit interactive Synapse PySpark queries to Spark pool anymore

+For Synapse Pyspark interactive, since its dependency will not be maintained anymore by other team, this will not be maintained anymore as well. If you trying to use Synapse Pyspark interactive, please switch to use [Azure Synapse Analytics](https://ms.web.azuresynapse.net/en-us/) instead. And it's a long term change.

+The NVadsA10v5-series virtual machines are powered by [NVIDIA A10](https://www.nvidia.com/en-us/data-center/products/a10-gpu/) GPUs and AMD EPYC 74F3V(Milan) CPUs with a base frequency of 3.4 GHz, all-cores peak frequency of 4.0 GHz. With NVadsA10v5-series Azure is introducing virtual machines with partial NVIDIA GPUs. Pick the right sized virtual machine for GPU accelerated graphics applications and virtual desktops starting at 1/6th of a GPU with 4-GiB frame buffer to a full A10 GPU with 24-GiB frame buffer.

+[Sign up for preview](https://aka.ms/AzureNVadsA10v5Preview) to get early access to the NVadsA10v5-series.

+To take advantage of the GPU capabilities of Azure NVadsA10v5-series VMs, NVIDIA GPU drivers must be installed.

+During preview you need to manually install the NVIDIA GPU-P driver for [Linux](https://download.microsoft.com/download/4/3/9/439aea00-a02d-4875-8712-d1ab46cf6a73/NVIDIA-Linux-x86_64-510.47.03-grid-azure.run) and [Windows](https://download.microsoft.com/download/8/d/2/8d228f28-56e2-4e60-bdde-a1dccfe94869/511.65_grid_win10_win11_server2016_server2019_server2022_64bit_Azure_swl.exe). We'll release updated drivers before GA and include it in extensions and all the standard documentation pages.

+* Learn about [metrics and alerts for NAT gateway resources](nat-metrics.md).