Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
ai-services | Azure Kubernetes Recipe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/containers/azure-kubernetes-recipe.md | |
ai-services | Configure Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/configure-containers.md | Title: Configure containers - Language service. Description: Language service provides each container with a common configuration framework, so that you can easily configure and manage storage, logging and telemetry, and security settings for your containers. ms.custom: ignite-2023. Last updated 12/19/2023. # Configure Language service docker containers |
ai-services | Multi Region Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/multi-region-deployment.md | Title: Deploy custom language projects to multiple regions in Azure AI Language. Description: Learn about deploying your language projects to multiple regions. Last updated 12/19/2023. |
ai-services | Project Versioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/project-versioning.md | Title: Conversational Language Understanding Project Versioning. Description: Learn how versioning works in conversational language understanding. Last updated 12/19/2023. |
ai-services | Data Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/data-limits.md | Title: Data limits for Language service features. Description: Data and service limitations for Azure AI Language features. Last updated 12/19/2023. # Service limits for Azure AI Language |
ai-services | Developer Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/developer-guide.md | Title: Use the Language SDK and REST API. Description: Learn about how to integrate the Language service SDK and REST API into your applications. Last updated 12/19/2023. # SDK and REST developer guide for the Language service |
ai-services | Encryption Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/encryption-data-at-rest.md | Title: Language service encryption of data at rest. Description: Learn how the Language service encrypts your data when it's persisted to the cloud. Last updated 12/19/2023. Customer intent: As a user of the Language service, I want to learn how encryption at rest works. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/language-support.md | Title: Language support for language features. Description: This article explains which natural languages are supported by the different features of Azure AI Language. Last updated 12/19/2023. # Language support for Language features |
ai-services | Migrate Language Service Latest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/migrate-language-service-latest.md | Title: Migrate to the latest version of Azure AI Language. Description: Learn how to move your Text Analytics applications to use the latest version of the Language service. Last updated 12/19/2023. # Migrate to the latest version of Azure AI Language |
ai-services | Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/migrate.md | Title: "Migrate to Azure AI Language from: LUIS, QnA Maker, and Text Analytics". Description: Use this article to learn if you need to migrate your applications from LUIS, QnA Maker, and Text Analytics. Last updated 12/19/2023. # Migrating to Azure AI Language |
ai-services | Model Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/model-lifecycle.md | Title: Model Lifecycle of Language service models. Description: This article describes the timelines for models and model versions used by Language service features. Last updated 01/16/2024. # Model lifecycle |
ai-services | Multilingual Emoji Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/multilingual-emoji-support.md | Title: Multilingual and emoji support in Azure AI Language. Description: Learn about offsets caused by multilingual and emoji encodings in Language service features. Last updated 12/19/2023. # Multilingual and emoji support in Language service features |
ai-services | Previous Updates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/previous-updates.md | Title: Previous language service updates. Description: An archive of previous Azure AI Language updates. Last updated 12/19/2023. |
ai-services | Regional Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/regional-support.md | Title: Regional support for Azure AI Language. Description: Learn which Azure regions are supported by the Language service. Last updated 12/19/2023. |
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/role-based-access-control.md | Title: Role-based access control for the Language service. Description: Learn how to use Azure RBAC for managing individual access to Azure resources. Last updated 12/19/2023. |
ai-services | Use Asynchronously | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/use-asynchronously.md | Title: "How to: Use Language service features asynchronously". Description: Learn how to send Language service API requests asynchronously. Last updated 12/19/2023. # How to use Language service features asynchronously |
ai-services | App Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/app-architecture.md | Title: When to choose conversational language understanding or orchestration wor. Description: Learn when to choose conversational language understanding or orchestration workflow. Last updated 12/19/2023. |
ai-services | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/best-practices.md | Title: Conversational language understanding best practices. Description: Apply best practices when using conversational language understanding. Last updated 12/19/2023. |
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/data-formats.md | Title: conversational language understanding data formats. Description: Learn about the data formats accepted by conversational language understanding. Last updated 12/19/2023. |
ai-services | Entity Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/entity-components.md | Title: Entity components in Conversational Language Understanding. Description: Learn how Conversational Language Understanding extracts entities from text. Last updated 12/19/2023. |
ai-services | Evaluation Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/evaluation-metrics.md | Title: Conversational Language Understanding evaluation metrics. Description: Learn about evaluation metrics in Conversational Language Understanding. Last updated 12/19/2023. |
ai-services | Multiple Languages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/multiple-languages.md | Title: Multilingual projects. Description: Learn how to make use of multilingual projects in conversational language understanding. Last updated 12/19/2023. # Multilingual projects |
ai-services | None Intent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/concepts/none-intent.md | Title: Conversational Language Understanding None Intent. Description: Learn about the default None intent in conversational language understanding. Last updated 12/19/2023. |
ai-services | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/faq.md | Title: Frequently Asked Questions. Description: Use this article to quickly get the answers to FAQ about conversational language understanding. Last updated 12/19/2023. |
ai-services | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/glossary.md | Title: Definitions used in conversational language understanding. Description: Learn about definitions used in conversational language understanding. Last updated 12/19/2023. |
ai-services | Build Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/build-schema.md | Title: How to build a Conversational Language Understanding project schema. Description: Use this article to start building a Conversational Language Understanding project schema. Last updated 12/19/2023. |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/call-api.md | Title: Send prediction requests to a conversational language understanding deplo. Description: Learn about sending prediction requests for conversational language understanding. Last updated 12/19/2023. |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/create-project.md | Title: How to create projects in Conversational Language Understanding. Description: Use this article to learn how to create projects in Conversational Language Understanding. Last updated 12/19/2023. |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/deploy-model.md | Title: How to deploy a model for conversational language understanding. Description: Use this article to learn how to deploy models for conversational language understanding. Last updated 12/19/2023. |
ai-services | Fail Over | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/fail-over.md | Title: Back up and recover your conversational language understanding models. Description: Learn how to save and recover your conversational language understanding models. Last updated 12/19/2023. |
ai-services | Migrate From Luis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/migrate-from-luis.md | Title: Conversational Language Understanding backwards compatibility. Description: Learn about backwards compatibility between LUIS and Conversational Language Understanding. Last updated 12/19/2023. |
ai-services | Tag Utterances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/tag-utterances.md | Title: How to tag utterances in Conversational Language Understanding. Description: Use this article to tag your utterances in Conversational Language Understanding projects. Last updated 12/19/2023. |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/train-model.md | Title: How to train and evaluate models in Conversational Language Understanding. Description: Use this article to train a model and view its evaluation details to make improvements. Last updated 12/19/2023. |
ai-services | View Model Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/how-to/view-model-evaluation.md | Title: How to view conversational language understanding models details. Description: Use this article to learn about viewing the details for a conversational language understanding model. Last updated 12/19/2023. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/language-support.md | Title: Conversational language understanding language support. Description: This article explains which natural languages are supported by the conversational language understanding feature of Azure AI Language. Last updated 12/19/2023. |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/overview.md | Title: Conversational Language Understanding - Azure AI services. Description: Customize an AI model to predict the intentions of utterances, and extract important information from them. Last updated 12/19/2023. |
ai-services | Prebuilt Component Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/prebuilt-component-reference.md | Title: Supported prebuilt entity components. Description: Learn about which entities can be detected automatically in Conversational Language Understanding. Last updated 12/19/2023. |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/quickstart.md | Title: Quickstart - create a conversational language understanding project. Description: Quickly start building an AI model to extract information and predict the intentions of text-based utterances. Last updated 12/19/2023. zone_pivot_groups: usage-custom-language-features |
ai-services | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/service-limits.md | Title: Conversational Language Understanding limits. Description: Learn about the data, region, and throughput limits for Conversational Language Understanding. Last updated 12/19/2023. |
ai-services | Bot Framework | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/conversational-language-understanding/tutorials/bot-framework.md | Title: Add natural language understanding to your bot in Bot Framework SDK using conversational language understanding. Description: Learn how to train a bot to understand natural language. keywords: conversational language understanding, bot framework, bot, language understanding, nlu |
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/concepts/data-formats.md | Title: Custom NER data formats. Description: Learn about the data formats accepted by custom NER. Last updated 12/19/2023. |
ai-services | Evaluation Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/concepts/evaluation-metrics.md | Title: Custom NER evaluation metrics. Description: Learn about evaluation metrics in Custom Named Entity Recognition (NER). Last updated 12/19/2023. |
ai-services | Fail Over | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/fail-over.md | Title: Back up and recover your custom Named Entity Recognition (NER) models. Description: Learn how to save and recover your custom NER models. Last updated 12/19/2023. |
ai-services | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/faq.md | Title: Custom Named Entity Recognition (NER) FAQ. Description: Learn about Frequently asked questions when using custom Named Entity Recognition. Last updated 12/19/2023. |
ai-services | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/glossary.md | Title: Definitions and terms used for Custom Named Entity Recognition (NER). Description: Definitions and terms you may encounter when building AI models using Custom Named Entity Recognition. Last updated 12/19/2023. |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/call-api.md | Title: Send a Named Entity Recognition (NER) request to your custom model. Description: Learn how to send requests for custom NER. Last updated 12/19/2023. ms.devlang: csharp # ms.devlang: csharp, python |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/create-project.md | Title: Create custom NER projects and use Azure resources. Description: Learn how to create and manage projects and Azure resources for custom NER. Last updated 12/19/2023. |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/deploy-model.md | Title: How to deploy a custom NER model. Description: Learn how to deploy a model for custom NER. Last updated 12/19/2023. |
ai-services | Design Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/design-schema.md | Title: Preparing data and designing a schema for custom NER. Description: Learn about how to select and prepare data, to be successful in creating custom NER projects. Last updated 12/19/2023. |
ai-services | Tag Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/tag-data.md | Title: How to label your data for Custom Named Entity Recognition (NER). Description: Learn how to label your data for use with Custom Named Entity Recognition (NER). Last updated 12/19/2023. |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/train-model.md | Title: How to train your Custom Named Entity Recognition (NER) model. Description: Learn about how to train your model for Custom Named Entity Recognition (NER). Last updated 12/19/2023. |
ai-services | Use Autolabeling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/use-autolabeling.md | Title: How to use autolabeling in custom named entity recognition. Description: Learn how to use autolabeling in custom named entity recognition. Last updated 12/19/2023. # How to use autolabeling for Custom Named Entity Recognition |
ai-services | Use Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/use-containers.md | Title: Use Docker containers for Custom Named Entity Recognition on-premises. Description: Learn how to use Docker containers for Custom Named Entity Recognition on-premises. Last updated 12/19/2023. keywords: on-premises, Docker, container, natural language processing |
ai-services | View Model Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/how-to/view-model-evaluation.md | Title: Evaluate a Custom Named Entity Recognition (NER) model. Description: Learn how to evaluate and score your Custom Named Entity Recognition (NER) model. Last updated 12/19/2023. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/language-support.md | Title: Language and region support for custom named entity recognition. Description: Learn about the languages and regions supported by custom named entity recognition. Last updated 12/19/2023. # Language support for custom named entity recognition |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/overview.md | Title: Custom named entity recognition - Azure AI services. Description: Customize an AI model to label and extract information from documents using Azure AI services. Last updated 12/19/2023. |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/quickstart.md | Title: Quickstart - Custom named entity recognition (NER). Description: Quickly start building an AI model to categorize and extract information from unstructured text. Last updated 12/19/2023. zone_pivot_groups: usage-custom-language-features |
ai-services | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-named-entity-recognition/service-limits.md | Title: Custom Named Entity Recognition (NER) service limits. Description: Learn about the data and service limits when using Custom Named Entity Recognition (NER). Last updated 12/19/2023. |
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/data-formats.md | Title: Custom Text Analytics for health data formats. Description: Learn about the data formats accepted by custom text analytics for health. Last updated 12/19/2023. |
ai-services | Entity Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/entity-components.md | Title: Entity components in custom Text Analytics for health. Description: Learn how custom Text Analytics for health extracts entities from text. Last updated 12/19/2023. |
ai-services | Evaluation Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/concepts/evaluation-metrics.md | Title: Custom text analytics for health evaluation metrics. Description: Learn about evaluation metrics in custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/call-api.md | Title: Send a custom Text Analytics for health request to your custom model. Description: Learn how to send a request for custom text analytics for health. Last updated 12/19/2023. ms.devlang: http |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/create-project.md | Title: Using Azure resources in custom Text Analytics for health. Description: Learn about the steps for using Azure resources with custom text analytics for health. Last updated 12/19/2023. |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/deploy-model.md | Title: Deploy a custom Text Analytics for health model. Description: Learn about deploying a model for custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | Design Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/design-schema.md | Title: Preparing data and designing a schema for custom Text Analytics for healt. Description: Learn about how to select and prepare data, to be successful in creating custom TA4H projects. Last updated 12/19/2023. |
ai-services | Fail Over | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/fail-over.md | Title: Back up and recover your custom Text Analytics for health models. Description: Learn how to save and recover your custom Text Analytics for health models. Last updated 12/19/2023. |
ai-services | Label Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/label-data.md | Title: How to label your data for custom Text Analytics for health. Description: Learn how to label your data for use with custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/train-model.md | Title: How to train your custom Text Analytics for health model. Description: Learn about how to train your model for custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | View Model Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/how-to/view-model-evaluation.md | Title: Evaluate a Custom Text Analytics for health model. Description: Learn how to evaluate and score your Custom Text Analytics for health model. Last updated 12/19/2023. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/language-support.md | Title: Language and region support for custom Text Analytics for health. Description: Learn about the languages and regions supported by custom Text Analytics for health. Last updated 12/19/2023. # Language support for custom text analytics for health |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/overview.md | Title: Custom Text Analytics for health - Azure AI services. Description: Customize an AI model to label and extract healthcare information from documents using Azure AI services. Last updated 12/19/2023. |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/quickstart.md | Title: Quickstart - Custom Text Analytics for health (Custom TA4H). Description: Quickly start building an AI model to categorize and extract information from healthcare unstructured text. Last updated 12/19/2023. zone_pivot_groups: usage-custom-language-features |
ai-services | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/reference/glossary.md | Title: Definitions used in custom Text Analytics for health. Description: Learn about definitions used in custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-analytics-for-health/reference/service-limits.md | Title: Custom Text Analytics for health service limits. Description: Learn about the data and service limits when using Custom Text Analytics for health. Last updated 12/19/2023. |
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/concepts/data-formats.md | Title: Custom text classification data formats. Description: Learn about the data formats accepted by custom text classification. Last updated 12/19/2023. |
ai-services | Evaluation Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/concepts/evaluation-metrics.md | Title: Custom text classification evaluation metrics. Description: Learn about evaluation metrics in custom text classification. Last updated 12/19/2023. |
ai-services | Fail Over | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/fail-over.md | Title: Back up and recover your custom text classification models. Description: Learn how to save and recover your custom text classification models. Last updated 12/19/2023. |
ai-services | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/faq.md | Title: Custom text classification FAQ. Description: Learn about Frequently asked questions when using the custom text classification API. Last updated 12/19/2023. |
ai-services | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/glossary.md | Title: Definitions used in custom text classification. Description: Learn about definitions used in custom text classification. Last updated 12/19/2023. |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/call-api.md | Title: Send a text classification request to your custom model. Description: Learn how to send requests for custom text classification. Last updated 12/19/2023. ms.devlang: csharp # ms.devlang: csharp, python |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/create-project.md | Title: How to create custom text classification projects. Description: Learn about the steps for using Azure resources with custom text classification. Last updated 12/19/2023. |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/deploy-model.md | Title: How to deploy a custom text classification model. Description: Learn how to deploy a model for custom text classification. Last updated 12/19/2023. |
ai-services | Design Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/design-schema.md | Title: How to prepare data and define a custom classification schema. Description: Learn about data selection, preparation, and creating a schema for custom text classification projects. Last updated 12/19/2023. |
ai-services | Tag Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/tag-data.md | Title: How to label your data for custom classification - Azure AI services. Description: Learn about how to label your data for use with the custom text classification. Last updated 12/19/2023. |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/train-model.md | Title: How to train your custom text classification model - Azure AI services. Description: Learn about how to train your model for custom text classification. Last updated 12/19/2023. |
ai-services | Use Autolabeling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/use-autolabeling.md | Title: How to use autolabeling in custom text classification. Description: Learn how to use autolabeling in custom text classification. Last updated 12/19/2023. # How to use autolabeling for Custom Text Classification |
ai-services | View Model Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/how-to/view-model-evaluation.md | Title: View a custom text classification model evaluation - Azure AI services. Description: Learn how to view the evaluation scores for a custom text classification model. Last updated 12/19/2023. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/language-support.md | Title: Language support in custom text classification. Description: Learn about which languages are supported by custom text classification. Last updated 12/19/2023. |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/overview.md | Title: Custom text classification - Azure AI services. Description: Customize an AI model to classify documents and other content using Azure AI services. Last updated 12/19/2023. |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/quickstart.md | Title: Quickstart - Custom text classification. Description: Quickly start building an AI model to identify and apply labels (classify) unstructured text. Last updated 12/19/2023. zone_pivot_groups: usage-custom-language-features |
ai-services | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/service-limits.md | Title: Custom text classification limits. Description: Learn about the data and rate limits when using custom text classification. Last updated 12/19/2023. |
ai-services | Triage Email | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom-text-classification/tutorials/triage-email.md | Title: Triage incoming emails with Power Automate description: Learn how to use custom text classification to categorize and triage incoming emails with Power Automate #-+ Last updated 12/19/2023-+ # Tutorial: Triage incoming emails with power automate |
ai-services | Azure Machine Learning Labeling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/custom/azure-machine-learning-labeling.md | Title: Use Azure Machine Learning labeling in Language Studio description: Learn how to label your data in Azure Machine Learning, and import it for use in the Language service. #-+ Last updated 12/19/2023-+ # Use Azure Machine Learning labeling in Language Studio |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/how-to/call-api.md | Title: How to call the entity linking API description: Learn how to identify and link entities found in text with the entity linking API. #-+ Last updated 12/19/2023-+ |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/language-support.md | Title: Language support for key phrase analysis description: A list of natural languages supported by the entity linking API #-+ Last updated 12/19/2023-+ |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/overview.md | Title: What is entity linking in Azure AI Language? description: An overview of entity linking in Azure AI services, which helps you extract entities from text, and provides links to an online knowledge base. #-+ Last updated 12/19/2023-+ |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/entity-linking/quickstart.md | Title: "Quickstart: Entity linking using the client library and REST API" description: 'Use this quickstart to perform Entity Linking, using C#, Python, Java, JavaScript, and the REST API.' #-+ Last updated 12/19/2023-+ ms.devlang: csharp # ms.devlang: csharp, java, javascript, python |
ai-services | Language Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-studio.md | Title: "Quickstart: Get started with Language Studio" description: Use this article to learn about Language Studio, and testing features of Azure AI Language--++ Last updated 12/19/2023 |
ai-services | Use Native Documents | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/native-document-support/use-native-documents.md | -Azure AI Language is a cloud-based service that applies Natural Language Processing (NLP) features to text-based data. The native document support capability enables you to send API requests asynchronously, using an HTTP POST request body to send your data and HTTP GET request query string to retrieve the processed data. +Azure AI Language is a cloud-based service that applies Natural Language Processing (NLP) features to text-based data. The native document support capability enables you to send API requests asynchronously, using an HTTP POST request body to send your data and HTTP GET request query string to retrieve the status results. Your processed documents are located in your Azure Blob Storage target container. A native document refers to the file format used to create the original document such as Microsoft Word (docx) or a portable document file (pdf). Native document support eliminates the need for text preprocessing before using Azure AI Language resource capabilities. Currently, native document support is available for the following capabilities: |
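Review bot: the rewritten sentence moves the output from the GET response ("retrieve the processed data") to "your Azure Blob Storage target container" without saying how the caller then retrieves that output or how the Language resource is authorized to write into the target container; this hunk should add a sentence or link covering the storage permission the resource needs and the retrieval step, otherwise the asynchronous flow (POST to submit, GET to poll status, read results from the container) is only two-thirds documented. Minor wording: "HTTP GET request query string to retrieve the status results" reads awkwardly and would be clearer as "an HTTP GET request to retrieve the status results".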
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/data-formats.md | Title: Orchestration workflow data formats description: Learn about the data formats accepted by orchestration workflow. #-+ Last updated 12/19/2023-+ |
ai-services | Evaluation Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/evaluation-metrics.md | Title: Orchestration workflow model evaluation metrics description: Learn about evaluation metrics in orchestration workflow #-+ Last updated 12/19/2023-+ |
ai-services | Fail Over | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/fail-over.md | Title: Save and recover orchestration workflow models description: Learn how to save and recover your orchestration workflow models. #-+ Last updated 12/19/2023-+ |
ai-services | None Intent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/concepts/none-intent.md | Title: Orchestration workflow none intent description: Learn about the default None intent in orchestration workflow. #-+ Last updated 12/19/2023-+ |
ai-services | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/faq.md | Title: Frequently Asked Questions for orchestration projects description: Use this article to quickly get the answers to FAQ about orchestration projects #-+ Last updated 12/19/2023-+ |
ai-services | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/glossary.md | Title: Definitions used in orchestration workflow description: Learn about definitions used in orchestration workflow. #-+ Last updated 12/19/2023-+ |
ai-services | Build Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/build-schema.md | Title: How to build an orchestration project schema description: Learn how to define intents for your orchestration workflow project. #-+ Last updated 12/19/2023-+ |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/call-api.md | Title: How to send requests to orchestration workflow description: Learn about sending requests for orchestration workflow. #-+ Last updated 12/19/2023-+ ms.devlang: csharp # ms.devlang: csharp, python |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/create-project.md | Title: Create orchestration workflow projects and use Azure resources description: Use this article to learn how to create projects in orchestration workflow #-+ Last updated 12/19/2023-+ |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/deploy-model.md | Title: How to deploy an orchestration workflow project description: Learn about deploying orchestration workflow projects. #-+ Last updated 12/19/2023-+ |
ai-services | Tag Utterances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/tag-utterances.md | Title: How to tag utterances in an orchestration workflow project description: Use this article to tag utterances #-+ Last updated 12/19/2023-+ |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/train-model.md | Title: How to train and evaluate models in orchestration workflow description: Learn how to train a model for orchestration workflow projects. #-+ Last updated 12/19/2023-+ |
ai-services | View Model Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/how-to/view-model-evaluation.md | Title: How to view orchestration workflow models details description: Learn how to view details for your model and evaluate its performance. #-+ Last updated 12/19/2023-+ |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/language-support.md | Title: Language support for orchestration workflow description: Learn about the languages supported by orchestration workflow. #-+ Last updated 12/19/2023 -+ # Language support for orchestration workflow projects |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/overview.md | Title: Orchestration workflows - Azure AI services description: Customize an AI model to connect your Conversational Language Understanding, question answering and LUIS applications. #-+ Last updated 12/19/2023-+ |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/quickstart.md | Title: Quickstart - Orchestration workflow description: Quickly start creating an AI model to connect your Conversational Language Understanding, question answering and LUIS applications. #-+ Last updated 12/19/2023-+ zone_pivot_groups: usage-custom-language-features |
ai-services | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/service-limits.md | Title: Orchestration workflow limits description: Learn about the data, region, and throughput limits for Orchestration workflow #-+ Last updated 12/19/2023-+ |
ai-services | Connect Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/orchestration-workflow/tutorials/connect-services.md | Title: Integrate custom question answering and conversational language understanding with orchestration workflow description: Learn how to connect different projects with orchestration workflow. keywords: conversational language understanding, bot framework, bot, language understanding, nlu--++ |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/overview.md | Title: What is Azure AI Language description: Learn how to integrate AI into your applications that can extract information and understand written language. #-+ Last updated 12/19/2023-+ # What is Azure AI Language? |
ai-services | Data Formats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/concepts/data-formats.md | Title: Custom sentiment analysis data formats description: Learn about the data formats accepted by custom sentiment analysis. #-+ Last updated 12/19/2023-+ |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/call-api.md | Title: Send a Custom sentiment analysis request to your custom model description: Learn how to send requests for Custom sentiment analysis. #-+ Last updated 12/19/2023-+ ms.devlang: csharp # ms.devlang: csharp, python |
ai-services | Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/create-project.md | Title: How to create Custom sentiment analysis projects description: Learn about the steps for using Azure resources with Custom sentiment analysis. #-+ Last updated 12/19/2023-+ |
ai-services | Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/deploy-model.md | Title: Deploy a Custom sentiment analysis model description: Learn about deploying a model for Custom sentiment analysis. #-+ Last updated 12/19/2023-+ |
ai-services | Design Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/design-schema.md | Title: How to prepare data and define a custom sentiment analysis schema description: Learn about data selection and preparation for custom sentient analysis projects. #-+ Last updated 12/19/2023-+ |
ai-services | Label Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/label-data.md | Title: How to label your data for Custom sentiment analysis - Azure AI services description: Learn about how to label your data for use with the custom Sentiment analysis. #-+ Last updated 12/19/2023-+ |
ai-services | Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/how-to/train-model.md | Title: How to train your Custom sentiment analysis model - Azure AI services description: Learn about how to train your model for Custom sentiment analysis. #-+ Last updated 12/19/2023-+ |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/custom/quickstart.md | Title: Quickstart - Custom sentiment analysis description: Quickly start building an AI model to identify the sentiment of text. #-+ Last updated 01/25/2024-+ zone_pivot_groups: usage-custom-language-features |
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/call-api.md | Title: How to perform sentiment analysis and opinion mining description: This article will show you how to detect sentiment, and mine for opinions in text. #-+ Last updated 12/19/2023-+ |
ai-services | Use Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/how-to/use-containers.md | Title: Install and run Docker containers for Sentiment Analysis description: Use the Docker containers for the Sentiment Analysis API to perform natural language processing such as sentiment analysis, on-premises. #-+ Last updated 12/19/2023-+ keywords: on-premises, Docker, container, sentiment analysis, natural language processing |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/language-support.md | Title: Sentiment Analysis and Opinion Mining language support description: This article explains which languages are supported by the Sentiment Analysis and Opinion Mining features of the Language service. #-+ Last updated 12/19/2023-+ |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/overview.md | Title: What is sentiment analysis and opinion mining in the Language service? description: An overview of the sentiment analysis feature in Azure AI services, which helps you find out what people think of a topic by mining text for clues. #-+ Last updated 01/25/2024-+ |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/sentiment-opinion-mining/quickstart.md | Title: "Quickstart: Use the Sentiment Analysis client library and REST API" description: Use this quickstart to start using the Sentiment Analysis API. #-+ Last updated 01/25/2024-+ ms.devlang: csharp # ms.devlang: csharp, java, javascript, python |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/summarization/quickstart.md | |
ai-services | Power Automate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/tutorials/power-automate.md | Title: Use Language service in power automate description: Learn how to use Azure AI Language in power automate, without writing code. #-+ Last updated 12/19/2023-+ |
ai-services | Use Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/tutorials/use-kubernetes-service.md | Title: Deploy a key phrase extraction container to Azure Kubernetes Service description: Deploy a key phrase extraction container image to Azure Kubernetes Service, and test it in a web browser. #-+ Last updated 12/19/2023-+ |
ai-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/whats-new.md | Title: What's new in Azure AI Language? description: Find out about new releases and features for the Azure AI Language. #-+ Previously updated : 01/31/2024- Last updated : 02/26/2024+ # What's new in Azure AI Language? |
ai-services | Use Your Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md | If you're using your own index, you will be prompted in the Azure OpenAI Studio In this example, the fields mapped to **Content data** and **Title** provide information to the model to answer questions. **Title** is also used to title citation text. The field mapped to **File name** generates the citation names in the response. -Mapping these fields correctly helps ensure the model has better response and citation quality. You can additionally configure this [in the API](../reference.md#completions-extensions) using the `fieldsMapping` parameter. +Mapping these fields correctly helps ensure the model has better response and citation quality. You can additionally configure this [in the API](../references/on-your-data.md) using the `fieldsMapping` parameter. ++### Search filter (API) ++If you want to implement additional value-based criteria for query execution, you can set up a search filter using the `filter` parameter in the [REST API](../references/azure-search.md). + # [Azure Cosmos DB for MongoDB vCore](#tab/mongo-db) Once you have added the URL/web address for data ingestion, the web pages from y Data is ingested into Azure AI search using the following process: -1. Ingestion assets are created in Azure AI Search resource and Azure storage account. Currently these assets are: indexers, indexes, data sources, a [custom skill](/azure/search/cognitive-search-custom-skill-interface) in the search resource, and a container (later called the chunks container) in the Azure storage account. You can specify the input Azure storage container using the [Azure OpenAI studio](https://oai.azure.com/), or the [ingestion API (preview)](../reference.md#start-an-ingestion-job-preview). +1. Ingestion assets are created in Azure AI Search resource and Azure storage account. 
Currently these assets are: indexers, indexes, data sources, a [custom skill](/azure/search/cognitive-search-custom-skill-interface) in the search resource, and a container (later called the chunks container) in the Azure storage account. You can specify the input Azure storage container using the [Azure OpenAI studio](https://oai.azure.com/), or the [ingestion API (preview)](/rest/api/azureopenai/ingestion-jobs). 2. Data is read from the input container, contents are opened and chunked into small chunks with a maximum of 1,024 tokens each. If vector search is enabled, the service calculates the vector representing the embeddings on each chunk. The output of this step (called the "preprocessed" or "chunked" data) is stored in the chunks container created in the previous step. Use the following sections to learn how to improve the quality of responses give ### Runtime parameters -You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../reference.md#completions-extensions). You don't need to reingest your data when you update these parameters. +You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../references/on-your-data.md). You don't need to reingest your data when you update these parameters. |Parameter name | Description | You can modify the following additional settings in the **Data parameters** sect You can define a system message to steer the model's reply when using Azure OpenAI On Your Data. This message allows you to customize your replies on top of the retrieval augmented generation (RAG) pattern that Azure OpenAI On Your Data uses. The system message is used in addition to an internal base prompt to provide the experience. To support this, we truncate the system message after a specific [number of tokens](#token-usage-estimation-for-azure-openai-on-your-data) to ensure the model can answer questions using your data. 
If you are defining extra behavior on top of the default experience, ensure that your system prompt is detailed and explains the exact expected customization. -Once you select add your dataset, you can use the **System message** section in the Azure OpenAI Studio, or the `roleInformation` [parameter in the API](../reference.md#completions-extensions). +Once you select add your dataset, you can use the **System message** section in the Azure OpenAI Studio, or the `roleInformation` [parameter in the API](../references/on-your-data.md). :::image type="content" source="../media/use-your-data/system-message.png" alt-text="A screenshot showing the system message option in Azure OpenAI Studio." lightbox="../media/use-your-data/system-message.png"::: |
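Review bot: the new "Search filter (API)" subsection asserts that a `filter` parameter exists but gives neither its expression syntax nor an example, and it links to `../references/azure-search.md` while every other API reference repointed in this change goes to `../references/on-your-data.md`; confirm the `filter` parameter is actually documented on the azure-search reference page and add a one-line example filter expression so readers can see the expected form. Separately, the ingestion-job link now uses an absolute path (`/rest/api/azureopenai/ingestion-jobs`) while the neighbouring links stay relative; that is fine if the target lives outside this doc set, but the link text still says "ingestion API (preview)", so check that the preview label matches the linked reference.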
ai-services | Use Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/use-web-app.md | Along with Azure OpenAI Studio, APIs and SDKs, you can also use the available st ## Web app customization -You can customize the app's frontend and backend logic. For example, you could change the icon that appears in the center of the app by updating `/frontend/src/assets/Contoso.svg` and then redeploying the app [using the Azure CLI](https://github.com/microsoft/sample-app-aoai-chatGPT#deploy-with-the-azure-cli). See the source code for the web app, and more information on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). +You can customize the app's frontend and backend logic. The app provides several [environment variables](https://github.com/microsoft/sample-app-aoai-chatGPT#common-customization-scenarios-eg-updating-the-default-chat-logo-and-headers) for common customization scenarios such as changing the icon in the app. See the source code for the web app, and more information on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). When customizing the app, we recommend: When customizing the app, we recommend: - When you rotate API keys for your Azure OpenAI or Azure AI Search resource, be sure to update the app settings for each of your deployed apps to use the new keys. -Sample source code for Azure OpenAI On Your Data web app is available on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). Source code is provided "as is" and as a sample only. Customers are responsible for all customization and implementation of their web apps using Azure OpenAI On Your Data. +Sample source code for the web app is available on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). Source code is provided "as is" and as a sample only. Customers are responsible for all customization and implementation of their web apps. ### Updating the web app |
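Review bot: after this change the section links the same GitHub repository twice with near-identical wording, once in the customization paragraph ("See the source code for the web app, and more information on GitHub") and again in the new closing sentence ("Sample source code for the web app is available on GitHub"); keep one, preferably the closing sentence that carries the "as is" caveat, and let the earlier paragraph point only at the environment-variable customization anchor. The key-rotation bullet that survives the hunk is the important operational line here and should stay adjacent to the customization guidance.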
ai-services | Quotas Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/quotas-limits.md | The default quota for models varies by model and region. Default quota limits ar | Region | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | GPT-35-Turbo | GPT-35-Turbo-1106 | GPT-35-Turbo-16K | GPT-35-Turbo-Instruct | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune | |:--|:-|:-|:-|:|:--|:-|:|:--|:|:--|:-|:--|:-|:--|:-|:--|:-|-| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | +| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | 30 K | - | - | - | - | - | - | | brazilsouth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | | canadaeast | 350 K | 350 K | 350 K | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - | | eastus | 240 K | 350 K | 350 K | 240 K | - | 240 K | 240 K | - | - | 80 K | - | - | - | - | - | - | - | The default quota for models varies by model and region. Default quota limits ar | westeurope | 240 K | - | - | 240 K | - | - | - | - | - | - | - | - | - | - | - | - | - | | westus | 350 K | - | - | - | 120 K | - | - | - | - | 80 K | 30 K | - | - | - | - | - | - | - ### General best practices to remain within rate limits To minimize issues related to rate limits, it's a good idea to use the following techniques: |
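Review bot: this hunk deletes the blank line between the last table row (`| westus | ... |`) and the `### General best practices to remain within rate limits` heading; keep an empty line after the table so Markdown renderers terminate the table before the heading rather than treating the heading text as trailing table content. The value change itself is consistent: the added `30 K` for australiaeast sits in the twelfth column, which is GPT-4-Turbo-V in the header row, the same position the existing westus row uses for its `30 K`.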
ai-services | Custom Avatar Record Video Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/text-to-speech-avatar/custom-avatar-record-video-samples.md | Title: How to record video samples for custom text to speech avatar - Speech service -description: Learn how to prepare high-quality video samples for creating a custom text to speech avatar +description: Learn how to prepare high-quality video samples for creating a custom text to speech avatar. keywords: how to record video samples for custom text to speech avatar This article provides instructions on preparing high-quality video samples for creating a custom text to speech avatar. -Custom text to speech avatar model building requires training on a video recording of a real human speaking. This person is the avatar talent. You must get sufficient consent under all relevant laws and regulations from the avatar talent to create a custom avatar from their talent's image or likeness. +Custom text to speech avatar model building requires training on a video recording of a real human speaking. This person is the avatar talent. You must get sufficient consent under all relevant laws and regulations from the avatar talent to create a custom avatar from their talent's image or likeness. Refer to [Get consent file from the avatar talent](custom-avatar-create.md#get-consent-file-from-the-avatar-talent) to learn requirement of consent statement video. 
## Recording environment -- We recommend recording in a professional video shooting studio or a well-lit place with a clean background.-- The background of the video should be clean, smooth, pure-colored, and a green screen is the best choice.-- Ensure even and bright lighting on the actor's face, avoiding shadows on face or reflections on actor's glasses and clothes.-- Camera requirement: A minimum of 1080-P resolution and 36 FPS.-- Other devices: You can use a teleprompter to remind the script during recording but ensure it doesn't affect the actor's gaze towards the camera. Provide a seat if the avatar needs to be in a sitting position.+We recommend recording in a professional video shooting studio or a well-lit place. -## Appearance of the actor +### Background requirement -The custom text to speech avatar doesn't support customization of clothes or looks. Therefore, it's essential to carefully design and prepare the avatar's appearance when recording the training data. Consider the following tips: +- If you need a commercial, multi-scene avatar, the background of the video should be clean, smooth, pure-colored, and a green screen is the best choice. +- If your avatar only needs to be used in a single scene, you can select a specific scene to record (such as in your office), but the background can't be subtracted and changed. +- Tips about using a pure-colored background (such as green screen) in shooting: + + | Dos | Don'ts | + |--|--| + | - A green screen is set behind your back, and if your avatar video shows the full body of the actor, including feet, there should be a green screen under the feet. And the back green screen and floor green screen should be completely connected. 
<br/>- The green screen should be flat, and the color is uniform.<br/> - The actor should keep 0.5 m ΓÇô 1 m distance away from the back background.<br/>- The green screen can be properly lit to prevent shadows.<br/>- The full outline of the actor is within the edge of the green screen.| - The actor shouldn't stand too close to the green screen.<br/>- Avoid the actorΓÇÖs head and hands spilling out of the green screen when speaking.| ++### Lighting requirement ++- Ensure even and bright lighting on the actor's face, avoiding shadows on the face or reflections on actor's glasses and clothes. +- Try to avoid the impact of changes in ambient light on actors. It's recommended to turn off the projector, close the curtains to avoid daylight changes, and use a stable artificial light source, etc. -- The actor's hair should have a smooth and glossy surface, avoiding messy hair or backgrounds showing through the hair.+### Devices ++- Camera requirement: A minimum of 1080-P resolution and 25 FPS (frames per second). +- Don't change the position of light and camera after settling down during the whole video shooting. +- You can use a teleprompter to remind the script during recording but ensure it doesn't affect the actor's gaze towards the camera. Provide a seat if the avatar needs to be in a sitting position. +- For half-length or seated digital avatars, provide a seat for the actor. If you don't want the image of the chair to appear, you can choose a simple chair. ++## Appearance of the actor -- Avoid wearing clothing that is too similar to the background color or reflective materials like white shirts. Avoid clothing with obvious lines or items with logos and brand names you don't want to highlight.+The custom text to speech avatar doesn't support customization of clothes or looks. Therefore, it's essential to carefully design and prepare the avatar's appearance when recording the training data. 
Consider the following tips: -- Ensure the actor's face is clearly visible, not obscured by hair, sunglasses, or accessories.+| Categories | Dos | Don'ts | +||-|-| +| **Hair** | - The actorΓÇÖs hair should have a smooth and glossy surface.</br>- Even the actorΓÇÖs bangs or broken hair should have a clear and smooth border.</br>- Choose a hairstyle that is easy to keep consistent during the whole video recording. | - Avoid messy hair or backgrounds showing through the hair.</br>- Do not let hair block the eyes or eyebrows.</br>- Avoid shadows on the face caused by hairstyle.</br>- Avoid hair changes too much during speech and body gesture. For example, the high ponytail of an actor may appear, disappear, and swing during speaking. | +| **Clothing** | - Pay attention to clothing status and make sure no significant changes on the clothing during speaking. | - Avoid wearing clothing and accessories that are too loose, heavy, or complex, as they may impact the consistency of clothing status during speaking and body gesture.</br>- Avoid wearing clothing that is too similar to the background color or reflective materials like white shirts or translucent materials.</br>- Avoid clothing with obvious lines or items with logos and brand names you don't want to highlight.</br>- Avoid reflective elements such as metal belts, shiny leather shoes, and leather pants. | +| **Face** | - Ensure the actor's face is clearly visible. | - Avoid face obscured by hair, sunglasses, or accessories. | ## What video clips to record You need three types of basic video clips: **Status 0 speaking:** - Status 0 represents the posture you can naturally maintain most of the time while speaking. For example, arms crossed in front of the body or hanging down naturally at the sides. - - Maintain a front-facing pose with minimal body movement. The actor can nod slightly, but don't move the body too much. + - Maintain a front-facing pose. 
The actor can move slightly to show a relaxed status, like moving the head or shoulder slightly, but don't move the body too much. - Length: keep speaking in status 0 for 3-5 minutes.+ +**Samples of status 0 speaking:** ++![Animated graphic depicting Lisa speaking in status 0, representing the posture naturally maintained while speaking.](media/status-0-lisa.gif) ++![Animated graphic depicting Harry speaking in status 0, representing the posture naturally maintained while speaking.](media/status-0-harry.gif) ++![Animated graphic depicting Lori speaking in status 0, representing the posture naturally maintained while speaking.](media/status-0-lori.gif) **Naturally speaking:** - Actor speaks in status 0 but with natural hand gestures from time to time. - Hands should start from status 0 and return after making gestures. - Use natural and common gestures when speaking. Avoid meaningful gestures like pointing, applause, or thumbs up. - Length: Minimum 5 minutes, maximum 30 minutes in total. At least one piece of 5-minute continuous video recording is required. If recording multiple video clips, keep each clip under 10 minutes.+ +**Samples of natural speaking:** ++![Animated graphic depicting sample of Lisa speaking in status 0 with natural hand gestures, representing the posture naturally maintained while speaking.](media/natural-lisa.gif) ++![Animated graphic depicting sample of Harry speaking in status 0 with natural hand gestures, representing the posture naturally maintained while speaking.](media/natural-harry.gif) ++![Animated graphic depicting sample of Lori speaking in status 0 with natural hand gestures, representing the posture naturally maintained while speaking.](media/natural-lori.gif) **Silent status:**- - Maintain status 0 but don't speak. - - Maintain a smile or nodding head as if listening or waiting. - - Length: 1 minute. 
-Here are more tips for recording video clips: +This video clip is important if you build a real-time conversation with the custom avatar. The video clip is used as the main template for both speaking and listening status for a chatbot. -- Ensure all video clips are taken in the same conditions.-- Mind facial expressions, which should be suitable for the avatar's use case. For example, look positive and be smile if the custom text to speech avatar will be used as customer service, and look professionally if the avatar will be used for news reporting.-- Maintain eye gaze towards the camera, even when using a teleprompter-- Return your body to status 0 when pausing speaking.-- Speak on a self-chosen topic, and minor speech mistakes like miss a word or mispronounced are acceptable. If the actor misses a word or mispronounces something, just go back to status 0, pause for 3 seconds, and then continue speaking.-- Consciously pause between sentences and paragraphs. When pausing, go back to the status 0 and close your lips.-- Maintain high-quality audio, avoiding background noise, like other people's voice.+ - Maintain status 0, don't speak, but still feel relaxed. + - Even remaining in status 0, don't keep completely still; you can move a little bit but not too much. Perform like you're waiting. + - Maintain a smile as if listening or waiting patiently. + - Length: 1 minute. 
+ +**Samples of silent status:** ++![Animated graphic depicting sample of Lisa maintaining silent status without speaking but still feeling relaxed.](media/silent-lisa.gif) ++![Animated graphic depicting sample of Harry maintaining silent status without speaking but still feeling relaxed.](media/silent-harry.gif) ++![Animated graphic depicting sample of Lori maintaining silent status without speaking but still feeling relaxed.](media/silent-lori.gif) ++**Gestures (optional):** ++Gesture video clips are optional, and customers who have the need to insert certain gestures in the avatar speaking can follow this guideline to take gesture videos. Gesture insertion is only enabled for batch mode avatar; real-time avatar doesnΓÇÖt support gesture insertion at this point. Each custom avatar model can support no more than 10 gestures. ++**Gesture tips:** +- Each gesture clip should be within 10 seconds. +- Gestures should start from status 0 and end with status 0; otherwise, the gesture clip can't be smoothly inserted into the avatar video. +- The gesture clip only captures the body gestures; the actor doesnΓÇÖt have to speak during making gestures. 
+- We recommend designing a list of gestures before recording; here are some examples of gesture video clips: ++**Samples of gesture:** ++| Gestures | Samples | +|--|| +| Delivering sell link/promotion code | ![An animated graphic depicting sample of delivering sell link.](media/delivering-sell-link.gif) | +| Introducing the product | ![An animated graphic depicting sample of introducing the product.](media/introducing-the-product.gif) | +| Displaying the price (number from 1 to 10-fist-number with each hand) | Right hand ![An animated graphic depicting sample of displaying the price with right hand.](media/displaying-the-price-with-right-hand.gif) Left hand ![An animated graphic depicting sample of displaying the price with left hand.](media/displaying-the-price-with-left-hand.gif) | ++High-quality avatar models are built from high-quality video recordings, including audio quality. Here are more tips for actorΓÇÖs performance and recording video clips: ++| **Dos** | **Don'ts** | +||--| +| - Ensure all video clips are taken in the same conditions.</br>- During the recording process, design the size and display area of the character you need so that the character can be displayed on the screen appropriately.</br> - Actor should be steady during the recording. </br> - Mind facial expressions, which should be suitable for the avatar's use case. For example, look positive and smile if the custom text to speech avatar is used as customer service. Look professionally if the avatar is used for news reporting.</br> - Maintain eye gaze towards the camera, even when using a teleprompter.</br> - Return your body to status 0 when pausing speaking.</br> - Speak on a self-chosen topic, and minor speech mistakes like miss a word or mispronounced are acceptable. If the actor misses a word or mispronounces something, just go back to status 0, pause for 3 seconds, and then continue speaking.</br> - Consciously pause between sentences and paragraphs. 
When pausing, go back to the status 0 and close your lips. </br> - The audio should be clear and loud enough; bad audio quality impacts training result.</br> - Keep the shooting environment quiet. | - Don't adjust the camera parameters, focal length, position, angle of view. Don't move the camera; keep the person's position, size, angle, consistent in the camera.</br> - Characters that are too small may lead to a loss of image quality during post-processing. Characters that are too large may cause the screen to overflow during gestures and movements.</br> - Don't make too long gestures or too much movement for one gesture; for example, actorΓÇÖs hands are always making gestures and forget to go back to status 0.</br> - The actor's movements and gestures must not block the face.</br> - Avoid small movements of the actor like licking lips, touching hair, talking sideways, constant head shaking during speech, and not closing up after speaking.</br> - Avoid background noise; staff should avoid walking and talking during video recording.</br> - Avoid other peopleΓÇÖs voice recorded during the actor speaking. | ## Data requirements -- Avatar training video recording file format: .mp4 or .mov.-- Resolution: At least 1920x1080.-- Frame rate per second: At least 25 FPS.+Doing some basic processing of your video data is helpful for model training efficiency, such as: ++- Make sure that the character is in the middle of the screen, the size and position are consistent during the video processing. Each video processing parameter such as brightness, contrast remains the same and doesn't change. +- The start and end of the clip should be kept in state 0; the actors should close their mouths and smile, and look ahead. The video should be continuous, not abrupt. ++**Avatar training video recording file format:** .mp4 or .mov. ++**Resolution:** At least 1920x1080. ++**Frame rate per second:** At least 25 FPS. ## Next steps |
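Review bot: The delimiter rows of the three new tables are malformed: `+||-|-|` under `| Categories | Dos | Don'ts |`, `+|--||` under `| Gestures | Samples |`, and `+||--|` under `| **Dos** | **Don'ts** |` each leave one delimiter cell empty, and a markdown delimiter cell needs at least one dash, so these tables may not render at all; use `|--|--|--|` and `|--|--|` respectively. The same hunks use `</br>` for in-cell line breaks, which is not a valid tag; the Background table added earlier in this change uses `<br/>`, so standardize on that.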
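Review bot: The Devices hunk gives the seat guidance twice: `+- You can use a teleprompter ... Provide a seat if the avatar needs to be in a sitting position.` and `+- For half-length or seated digital avatars, provide a seat for the actor.` Keep one bullet (the second carries the extra advice about choosing a simple chair) and drop the sentence from the teleprompter bullet.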
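Review bot: The Data requirements hunk switches terminology: `The start and end of the clip should be kept in state 0` while every other section says `status 0`; use `status 0` so readers connect it to the clip types described above. In the Dos/Don'ts tips hunk, `Look professionally if the avatar is used for news reporting` should read `Look professional`, and `minor speech mistakes like miss a word or mispronounced are acceptable` should read `minor speech mistakes like missing a word or mispronouncing one are acceptable`.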
ai-studio | Flow Process Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/flow-process-image.md | Title: Process images in prompt flow (preview)- -description: Learn how to incorporate images into prompt flow. ---+ Title: Process images in prompt flow ++description: Learn how to use images in prompt flow. + --- Previously updated : 02/05/2024 Last updated : 2/26/2024+++ -# Process images in prompt flow (preview) +# Process images in prompt flow + Multimodal Large Language Models (LLMs), which can process and interpret diverse forms of data inputs, present a powerful tool that can elevate the capabilities of language-only systems to new heights. Among the various data types, images are important for many real-world applications. The incorporation of image data into AI systems provides an essential layer of visual understanding. -In this article, you'll learn: +In this article, you learn: > [!div class="checklist"] > - How to use image data in prompt flow > - How to use built-in GPT-4V tool to analyze image inputs. In this article, you'll learn: > - How to create a batch run using image data. > - How to consume online endpoint with image data. -> [!IMPORTANT] -> Prompt flow image support is currently in public preview. This preview is provided without a service-level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. -> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). - ## Image type in prompt flow Prompt flow input and output support Image as a new data type. To use image data in prompt flow authoring page: :::image type="content" source="../media/prompt-flow/how-to-process-image/add-image-type-input.png" alt-text="Screenshot of flow authoring page showing adding flow input as Image type." 
lightbox = "../media/prompt-flow/how-to-process-image/add-image-type-input.png"::: 2. Preview the image. If the image isn't displayed correctly, delete the image and add it again. :::image type="content" source="../media/prompt-flow/how-to-process-image/flow-input-image-preview.png" alt-text="Screenshot of flow authoring page showing image preview flow input." lightbox = "../media/prompt-flow/how-to-process-image/flow-input-image-preview.png":::-3. You might want to **preprocess the image using Python tool** before feeding it to LLM, for example, you can resize or crop the image to a smaller size. +3. You might want to preprocess the image using the [Python tool](./prompt-flow-tools/python-tool.md) before feeding it to the LLM. For example, you can resize or crop the image to a smaller size. :::image type="content" source="../media/prompt-flow/how-to-process-image/process-image-using-python.png" alt-text="Screenshot of using python tool to do image preprocessing." lightbox = "../media/prompt-flow/how-to-process-image/process-image-using-python.png"::: > [!IMPORTANT]- > To process image using Python function, you need to use the `Image` class, import it from `promptflow.contracts.multimedia` package. The Image class is used to represent an Image type within prompt flow. It is designed to work with image data in byte format, which is convenient when you need to handle or manipulate the image data directly. + > To process images using a Python function, you need to use the `Image` class that you import from the `promptflow.contracts.multimedia` package. The `Image` class is used to represent an `Image` type within prompt flow. It is designed to work with image data in byte format, which is convenient when you need to handle or manipulate the image data directly. > > To return the processed image data, you need to use the `Image` class to wrap the image data. 
Create an `Image` object by providing the image data in bytes and the [MIME type](https://developer.mozilla.org/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types) `mime_type`. The MIME type lets the system understand the format of the image data, or it can be `*` for unknown type. If the Image object from Python node is set as the flow output, you can preview ## Use GPT-4V tool -Azure OpenAI GPT-4 Turbo with Vision tool and OpenAI GPT-4V are built-in tools in prompt flow that can use OpenAI GPT-4V model to answer questions based on input images. You can find the tool by selecting **More tool** in the flow authoring page. +The [Azure OpenAI GPT-4 Turbo with Vision tool](./prompt-flow-tools/azure-open-ai-gpt-4v-tool.md) and OpenAI GPT-4V are built-in tools in prompt flow that can use OpenAI GPT-4V model to answer questions based on input images. You can find the tool by selecting **+ More tools** in the flow authoring page. Add the [Azure OpenAI GPT-4 Turbo with Vision tool](./prompt-flow-tools/azure-open-ai-gpt-4v-tool.md) to the flow. Make sure you have an Azure OpenAI connection, with the availability of GPT-4 vision-preview models. You can assign a value to the image input through the following ways: - Reference from the flow input of Image type. - Reference from other node's output of Image type.-- Upload, drag, paste an image, or specify an image URL or the relative image path.+- Upload, drag, or paste an image, or specify an image URL or the relative image path. ## Build a chatbot to process images -In this section, you'll learn how to build a chatbot that can process image and text inputs. +In this section, you learn how to build a chatbot that can process image and text inputs. Assume you want to build a chatbot that can answer any questions about the image and text together. 
You can achieve this by following the steps below: If the batch run outputs contain images, you can check the **flow_outputs datase You can [deploy a flow to an online endpoint for real-time inference](./flow-deploy.md). -Currently the **Test** tab in the deployment detail page does not support image inputs or outputs. +Currently the **Test** tab in the deployment detail page doesn't support image inputs or outputs. For now, you can test the endpoint by sending request including image inputs. To consume the online endpoint with image input, you should represent the image by using the format `{"data:<mime type>;<representation>": "<value>"}`. In this case, `<representation>` can either be `url` or `base64`. -If the flow generates image output, it will be returned with `base64` format, for example, `{"data:<mime type>;base64": "<base64 string>"}`. +If the flow generates image output, it is returned with `base64` format, for example, `{"data:<mime type>;base64": "<base64 string>"}`. ## Next steps |
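Review bot: The preview notice is removed and `(preview)` is dropped from the title, but the Use GPT-4V tool hunk still says `Make sure you have an Azure OpenAI connection, with the availability of GPT-4 vision-preview models`; say explicitly that `vision-preview` is the model version to deploy, so readers don't take it as the feature itself still being in preview. Minor: the metadata hunk mixes date formats (`Previously updated : 02/05/2024` vs `Last updated : 2/26/2024`).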
ai-studio | Azure Open Ai Gpt 4V Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/azure-open-ai-gpt-4v-tool.md | description: This article introduces the Azure OpenAI GPT-4 Turbo with Vision to Previously updated : 1/8/2024 Last updated : 2/26/2024 The prompt flow *Azure OpenAI GPT-4 Turbo with Vision* tool enables you to use y - An [Azure AI hub resource](../../how-to/create-azure-ai-resource.md) with a GPT-4 Turbo with Vision model deployed in one of the regions that support GPT-4 Turbo with Vision: Australia East, Switzerland North, Sweden Central, and West US. When you deploy from your project's **Deployments** page, select: `gpt-4` as the model name and `vision-preview` as the model version. -## Connection +## Build with the Azure OpenAI GPT-4 Turbo with Vision tool -Set up connections to provisioned resources in prompt flow. +1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md). +1. Select **+ More tools** > **Azure OpenAI GPT-4 Turbo with Vision** to add the Azure OpenAI GPT-4 Turbo with Vision tool to your flow. -| Type | Name | API KEY | API Type | API Version | -|-|-|-|-|-| -| AzureOpenAI | Required | Required | Required | Required | + :::image type="content" source="../../media/prompt-flow/azure-openai-gpt-4-vision-tool.png" alt-text="Screenshot of the Azure OpenAI GPT-4 Turbo with Vision tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/azure-openai-gpt-4-vision-tool.png"::: ++1. Select the connection to your Azure OpenAI Service. For example, you can select the **Default_AzureOpenAI** connection. For more information, see [Prerequisites](#prerequisites). +1. Enter values for the Azure OpenAI GPT-4 Turbo with Vision tool input parameters described [here](#inputs). 
For example, you can use this example prompt: ++ ```jinja + # system: + As an AI assistant, your task involves interpreting images and responding to questions about the image. + Remember to provide accurate answers based on the information present in the image. + + # user: + Can you tell me what the image depicts? + ![image]({{image_input}}) + ``` ++1. Select **Validate and parse input** to validate the tool inputs. +1. Specify an image to analyze in the `image_input` input parameter. For example, you can upload an image or enter the URL of an image to analyze. Otherwise you can paste or drag and drop an image into the tool. +1. Add more tools to your flow as needed, or select **Run** to run the flow. +1. The outputs are described [here](#outputs). ++Here's an example output response: ++```json +{ + "system_metrics": { + "completion_tokens": 96, + "duration": 4.874329, + "prompt_tokens": 1157, + "total_tokens": 1253 + }, + "output": "The image depicts a user interface for Azure's OpenAI GPT-4 service. It is showing a configuration screen where settings related to the AI's behavior can be adjusted, such as the model (GPT-4), temperature, top_p, frequency penalty, etc. There's also an area where users can enter a prompt to generate text, and an option to include an image input for the AI to interpret, suggesting that this particular interface supports both text and image inputs." +} +``` ## Inputs -| Name | Type | Description | Required | -||-||-| +The following are available input parameters: ++| Name | Type | Description | Required | +| - | - | -- | -- | | connection | AzureOpenAI | The Azure OpenAI connection to be used in the tool. | Yes | | deployment\_name | string | The language model to use. | Yes | | prompt | string | Text prompt that the language model uses to generate its response. | Yes | Set up connections to provisioned resources in prompt flow. 
## Outputs +The following are available output parameters: + | Return Type | Description | |-|| | string | The text of one response of conversation |++## Next steps ++- [Learn more about how to create a flow](../flow-develop.md) + |
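Review bot: Steps 4 and 7 of the new procedure use bare `[here](#inputs)` and `[here](#outputs)` as link text; use the target as the text (for example `described in [Inputs](#inputs)`), since "here" conveys nothing out of context. Also, dropping the Connection table removes the only statement that the AzureOpenAI connection requires an API key, API type and API version; step 3 now only says to select a connection such as `Default_AzureOpenAI` and points at Prerequisites, so confirm that section actually covers creating the connection, or keep a one-line pointer to connection setup.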
aks | App Routing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/app-routing.md | The application routing add-on with NGINX delivers the following: * Integration with [Azure DNS][azure-dns-overview] for public and private zone management * SSL termination with certificates stored in Azure Key Vault. -For other configuration information related to SSL encryption and DNS integration, review [DNS and SSL configuration][dns-ssl-configuration] and [application routing add-on configuration][custom-ingress-configurations]. +For other configurations, see: ++* [DNS and SSL configuration][dns-ssl-configuration] +* [Application routing add-on configuration][custom-ingress-configurations] +* [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller]. With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the Cloud Native Computing Foundation (CNCF), using the application routing add-on is the default method for all AKS clusters. When the application routing add-on is disabled, some Kubernetes resources might * [Configure custom ingress configurations][custom-ingress-configurations] shows how to create an advanced Ingress configuration and [configure a custom domain using Azure DNS to manage DNS zones and setup a secure ingress][dns-ssl-configuration]. +* To integrate with an Azure internal load balancer and configure a private Azure DNS zone to enable DNS resolution for the private endpoints to resolve specific domains, see [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller]. + * Learn about monitoring the ingress-nginx controller metrics included with the application routing add-on with [with Prometheus in Grafana][prometheus-in-grafana] (preview) as part of analyzing the performance and usage of your application. 
<!-- LINKS - internal --> When the application routing add-on is disabled, some Kubernetes resources might [custom-ingress-configurations]: app-routing-nginx-configuration.md [az-aks-create]: /cli/azure/aks#az-aks-create [prometheus-in-grafana]: app-routing-nginx-prometheus.md+[create-nginx-private-controller]: create-nginx-ingress-private-controller.md <!-- LINKS - external --> [kubernetes-ingress-object-overview]: https://kubernetes.io/docs/concepts/services-networking/ingress/ |
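Review bot: Both added link texts spell the product `NGIX` (`* [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller].` and the matching Next steps bullet); it should be `NGINX`, consistent with the `ingress-nginx` and `create-nginx-ingress-private-controller.md` references in the same hunks. The first new bullet also ends with a period while its siblings in that list don't.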
aks | Azure Cni Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overview.md | Last updated 9/13/2023 By default, AKS clusters use [kubenet][kubenet] and create a virtual network and subnet. With *kubenet*, nodes get an IP address from a virtual network subnet. Network address translation (NAT) is then configured on the nodes, and pods receive an IP address "hidden" behind the node IP. This approach reduces the number of IP addresses that you need to reserve in your network space for pods to use. -With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow. +With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. 
The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow. ++> [!NOTE] +> +> This article is only introducing traditional Azure CNI. For [Azure CNI Overlay][azure-cni-overlay] and [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], refer to their documentation instead. ## Prerequisites Although it's technically possible to specify a service address range within the * **Can I deploy VMs in my cluster subnet?** - Yes. + Yes. But for [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], the VMs cannot be deployed in pod's subnet. * **What source IP do external systems see for traffic that originates in an Azure CNI-enabled pod?** Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod.+ + But for [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], no matter the connection is inside the same virtual network or cross virtual networks, the pod IP is always the source address for any traffic from the pod. This is because the [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation] implements [Microsoft Azure Container Networking][github-azure-container-networking] infrastructure, which gives end-to-end experience. Hence, it eliminates the use of [`ip-masq-agent`][ip-masq-agent], which is still used by traditional Azure CNI. 
* **Can I configure per-pod network policies?** Learn more about networking in AKS in the following articles: * [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md) -* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] --* [Enable the HTTP application routing add-on][aks-http-app-routing] --* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal] --* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls] --* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls] +* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md) <!-- IMAGES --> [advanced-networking-diagram-01]: ./media/networking-overview/advanced-networking-diagram-01.png Learn more about networking in AKS in the following articles: [cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md [kubenet]: concepts-network.md#kubenet-basic-networking [github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml+[github-azure-container-networking]: https://github.com/Azure/azure-container-networking +[ip-masq-agent]: https://kubernetes.io/docs/tasks/administer-cluster/ip-masq-agent/ <!-- LINKS - Internal --> [az-aks-create]: /cli/azure/aks#az_aks_create Learn more about networking in AKS in the following articles: [ManagedClusterAgentPoolProfile]: /azure/templates/microsoft.containerservice/managedclusters#managedclusteragentpoolprofile-object [aks-network-concepts]: concepts-network.md [aks-network-nsg]: concepts-network.md#network-security-groups-[aks-ingress-basic]: ingress-basic.md -[aks-ingress-tls]: ingress-tls.md -[aks-ingress-static-tls]: ingress-static-ip.md 
-[aks-http-app-routing]: http-application-routing.md -[aks-ingress-internal]: ingress-internal-ip.md [az-extension-add]: /cli/azure/extension#az_extension_add [az-extension-update]: /cli/azure/extension#az_extension_update [az-feature-register]: /cli/azure/feature#az_feature_register Learn more about networking in AKS in the following articles: [network-comparisons]: concepts-network.md#compare-network-models [system-node-pools]: use-system-pools.md [prerequisites]: configure-azure-cni.md#prerequisites+[azure-cni-overlay]: azure-cni-overlay.md +[configure-azure-cni-dynamic-ip-allocation]: configure-azure-cni-dynamic-ip-allocation.md |
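Review bot: The FAQ hunk on source IP says the pod IP is always the source address with Azure CNI for dynamic IP allocation but then explains the mechanism vaguely (`implements Microsoft Azure Container Networking infrastructure, which gives end-to-end experience`); since the preceding sentence says external systems see the node IP under traditional Azure CNI, state the practical consequence instead: any rule elsewhere in the network that allows or filters pod traffic by node IP will not match traffic from pods using dynamic IP allocation. Grammar in the same hunks: `no matter the connection is inside the same virtual network or cross virtual networks` should read `whether the connection stays inside the same virtual network or crosses virtual networks`, and the note `This article is only introducing traditional Azure CNI` should read `This article only covers traditional Azure CNI`. The Next steps link text uses `addon` where the doc set uses `add-on`.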
aks | Configure Azure Cni Dynamic Ip Allocation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni-dynamic-ip-allocation.md | Azure CNI provides the capability to monitor IP subnet usage. To enable IP subne Set the variables for subscription, resource group and cluster. Consider the following as examples: -```azurecli -- $s="subscriptionId" -- $rg="resourceGroup" -- $c="ClusterName" -- az account set -s $s -- az aks get-credentials -n $c -g $rg -+```azurecli-interactive +az account set -s $subscription +az aks get-credentials -n $clusterName -g $resourceGroup ``` ### Apply the config Learn more about networking in AKS in the following articles: * [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md) * [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md)--* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] -* [Enable the HTTP application routing add-on][aks-http-app-routing] -* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal] -* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls] -* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls] +* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md) <!-- LINKS - External --> [github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml <!-- LINKS - Internal -->-[aks-ingress-basic]: ingress-basic.md -[aks-ingress-tls]: ingress-tls.md -[aks-ingress-static-tls]: ingress-static-ip.md -[aks-http-app-routing]: http-application-routing.md -[aks-ingress-internal]: ingress-internal-ip.md [azure-cni-prereq]: ./configure-azure-cni.md#prerequisites 
[azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters [az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons |
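Review bot: The azurecli hunk drops the variable assignments but keeps the lead-in `Set the variables for subscription, resource group and cluster. Consider the following as examples:`, so `$subscription`, `$clusterName` and `$resourceGroup` are now used without ever being set. Either restore assignments in valid shell form (`subscription="<subscription-id>"`, not the removed `$s="subscriptionId"` form, which is not a valid bash assignment) or reword the lead-in to say the variables must be set beforehand. The Next steps link text also uses `addon` where the doc set uses `add-on`.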
aks | Create Nginx Ingress Private Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/create-nginx-ingress-private-controller.md | + + Title: Configure internal NGIX ingress controller for Azure private DNS zone +description: Understand how to configure an ingress controller with a private IP address and an Azure private DNS zone using the application routing add-on for Azure Kubernetes Service. +++ Last updated : 02/27/2024+++++# Configure NGINX ingress controller to support Azure private DNS zone with application routing add-on ++This article demonstrates how to configure an NGINX ingress controller to work with Azure internal load balancer and configure a private Azure DNS zone to enable DNS resolution for the private endpoints to resolve specific domains. ++## Before you begin ++- An AKS cluster with the [application routing add-on][app-routing-add-on-basic-configuration]. +- To attach an Azure private DNS Zone, you need the [Owner][rbac-owner], [Azure account administrator][rbac-classic], or [Azure co-administrator][rbac-classic] role on your Azure subscription. ++## Connect to your AKS cluster ++To connect to the Kubernetes cluster from your local computer, you use `kubectl`, the Kubernetes command-line client. You can install it locally using the [az aks install-cli][az-aks-install-cli] command. If you use the Azure Cloud Shell, `kubectl` is already installed. ++The following example configures connecting to your cluster named *myAKSCluster* in the *myResourceGroup* using the [`az aks get-credentials`][az-aks-get-credentials] command. ++```azurecli-interactive +az aks get-credentials --resource-group myResourceGroup --name myAKSCluster +``` ++## Create a virtual network ++To publish a private DNS zone to your virtual network, you need to specify a list of virtual networks that are allowed to resolve records within the zone. These are called [virtual network links][virtual-network-links]. 
++The following example creates a virtual network named *myAzureVNet* in the *myResourceGroup* resource group, and one subnet named *mySubnet* to create within the VNet with a specific address prefix. ++```azurecli-interactive +az network vnet create \ + --name myAzureVNet \ + --resource-group myResourceGroup \ + --location eastus \ + --address-prefix 10.2.0.0/16 \ + --subnet-name mysubnet \ + --subnet-prefixes 10.2.0.0/24 +``` ++## Create an Azure private DNS zone ++> [!NOTE] +> You can configure the application routing add-on to automatically create records on one or more Azure global and private DNS zones for hosts defined on Ingress resources. All global Azure DNS zones and all private Azure DNS zones need to be in the same resource group. ++You create a DNS zone using the [az network private-dns zone create][az-network-private-dns-zone-create] command, specifying the name of the zone and the resource group to create it in. The following example creates a DNS zone named *private.contoso.com* in the *myResourceGroup* resource group. ++```azurecli-interactive +az network private-dns zone create --resource-group myResourceGoup -n private.contoso.com +``` ++You create a virtual network link to the DNS zone created earlier using the [az network private-dns link vnet create][az-network-private-dns-link-vnet-create] command. The following example creates a link named *myDNSLink* to the zone *private.contoso.com* for the virtual network *myAzureVNet*. Include the `--registration-enabled` parameter to specify the link is not registration enabled. ++```azurecli-interactive +az network private-dns link vnet create --resource-group myResourceGroup \ + --name myDNSLink \ + --zone-name private.contoso.com \ + --virtual-network myAzureVNet \ + --registration-enabled false +``` ++The Azure DNS private zone auto registration feature manages DNS records for virtual machines deployed in a virtual network. 
When you link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each Azure virtual machine for your AKS node deployed in the virtual network. ++## Attach an Azure private DNS zone to the application routing add-on ++> [!NOTE] +> The `az aks approuting zone add` command uses the permissions of the user running the command to create the [Azure DNS Zone][azure-dns-zone-role] role assignment. The **Private DNS Zone Contributor** role is a built-in role for managing private DNS resources and is assigned to the add-on's managed identity. For more information on AKS managed identities, see [Summary of managed identities][summary-msi]. ++1. Retrieve the resource ID for the DNS zone using the [`az network dns zone show`][az-network-dns-zone-show] command and set the output to a variable named `ZONEID`. The following example queries the zone *private.contoso.com* in the resource group *myResourceGroup*. ++ ```azurecli-interactive + ZONEID=$(az network private-dns zone show --resource-group myResourceGroup --name private.contoso.com --query "id" --output tsv) + ``` ++1. Update the add-on to enable integration with Azure DNS using the [`az aks approuting zone`][az-aks-approuting-zone] command. You can pass a comma-separated list of DNS zone resource IDs. The following example updates the AKS cluster *myAKSCluster* in the resource group *myResourceGroup*. ++ ```azurecli-interactive + az aks approuting zone add --resource-group myResourceGroup --name myAKSCluster --ids=${ZONEID} --attach-zones + ``` ++## Create an NGINX ingress controller with a private IP address and an internal load balancer ++The application routing add-on uses a Kubernetes [custom resource definition (CRD)][k8s-crds] called [`NginxIngressController`][app-routing-crds] to configure NGINX ingress controllers. You can create more ingress controllers or modify an existing configuration. 
++`NginxIngressController` CRD has a `loadBalancerAnnotations` field to control the behavior of the NGINX ingress controller's service by setting [load balancer annotations](load-balancer-standard.md#customizations-via-kubernetes-annotations). ++Perform the following steps to create an NGINX ingress controller with an internal facing Azure Load Balancer with a private IP address. ++1. Copy the following YAML manifest into a new file named **nginx-internal-controller.yaml** and save the file to your local computer. ++ ```yml + apiVersion: approuting.kubernetes.azure.com/v1alpha1 + kind: NginxIngressController + metadata: + name: nginx-internal + spec: + ingressClassName: nginx-internal + controllerNamePrefix: nginx-internal + loadBalancerAnnotations: + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + ``` ++1. Create the NGINX ingress controller resources using the [`kubectl apply`][kubectl-apply] command. ++ ```bash + kubectl apply -f nginx-internal-controller.yaml + ``` ++ The following example output shows the created resource: ++ ```output + nginxingresscontroller.approuting.kubernetes.azure.com/nginx-internal created + ``` ++1. Verify the ingress controller was created ++ You can verify the status of the NGINX ingress controller using the [`kubectl get nginxingresscontroller`][kubectl-get] command. ++ ```bash + kubectl get nginxingresscontroller + ``` ++ The following example output shows the created resource. It may take a few minutes for the controller to be available: ++ ```output + NAME INGRESSCLASS CONTROLLERNAMEPREFIX AVAILABLE + default webapprouting.kubernetes.azure.com nginx True + nginx-internal nginx-internal nginx-internal True + ``` ++## Deploy an application ++The application routing add-on uses annotations on Kubernetes Ingress objects to create the appropriate resources. ++1. 
Create an application namespace called `hello-web-app-routing` to run the example pods using the [`kubectl create namespace`][kubectl-create-namespace] command. ++ ```bash + kubectl create namespace hello-web-app-routing + ``` ++1. Create the deployment by copying the following YAML manifest into a new file named **deployment.yaml** and save the file to your local computer. ++ ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: aks-helloworld + namespace: hello-web-app-routing + spec: + replicas: 1 + selector: + matchLabels: + app: aks-helloworld + template: + metadata: + labels: + app: aks-helloworld + spec: + containers: + - name: aks-helloworld + image: mcr.microsoft.com/azuredocs/aks-helloworld:v1 + ports: + - containerPort: 80 + env: + - name: TITLE + value: "Welcome to Azure Kubernetes Service (AKS)" + ``` ++1. Create the service by copying the following YAML manifest into a new file named **service.yaml** and save the file to your local computer. ++ ```yaml + apiVersion: v1 + kind: Service + metadata: + name: aks-helloworld + namespace: hello-web-app-routing + spec: + type: ClusterIP + ports: + - port: 80 + selector: + app: aks-helloworld + ``` ++1. Create the cluster resources using the [`kubectl apply`][kubectl-apply] command. ++ ```bash + kubectl apply -f deployment.yaml -n hello-web-app-routing + ``` ++ The following example output shows the created resource: ++ ```output + deployment.apps/aks-helloworld created created + ``` ++ ```bash + kubectl apply -f service.yaml -n hello-web-app-routing + ``` ++ The following example output shows the created resource: ++ ```output + service/aks-helloworld created created + ``` ++## Create the Ingress resource that uses a host name on the Azure private DNS zone and a private IP address ++1. Copy the following YAML manifest into a new file named **ingress.yaml** and save the file to your local computer. 
++ Update *`<Hostname>`* with the name of your DNS host, for example, `helloworld.private.contoso.com`. Verify you're specifying `nginx-internal` for the `ingressClassName`. ++ ```yml + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: aks-helloworld + namespace: hello-web-app-routing + spec: + ingressClassName: nginx-internal + rules: + - host: <Hostname> + http: + paths: + - backend: + service: + name: aks-helloworld + port: + number: 80 + path: / + pathType: Prefix + ``` ++1. Create the cluster resources using the [`kubectl apply`][kubectl-apply] command. ++ ```bash + kubectl apply -f ingress.yaml -n hello-web-app-routing + ``` ++ The following example output shows the created resource: ++ ```output + ingress.networking.k8s.io/aks-helloworld created + ``` ++## Verify the managed Ingress was created ++You can verify the managed Ingress was created using the [`kubectl get ingress`][kubectl-get] command. ++```bash +kubectl get ingress -n hello-web-app-routing +``` ++The following example output shows the created managed Ingress: ++```output +NAME CLASS HOSTS ADDRESS PORTS AGE +aks-helloworld nginx-internal helloworld.private.contoso.com 10.224.0.7 80 98s +``` ++## Verify the Azure private DNS zone was updated ++In a few minutes, run the [az network private-dns record-set a list][az-network-private-dns-record-set-a-list] command to view the A records for your Azure private DNS zone. Specify the name of the resource group and the name of the DNS zone. In this example, the resource group is *myResourceGroup* and DNS zone is *private.contoso.com*. 
++```azurecli-interactive +az network private-dns record-set a list --resource-group myResourceGroup --zone-name private.contoso.com +``` ++The following example output shows the created record: ++```output +[ + { + "aRecords": [ + { + "ipv4Address": "10.224.0.7" + } + ], + "etag": "188f0ce5-90e3-49e6-a479-9e4053f21965", + "fqdn": "helloworld.private.contoso.com.", + "id": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups/foo/providers/Microsoft.Network/privateDnsZones/private.contoso.com/A/helloworld", + "isAutoRegistered": false, + "name": "helloworld", + "resourceGroup": "foo", + "ttl": 300, + "type": "Microsoft.Network/privateDnsZones/A" + } +] +``` ++## Next steps ++For other configuration information related to SSL encryption other advanced NGINX ingress controller and ingress resource configuration, review [DNS and SSL configuration][dns-ssl-configuration] and [application routing add-on configuration][custom-ingress-configurations]. ++<!-- LINKS - external --> +[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply +[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get +[kubectl-create-namespace]: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_namespace/ +[k8s-crds]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ +[app-routing-crds]: https://aka.ms/aks/approuting/nginxingresscontrollercrd ++<!-- LINKS - internal --> +[summary-msi]: use-managed-identity.md#summary-of-managed-identities +[rbac-owner]: ../role-based-access-control/built-in-roles.md#owner +[rbac-classic]: ../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles +[app-routing-add-on-basic-configuration]: app-routing.md +[dns-ssl-configuration]: app-routing-dns-ssl.md +[custom-ingress-configurations]: app-routing-nginx-configuration.md +[az-aks-approuting-zone]: 
/cli/azure/aks/approuting/zone +[az-network-dns-zone-show]: /cli/azure/network/dns/zone#az-network-dns-zone-show +[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli +[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials +[virtual-network-links]: ../dns/private-dns-virtual-network-links.md +[azure-dns-zone-role]: ../dns/dns-protect-private-zones-recordsets.md +[az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone?#az-network-private-dns-zone-create +[az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create +[az-network-private-dns-record-set-a-list]: /cli/azure/network/private-dns/record-set/a#az-network-private-dns-record-set-a-list |
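Review bot: the `az network private-dns zone create` command under "Create an Azure private DNS zone" passes `--resource-group myResourceGoup`, which does not match the *myResourceGroup* used everywhere else in the walkthrough and will fail with a resource-group-not-found error when copied; fix the spelling. In "Attach an Azure private DNS zone to the application routing add-on", the prose says the zone ID is retrieved with `az network dns zone show` and links `[az-network-dns-zone-show]` to `/cli/azure/network/dns/zone`, but the command actually run is `az network private-dns zone show`; point the text and the link at the private-dns command so readers do not query the public zone resource type. Under "Before you begin", requiring Owner, Azure account administrator or co-administrator on the whole subscription is broader than what the later note says the command does (create a Private DNS Zone Contributor assignment for the add-on's managed identity using the caller's permissions); consider stating the least scope at which the caller needs rights to create that role assignment. Smaller items: the title reads "NGIX"; "Include the `--registration-enabled` parameter to specify the link is not registration enabled" should say to set it to `false`, as the command does; two example outputs read `deployment.apps/aks-helloworld created created` and `service/aks-helloworld created created`; and the record-set JSON shows resource group `foo` while the rest of the article uses *myResourceGroup*.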
aks | Howto Deploy Java Wls App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/howto-deploy-java-wls-app.md | Use the following steps to build the image: This command should produce output similar to the following example: ```output- /auxiliary/models/dbmodel.yaml - /auxiliary/models/archive.zip /auxiliary/models/model.properties+ /auxiliary/models/dbmodel.yaml /auxiliary/models/model.yaml- /auxiliary/weblogic-deploy/VERSION.txt - /auxiliary/weblogic-deploy/LICENSE.txt + /auxiliary/models/archive.zip + /auxiliary/models/appmodel.yaml /auxiliary/Dockerfile+ /auxiliary/weblogic-deploy/LICENSE.txt + /auxiliary/weblogic-deploy/VERSION.txt ``` 1. Use the following steps to push the auxiliary image to Azure Container Registry: |
aks | Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md | AKS uses the following rules for applying updates to installed add-ons: | azure-policy | Use Azure Policy for AKS, which enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | [Understand Azure Policy for Kubernetes clusters][azure-policy-aks] | [GitHub][azure-policy-repo] | | azure-keyvault-secrets-provider | Use Azure Keyvault Secrets Provider addon.| [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster][keyvault-secret-provider] | [GitHub][keyvault-secret-provider-repo] | | virtual-node | Use virtual nodes with your AKS cluster. | [Use virtual nodes][virtual-nodes] | [GitHub][virtual-nodes-oss-repo] |-| http_application_routing | Configure ingress with automatic public DNS name creation for your AKS cluster (retired). | [HTTP application routing add-on on Azure Kubernetes Service (AKS) (retired)][http-app-routing] | [GitHub][app-routing-repo] | | open-service-mesh | Use Open Service Mesh with your AKS cluster (retired). | [Open Service Mesh AKS add-on (retired)][osm] | [GitHub][osm-repo] | ## Extensions For more information, see [Windows AKS partner solutions][windows-aks-partner-so <!-- LINKS --> [aks-repo]: https://github.com/Azure/AKS-[http-app-routing]: http-application-routing.md [app-routing-repo]: https://github.com/Azure/aks-app-routing-operator [container-insights]: ../azure-monitor/containers/container-insights-overview.md [virtual-nodes]: virtual-nodes.md |
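Review bot: with the `http_application_routing` table row and the `[http-app-routing]: http-application-routing.md` definition removed, the `[app-routing-repo]: https://github.com/Azure/aks-app-routing-operator` definition is kept although its only visible reference was in the deleted row; either remove it or confirm another row still uses it so the file does not carry an orphaned link reference. Since this removes the only ingress entry from the add-on table shown here, a pointer to the application routing add-on page would help readers migrating off the retired add-on.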
aks | Intro Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md | Pods can also connect to other services in a peered virtual network and on-premi For more information, see the [Network concepts for applications in AKS][aks-networking]. -### Ingress with HTTP application routing +### Ingress with application routing add-on -The HTTP application routing add-on helps you easily access applications deployed to your AKS cluster. When enabled, the HTTP application routing solution configures an ingress controller in your AKS cluster. +The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed, ingress controller for Azure Kubernetes Service (AKS) that provides the following features: -As applications are deployed, publicly accessible DNS names are auto-configured. The HTTP application routing sets up a DNS zone and integrates it with the AKS cluster. You can then deploy Kubernetes ingress resources as normal. +* Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller. -To get started with Ingress traffic, see [HTTP application routing][aks-http-routing]. +* Integration with Azure DNS for public and private zone management. ++* SSL termination with certificates stored in Azure Key Vault. ++For more information about the application routing add-on, see [Managed NGINX ingress with the application routing add-on](app-routing.md). ## Development tooling integration Learn more about deploying and managing AKS. [aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md [aks-quickstart-template]: ./learn/quick-kubernetes-deploy-rm-template.md [aks-gpu]: ./gpu-cluster.md-[aks-http-routing]: ./http-application-routing.md [aks-networking]: ./concepts-network.md [aks-scale]: ./tutorial-kubernetes-scale.md [aks-upgrade]: ./upgrade-cluster.md |
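Review bot: the new "Ingress with application routing add-on" section spells the feature "add-on" in the heading and "addon" twice in the first body sentence; use one spelling, and drop the stray comma in "a fully managed, ingress controller". The bullet "SSL termination with certificates stored in Azure Key Vault" should say TLS termination; SSL is the retired protocol and the Key Vault certificates are used for TLS. Also confirm no remaining paragraph references `[aks-http-routing]`, since its definition is deleted at the bottom of this hunk.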
aks | Istio Deploy Addon | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-deploy-addon.md | Run the following command to update to the latest version of the extension relea az extension update --name aks-preview ``` -### Register the _AzureServiceMeshPreview_ feature flag --Register the `AzureServiceMeshPreview` feature flag by using the [az feature register][az-feature-register] command: --```azurecli-interactive -az feature register --namespace "Microsoft.ContainerService" --name "AzureServiceMeshPreview" -``` --It takes a few minutes for the feature to register. Verify the registration status by using the [az feature show][az-feature-show] command: --```azurecli-interactive -az feature show --namespace "Microsoft.ContainerService" --name "AzureServiceMeshPreview" -``` --When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command: --```azurecli-interactive -az provider register --namespace Microsoft.ContainerService -``` - ## Install Istio add-on at the time of cluster creation To install the Istio add-on when creating the cluster, use the `--enable-azure-service-mesh` or`--enable-asm` parameter. |
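Review bot: this hunk removes the `AzureServiceMeshPreview` feature-flag registration but keeps the preceding step that runs `az extension update --name aks-preview`; if the Istio add-on no longer needs a preview flag, say whether the preview CLI extension is still required for `--enable-azure-service-mesh`, otherwise readers keep installing a preview extension for a feature that is no longer gated. Also check that the `[az-feature-register]`, `[az-feature-show]` and `[az-provider-register]` link definitions, referenced only by the removed text, are deleted from the link list so they do not become orphaned.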
aks | Istio Plugin Ca | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/istio-plugin-ca.md | Run the following command to update to the latest version of the extension relea az extension update --name aks-preview ``` -### Register the _AzureServiceMeshPreview_ feature flag --Register the `AzureServiceMeshPreview` feature flag by using the [az feature register][az-feature-register] command: --```azurecli-interactive -az feature register --namespace "Microsoft.ContainerService" --name "AzureServiceMeshPreview" -``` --It takes a few minutes for the feature to register. Verify the registration status by using the [az feature show][az-feature-show] command: --```azurecli-interactive -az feature show --namespace "Microsoft.ContainerService" --name "AzureServiceMeshPreview" -``` --When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command: --```azurecli-interactive -az provider register --namespace Microsoft.ContainerService -``` - ### Set up Azure Key Vault 1. You need an [Azure Key Vault resource][akv-quickstart] to supply the certificate and key inputs to the Istio add-on. |
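Review bot: as with the matching change to istio-deploy-addon.md, removing the `AzureServiceMeshPreview` registration while leaving the `az extension update --name aks-preview` step unexplained raises the question of whether the preview extension is still needed for the plug-in CA setup; state it either way, and remove the now-unused `[az-feature-register]`, `[az-feature-show]` and `[az-provider-register]` link definitions if nothing else in the file references them.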
aks | Node Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-access.md | To connect to another node in the cluster, use the `kubectl debug` command. For > ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p azureuser@127.0.0.1' -o PreferredAuthentications=password azureuser@10.224.0.62 > ``` +## Use Host Process Container to access Windows node ++1. Create `hostprocess.yaml` with the following content and replacing `AKSWINDOWSNODENAME` with the AKS Windows node name. ++ ```yaml + apiVersion: v1 + kind: Pod + metadata: + labels: + pod: hpc + name: hpc + spec: + securityContext: + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + containers: + - name: hpc + image: mcr.microsoft.com/windows/servercore:ltsc2022 # Use servercore:1809 for WS2019 + command: + - powershell.exe + - -Command + - "Start-Sleep 2147483" + imagePullPolicy: IfNotPresent + nodeSelector: + kubernetes.io/os: windows + kubernetes.io/hostname: AKSWINDOWSNODENAME + tolerations: + - effect: NoSchedule + key: node.kubernetes.io/unschedulable + operator: Exists + - effect: NoSchedule + key: node.kubernetes.io/network-unavailable + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + ``` ++2. Run `kubectl apply -f hostprocess.yaml` to deploy the Windows host process container (HPC) in the specified Windows node. ++3. Use `kubectl exec -it [HPC-POD-NAME] -- powershell`. ++4. You can run any PowerShell commands inside the HPC container to access the Windows node. ++> [!Note] +> +> You need to switch the root folder to `C:\` inside the HPC container to access the files in the Windows node. + ## SSH using Azure Bastion for Windows If your Linux proxy node isn't reachable, using Azure Bastion as a proxy is an alternative. This method requires that you set up an Azure Bastion host for the virtual network in which the cluster resides. 
See [Connect with Azure Bastion][azure-bastion] for more details. |
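Review bot: the new "Use Host Process Container to access Windows node" section deploys a pod with `hostProcess: true`, `runAsUserName: "NT AUTHORITY\\SYSTEM"` and `hostNetwork: true`, which amounts to SYSTEM-level interactive access to the node, but the text never says so; add a warning that this is a break-glass path, that the ability to create such pods should be restricted by RBAC and pod security admission to cluster operators, and that the pod should be deleted once the session ends (as written the command is `Start-Sleep 2147483`, roughly 24 days, so a privileged pod is left behind by default). Step 3's `kubectl exec -it [HPC-POD-NAME] -- powershell` also omits the namespace the pod was applied in, and the note about switching to `C:\` would be clearer if it said that the container's own filesystem is not the node's root.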
aks | Operator Best Practices Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-network.md | An *ingress controller* is a daemon that runs on an AKS node and watches for inc Ingress controllers must be scheduled on a Linux node. Indicate that the resource should run on a Linux-based node using a node selector in your YAML manifest or Helm chart deployment. For more information, see [Use node selectors to control where pods are scheduled in AKS][concepts-node-selectors]. -> [!NOTE] -> Windows Server nodes shouldn't run the ingress controller. +## Ingress with the application routing addon -There are many scenarios for ingress, including the following how-to guides: +The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed, ingress controller for Azure Kubernetes Service (AKS) that provides the following features: -* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] -* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal] -* [Create an ingress controller that uses your own TLS certificates][aks-ingress-own-tls] -* Create an ingress controller that uses Let's Encrypt to automatically generate TLS certificates [with a dynamic public IP address][aks-ingress-tls] or [with a static public IP address][aks-ingress-static-tls] +* Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller. ++* Integration with Azure DNS for public and private zone management. ++* SSL termination with certificates stored in Azure Key Vault. ++For more information about the application routing add-on, see [Managed NGINX ingress with the application routing add-on](app-routing.md). ## Secure traffic with a web application firewall (WAF) This article focused on network connectivity and security. 
For more information [sp-delegation]: kubernetes-service-principal.md#delegate-access-to-other-azure-resources [expressroute]: ../expressroute/expressroute-introduction.md [vpn-gateway]: ../vpn-gateway/vpn-gateway-about-vpngateways.md-[aks-ingress-internal]: ingress-internal-ip.md -[aks-ingress-static-tls]: ingress-static-ip.md -[aks-ingress-basic]: ingress-basic.md -[aks-ingress-tls]: ingress-tls.md -[aks-ingress-own-tls]: ingress-own-tls.md [app-gateway]: ../application-gateway/overview.md [use-network-policies]: use-network-policies.md [advanced-networking]: configure-azure-cni.md |
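Review bot: removing the `> Windows Server nodes shouldn't run the ingress controller.` callout is acceptable only because the sentence above it still says ingress controllers must be scheduled on a Linux node; keep that sentence intact. The new section repeats the feature list added to intro-kubernetes.md, including the stray comma in "a fully managed, ingress controller", "SSL termination" where TLS is meant, and "addon" in the body against "add-on" in the heading. The five deleted how-to references (`[aks-ingress-basic]`, `[aks-ingress-internal]`, `[aks-ingress-own-tls]`, `[aks-ingress-tls]`, `[aks-ingress-static-tls]`) are also removed from the link list in this hunk, which is consistent, but the bring-your-own-certificate scenario they covered is now only implied by the Key Vault bullet; point to where that is documented for the add-on.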
aks | Static Ip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/static-ip.md | Events: ## Next steps -For more control over the network traffic to your applications, you may want to [create an ingress controller][aks-ingress-basic]. You can also [create an ingress controller with a static public IP address][aks-static-ingress]. +For more control over the network traffic to your applications, use the application routing addon for AKS. For more information about the app routing addon, see [Managed NGINX ingress with the application routing add-on](app-routing.md). <!-- LINKS - External --> [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe |
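Review bot: the replacement sentence writes "application routing addon" twice and then "application routing add-on" in the link text; use one spelling. The removed references `[aks-ingress-basic]` and `[aks-static-ingress]` need their definitions removed from the internal link list as well; only the `<!-- LINKS - External -->` header is visible in this hunk, so confirm the internal list was updated.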
aks | Use Byo Cni | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-byo-cni.md | Learn more about networking in AKS in the following articles: * [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md) * [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md)-* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] -* [Enable the HTTP application routing add-on][aks-http-app-routing] -* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal] -* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls] -* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls] +* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md) <!-- LINKS - External --> [kubernetes-cni]: https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/ Learn more about networking in AKS in the following articles: [az-aks-create]: /cli/azure/aks#az_aks_create [aks-network-concepts]: concepts-network.md [aks-network-nsg]: concepts-network.md#network-security-groups-[aks-ingress-basic]: ingress-basic.md -[aks-ingress-tls]: ingress-tls.md -[aks-ingress-static-tls]: ingress-static-ip.md -[aks-http-app-routing]: http-application-routing.md -[aks-ingress-internal]: ingress-internal-ip.md [deploy-bicep-template]: ../azure-resource-manager/bicep/deploy-cli.md [az-group-create]: /cli/azure/group#az_group_create [deploy-arm-template]: ../azure-resource-manager/templates/deploy-cli.md |
aks | Use Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md | AKS uses several managed identities for built-in services and add-ons. | Add-on | azure-policy | No identity required. | N/A | No | Add-on | Calico | No identity required. | N/A | No | Add-on | Dashboard | No identity required. | N/A | No-| Add-on | application-routing | Manages Azure DNS and Azure Key Vault certificates | Key Vault Secrets User role for Key Vault, DNZ Zone Contributor role for DNS zone | No +| Add-on | application-routing | Manages Azure DNS and Azure Key Vault certificates | Key Vault Secrets User role for Key Vault, DNZ Zone Contributor role for DNS zones, Private DNS Zone Contributor role for private DNS zones | No | Add-on | HTTPApplicationRouting | Manages required network resources. | Reader role for node resource group, contributor role for DNS zone | No | Add-on | Ingress application gateway | Manages required network resources. | Contributor role for node resource group | No | Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No |
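Review bot: the rewritten application-routing row carries over the typo "DNZ Zone Contributor" from the old line; it should read "DNS Zone Contributor". While this row is being touched, the three grants it lists (Key Vault Secrets User, DNS Zone Contributor, Private DNS Zone Contributor) are what the add-on's identity receives, so stating the scope of each (the vault, the public zones, the private zones) the way other rows say "node resource group" or "DNS zone" would let readers audit the assignments against what they see in their subscription.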
aks | Use Windows Hpc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-windows-hpc.md | To use HostProcess features with your deployment, set *hostProcess: true* and *h ```yaml spec: ...- containers: - ... - securityContext: - windowsOptions: - hostProcess: true - ... + securityContext: + windowsOptions: + hostProcess: true + ... hostNetwork: true+ containers: ... ``` spec: spec: nodeSelector: kubernetes.io/os: windows+ securityContext: + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true containers: - name: powershell- image: mcr.microsoft.com/powershell:lts-nanoserver-1809 - securityContext: - windowsOptions: - hostProcess: true - runAsUserName: "NT AUTHORITY\\SYSTEM" + image: mcr.microsoft.com/powershell:lts-nanoserver-1809 # or lts-nanoserver-ltsc2022 command:- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - - -command - - | - $AdminRights = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator") - Write-Host "Process has admin rights: $AdminRights" - while ($true) { Start-Sleep -Seconds 2147483 } - hostNetwork: true + - powershell.exe + - -Command + - Start-Sleep -Seconds 2147483 terminationGracePeriodSeconds: 0 ``` |
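Review bot: moving `windowsOptions.hostProcess` and `runAsUserName` from the container `securityContext` to the pod `securityContext` is valid, since every container in a HostProcess pod must share that setting, but the hunk also drops the `$AdminRights = ([Security.Principal.WindowsPrincipal]...).IsInRole(...)` check and its `Write-Host "Process has admin rights: $AdminRights"` line in favour of a bare `Start-Sleep -Seconds 2147483`; that check was the only thing in the example showing the reader that the container really runs with elevated rights on the node. Keep it, or add a verification step after deployment that demonstrates the privilege the page is explaining.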
app-service | Manage Backup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-backup.md | There are two types of backups in App Service. Automatic backups made for your a | Linked database | Not backed up. | The following linked databases can be backed up: [SQL Database](/azure/azure-sql/database/), [Azure Database for MySQL](../mysql/index.yml), [Azure Database for PostgreSQL](../postgresql/index.yml), [MySQL in-app](https://azure.microsoft.com/blog/mysql-in-app-preview-app-service/). | | [Storage account](../storage/index.yml) required | No. | Yes. | | Backup frequency | Hourly, not configurable. | Configurable. |-| Retention | 30 days, not configurable. <br>- Days 1-3: hourly backups retained.<br>- Days 4-14: every 3 hourly backup retained.<br>- Days 15-30: every 6 hourly backup retained. | 0-30 days or indefinite. | +| Retention | 30 days, not configurable. <br>- Days 1-3: hourly backups retained.<br>- Days 4-14: every third hourly backup retained.<br>- Days 15-30: every sixth hourly backup retained. | 0-30 days or indefinite. | | Downloadable | No. | Yes, as Azure Storage blobs. | | Partial backups | Not supported. | Supported. |-| Back up over VNet | Not supported. | Supported. | +| Backups over VNet | Not supported. | Supported. | <!- There are two types of backups in App Service. Automatic backups made for your a :::image type="content" source="./media/manage-backup/open-backups-page.png" alt-text="Screenshot that shows how to open the backups page."::: -1. Select the automatic backup or custom backup to restore by clicking its **Restore** link. +1. Select the automatic backup or custom backup to restore by selecting its **Restore** link. :::image type="content" source="./media/manage-backup/click-restore-link.png" alt-text="Screenshot that shows how to select the restore link."::: There are two types of backups in App Service. Automatic backups made for your a 1. 
You can choose to restore your site configuration under **Advanced options**. -1. Click **Restore**. +1. Select **Restore**. # [Azure CLI](#tab/cli) There are two types of backups in App Service. Automatic backups made for your a > > -1. Click **Configure**. +1. Select **Configure**. Once the storage account and container is configured, you can initiate an on-demand backup at any time. On-demand backups are retained indefinitely. To restore a database that's included in a custom backup: For troubleshooting information, see [Why is my linked database not backed up](#why-is-my-linked-database-not-backed-up). -## Back up and restore over Azure Virtual Network (preview) +## Back up and restore over Azure Virtual Network With [custom backups](#create-a-custom-backup), you can back up your app's files and configuration data to a firewall-protected storage account if the following requirements are fulfilled: - The app is [integrated with a virtual network](overview-vnet-integration.md), or the app is in a v3 [App Service environment](environment/app-service-app-service-environment-intro.md).-- The storage account has [granted access from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) that the app is integrated with, or that the v3 App Service environment is created with.+- The storage account [allows access from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) that the app is integrated with, or that the v3 App Service environment is created with. To back up and restore over Azure Virtual Network: 1. When configuring [custom backups](#create-a-custom-backup), select **Backup/restore over virtual network integration**. 1. Save your settings by selecting **Configure**. -If you don't see the checkbox, or if the checkbox is disabled, verify that you have fulfilled the aforementioned requirements. 
+If you don't see the checkbox, or if the checkbox is disabled, verify that your resources fulfill the requirements. -Once the configuration is saved, any manual, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations will fail. +Once the configuration is saved, any manual, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations fail. <a name="partialbackups"></a> Run backups the same way you would normally do it, [custom on-demand](#create-a- ## How backups are stored -After you have made one or more backups for your app, the backups are visible on the **Containers** page of your storage account, and your app. In the storage account, each backup consists of a`.zip` file that contains the backup data and an `.xml` file that contains a manifest of the `.zip` file contents. You can unzip and browse these files if you want to access your backups without actually performing an app restore. +After you make one or more backups for your app, the backups are visible on the **Containers** page of your storage account, and your app. In the storage account, each backup consists of a`.zip` file that contains the backup data and an `.xml` file that contains a manifest of the `.zip` file contents. You can unzip and browse these files if you want to access your backups without actually performing an app restore. The database backup for the app is stored in the root of the .zip file. For SQL Database, this is a BACPAC file (no file extension) and can be imported. 
To create a database in Azure SQL Database based on the BACPAC export, see [Import a BACPAC file to create a database in Azure SQL Database](/azure/azure-sql/database/database-import). The **Backups** page shows you the status of each backup. To get log details reg | A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server). | Check that the connection string is valid. Allow the app's [outbound IPs](overview-inbound-outbound-ips.md) in the database server settings. | | Cannot open server "\<name>" requested by the login. The login failed. | Check that the connection string is valid. | | Missing mandatory parameters for valid Shared Access Signature. | Delete the backup schedule and reconfigure it. |-| SSL connection is required. Please specify SSL options and retry when trying to connect. | SSL connectivity to Azure Database for MySQL and Azure Database for PostgreSQL isn't supported for database backups. Use the native backup feature in the respective database instead. | +| SSL connection is required. Specify SSL options and retry when trying to connect. | SSL connectivity to Azure Database for MySQL and Azure Database for PostgreSQL isn't supported for database backups. Use the native backup feature in the respective database instead. | ## Automate with scripts The following table shows which app configuration is restored when you choose to A custom backup (on-demand backup or scheduled backup) includes all content and configuration that's included in an [automatic backup](#whats-included-in-an-automatic-backup), plus any linked database, up to the allowable maximum size. 
-When [backing up over an Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network-preview), you can't [back up the linked database](#back-up-and-restore-a-linked-database). +When [backing up over an Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network), you can't [back up the linked database](#back-up-and-restore-a-linked-database). #### Why is my linked database not backed up? Linked databases are backed up only for custom backups, up to the allowable maximum size. If the maximum backup size (10 GB) or the maximum database size (4 GB) is exceeded, your backup fails. Here are a few common reasons why your linked database isn't backed up: -* Backups of [TLS enabled Azure Database for MySQL](../mysql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you'll encounter backup failures. -* Backups of [TLS enabled Azure Database for PostgreSQL](../postgresql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you'll encounter backup failures. -* In-app MySQL databases are automatically backed up without any configuration. If you make manual settings for in-app MySQL databases, such as adding connection strings, the backups may not work correctly. +* Backups of [TLS enabled Azure Database for MySQL](../mysql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you get backup failures. +* Backups of [TLS enabled Azure Database for PostgreSQL](../postgresql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you get backup failures. +* In-app MySQL databases are automatically backed up without any configuration. If you make manual settings for in-app MySQL databases, such as adding connection strings, the backups might not work correctly. #### What happens if the backup size exceeds the allowable maximum? Automatic backups can't be restored if the backup size exceeds the maximum size. 
#### Can I use a storage account that has security features enabled? -You can back up to a firewall-protected storage account if it's part of the same virtual network topology as your app. See [Back up and restore over Azure Virtual Network (preview)](#back-up-and-restore-over-azure-virtual-network-preview). +You can back up to a firewall-protected storage account if it's part of the same virtual network topology as your app. See [Back up and restore over Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network). #### How do I restore to an app in a different subscription? The steps are the same as in [How do I restore to an app in a different subscrip #### Where are the automatic backups stored? -Automatic backups are simple and stored in the same datacenter as the App Service and should not be relied upon as your disaster recovery plan. +Automatic backups are simple and stored in the same datacenter as the App Service and shouldn't be relied upon as your disaster recovery plan. #### How do I stop the automatic backup? -You cannot stop automatic backup. The automatic backup is stored on the platform and has no effect on the underlying app instance or its storage. +You can't stop automatic backups. The automatic backup is stored on the platform and has no effect on the underlying app instance or its storage. <a name="nextsteps"></a> |
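Review bot: The rewritten sentence under "How backups are stored" still reads "each backup consists of a`.zip` file", so the missing space before the code span survives the edit; since that line is already being changed ("After you make one or more backups"), make it "consists of a `.zip` file" in the same hunk.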
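Review bot: The unchanged context line in the Azure CLI section, "Once the storage account and container is configured, you can initiate an on-demand backup at any time", has a plural subject with a singular verb; while the neighbouring "Click **Configure**" step is being reworded to "Select **Configure**", change it to "Once the storage account and container are configured".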
application-gateway | Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/features.md | For more information, see [Overview of SSL termination and end to end SSL with A Application Gateway Standard_v2 supports autoscaling and can scale up or down based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. -For more information about the Application Gateway Standard_v2 features, see [What is Azure Application Gateway v2?](overview-v2.md). +For more information about the Application Gateway Standard_v2 features, see [What is Azure Application Gateway v2](overview-v2.md). ## Zone redundancy Web Application Firewall (WAF) is a service that provides centralized protection Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these exploits are SQL injection attacks, cross site scripting attacks to name a few. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each of individual web applications. Existing application gateways can be converted to a Web Application Firewall enabled application gateway easily. -Refer to [Application DDoS protection](../web-application-firewall/shared/application-ddos-protection.md) for guidance on how to use Azure WAF with Application Gateway to protect against DDoS attacks. For more information, see [What is Azure Web Application Firewall?](../web-application-firewall/overview.md). 
+Refer to [Application DDoS protection](../web-application-firewall/shared/application-ddos-protection.md) for guidance on how to use Azure WAF with Application Gateway to protect against DDoS attacks. For more information, see [What is Azure Web Application Firewall](../web-application-firewall/overview.md). ## Ingress Controller for AKS Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/services/kubernetes-service/) cluster. The following table shows an average performance throughput for each application ## Version feature comparison -For an Application Gateway v1-v2 feature comparison, see [What is Azure Application Gateway v2?](overview-v2.md#feature-comparison-between-v1-sku-and-v2-sku). +For an Application Gateway v1-v2 feature comparison, see [What is Azure Application Gateway v2](overview-v2.md#feature-comparison-between-v1-sku-and-v2-sku). ## Next steps |
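Review bot: Dropping the trailing question mark makes the link text diverge from the target articles' titles: "What is Azure Application Gateway v2?" and "What is Azure Web Application Firewall?" are question-form titles, and the same change is made in the Standard_v2 paragraph, the WAF paragraph and the version feature comparison. If the link text is meant to mirror the article title, keep the "?"; otherwise reword the link to a noun phrase (for example "the Application Gateway v2 overview") rather than leaving a truncated question.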
application-gateway | Alb Controller Backend Health Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/alb-controller-backend-health-metrics.md | ALB Controller's backend health exposes three different experiences: ALB Controller's metric endpoint exposes both metrics and summary of backend health. This endpoint enables exposure to Prometheus. Access to these endpoints can be reached via the following URLs:+ - Backend Health - http://\<alb-controller-pod-ip\>:8000/backendHealth- - Output is JSON format + - Output is JSON format - Metrics - http://\<alb-controller-pod-ip\>:8001/metrics- - Output is text format + - Output is text format Any clients or pods that have connectivity to this pod and port may access these endpoints. To restrict access, we recommend using [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to restrict access to certain clients. Example output: Once you have the IP address of your alb-controller pod, you may validate the backend health service is running by browsing to http://\<pod-ip\>:8000. For example, the following command may be run:+ ```bash curl http://10.1.0.247:8000 ``` Example response:-``` ++```text Available paths: Path: /backendHealth Description: Prints the backend health of the ALB. This experience summarizes of all Kubernetes services with references to Applica This experience may be accessed by specifying the Application Gateway for Containers resource ID in the query of the request to the alb-controller pod. 
The following command can be used to probe backend health for the specified Application Gateway for Containers resource.+ ```bash curl http://\<alb-controller-pod-ip-address\>:8000/backendHealth?alb-id=/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/yyyyyyyy/providers/Microsoft.ServiceNetworking/trafficControllers/zzzzzzzzzz ``` Example output:+ ```json { "services": [ This experience searches for the health summary status of a given service. This experience may be accessed by specifying the name of the namespace, service, and port number of the service in the following format of the query string to the alb-controller pod: _\<namespace\>/\<service\>/\<service-port-number\>_ The following command can be used to probe backend health for the specified Kubernetes service.+ ```bash curl http://\<alb-controller-pod-ip-address\>:8000/backendHealth?service-name=default/service-hello-world/80 ``` Example output:+ ```json { "services": [ This experience shows all endpoints that make up the service, including their co This experience may be accessed by specifying detailed=true in the query string to the alb-controller pod. For example, we can verify individual endpoint health by executing the following command:+ ```bash curl http://\<alb-controller-pod-ip-address\>:8000/backendHealth?service-name=default/service-hello-world/80\&detailed=true ``` Example output:+ ```json { "services": [ ALB Controller currently surfaces metrics following [text based format](https:// The following Application Gateway for Containers specific metrics are currently available today: -| Metric Name | Description | +| Metric Name | Description | | -- | - | | alb_connection_status | Connection status to an Application Gateway for Containers resource | | alb_reconnection_count | Number of reconnection attempts to an Application Gateway for Containers resources | |
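Review bot: The `bash` examples next to the new `text` fence and blank-line hunks pass the request URL unquoted: `curl http://\<alb-controller-pod-ip-address\>:8000/backendHealth?service-name=default/service-hello-world/80\&detailed=true`. Inside a fenced code block the `\<` and `\>` escapes are shown literally to the reader, and an unquoted `?` is a shell glob character, which is the only reason `\&` is needed; quoting the URL, as in `curl 'http://<alb-controller-pod-ip-address>:8000/backendHealth?service-name=default/service-hello-world/80&detailed=true'`, removes both problems. The same applies to the `alb-id=` example and the plain `http://\<pod-ip\>:8000` command.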
application-gateway | Alb Controller Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/alb-controller-release-notes.md | The ALB Controller is a Kubernetes deployment that orchestrates configuration an Each release of ALB Controller has a documented helm chart version and supported Kubernetes cluster version. Instructions for new or existing deployments of ALB Controller are found in the following links:+ - [New deployment of ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#for-new-deployments) - [Upgrade existing ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#for-existing-deployments) ## Latest Release (Recommended)-0.6.3 - Hotfix to address handling of AGC frontends during controller restart in managed scenario ++| ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes | +| - | - | | - | +| 1.0.0| v1 | v1.26, v1.27, v1.28 | URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) | ## Release history++0.6.3 - Hotfix to address handling of AGC frontends during controller restart in managed scenario + 0.6.2 - Skipped November 6, 2023 - 0.6.1 - Gateway / Ingress API - Header rewrite support, Ingress API - URL rewrite support, Ingress multiple-TLS listener bug fix, July 25, 2023 - 0.4.023971 - Ingress + Gateway coexistence improvements July 
24, 2023 - 0.4.023961 - Improved Ingress support July 24, 2023 - 0.4.023921 - Initial release of ALB Controller-* Minimum supported Kubernetes version: v1.25 ++- Minimum supported Kubernetes version: v1.25 |
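Review bot: The separator row of the new release table, `+| - | - | | - |`, has an empty third cell, so the Kubernetes Version column has no delimiter and many Markdown renderers will drop or misalign the table; use `| - | - | - | - |`. The `| 1.0.0|` cell on the following row is also missing the space before the pipe that every other cell has.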
application-gateway | Api Specification Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/api-specification-kubernetes.md | Title: Application Gateway for Containers API Specification for Kubernetes (preview) + Title: Application Gateway for Containers API Specification for Kubernetes description: This article provides documentation for Application Gateway for Containers' API specification for Kubernetes. Previously updated : 11/6/2023 Last updated : 02/27/2024 -# Application Gateway for Containers API specification for Kubernetes (preview) +# Application Gateway for Containers API specification for Kubernetes ## Packages This document defines each of the resource types for `alb.networking.azure.io/v1 (<code>string</code> alias)</h3> <div> <p>AlbConditionReason defines the set of reasons that explain-why a particular condition type has been raised on the Application Gateway for Containers resource.</p> +why a particular condition type are raised by the Application Gateway for Containers resource.</p> </div> <table> <thead> why a particular condition type has been raised on the Application Gateway for C </thead> <tbody><tr><td><p>"Accepted"</p></td> <td><p>AlbReasonAccepted indicates that the Application Gateway for Containers resource-has been accepted by the controller.</p> +are accepted by the controller.</p> </td> </tr><tr><td><p>"Ready"</p></td> <td><p>AlbReasonDeploymentReady indicates the Application Gateway for Containers resource field.</p> </thead> <tbody><tr><td><p>"Accepted"</p></td> <td><p>AlbConditionTypeAccepted indicates whether the Application Gateway for Containers resource-has been accepted by the controller.</p> +are accepted by the controller.</p> </td> </tr><tr><td><p>"Deployment"</p></td> <td><p>AlbConditionTypeDeployment indicates the deployment status of the Application Gateway for Containers resource.</p> has been accepted by the controller.</p> </em> </td> <td>-<p>Associations 
are subnet resource IDs the Application Gateway for Containers resource will be associated with.</p> +<p>Associations are subnet resource IDs the Application Gateway for Containers resource are associated with.</p> </td> </tr> </tbody> has been accepted by the controller.</p> <em>(Optional)</em> <p>Known condition types are:</p> <ul>-<li>"Accepted"</li> -<li>"Ready"</li> +<li>“Accepted”</li> +<li>“Ready”</li> </ul> </td> </tr> AlbSpec </em> </td> <td>-<p>Associations are subnet resource IDs the Application Gateway for Containers resource will be associated with.</p> +<p>Associations are subnet resource IDs the Application Gateway for Containers resource are associated with.</p> </td> </tr> </table> BackendTLSPolicySpec <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> BackendTLSPolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> </td> </tr> <tr> BackendTLSPolicyStatus (<code>string</code> alias)</h3> <div> <p>BackendTLSPolicyConditionReason defines the set of reasons that explain why a-particular BackendTLSPolicy condition type has been raised.</p> +particular BackendTLSPolicy condition type is raised.</p> </div> <table> <thead> particular BackendTLSPolicy condition type has been raised.</p> <th>Description</th> </tr> </thead>-<tbody><tr><td><p>"InvalidCertificateRef"</p></td> -<td><p>BackendTLSPolicyInvalidCertificateRef is used when an invalid certificate is referenced</p> -</td> -</tr><tr><td><p>"Accepted"</p></td> +<tbody><tr><td><p>"Accepted"</p></td> <td><p>BackendTLSPolicyReasonAccepted is used to set the BackendTLSPolicyConditionReason to Accepted When the given BackendTLSPolicy is correctly configured</p> </td> </tr><tr><td><p>"InvalidBackendTLSPolicy"</p></td> <td><p>BackendTLSPolicyReasonInvalid is the reason when the BackendTLSPolicy isn’t Accepted</p> </td>+</tr><tr><td><p>"InvalidCertificateRef"</p></td> +<td><p>BackendTLSPolicyReasonInvalidCertificateRef is used when an invalid certificate is referenced</p> +</td> </tr><tr><td><p>"InvalidGroup"</p></td> <td><p>BackendTLSPolicyReasonInvalidGroup is used when the group is invalid</p> </td> When the given BackendTLSPolicy is correctly configured</p> <td><p>BackendTLSPolicyReasonInvalidService is used when the Service is invalid</p> </td> </tr><tr><td><p>"NoTargetReference"</p></td>-<td><p>BackendTLSPolicyReasonNoTargetReference is used when there is no target reference</p> +<td><p>BackendTLSPolicyReasonNoTargetReference is used when there’s no target reference</p> +</td> +</tr><tr><td><p>"OverrideNotSupported"</p></td> +<td><p>BackendTLSPolicyReasonOverrideNotSupported is used when the override isn’t supported</p> </td> </tr><tr><td><p>"RefNotPermitted"</p></td> <td><p>BackendTLSPolicyReasonRefNotPermitted is used when the ref isn’t permitted</p> 
</td>+</tr><tr><td><p>"SectionNamesNotPermitted"</p></td> +<td><p>BackendTLSPolicyReasonSectionNamesNotPermitted is used when the section names aren’t permitted</p> +</td> </tr></tbody> </table> <h3 id="alb.networking.azure.io/v1.BackendTLSPolicyConditionType">BackendTLSPolicyConditionType string <td> <code>clientCertificateRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference"> +<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference"> Gateway API .SecretObjectReference </a> </em> int <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> BackendTLSPolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> </td> </tr> <tr> constants so that operators and tools can converge on a common vocabulary to describe BackendTLSPolicy state.</p> <p>Known condition types are:</p> <ul>-<li>"Accepted"</li> +<li>“Accepted”</li> </ul> </td> </tr> CommonTLSPolicyVerify <td> <code>caCertificateRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference"> +<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference"> Gateway API .SecretObjectReference </a> </em> certificate of the backend.</p> <h3 id="alb.networking.azure.io/v1.CustomTargetRef">CustomTargetRef </h3> <p>-(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.FrontendTLSPolicySpec">FrontendTLSPolicySpec</a>) +(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.BackendTLSPolicySpec">BackendTLSPolicySpec</a>, <a href="#alb.networking.azure.io/v1.FrontendTLSPolicySpec">FrontendTLSPolicySpec</a>, <a href="#alb.networking.azure.io/v1.HealthCheckPolicySpec">HealthCheckPolicySpec</a>, <a href="#alb.networking.azure.io/v1.RoutePolicySpec">RoutePolicySpec</a>) </p> <div> <p>CustomTargetRef is a reference to a custom resource that isn’t part of the Kubernetes core API.</p> <tbody> <tr> <td>-<code>name</code><br/> -<em> -<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ObjectName"> -Gateway API .ObjectName -</a> -</em> -</td> -<td> -<p>Name is the name of the referent.</p> -</td> -</tr> -<tr> -<td> -<code>kind</code><br/> +<code>PolicyTargetReference</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Kind"> -Gateway API .Kind +<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> +Gateway API .PolicyTargetReference </a> </em> </td> <td>-<p>Kind is the kind of the referent.</p> +<p> +(Members of 
<code>PolicyTargetReference</code> are embedded into this type.) +</p> </td> </tr> <tr> <td>-<code>listeners</code><br/> +<code>sectionNames</code><br/> <em> []string </em> </td> <td> <em>(Optional)</em>-<p>Listener is the name of the Listener.</p> -</td> -</tr> -<tr> -<td> -<code>namespace</code><br/> -<em> -<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Namespace"> -Gateway API .Namespace -</a> -</em> -</td> -<td> -<p>Namespace is the namespace of the referent. When unspecified, the local</p> -</td> -</tr> -<tr> -<td> -<code>group</code><br/> -<em> -<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Group"> -Gateway API .Group -</a> -</em> -</td> -<td> -<em>(Optional)</em> -<p>Group is the group of the referent.</p> +<p>SectionNames is the name of the section within the target resource. When +unspecified, this targetRef targets the entire resource. In the following +resources, SectionNames is interpreted as the following:</p> +<ul> +<li>Gateway: Listener Name</li> +<li>Service: Port Name</li> +</ul> +<p>If a SectionNames is specified, but does not exist on the targeted object, +the Policy will fail to attach, and the policy implementation will record +a <code>ResolvedRefs</code> or similar Condition in the Policy’s status.</p> </td> </tr> </tbody> FrontendTLSPolicyConfig <p>Default defines default policy configuration for the targeted resource.</p> </td> </tr>+<tr> +<td> +<code>override</code><br/> +<em> +<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyConfig"> +FrontendTLSPolicyConfig +</a> +</em> +</td> +<td> +<em>(Optional)</em> +<p>Override defines policy configuration that should override policy +configuration attached below the targeted resource in the hierarchy.</p> +<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> +</td> +</tr> </table> </td> </tr> FrontendTLSPolicyStatus (<code>string</code> alias)</h3> <div> <p>FrontendTLSPolicyConditionReason defines the set of reasons that explain why a-particular FrontendTLSPolicy condition type has been raised.</p> +particular FrontendTLSPolicy condition type is raised.</p> </div> <table> <thead> When the given FrontendTLSPolicy is correctly configured</p> <td><p>FrontendTLSPolicyReasonInvalidPolicyType is used when the policy type is invalid</p> </td> </tr><tr><td><p>"NoTargetReference"</p></td>-<td><p>FrontendTLSPolicyReasonNoTargetReference is used when there is no target reference</p> +<td><p>FrontendTLSPolicyReasonNoTargetReference is used when there’s no target reference</p> +</td> +</tr><tr><td><p>"OverrideNotSupported"</p></td> +<td><p>FrontendTLSPolicyReasonOverrideNotSupported is used when the override isn’t supported</p> </td> </tr><tr><td><p>"RefNotPermitted"</p></td> <td><p>FrontendTLSPolicyReasonRefNotPermitted is used when the ref isn’t permitted</p> </td>+</tr><tr><td><p>"SectionNamesNotPermitted"</p></td> +<td><p>FrontendTLSPolicyReasonSectionNamesNotPermitted is used when the section names aren’t permitted</p> +</td> </tr></tbody> </table> <h3 id="alb.networking.azure.io/v1.FrontendTLSPolicyConditionType">FrontendTLSPolicyConditionType FrontendTLSPolicyConfig <p>Default defines default policy configuration for the targeted resource.</p> </td> </tr>+<tr> +<td> +<code>override</code><br/> +<em> +<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyConfig"> +FrontendTLSPolicyConfig +</a> +</em> +</td> +<td> +<em>(Optional)</em> +<p>Override defines policy configuration that should override policy +configuration attached below the targeted resource in the hierarchy.</p> +<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> +</td> +</tr> </tbody> </table> <h3 id="alb.networking.azure.io/v1.FrontendTLSPolicyStatus">FrontendTLSPolicyStatus constants so that operators and tools can converge on a common vocabulary to describe FrontendTLSPolicy state.</p> <p>Known condition types are:</p> <ul>-<li>"Accepted"</li> +<li>“Accepted”</li> </ul> </td> </tr> vocabulary to describe FrontendTLSPolicy state.</p> </td> </tr></tbody> </table>+<h3 id="alb.networking.azure.io/v1.FrontendTLSPolicyTypeName">FrontendTLSPolicyTypeName +(<code>string</code> alias)</h3> +<p> +(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.PolicyType">PolicyType</a>) +</p> +<div> +<p>FrontendTLSPolicyTypeName is the name of the Frontend TLS Policy.</p> +</div> +<table> +<thead> +<tr> +<th>Value</th> +<th>Description</th> +</tr> +</thead> +<tbody><tr><td><p>"2023-06"</p></td> +<td><p>PredefinedPolicy202306 is the name of the predefined Frontend TLS Policy for the policy “2023-06”.</p> +</td> +</tr><tr><td><p>"2023-06-S"</p></td> +<td><p>PredefinedPolicy202306Strict is the name of the predefined Frontend TLS Policy for the policy “2023-06-S”. +This is a strict version of the policy “2023-06”.</p> +</td> +</tr></tbody> +</table> <h3 id="alb.networking.azure.io/v1.HTTPHeader">HTTPHeader </h3> <p> case insensitive. (See <a href="https://tools.ietf.org/html/rfc7230#section-3.2" <p>If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. 
Due to the-case-insensitivity of header names, "foo" and "Foo" are considered +case-insensitivity of header names, “foo” and “Foo” are considered equivalent.</p> </td> </tr> string <p>HTTPHeaderName is the name of an HTTP header.</p> <p>Valid values include:</p> <ul>-<li>"Authorization"</li> -<li>"Set-Cookie"</li> +<li>“Authorization”</li> +<li>“Set-Cookie”</li> </ul> <p>Invalid values include:</p> <ul>-<li>":method" - ":" is an invalid character. This means that HTTP/2 pseudo -headers are not currently supported by this type.</li> -<li>"/invalid" - "/ " is an invalid character</li> +<li>”:method” - “:” is an invalid character. This means that HTTP/2 pseudo +headers aren’t currently supported by this type.</li> +<li>”/invalid” - “/ ” is an invalid character</li> </ul> </div> <h3 id="alb.networking.azure.io/v1.HTTPMatch">HTTPMatch HTTPPathModifierType </em> </td> <td>-<p>Type defines the type of path modifier. Additional types may be +<p>Type defines the type of path modifier. More types may be added in a future release of the API.</p>-<p>Note that values may be added to this enum, implementations -must ensure that unknown values will not cause a crash.</p> +<p>Values may be added to this enum, implementations +must ensure unknown values won’t cause a crash.</p> <p>Unknown values here must result in the implementation setting the Accepted Condition for the rule to be false</p> </td> string <em>(Optional)</em> <p>ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request-to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch -of "/xyz" would be modified to "/xyz/bar".</p> -<p>Note that this matches the behavior of the PathPrefix match type. This +to “/foo/bar” with a prefix match of “/foo” and a ReplacePrefixMatch +of “/xyz” would be modified to “/xyz/bar”.</p> +<p>This matches the behavior of the PathPrefix match type. This matches full path elements. 
A path element refers to the list of labels in the path split by the <code>/</code> separator. When specified, a trailing <code>/</code> is ignored. For example, the paths <code>/abc</code>, <code>/abc/</code>, and <code>/abc/def</code> would all-match the prefix <code>/abc</code>, but the path <code>/abcd</code> would not.</p> +match the prefix <code>/abc</code>, but the path <code>/abcd</code> wouldn’t.</p> <p>ReplacePrefixMatch is only compatible with a <code>PathPrefix</code> HTTPRouteMatch.-Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in +Using any other HTTPRouteMatch type on the same HTTPRouteRule results in the implementation setting the Accepted Condition for the Route to <code>status: False</code>.</p> <table> <thead> the implementation setting the Accepted Condition for the Route to <code>status: <tr> <td>/foo/bar</td> <td>/foo</td>-<td></td> +<td> </td> <td>/bar</td> </tr> <tr> <td>/foo/</td> <td>/foo</td>-<td></td> +<td> </td> <td>/</td> </tr> <tr> <td>/foo</td> <td>/foo</td>-<td></td> +<td> </td> <td>/</td> </tr> <tr> the implementation setting the Accepted Condition for the Route to <code>status: </tr> </thead> <tbody><tr><td><p>"ReplaceFullPath"</p></td>-<td><p>FullPathHTTPPathModifier indicates that the full path will be replaced -by the specified value.</p> +<td><p>FullPathHTTPPathModifier replaces the full path with the specified value.</p> </td> </tr><tr><td><p>"ReplacePrefixMatch"</p></td>-<td><p>PrefixMatchHTTPPathModifier indicates that any prefix path matches will be -replaced by the substitution value. For example, a path with a prefix -match of "/foo" and a ReplacePrefixMatch substitution of "/bar" will have -the "/foo" prefix replaced with "/bar" in matching requests.</p> -<p>Note that this matches the behavior of the PathPrefix match type. This +<td><p>PrefixMatchHTTPPathModifier replaces any prefix path with the +substitution value. 
For example, a path with a prefix +match of “/foo” and a ReplacePrefixMatch substitution of “/bar” +replace “/foo” with “/bar” in matching requests.</p> +<p>This matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the <code>/</code> separator. When specified, a trailing <code>/</code> is ignored. For example, the paths <code>/abc</code>, <code>/abc/</code>, and <code>/abc/def</code> would all-match the prefix <code>/abc</code>, but the path <code>/abcd</code> would not.</p> +match the prefix <code>/abc</code>, but the path <code>/abcd</code> wouldn’t.</p> </td> </tr></tbody> </table> GET /foo HTTP/1.1 my-header: foo</p> <p>Config: set:-- name: "my-header"-value: "bar"</p> +- name: “my-header” +value: “bar”</p> <p>Output: GET /foo HTTP/1.1 my-header: bar</p> GET /foo HTTP/1.1 my-header: foo</p> <p>Config: add:-- name: "my-header"-value: "bar,baz"</p> +- name: “my-header” +value: “bar,baz”</p> <p>Output: GET /foo HTTP/1.1 my-header: foo,bar,baz</p> my-header: foo,bar,baz</p> <td> <em>(Optional)</em> <p>Remove the given header(s) from the HTTP request before the action. The-value of Remove is a list of HTTP header names. Note that the header -names are case-insensitive (see +value of Remove is a list of HTTP header names. 
Header names +are case-insensitive (see <a href="https://datatracker.ietf.org/doc/html/rfc2616#section-4.2)">https://datatracker.ietf.org/doc/html/rfc2616#section-4.2)</a>.</p> <p>Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz</p> <p>Config:-remove: ["my-header1", "my-header3"]</p> +remove: [“my-header1”, “my-header3”]</p> <p>Output: GET /foo HTTP/1.1 my-header2: bar</p> HealthCheckPolicySpec <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> HealthCheckPolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. +Support for Override will be added in a future release.</p> </td> </tr> <tr> HealthCheckPolicyStatus (<code>string</code> alias)</h3> <div> <p>HealthCheckPolicyConditionReason defines the set of reasons that explain why a-particular HealthCheckPolicy condition type has been raised.</p> +particular HealthCheckPolicy condition type is raised.</p> </div> <table> <thead> When the given HealthCheckPolicy is correctly configured</p> <td><p>HealthCheckPolicyReasonInvalidService is used when the Service is invalid</p> </td> </tr><tr><td><p>"NoTargetReference"</p></td>-<td><p>HealthCheckPolicyReasonNoTargetReference is used when there is no target reference</p> +<td><p>HealthCheckPolicyReasonNoTargetReference is used when there’s no target reference</p> +</td> +</tr><tr><td><p>"OverrideNotSupported"</p></td> +<td><p>HealthCheckPolicyReasonOverrideNotSupported is used when the override isn’t supported</p> </td> </tr><tr><td><p>"RefNotPermitted"</p></td> <td><p>HealthCheckPolicyReasonRefNotPermitted is used when the ref 
isn’t permitted</p> </td>+</tr><tr><td><p>"SectionNamesNotPermitted"</p></td> +<td><p>HealthCheckPolicyReasonSectionNamesNotPermitted is used when the section names aren’t permitted</p> +</td> </tr></tbody> </table> <h3 id="alb.networking.azure.io/v1.HealthCheckPolicyConditionType">HealthCheckPolicyConditionType field.</p> <tbody> <tr> <td>-<code>port</code><br/> -<em> -int32 -</em> -</td> -<td> -<em>(Optional)</em> -<p>Port is the port to use for HealthCheck checks.</p> -</td> -</tr> -<tr> -<td> -<code>protocol</code><br/> -<em> -<a href="#alb.networking.azure.io/v1.Protocol"> -Protocol -</a> -</em> -</td> -<td> -<em>(Optional)</em> -<p>Protocol is the protocol to use for HealthCheck checks.</p> -</td> -</tr> -<tr> -<td> <code>interval</code><br/> <em> <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"> target resource.</p> <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> HealthCheckPolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> </td> </tr> <tr> constants so that operators and tools can converge on a common vocabulary to describe HealthCheckPolicy state.</p> <p>Known condition types are:</p> <ul>-<li>"Accepted"</li> +<li>“Accepted”</li> </ul> </td> </tr> Protocol </em> </td> <td>-<p>Protocol should be one of "HTTP", "HTTPS"</p> +<p>Protocol should be one of “HTTP”, “HTTPS”</p> </td> </tr> </tbody> string </td> <td> <em>(Optional)</em>-<p>Errors is a list of errors relating to this setting</p> +<p>Errors are a list of errors relating to this setting</p> </td> </tr> <tr> IngressTimeouts </tr> </tbody> </table>-<h3 id="alb.networking.azure.io/v1.IngressCertificate">IngressCertificate -</h3> -<p> -(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.IngressRuleTLS">IngressRuleTLS</a>) -</p> -<div> -<p>IngressCertificate defines a certificate and private key to be used with TLS.</p> -</div> -<table> -<thead> -<tr> -<th>Field</th> -<th>Description</th> -</tr> -</thead> -<tbody> -<tr> -<td> -<code>type</code><br/> -<em> -string -</em> -</td> -<td> -<p>Type indicates where the Certificate is stored. 
-Can be KubernetesSecret, or KeyVaultCertificate</p> -</td> -</tr> -<tr> -<td> -<code>name</code><br/> -<em> -string -</em> -</td> -<td> -<em>(Optional)</em> -<p>Name is the name of a KubernetesSecret containing the TLS cert and key</p> -</td> -</tr> -<tr> -<td> -<code>secretId</code><br/> -<em> -string -</em> -</td> -<td> -<em>(Optional)</em> -<p>SecretID is the resource ID of a KeyVaultCertificate</p> -</td> -</tr> -</tbody> -</table> <h3 id="alb.networking.azure.io/v1.IngressExtension">IngressExtension </h3> <div> IngressExtensionSpec </td> <td> <em>(Optional)</em>-<p>Rules defines the rules per host</p> +<p>Rules define the rules per host</p> </td> </tr> <tr> IngressExtensionStatus (<code>string</code> alias)</h3> <div> <p>IngressExtensionConditionReason defines the set of reasons that explain why a-particular IngressExtension condition type has been raised.</p> +particular IngressExtension condition type is raised.</p> </div> <table> <thead> particular IngressExtension condition type has been raised.</p> <td><p>IngressExtensionReasonNoErrors indicates there are no validation errors</p> </td> </tr><tr><td><p>"PartiallyAcceptedWithErrors"</p></td>-<td><p>IngressExtensionReasonPartiallyAccepted is used to set the IngressExtensionConditionAccepted to Accepted, but with non-fatal validation errors</p> +<td><p>IngressExtensionReasonPartiallyAccepted is used to set the IngressExtensionConditionAccepted to Accepted, but with nonfatal validation errors</p> </td> </tr></tbody> </table> field.</p> </tr> </thead> <tbody><tr><td><p>"Accepted"</p></td>-<td><p>IngressExtensionConditionAccepted indicates if the IngressExtension has been accepted (reconciled) by the controller</p> +<td><p>IngressExtensionConditionAccepted indicates if the IngressExtension is accepted (reconciled) by the controller</p> </td> </tr><tr><td><p>"Errors"</p></td> <td><p>IngressExtensionConditionErrors indicates if there are validation or build errors on the extension</p> field.</p> </td> <td> 
<em>(Optional)</em>-<p>Rules defines the rules per host</p> +<p>Rules define the rules per host</p> </td> </tr> <tr> field.</p> </td> <td> <em>(Optional)</em>-<p>Rules has detailed status information regarding each Rule</p> +<p>Rules have detailed status information regarding each Rule</p> </td> </tr> <tr> field.</p> <p>Conditions describe the current conditions of the IngressExtension. Known condition types are:</p> <ul>-<li>"Accepted"</li> -<li>"Errors"</li> +<li>“Accepted”</li> +<li>“Errors”</li> </ul> </td> </tr> string </em> </td> <td>-<p>Host is used to match against Ingress rules with the same hostname in order to identify which rules are affected by these settings</p> -</td> -</tr> -<tr> -<td> -<code>tls</code><br/> -<em> -<a href="#alb.networking.azure.io/v1.IngressRuleTLS"> -IngressRuleTLS -</a> -</em> -</td> -<td> -<em>(Optional)</em> -<p>TLS defines TLS settings for the rule</p> +<p>Host is used to match against Ingress rules with the same hostname in order to identify which rules affect these settings</p> </td> </tr> <tr> IngressRuleTLS </td> <td> <em>(Optional)</em>-<p>AdditionalHostnames specifies additional hostnames to listen on</p> +<p>AdditionalHostnames specifies more hostnames to listen on</p> </td> </tr> <tr> string </td> <td> <em>(Optional)</em>-<p>Errors is a list of errors relating to this setting</p> +<p>Errors are a list of errors relating to this setting</p> </td> </tr> <tr> bool </tr> </tbody> </table>-<h3 id="alb.networking.azure.io/v1.IngressRuleTLS">IngressRuleTLS -</h3> -<p> -(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.IngressRuleSetting">IngressRuleSetting</a>) -</p> -<div> -<p>IngressRuleTLS provides options for configuring TLS settings on a rule</p> -</div> -<table> -<thead> -<tr> -<th>Field</th> -<th>Description</th> -</tr> -</thead> -<tbody> -<tr> -<td> -<code>certificate</code><br/> -<em> -<a href="#alb.networking.azure.io/v1.IngressCertificate"> -IngressCertificate -</a> -</em> -</td> -<td> -<em>(Optional)</em> 
-<p>Certificate specifies a TLS Certificate to configure a rule with</p> -</td> -</tr> -</tbody> -</table> <h3 id="alb.networking.azure.io/v1.IngressTimeouts">IngressTimeouts </h3> <p> Kubernetes meta/v1.Duration <td> <code>name</code><br/> <em>-string +<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyTypeName"> +FrontendTLSPolicyTypeName +</a> </em> </td> <td> FrontendTLSPolicyType </p> <div> <p>PreciseHostname is the fully qualified domain name of a network host. This-matches the RFC 1123 definition of a hostname with 1 notable exception that -numeric IP addresses are not allowed.</p> -<p>Note that as per RFC1035 and RFC1123, a <em>label</em> must consist of lower case +matches the RFC 1123 definition of a hostname with one notable exception that +numeric IP addresses aren’t allowed.</p> +<p>Per RFC1035 and RFC1123, a <em>label</em> must consist of lower case alphanumeric characters or ‘-’, and must start and end with an alphanumeric character. No other punctuation is allowed.</p> </div> <h3 id="alb.networking.azure.io/v1.Protocol">Protocol (<code>string</code> alias)</h3> <p>-(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.HealthCheckPolicyConfig">HealthCheckPolicyConfig</a>, <a href="#alb.networking.azure.io/v1.IngressBackendPort">IngressBackendPort</a>) +(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.IngressBackendPort">IngressBackendPort</a>) </p> <div> <p>Protocol defines the protocol used for certain properties. 
Valid Protocol values are:</p> </tr> </thead> <tbody><tr><td><p>"HTTP"</p></td>-<td><p>HTTP implies that the service will use HTTP</p> +<td><p>HTTP implies that the service uses HTTP</p> </td> </tr><tr><td><p>"HTTPS"</p></td>-<td><p>HTTPS implies that the service will be use HTTPS</p> +<td><p>HTTPS implies that the service uses HTTPS</p> </td> </tr><tr><td><p>"TCP"</p></td>-<td><p>TCP implies that the service will be use plain TCP</p> +<td><p>TCP implies that the service uses plain TCP</p> </td> </tr></tbody> </table> header in the response.</p> following rules:</p> <ul> <li>If redirect scheme is not-empty, the redirect port MUST be the well-known-port associated with the redirect scheme. Specifically "http" to port 80 -and "https" to port 443. If the redirect scheme does not have a +port associated with the redirect scheme. Specifically “http” to port 80 +and “https” to port 443. If the redirect scheme doesn’t have a well-known port, the listener port of the Gateway SHOULD be used.</li> <li>If redirect scheme is empty, the redirect port MUST be the Gateway Listener port.</li> Listener port.</li> <p>Implementations SHOULD NOT add the port number in the ‘Location’ header in the following cases:</p> <ul>-<li>A Location header that will use HTTP (whether that is determined via +<li>A Location header that uses HTTP (whether that is determined via the Listener protocol or the Scheme field) <em>and</em> use port 80.</li>-<li>A Location header that will use HTTPS (whether that is determined via +<li>A Location header that uses HTTPS (whether that is determined via the Listener protocol or the Scheme field) <em>and</em> use port 443.</li> </ul> </td> int <td> <em>(Optional)</em> <p>StatusCode is the HTTP status code to be used in response.</p>-<p>Note that values may be added to this enum, implementations -must ensure that unknown values will not cause a crash.</p> +<p>Values may be added to this enum, implementations +must ensure that unknown values won’t cause a 
crash.</p> </td> </tr> </tbody> must ensure that unknown values will not cause a crash.</p> </thead> <tbody><tr><td><p>"RequestHeaderModifier"</p></td> <td><p>RequestHeaderModifier can be used to add or remove an HTTP-header from an HTTP request before it is sent to the upstream target.</p> +header from an HTTP request before it’s sent to the upstream target.</p> </td> </tr><tr><td><p>"ResponseHeaderModifier"</p></td> <td><p>ResponseHeaderModifier can be used to add or remove an HTTP-header from an HTTP response before it is sent to the client.</p> +header from an HTTP response before it’s sent to the client.</p> </td> </tr><tr><td><p>"URLRewrite"</p></td> <td><p>URLRewrite can be used to modify a request during forwarding.</p> RoutePolicySpec <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> RoutePolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> </td> </tr> <tr> RoutePolicyStatus (<code>string</code> alias)</h3> <div> <p>RoutePolicyConditionReason defines the set of reasons that explain why a-particular RoutePolicy condition type has been raised.</p> +particular RoutePolicy condition type is raised.</p> </div> <table> <thead> When the given RoutePolicy is correctly configured</p> <td><p>RoutePolicyReasonInvalidName is used when the name is invalid</p> </td> </tr><tr><td><p>"NoTargetReference"</p></td>-<td><p>RoutePolicyReasonNoTargetReference is used when there is no target reference</p> +<td><p>RoutePolicyReasonNoTargetReference is used when there’s no target reference</p> +</td> +</tr><tr><td><p>"OverrideNotSupported"</p></td> +<td><p>RoutePolicyReasonOverrideNotSupported is used when the override isn’t supported</p> </td> </tr><tr><td><p>"RefNotPermitted"</p></td> <td><p>RoutePolicyReasonRefNotPermitted is used when the ref isn’t permitted</p> </td>+</tr><tr><td><p>"SectionNamesNotPermitted"</p></td> +<td><p>RoutePolicyReasonSectionNamesNotPermitted is used when the section names aren’t permitted</p> +</td> </tr></tbody> </table> <h3 id="alb.networking.azure.io/v1.RoutePolicyConditionType">RoutePolicyConditionType SessionAffinity <td> <code>targetRef</code><br/> <em>-<a href="https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference"> -Gateway API .PolicyTargetReference +<a href="#alb.networking.azure.io/v1.CustomTargetRef"> +CustomTargetRef </a> </em> </td> RoutePolicyConfig <em>(Optional)</em> <p>Override defines policy configuration that should override policy configuration attached below the targeted resource in the hierarchy.</p>+<p>Note: Override is currently not supported and will result in a validation error. 
+Support for Override will be added in a future release.</p> </td> </tr> <tr> constants so that operators and tools can converge on a common vocabulary to describe RoutePolicy state.</p> <p>Known condition types are:</p> <ul>-<li>"Accepted"</li> +<li>“Accepted”</li> </ul> </td> </tr> HTTPPathModifier </td> </tr> </tbody>-</table> +</table> |
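Review bot: the curly-quote substitution has been applied inside the YAML Config samples of the header-modifier filters, where it changes the data rather than the typography: `- name: “my-header” value: “bar”` and `remove: [“my-header1”, “my-header3”]` are no longer YAML double-quoted scalars, so what a reader copies is the header name with U+201C/U+201D characters embedded in it. Restore the straight quotes in every `Config:` block (`"my-header"`, `"bar"`, `"bar,baz"`, `"my-header1"`, `"my-header3"`) and keep the typographic quotes to running prose. In the HTTPHeaderName invalid-values list the opening glyph is also wrong: `”:method”` and `”/invalid”` should open with `“`, not `”`.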
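Review bot: the rewritten Host description in IngressRuleSetting inverts the relationship between rule and setting: `+<p>Host is used to match against Ingress rules with the same hostname in order to identify which rules affect these settings</p>`. The settings act on the rules, so keep the original sense, for example "to identify which rules these settings apply to". The same region deletes the `tls` field, and the IngressRuleTLS and IngressCertificate types are removed further down; those were the documented way to attach a `KubernetesSecret` or a Key Vault certificate (`secretId`) to a rule. If the feature is being withdrawn from the API, the reference should say what replaces it; otherwise an operator reading this page has no migration hint for existing TLS configuration.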
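Review bot: several grammar edits read a field name as a plural noun and produce a wrong sentence: `+<p>Errors are a list of errors relating to this setting</p>`, `+<p>Rules define the rules per host</p>` and `+<p>Rules have detailed status information regarding each Rule</p>`. The subject is the single field `Errors` or `Rules`, so the original "Errors is a list ...", "Rules defines ..." and "Rules has ..." were correct; revert all five occurrences (Errors twice, Rules three times across IngressExtensionSpec, IngressExtensionStatus and IngressRuleSetting). The PrefixMatchHTTPPathModifier rewrite has the same problem: "a path with a prefix match of “/foo” and a ReplacePrefixMatch substitution of “/bar” replace “/foo” with “/bar”" needs "has “/foo” replaced with “/bar”".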
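Review bot: the RFC link in the Remove description carries a stray `)` inside the URL, in both the `href` and the visible text: `<a href="https://datatracker.ietf.org/doc/html/rfc2616#section-4.2)">`. It is a context line, but the sentence before it is being reworded in this hunk, so fix it in the same change. RFC 2616 is also obsolete; RFC 9110 section 5.1 is the current statement that field names are case-insensitive, and the HTTPHeaderName description at the top of this diff ("foo" and "Foo" are equivalent) makes the same point and could cite the same reference.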
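Review bot: HealthCheckPolicyConfig loses its `port` and `protocol` fields ("Port is the port to use for HealthCheck checks", "Protocol is the protocol to use for HealthCheck checks") and the Protocol type no longer lists HealthCheckPolicyConfig under "Appears on", but nothing says how a custom probe now chooses its port and scheme; readers who probed over HTTPS through that field will look for it. Add one sentence beside the remaining `interval` field stating how the probe's port and protocol are derived now. The new `OverrideNotSupported` and `SectionNamesNotPermitted` reasons and the matching "Override is currently not supported and will result in a validation error" notes are applied consistently to HealthCheckPolicy and RoutePolicy, which is good.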
application-gateway | Application Gateway For Containers Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/application-gateway-for-containers-components.md | - Title: Application Gateway for Containers components (preview) + Title: Application Gateway for Containers components description: This article provides information about how Application Gateway for Containers accepts incoming requests and routes them to a backend target. Previously updated : 08/08/2023 Last updated : 02/27/2024 -# Application Gateway for Containers components (preview) +# Application Gateway for Containers components -This article provides detailed descriptions and requirements for components of Application Gateway for Containers. Information about how Application Gateway for Containers accepts incoming requests and routes them to a backend target is provided. For a general overview of Application Gateway for Containers, see [What is Application Gateway for Containers?](overview.md). +This article provides detailed descriptions and requirements for components of Application Gateway for Containers. Information about how Application Gateway for Containers accepts incoming requests and routes them to a backend target is provided. For a general overview of Application Gateway for Containers, see [What is Application Gateway for Containers](overview.md). ### Core components-- Application Gateway for Containers is an Azure parent resource that deploys the control plane++- An Application Gateway for Containers resource is an Azure parent resource that deploys the control plane. 
- The control plane is responsible for orchestrating proxy configuration based on customer intent.-- Application Gateway for Containers has two child resources; associations and frontends- - Child resources are exclusive to only their parent Application Gateway for Containers and may not be referenced by additional Application Gateway for Containers +- Application Gateway for Containers has two child resources; associations and frontends. + - Child resources are exclusive to only their parent Application Gateway for Containers and may not be referenced by another Application Gateway for Container resource. ### Application Gateway for Containers frontends-- An Application Gateway for Containers frontend resource is an Azure child resource of the Application Gateway for Containers parent resource-- An Application Gateway for Containers frontend defines the entry point client traffic should be received by a given Application Gateway for Containers- - A frontend can't be associated to multiple Application Gateway for Containers - - Each frontend provides a unique FQDN that can be referenced by a customer's CNAME record - - Private IP addresses are currently unsupported ++- An Application Gateway for Containers frontend resource is an Azure child resource of the Application Gateway for Containers parent resource. +- An Application Gateway for Containers frontend defines the entry point client traffic should be received by a given Application Gateway for Containers. 
+ - A frontend can't be associated to multiple Application Gateway for Containers + - Each frontend provides a unique FQDN that can be referenced by a customer's CNAME record + - Private IP addresses are currently unsupported - A single Application Gateway for Containers can support multiple frontends ### Application Gateway for Containers associations-- An Application Gateway for Containers association resource is an Azure child resource of the Application Gateway for Containers parent resource++- An Application Gateway for Containers association resource is an Azure child resource of the Application Gateway for Containers parent resource. - An Application Gateway for Containers association defines a connection point into a virtual network. An association is a 1:1 mapping of an association resource to an Azure Subnet that has been delegated. - Application Gateway for Containers is designed to allow for multiple associations- - At this time, the current number of associations is currently limited to 1 + - At this time, the current number of associations is currently limited to 1 - During creation of an association, the underlying data plane is provisioned and connected to a subnet within the defined virtual network's subnet - Each association should assume at least 256 addresses are available in the subnet at time of provisioning.- - A minimum /24 subnet mask for new deployment, assuming nothing has been provisioning in the subnet). - - If n number of Application Gateway for Containers are provisioned, with the assumption each Application Gateway for Containers contains one association, and the intent is to share the same subnet, the available required addresses should be n*256. - - All Application Gateway for Containers association resources should match the same region as the Application Gateway for Containers parent resource + - A minimum /24 subnet mask for each deployment (assuming no resources have previously been provisioned in the subnet). 
+ - If n number of Application Gateway for Containers are provisioned, with the assumption each Application Gateway for Containers contains one association, and the intent is to share the same subnet, the available required addresses should be n*256. + - All Application Gateway for Containers association resources should match the same region as the Application Gateway for Containers parent resource ### Application Gateway for Containers ALB Controller+ - An Application Gateway for Containers ALB Controller is a Kubernetes deployment that orchestrates configuration and deployment of Application Gateway for Containers by watching Kubernetes both Custom Resources and Resource configurations, such as, but not limited to, Ingress, Gateway, and ApplicationLoadBalancer. It uses both ARM / Application Gateway for Containers configuration APIs to propagate configuration to the Application Gateway for Containers Azure deployment. - ALB Controller is deployed / installed via Helm - ALB Controller consists of two running pods- - alb-controller pod is responsible for orchestrating customer intent to Application Gateway for Containers load balancing configuration - - alb-controller-bootstrap pod is responsible for management of CRDs + - alb-controller pod is responsible for orchestrating customer intent to Application Gateway for Containers load balancing configuration + - alb-controller-bootstrap pod is responsible for management of CRDs ## Azure / general concepts ### Private IP address+ - A private IP address isn't explicitly defined as an Azure Resource Manager resource. A private IP address would refer to a specific host address within a given virtual network's subnet. 
### Subnet delegation A set of routing rules evaluates how the request for that hostname should be ini ### Modifications to the request -Application Gateway for Containers inserts three additional headers to all requests before requests are initiated from Application Gateway for Containers to a backend target: +Application Gateway for Containers inserts three extra headers to all requests before requests are initiated from Application Gateway for Containers to a backend target: + - x-forwarded-for - x-forwarded-proto - x-request-id -**x-forwarded-for** is the original requestor's client IP address. If the request is coming through a proxy, the header value will append the address received, comma delimited. In example: 1.2.3.4,5.6.7.8; where 1.2.3.4 is the client IP address to the proxy in front of Application Gateway for Containers, and 5.6.7.8 is the address of the proxy forwarding traffic to Application Gateway for Containers. +**x-forwarded-for** is the original requestor's client IP address. If the request is coming through a proxy, the header value appends the address received, comma delimited. In example: 1.2.3.4,5.6.7.8; where 1.2.3.4 is the client IP address to the proxy in front of Application Gateway for Containers, and 5.6.7.8 is the address of the proxy forwarding traffic to Application Gateway for Containers. **x-forwarded-proto** returns the protocol received by Application Gateway for Containers from the client. The value is either http or https. **x-request-id** is a unique guid generated by Application Gateway for Containers for each client request and presented in the forwarded request to the backend target. The guid consists of 32 alphanumeric characters, separated by dashes (for example: d23387ab-e629-458a-9c93-6108d374bc75). This guid can be used to correlate a request received by Application Gateway for Containers and initiated to a backend target as defined in access logs. 
+## Request timeouts ++Application Gateway for Containers enforces the following timeouts as requests are initiated and maintained between the client, AGC, and backend. ++| Timeout | Duration | Description | +| - | | -- | +| Request Timeout | 60 seconds | time for which AGC waits for the backend target response. | +| HTTP Idle Timeout | 5 minutes | idle timeout before closing an HTTP connection. | +| Stream Idle Timeout | 5 minutes | idle timeout before closing an individual stream carried by an HTTP connection. | +| Upstream Connect Timeout | 5 seconds | time for establishing a connection to the backend target. | |
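Review bot: the `x-forwarded-for` paragraph needs a trust caveat before anyone uses the header for allow-listing or rate limiting: `+**x-forwarded-for** is the original requestor's client IP address. If the request is coming through a proxy, the header value appends the address received, comma delimited.` Because the gateway appends to whatever `x-forwarded-for` the client already sent, the leftmost entry in `1.2.3.4,5.6.7.8` is client-supplied and can be forged; only the address the gateway itself appended (the rightmost entry, the peer it actually accepted the connection from) is vouched for by the gateway. Say so, and tell backend authors to read the list from the right. Also "In example:" should be "For example:".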
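Review bot: the new Request timeouts table will not render as written: the delimiter row `+| - | | -- |` has an empty second cell, and Markdown requires a dash run in every column (`| --- | --- | --- |`). The abbreviation in `+Application Gateway for Containers enforces the following timeouts as requests are initiated and maintained between the client, AGC, and backend.` is not introduced anywhere on the page; spell it out or define it on first use. The table should also say whether these four values are fixed or configurable (the API specification in this same change documents an `IngressTimeouts` type), since "Request Timeout 60 seconds" will otherwise be read as a hard limit.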
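Review bot: three wording slips in the component lists: `another Application Gateway for Container resource` drops the "s" from the product name; `At this time, the current number of associations is currently limited to 1` says "currently" three times over ("Associations are currently limited to one per resource" is enough); and `+ - A minimum /24 subnet mask for each deployment (assuming no resources have previously been provisioned in the subnet).` is still a verbless fragment, so give it one ("Plan for a minimum /24 subnet ...").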
application-gateway | Application Gateway For Containers Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/application-gateway-for-containers-metrics.md | Use the following steps to view Application Gateway for Containers in the Azure 3. Under **Monitoring**, select **Metrics**. 4. Next to **Chart Title**, enter a title for your metrics view. 5. **Scope** and **Metric Namespace** are is automatically populated. Under **Metric**, select a metric such as: **Total Requests**. For the **Total Requests** metric, the **Aggregation** is set to **Sum**.-6. Select **Add filter**. **Property** is set to **Frontend**. Choose the **=** (equals) **Operator**. -7. Enter values to use for filtering under **Values**. For example: -8. Select the values you want to actively filter from the entries you create. +6. Select **Add filter**. **Property** is set to **Frontend**. Choose the **=** (equals) **Operator**. +7. Enter values to use for filtering under **Values**. ++ For example: ++ - **frontend-primary:80** + - **ingress-frontend:443** + - **ingress-frontend:80** ++8. Select the values you want to actively filter from the entries you create. 9. Choose **Apply Splitting**, select **Frontend**, and accept default values for **Limit** and **Sort**. 
See the following example: **Total Requests** Use the following steps to view Application Gateway for Containers in the Azure ![Application Gateway for Containers metrics backend healthy targets](./media/application-gateway-for-containers-metrics/backend-healthy-targets.png) - ## Next steps -* [Using Azure Log Analytics in Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-overview) -* [Configure Azure Log Analytics for Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-configure) -* [Visualize Azure AI Search Logs and Metrics with Power BI](/azure/search/search-monitor-logs-powerbi) +- [Using Azure Log Analytics in Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-overview) +- [Configure Azure Log Analytics for Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-configure) +- [Visualize Azure AI Search Logs and Metrics with Power BI](/azure/search/search-monitor-logs-powerbi) |
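Review bot: step 5 keeps a doubled verb in a context line of this hunk, `**Scope** and **Metric Namespace** are is automatically populated`; drop "is" while the step list is being touched. The new filter examples `**frontend-primary:80**` and `**ingress-frontend:443**` are literal frontend:port values a user types into the Values box, so code formatting (`frontend-primary:80`) fits better than bold, which the page otherwise reserves for UI labels.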
application-gateway | Custom Health Probe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/custom-health-probe.md | Application Gateway for Containers monitors the health of all backend targets by In addition to using default health probe monitoring, you can also customize the health probe to suit your application's requirements. This article discusses both default and custom health probes. The order and logic of health probing is as follows:+ 1. Use definition of HealthCheckPolicy Custom Resource (CR). 2. If there's no HealthCheckPolicy CR, then use [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes) 3. If there's no Readiness probe defined, use the [default health probe](#default-health-probe) The following properties make up custom health probes: | (http) path | The specific path of the request. If a single file should be loaded, the path might be /https://docsupdatetracker.net/index.html. | | (http -> match) statusCodes | Contains two properties, `start` and `end`, that define the range of valid HTTP status codes returned from the backend. | -[ ![A diagram showing the Application Gateway for Containers using custom health probes to determine backend health.](./media/custom-health-probe/custom-health-probe.png) ](./media/custom-health-probe/custom-health-probe.png#lightbox) +[![A diagram showing the Application Gateway for Containers using custom health probes to determine backend health.](./media/custom-health-probe/custom-health-probe.png)](./media/custom-health-probe/custom-health-probe.png#lightbox) ## Default health probe+ Application Gateway for Containers automatically configures a default health probe when you don't define a custom probe configuration or configure a readiness probe. The monitoring behavior works by making an HTTP GET request to the IP addresses of configured backend targets. 
For default probes, if the backend target is configured for HTTPS, the probe uses HTTPS to test health of the backend targets. For more implementation details, see [HealthCheckPolicyConfig](api-specification-kubernetes.md#alb.networking.azure.io/v1.HealthCheckPolicyConfig) in the API specification. |
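Review bot: the example in the `(http) path` row is not a path: `the path might be /https://docsupdatetracker.net/index.html` has a full URL spliced into it and should read `/index.html`. The probing order is clear, but neither `3. If there's no Readiness probe defined, use the default health probe` nor the default-probe paragraph says which path and port the default GET uses; operators need that to allow-list the probe on the backend and to tell probe traffic from client traffic in logs, so state the default path and port explicitly.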
application-gateway | Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/diagnostics.md | Title: Diagnostic logs for Application Gateway for Containers (preview) + Title: Diagnostic logs for Application Gateway for Containers description: Learn how to enable access logs for Application Gateway for Containers Previously updated : 1/10/2023 Last updated : 02/27/2024 -# Diagnostic logs for Application Gateway for Containers (preview) +# Diagnostic logs for Application Gateway for Containers Learn how to troubleshoot common problems in Application Gateway for Containers. Activity logging is automatically enabled for every Resource Manager resource. Y 2. In **Search resources, service, and docs**, type **Application Gateways for Containers** and select your Application Gateway for Containers name. 3. Under **Monitoring**, select **Diagnostic settings**. 4. Select **Add diagnostic setting**.- 5. Enter a **Diagnostic setting name** (ex: agfc-logs), choose the logs and metrics to save and choose a destination, such as **Archive to a storage account**. To save all logs, select **allLogs** and **AllMetrics**. + 5. Enter a **Diagnostic setting name** (ex: agfc-logs), choose the logs and metrics to save and choose a destination, such as **Archive to a storage account**. To save all logs, select **allLogs** and **AllMetrics**. 6. Select **Save** to save your settings. See the following example: ![Configure diagnostic logs](./media/diagnostics/enable-diagnostic-logs.png) Each access log entry in Application Gateway for Containers contains the followi | userAgent | User-Agent header of the request received from the client by Application Gateway for Containers | Here an example of the access log emitted in JSON format to a storage account.+ ```JSON { "category": "TrafficControllerAccessLog", |
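Review bot: `Here an example of the access log emitted in JSON format to a storage account.` is missing its verb ("Here is an example"); it is a context line, but the hunk adds a blank line directly after it, so fix it in the same change. The front matter also mixes date formats, `Previously updated : 1/10/2023` against `Last updated : 02/27/2024`; the sibling articles in this change use the zero-padded form throughout.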
application-gateway | How To Backend Mtls Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-backend-mtls-gateway-api.md | - Title: Backend MTLS with Application Gateway for Containers - Gateway API (preview) + Title: Backend MTLS with Application Gateway for Containers - Gateway API description: Learn how to configure Application Gateway for Containers with support for backend MTLS authentication. Previously updated : 09/19/2023 Last updated : 02/27/2024 -# Backend MTLS with Application Gateway for Containers - Gateway API (preview) +# Backend MTLS with Application Gateway for Containers - Gateway API This document helps set up an example application that uses the following resources from Gateway API. Steps are provided to:+ - Create a [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTPS listener. - Create an [HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/) resource that references a backend service. - Create a [BackendTLSPolicy](api-specification-kubernetes.md#alb.networking.azure.io/v1.BackendTLSPolicy) resource that has a client and CA certificate for the backend service referenced in the HTTPRoute. 
Mutual Transport Layer Security (MTLS) is a process that relies on certificates See the following figure: -[ ![A diagram showing the Application Gateway for Containers backend MTLS process.](./media/how-to-backend-mtls-gateway-api/backend-mtls.png) ](./media/how-to-backend-mtls-gateway-api/backend-mtls.png#lightbox) +[![A diagram showing the Application Gateway for Containers backend MTLS process.](./media/how-to-backend-mtls-gateway-api/backend-mtls.png)](./media/how-to-backend-mtls-gateway-api/backend-mtls.png#lightbox) ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application- Apply the following deployment.yaml file on your cluster to create a sample web application and deploy sample secrets to demonstrate backend mutual authentication (mTLS). 
- ```bash - kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/end-to-end-ssl-with-backend-mtls/deployment.yaml - ``` ++ Apply the following deployment.yaml file on your cluster to create a sample web application and deploy sample secrets to demonstrate backend mutual authentication (mTLS). ++ ```bash + kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/end-to-end-ssl-with-backend-mtls/deployment.yaml + ``` - This command creates the following on your cluster: - - a namespace called `test-infra` - - one service called `mtls-app` in the `test-infra` namespace - - one deployment called `mtls-app` in the `test-infra` namespace - - one config map called `mtls-app-nginx-cm` in the `test-infra` namespace - - four secrets called `backend.com`, `frontend.com`, `gateway-client-cert`, and `ca.bundle` in the `test-infra` namespace + This command creates the following on your cluster: + + - a namespace called `test-infra` + - one service called `mtls-app` in the `test-infra` namespace + - one deployment called `mtls-app` in the `test-infra` namespace + - one config map called `mtls-app-nginx-cm` in the `test-infra` namespace + - four secrets called `backend.com`, `frontend.com`, `gateway-client-cert`, and `ca.bundle` in the `test-infra` namespace ## Deploy the required Gateway API resources EOF [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)] # [Bring your own (BYO) deployment](#tab/byo)+ 1. 
Set the following environment variables ```bash EOF Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses: status: kind: HTTPRoute ``` -Once the gateway has been created, create an HTTPRoute +Once the gateway has been created, create an HTTPRoute resource. + ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF ``` Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.+ ```bash kubectl get httproute https-route -n test-infra -o yaml ``` |
application-gateway | How To Header Rewrite Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-header-rewrite-gateway-api.md | -# Header rewrite for Azure Application Gateway for Containers - Gateway API (preview) +# Header rewrite for Azure Application Gateway for Containers - Gateway API Application Gateway for Containers allows you to rewrite HTTP headers of client requests and responses from backend targets. Application Gateway for Containers allows you to rewrite HTTP headers of client Header rewrites take advantage of [filters](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPURLRewriteFilter) as defined by Kubernetes Gateway API. ## Background+ Header rewrites enable you to modify the request and response headers to and from your backend targets. The following figure illustrates a request with a specific user agent being rewritten to a simplified value called SearchEngine-BingBot when the request is initiated to the backend target by Application Gateway for Containers: -[ ![A diagram showing the Application Gateway for Containers rewriting a request header to the backend.](./media/how-to-header-rewrite-gateway-api/header-rewrite.png) ](./media/how-to-header-rewrite-gateway-api/header-rewrite.png#lightbox) +[![A diagram showing the Application Gateway for Containers rewriting a request header to the backend.](./media/how-to-header-rewrite-gateway-api/header-rewrite.png)](./media/how-to-header-rewrite-gateway-api/header-rewrite.png#lightbox) ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. 
If following the BYO deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. If you're following the ALB managed deployment strategy, ensure provisioning of the [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite. - ```bash - kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml - ``` + Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite. ++ ```bash + kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml + ``` - This command creates the following on your cluster: - - a namespace called `test-infra` - - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace - - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace + This command creates the following on your cluster: ++ - a namespace called `test-infra` + - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace + - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace ## Deploy the required Gateway API resources EOF [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)] # [Bring your own (BYO) deployment](#tab/byo)+ 1. Set the following environment variables ```bash FRONTEND_NAME='frontend' ``` 2. 
Create a Gateway+ ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF Once the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses: EOF ``` Once the HTTPRoute resource is created, ensure the route is _Accepted_ and the Application Gateway for Containers resource is _Programmed_.+ ```bash kubectl get httproute header-rewrite-route -n test-infra -o yaml ``` curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com ``` Via the response we should see:+ ```json { "path": "/", curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com -H "user-agent: Mozi ``` Via the response we should see:+ ```json { "path": "/", curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com -H "client-custom-he ``` Via the response we should see:+ ```json { "path": "/", Via the response we should see: } ``` -Congratulations, you have installed ALB Controller, deployed a backend application and modified header values via Gateway API on Application Gateway for Containers. +Congratulations, you have installed ALB Controller, deployed a backend application and modified header values via Gateway API on Application Gateway for Containers. |
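Review bot: Prerequisite step 2 in this article is missing a conjunction and reads "ensure provisioning of the [ALB Controller](...) the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](...)"; since the hunk already touches the surrounding prerequisites block (removing the preview callout), insert "and" so it reads "ensure provisioning of the ALB Controller and the Application Gateway for Containers resources via ...". Step 1 ("If following the BYO deployment strategy") and step 2 ("If you're following the ALB managed deployment strategy") also use different phrasings of the same condition; the sibling articles in this set use "If following" for both, so align them.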
application-gateway | How To Header Rewrite Ingress Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-header-rewrite-ingress-api.md | -# Header rewrite for Azure Application Gateway for Containers - Ingress API (preview) +# Header rewrite for Azure Application Gateway for Containers - Ingress API Application Gateway for Containers allows you to rewrite HTTP headers of client requests and responses from backend targets. Application Gateway for Containers allows you to rewrite HTTP headers of client Header rewrites take advantage of Application Gateway for Container's IngressExtension custom resource. ## Background+ Header rewrites enable you to modify the request and response headers to and from your backend targets. The following figure illustrates an example of a request with a specific user agent being rewritten to a simplified value called `rewritten-user-agent` when the request is initiated to the backend target by Application Gateway for Containers: -[ ![A diagram showing the Application Gateway for Containers rewriting a request header to the backend.](./media/how-to-header-rewrite-ingress-api/header-rewrite.png) ](./media/how-to-header-rewrite-ingress-api/header-rewrite.png#lightbox) +[![A diagram showing the Application Gateway for Containers rewriting a request header to the backend.](./media/how-to-header-rewrite-ingress-api/header-rewrite.png)](./media/how-to-header-rewrite-ingress-api/header-rewrite.png#lightbox) ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. 
If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite. - ```bash - kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml - ``` + Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite. ++ ```bash + kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml + ``` - This command creates the following on your cluster: - - a namespace called `test-infra` - - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace - - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace + This command creates the following on your cluster: ++ - a namespace called `test-infra` + - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace + - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace ## Deploy the required Gateway API resources EOF [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)] # [Bring your own (BYO) deployment](#tab/byo)+ 1. Set the following environment variables ```bash FRONTEND_NAME='frontend' ``` 2. 
Create an Ingress resource to listen for requests to `contoso.com`+ ```bash kubectl apply -f - <<EOF apiVersion: networking.k8s.io/v1 status: protocol: TCP ``` - Once the Ingress is created, next we need to define an IngressExtension with the header rewrite rules. -In this example, we set a static user-agent with a value of `rewritten-user-agent`. +In this example, we set a static user-agent with a value of `rewritten-user-agent`. This example also demonstrates addition of a new header called `AGC-Header-Add` with a value of `agc-value` and removes a request header called `client-custom-header`. EOF ``` Once the HTTPRoute resource is created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.+ ```bash kubectl get IngressExtension header-rewrite -n test-infra -o yaml ``` curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com ``` Via the response we should see:+ ```json { "path": "/", curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com -H "user-agent: my-u ``` Via the response we should see:+ ```json { "path": "/", curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com -H "client-custom-he ``` Via the response we should see:+ ```json { "path": "/", |
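Review bot: The sentence just before the added blank line still says "Once the HTTPRoute resource is created, ensure the route has been _Accepted_ ...", but this is the Ingress API article and the command that follows is `kubectl get IngressExtension header-rewrite -n test-infra -o yaml`; there is no HTTPRoute in this flow. Since the hunk edits this exact spot, rename the resource in the sentence to IngressExtension so the verification text matches the resource being inspected.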
application-gateway | How To Multiple Site Hosting Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-multiple-site-hosting-gateway-api.md | Title: Multiple site hosting with Application Gateway for Containers - Gateway API (preview) + Title: Multiple site hosting with Application Gateway for Containers - Gateway API description: Learn how to host multiple sites with Application Gateway for Containers using the Gateway API. Previously updated : 11/07/2023 Last updated : 02/27/2024 -# Multiple site hosting with Application Gateway for Containers - Gateway API (preview) +# Multiple site hosting with Application Gateway for Containers - Gateway API This document helps you set up an example application that uses the resources from Gateway API to demonstrate hosting multiple sites on the same Kubernetes Gateway resource / Application Gateway for Containers frontend. Steps are provided to: - Create a [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTP listener. Application Gateway for Containers enables multi-site hosting by allowing you to ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If you follow the BYO deployment strategy, ensure you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If you follow the ALB managed deployment strategy, ensure provisioning of your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application Example output of successful gateway creation. ```yaml status: addresses:- - type: IPAddress + - type: Hostname value: xxxx.yyyy.alb.azure.com conditions: - lastTransitionTime: "2023-06-19T21:04:55Z" |
application-gateway | How To Multiple Site Hosting Ingress Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-multiple-site-hosting-ingress-api.md | Title: Multi-site hosting with Application Gateway for Containers - Ingress API (preview) + Title: Multi-site hosting with Application Gateway for Containers - Ingress API description: Learn how to host multiple sites with Application Gateway for Containers using the Ingress API. Previously updated : 11/07/2023 Last updated : 02/27/2024 -# Multi-site hosting with Application Gateway for Containers - Ingress API (preview) +# Multi-site hosting with Application Gateway for Containers - Ingress API This document helps you set up an example application that uses the Ingress API to demonstrate hosting multiple sites on the same Kubernetes Ingress resource / Application Gateway for Containers frontend. Steps are provided to: - Create an [Ingress](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#ingressrule-v1-networking-k8s-io) resource with two hosts. Application Gateway for Containers enables multi-site hosting by allowing you to ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If you follow the BYO deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If you follow the ALB managed deployment strategy, ensure provisioning of your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application |
application-gateway | How To Path Header Query String Routing Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-path-header-query-string-routing-gateway-api.md | Title: Path, header, and query string routing with Application Gateway for Containers - Gateway API (preview) + Title: Path, header, and query string routing with Application Gateway for Containers - Gateway API description: Learn how to configure Application Gateway for Containers with support with path, header, and query string routing. Previously updated : 09/20/2023 Last updated : 02/27/2024 -# Path, header, and query string routing with Application Gateway for Containers - Gateway API (preview) +# Path, header, and query string routing with Application Gateway for Containers - Gateway API This document helps you set up an example application that uses the resources from Gateway API to demonstrate traffic routing based on URL path, query string, and header. Steps are provided to: - Create a [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTPS listener. Application Gateway for Containers enables traffic routing based on URL path, qu ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing. - ```bash - kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml - ``` + Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing. ++ ```bash + kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml + ``` - This command creates the following on your cluster: - - a namespace called `test-infra` - - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace - - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace + This command creates the following on your cluster: ++ - a namespace called `test-infra` + - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace + - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace ## Deploy the required Gateway API resources EOF [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)] # [Bring your own (BYO) deployment](#tab/byo)+ 1. Set the following environment variables ```bash FRONTEND_NAME='frontend' ``` 2. 
Create a Gateway+ ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses:- - type: IPAddress + - type: Hostname value: xxxx.yyyy.alb.azure.com conditions: - lastTransitionTime: "2023-06-19T21:04:55Z" EOF ``` Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.+ ```bash kubectl get httproute http-route -n test-infra -o yaml ``` fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addres By using the curl command, we can validate three different scenarios: ### Path based routing+ In this scenario, the client request sent to http://frontend-fqdn/bar is routed to backend-v2 service. Run the following command:+ ```bash curl http://$fqdn/bar ``` curl http://$fqdn/bar Notice the container serving the request is backend-v2. ### Query string + header + path routing+ In this scenario, the client request sent to http://frontend-fqdn/some/thing?great=example with a header key/value part of "magic: foo" is routed to backend-v2 service. Run the following command:+ ```bash curl http://$fqdn/some/thing?great=example -H "magic: foo" ``` curl http://$fqdn/some/thing?great=example -H "magic: foo" Notice the container serving the request is backend-v2. ### Default route+ If neither of the first two scenarios are satisfied, Application Gateway for Containers routes all other requests to the backend-v1 service. Run the following command:+ ```bash curl http://$fqdn/ ``` Notice the container serving the request is backend-v1. 
-Congratulations, you have installed ALB Controller, deployed a backend application and routed traffic to the application via Gateway API on Application Gateway for Containers. +Congratulations, you have installed ALB Controller, deployed a backend application and routed traffic to the application via Gateway API on Application Gateway for Containers. |
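Review bot: The example gateway status now reports `- type: Hostname` instead of `- type: IPAddress`, which is consistent with the placeholder value `xxxx.yyyy.alb.azure.com` and with the later `fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath=...` extraction that treats the address as a DNS name; the same sample output is repeated in the multiple-site hosting, SSL offloading and traffic splitting articles in this change set, so confirm the correction lands in every copy. While in this hunk, the "Default route" paragraph reads "If neither of the first two scenarios are satisfied"; "neither" takes a singular verb ("is satisfied").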
application-gateway | How To Ssl Offloading Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-ssl-offloading-gateway-api.md | - Title: SSL offloading with Application Gateway for Containers - Gateway API (preview) + Title: SSL offloading with Application Gateway for Containers - Gateway API description: Learn how to configure SSL offloading with Application Gateway for Containers using the Gateway API. Previously updated : 11/07/2023 Last updated : 02/27/2024 -# SSL offloading with Application Gateway for Containers - Gateway API (preview) +# SSL offloading with Application Gateway for Containers - Gateway API This document helps set up an example application that uses the following resources from Gateway API. Steps are provided to:+ - Create a [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) resource with one HTTPS listener. - Create an [HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/) that references a backend service. Application Gateway for Containers enables SSL [offloading](/azure/architecture/ ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If following the ALB managed deployment strategy, ensure that you provision your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTPS application Application Gateway for Containers enables SSL [offloading](/azure/architecture/ ```bash kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml ```- + This command creates the following on your cluster: - a namespace called `test-infra` - one service called `echo` in the `test-infra` namespace Application Gateway for Containers enables SSL [offloading](/azure/architecture/ # [ALB managed deployment](#tab/alb-managed) 1. Create a Gateway+ ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 FRONTEND_NAME='frontend' ``` 2. Create a Gateway+ ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF When the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses:- - type: IPAddress + - type: Hostname value: xxxx.yyyy.alb.azure.com conditions: - lastTransitionTime: "2023-06-19T21:04:55Z" status: kind: HTTPRoute ``` -Once the gateway is created, create an HTTPRoute +Once the gateway is created, create an HTTPRoute resource. + ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF ``` Once the HTTPRoute resource is created, ensure the route is _Accepted_ and the Application Gateway for Containers resource is _Programmed_.+ ```bash kubectl get httproute https-route -n test-infra -o yaml ``` |
application-gateway | How To Ssl Offloading Ingress Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-ssl-offloading-ingress-api.md | - Title: SSL offloading with Application Gateway for Containers - Ingress API (preview) + Title: SSL offloading with Application Gateway for Containers - Ingress API description: Learn how to configure SSL offloading with Application Gateway for Containers using the Ingress API. Previously updated : 11/07/2023 Last updated : 02/27/2024 -# SSL offloading with Application Gateway for Containers - Ingress API (preview) +# SSL offloading with Application Gateway for Containers - Ingress API This document helps set up an example application that uses the _Ingress_ resource from [Ingress API](https://kubernetes.io/docs/concepts/services-networking/ingress/): Application Gateway for Containers enables SSL [offloading](/azure/architecture/ ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If you follow the BYO deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. If you follow the ALB managed deployment strategy, ensure that you provision your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. 
Deploy a sample HTTPS application: RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOU FRONTEND_NAME='frontend' ``` -2. Create an Ingress +2. Create an Ingress resource. + ```bash kubectl apply -f - <<EOF apiVersion: networking.k8s.io/v1 EOF When the ingress resource is created, ensure the status shows the hostname of your load balancer and that both ports are listening for requests.+ ```bash kubectl get ingress ingress-01 -n test-infra -o yaml ``` Example output of successful Ingress creation.+ ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress |
application-gateway | How To Traffic Splitting Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-traffic-splitting-gateway-api.md | - Title: Traffic Splitting with Application Gateway for Containers - Gateway API (preview) + Title: Traffic Splitting with Application Gateway for Containers - Gateway API description: Learn how to configure traffic splitting / weighted round robin with Application Gateway for Containers. Previously updated : 09/20/2023 Last updated : 02/27/2024 -# Traffic splitting with Application Gateway for Containers - Gateway API (preview) +# Traffic splitting with Application Gateway for Containers - Gateway API This document helps set up an example application that uses the following resources from Gateway API: - [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) - creating a gateway with one http listener Application Gateway for Containers enables you to set weights and shift traffic ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. 
Deploy sample HTTP application EOF Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses:- - type: IPAddress + - type: Hostname value: xxxx.yyyy.alb.azure.com conditions: - lastTransitionTime: "2023-06-19T21:04:55Z" status: ``` Once the gateway has been created, create an HTTPRoute+ ```bash kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 EOF ``` Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.+ ```bash kubectl get httproute traffic-split-route -n test-infra -o yaml ``` |
application-gateway | How To Url Redirect Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-url-redirect-gateway-api.md | + + Title: URL Redirect for Azure Application Gateway for Containers - Gateway API +description: Learn how to redirect URLs in Gateway API for Application Gateway for Containers. +++++ Last updated : 02/27/2024++++# URL Redirect for Azure Application Gateway for Containers - Gateway API ++Application Gateway for Containers allows you to return a redirect response to the client based three aspects of a URL: protocol, hostname, and path. For each redirect, a defined HTTP status code may be returned to the client to define the nature of the redirect. ++## Usage details ++URL redirects take advantage of the [RequestRedirect rule filter](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.HTTPRequestRedirectFilter) as defined by Kubernetes Gateway API. ++## Redirection +A redirect sets the response status code returned to clients to understand the purpose of the redirect. The following types of redirection are supported: ++- 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource uses one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection. +- 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests. ++## Redirection capabilities ++- Protocol redirection is commonly used to tell the client to move from an unencrypted traffic scheme to traffic, such as HTTP to HTTPS redirection. ++- Hostname redirection matches the fully qualified domain name (fqdn) of the request. This is commonly observed in redirecting an old domain name to a new domain name; such as `contoso.com` to `fabrikam.com`. 
++- Path redirection has two different variants: `prefix` and `full`. + - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well. + - `Full` redirection type matches an exact value. For example, /shop could redirect to /store, but /shop/checkout wouldn't redirect to /store. ++The following figure illustrates an example of a request destined for _contoso.com/summer-promotion_ being redirected to _contoso.com/shop/category/5_. In addition, a second request initiated to contoso.com via http protocol is returned a redirect to initiate a new connection to its https variant. ++[![A diagram showing the Application Gateway for Containers returning a redirect URL to a client.](./media/how-to-url-redirect-gateway-api/url-redirect.png)](./media/how-to-url-redirect-gateway-api/url-redirect.png#lightbox) ++## Prerequisites ++1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) +2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). +3. Deploy sample HTTP application ++ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities. 
+ + ```bash + kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml + ``` ++ This command creates the following on your cluster: ++ - a namespace called `test-infra` + - one service called `echo` in the `test-infra` namespace + - one deployment called `echo` in the `test-infra` namespace + - one secret called `listener-tls-secret` in the `test-infra` namespace ++## Deploy the required Gateway API resources ++# [ALB managed deployment](#tab/alb-managed) ++1. Create a Gateway ++ ```bash + kubectl apply -f - <<EOF + apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: gateway-01 + namespace: test-infra + annotations: + alb.networking.azure.io/alb-namespace: alb-test-infra + alb.networking.azure.io/alb-name: alb-test + spec: + gatewayClassName: azure-alb-external + listeners: + - name: http-listener + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + - name: https-listener + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind : Secret + group: "" + name: listener-tls-secret + EOF + ``` +++# [Bring your own (BYO) deployment](#tab/byo) ++1. Set the following environment variables ++ ```bash + RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>' + RESOURCE_NAME='alb-test' ++ RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv) + FRONTEND_NAME='frontend' + ``` ++2. 
Create a Gateway ++ ```bash + kubectl apply -f - <<EOF + apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: gateway-01 + namespace: test-infra + annotations: + alb.networking.azure.io/alb-id: $RESOURCE_ID + spec: + gatewayClassName: azure-alb-external + listeners: + - name: http-listener + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + - name: https-listener + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: Same + tls: + mode: Terminate + certificateRefs: + - kind : Secret + group: "" + name: listener-tls-secret + addresses: + - type: alb.networking.azure.io/alb-frontend + value: $FRONTEND_NAME + EOF + ``` ++++Once the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway. ++```bash +kubectl get gateway gateway-01 -n test-infra -o yaml +``` ++Example output of successful gateway creation. ++```yaml +status: + addresses: + - type: Hostname + value: xxxx.yyyy.alb.azure.com + conditions: + - lastTransitionTime: "2023-06-19T21:04:55Z" + message: Valid Gateway + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2023-06-19T21:04:55Z" + message: Application Gateway For Containers resource has been successfully updated. + observedGeneration: 1 + reason: Programmed + status: "True" + type: Programmed + listeners: + - attachedRoutes: 0 + conditions: + - lastTransitionTime: "2023-06-19T21:04:55Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: "2023-06-19T21:04:55Z" + message: Listener is accepted + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2023-06-19T21:04:55Z" + message: Application Gateway For Containers resource has been successfully updated. 
+ observedGeneration: 1 + reason: Programmed + status: "True" + type: Programmed + name: https-listener + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute +``` ++Create an HTTPRoute resource for `contoso.com` that handles traffic received via https. ++```bash +kubectl apply -f - <<EOF +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: https-contoso + namespace: test-infra +spec: + parentRefs: + - name: gateway-01 + sectionName: https-listener + hostnames: + - "contoso.com" + rules: + - backendRefs: + - name: echo + port: 80 +EOF +``` ++When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_. ++```bash +kubectl get httproute rewrite-example -n test-infra -o yaml +``` ++Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute. ++```yaml +status: + parents: + - conditions: + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Route is Accepted + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Application Gateway For Containers resource has been successfully updated. + observedGeneration: 1 + reason: Programmed + status: "True" + type: Programmed + controllerName: alb.networking.azure.io/alb-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-01 + namespace: test-infra + ``` ++Once the gateway is created, create an HTTPRoute resource for `contoso.com` with a RequestRedirect filter that redirects http traffic to https. 
++```bash +kubectl apply -f - <<EOF +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: http-to-https-contoso-redirect + namespace: test-infra +spec: + parentRefs: + - name: gateway-01 + sectionName: http-listener + hostnames: + - "contoso.com" + rules: + - matches: + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 +EOF +``` ++When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_. ++```bash +kubectl get httproute rewrite-example -n test-infra -o yaml +``` ++Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute. ++```yaml +status: + parents: + - conditions: + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Route is Accepted + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Application Gateway For Containers resource has been successfully updated. + observedGeneration: 1 + reason: Programmed + status: "True" + type: Programmed + controllerName: alb.networking.azure.io/alb-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-01 + namespace: test-infra + ``` ++Create an HTTPRoute resource for `contoso.com` that handles a redirect for the path /summer-promotion to a specific URL. By eliminating sectionName, demonstrated in the http to https HTTPRoute resources, this redirect rule applies to both HTTP and HTTPS requests. 
++```bash +kubectl apply -f - <<EOF +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: summer-promotion-redirect + namespace: test-infra +spec: + parentRefs: + - name: gateway-01 + sectionName: https-listener + hostnames: + - "contoso.com" + rules: + - matches: + - path: + type: PathPrefix + value: /summer-promotion + filters: + - type: RequestRedirect + requestRedirect: + path: + type: ReplaceFullPath + replaceFullPath: /shop/category/5 + statusCode: 302 + - backendRefs: + - name: echo + port: 80 +EOF +``` ++When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_. ++```bash +kubectl get httproute rewrite-example -n test-infra -o yaml +``` ++Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute. ++```yaml +status: + parents: + - conditions: + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: "" + observedGeneration: 1 + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Route is Accepted + observedGeneration: 1 + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: "2023-06-19T22:18:23Z" + message: Application Gateway For Containers resource has been successfully updated. + observedGeneration: 1 + reason: Programmed + status: "True" + type: Programmed + controllerName: alb.networking.azure.io/alb-controller + parentRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-01 + namespace: test-infra + ``` ++## Test access to the application ++Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN. 
++```bash +fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}') +``` ++When you specify the server name indicator using the curl command, `http://contoso.com` should return a response from the Application Gateway for Containers with a `location` header defining a 301 redirect to `https://contoso.com`. ++```bash +fqdnIp=$(dig +short $fqdn) +curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/ -v +``` ++Via the response we should see: ++```text +* Added contoso.com:80:xxx.xxx.xxx.xxx to DNS cache +* Hostname contoso.com was found in DNS cache +* Trying xxx.xxx.xxx.xxx:80... +* Connected to contoso.com (xxx.xxx.xxx.xxx) port 80 (#0) +> GET / HTTP/1.1 +> Host: contoso.com +> User-Agent: curl/7.81.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 301 Moved Permanently +< location: https://contoso.com/ +< date: Mon, 26 Feb 2024 22:56:23 GMT +< server: Microsoft-Azure-Application-LB/AGC +< content-length: 0 +< +* Connection #0 to host contoso.com left intact +``` ++When you specify the server name indicator using the curl command, `https://contoso.com/summer-promotion` Application Gateway for Containers should return a 302 redirect to `https://contoso.com/shop/category/5`. 
++```bash +fqdnIp=$(dig +short $fqdn) +curl -k --resolve contoso.com:443:$fqdnIp https://contoso.com/summer-promotion -v +``` ++Via the response we should see: ++```text +> GET /summer-promotion HTTP/2 +> Host: contoso.com +> user-agent: curl/7.81.0 +> accept: */* +> +* TLSv1.2 (IN), TLS header, Supplemental data (23): +* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): +* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): +* old SSL session ID is stale, removing +* TLSv1.2 (IN), TLS header, Supplemental data (23): +* TLSv1.2 (OUT), TLS header, Supplemental data (23): +* TLSv1.2 (IN), TLS header, Supplemental data (23): +< HTTP/2 302 +< location: https://contoso.com/shop/category/5 +< date: Mon, 26 Feb 2024 22:58:43 GMT +< server: Microsoft-Azure-Application-LB/AGC +< +* Connection #0 to host contoso.com left intact +``` ++Congratulations, you have installed ALB Controller, deployed a backend application, and used Gateway API to configure both an HTTP to HTTPS redirect and path based redirection to specific client requests. |
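Review bot: the sample deployment command in step 3 of Prerequisites has the invocation duplicated: `kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml`. As written, `-f kubectl` is taken as a local file path and the command fails before the manifest URL is ever read; it should be a single `kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml`.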
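Review bot: all three `kubectl get httproute rewrite-example -n test-infra -o yaml` verification commands name a resource this article never creates; the routes created are `https-contoso`, `http-to-https-contoso-redirect` and `summer-promotion-redirect`, so each check should use the name of the route created in the step just above it. Otherwise the reader gets a NotFound error and cannot confirm the _Accepted_ and _Programmed_ conditions the surrounding text asks them to verify.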
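Review bot: the paragraph introducing the `summer-promotion-redirect` route says "By eliminating sectionName ... this redirect rule applies to both HTTP and HTTPS requests", but the manifest that follows still pins the route with `sectionName: https-listener` under `parentRefs`, so the path redirect is attached to the HTTPS listener only. Either drop that line from the manifest or correct the sentence. In the same manifest the trailing `- backendRefs: - name: echo port: 80` rule has no `matches`, so it claims every other `contoso.com` request on the HTTPS listener, which the earlier `https-contoso` route already handles; remove it so two routes do not compete for the same traffic.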
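Review bot: several wording slips in the introduction and in the http-to-https manifest: "based three aspects of a URL" is missing "on"; "Any future references to this resource uses one of the enclosed URIs" should read "use"; and "move from an unencrypted traffic scheme to traffic" is missing the target scheme (an encrypted one). In the `http-to-https-contoso-redirect` manifest the empty `matches:` key directly above `filters:` carries a null value and adds nothing; remove it so the rule reads as an unconditional redirect on the `http-listener`.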
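Review bot: in the test section, `-k` on `curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/ -v` has no effect on a plain HTTP request, and the lead sentence "When you specify the server name indicator using the curl command" describes `--resolve`, which only pins the hostname to the frontend IP; there is no SNI on the port 80 connection at all. On the HTTPS call `-k` disables certificate verification, which is acceptable only because the sample `listener-tls-secret` is a test certificate; say so in the text rather than leave readers carrying `-k` into real checks. `fqdnIp=$(dig +short $fqdn)` also returns one line per A record, so if the frontend resolves to more than one address the multi-line value breaks the `--resolve` argument; take the first line (for example `dig +short $fqdn | head -n1`).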
application-gateway | How To Url Redirect Ingress Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-url-redirect-ingress-api.md | + + Title: URL Redirect for Azure Application Gateway for Containers - Ingress API +description: Learn how to redirect URLs in Ingress API for Application Gateway for Containers. +++++ Last updated : 02/27/2024++++# URL Redirect for Azure Application Gateway for Containers - Ingress API ++Application Gateway for Containers allows you to return a redirect response to the client based three aspects of a URL: protocol, hostname, and path. For each redirect, a defined HTTP status code may be returned to the client to define the nature of the redirect. ++## Usage details ++URL redirects take advantage of the [RequestRedirect rule filter](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.HTTPRequestRedirectFilter) as defined by Kubernetes Gateway API. ++## Redirection ++A redirect sets the response status code returned to clients to understand the purpose of the redirect. The following types of redirection are supported: ++- 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource use one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection. +- 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests. ++## Redirection capabilities ++- Protocol redirection is commonly used to tell the client to move from an unencrypted traffic scheme to traffic, such as HTTP to HTTPS redirection. ++- Hostname redirection matches the fully qualified domain name (fqdn) of the request. This is commonly observed in redirecting an old domain name to a new domain name; such as `contoso.com` to `fabrikam.com`. 
++- Path redirection has two different variants: `prefix` and `full`. + - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well. + - `Full` redirection type matches an exact value. For example, /shop could redirect to /store, but /shop/checkout wouldn't redirect to /store. ++The following figure illustrates an example of a request destined for _contoso.com/summer-promotion_ being redirected to _contoso.com/shop/category/5_. In addition, a second request initiated to contoso.com via http protocol is returned a redirect to initiate a new connection to its https variant. ++[ ![A diagram showing the Application Gateway for Containers returning a redirect URL to a client.](./media/how-to-url-redirect-ingress-api/url-redirect.png) ](./media/how-to-url-redirect-ingress-api/url-redirect.png#lightbox) ++## Prerequisites ++1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) +2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). +3. Deploy sample HTTP application ++ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities. 
+ + ```bash + kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml + ``` ++ This command creates the following on your cluster: ++ - a namespace called `test-infra` + - one service called `echo` in the `test-infra` namespace + - one deployment called `echo` in the `test-infra` namespace + - one secret called `listener-tls-secret` in the `test-infra` namespace ++## Deploy the required IngressExtension resources ++1. Create an IngressExtension resource to handle HTTP to HTTPS redirect for `contoso.com` ++ ```bash + kubectl apply -f - <<EOF + apiVersion: alb.networking.azure.io/v1 + kind: IngressExtension + metadata: + name: http-to-https + namespace: test-infra + spec: + rules: + - host: contoso.com + requestRedirect: + statusCode: 301 + scheme: https + EOF + ``` ++2. Create an IngressExtension resource to handle a path based redirect from `contoso.com/summer-promotion` to `contoso.com/shop/category/5`. ++ ```bash + kubectl apply -f - <<EOF + apiVersion: alb.networking.azure.io/v1 + kind: IngressExtension + metadata: + name: summer-promotion-redirect + namespace: test-infra + spec: + rules: + - host: contoso.com + requestRedirect: + statusCode: 302 + path: + type: ReplaceFullPath + replaceFullPath: /shop/category/5 + EOF + ``` ++## Deploy the required Ingress resources ++# [ALB managed deployment](#tab/alb-managed) ++1. Create the first Ingress resource to listen for HTTPS requests. 
++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-https + namespace: test-infra + annotations: + alb.networking.azure.io/alb-namespace: alb-test-infra + alb.networking.azure.io/alb-name: alb-test + alb.networking.azure.io/alb-frontend: ingress-fe + spec: + ingressClassName: azure-alb-external + tls: + - hosts: + - contoso.com + secretName: listener-tls-secret + rules: + - host: contoso.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echo + port: + number: 80 + EOF + ``` ++2. Create the second Ingress resource to listen on port 80 and redirect to HTTPS. ++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-http + namespace: test-infra + annotations: + alb.networking.azure.io/alb-namespace: alb-test-infra + alb.networking.azure.io/alb-name: alb-test + alb.networking.azure.io/alb-frontend: ingress-fe + alb.networking.azure.io/alb-ingress-extension: http-to-https + spec: + ingressClassName: azure-alb-external + rules: + - host: contoso.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echo + port: + number: 80 + EOF + ``` ++3. Create a third Ingress resource to listen on port 80 and 443 for `contoso.com/summer-promotion` and redirect to `contoso.com/shop/category/5`. 
++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-summer-promotion-redirect + namespace: test-infra + annotations: + alb.networking.azure.io/alb-namespace: alb-test-infra + alb.networking.azure.io/alb-name: alb-test + alb.networking.azure.io/alb-frontend: ingress-fe + alb.networking.azure.io/alb-ingress-extension: summer-promotion-redirect + spec: + ingressClassName: azure-alb-external + tls: + - hosts: + - contoso.com + secretName: listener-tls-secret + rules: + - host: contoso.com + http: + paths: + - path: /summer-promotion + pathType: Prefix + backend: + service: + name: ignored-for-redirect + port: + number: 80 + EOF + ``` +++# [Bring your own (BYO) deployment](#tab/byo) ++1. Set the following environment variables ++ ```bash + RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>' + RESOURCE_NAME='alb-test' ++ RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv) + FRONTEND_NAME='frontend' + ``` ++2. Create the first Ingress resource to listen for HTTPS requests. ++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-https + namespace: test-infra + annotations: + alb.networking.azure.io/alb-id: $RESOURCE_ID + alb.networking.azure.io/alb-frontend: $FRONTEND_NAME + spec: + ingressClassName: azure-alb-external + tls: + - hosts: + - contoso.com + secretName: listener-tls-secret + rules: + - host: contoso.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echo + port: + number: 80 + EOF + ``` ++3. Create the second Ingress resource to listen on port 80 and redirect to HTTPS. 
++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-http + namespace: test-infra + annotations: + alb.networking.azure.io/alb-id: $RESOURCE_ID + alb.networking.azure.io/alb-frontend: $FRONTEND_NAME + alb.networking.azure.io/alb-ingress-extension: http-to-https + spec: + ingressClassName: azure-alb-external + rules: + - host: contoso.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echo + port: + number: 80 + EOF + ``` ++4. Create a third Ingress resource to listen on port 80 and 443 for `contoso.com/summer-promotion` and redirect to `contoso.com/shop/category/5`. ++ ```bash + kubectl apply -f - <<EOF + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: ingress-summer-promotion-redirect + namespace: test-infra + annotations: + alb.networking.azure.io/alb-id: $RESOURCE_ID + alb.networking.azure.io/alb-frontend: $FRONTEND_NAME + alb.networking.azure.io/alb-ingress-extension: summer-promotion-redirect + spec: + ingressClassName: azure-alb-external + tls: + - hosts: + - contoso.com + secretName: listener-tls-secret + rules: + - host: contoso.com + http: + paths: + - path: /summer-promotion + pathType: Prefix + backend: + service: + name: ignored-for-redirect + port: + number: 80 + EOF + ``` ++++For each Ingress resource, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the ingress resource. For all three Ingress resources, you should see the same hostname in this example. ++```bash +kubectl get ingress ingress-https -n test-infra -o yaml +``` ++Example output of successful Ingress creation. ++```yaml +status: + loadBalancer: + ingress: + - hostname: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.fzyy.alb.azure.com + ports: + - port: 443 + protocol: TCP +``` ++## Test access to the application ++Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. 
Use the following command to get the FQDN. ++```bash +fqdn=$(kubectl get ingress ingress-http -n test-infra -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') +``` ++When you specify the server name indicator using the curl command, `http://contoso.com` should return a response from the Application Gateway for Containers with a `location` header defining a 301 redirect to `https://contoso.com`. ++```bash +fqdnIp=$(dig +short $fqdn) +curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/ -v +``` ++Via the response we should see: ++```text +* Added contoso.com:80:xxx.xxx.xxx.xxx to DNS cache +* Hostname contoso.com was found in DNS cache +* Trying xxx.xxx.xxx.xxx:80... +* Connected to contoso.com (xxx.xxx.xxx.xxx) port 80 (#0) +> GET / HTTP/1.1 +> Host: contoso.com +> User-Agent: curl/7.81.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 301 Moved Permanently +< location: https://contoso.com/ +< date: Mon, 26 Feb 2024 22:56:23 GMT +< server: Microsoft-Azure-Application-LB/AGC +< content-length: 0 +< +* Connection #0 to host contoso.com left intact +``` ++When you specify the server name indicator using the curl command, `https://contoso.com/summer-promotion` Application Gateway for Containers should return a 302 redirect to `https://contoso.com/shop/category/5`. 
++```bash +fqdnIp=$(dig +short $fqdn) +curl -k --resolve contoso.com:443:$fqdnIp https://contoso.com/summer-promotion -v +``` ++Via the response we should see: ++```text +> GET /summer-promotion HTTP/2 +> Host: contoso.com +> user-agent: curl/7.81.0 +> accept: */* +> +* TLSv1.2 (IN), TLS header, Supplemental data (23): +* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): +* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): +* old SSL session ID is stale, removing +* TLSv1.2 (IN), TLS header, Supplemental data (23): +* TLSv1.2 (OUT), TLS header, Supplemental data (23): +* TLSv1.2 (IN), TLS header, Supplemental data (23): +< HTTP/2 302 +< location: https://contoso.com/shop/category/5 +< date: Mon, 26 Feb 2024 22:58:43 GMT +< server: Microsoft-Azure-Application-LB/AGC +< +* Connection #0 to host contoso.com left intact +``` ++Congratulations, you have installed ALB Controller, deployed a backend application, and used Ingress API to configure both an HTTP to HTTPs redirect and path based redirection to specific client requests. |
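Review bot: the Prerequisites deployment command is malformed: `kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml` passes `kubectl` as the file to apply and never reaches the URL. Collapse it to one `kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml`.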
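Review bot: the "Usage details" paragraph says redirects "take advantage of the RequestRedirect rule filter as defined by Kubernetes Gateway API" and links the Gateway API spec, but this is the Ingress API article and every redirect in it is configured through the `IngressExtension` resource (`alb.networking.azure.io/v1`) with `requestRedirect` rules, attached to an Ingress via the `alb.networking.azure.io/alb-ingress-extension` annotation. The paragraph reads as copied from the Gateway API article; it should describe the IngressExtension mechanism that the manifests below actually use.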
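Review bot: wording fixes in the introduction and closing: "based three aspects of a URL" is missing "on"; "from an unencrypted traffic scheme to traffic" is missing the target scheme (an encrypted one); and the final sentence's "HTTP to HTTPs redirect" should be "HTTP to HTTPS redirect" to match the rest of the article.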
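Review bot: the curl tests reuse the same pattern as the Gateway API redirect article and carry the same issues: `-k` is meaningless on the `http://contoso.com/` request, `--resolve` pins DNS rather than setting the "server name indicator" named in the prose (and port 80 has no SNI), and `dig +short $fqdn` may emit several A records on separate lines, which would corrupt the `--resolve` value. Keep `-k` only on the HTTPS request, note that it is there because `listener-tls-secret` holds a sample certificate, and take the first `dig` line.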
application-gateway | How To Url Rewrite Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-url-rewrite-gateway-api.md | -# URL Rewrite for Azure Application Gateway for Containers - Gateway API (preview) +# URL Rewrite for Azure Application Gateway for Containers - Gateway API Application Gateway for Containers allows you to rewrite the URL of a client request, including the requests' hostname and/or path. When Application Gateway for Containers initiates the request to the backend target, the request contains the newly rewritten URL to initiate the request. - ## Usage details URL Rewrites take advantage of [filters](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPURLRewriteFilter) as defined by Kubernetes Gateway API. ## Background+ URL rewrite enables you to translate an incoming request to a different URL when initiated to a backend target. The following figure illustrates an example of a request destined for _contoso.com/shop_ being rewritten to _contoso.com/ecommerce_. The request is initiated to the backend target by Application Gateway for Containers: The following figure illustrates an example of a request destined for _contoso.c ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing. - ```bash - kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml - ``` ++ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities. - This command creates the following on your cluster: - - a namespace called `test-infra` - - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace - - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace + ```bash + kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml + ``` ++ This command creates the following on your cluster: ++ - a namespace called `test-infra` + - one service called `echo` in the `test-infra` namespace + - one deployment called `echo` in the `test-infra` namespace + - one secret called `listener-tls-secret` in the `test-infra` namespace ## Deploy the required Gateway API resources # [ALB managed deployment](#tab/alb-managed) 1. 
Create a Gateway-```bash -kubectl apply -f - <<EOF -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: gateway-01 - namespace: test-infra - annotations: - alb.networking.azure.io/alb-namespace: alb-test-infra - alb.networking.azure.io/alb-name: alb-test -spec: - gatewayClassName: azure-alb-external - listeners: - - name: http-listener - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same -EOF -``` ++ ```bash + kubectl apply -f - <<EOF + apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: gateway-01 + namespace: test-infra + annotations: + alb.networking.azure.io/alb-namespace: alb-test-infra + alb.networking.azure.io/alb-name: alb-test + spec: + gatewayClassName: azure-alb-external + listeners: + - name: http-listener + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + EOF + ``` [!INCLUDE [application-gateway-for-containers-frontend-naming](../../../includes/application-gateway-for-containers-frontend-naming.md)] EOF 1. Set the following environment variables -```bash -RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>' -RESOURCE_NAME='alb-test' + ```bash + RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>' + RESOURCE_NAME='alb-test' -RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv) -FRONTEND_NAME='test-frontend' -``` + RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv) + FRONTEND_NAME='frontend' + ``` 2. 
Create a Gateway-```bash -kubectl apply -f - <<EOF -apiVersion: gateway.networking.k8s.io/v1beta1 -kind: Gateway -metadata: - name: gateway-01 - namespace: test-infra - annotations: - alb.networking.azure.io/alb-id: $RESOURCE_ID -spec: - gatewayClassName: azure-alb-external - listeners: - - name: http-listener - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same - addresses: - - type: alb.networking.azure.io/alb-frontend - value: $FRONTEND_NAME -EOF -``` ++ ```bash + kubectl apply -f - <<EOF + apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: gateway-01 + namespace: test-infra + annotations: + alb.networking.azure.io/alb-id: $RESOURCE_ID + spec: + gatewayClassName: azure-alb-external + listeners: + - name: http-listener + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same + addresses: + - type: alb.networking.azure.io/alb-frontend + value: $FRONTEND_NAME + EOF + ``` Once the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.+ ```bash kubectl get gateway gateway-01 -n test-infra -o yaml ``` Example output of successful gateway creation.+ ```yaml status: addresses:- - type: IPAddress + - type: Hostname value: xxxx.yyyy.alb.azure.com conditions: - lastTransitionTime: "2023-06-19T21:04:55Z" EOF ``` When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_.+ ```bash kubectl get httproute rewrite-example -n test-infra -o yaml ``` curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/shop ``` Via the response we should see:+ ```json { "path": "/ecommerce", curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com ``` Via the response we should see:+ ```json { "path": "/", |
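Review bot: the replacement command in step 3 of the prerequisites is doubled: `kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml` passes the literal path `kubectl` to `-f` and fails; it should be a single `kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml`. The new sentence "deploy a sample TLS certificate to demonstrate redirect capabilities" was carried over from the redirect article; this article demonstrates URL rewrite and the Gateway below defines only an HTTP listener on port 80, so the sentence should describe the `echo` application used for rewrite, or the listener should be changed to use `listener-tls-secret` if TLS is intended.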
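Review bot: both re-indented Gateway manifests (ALB managed and BYO tabs) still declare `apiVersion: gateway.networking.k8s.io/v1beta1`, while the overview change in this same batch states that ALB Controller now implements `v1` of the Gateway API; if `v1` is the supported version, the manifests should be updated to `gateway.networking.k8s.io/v1` in the same commit so the how-to matches the overview.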
application-gateway | How To Url Rewrite Ingress Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-url-rewrite-ingress-api.md | -# URL Rewrite for Azure Application Gateway for Containers - Ingress API (preview) +# URL Rewrite for Azure Application Gateway for Containers - Ingress API Application Gateway for Containers allows you to rewrite the URL of a client request, including the requests' hostname and/or path. When Application Gateway for Containers initiates the request to the backend target, the request contains the newly rewritten URL to initiate the request. - ## Usage details URL Rewrites take advantage of Application Gateway for Containers' IngressExtension custom resource. ## Background+ URL rewrite enables you to translate an incoming request to a different URL when initiated to a backend target. The following figure illustrates a request destined for _contoso.com/shop_ being rewritten to _contoso.com/ecommerce_ when the request is initiated to the backend target by Application Gateway for Containers: [ ![A diagram showing the Application Gateway for Containers rewriting a URL to the backend.](./media/how-to-url-rewrite-gateway-api/url-rewrite.png) ](./media/how-to-url-rewrite-gateway-api/url-rewrite.png#lightbox) - ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) 2. 
If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md). 3. Deploy sample HTTP application |
application-gateway | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/overview.md | Title: What is Application Gateway for Containers? (preview) + Title: What is Application Gateway for Containers? description: Overview of Azure Application Load Balancer Application Gateway for Containers features, resources, architecture, and implementation. Learn how Application Gateway for Containers works and how to use Application Gateway for Containers resources in Azure. -# What is Application Gateway for Containers? (preview) +# What is Application Gateway for Containers? -Application Gateway for Containers is a new application (layer 7) [load balancing](/azure/architecture/guide/technology-choices/load-balancing-overview) and dynamic traffic management product for workloads running in a Kubernetes cluster. It extends Azure's Application Load Balancing portfolio and is a new offering under the Application Gateway product family. +Application Gateway for Containers is a new application (layer 7) [load balancing](/azure/architecture/guide/technology-choices/load-balancing-overview) and dynamic traffic management product for workloads running in a Kubernetes cluster. It extends Azure's Application Load Balancing portfolio and is a new offering under the Application Gateway product family. -Application Gateway for Containers is the evolution of the [Application Gateway Ingress Controller](../ingress-controller-overview.md) (AGIC), a [Kubernetes](/azure/aks) application that enables Azure Kubernetes Service (AKS) customers to use Azure's native Application Gateway application load-balancer. In its current form, AGIC monitors a subset of Kubernetes Resources for changes and applies them to the Application Gateway, utilizing Azure Resource Manager (ARM). 
--> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +Application Gateway for Containers is the evolution of the [Application Gateway Ingress Controller](../ingress-controller-overview.md) (AGIC), a [Kubernetes](/azure/aks) application that enables Azure Kubernetes Service (AKS) customers to use Azure's native Application Gateway application load-balancer. In its current form, AGIC monitors a subset of Kubernetes Resources for changes and applies them to the Application Gateway, utilizing Azure Resource Manager (ARM). ## How does it work? Application Gateway for Containers is made up of three components:+ - Application Gateway for Containers - Frontends - Associations The following dependencies are also referenced in an Application Gateway for Containers deployment:+ - Private IP address - Subnet Delegation - User-assigned Managed Identity For details about how Application Gateway for Containers accepts incoming reques ## Features and benefits Application Gateway for Containers offers some entirely new features at release, such as:-- Traffic splitting / Weighted round robin ++- Traffic splitting / Weighted round robin - Mutual authentication to the backend target - Kubernetes support for Ingress and Gateway API - Flexible [deployment strategies](#deployment-strategies) - Increased performance, offering near real-time updates to add or move pods, routes, and probes -Application Gateway for Containers offers an elastic and scalable ingress to AKS clusters and comprises a new data plane as well as control plane with [new set of ARM APIs](#implementation-of-gateway-api), different from existing Application Gateway. 
These APIs are different from the current implementation of Application Gateway. Application Gateway for Containers is outside the AKS cluster data plane and is responsible for ingress. The service is managed by an ALB controller component that runs inside the AKS cluster and adheres to Kubernetes Gateway APIs. +Application Gateway for Containers offers an elastic and scalable ingress to AKS clusters and comprises a new data plane as well as control plane with [new set of ARM APIs](#implementation-of-gateway-api), different from existing Application Gateway. These APIs are different from the current implementation of Application Gateway. Application Gateway for Containers is outside the AKS cluster data plane and is responsible for ingress. The service is managed by an ALB controller component that runs inside the AKS cluster and adheres to Kubernetes Gateway APIs. ### Load balancing features Application Gateway for Containers supports the following features for traffic management:+ - Automatic retries - Autoscaling - Availability zone resiliency Application Gateway for Containers supports the following features for traffic m - Query string - Methods - Ports (80/443)-- Mutual Authentication (mTLS) to backend target-- Traffic Splitting / weighted round robin-- TLS Policies+- Mutual authentication (mTLS) to backend target +- Traffic splitting / weighted round robin +- TLS policies +- URL redirect - URL rewrite ### Deployment strategies Application Gateway for Containers supports the following features for traffic m There are two deployment strategies for management of Application Gateway for Containers: - **Bring your own (BYO) deployment:** In this deployment strategy, deployment and lifecycle of the Application Gateway for Containers resource, Association and Frontend resource is assumed via Azure portal, CLI, PowerShell, Terraform, etc. 
and referenced in configuration within Kubernetes.- - **In Gateway API:** Every time you wish to create a new Gateway resource in Kubernetes, a Frontend resource should be provisioned in Azure prior and referenced by the Gateway resource. Deletion of the Frontend resource is responsible by the Azure administrator and isn't deleted when the Gateway resource in Kubernetes is deleted. + - **In Gateway API:** Every time you wish to create a new Gateway resource in Kubernetes, a Frontend resource should be provisioned in Azure prior and referenced by the Gateway resource. Deletion of the Frontend resource is responsible by the Azure administrator and isn't deleted when the Gateway resource in Kubernetes is deleted. - **Managed by ALB Controller:** In this deployment strategy ALB Controller deployed in Kubernetes is responsible for the lifecycle of the Application Gateway for Containers resource and its sub resources. ALB Controller creates Application Gateway for Containers resource when an ApplicationLoadBalancer custom resource is defined on the cluster and its lifecycle is based on the lifecycle of the custom resource. - **In Gateway API:** Every time a Gateway resource is created referencing the ApplicationLoadBalancer resource, ALB Controller provisions a new Frontend resource and manage its lifecycle based on the lifecycle of the Gateway resource. 
### Supported regions Application Gateway for Containers is currently offered in the following regions:+ - Australia East+- Canada Central +- Central India - Central US - East Asia - East US - East US2+- France Central +- Germany West Central +- Korea Central - North Central US - North Europe+- Norway East - South Central US - Southeast Asia+- Switzerland North +- UAE North - UK South - West US - West Europe ### Implementation of Gateway API -ALB Controller implements version [v1beta1](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1) of the [Gateway API](https://gateway-api.sigs.k8s.io/) +ALB Controller implements version [v1](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1) of the [Gateway API](https://gateway-api.sigs.k8s.io/) | Gateway API Resource | Support | Comments | | - | - | | ALB Controller implements version [v1beta1](https://gateway-api.sigs.k8s.io/refe | [HTTPRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute) | Yes | | | [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.ReferenceGrant) | Yes | Currently supports version v1alpha1 of this API | -> [!Note] -> v1beta1 documentation has been removed within official Gateway API documentation, however the links to the v1 documentation are still highly relevent. - ### Implementation of Ingress API ALB Controller implements support for [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) For issues, raise a support request via the Azure portal on your Application Gat For Application Gateway for Containers pricing information, see [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway/). -While in Public Preview, Application Gateway for Containers follows [Preview supplemental terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
- ## What's new To learn what's new with Application Gateway for Containers, see [Azure updates](https://azure.microsoft.com/updates/?category=networking&query=Application%20Gateway%20for%20Containers). |
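Review bot: the re-added bullet under **Bring your own (BYO) deployment** keeps the grammar error of the line it replaces: "Deletion of the Frontend resource is responsible by the Azure administrator and isn't deleted" should read "Deleting the Frontend resource is the responsibility of the Azure administrator; it isn't deleted when the Gateway resource in Kubernetes is deleted." The parallel bullet under **Managed by ALB Controller** has "ALB Controller provisions a new Frontend resource and manage its lifecycle", which should be "manages".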
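Review bot: the Gateway API implementation hunk changes the stated version from v1beta1 to v1 and deletes the note that explained the v1 links, but the ReferenceGrant row still links to the v1alpha2 spec while its comment says "Currently supports version v1alpha1 of this API"; the link target and the comment should agree, and the row should say which alpha version is actually honoured by the controller.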
application-gateway | Quickstart Create Application Gateway For Containers Byo Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/quickstart-create-application-gateway-for-containers-byo-deployment.md | Title: 'Quickstart: Create Application Gateway for Containers - bring your own deployment (preview)' + Title: 'Quickstart: Create Application Gateway for Containers - bring your own deployment' description: In this quickstart, you learn how to provision and manage the Application Gateway for Containers Azure resources independent from Kubernetes configuration. -# Quickstart: Create Application Gateway for Containers - bring your own deployment (preview) +# Quickstart: Create Application Gateway for Containers - bring your own deployment -This guide assumes you're following the **bring your own** [deployment strategy](overview.md#deployment-strategies), where ALB Controller references the Application Gateway for Containers resources precreated in Azure. It's assumed that resource lifecycles are managed in Azure, independent from what is defined within Kubernetes. +This guide assumes you're following the **bring your own** [deployment strategy](overview.md#deployment-strategies), where ALB Controller references the Application Gateway for Containers resources precreated in Azure. It's assumed that resource lifecycles are managed in Azure, independent from what is defined within Kubernetes. ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. --Ensure you have first deployed ALB Controller into your Kubernetes cluster. 
You may follow the [Quickstart: Deploy Application Gateway for Containers ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) guide if you haven't already deployed the ALB Controller. +Ensure you have first deployed ALB Controller into your Kubernetes cluster. You may follow the [Quickstart: Deploy Application Gateway for Containers ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) guide if you haven't already deployed the ALB Controller. ## Create the Application Gateway for Containers resource az network alb frontend create -g $RESOURCE_GROUP -n $FRONTEND_NAME --alb-name $ ### Delegate a subnet to association resource -To create an association resource, you first need to reference a subnet for Application Gateway for Containers to establish connectivity to. Ensure the subnet for an Application Gateway for Containers association is at least a class C or larger (/24 or smaller CIDR prefix). For this step, you may either reuse an existing subnet and enable subnet delegation on it. or create a new VNET, subnet, and enable subnet delegation. +To create an association resource, you first need to reference a subnet for Application Gateway for Containers to establish connectivity to. Ensure the subnet for an Application Gateway for Containers association is at least a class C or larger (/24 or smaller CIDR prefix). For this step, you may either reuse an existing subnet and enable subnet delegation on it or create a new VNET, subnet, and enable subnet delegation. 
# [Reference existing VNet and Subnet](#tab/existing-vnet-subnet) To reference an existing subnet, execute the following command to set the variables for reference to the subnet in later steps.+ ```azurecli-interactive VNET_NAME='<name of the virtual network to use>' VNET_RESOURCE_GROUP='<the resource group of your VNET>' If you would like to use a new virtual network for the Application Gateway for C ```azurecli-interactive VNET_NAME='<name of the virtual network to use>' VNET_RESOURCE_GROUP='<the resource group of your VNET>'-VNET_ADDRESS_PREFIX='<address space of the vnet that will contain various subnets. The vnet must be able to handle at least 250 available addresses (/24 or smaller cidr prefix for the subnet)>' +VNET_ADDRESS_PREFIX='<address space of the vnet that will contain various subnets. The vnet must be able to handle at least 250 available addresses (/24 or smaller cidr prefix for the subnet)>' SUBNET_ADDRESS_PREFIX='<an address space under the vnet that has at least 250 available addresses (/24 or smaller cidr prefix for the subnet)>' ALB_SUBNET_NAME='subnet-alb' # subnet name can be any non-reserved subnet name (i.e. GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet would all be invalid) az network vnet create \ az network vnet create \ -Enable subnet delegation for the Application Gateway for Containers service. The delegation for Application Gateway for Containers is identified by the _Microsoft.ServiceNetworking/trafficControllers_ resource type. +Enable subnet delegation for the Application Gateway for Containers service. The delegation for Application Gateway for Containers is identified by the _Microsoft.ServiceNetworking/trafficControllers_ resource type. 
+ ```azurecli-interactive az network vnet subnet update \ --resource-group $VNET_RESOURCE_GROUP \ echo $ALB_SUBNET_ID ### Delegate permissions to managed identity -ALB Controller will need the ability to provision new Application Gateway for Containers resources as well as join the subnet intended for the Application Gateway for Containers association resource. +ALB Controller needs the ability to provision new Application Gateway for Containers resources and join the subnet intended for the Application Gateway for Containers association resource. -In this example, we will delegate the _AppGW for Containers Configuration Manager_ role to the resource group and delegate the _Network Contributor_ role to the subnet used by the Application Gateway for Containers association subnet, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission. +In this example, we delegate the _AppGW for Containers Configuration Manager_ role to the resource group and delegate the _Network Contributor_ role to the subnet used by the Application Gateway for Containers association subnet, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission. -If desired, you can [create and assign a custom role](../../role-based-access-control/custom-roles-portal.md) with the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission to eliminate other permissions contained in the _Network Contributor_ role. Learn more about [managing subnet permissions](../../virtual-network/virtual-network-manage-subnet.md#permissions). +If desired, you can [create and assign a custom role](../../role-based-access-control/custom-roles-portal.md) with the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission to eliminate other permissions contained in the _Network Contributor_ role. Learn more about [managing subnet permissions](../../virtual-network/virtual-network-manage-subnet.md#permissions). 
```azurecli-interactive IDENTITY_RESOURCE_NAME='azure-alb-identity' az role assignment create --assignee-object-id $principalId --assignee-principal ### Create an association resource -Execute the following command to create the association resource and connect it to the referenced subnet. It can take 5-6 minutes for the Application Gateway for Containers association to be created. +Execute the following command to create the association resource and connect it to the referenced subnet. It can take 5-6 minutes for the Application Gateway for Containers association to be created. ```azurecli-interactive ASSOCIATION_NAME='association-test' az network alb association create -g $RESOURCE_GROUP -n $ASSOCIATION_NAME --alb- Congratulations, you have installed ALB Controller on your cluster and deployed the Application Gateway for Containers resources in Azure! Try out a few of the how-to guides to deploy a sample application, demonstrating some of Application Gateway for Container's load balancing concepts.+ - [Backend MTLS](how-to-backend-mtls-gateway-api.md?tabs=byo) - [SSL/TLS Offloading](how-to-ssl-offloading-gateway-api.md?tabs=byo) - [Traffic Splitting / Weighted Round Robin](how-to-traffic-splitting-gateway-api.md?tabs=byo) |
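Review bot: in the permissions hunk the reworded sentence still says "the subnet used by the Application Gateway for Containers association subnet", which is redundant; "the subnet used by the Application Gateway for Containers association" reads correctly. Since the assignments grant _Network Contributor_ on the subnet and _AppGW for Containers Configuration Manager_ on the whole resource group, the custom-role option limited to `Microsoft.Network/virtualNetworks/subnets/join/action` deserves to be presented as the recommended least-privilege path rather than an "If desired" aside.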
application-gateway | Quickstart Create Application Gateway For Containers Managed By Alb Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md | Title: 'Quickstart: Create Application Gateway for Containers managed by ALB Controller (preview)' + Title: 'Quickstart: Create Application Gateway for Containers managed by ALB Controller' description: In this quickstart, you learn how to provision the Application Gateway for Containers resources via Kubernetes definition. -# Quickstart: Create Application Gateway for Containers managed by ALB Controller (preview) +# Quickstart: Create Application Gateway for Containers managed by ALB Controller This guide assumes you're following the **managed by ALB controller** [deployment strategy](overview.md#deployment-strategies), where all the Application Gateway for Containers resources are managed by ALB controller. Lifecycle is determined the resources defined in Kubernetes. ALB Controller creates the Application Gateway for Containers resource when an _ApplicationLoadBalancer_ custom resource is defined on the cluster. The Application Gateway for Containers lifecycle is based on the lifecycle of the custom resource. ## Prerequisites -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - Ensure you have first deployed ALB Controller into your Kubernetes cluster. See [Quickstart: Deploy Application Gateway for Containers ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) if you haven't already deployed the ALB Controller. 
### Prepare your virtual network / subnet for Application Gateway for Containers -If you don't have a subnet available with at least 250 available IP addresses and delegated to the Application Gateway for Containers resource, use the following steps to create a new subnet and enable subnet delegation. The new subnet address space can't overlap any existing subnets in the VNet. +If you don't have a subnet available with at least 250 available IP addresses and delegated to the Application Gateway for Containers resource, use the following steps to create a new subnet and enable subnet delegation. The new subnet address space can't overlap any existing subnets in the VNet. # [New subnet in AKS managed virtual network](#tab/new-subnet-aks-vnet) If you wish to deploy Application Gateway for Containers into the virtual network containing your AKS cluster, run the following command to find and assign the cluster's virtual network. This information is used in the next step. kubectl get applicationloadbalancer alb-test -n alb-test-infra -o yaml -w ``` Example output of a successful provisioning of the Application Gateway for Containers resource from Kubernetes.+ ```yaml status: conditions: |
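Review bot: the unchanged intro sentence "Lifecycle is determined the resources defined in Kubernetes" is missing "by"; since the title and heading lines of this article are being edited in the same hunk, fix it to "Lifecycle is determined by the resources defined in Kubernetes."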
application-gateway | Quickstart Deploy Application Gateway For Containers Alb Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md | Title: 'Quickstart: Deploy Application Gateway for Containers ALB Controller (preview)' + Title: 'Quickstart: Deploy Application Gateway for Containers ALB Controller' description: In this quickstart, you learn how to provision the Application Gateway for Containers ALB Controller in an AKS cluster. -# Quickstart: Deploy Application Gateway for Containers ALB Controller (preview) +# Quickstart: Deploy Application Gateway for Containers ALB Controller The [ALB Controller](application-gateway-for-containers-components.md#application-gateway-for-containers-alb-controller) is responsible for translating Gateway API and Ingress API configuration within Kubernetes to load balancing rules within Application Gateway for Containers. The following guide walks through the steps needed to provision an ALB Controller into a new or existing AKS cluster. The [ALB Controller](application-gateway-for-containers-components.md#applicatio You need to complete the following tasks prior to deploying Application Gateway for Containers on Azure and installing ALB Controller on your cluster: -> [!IMPORTANT] -> Application Gateway for Containers is currently in PREVIEW.<br> -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. - 1. Prepare your Azure subscription and your `az-cli` client. 
```azurecli-interactive You need to complete the following tasks prior to deploying Application Gateway > [!NOTE] > The AKS cluster needs to be in a [region where Application Gateway for Containers is available](overview.md#supported-regions) > AKS cluster should use [Azure CNI](../../aks/configure-azure-cni.md).- > AKS cluster should have the workload identity feature enabled. [Learn how](../../aks/workload-identity-deploy-cluster.md#update-an-existing-aks-cluster) to enable workload identity on an existing AKS cluster. + > AKS cluster should have the workload identity feature enabled. [Learn how](../../aks/workload-identity-deploy-cluster.md#update-an-existing-aks-cluster) to enable workload identity on an existing AKS cluster. If using an existing cluster, ensure you enable Workload Identity support on your AKS cluster. Workload identities can be enabled via the following:- + ```azurecli-interactive AKS_NAME='<your cluster name>' RESOURCE_GROUP='<your resource group name>' You need to complete the following tasks prior to deploying Application Gateway ``` If you don't have an existing cluster, use the following commands to create a new AKS cluster with Azure CNI and workload identity enabled.- + ```azurecli-interactive AKS_NAME='<your cluster name>' RESOURCE_GROUP='<your resource group name>'- LOCATION='northeurope' # The list of available regions may grow as we roll out to more preview regions + LOCATION='northeurope' VM_SIZE='<the size of the vm in AKS>' # The size needs to be available in your location az group create --name $RESOURCE_GROUP --location $LOCATION You need to complete the following tasks prior to deploying Application Gateway > [!NOTE] > Helm is already available in Azure Cloud Shell. If you are using Azure Cloud Shell, no additional Helm installation is necessary. - You can also use the following steps to install Helm on a local device running Windows or Linux. Ensure that you have the latest version of helm installed. 
+ You can also use the following steps to install Helm on a local device running Windows or Linux. Ensure that you have the latest version of helm installed. # [Windows](#tab/install-helm-windows) See the [instructions for installation](https://github.com/helm/helm#install) for various options of installation. Similarly, if your version of Windows has [Windows Package Manager winget](/windows/package-manager/winget/) installed, you may execute the following command: You need to complete the following tasks prior to deploying Application Gateway az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \ --namespace <helm-resource-namespace> \- --version 0.6.3 \ + --version 1.0.0 \ --set albController.namespace=<alb-controller-namespace> \ --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv) ``` You need to complete the following tasks prior to deploying Application Gateway az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \ --namespace <helm-resource-namespace> \- --version 0.6.3 \ + --version 1.0.0 \ --set albController.namespace=<alb-controller-namespace> \ --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv) ``` You need to complete the following tasks prior to deploying Application Gateway type: Accepted ``` -## Next Steps +## Next Steps -Now that you have successfully installed an ALB Controller on your cluster, you can provision the Application Gateway For Containers resources in Azure. +Now that you have successfully installed an ALB Controller on your cluster, you can provision the Application Gateway For Containers resources in Azure. 
The next step is to link your ALB controller to Application Gateway for Containers. How you create this link depends on your deployment strategy. helm uninstall alb-controller kubectl delete ns azure-alb-system kubectl delete gatewayclass azure-alb-external ```+ > [!Note] > If a different namespace was used for alb-controller installation, ensure you specify the -n parameter on the helm uninstall command to define the proper namespace to be used. For example: `helm uninstall alb-controller -n unique-namespace` |
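Review bot: in the prerequisites hunk, the removed and added `AKS cluster should have the workload identity feature enabled. [Learn how](...)` lines are identical apart from trailing whitespace, so that -/+ pair is a whitespace-only change and can be dropped from the commit. The substantive edits are the `--version 0.6.3` to `--version 1.0.0` bump in both the `helm install` and `helm upgrade` commands (consistent with the `1.0.0` image tags the troubleshooting-guide row on this page now expects) and the removal of the preview-regions comment on `LOCATION`, which is fine because the prerequisite note already links the supported-regions section as the source of truth for where the service is available.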
application-gateway | Session Affinity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/session-affinity.md | With session affinity, Application Gateway for Containers presents a cookie in t ![A diagram depicting Application Gateway for Containers session affinity.](./media/session-affinity/session-affinity.png) The following steps are depicted in the previous diagram:-1. A client initiates a request to an Application Gateway for Containers' (AGC) frontend ++1. A client initiates a request to an Application Gateway for Containers' (AGC) frontend. 2. AGC selects one of the many available pods to load balance the request to. In this example, we assume Pod C is selected out of the four available pods. 3. Pod C returns a response to AGC. 4. In addition to the backend response from Pod C, AGC adds a Set-Cookie header containing a uniquely generated hash used for routing. The following steps are depicted in the previous diagram: | cookieDuration | Required if affinityType is application-cookie. This is the duration (lifetime) of the cookie in seconds. | In managed cookie affinity type, Application Gateway uses predefined values when the cookie is offered to the client.+ - The name of the cookie is: `AGCAffinity`. - The duration (lifetime) of the cookie is 86,400 seconds (one day). - The `cookieName` and `cookieDuration` properties and values are discarded. |
application-gateway | Tls Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/tls-policy.md | The following table shows the list of cipher suites and minimum protocol version | **Minimum protocol version** | TLS 1.2 | TLS 1.2 | | **Enabled protocol versions** | TLS 1.2 | TLS 1.2 | | TLS_AES_256_GCM_SHA384 | ✓ | ✓ |-| TLS_AES_128_GCM_SHA256 | ✓ | ✓ | +| TLS_AES_128_GCM_SHA256 | ✓ | ✓ | | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ✓ | ✓ | | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ✓ | ✓ | | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ✓ | ✓ | | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ✓ | ✓ | | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ✓ | ✗ |-| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ✓ | ✗ | +| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ✓ | ✗ | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ✓ | ✗ | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ✓ | ✗ | | **Elliptical curves** | | | EOF TLS policy is currently not supported for Ingress resources and will automatically be configured to use the default TLS policy `2023-06`. - -- |
application-gateway | Troubleshooting Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/troubleshooting-guide.md | Title: Troubleshoot Application Gateway for Containers (preview) + Title: Troubleshoot Application Gateway for Containers description: Learn how to troubleshoot common issues with Application Gateway for Containers Previously updated : 12/05/2023 Last updated : 02/27/2024 -# Troubleshooting in Application Gateway for Containers (preview) +# Troubleshooting in Application Gateway for Containers This article provides some guidance to help you troubleshoot common problems in Application Gateway for Containers. Before you start troubleshooting, determine the version of ALB Controller that i ```bash kubectl get deployment -n azure-alb-system -o wide ```+ Example output: | NAME | READY | UP-TO-DATE | AVAILABLE | AGE | CONTAINERS | IMAGES | SELECTOR | | | -- | - | | - | -- | - | -- |-| alb-controller | 2/2 | 2 | 2 | 18d | alb-controller | mcr.microsoft.com/application-lb/images/alb-controller:**0.6.3** | app=alb-controller | -| alb-controller-bootstrap | 1/1 | 1 | 1 | 18d | alb-controller-bootstrap | mcr.microsoft.com/application-lb/images/alb-controller-bootstrap:**0.6.3** | app=alb-controller-bootstrap | +| alb-controller | 2/2 | 2 | 2 | 18d | alb-controller | mcr.microsoft.com/application-lb/images/alb-controller:**1.0.0** | app=alb-controller | +| alb-controller-bootstrap | 1/1 | 1 | 1 | 18d | alb-controller-bootstrap | mcr.microsoft.com/application-lb/images/alb-controller-bootstrap:**1.0.0** | app=alb-controller-bootstrap | -In this example, the ALB controller version is **0.6.3**. +In this example, the ALB controller version is **1.0.0**. The ALB Controller version can be upgraded by running the `helm upgrade alb-controller` command. For more information, see [Install the ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#install-the-alb-controller). 
The ALB Controller version can be upgraded by running the `helm upgrade alb-cont > The latest ALB Controller version can be found in the [ALB Controller release notes](alb-controller-release-notes.md#latest-release-recommended). ## Collect ALB Controller logs+ Logs can be collected from the ALB Controller by using the _kubectl logs_ command referencing the ALB Controller pod. 1. Get the running ALB Controller pod name Run the following kubectl command. Ensure you substitute your namespace if not using the default namespace of `azure-alb-system`:+ ```bash kubectl get pods -n azure-alb-system ```- + You should see output similar to the following example. Pod names might differ slightly.- + | NAME | READY | STATUS | RESTARTS | AGE | | - | -- | - | -- | - | | alb-controller-6648c5d5c-sdd9t | 1/1 | Running | 0 | 4d6h | Logs can be collected from the ALB Controller by using the _kubectl logs_ comman | alb-controller-bootstrap-6648c5d5c-hrmpc | 1/1 | Running | 0 | 4d6h | ALB controller uses an election provided by controller-runtime manager to determine an active and standby pod for high availability.- + Copy the name of each alb-controller pod (not the bootstrap pod, in this case, `alb-controller-6648c5d5c-sdd9t` and `alb-controller-6648c5d5c-au234`) and run the following command to determine the active pod. # [Linux](#tab/active-pod-linux)+ ```bash kubectl logs alb-controller-6648c5d5c-sdd9t -n azure-alb-system -c alb-controller | grep "successfully acquired lease" ``` # [Windows](#tab/active-pod-windows)+ ```cli kubectl logs alb-controller-6648c5d5c-sdd9t -n azure-alb-system -c alb-controller| findstr "successfully acquired lease" ```+ You should see the following if the pod is primary: `successfully acquired lease azure-alb-system/alb-controller-leader-election` Logs can be collected from the ALB Controller by using the _kubectl logs_ comman 2. 
Collect the logs Logs from ALB Controller will be returned in JSON format.- + Execute the following kubectl command, replacing the name with the pod name returned in step 1:+ ```bash kubectl logs -n azure-alb-system alb-controller-6648c5d5c-sdd9t ```- + Similarly, you can redirect the output of the existing command to a file by specifying the greater than (>) sign and the filename to write the logs to:+ ```bash kubectl logs -n azure-alb-system alb-controller-6648c5d5c-sdd9t > alb-controller-logs.json ``` Logs can be collected from the ALB Controller by using the _kubectl logs_ comman ### Application Gateway for Containers returns 500 status code Scenarios in which you would notice a 500-error code on Application Gateway for Containers are as follows:-1. __Invalid backend Entries__ : A backend is defined as invalid in the following scenarios: ++1. **Invalid backend Entries** : A backend is defined as invalid in the following scenarios: - It refers to an unknown or unsupported kind of resource. In this case, the HTTPRoute's status has a condition with reason set to `InvalidKind` and the message explains which kind of resource is unknown or unsupported. - It refers to a resource that doesn't exist. In this case, the HTTPRoute's status has a condition with reason set to `BackendNotFound` and the message explains that the resource doesn't exist. - It refers to a resource in another namespace when the reference isn't explicitly allowed by a ReferenceGrant (or equivalent concept). In this case, the HTTPRoute's status has a condition with reason set to `RefNotPermitted` and the message explains which cross-namespace reference isn't allowed. Scenarios in which you would notice a 500-error code on Application Gateway for 2. No endpoints found for all backends: when there are no endpoints found for all the backends referenced in an HTTPRoute, a 500 error code is obtained. 
+### Application Load Balancer custom resource doesn't reflect Ready status ++#### Symptoms ++ApplicationLoadBalancer custom resource status message continually says "Application Gateway for Containers resource `agc-name` is undergoing an update." ++The following logs are repeated by the primary alb-controller pod. ++```text +{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:53.760150719Z","message":"Stream opened for config updates"} +{"level":"info","version":"x.x.x","operationID":"1ea7ffd4-b2c4-460b-bce7-4d3f855ce8d5","Timestamp":"2024-02-26T20:31:53.760313623Z","message":"Successfully sent config update request"} +{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:53.769444995Z","message":"Unable to capture config update response"} +{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:53.769504489Z","message":"Retrying to open config update stream"} +{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:54.461487406Z","message":"Stream opened up for endpoint updates"} +{"level":"info","version":"x.x.x","operationID":"808825c2-b0a8-476b-b83a-8e7357c55750","Timestamp":"2024-02-26T20:31:54.462070039Z","message":"Successfully sent endpoint update request"} +{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:54.470728646Z","message":"Unable to capture endpoint update response"} 
+{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:54.47077373Z","message":"Retrying to open up endpoint update stream"} +``` + ### Kubernetes Gateway resource fails to get token from credential chain #### Symptoms No changes to HttpRoutes are being applied to Application Gateway for Containers. -The following error message is returned on the Kubernetes Gateway resource and no changes to HttpRoutes +The following error message is returned on the Kubernetes Gateway resource and no changes are reflected for any HttpRoute resources. ```YAML status: status: #### Solution Ensure the federated credentials of the managed identity for the ALB Controller pod to make changes to Application Gateway for Containers are configured in Azure. Instructions on how to configure federated credentials can be found in the quickstart guides:+ - [Quickstart: Deploy ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#install-the-alb-controller) |
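Review bot: the new `### Application Load Balancer custom resource doesn't reflect Ready status` section has a `#### Symptoms` subsection but, within the visible hunk, no `#### Solution`, unlike the sibling section that follows (`Kubernetes Gateway resource fails to get token from credential chain`) which carries both. The error in the sample log already names the fix (`Please check RBAC delegations to the Application Gateway for Containers resource`), so a Solution that tells the reader to verify the RBAC delegation for the ALB Controller identity on the Application Gateway for Containers resource would close the loop. Also, the sample log masks the controller version as `x.x.x` but keeps concrete `object id '5b26a949-...'` and `operationID` values; replace those with obvious placeholders as well, so readers don't treat them as literal values to search for.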
application-gateway | Ingress Controller Expose Service Over Http Https | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-expose-service-over-http-https.md | -> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Prerequisites |
application-gateway | Ingress Controller Expose Websocket Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-expose-websocket-server.md | -> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). The following Kubernetes deployment YAML shows the minimum configuration used to deploy a WebSocket server, which is the same as deploying a regular web server: ```yaml |
application-gateway | Ingress Controller Install Existing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-install-existing.md | AGIC monitors the Kubernetes [Ingress](https://kubernetes.io/docs/concepts/servi resources, and creates and applies Application Gateway config based on the status of the Kubernetes cluster. > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Outline |
application-gateway | Ingress Controller Install New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-install-new.md | The instructions below assume Application Gateway Ingress Controller (AGIC) will installed in an environment with no pre-existing components. > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Required Command Line Tools |
application-gateway | Ingress Controller Letsencrypt Certificate Application Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway.md | -> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). Use the following steps to install [cert-manager](https://docs.cert-manager.io) on your existing AKS cluster. |
application-gateway | Ingress Controller Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-migration.md | -> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Prerequisites Before you start the migration process, there are a few things to check. |
application-gateway | Ingress Controller Multiple Namespace Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-multiple-namespace-support.md | As of version 0.7 [Azure Application Gateway Kubernetes IngressController](https Version 0.7 of AGIC continues to exclusively observe the `default` namespace, unless this is explicitly changed to one or more different namespaces in the Helm configuration. See the following section. > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Enable multiple namespace support |
application-gateway | Ingress Controller Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-overview.md | The Application Gateway Ingress Controller (AGIC) is a Kubernetes application, w The Ingress Controller runs in its own pod on the customerΓÇÖs AKS. AGIC monitors a subset of Kubernetes Resources for changes. The state of the AKS cluster is translated to Application Gateway specific configuration and applied to the [Azure Resource Manager (ARM)](../azure-resource-manager/management/overview.md). > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Benefits of Application Gateway Ingress Controller AGIC helps eliminate the need to have another load balancer/public IP address in front of the AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster. Application Gateway talks to pods using their private IP address directly and doesn't require NodePort or KubeProxy services. This capability also brings better performance to your deployments. |
application-gateway | Ingress Controller Private Ip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-private-ip.md | -> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Prerequisites Application Gateway with a [Private IP configuration](./configure-application-gateway-with-private-frontend-ip.md) |
application-gateway | Ingress Controller Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-troubleshoot.md | and AGIC installation. Launch your shell from [shell.azure.com](https://shell.az [![Embed launch](./media/launch-cloud-shell/launch-cloud-shell.png "Launch Azure Cloud Shell")](https://shell.azure.com) > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). ## Test with a simple Kubernetes app |
application-gateway | Ingress Controller Update Ingress Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-update-ingress-controller.md | The Azure Application Gateway Ingress Controller for Kubernetes (AGIC) can be up using a Helm repository hosted on Azure Storage. > [!TIP]-> Also see [What is Application Gateway for Containers?](for-containers/overview.md) currently in public preview. +> Also see [What is Application Gateway for Containers](for-containers/overview.md). Before beginning the upgrade procedure, ensure that you've added the required repository: |
application-gateway | Ipv6 Application Gateway Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ipv6-application-gateway-portal.md | description: Learn how to configure Application Gateway with a frontend public I Previously updated : 02/08/2024 Last updated : 02/27/2024 |
application-gateway | Overview V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/overview-v2.md | The new v2 SKU includes the following enhancements: - **Header Rewrite**: Application Gateway allows you to add, remove, or update HTTP request and response headers with v2 SKU. For more information, see [Rewrite HTTP headers with Application Gateway](./rewrite-http-headers-url.md) - **Key Vault Integration**: Application Gateway v2 supports integration with Key Vault for server certificates that are attached to HTTPS enabled listeners. For more information, see [TLS termination with Key Vault certificates](key-vault-certs.md). - **Mutual Authentication (mTLS)**: Application Gateway v2 supports authentication of client requests. For more information, see [Overview of mutual authentication with Application Gateway](mutual-authentication-overview.md).-- **Azure Kubernetes Service Ingress Controller**: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see [What is Application Gateway Ingress Controller?](ingress-controller-overview.md).+- **Azure Kubernetes Service Ingress Controller**: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see [What is Application Gateway Ingress Controller](ingress-controller-overview.md). - **Private link**: The v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints. - **Performance enhancements**: The v2 SKU offers up to 5X better TLS offload performance as compared to the Standard/WAF SKU. - **Faster deployment and update time** The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. 
This also includes WAF configuration changes. |
application-gateway | Private Link Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/private-link-configure.md | A list of all Azure CLI references for Private Link Configuration on Application ## Next steps -- Learn about Azure Private Link: [What is Azure Private Link?](../private-link/private-link-overview.md)+- Learn about Azure Private Link: [What is Azure Private Link](../private-link/private-link-overview.md). |
application-gateway | Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/private-link.md | Today, you can deploy your critical workloads securely behind Application Gatewa - Public IP address - your workloads are accessible over the Internet. - Private IP address- your workloads are accessible privately via your virtual network / connected networks -Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint is placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate to the gateway. For a list of other PaaS services that support Private Link functionality, see [What is Azure Private Link?](../private-link/private-link-overview.md). +Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint is placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate to the gateway. For a list of other PaaS services that support Private Link functionality, see [What is Azure Private Link](../private-link/private-link-overview.md). :::image type="content" source="media/private-link/private-link.png" alt-text="Diagram showing Application Gateway Private Link"::: Four components are required to implement Private Link with Application Gateway: ## Next steps -- [Configure Azure Application Gateway Private Link](private-link-configure.md)-- [What is Azure Private Link?](../private-link/private-link-overview.md)+- [Configure Azure Application Gateway Private Link](private-link-configure.md). +- [What is Azure Private Link](../private-link/private-link-overview.md). |
application-gateway | Tutorial Ingress Controller Add On New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/tutorial-ingress-controller-add-on-new.md | In this tutorial, you: - Created new AKS cluster with the AGIC add-on enabled - Deployed a sample application by using AGIC for ingress on the AKS cluster -To learn more about AGIC, see [What is Application Gateway Ingress Controller?](ingress-controller-overview.md) and [Disable and re-enable AGIC add-on for your AKS cluster](ingress-controller-disable-addon.md) +To learn more about AGIC, see [What is Application Gateway Ingress Controller](ingress-controller-overview.md) and [Disable and re-enable AGIC add-on for your AKS cluster](ingress-controller-disable-addon.md). To learn how to enable application gateway ingress controller add-on for an existing AKS cluster with an existing application gateway, advance to the next tutorial. |
application-gateway | Tutorial Protect Application Gateway Ddos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/tutorial-protect-application-gateway-ddos.md | This article helps you create an Azure Application Gateway with a DDoS protected :::image type="content" source="./media/tutorial-protect-application-gateway/ddos-protection-app-gateway.png" alt-text="Diagram of DDoS Protection connecting to an Application Gateway."::: > [!IMPORTANT]-> Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md). +> Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md). In this tutorial, you learn how to: |
automation | Manage Office 365 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-office-365.md | description: This article tells how to use Azure Automation to manage Office 365 Last updated 11/05/2020 -+ # Manage Office 365 services You need the following to manage Office 365 subscription services in Azure Autom * Microsoft Entra ID. See [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). * An Office 365 tenant, with an account. See [Set up your Office 365 tenant](/sharepoint/dev/spfx/set-up-your-developer-tenant). -## Install the MSOnline and MSOnlineExt modules +## Install Microsoft Graph PowerShell -Use of Office 365 within Azure Automation requires Microsoft Entra ID for Windows PowerShell (`MSOnline` module). You'll also need the module [`MSOnlineExt`](https://www.powershellgallery.com/packages/MSOnlineExt/1.0.35), which simplifies Microsoft Entra management in single- and multi-tenant environments. Install the modules as described in [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). +Use of Office 365 within Azure Automation requires the Microsoft Graph PowerShell module. ++```powershell +Install-Module Microsoft.Graph -Scope CurrentUser +``` >[!NOTE]->To use MSOnline PowerShell, you must be a member of Microsoft Entra ID. Guest users can't use the module. +>To use Microsoft Graph PowerShell, you must be a member of Microsoft Entra ID. Guest users can't use the module. ## Create an Azure Automation account To complete the steps in this article, you need an account in Azure Automation. See [Create an Azure Automation account](./quickstarts/create-azure-automation-account-portal.md). -## Add MSOnline and MSOnlineExt as assets --Now add the installed MSOnline and MSOnlineExt modules to enable Office 365 functionality. Refer to [Manage modules in Azure Automation](shared-resources/modules.md). --1. 
In the Azure portal, select **Automation Accounts**. -2. Choose your Automation account. -3. Select **Modules Gallery** under **Shared Resources**. -4. Search for MSOnline. -5. Select the `MSOnline` PowerShell module and click **Import** to import the module as an asset. -6. Repeat steps 4 and 5 to locate and import the `MSOnlineExt` module. - ## Create a credential asset (optional) It's optional to create a credential asset for the Office 365 administrative user who has permissions to run your script. It can help, though, to keep from exposing user names and passwords inside PowerShell scripts. For instructions, see [Create a credential asset](automation-use-azure-ad.md#create-a-credential-asset). To run Office 365 subscription services, you need an Office 365 service account ## Connect to the Microsoft Entra online service >[!NOTE]->To use the MSOnline module cmdlets, you must run them from Windows PowerShell. PowerShell Core does not support these cmdlets. +>To use the Microsoft Graph PowerShell module cmdlets, you must run them from Windows PowerShell. PowerShell Core does not support these cmdlets. -You can use the MSOnline module to connect to Microsoft Entra ID from the Office 365 subscription. The connection uses an Office 365 user name and password or uses multi-factor authentication (MFA). You can connect using the Azure portal or a Windows PowerShell command prompt (does not have to be elevated). +You can connect to Microsoft Entra ID from the Office 365 subscription. The connection uses an Office 365 user name and password or uses multi-factor authentication (MFA). You can connect using the Azure portal or a Windows PowerShell command prompt (does not have to be elevated). -A PowerShell example is shown below. The [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential) cmdlet prompts for credentials and stores them in the `Msolcred` variable. 
Then the [Connect-MsolService](/powershell/module/msonline/connect-msolservice) cmdlet uses the credentials to connect to the Azure directory online service. If you want to connect to a specific Azure environment, use the `AzureEnvironment` parameter. +A PowerShell example is shown below. For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph). ```powershell-$Msolcred = Get-Credential -Connect-MsolService -Credential $MsolCred -AzureEnvironment "AzureCloud" +Connect-MgGraph -Scopes "Directory.Read.All" ``` -If you don't receive any errors, you've connected successfully. A quick test is to run an Office 365 cmdlet, for example, `Get-MsolUser`, and see the results. If you receive errors, note that a common problem is an incorrect password. -->[!NOTE] ->You can also use the AzureRM module or the Az module to connect to Microsoft Entra ID from the Office 365 subscription. The main connection cmdlet is [Connect-AzureAD](/powershell/module/azuread/connect-azuread). This cmdlet supports the `AzureEnvironmentName` parameter for specific Office 365 environments. +If you don't receive any errors, you've connected successfully. A quick test is to run an Office 365 cmdlet, for example, [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser), and see the results. ## Create a PowerShell runbook from an existing script -You access Office 365 functionality from a PowerShell script. Here's an example of a script for a credential named `Office-Credentials` with user name of `admin@TenantOne.com`. It uses `Get-AutomationPSCredential` to import the Office 365 credential. +You access Office 365 functionality from a PowerShell script. 
```powershell $emailFromAddress = "admin@TenantOne.com" $emailToAddress = "servicedesk@TenantOne.com" $emailSMTPServer = "outlook.office365.com" $emailSubject = "Office 365 License Report"- $credObject = Get-AutomationPSCredential -Name "Office-Credentials"-Connect-MsolService -Credential $credObject -$O365Licenses = Get-MsolAccountSku | Out-String +Connect-MgGraph -Scopes "Directory.Read.All" ++$O365Licenses = Get-MgSubscribedSku | Out-String Send-MailMessage -Credential $credObject -From $emailFromAddress -To $emailToAddress -Subject $emailSubject -Body $O365Licenses -SmtpServer $emailSMTPServer -UseSSL ``` |
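Review bot: `Connect-MgGraph -Scopes "Directory.Read.All"` in the runbook script under `## Create a PowerShell runbook from an existing script` starts an interactive, delegated sign-in, which an Azure Automation runbook has no console to complete; the removed version authenticated non-interactively with the `Office-Credentials` asset. For the runbook, authenticate with the Automation account's managed identity instead (`Connect-MgGraph -Identity`) and keep the `-Scopes` form only for the interactive walkthrough under `## Connect to the Microsoft Entra online service`. While touching this, `Get-MgSubscribedSku` only needs `Organization.Read.All`, which is narrower than `Directory.Read.All`; grant the identity that permission rather than the broader one.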
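Review bot: the hunk deletes `## Add MSOnline and MSOnlineExt as assets` without a replacement, but `Install-Module Microsoft.Graph -Scope CurrentUser` only installs the module on the local machine; a runbook in the Automation account still needs the module imported as a module asset, which the deleted section's own link ([Manage modules in Azure Automation](shared-resources/modules.md)) covers. Add an equivalent step for `Microsoft.Graph` (at minimum the submodules that provide `Connect-MgGraph` and `Get-MgSubscribedSku`) so the later runbook section works. Related: the sentence explaining the `Office-Credentials` credential was removed from the lead-in, yet the script still calls `Get-AutomationPSCredential -Name "Office-Credentials"` and passes `$credObject` to `Send-MailMessage`; keep that sentence, reworded to say the credential is now used only for SMTP.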
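Review bot: the rewritten note under `## Connect to the Microsoft Entra online service` still says the Microsoft Graph PowerShell cmdlets must be run from Windows PowerShell and that PowerShell Core does not support them; that restriction applied to MSOnline, not to `Microsoft.Graph`, which runs on PowerShell 7 as well as Windows PowerShell 5.1. Drop the note rather than carry it over. The deleted sentence about the `AzureEnvironment` parameter also had no replacement; if the guidance for non-public clouds is still wanted, `Connect-MgGraph` exposes that through its `-Environment` parameter.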
automation | Hybrid Runbook Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/hybrid-runbook-worker.md | description: This article tells how to troubleshoot and resolve issues that aris Last updated 09/17/2023 -+ # Troubleshoot agent-based Hybrid Runbook Worker issues in Automation Hybrid workers send [Runbook output and messages](../automation-runbook-output-a #### Issue -A script running on a Windows Hybrid Runbook Worker can't connect as expected to Microsoft 365 on an Orchestrator sandbox. The script is using [Connect-MsolService](/powershell/module/msonline/connect-msolservice) for connection. +A script running on a Windows Hybrid Runbook Worker can't connect as expected to Microsoft 365 on an Orchestrator sandbox. The script is using [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands#using-connect-mggraph) for connection. If you adjust **Orchestrator.Sandbox.exe.config** to set the proxy and the bypass list, the sandbox still doesn't connect properly. A **Powershell_ise.exe.config** file with the same proxy and bypass list settings seems to work as you expect. Service Management Automation (SMA) logs and PowerShell logs don't provide any information about proxy.​ The connection to Active Directory Federation Services (AD FS) on the server can #### Resolution -You can resolve the issue for the Orchestrator sandbox by migrating your script to use the Microsoft Entra modules instead of the MSOnline module for PowerShell cmdlets. For more information, see [Migrating from Orchestrator to Azure Automation (Beta)](../automation-orchestrator-migration.md). +You can resolve the issue for the Orchestrator sandbox by migrating your script to use the Microsoft Entra modules instead of the PowerShell cmdlets. For more information, see [Migrating from Orchestrator to Azure Automation (Beta)](../automation-orchestrator-migration.md). 
-​If you want to continue to use the MSOnline module cmdlets, change your script to use [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command). Specify values for the `ComputerName` and `Credential` parameters. +​If you want to continue to use the module cmdlets, change your script to use [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command). Specify values for the `ComputerName` and `Credential` parameters. ```powershell $Credential = Get-AutomationPSCredential -Name MyProxyAccessibleCredential​ Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $Credential-{ Connect-MsolService … }​ +{ Connect-MgGraph … }​ ``` This code change starts an entirely new PowerShell session under the context of the specified credentials. It should enable the traffic to flow through a proxy server that's authenticating the active user. |
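Review bot: replacing `Connect-MsolService` with `Connect-MgGraph` in the issue statement breaks the logic of this troubleshooting entry: the resolution now tells readers to migrate "to use the Microsoft Entra modules instead of the PowerShell cmdlets", which no longer names what they are migrating away from (the original said "instead of the MSOnline module"), and "If you want to continue to use the module cmdlets" has likewise lost its subject. Either keep MSOnline named in the issue and resolution (with a deprecation note) or rewrite the resolution around what actually differs for Connect-MgGraph. In the `Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $Credential` workaround, the script block runs in a new non-interactive session, so `Connect-MgGraph …` inside it must use a non-interactive authentication method (`-Identity`, or certificate or client-secret app auth); a scope-based interactive sign-in cannot complete there, and the `…` hides that requirement. The link form also differs from the sibling change in this set (`/powershell/microsoftgraph/authentication-commands#using-connect-mggraph` here versus `/powershell/module/microsoft.graph.authentication/connect-mggraph` in the Office 365 runbook article); pick one.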
azure-app-configuration | Cli Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/cli-samples.md | The following table includes links to Azure CLI scripts for Azure App Configurat |**Create**|| | [Create an App Configuration store](./scripts/cli-create-service.md) | Creates a resource group and an App Configuration store instance. | |**Use**||-| [Work with key values](./scripts/cli-work-with-keys.md) | Creates, views, updates, and deletes key values. | -| [Import key values](./scripts/cli-import.md) | Imports key values from other sources. | -| [Export key values](./scripts/cli-export.md) | Exports key values to other targets. | +| [Work with key-values](./scripts/cli-work-with-keys.md) | Creates, views, updates, and deletes key-values. | +| [Import key-values](./scripts/cli-import.md) | Imports key-values from other sources. | +| [Export key-values](./scripts/cli-export.md) | Exports key-values to other targets. | |**Delete**|| | [Delete an App Configuration store](./scripts/cli-delete-service.md) | Deletes an App Configuration store instance. | | | | |
azure-app-configuration | Concept Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-customer-managed-keys.md | Title: Use customer-managed keys to encrypt your configuration data description: Encrypt your configuration data using customer-managed keys Previously updated : 08/30/2022 Last updated : 02/20/2024 After these resources are configured, use the following steps so that the Azure 1. Assign a managed identity to the Azure App Configuration instance. 1. Grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy. -## Enable customer-managed key encryption for your Azure App Configuration instance +## Enable customer-managed key encryption for your App Configuration store -To begin, you'll need a properly configured Azure App Configuration instance. If you don't yet have an App Configuration instance available, follow one of these quickstarts to set one up: --- [Create an ASP.NET Core app with Azure App Configuration](quickstart-aspnet-core-app.md)-- [Create a .NET Core app with Azure App Configuration](quickstart-dotnet-core-app.md)-- [Create a .NET Framework app with Azure App Configuration](quickstart-dotnet-app.md)-- [Create a Java Spring app with Azure App Configuration](quickstart-java-spring-app.md)-- [Create a JavaScript app with Azure App Configuration](quickstart-javascript.md)-- [Create a Python app with Azure App Configuration](quickstart-python.md)--> [!TIP] -> The Azure Cloud Shell is a free interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET Core SDK. If you are logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md). --### Create and configure an Azure Key Vault +1. 
[Create an App Configuration store](./quickstart-azure-app-configuration-create.md) if you don't have one. 1. Create an Azure Key Vault by using the Azure CLI. Both `vault-name` and `resource-group-name` are user-provided and must be unique. We use `contoso-vault` and `contoso-resource-group` in these examples. |
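Review bot: the hunk removes the Cloud Shell tip and the `### Create and configure an Azure Key Vault` subheading, but the next step still says "Create an Azure Key Vault by using the Azure CLI", so the page no longer tells readers that the CLI is required or where to run the `az` commands; add a one-line prerequisite (Azure CLI installed, or Cloud Shell) in place of the deleted tip. Separately, the unchanged step "Grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy" only covers the access-policy permission model; for a vault using Azure RBAC the equivalent is assigning the managed identity the Key Vault Crypto Service Encryption User role, which is worth one sentence while the article is being refreshed.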
azure-app-configuration | Concept Feature Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-feature-management.md | To use feature flags effectively, you need to externalize all the feature flags Azure App Configuration provides a centralized repository for feature flags. You can use it to define different kinds of feature flags and manipulate their states quickly and confidently. You can then use the App Configuration libraries for various programming language frameworks to easily access these feature flags from your application. -[The feature flags in an ASP.NET Core app](./use-feature-flags-dotnet-core.md) shows how the .NET Core App Configuration provider and Feature Management libraries are used together to implement feature flags for your ASP.NET web application. For more information on feature flags in Azure App Configuration, see the following articles: +[The feature flags in an ASP.NET Core app](./use-feature-flags-dotnet-core.md) shows how the App Configuration .NET provider and Feature Management libraries are used together to implement feature flags for your ASP.NET web application. For more information on feature flags in Azure App Configuration, see the following articles: * [Manage feature flags](./manage-feature-flags.md) * [Use conditional feature flags](./howto-feature-filters-aspnet-core.md) |
azure-app-configuration | Concept Point Time Snapshot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-point-time-snapshot.md | You can use the Azure portal or the Azure CLI to retrieve past key-values. :::image type="content" source="media/restore-key-value-portal.png" alt-text="Screenshot of the Azure portal, selecting restore"::: 3. Select **Date: Select date** to select a date and time you want to revert to.-4. Click outside of the date and time fields or press **Tab** to validate your choice. You can now see which key values have changed between your selected date and time and the current time. This step helps you understand what keys and values you're preparing to revert to. +4. Click outside of the date and time fields or press **Tab** to validate your choice. You can now see which key-values have changed between your selected date and time and the current time. This step helps you understand what keys and values you're preparing to revert to. :::image type="content" source="media/restore-key-value-past-values.png" alt-text="Screenshot of the Azure portal with saved key-values"::: |
azure-app-configuration | Enable Dynamic Configuration Aspnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/enable-dynamic-configuration-aspnet-core.md | A *sentinel key* is a key that you update after you complete the change of all o 1. Open *Program.cs*, and update the `AddAzureAppConfiguration` method you added previously during the quickstart. - #### [.NET 6.0+](#tab/core6x) ```csharp // Load configuration from Azure App Configuration builder.Configuration.AddAzureAppConfiguration(options => A *sentinel key* is a key that you update after you complete the change of all o }); ``` - #### [.NET Core 3.x](#tab/core3x) - ```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - { - webBuilder.ConfigureAppConfiguration(config => - { - //Retrieve the Connection String from the secrets manager - IConfiguration settings = config.Build(); - string connectionString = settings.GetConnectionString("AppConfig"); -- // Load configuration from Azure App Configuration - config.AddAzureAppConfiguration(options => - { - options.Connect(connectionString) - // Load all keys that start with `TestApp:` and have no label - .Select("TestApp:*", LabelFilter.Null) - // Configure to reload configuration if the registered sentinel key is modified - .ConfigureRefresh(refreshOptions => - refreshOptions.Register("TestApp:Settings:Sentinel", refreshAll: true)); - }); - }); -- webBuilder.UseStartup<Startup>(); - }); - ``` - - The `Select` method is used to load all key-values whose key name starts with *TestApp:* and that have *no label*. You can call the `Select` method more than once to load configurations with different prefixes or labels. If you share one App Configuration store with multiple apps, this approach helps load configuration only relevant to your current app instead of loading everything from your store. 
In the `ConfigureRefresh` method, you register keys you want to monitor for changes in your App Configuration store. The `refreshAll` parameter to the `Register` method indicates that all configurations you specified by the `Select` method will be reloaded if the registered key changes. A *sentinel key* is a key that you update after you complete the change of all o 1. Add Azure App Configuration middleware to the service collection of your app. - #### [.NET 6.0+](#tab/core6x) Update *Program.cs* with the following code. ```csharp A *sentinel key* is a key that you update after you complete the change of all o // ... ... ``` - #### [.NET Core 3.x](#tab/core3x) - Open *Startup.cs*, and update the `ConfigureServices` method. -- ```csharp - public void ConfigureServices(IServiceCollection services) - { - services.AddRazorPages(); -- // Add Azure App Configuration middleware to the container of services. - services.AddAzureAppConfiguration(); -- // Bind configuration "TestApp:Settings" section to the Settings object - services.Configure<Settings>(Configuration.GetSection("TestApp:Settings")); - } - ``` - - 1. Call the `UseAzureAppConfiguration` method. It enables your app to use the App Configuration middleware to update the configuration for you automatically. - #### [.NET 6.0+](#tab/core6x) Update *Program.cs* withe the following code. ```csharp A *sentinel key* is a key that you update after you complete the change of all o // ... ... ``` - #### [.NET Core 3.x](#tab/core3x) - Update the `Configure` method in *Startup.cs*. -- ```csharp - public void Configure(IApplicationBuilder app, IWebHostEnvironment env) - { - if (env.IsDevelopment()) - { - app.UseDeveloperExceptionPage(); - } - else - { - app.UseExceptionHandler("/Error"); - app.UseHsts(); - } -- // Use Azure App Configuration middleware for dynamic configuration refresh. 
- app.UseAzureAppConfiguration(); -- app.UseHttpsRedirection(); - app.UseStaticFiles(); -- app.UseRouting(); -- app.UseAuthorization(); -- app.UseEndpoints(endpoints => - { - endpoints.MapRazorPages(); - }); - } - ``` - - You've set up your app to use the [options pattern in ASP.NET Core](/aspnet/core/fundamentals/configuration/options) during the quickstart. When the underlying configuration of your app is updated from App Configuration, your strongly typed `Settings` object obtained via `IOptionsSnapshot<T>` is updated automatically. Note that you shouldn't use the `IOptions<T>` if dynamic configuration update is desired because it doesn't read configuration data after the app has started. ## Request-driven configuration refresh The configuration refresh is triggered by the incoming requests to your web app. ## Build and run the app locally -1. To build the app by using the .NET Core CLI, run the following command in the command shell: +1. To build the app by using the .NET CLI, run the following command in the command shell: ```console dotnet build |
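Review bot: the unchanged context line "Update *Program.cs* withe the following code." still carries the typo "withe"; fix it in this pass since the surrounding tab markup is being rewritten anyway. With the .NET Core 3.x tabs gone, the only remaining code uses the minimal hosting model (`builder.Configuration.AddAzureAppConfiguration`), so the article should state the .NET 6.0+ requirement up front rather than implying it. The `####` tab headers and their `---` terminators appear to be removed together, which is correct; verify no orphan `---` is left to render as a horizontal rule.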
azure-app-configuration | Enable Dynamic Configuration Dotnet Core Push Refresh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/enable-dynamic-configuration-dotnet-core-push-refresh.md | Title: "Tutorial: Use dynamic configuration using push refresh in a .NET Core app" + Title: "Tutorial: Use dynamic configuration using push refresh in a .NET app" -description: In this tutorial, you learn how to dynamically update the configuration data for .NET Core apps using push refresh +description: In this tutorial, you learn how to dynamically update the configuration data for .NET apps using push refresh -# Tutorial: Use dynamic configuration using push refresh in a .NET Core app +# Tutorial: Use dynamic configuration using push refresh in a .NET app -The App Configuration .NET Core client library supports updating configuration on demand without causing an application to restart. An application can be configured to detect changes in App Configuration using one or both of the following two approaches. +The App Configuration .NET client library supports updating configuration on demand without causing an application to restart. An application can be configured to detect changes in App Configuration using one or both of the following two approaches. 1. Poll Model: This is the default behavior that uses polling to detect changes in configuration. Once the cached value of a setting expires, the next call to `TryRefreshAsync` or `RefreshAsync` sends a request to the server to check if the configuration has changed, and pulls the updated configuration if needed. 1. Push Model: This uses [App Configuration events](./concept-app-configuration-event.md) to detect changes in configuration. Once App Configuration is set up to send key value change events to Azure Event Grid, the application can use these events to optimize the total number of requests needed to keep the configuration updated. 
Applications can choose to subscribe to these either directly from Event Grid, or through one of the [supported event handlers](../event-grid/event-handlers.md) such as a webhook, an Azure function, or a Service Bus topic. -This tutorial shows how you can implement dynamic configuration updates in your code using push refresh. It builds on the app introduced in the tutorial. Before you continue, finish Tutorial: [Use dynamic configuration in a .NET Core app](./enable-dynamic-configuration-dotnet-core.md) first. +This tutorial shows how you can implement dynamic configuration updates in your code using push refresh. It builds on the app introduced in the tutorial. Before you continue, finish Tutorial: [Use dynamic configuration in a .NET app](./enable-dynamic-configuration-dotnet-core.md) first. You can use any code editor to do the steps in this tutorial. [Visual Studio Code](https://code.visualstudio.com/) is an excellent option that's available on the Windows, macOS, and Linux platforms. In this tutorial, you learn how to: > [!div class="checklist"] > > * Set up a subscription to send configuration change events from App Configuration to a Service Bus topic-> * Set up your .NET Core app to update its configuration in response to changes in App Configuration. +> * Set up your .NET app to update its configuration in response to changes in App Configuration. > * Consume the latest configuration in your application. 
## Prerequisites -* Tutorial: [Use dynamic configuration in a .NET Core app](./enable-dynamic-configuration-dotnet-core.md) +* Tutorial: [Use dynamic configuration in a .NET app](./enable-dynamic-configuration-dotnet-core.md) * NuGet package `Microsoft.Extensions.Configuration.AzureAppConfiguration` version 5.0.0 or later ## Set up Azure Service Bus topic and subscription The `ProcessPushNotification` method resets the cache expiration to a short rand The short random delay for cache expiration is helpful if you have many instances of your application or microservices connecting to the same App Configuration store with the push model. Without this delay, all instances of your application could send requests to your App Configuration store simultaneously as soon as they receive a change notification. This can cause the App Configuration Service to throttle your store. Cache expiration delay is set to a random number between 0 and a maximum of 30 seconds by default, but you can change the maximum value through the optional parameter `maxDelay` to the `ProcessPushNotification` method. -The `ProcessPushNotification` method takes in a `PushNotification` object containing information about which change in App Configuration triggered the push notfication. This helps ensure all configuration changes up to the triggering event are loaded in the following configuration refresh. The `SetDirty` method does not gurarantee the change that triggers the push notification to be loaded in an immediate configuration refresh. If you are using the `SetDirty` method for the push model, we recommend using the `ProcessPushNotification` method instead. +The `ProcessPushNotification` method takes in a `PushNotification` object containing information about which change in App Configuration triggered the push notification. This helps ensure all configuration changes up to the triggering event are loaded in the following configuration refresh. 
The `SetDirty` method does not guarantee the change that triggers the push notification to be loaded in an immediate configuration refresh. If you are using the `SetDirty` method for the push model, we recommend using the `ProcessPushNotification` method instead. ## Build and run the app locally The `ProcessPushNotification` method takes in a `PushNotification` object contai ## Next steps -In this tutorial, you enabled your .NET Core app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial. +In this tutorial, you enabled your .NET app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial. > [!div class="nextstepaction"] > [Managed identity integration](./howto-integrate-azure-managed-service-identity.md) |
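Review bot: the title and body are renamed from ".NET Core" to ".NET", but the unchanged context still says "send key value change events to Azure Event Grid" while other articles in this same change normalize "key values" to "key-values"; make this article consistent with them. The prerequisites also keep `Microsoft.Extensions.Configuration.AzureAppConfiguration` 5.0.0 or later with no .NET version; since the 3.x samples are being removed across the set, state the .NET floor here as well. The paragraph on `ProcessPushNotification` versus `SetDirty` reads correctly after the typo fixes and is the right guidance.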
azure-app-configuration | Enable Dynamic Configuration Dotnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/enable-dynamic-configuration-dotnet-core.md | Finish the quickstart [Create a .NET app with App Configuration](./quickstart-do ## Activity-driven configuration refresh -Open the `Program.cs` file and update the code configurations to match the following: --### [.NET 6.0+](#tab/core6x) +Open *Program.cs* and update the file with the following code. ```csharp using Microsoft.Extensions.Configuration; if (_refresher != null) } ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -using Microsoft.Extensions.Configuration; -using Microsoft.Extensions.Configuration.AzureAppConfiguration; -using System; -using System.Threading.Tasks; --namespace TestConsole -{ - class Program - { - private static IConfiguration _configuration = null; - private static IConfigurationRefresher _refresher = null; -- static void Main(string[] args) - { - var builder = new ConfigurationBuilder(); - builder.AddAzureAppConfiguration(options => - { - options.Connect(Environment.GetEnvironmentVariable("ConnectionString")) - .ConfigureRefresh(refresh => - { - refresh.Register("TestApp:Settings:Message") - .SetCacheExpiration(TimeSpan.FromSeconds(10)); - }); -- _refresher = options.GetRefresher(); - }); -- _configuration = builder.Build(); - PrintMessage().Wait(); - } -- private static async Task PrintMessage() - { - Console.WriteLine(_configuration["TestApp:Settings:Message"] ?? "Hello world!"); -- // Wait for the user to press Enter - Console.ReadLine(); -- await _refresher.TryRefreshAsync(); - Console.WriteLine(_configuration["TestApp:Settings:Message"] ?? "Hello world!"); - } - } -} -``` -- In the `ConfigureRefresh` method, a key within your App Configuration store is registered for change monitoring. 
The `Register` method has an optional boolean parameter `refreshAll` that can be used to indicate whether all configuration values should be refreshed if the registered key changes. In this example, only the key *TestApp:Settings:Message* will be refreshed. The `SetCacheExpiration` method specifies the minimum time that must elapse before a new request is made to App Configuration to check for any configuration changes. In this example, you override the default expiration time of 30 seconds, specifying a time of 10 seconds instead for demonstration purposes. Calling the `ConfigureRefresh` method alone won't cause the configuration to refresh automatically. You call the `TryRefreshAsync` method from the interface `IConfigurationRefresher` to trigger a refresh. This design is to avoid phantom requests sent to App Configuration even when your application is idle. You'll want to include the `TryRefreshAsync` call where you consider your application active. For example, it can be when you process an incoming message, an order, or an iteration of a complex task. It can also be in a timer if your application is active all the time. In this example, you call `TryRefreshAsync` every time you press the Enter key. Even if the call `TryRefreshAsync` fails for any reason, your application continues to use the cached configuration. Another attempt is made when the configured cache expiration time has passed and the `TryRefreshAsync` call is triggered by your application activity again. Calling `TryRefreshAsync` is a no-op before the configured cache expiration time elapses, so its performance impact is minimal, even if it's called frequently. In the previous code, you're manually saving an instance of `IConfigurationRefre 1. Register the required App Configuration services by invoking `AddAzureAppConfiguration` on your `IServiceCollection`. - #### [.NET 6.0+](#tab/core6x) Add the following code to *Program.cs*. 
```csharp In the previous code, you're manually saving an instance of `IConfigurationRefre builder.Services.AddAzureAppConfiguration(); ``` - #### [.NET Core 3.x](#tab/core3x) - Open *Startup.cs*, and update the `ConfigureServices` method. -- ```csharp - public void ConfigureServices(IServiceCollection services) - { - // Add Azure App Configuration services to IServiceCollection - services.AddAzureAppConfiguration(); - - // Existing code - // ... ... - } - ``` - - 1. Refresh your configuration by resolving an instance of `IConfigurationRefresherProvider` from your service collection and invoking `TryRefreshAsync` on each of its refreshers. ```csharp |
azure-app-configuration | Howto Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-best-practices.md | You can use either one or both options to group your keys. An important thing to keep in mind is that keys are what your application code references to retrieve the values of the corresponding settings. Keys shouldn't change, or else you'll have to modify your code each time that happens. -*Labels* are an attribute on keys. They're used to create variants of a key. For example, you can assign labels to multiple versions of a key. A version might be an iteration, an environment, or some other contextual information. Your application can request an entirely different set of key values by specifying another label. As a result, all key references remain unchanged in your code. +*Labels* are an attribute on keys. They're used to create variants of a key. For example, you can assign labels to multiple versions of a key. A version might be an iteration, an environment, or some other contextual information. Your application can request an entirely different set of key-values by specifying another label. As a result, all key references remain unchanged in your code. ## Key-value compositions -App Configuration treats all keys stored with it as independent entities. App Configuration doesn't attempt to infer any relationship between keys or to inherit key values based on their hierarchy. You can aggregate multiple sets of keys, however, by using labels coupled with proper configuration stacking in your application code. +App Configuration treats all keys stored with it as independent entities. App Configuration doesn't attempt to infer any relationship between keys or to inherit key-values based on their hierarchy. You can aggregate multiple sets of keys, however, by using labels coupled with proper configuration stacking in your application code. Let's look at an example. 
Suppose you have a setting named **Asset1**, whose value might vary based on the development environment. You create a key named "Asset1" with an empty label and a label named "Development". In the first label, you put the default value for **Asset1**, and you put a specific value for "Development" in the latter. -In your code, you first retrieve the key values without any labels, and then you retrieve the same set of key values a second time with the "Development" label. When you retrieve the values the second time, the previous values of the keys are overwritten. The .NET Core configuration system allows you to "stack" multiple sets of configuration data on top of each other. If a key exists in more than one set, the last set that contains it is used. With a modern programming framework, such as .NET Core, you get this stacking capability for free if you use a native configuration provider to access App Configuration. The following code snippet shows how you can implement stacking in a .NET Core application: +In your code, you first retrieve the key-values without any labels, and then you retrieve the same set of key-values a second time with the "Development" label. When you retrieve the values the second time, the previous values of the keys are overwritten. The .NET configuration system allows you to "stack" multiple sets of configuration data on top of each other. If a key exists in more than one set, the last set that contains it is used. With a modern programming framework, such as .NET, you get this stacking capability for free if you use a native configuration provider to access App Configuration. The following code snippet shows how you can implement stacking in a .NET application: ```csharp // Augment the ConfigurationBuilder with Azure App Configuration |
azure-app-configuration | Howto Integrate Azure Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-integrate-azure-managed-service-identity.md | To complete this tutorial, you must have: :::zone target="docs" pivot="framework-dotnet" -* [.NET SDK](https://dotnet.microsoft.com/download). -* [Azure Cloud Shell configured](../cloud-shell/quickstart.md). +* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/). +* An Azure App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md). +* [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download). :::zone-end :::zone target="docs" pivot="framework-spring" -* Azure subscription - [create one for free](https://azure.microsoft.com/free/) +* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/). +* An Azure App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md). * A supported [Java Development Kit (JDK)](/java/azure/jdk) with version 11. * [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or above. To set up a managed identity in the portal, you first create an application and The following steps describe how to assign the App Configuration Data Reader role to App Service. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). -1. In the [Azure portal](https://portal.azure.com), select the App Configuration store that you created in the [quickstart](../azure-app-configuration/quickstart-azure-functions-csharp.md). +1. In the [Azure portal](https://portal.azure.com), select your App Configuration store. 1. Select **Access control (IAM)**. The following steps describe how to assign the App Configuration Data Reader rol 1. 
To access values stored in App Configuration, update the `Builder` configuration to use the `AddAzureAppConfiguration()` method. - ### [.NET 6.0+](#tab/core6x) - ```csharp var builder = WebApplication.CreateBuilder(args); The following steps describe how to assign the App Configuration Data Reader rol new ManagedIdentityCredential())); ``` - ### [.NET Core 3.x](#tab/core3x) -- ```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - webBuilder.ConfigureAppConfiguration((hostingContext, config) => - { - var settings = config.Build(); - config.AddAzureAppConfiguration(options => - options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential())); - }) - .UseStartup<Startup>()); - ``` -- - > [!NOTE] > If you want to use a **user-assigned managed identity**, be sure to specify the `clientId` when creating the [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential). >```csharp |
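Review bot: `new ManagedIdentityCredential()` in the remaining snippet only obtains a token when the process runs on an Azure host that exposes a managed identity endpoint; running the app locally, as the build-and-run steps in these tutorials do, fails with a credential error. Either state explicitly that this snippet applies to the deployed App Service only, or use `DefaultAzureCredential`, which falls back to developer credentials locally and to the managed identity once deployed. The NOTE about passing `clientId` for a user-assigned identity is correct and should stay. Assigning App Configuration Data Reader rather than Owner or Contributor is the right least-privilege choice, and dropping the link to the Azure Functions quickstart in the portal step was correct since that quickstart is not the one this page builds on.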
azure-app-configuration | Howto Labels Aspnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-labels-aspnet-core.md | ms.devlang: csharp Previously updated : 07/11/2023 Last updated : 02/20/2024 using Microsoft.Extensions.Configuration.AzureAppConfiguration; Load configuration values with the label corresponding to the current environment by passing the environment name into the `Select` method: -### [ASP.NET Core 6.0+](#tab/core6x) - ```csharp var builder = WebApplication.CreateBuilder(args); builder.Configuration.AddAzureAppConfiguration(options => }); ``` -### [ASP.NET Core 3.x](#tab/core3x) --```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - webBuilder.ConfigureAppConfiguration((hostingContext, config) => - { - var settings = config.Build(); - config.AddAzureAppConfiguration(options => - options - .Connect(settings.GetConnectionString("AppConfig")) - // Load configuration values with no label - .Select(KeyFilter.Any, LabelFilter.Null) - // Override with any configuration values specific to current hosting env - .Select(KeyFilter.Any, hostingContext.HostingEnvironment.EnvironmentName) - ); - }) - .UseStartup<Startup>()); -``` --- > [!IMPORTANT] > The preceding code snippet uses the Secret Manager tool to load App Configuration connection string. For information storing the connection string using the Secret Manager, see [Quickstart for Azure App Configuration with ASP.NET Core](quickstart-aspnet-core-app.md). |
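Review bot: the deleted .NET Core 3.x snippet carried the two comments that explain this article's whole point ("Load configuration values with no label", then "Override with any configuration values specific to current hosting env"); make sure the surviving snippet keeps the same two `Select` calls in that order with those comments, because the later `Select` wins and a reversed order silently disables the per-environment override. The unchanged IMPORTANT note still loads an App Configuration connection string through Secret Manager; a cross-reference to the managed identity tutorial updated in this same change would steer readers away from access keys.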
azure-app-configuration | Howto Move Resource Between Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-move-resource-between-regions.md | Follow these steps to export your configuration to the target store using the Az az appconfig kv export -n SourceConfigurationStore -d appconfig --dest-name TargetConfigurationStore --key * --label * --preserve-labels ``` -1. To verify that your configurations have been successfully transferred from your source to your target store, list all of the key values in your target store. +1. To verify that your configurations have been successfully transferred from your source to your target store, list all of the key-values in your target store. ```azurecli az appconfig kv list -n TargetAppConfiguration --all |
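Review bot: the verification step does not check the store the export wrote to. The export uses `--dest-name TargetConfigurationStore`, but the list command that follows runs against `-n TargetAppConfiguration`, so a reader following the steps literally queries a different, probably nonexistent, store and gets an error or an empty result instead of a confirmation. Use the same store name in both commands. Also, `--key * --label *` are unquoted; in a POSIX shell `*` is expanded against the current directory before the CLI sees it, so either quote them (`--key '*' --label '*'`) or state which shell the snippet assumes.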
azure-app-configuration | Integrate Ci Cd Pipeline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/integrate-ci-cd-pipeline.md | If you build locally, download and install the [Azure CLI](/cli/azure/install-az -1. To build the app by using the .NET Core CLI, run the following command in the command shell: +1. To build the app by using the .NET CLI, run the following command in the command shell: ```console dotnet build |
azure-app-configuration | Integrate Kubernetes Deployment Helm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/integrate-kubernetes-deployment-helm.md | Use helm upgrade's **-f** argument to pass in the two configuration files you've helm upgrade --install -f myConfig.yaml -f mySecrets.yaml "example" ./mychart ``` -You can also use the **--set** argument for helm upgrade to pass literal key values. Using the **--set** argument is a good way to avoid persisting sensitive data to disk. +You can also use the **--set** argument for helm upgrade to pass literal key-values. Using the **--set** argument is a good way to avoid persisting sensitive data to disk. ```powershell $secrets = az appconfig kv list -n myAppConfiguration --key "secrets.*" --resolve-keyvault --query "[*].{name:key, value:value}" | ConvertFrom-Json |
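Review bot: the rewritten sentence 'Using the --set argument is a good way to avoid persisting sensitive data to disk' overstates what `--set` buys you. Values passed on the command line are visible in the process argument list while `helm upgrade` runs and normally land in shell history, and Helm 3 stores each release's values in the cluster (by default in a Secret in the release namespace), so the secrets are persisted regardless; the only thing avoided is the `mySecrets.yaml` file. The `$secrets = az appconfig kv list ... --resolve-keyvault ...` line also materializes the resolved Key Vault secret values in the PowerShell session on the operator's machine. Suggest rewording to 'avoids writing a values file containing secrets to disk' and adding one sentence on where the values do end up, or pointing readers to consuming Key Vault references in-cluster instead of resolving them client-side.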
azure-app-configuration | Manage Feature Flags | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/manage-feature-flags.md | -You can store all feature flags in Azure App Configuration and administer them from a single place. App Configuration has a portal UI named **Feature Manager** that's designed specifically for feature flags. App Configuration also natively supports the .NET Core feature-flag data schema. +You can create feature flags in Azure App Configuration and manage them from the **Feature Manager** in the Azure portal. In this tutorial, you learn how to: > [!div class="checklist"] > * Define and manage feature flags in App Configuration.-> * Access feature flags from your application. ## Create feature flags |
azure-app-configuration | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/overview.md | The easiest way to add an App Configuration store to your application is through |Programming language and framework | How to connect | Quickstart | |--|||-| .NET Core | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET Core | .NET Core [quickstart](./quickstart-dotnet-core-app.md) | -| ASP.NET Core | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET Core | ASP.NET Core [quickstart](./quickstart-aspnet-core-app.md) | +| .NET | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET | .NET [quickstart](./quickstart-dotnet-core-app.md) | +| ASP.NET Core | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET | ASP.NET Core [quickstart](./quickstart-aspnet-core-app.md) | | .NET Framework and ASP.NET | App Configuration [builder](https://go.microsoft.com/fwlink/?linkid=2074663) for .NET | .NET Framework [quickstart](./quickstart-dotnet-app.md) | | Java Spring | App Configuration [provider](https://go.microsoft.com/fwlink/?linkid=2180917) for Spring Cloud | Java Spring [quickstart](./quickstart-java-spring-app.md) | | JavaScript/Node.js | App Configuration [provider](https://github.com/Azure/AppConfiguration-JavaScriptProvider) for JavaScript | Javascript/Node.js [quickstart](./quickstart-javascript-provider.md)|-| Python | App Configuration [provider](https://pypi.org/project/azure-appconfiguration-provider/) for Python | Python [quickstart](./quickstart-python-provider.md)) | +| Python | App Configuration [provider](https://pypi.org/project/azure-appconfiguration-provider/) for Python | Python [quickstart](./quickstart-python-provider.md) | | Other | App Configuration [REST API](/rest/api/appconfiguration/) | 
None | ## Next steps |
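Review bot: the renamed `.NET` row still links to `quickstart-dotnet-core-app.md`, which is fine as a file name, but the surrounding rows are now inconsistent in capitalization: the language column says `JavaScript/Node.js` while the quickstart link text in the same unchanged row says `Javascript/Node.js`. Pick one spelling. The table delimiter row `|--|||` visible at the start of this hunk also has empty cells; it should have a dash in each of the three columns so the table renders.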
azure-app-configuration | Pull Key Value Devops Pipeline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/pull-key-value-devops-pipeline.md | The following parameters are used by the Azure App Configuration task: - **Azure subscription**: A drop-down containing your available Azure service connections. To update and refresh your list of available Azure service connections, press the **Refresh Azure subscription** button to the right of the textbox. - **App Configuration Endpoint**: A drop-down that loads your available configuration stores endpoints under the selected subscription. To update and refresh your list of available configuration stores endpoints, press the **Refresh App Configuration Endpoint** button to the right of the textbox. - **Selection Mode**: Specifies how the key-values read from a configuration store are selected. The 'Default' selection mode allows the use of key and label filters. The 'Snapshot' selection mode allows key-values to be selected from a snapshot. Default value is **Default**.-- **Key Filter**: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * will select all key-values. For more information on, see [Query key values](concept-key-value.md#query-key-values).+- **Key Filter**: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * will select all key-values. For more information on, see [Query key-values](concept-key-value.md#query-key-values). - **Label**: Specifies which label should be used when selecting key-values from the App Configuration store. If no label is provided, then key-values with the no label will be retrieved. The following characters are not allowed: , *. - **Snapshot Name**: Specifies snapshot from which key-values should be retrieved in Azure App Configuration. 
- **Trim Key Prefix**: Specifies one or more prefixes that should be trimmed from App Configuration keys before setting them as variables. Multiple prefixes can be separated by a new-line character. |
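Review bot: the `+` line keeps the dangling phrase 'For more information on, see [Query key-values]...'; drop the 'on' so it reads 'For more information, see'. Two more in the unchanged lines of the same region: 'key-values with the no label will be retrieved' should be 'key-values with no label', and 'The following characters are not allowed: , *.' reads as a sentence ending rather than a character list; put the characters in code spans (`,` and `*`) so they are distinguishable from punctuation.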
azure-app-configuration | Quickstart Aspnet Core App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-aspnet-core-app.md | In this quickstart, you'll use Azure App Configuration to externalize storage an - An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/). - An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).-- [.NET Core SDK](https://dotnet.microsoft.com/download)+- [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download) > [!TIP]-> The Azure Cloud Shell is a free, interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET Core SDK. If you're logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md) +> The Azure Cloud Shell is a free, interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET SDK. If you're logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md) ## Add key-values Add the following key-values to the App Configuration store and leave **Label** ## Create an ASP.NET Core web app -Use the [.NET Core command-line interface (CLI)](/dotnet/core/tools) to create a new ASP.NET Core web app project. The [Azure Cloud Shell](https://shell.azure.com) provides these tools for you. They're also available across the Windows, macOS, and Linux platforms. +Use the [.NET command-line interface (CLI)](/dotnet/core/tools) to create a new ASP.NET Core web app project. 
The [Azure Cloud Shell](https://shell.azure.com) provides these tools for you. They're also available across the Windows, macOS, and Linux platforms. Run the following command to create an ASP.NET Core web app in a new *TestAppConfig* folder: -#### [.NET 6.x](#tab/core6x) - ```dotnetcli dotnet new webapp --output TestAppConfig --framework net6.0 ``` -#### [.NET Core 3.x](#tab/core3x) --```dotnetcli -dotnet new webapp --output TestAppConfig --framework netcoreapp3.1 -``` --- ## Connect to the App Configuration store 1. Navigate into the project's directory *TestAppConfig*, and run the following command to add a [Microsoft.Azure.AppConfiguration.AspNetCore](https://www.nuget.org/packages/Microsoft.Azure.AppConfiguration.AspNetCore) NuGet package reference: dotnet new webapp --output TestAppConfig --framework netcoreapp3.1 1. Open *Program.cs* and add Azure App Configuration as an extra configuration source by calling the `AddAzureAppConfiguration` method. - #### [.NET 6.x](#tab/core6x) - ```csharp var builder = WebApplication.CreateBuilder(args); dotnet new webapp --output TestAppConfig --framework netcoreapp3.1 // ... ... ``` - #### [.NET Core 3.x](#tab/core3x) -- Update the `CreateHostBuilder` method. -- ```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - { - webBuilder.ConfigureAppConfiguration(config => - { - // Retrieve the connection string - IConfiguration settings = config.Build(); - string connectionString = settings.GetConnectionString("AppConfig"); -- // Load configuration from Azure App Configuration - config.AddAzureAppConfiguration(connectionString); - }); -- webBuilder.UseStartup<Startup>(); - }); - ``` -- - This code will connect to your App Configuration store using a connection string and load *all* key-values that have *no labels*. 
For more information on the App Configuration provider, see the [App Configuration provider API reference](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration). ## Read from the App Configuration store In this example, you'll update a web page to display its content using the setti 1. Bind the `TestApp:Settings` section in configuration to the `Settings` object. - #### [.NET 6.x](#tab/core6x) - Update *Program.cs* with the following code and add the `TestAppConfig` namespace at the beginning of the file. ```csharp In this example, you'll update a web page to display its content using the setti // ... ... ``` - #### [.NET Core 3.x](#tab/core3x) -- Open *Startup.cs* and update the `ConfigureServices` method. -- ```csharp - public void ConfigureServices(IServiceCollection services) - { - services.AddRazorPages(); -- // Bind configuration "TestApp:Settings" section to the Settings object - services.Configure<Settings>(Configuration.GetSection("TestApp:Settings")); - } - ``` -- - 1. Open *Index.cshtml.cs* in the *Pages* directory, and update the `IndexModel` class with the following code. Add the `using Microsoft.Extensions.Options` namespace at the beginning of the file, if it's not already there. ```csharp In this example, you'll update a web page to display its content using the setti ## Build and run the app locally -1. To build the app using the .NET Core CLI, navigate to the root directory of your project. Run the following command in the command shell: +1. To build the app using the .NET CLI, navigate to the root directory of your project. Run the following command in the command shell: ```dotnetcli dotnet build |
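Review bot: with the `.NET Core 3.x` tab removed, the sentence 'This code will connect to your App Configuration store using a connection string and load *all* key-values that have *no labels*' is the only place the reader learns what credential the sample uses; say explicitly that the connection string embeds an access key granting read or read-write access to every key-value in the store, that it is held via the Secret Manager for local development only, and point to the managed identity article for deployed apps. The deleted 3.x block also carried the comment 'Retrieve the connection string' next to `settings.GetConnectionString("AppConfig")`; confirm the surviving Program.cs snippet keeps an equivalent comment so the `AppConfig` name is still tied back to the Secret Manager step. Finally, the hunk headers in this region still show `dotnet new webapp --output TestAppConfig --framework netcoreapp3.1` as context; since the prerequisites now say '.NET SDK 6.0 or later', check the rendered page for any remaining `netcoreapp3.1` reference.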
azure-app-configuration | Quickstart Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md | A ConfigMap can be consumed as environment variables or a mounted file. In this * An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store). * An Azure Container Registry. [Create a registry](/azure/aks/tutorial-kubernetes-prepare-acr#create-an-azure-container-registry). * An Azure Kubernetes Service (AKS) cluster that is granted permission to pull images from your Azure Container Registry. [Create an AKS cluster](/azure/aks/tutorial-kubernetes-deploy-cluster#create-a-kubernetes-cluster).-* [.NET Core SDK](https://dotnet.microsoft.com/download) +* [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download) * [Azure CLI](/cli/azure/install-azure-cli) * [Docker Desktop](https://www.docker.com/products/docker-desktop/) * [helm](https://helm.sh/docs/intro/install/) In this section, you will create a simple ASP.NET Core web application running i ### Create an application -1. Use the .NET Core command-line interface (CLI) and run the following command to create a new ASP.NET Core web app project in a new *MyWebApp* directory: +1. Use the .NET command-line interface (CLI) and run the following command to create a new ASP.NET Core web app project in a new *MyWebApp* directory: ```dotnetcli dotnet new webapp --output MyWebApp --framework net6.0 In this section, you will create a simple ASP.NET Core web application running i Now that you have an application running in AKS, you'll deploy the App Configuration Kubernetes Provider to your AKS cluster running as a Kubernetes controller. The provider retrieves data from your App Configuration store and creates a ConfigMap, which is consumable as a JSON file mounted in a data volume. 
-### Setup the Azure App Configuration store +### Set up the Azure App Configuration store Add following key-values to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value). Add following key-values to the App Configuration store and leave **Label** and |Settings:FontColor|*Green*| |Settings:Message|*Hello from Azure App Configuration*| -### Setup the App Configuration Kubernetes Provider +### Set up the App Configuration Kubernetes Provider 1. Run the following command to get access credentials for your AKS cluster. Replace the value of the `name` and `resource-group` parameters with your AKS instance: ```console |
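Review bot: the paragraph in this region that says the Kubernetes Provider 'creates a ConfigMap, which is consumable as a JSON file mounted in a data volume' gives no caveat that ConfigMap data is readable by any principal with `get` on ConfigMaps in that namespace and is not treated as a secret by Kubernetes. The quickstart's own sample values (`Settings:FontColor`, `Settings:Message`) are harmless, but a sentence telling readers not to route secrets or Key Vault references into keys that land in a ConfigMap, and pointing to whatever the provider documents for sensitive values, would keep the pattern from being copied as-is. Minor: 'Add following key-values' (twice in this hunk) should be 'Add the following key-values'; the `Set up` heading fixes are correct.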
azure-app-configuration | Quickstart Dotnet Core App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-dotnet-core-app.md | In this quickstart, you incorporate Azure App Configuration into a .NET console - An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/). - An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).-- [.NET SDK](https://dotnet.microsoft.com/download) - also available in the [Azure Cloud Shell](https://shell.azure.com).+- [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download) - also available in the [Azure Cloud Shell](https://shell.azure.com). ## Add a key-value You use the [.NET command-line interface (CLI)](/dotnet/core/tools/) to create a 4. Use App Configuration by calling the `builder.AddAzureAppConfiguration()` method in the `Program.cs` file. - ### [.NET 6.0+](#tab/core6x) - ```csharp var builder = new ConfigurationBuilder(); builder.AddAzureAppConfiguration(Environment.GetEnvironmentVariable("ConnectionString")); You use the [.NET command-line interface (CLI)](/dotnet/core/tools/) to create a Console.WriteLine(config["TestApp:Settings:Message"] ?? "Hello world!"); ``` - ### [.NET Core 3.x](#tab/core3x) - - ```csharp - static void Main(string[] args) - { - var builder = new ConfigurationBuilder(); - builder.AddAzureAppConfiguration(Environment.GetEnvironmentVariable("ConnectionString")); - - var config = builder.Build(); - Console.WriteLine(config["TestApp:Settings:Message"] ?? "Hello world!"); - } - ``` -- - ## Build and run the app locally 1. Set an environment variable named **ConnectionString**, and set it to the access key to your App Configuration store. At the command line, run the following command: |
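Review bot: the retained line `builder.AddAzureAppConfiguration(Environment.GetEnvironmentVariable("ConnectionString"));` passes null when the variable is unset, so the sample throws from inside the provider instead of failing with a message that names the missing variable; read the value into a local, check it for null or empty, and exit with a clear message before calling the provider. The 'Build and run the app locally' step also says to set the variable 'to the access key to your App Configuration store'; the value is the full connection string (endpoint plus key), not the key alone, and since this console sample only reads, the text should tell the reader to use a read-only key.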
azure-app-configuration | Quickstart Feature Flag Aspnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-feature-flag-aspnet-core.md | Add a feature flag called *Beta* to the App Configuration store and leave **Labe 1. Open *Program.cs*, and add a call to the `UseFeatureFlags` method inside the `AddAzureAppConfiguration` call. - #### [.NET 6.x](#tab/core6x) ```csharp // Load configuration from Azure App Configuration builder.Configuration.AddAzureAppConfiguration(options => Add a feature flag called *Beta* to the App Configuration store and leave **Labe }); ``` - #### [.NET Core 3.x](#tab/core3x) - ```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - { - webBuilder.ConfigureAppConfiguration(config => - { - //Retrieve the Connection String from the secrets manager - IConfiguration settings = config.Build(); - string connectionString = settings.GetConnectionString("AppConfig"); -- // Load configuration from Azure App Configuration - config.AddAzureAppConfiguration(options => - { - options.Connect(connectionString) - // Load all keys that start with `TestApp:` and have no label - .Select("TestApp:*", LabelFilter.Null) - // Configure to reload configuration if the registered sentinel key is modified - .ConfigureRefresh(refreshOptions => - refreshOptions.Register("TestApp:Settings:Sentinel", refreshAll: true)); -- // Load all feature flags with no label - options.UseFeatureFlags(); - }); - }); -- webBuilder.UseStartup<Startup>(); - }); - ``` - - > [!TIP] > When no parameter is passed to the `UseFeatureFlags` method, it loads *all* feature flags with *no label* in your App Configuration store. The default refresh expiration of feature flags is 30 seconds. You can customize this behavior via the `FeatureFlagOptions` parameter. 
For example, the following code snippet loads only feature flags that start with *TestApp:* in their *key name* and have the label *dev*. The code also changes the refresh expiration time to 5 minutes. Note that this refresh expiration time is separate from that for regular key-values. > Add a feature flag called *Beta* to the App Configuration store and leave **Labe 1. Add feature management to the service collection of your app by calling `AddFeatureManagement`. - #### [.NET 6.x](#tab/core6x) Update *Program.cs* with the following code. ```csharp Add a feature flag called *Beta* to the App Configuration store and leave **Labe // ... ... ``` - #### [.NET Core 3.x](#tab/core3x) - Open *Startup.cs*, and update the `ConfigureServices` method. -- ```csharp - public void ConfigureServices(IServiceCollection services) - { - services.AddRazorPages(); -- // Add Azure App Configuration middleware to the container of services. - services.AddAzureAppConfiguration(); -- // Add feature management to the container of services. - services.AddFeatureManagement(); -- // Bind configuration "TestApp:Settings" section to the Settings object - services.Configure<Settings>(Configuration.GetSection("TestApp:Settings")); - } - ``` - - Add `using Microsoft.FeatureManagement;` at the top of the file if it's not present. > [!NOTE] |
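Review bot: the deleted `.NET Core 3.x` ConfigureServices block is the only place in this hunk where `services.AddAzureAppConfiguration()` appears alongside `AddFeatureManagement()`, with the comment 'Add Azure App Configuration middleware to the container of services'. The `UseAzureAppConfiguration()` middleware throws at startup if that registration is missing, so confirm the surviving Program.cs text still contains `builder.Services.AddAzureAppConfiguration();` with the comment. In the TIP, the sentence 'Note that this refresh expiration time is separate from that for regular key-values' would be clearer with one more clause: the sentinel-key `ConfigureRefresh` registration (shown only in the deleted snippet, with `refreshAll: true`) governs key-values, while `FeatureFlagOptions` governs flags, otherwise readers assume a single setting covers both.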
azure-app-configuration | Cli Work With Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/scripts/cli-work-with-keys.md | Title: Azure CLI Script Sample - Work with key-values in App Configuration Store -description: Use Azure CLI script to create, view, update and delete key values from App Configuration store +description: Use Azure CLI script to create, view, update and delete key-values from App Configuration store |
azure-app-configuration | Use Feature Flags Dotnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/use-feature-flags-dotnet-core.md | Title: Tutorial for using feature flags in a .NET app | Microsoft Docs -description: In this tutorial, you learn how to implement feature flags in .NET Core apps. +description: In this tutorial, you learn how to implement feature flags in .NET apps. ms.devlang: csharp Previously updated : 07/11/2023 Last updated : 02/20/2024 -#Customer intent: I want to control feature availability in my app by using the .NET Core Feature Manager library. +#Customer intent: I want to control feature availability in my app by using the .NET Feature Manager library. # Tutorial: Use feature flags in an ASP.NET Core app The .NET Feature Management libraries provide idiomatic support for implementing The Feature Management libraries also manage feature flag lifecycles behind the scenes. For example, the libraries refresh and cache flag states, or guarantee a flag state to be immutable during a request call. In addition, the ASP.NET Core library offers out-of-the-box integrations, including MVC controller actions, views, routes, and middleware. -The [Add feature flags to an ASP.NET Core app Quickstart](./quickstart-feature-flag-aspnet-core.md) shows a simple example of how to use feature flags in an ASP.NET Core application. This tutorial shows additional setup options and capabilities of the Feature Management libraries. You can use the sample app created in the quickstart to try out the sample code shown in this tutorial. - For the ASP.NET Core feature management API reference documentation, see [Microsoft.FeatureManagement Namespace](/dotnet/api/microsoft.featuremanagement). In this tutorial, you will learn how to: In this tutorial, you will learn how to: > * Add feature flags in key parts of your application to control feature availability. 
> * Integrate with App Configuration when you're using it to manage feature flags. +## Prerequisites ++The [Add feature flags to an ASP.NET Core app Quickstart](./quickstart-feature-flag-aspnet-core.md) shows a simple example of how to use feature flags in an ASP.NET Core application. This tutorial shows additional setup options and capabilities of the Feature Management libraries. You can use the sample app created in the quickstart to try out the sample code shown in this tutorial. + ## Set up feature management To access the .NET feature manager, your app must have references to the `Microsoft.Azure.AppConfiguration.AspNetCore` and `Microsoft.FeatureManagement.AspNetCore` NuGet packages. The .NET feature manager is configured from the framework's native configuration system. As a result, you can define your application's feature flag settings by using any configuration source that .NET supports, including the local `appsettings.json` file or environment variables. -By default, the feature manager retrieves feature flag configuration from the `"FeatureManagement"` section of the .NET Core configuration data. To use the default configuration location, call the [AddFeatureManagement](/dotnet/api/microsoft.featuremanagement.servicecollectionextensions.addfeaturemanagement) method of the **IServiceCollection** passed into the **ConfigureServices** method of the **Startup** class. --### [.NET 6.0+](#tab/core6x) +By default, the feature manager retrieves feature flag configuration from the `"FeatureManagement"` section of the .NET configuration data. To use the default configuration location, call the [AddFeatureManagement](/dotnet/api/microsoft.featuremanagement.servicecollectionextensions.addfeaturemanagement) method of the **IServiceCollection** passed into the **ConfigureServices** method of the **Startup** class. 
```csharp using Microsoft.FeatureManagement; using Microsoft.FeatureManagement; builder.Services.AddFeatureManagement(); ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -using Microsoft.FeatureManagement; --public class Startup -{ - public void ConfigureServices(IServiceCollection services) - { - services.AddFeatureManagement(); - } -} -``` --- You can specify that feature management configuration should be retrieved from a different configuration section by calling [Configuration.GetSection](/dotnet/api/microsoft.web.administration.configuration.getsection) and passing in the name of the desired section. The following example tells the feature manager to read from a different section called `"MyFeatureFlags"` instead: -### [.NET 6.0+](#tab/core6x) ```csharp using Microsoft.FeatureManagement; using Microsoft.FeatureManagement; builder.Services.AddFeatureManagement(Configuration.GetSection("MyFeatureFlags")); ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -using Microsoft.FeatureManagement; --public class Startup -{ - public void ConfigureServices(IServiceCollection services) - { - ... - services.AddFeatureManagement(Configuration.GetSection("MyFeatureFlags")); - } -} -``` --- If you use filters in your feature flags, you must include the [Microsoft.FeatureManagement.FeatureFilters](/dotnet/api/microsoft.featuremanagement.featurefilters) namespace and add a call to [AddFeatureFilter](/dotnet/api/microsoft.featuremanagement.ifeaturemanagementbuilder.addfeaturefilter) specifying the type name of the filter you want to use as the generic type of the method. For more information on using feature filters to dynamically enable and disable functionality, see [Enable staged rollout of features for targeted audiences](./howto-targetingfilter-aspnet-core.md). 
The following example shows how to use a built-in feature filter called `PercentageFilter`: -### [.NET 6.0+](#tab/core6x) ```csharp using Microsoft.FeatureManagement; builder.Services.AddFeatureManagement() .AddFeatureFilter<PercentageFilter>(); ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -using Microsoft.FeatureManagement; -using Microsoft.FeatureManagement.FeatureFilters; --public class Startup -{ - public void ConfigureServices(IServiceCollection services) - { - services.AddFeatureManagement() - .AddFeatureFilter<PercentageFilter>(); - } -} -``` ----Rather than hard coding your feature flags into your application, we recommend that you keep feature flags outside the application and manage them separately. Doing so allows you to modify flag states at any time and have those changes take effect in the application right away. The Azure App Configuration service provides a dedicated portal UI for managing all of your feature flags. The Azure App Configuration service also delivers the feature flags to your application directly through its .NET Core client libraries. +Rather than hard coding your feature flags into your application, we recommend that you keep feature flags outside the application and manage them separately. Doing so allows you to modify flag states at any time and have those changes take effect in the application right away. The Azure App Configuration service provides a dedicated portal UI for managing all of your feature flags. The Azure App Configuration service also delivers the feature flags to your application directly through its .NET client libraries. The easiest way to connect your ASP.NET Core application to App Configuration is through the configuration provider included in the `Microsoft.Azure.AppConfiguration.AspNetCore` NuGet package. After including a reference to the package, follow these steps to use this NuGet package. 1. 
Open *Program.cs* file and add the following code.-- ### [.NET 6.0+](#tab/core6x) ```csharp using Microsoft.Extensions.Configuration.AzureAppConfiguration; The easiest way to connect your ASP.NET Core application to App Configuration is .UseFeatureFlags()); ``` - ### [.NET Core 3.x](#tab/core3x) - - ```csharp - using Microsoft.Extensions.Configuration.AzureAppConfiguration; -- public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - webBuilder.ConfigureAppConfiguration(config => - { - var settings = config.Build(); - config.AddAzureAppConfiguration(options => - options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags()); - }).UseStartup<Startup>()); - ``` - - 2. Update the middleware and service configurations for your app using the following code. - ### [.NET 6.0+](#tab/core6x) - Inside the `program.cs` class, register the Azure App Configuration services and middleware on the `builder` and `app` objects: ```csharp The easiest way to connect your ASP.NET Core application to App Configuration is app.UseAzureAppConfiguration(); ```-- ### [.NET Core 3.x](#tab/core3x) -- Open `Startup.cs` and update the `Configure` and `ConfigureServices` method to add the built-in middleware called `UseAzureAppConfiguration`. This middleware allows the feature flag values to be refreshed at a recurring interval while the ASP.NET Core web app continues to receive requests. -- ```csharp - public void Configure(IApplicationBuilder app, IWebHostEnvironment env) - { - app.UseAzureAppConfiguration(); - } - ``` -- ```csharp - public void ConfigureServices(IServiceCollection services) - { - services.AddAzureAppConfiguration(); - } - ``` -- In a typical scenario, you will update your feature flag values periodically as you deploy and enable and different features of your application. 
By default, the feature flag values are cached for a period of 30 seconds, so a refresh operation triggered when the middleware receives a request would not update the value until the cached value expires. The following code shows how to change the cache expiration time or polling interval to 5 minutes by setting the [CacheExpirationInterval](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.featuremanagement.featureflagoptions.cacheexpirationinterval) in the call to **UseFeatureFlags**. -### [.NET 6.0+](#tab/core6x) - ```csharp config.AddAzureAppConfiguration(options => options.Connect( config.AddAzureAppConfiguration(options => })); ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -config.AddAzureAppConfiguration(options => - options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags(featureFlagOptions => { - featureFlagOptions.CacheExpirationInterval = TimeSpan.FromMinutes(5); - })); -``` --- ## Feature flag declaration Each feature flag declaration has two parts: a name, and a list of one or more filters that are used to evaluate if a feature's state is *on* (that is, when its value is `True`). A filter defines a criterion for when a feature should be turned on. By convention, the `FeatureManagement` section of this JSON document is used for ## Use dependency injection to access IFeatureManager For some operations, such as manually checking feature flag values, you need to get an instance of [IFeatureManager](/dotnet/api/microsoft.featuremanagement.ifeaturemanager). In ASP.NET Core MVC, you can access the feature manager `IFeatureManager` through dependency injection. In the following example, an argument of type `IFeatureManager` is added to the signature of the constructor for a controller. The runtime automatically resolves the reference and provides an implementation of the interface when calling the constructor. 
If you're using an application template in which the controller already has one or more dependency injection arguments in the constructor, such as `ILogger`, you can just add `IFeatureManager` as an additional argument:--### [.NET 6.0+](#tab/core6x) ```csharp using Microsoft.FeatureManagement; public class HomeController : Controller } ``` -### [.NET Core 3.x](#tab/core3x) --```csharp -using Microsoft.FeatureManagement; --public class HomeController : Controller -{ - private readonly IFeatureManager _featureManager; -- public HomeController(ILogger<HomeController> logger, IFeatureManager featureManager) - { - _featureManager = featureManager; - } -} -``` --- ## Feature flag references Define feature flags as string variables in order to reference them from code: |
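Review bot: with the `### [.NET Core 3.x](#tab/core3x)` tabs removed, every tabbed block in this article is left with a lone `### [.NET 6.0+](#tab/core6x)` header (the `Program.cs` registration, the middleware step, the `CacheExpirationInterval` sample and the `HomeController` sample); a one-tab chooser is just noise, so drop the surviving tab headers and their closing `---` terminators and keep the code as plain fenced blocks. Two pre-existing slips in the surrounding context are worth fixing in the same pass: "Inside the `program.cs` class" (Program.cs is a file, not a class) and "as you deploy and enable and different features of your application" (stray "and").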
azure-app-configuration | Use Key Vault References Dotnet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/use-key-vault-references-dotnet-core.md | In this tutorial, you learn how to: ## Prerequisites -Before you start this tutorial, install the [.NET SDK](https://dotnet.microsoft.com/download). +Before you start this tutorial, install the [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download). [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] To add a secret to the vault, you need to take just a few additional steps. In t 1. Update the `CreateWebHostBuilder` method to use App Configuration by calling the `config.AddAzureAppConfiguration` method. Include the `ConfigureKeyVault` option, and pass the correct credential to your Key Vault using the `SetCredential` method. If you have multiple Key Vaults, the same credential will be used for all of them. If your Key Vaults require different credentials, you can set them using `Register` or `SetSecretResolver` methods from the [`AzureAppConfigurationKeyVaultOptions`](/dotnet/api/microsoft.extensions.configuration.azureappconfiguration.azureappconfigurationkeyvaultoptions) class. - #### [.NET 6.0+](#tab/core6x) - ```csharp var builder = WebApplication.CreateBuilder(args); To add a secret to the vault, you need to take just a few additional steps. In t }); ``` - #### [.NET Core 3.x](#tab/core3x) -- ```csharp - public static IHostBuilder CreateHostBuilder(string[] args) => - Host.CreateDefaultBuilder(args) - .ConfigureWebHostDefaults(webBuilder => - webBuilder.ConfigureAppConfiguration((hostingContext, config) => - { - var settings = config.Build(); -- config.AddAzureAppConfiguration(options => - { - options.Connect(settings["ConnectionStrings:AppConfig"]) - .ConfigureKeyVault(kv => - { - kv.SetCredential(new DefaultAzureCredential()); - }); - }); - }) - .UseStartup<Startup>()); - ``` - - 1. 
When you initialized the connection to App Configuration, you set up the connection to Key Vault by calling the `ConfigureKeyVault` method. After the initialization, you can access the values of Key Vault references in the same way you access the values of regular App Configuration keys. To see this process in action, open *Index.cshtml* in the **Views** > **Home** folder. Replace its contents with the following code: |
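Review bot: step 1 still opens with "Update the `CreateWebHostBuilder` method to use App Configuration", but that method only existed in the deleted .NET Core 3.x sample (and even there it was named `CreateHostBuilder`); the remaining .NET 6.0+ sample is the minimal-hosting `var builder = WebApplication.CreateBuilder(args);` with no such method. Reword the step to match the surviving code, for example "In *Program.cs*, call `config.AddAzureAppConfiguration` and include the `ConfigureKeyVault` option ...". The prerequisite bump to ".NET SDK 6.0 or later" is consistent with dropping the 3.x tab and should stay.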
azure-maps | Quick Ios App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-ios-app.md | In this quickstart, you created your Azure Maps account and created a demo appli [Add a polygon layer to the map in the iOS SDK]: add-polygon-layer-map-ios.md [Add a polygon layer]: add-polygon-layer-map-ios.md [Add a symbol layer]: add-symbol-layer-ios.md-[Azure Active Directory authentication]: azure-maps-authentication.md#azure-ad-authentication [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account [Azure portal]: https://portal.azure.com [Change map styles in iOS maps]: set-map-style-ios-sdk.md [Creating an Xcode Project for an App]: https://developer.apple.com/documentation/xcode/creating-an-xcode-project-for-an-app [free account]: https://azure.microsoft.com/free/ [manage authentication in Azure Maps]: how-to-manage-authentication.md-[Microsoft Entra ID]: /entra/fundamentals/whatis +[Microsoft Entra authentication]: azure-maps-authentication.md#microsoft-entra-authentication [Shared Key authentication]: azure-maps-authentication.md#shared-key-authentication [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [ΓÇÄXcode]: https://apps.apple.com/cz/app/xcode/id497799835?mt=12 |
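Review bot: two link-reference definitions are removed (`[Azure Active Directory authentication]` and `[Microsoft Entra ID]`) but only one replacement is added (`[Microsoft Entra authentication]`); any `[Microsoft Entra ID]` reference still used in the article body would now render as literal bracketed text, so confirm the body references were updated in the same change. Also visible in the context: the `[ΓÇÄXcode]` label carries encoding debris before `Xcode`, and a reference label has to match its body usage exactly, so clean that label up while touching this list.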
azure-monitor | Convert Classic Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md | The structure of a Log Analytics workspace is described in [Log Analytics worksp | traces | AppTraces | Detailed logs (traces) emitted through application code/logging frameworks recorded via `TrackTrace()`. | > [!CAUTION]-> Don't take a production dependency on the Log Analytics tables until you see new telemetry records show up directly in Log Analytics. It might take up to 24 hours after the migration process started for records to appear. +> Wait for new telemetry in Log Analytics before relying on it. After starting the migration, telemetry first goes to Classic Application Insights. Aim to switch to Log Analytics within 24 hours, avoiding data loss or double writing. Once done, Log Analytics solely captures new telemetry. ### Table schemas |
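Review bot: the replacement caution changes the timing guidance rather than just the wording. The old text said records might take up to 24 hours after migration to appear in Log Analytics; the new text says "Aim to switch to Log Analytics within 24 hours", which reads as a deadline, and "avoiding data loss or double writing" does not say which action leads to data loss and which to double writing. Suggest keeping the original fact (new telemetry can take up to 24 hours to show up) and stating explicitly what the reader risks by switching too early versus by keeping both paths active. The genuinely new point, that telemetry keeps flowing to Classic Application Insights first, should stay.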
azure-monitor | Container Insights Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-troubleshoot.md | To diagnose the problem if you can't view status information or no results are r `kubectl get ds ama-logs --namespace=kube-system` - The output should resemble the following example, which indicates that it was deployed properly: + The number of pods should be equal to the number of Linux nodes on the cluster. The output should resemble the following example, which indicates that it was deployed properly: ``` User@aksuser:~$ kubectl get ds ama-logs --namespace=kube-system- NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE - ama-logs 2 2 2 2 2 beta.kubernetes.io/os=linux 1d + NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE + ama-logs 2 2 2 2 2 <none> 1d ``` 1. If you have Windows Server nodes, check the status of the agent by running the following command: - `kubectl get ds omsagent-win --namespace=kube-system` + `kubectl get ds ama-logs-windows --namespace=kube-system` - The output should resemble the following example, which indicates that it was deployed properly: + The number of pods should be equal to the number of Windows nodes on the cluster. The output should resemble the following example, which indicates that it was deployed properly: ``` User@aksuser:~$ kubectl get ds ama-logs-windows --namespace=kube-system- NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE - ama-logs-windows 2 2 2 2 2 beta.kubernetes.io/os=windows 1d + NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE + ama-logs-windows 2 2 2 2 2 <none> 1d ``` -1. Check the deployment status with agent version **06072018** or later by using the following command: +1. 
Check the deployment status by using the following command: - `kubectl get deployment ama-logs-rs -n=kube-system` + `kubectl get deployment ama-logs-rs --namespace=kube-system` The output should resemble the following example, which indicates that it was deployed properly: ```- User@aksuser:~$ kubectl get deployment omsagent-rs -n=kube-system - NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE - ama-logs 1 1 1 1 3h + User@aksuser:~$ kubectl get deployment ama-logs-rs --namespace=kube-system + NAME READY UP-TO-DATE AVAILABLE AGE + ama-logs-rs 1/1 1 1 24d ``` 1. Check the status of the pod to verify that it's running by using the command `kubectl get pods --namespace=kube-system`. - The output should resemble the following example with a status of `Running` for the omsagent: + The output should resemble the following example with a status of `Running` for ama-logs: ``` User@aksuser:~$ kubectl get pods --namespace=kube-system To diagnose the problem if you can't view status information or no results are r azure-vote-front-3826909965-30n62 1/1 Running 0 22d ama-logs-484hw 1/1 Running 0 1d ama-logs-fkq7g 1/1 Running 0 1d- ama-logs-windows-6drwq 1/1 Running 0 1d + ama-logs-windows-6drwq 1/1 Running 0 1d ``` 1. If the pods are in a running state, but there is no data in Log Analytics or data appears to only send during a certain part of the day, it might be an indication that the daily cap has been met. When this limit is met each day, data stops ingesting into the Log Analytics Workspace and resets at the reset time. For more information, see [Log Analytics Daily Cap](../../azure-monitor/logs/daily-cap.md#determine-your-daily-cap). |
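Review bot: in the `kubectl get pods` sample, the `ama-logs-windows-6drwq ... Running` line is deleted and re-added with identical content, so that part of the hunk is a whitespace-only change that adds noise; drop it. Separately, both DaemonSet samples now show `<none>` under NODE SELECTOR while the surrounding text tells the reader the pod count should equal the number of Linux (or Windows) nodes; a reader comparing the two will ask how the agent is pinned to an OS without a selector, so a short sentence on how OS targeting is done, or a sample captured from a real cluster, would remove the doubt. The other changes (`omsagent-win` to `ama-logs-windows`, `omsagent-rs` to `ama-logs-rs`, `-n=` to `--namespace=`, the READY column in the deployment output) are consistent with each other.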
azure-monitor | Kubernetes Monitoring Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/kubernetes-monitoring-enable.md | The number of pods should be equal to the number of Linux nodes on the cluster. ```output User@aksuser:~$ kubectl get ds ama-logs --namespace=kube-system-NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -ama-logs 2 2 2 2 2 beta.kubernetes.io/os=linux 1d +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +ama-logs 2 2 2 2 2 <none> 1d ``` **Verify that Windows nodes were deployed properly** ```-kubectl get ds ama-metrics-win-node --namespace=kube-system +kubectl get ds ama-logs-windows --namespace=kube-system ``` The number of pods should be equal to the number of Windows nodes on the cluster. The output should resemble the following example: ```output User@aksuser:~$ kubectl get ds ama-logs-windows --namespace=kube-system-NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -ama-logs-windows 2 2 2 2 2 beta.kubernetes.io/os=windows 1d +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +ama-logs-windows 2 2 2 2 2 <none> 1d ``` **Verify deployment of the Container insights solution** ```-kubectl get deployment ama-logs-rs -n=kube-system +kubectl get deployment ama-logs-rs --namespace=kube-system ``` The output should resemble the following example: ```output-User@aksuser:~$ kubectl get deployment ama-logs-rs -n=kube-system -NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE -ama-logs-rs 1 1 1 1 3h +User@aksuser:~$ kubectl get deployment ama-logs-rs --namespace=kube-system +NAME READY UP-TO-DATE AVAILABLE AGE +ama-logs-rs 1/1 1 1 24d ``` **View configuration with CLI** |
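Review bot: the two verification commands (`kubectl get ds ama-logs-windows --namespace=kube-system` and `kubectl get deployment ama-logs-rs --namespace=kube-system`) sit in untagged fences while every output block uses ```output; tag the command fences (for example ```bash) so they render and copy consistently. The fix from `ama-metrics-win-node` to `ama-logs-windows` is right for this section, since the sample output directly below it is already for `ama-logs-windows`.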
azure-monitor | Data Sources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-sources.md | Title: Sources of data in Azure Monitor -description: Describes the data available to monitor the health and performance of your Azure resources and the applications running on them. + Title: Sources of monitoring data for Azure Monitor and their data collection methods +description: Describes the different types of data that can be collected in Azure Monitor and the method of data collection for each. Previously updated : 11/17/2022 Last updated : 02/23/2024 -# Sources of monitoring data for Azure Monitor +# Sources of monitoring data for Azure Monitor and their data collection methods -Azure Monitor is based on a [common monitoring data platform](data-platform.md) that includes -- [Metrics](essentials/data-platform-metrics.md)-- [Logs](logs/data-platform-logs.md)-- [Traces](app/asp-net-trace-logs.md) -- [Changes](change/change-analysis.md) +Azure Monitor is based on a [common monitoring data platform](data-platform.md) that allows different types of data from multiple types of resources to be analyzed together using a common set of tools. This article describes common sources of monitoring data collected by Azure Monitor and their data collection methods. Use this article as a starting point to understand the option for collecting different types of data being generated in your environment. -This platform allows data from multiple resources to be analyzed together using a common set of tools in Azure Monitor. Monitoring data may also be sent to other locations to support certain scenarios, and some resources may write to other locations before they can be collected into Logs or Metrics. --This article describes common sources of monitoring data collected by Azure Monitor in addition to the monitoring data created by Azure resources. 
Links are provided to detailed information on configuration required to collect this data to different locations. --Some of these data sources use the [new data ingestion pipeline](essentials/data-collection.md) in Azure Monitor. This article will be updated as other data sources transition to this new data collection method. --> [!NOTE] -> Access to data in the Log Analytics Workspaces is governed as outline [here](logs/manage-access.md). -> --## Application tiers --Sources of monitoring data from Azure applications can be organized into tiers, the highest tiers being your application itself and the lower tiers being components of Azure platform. The method of accessing data from each tier varies. The application tiers are summarized in the table below, and the sources of monitoring data in each tier are presented in the following sections. :::image type="content" source="media/overview/overview-simple-20230707-opt.svg" alt-text="Diagram that shows an overview of Azure Monitor with data sources on the left sending data to a central data platform and features of Azure Monitor on the right that use the collected data." border="false" lightbox="media/overview/overview-blowout-20230707-opt.svg"::: -### Azure --The following table briefly describes the application tiers that are specific to Azure. Following the link for further details on each in the sections below. --| Tier | Description | Collection method | -|:|:|:| -| [Azure Tenant](#azure-tenant) | Data about the operation of tenant-level Azure services, such as Microsoft Entra ID. | View Microsoft Entra data in portal or configure collection to Azure Monitor using a tenant diagnostic setting. | -| [Azure subscription](#azure-subscription) | Data related to the health and management of cross-resource services in your Azure subscription such as Resource Manager and Service Health. | View in portal or configure collection to Azure Monitor using a log profile. 
| -| [Azure resources](#azure-resources) | Data about the operation and performance of each Azure resource. | Metrics collected automatically, view in Metrics Explorer.<br>Configure diagnostic settings to collect logs in Azure Monitor.<br>Monitoring solutions and Insights available for more detailed monitoring for specific resource types. | --### Azure, other cloud, or on-premises -The following table briefly describes the application tiers that may be in Azure, another cloud, or on-premises. Following the link for further details on each in the sections below. --| Tier | Description | Collection method | -|:|:|:| -| [Operating system (guest)](#operating-system-guest) | Data about the operating system on compute resources. | Install Azure Monitor agent on virtual machines, scale sets and Arc-enabled servers to collect logs and metrics into Azure Monitor. | -| [Application Code](#application-code) | Data about the performance and functionality of the actual application and code, including performance traces, application logs, and user telemetry. | Instrument your code to collect data into Application Insights. | -| [Custom sources](#custom-sources) | Data from external services or other components or devices. | Collect log or metrics data into Azure Monitor from any REST client. | --## Azure tenant -Telemetry related to your Azure tenant is collected from tenant-wide services such as Microsoft Entra ID. ----<a name='azure-active-directory-audit-logs'></a> --### Microsoft Entra audit logs -[Microsoft Entra ID reporting](../active-directory/reports-monitoring/overview-reports.md) contains the history of sign-in activity and audit trail of changes made within a particular tenant. --| Destination | Description | Reference | -|:|:|:| -| Azure Monitor Logs | Configure Microsoft Entra logs to be collected in Azure Monitor to analyze them with other monitoring data. 
| [Integrate Microsoft Entra logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) | -| Azure Storage | Export Microsoft Entra logs to Azure Storage for archiving. | [Tutorial: Archive Microsoft Entra logs to an Azure storage account](../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md) | -| Event Hubs | Stream Microsoft Entra logs to other locations using Event Hubs. | [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). | --## Azure subscription -Telemetry related to the health and operation of your Azure subscription. ---### Azure Activity log -The [Azure Activity log](essentials/platform-logs-overview.md) includes service health records along with records on any configuration changes made to the resources in your Azure subscription. The Activity log is available to all Azure resources and represents their _external_ view. --| Destination | Description | Reference | -|:|:|:| -| Activity log | The Activity log is collected into its own data store that you can view from the Azure Monitor menu or use to create Activity log alerts. |[Query the Activity log with the Azure portal](essentials/activity-log.md#view-the-activity-log) | -| Azure Monitor Logs | Configure Azure Monitor Logs to collect the Activity log to analyze it with other monitoring data. | [Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor](essentials/activity-log.md) | -| Azure Storage | Export the Activity log to Azure Storage for archiving. | [Archive Activity log](essentials/resource-logs.md#send-to-azure-storage) | -| Event Hubs | Stream the Activity log to other locations using Event Hubs | [Stream Activity log to Event Hubs](essentials/resource-logs.md#send-to-azure-event-hubs). 
| --### Azure Service Health -[Azure Service Health](../service-health/service-health-overview.md) provides information about the health of the Azure services in your subscription that your application and resources rely on. --| Destination | Description | Reference | -|:|:|:| -| Activity log<br>Azure Monitor Logs | Service Health records are stored in the Azure Activity log, so you can view them in the Azure portal or perform any other activities you can perform with the Activity log. | [View service health notifications by using the Azure portal](../service-health/service-notifications.md) | --### Azure Monitor Change Analysis --[Change Analysis](./change/change-analysis.md) provides insights into your Azure application changes, increases observability, and reduces mean time to repair. --| Destination | Description | Reference | -| -- | -- | | -| Azure Resource Manager control plane changes | Change Analysis provides a historical record of how the Azure resources that host your application have changed over time, using Azure Resource Graph | [Resources | Get Changes](../governance/resource-graph/how-to/get-resource-changes.md) | -| Resource configurations and settings changes | Change Analysis securely queries and computes IP Configuration rules, TLS settings, and extension versions to provide more change details in the app. | [Azure Resource Manager configuration changes](./change/change-analysis.md#azure-resource-manager-resource-properties-changes) | -| Web app in-guest changes | Every 30 minutes, Change Analysis captures the deployment and configuration state of an application. | [Diagnose and solve problems tool for Web App](./change/change-analysis-visualizations.md#diagnose-and-solve-problems-tool-for-web-app) | +> [!IMPORTANT] +> There is a cost for collecting and retaining most types of data in Azure Monitor. To minimize your cost, ensure that you don't collect any more data than you require and that your environment is configured to optimize your costs. 
See [Cost optimization in Azure Monitor](best-practices-cost.md) for a summary of recommendations. ## Azure resources-Metrics and resource logs provide information about the _internal_ operation of Azure resources. These are available for most Azure services, and monitoring solutions and insights collect additional data for particular services. +Most resources in Azure generate the monitoring data described in the following table. Some services will also have additional data that can be collected by enabling other features of Azure Monitor (described in other sections in this article). Regardless of the services that you're monitoring though, you should start by understanding and configuring collection of this data. +Create diagnostic settings for each of the following data types can be sent to a Log Analytics workspace, archived to a storage account, or streamed to an event hub to send it to services outside of Azure. See [Create diagnostic settings in Azure Monitor](essentials/create-diagnostic-settings.md). --### Platform metrics -Most Azure services will send [platform metrics](essentials/data-platform-metrics.md) that reflect their performance and operation directly to the metrics database. The specific [metrics will vary for each type of resource](essentials/metrics-supported.md). --| Destination | Description | Reference | +| Data type | Description | Data collection method | |:|:|:|-| Azure Monitor Metrics | Platform metrics will write to the Azure Monitor metrics database with no configuration. Access platform metrics from Metrics Explorer. | [Analyze metrics with Azure Monitor metrics explorer](essentials/analyze-metrics.md) <br>[Supported metrics with Azure Monitor](essentials/metrics-supported.md) | -| Azure Monitor Logs | Copy platform metrics to Logs for trending and other analysis using Log Analytics. 
| [Azure diagnostics direct to Log Analytics](essentials/resource-logs.md#send-to-log-analytics-workspace) | -| Azure Monitor Change Analysis | Change Analysis detects various types of changes, from the infrastructure layer through application deployment. | [Use Change Analysis in Azure Monitor](./change/change-analysis.md) | -| Event Hubs | Stream metrics to other locations using Event Hubs. |[Stream Azure monitoring data to an event hub for consumption by an external tool](essentials/stream-monitoring-data-event-hubs.md) | +| Activity log | The Activity log provides insight into subscription-level events for Azure services including service health records and configuration changes. | Collected automatically. View in the Azure portal or create a diagnostic setting to send it to other destinations. Can be collected in Log Analytics workspace at no charge. See [Azure Monitor activity log](essentials/activity-log.md). | +| Platform metrics | Platform metrics are numerical values that are automatically collected at regular intervals for different aspects of a resource. The specific metrics will vary for each type of resource. | Collected automatically and stored in [Azure Monitor Metrics](./essentials/data-platform-metrics.md). View in metrics explorer or create a diagnostic setting to send it to other destinations. See [Azure Monitor Metrics overview](essentials/data-platform-metrics.md) and [Supported metrics with Azure Monitor](/azure/azure-monitor/reference/supported-metrics/metrics-index) for a list of metrics for different services. | +| Resource logs | Provide insight into operations that were performed within an Azure resource. The content of resource logs varies by the Azure service and resource type. | You must create a diagnostic setting to collect resources logs. See [Azure resource logs](essentials/resource-logs.md) and [Supported services, schemas, and categories for Azure resource logs](essentials/resource-logs-schema.md) for details on each service. 
| -### Resource logs -[Resource logs](essentials/platform-logs-overview.md) provide insights into the _internal_ operation of an Azure resource. Resource logs are created automatically, but you must create a diagnostic setting to specify a destination for them to be collected for each resource. -The configuration requirements and content of resource logs vary by resource type, and not all services yet create them. See [Supported services, schemas, and categories for Azure resource logs](essentials/resource-logs-schema.md) for details on each service and links to detailed configuration procedures. If the service isn't listed in this article, then that service doesn't currently create resource logs. +## Microsoft Entra ID +Activity logs in Microsoft Entra ID are similar to the activity logs in Azure Monitor and can also use a diagnostic setting to be sent to a Log Analytics workspace, archived to a storage account, or streamed to an event hub to send it to services outside of Azure. See [Configure Microsoft Entra diagnostic settings for activity logs](/entra/identity/monitoring-health/howto-configure-diagnostic-settings). -| Destination | Description | Reference | +| Data type | Description | Data collection method | |:|:|:|-| Azure Monitor Logs | Send resource logs to Azure Monitor Logs for analysis with other collected log data. | [Collect Azure resource logs in Log Analytics workspace in Azure Monitor](essentials/resource-logs.md#send-to-log-analytics-workspace) | -| Storage | Send resource logs to Azure Storage for archiving. | [Archive Azure resource logs](essentials/resource-logs.md#send-to-azure-storage) | -| Event Hubs | Stream resource logs to other locations using Event Hubs. |[Stream Azure resource logs to an event hub](essentials/resource-logs.md#send-to-azure-event-hubs) | --## Operating system (guest) -Compute resources in Azure, in other clouds, and on-premises have a guest operating system to monitor. 
With the installation of an agent, you can gather telemetry from the guest into Azure Monitor to analyze it with the same monitoring tools as the Azure services themselves. -+| Activity logs | Enable you to assess many aspects of your Microsoft Entra ID environment, including history of sign-in activity, audit trail of changes made within a particular tenant, and activities performed by the provisioning service. | Collected automatically. View in the Azure portal or create a diagnostic setting to send it to other destinations. | +## Virtual machines +Azure virtual machines create the same activity logs and platform metrics as other Azure resources. In addition to this host data though, you need to monitor the guest operating system and the workloads running on it, which requires the [Azure Monitor agent](./agents/agents-overview.md) or [SCOM Managed Instance](./vm/scom-managed-instance-overview.md). The following table includes the most common data to collect from VMs. See [Monitor virtual machines with Azure Monitor: Collect data](./vm/monitor-virtual-machine-data-collection.md) for a more complete description of the different kinds of data you can collect from virtual machines. -### Azure Monitor agent -[Install the Azure Monitor agent](agents/azure-monitor-agent-manage.md) for comprehensive monitoring and management of your Windows or Linux virtual machines, scale sets and Arc-enabled servers. The Azure Monitor agent replaces the Log Analytics agent and Azure diagnostic extension. --| Destination | Description | Reference | +| Data type | Description | Data collection method | |:|:|:|-| Azure Monitor Logs | The Azure Monitor agent allows you to collect logs from data sources that you configure using [data collection rules](agents/data-collection-rule-azure-monitor-agent.md) or from monitoring solutions that provide additional insights into applications running on the machine. These can be sent to one or more Log Analytics workspaces. 
| [Data sources and destinations](agents/azure-monitor-agent-overview.md#data-sources-and-destinations) | -| Azure Monitor Metrics (preview) | The Azure Monitor agent allows you to collect performance counters and send them to Azure Monitor metrics database | [Data sources and destinations](agents/azure-monitor-agent-overview.md#data-sources-and-destinations) | ---### Log Analytics agent -[Install the Log Analytics agent](agents/log-analytics-agent.md) for comprehensive monitoring and management of your Windows or Linux virtual machines. The virtual machine can be running in Azure, another cloud, or on-premises. The Log Analytics agent is still supported but has been replaced by the Azure Monitor agent. --| Destination | Description | Reference | +| Windows Events | Logs for the client operating system and different applications on Windows VMs. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect events and performance counters from virtual machines with Azure Monitor Agent](./agents/data-collection-rule-azure-monitor-agent.md). | +| Syslog | Logs for the client operating system and different applications on Linux VMs. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect Syslog events with Azure Monitor Agent](./agents/data-collection-syslog.md). To use the VM as a Syslog forwarder, see [Tutorial: Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent](../sentinel/forward-syslog-monitor-agent.md) | +| Client Performance data | Performance counter values for the operating system and applications running on the virtual machine. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Azure Monitor Metrics and/or Log Analytics workspace. 
See [Collect events and performance counters from virtual machines with Azure Monitor Agent](./agents/data-collection-rule-azure-monitor-agent.md).<br><br>Enable VM insights to send predefined aggregated performance data to Log Analytics workspace. See [Enable VM Insights overview](./vm/vminsights-enable-overview.md) for installation options. | +| Processes and dependencies | Details about processes running on the machine and their dependencies on other machines and external services. Enables the [map feature in VM insights](vm/vminsights-maps.md). | Enable VM insights on the machine with the *processes and dependencies* option. See [Enable VM Insights overview](./vm/vminsights-enable-overview.md) for installation options. | +| Text logs | Application logs written to a text file. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect logs from a text or JSON file with Azure Monitor Agent](./agents/data-collection-text-log.md). | +| IIS logs | Logs created by Internet Information Service (IIS)\. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect IIS logs with Azure Monitor Agent](./agents/data-collection-iis.md). | +| SNMP traps | Widely deployed management protocol for monitoring and configuring Linux devices and appliances. | See [Collect SNMP trap data with Azure Monitor Agent](./agents/data-collection-snmp-data.md). | +| Management pack data | If you have an existing investment in SCOM, you can migrate to the cloud while retaining your investment in existing management packs using [SCOM MI](./vm/scom-managed-instance-overview.md). | SCOM MI stores data collected by management packs in an instance of SQL MI. See [Configure Log Analytics for Azure Monitor SCOM Managed Instance](/system-center/scom/configure-log-analytics-for-scom-managed-instance) to send this data to a Log Analytics workspace. 
| ++## Kubernetes cluster +Azure Kubernetes Service (AKS) clusters create the same activity logs and platform metrics as other Azure resources. In addition to this host data though, they generate a common set of cluster logs and metrics that you can collect from your AKS clusters and Arc-enabled Kubernetes clusters. ++| Data type | Description | Data collection method | |:|:|:|-| Azure Monitor Logs | The Log Analytics agent connects to Azure Monitor either directly or through System Center Operations Manager and allows you to collect data from data sources that you configure or from monitoring solutions that provide additional insights into applications running on the virtual machine. | [Agent data sources in Azure Monitor](agents/agent-data-sources.md)<br>[Connect Operations Manager to Azure Monitor](agents/om-agents.md) | +| Cluster Metrics | Usage and performance data for the cluster, nodes, deployments, and workloads. | Enable managed Prometheus for the cluster to send cluster metrics to an [Azure Monitor workspace](./essentials/azure-monitor-workspace-overview.md). See [Enable Prometheus and Grafana](./containers/kubernetes-monitoring-enable.md#enable-prometheus-and-grafana) for onboarding and [Default Prometheus metrics configuration in Azure Monitor](containers/prometheus-metrics-scrape-default.md) for a list of metrics that are collected by default. | +| Logs | Standard Kubernetes logs including events for the cluster, nodes, deployments, and workloads. | Enable Container insights for the cluster to send container logs to a Log Analytics workspace. See [Enable Container insights](./containers/kubernetes-monitoring-enable.md#enable-container-insights) for onboarding and [Configure data collection in Container insights using data collection rule](./containers/container-insights-data-collection-dcr.md) to configure which logs will be collected. 
| -### Azure diagnostic extension -Enabling the Azure diagnostics extension for Azure Virtual machines allows you to collect logs and metrics from the guest operating system of Azure compute resources including Azure Cloud Service (classic) Web and Worker Roles, Virtual Machines, Virtual Machine Scale Sets, and Service Fabric. -| Destination | Description | Reference | -|:|:|:| -| Storage | Azure diagnostics extension always writes to an Azure Storage account. | [Install and configure Azure diagnostics extension (WAD)](agents/diagnostics-extension-windows-install.md)<br>[Use Linux Diagnostic Extension to monitor metrics and logs](../virtual-machines/extensions/diagnostics-linux.md) | -| Azure Monitor Metrics (preview) | When you configure the Diagnostics Extension to collect performance counters, they are written to the Azure Monitor metrics database. | [Send Guest OS metrics to the Azure Monitor metric store using a Resource Manager template for a Windows virtual machine](essentials/collect-custom-metrics-guestos-resource-manager-vm.md) | -| Event Hubs | Configure the Diagnostics Extension to stream the data to other locations using Event Hubs. | [Streaming Azure Diagnostics data by using Event Hubs](agents/diagnostics-extension-stream-event-hubs.md)<br>[Use Linux Diagnostic Extension to monitor metrics and logs](../virtual-machines/extensions/diagnostics-linux.md) | -| Application Insights Logs | Collect logs and performance counters from the compute resource supporting your application to be analyzed with other application data. | [Send Cloud Service, Virtual Machine, or Service Fabric diagnostic data to Application Insights](agents/diagnostics-extension-to-application-insights.md) | +## Application +Application monitoring in Azure Monitor is done with [Application Insights](/azure/application-insights/), which collects data from applications running on various platforms in Azure, another cloud, or on-premises. 
When you enable Application Insights for an application, it collects metrics and logs related to the performance and operation of the application and stores it in the same Azure Monitor data platform used by other data sources. +See [Application Insights overview](./app/app-insights-overview.md) for further details about the data that Application insights collected and links to articles on onboarding your application. -### VM insights -[VM insights](vm/vminsights-overview.md) provides a customized monitoring experience for virtual machines providing features beyond core Azure Monitor functionality. It requires a Dependency Agent on Windows and Linux virtual machines that integrates with the Log Analytics agent to collect discovered data about processes running on the virtual machine and external process dependencies. -| Destination | Description | Reference | +| Data type | Description | Data collection method | |:|:|:|-| Azure Monitor Logs | Stores data about processes and dependencies on the agent. | [Using VM insights Map to understand application components](vm/vminsights-maps.md) | ----## Application Code -Detailed application monitoring in Azure Monitor is done with [Application Insights](/azure/application-insights/), which collects data from applications running on various platforms. The application can be running in Azure, another cloud, or on-premises. ---+| Logs | Operational data about your application including page views, application requests, exceptions, and traces. Also includes dependency information between application components to support Application Map and telemetry correlation. | Application logs are stored in a Log Analytics workspace that you select as part of the onboarding process. | +| Metrics | Numeric data measuring the performance of your application and user requests measured over intervals of time. | Metric data is stored in both Azure Monitor Metrics and the Log Analytics workspace. 
| +| Traces | Traces are a series of related events tracking end-to-end requests through the components of your application. | Traces are stored in the Log Analytics workspace for the app. | -### Application data -When you enable Application Insights for an application by installing an instrumentation package, it collects metrics and logs related to the performance and operation of the application. Application Insights stores the data it collects in the same Azure Monitor data platform used by other data sources. It includes extensive tools for analyzing this data, but you can also analyze it with data from other sources using tools such as Metrics Explorer, Log Analytics, and Change Analysis. --| Destination | Description | Reference | -|:|:|:| -| Azure Monitor Logs | Operational data about your application including page views, application requests, exceptions, and traces. | [Analyze log data in Azure Monitor](logs/log-query-overview.md) | -| | Dependency information between application components to support Application Map and telemetry correlation. | [Telemetry correlation in Application Insights](app/distributed-trace-data.md) <br> [Application Map](app/app-map.md) | -| | Results of availability tests that test the availability and responsiveness of your application from different locations on the public Internet. | [Monitor availability and responsiveness of any web site](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability) | -| Azure Monitor Metrics | Application Insights collects metrics describing the performance and operation of the application in addition to custom metrics that you define in your application into the Azure Monitor metrics database. 
| [Log-based and pre-aggregated metrics in Application Insights](app/pre-aggregated-metrics-log-metrics.md)<br>[Application Insights API for custom events and metrics](app/api-custom-events-metrics.md) | -| Azure Monitor Change Analysis | Change Analysis detects and provides insights on various types of changes in your application. | [Use Change Analysis in Azure Monitor](./change/change-analysis.md) | -| Azure Storage | Send application data to Azure Storage for archiving. | [Export telemetry from Application Insights](/previous-versions/azure/azure-monitor/app/export-telemetry) | -| | Details of availability tests are stored in Azure Storage. Use Application Insights in the Azure portal to download for local analysis. Results of availability tests are stored in Azure Monitor Logs. | [Monitor availability and responsiveness of any web site](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability) | -| | Profiler trace data is stored in Azure Storage. Use Application Insights in the Azure portal to download for local analysis. | [Profile production applications in Azure with Application Insights](app/profiler-overview.md) -| | Debug snapshot data that is captured for a subset of exceptions is stored in Azure Storage. Use Application Insights in the Azure portal to download for local analysis. | [How snapshots work](app/snapshot-debugger.md#how-snapshots-work) | --## Insights -[Insights](insights/insights-overview.md) collect data to provide additional insights into the operation of a particular service or application. They may address resources in different application tiers and even multiple tiers. ---### Container insights -[Container insights](containers/container-insights-overview.md) provides a customized monitoring experience for [Azure Kubernetes Service (AKS)](../aks/index.yml). It collects additional data about these resources described in the following table. 
--| Destination | Description | Reference | -|:|:|:| -| Azure Monitor Logs | Stores monitoring data for AKS including inventory, logs, and events. Metric data is also stored in Logs in order to leverage its analysis functionality in the portal. | [Understand AKS cluster performance with Container insights](containers/container-insights-analyze.md) | -| Azure Monitor Metrics | Metric data is stored in the metric database to drive visualization and alerts. | [View container metrics in metrics explorer](containers/container-insights-analyze.md#view-container-metrics-in-metrics-explorer) | -| Azure Kubernetes Service | Provides direct access to your Azure Kubernetes Service (AKS) container logs (stdout/stderror), events, and pod metrics in the portal. | [How to view Kubernetes logs, events, and pod metrics in real-time](containers/container-insights-livedata-overview.md) | --### VM insights -[VM insights](vm/vminsights-overview.md) provides a customized experience for monitoring virtual machines. A description of the data collected by VM insights is included in the [Operating System (guest)](#operating-system-guest) section above. ## Custom sources-In addition to the standard tiers of an application, you may need to monitor other resources that have telemetry that can't be collected with the other data sources. For these resources, write this data to either Metrics or Logs using an Azure Monitor API. ---+For any monitoring data that you can't collect with the other methods described in this article, you can use the APIs in the following table to send data to Azure Monitor. -| Destination | Method | Description | Reference | -|:|:|:|:| -| Azure Monitor Logs | Logs ingestion API | Collect log data from any REST client and store in Log Analytics workspace using a data collection rule. | [Logs ingestion API in Azure Monitor](logs/logs-ingestion-api-overview.md) | -| | Data Collector API | Collect log data from any REST client and store in Log Analytics workspace. 
| [Send log data to Azure Monitor with the HTTP Data Collector API (preview)](logs/data-collector-api.md) | -| Azure Monitor Metrics | Custom Metrics API | Collect metric data from any REST client and store in Azure Monitor metrics database. | [Send custom metrics for an Azure resource to the Azure Monitor metric store by using a REST API](essentials/metrics-store-custom-rest-api.md) | ---## Other services -Other services in Azure write data to the Azure Monitor data platform. This allows you to analyze data collected by these services with data collected by Azure Monitor and apply the same analysis and visualization tools. +| Data type | Description | Data collection method | +|:|:|:| +| Logs | Collect log data from any REST client and store in Log Analytics workspace. | Create a data collection rule to define destination workspace and any data transformations. See [Logs ingestion API in Azure Monitor](logs/logs-ingestion-api-overview.md). | +| Metrics | Collect custom metrics for Azure resources from any REST client. | See [Send custom metrics for an Azure resource to the Azure Monitor metric store by using a REST API](essentials/metrics-store-custom-rest-api.md). | -| Service | Destination | Description | Reference | -|:|:|:|:| -| [Microsoft Defender for Cloud](../security-center/index.yml) | Azure Monitor Logs | Microsoft Defender for Cloud stores the security data it collects in a Log Analytics workspace, which allows it to be analyzed with other log data collected by Azure Monitor. | [Data collection in Microsoft Defender for Cloud](../security-center/security-center-enable-data-collection.md) | -| [Microsoft Sentinel](../sentinel/index.yml) | Azure Monitor Logs | Microsoft Sentinel stores the data it collects from different data sources in a Log Analytics workspace, which allows it to be analyzed with other log data collected by Azure Monitor. | [Connect data sources](../sentinel/quickstart-onboard.md) | ## Next steps |
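Review bot: grammar slip in the added Application section, in the line "+See [Application Insights overview](./app/app-insights-overview.md) for further details about the data that Application insights collected": it should read "the data that Application Insights collects" (present tense, product name capitalized consistently with the rest of the article). Same hunk, the new "Data type | Description | Data collection method" tables under Kubernetes cluster, Application and Custom sources use a "|:|:|:|" alignment row; confirm the source has the usual "|:---|:---|:---|" form so the tables render.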
azure-monitor | Stream Monitoring Data Event Hubs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/stream-monitoring-data-event-hubs.md | Before you configure streaming for any data source, you need to [create an Event * Outbound port 5671 and 5672 must typically be opened on the computer or virtual network consuming data from the event hub. ## Monitoring data available-[Sources of monitoring data for Azure Monitor](../data-sources.md) describes the data tiers for Azure applications and the kinds of data available for each. The following table provides a description of how different types of data can be streamed to an event hub. Follow the links provided for further detail. --| Tier | Data | Method | -|:|:|:| -| [Azure tenant](../data-sources.md#azure-tenant) | Microsoft Entra audit logs | Configure a tenant diagnostic setting on your Microsoft Entra tenant. For more information, see [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). | -| [Azure subscription](../data-sources.md#azure-subscription) | Azure activity log | [Create a diagnostic setting](./create-diagnostic-settings.md) to export activity log events to event hubs. For more information, see [Stream Azure platform logs to Azure event hubs](../essentials/resource-logs.md#send-to-azure-event-hubs). | -| [Azure resources](../data-sources.md#azure-resources) | Platform metrics<br> Resource logs | [Create a diagnostic setting](./create-diagnostic-settings.md) to export resource logs and metrics to event hubs. For more information, see [Stream Azure platform logs to Azure event hubs](../essentials/resource-logs.md#send-to-azure-event-hubs). 
| -| [Operating system (guest)](../data-sources.md#operating-system-guest) | Azure virtual machines | Install the [Azure Diagnostics extension](../agents/diagnostics-extension-overview.md) on Windows and Linux virtual machines in Azure. For more information, see [Streaming Azure Diagnostics data in the hot path by using event hubs](../agents/diagnostics-extension-stream-event-hubs.md) for details on Windows VMs. See [Use Linux Diagnostic extension to monitor metrics and logs](../../virtual-machines/extensions/diagnostics-linux.md#protected-settings) for details on Linux VMs. | -| [Application code](../data-sources.md#application-code) | Application Insights | Use diagnostic settings to stream to event hubs. This tier is only available with workspace-based Application Insights resources. For help with setting up workspace-based Application Insights resources, see [Workspace-based Application Insights resources](../app/create-workspace-resource.md#workspace-based-application-insights-resources) and [Migrate to workspace-based Application Insights resources](../app/convert-classic-resource.md#migrate-to-workspace-based-application-insights-resources).| +[Sources of monitoring data for Azure Monitor and their data collection methods](../data-sources.md) describes the different kinds of data collected by Azure Monitor and the methods used to collect them. See that article for that data that can be streamed to an event hub and links to configuration details. + ## Stream diagnostics data |
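Review bot: typo in the replacement paragraph, "+[Sources of monitoring data for Azure Monitor and their data collection methods](../data-sources.md) ... See that article for that data that can be streamed to an event hub": "for that data" should be "for the data". Since the per-tier table (with its Event Hubs configuration links for Entra logs, activity log, diagnostic settings, the Diagnostics extension and workspace-based Application Insights) is being removed from this page, confirm the target article actually carries those configuration links, otherwise readers lose the event hub specific guidance.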
azure-netapp-files | Application Volume Group Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-considerations.md | This article describes the requirements and considerations you need to be aware * You must create a proximity placement group (PPG) and anchor it to your SAP HANA compute resources. Application volume group for SAP HANA needs this setup to search for an Azure NetApp Files resource that is close to the SAP HANA servers. For more information, see [Best practices about Proximity Placement Groups](#best-practices-about-proximity-placement-groups) and [Create a Proximity Placement Group using the Azure portal](../virtual-machines/windows/proximity-placement-groups-portal.md). >[!NOTE]- >Do not delete the PPG. Deleting a PPG will remove the pinning and can cause subsequent volume groups to be created in sub-optimal locations which could lead to increased latency. + >Do not delete the PPG. Deleting a PPG removes the pinning and can cause subsequent volume groups to be created in sub-optimal locations which could lead to increased latency. * You must complete your sizing and SAP HANA system architecture, including the following areas: * SAP ID (SID) This article describes the requirements and considerations you need to be aware It is recommended that you lay out the VNet and delegated subnet at design time. - Application volume group for SAP HANA will create multiple IP addresses, up to six IP addresses for larger-sized estates. Ensure that the delegated subnet has sufficient free IP addresses. Consider using a delegated subnet with a minimum of 59 IP addresses with a subnet size of /26. See [Considerations about delegating a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md#considerations). + Application volume group for SAP HANA create multiple IP addresses, up to six IP addresses for larger-sized estates. 
Ensure that the delegated subnet has sufficient free IP addresses. Consider using a delegated subnet with a minimum of 59 IP addresses with a subnet size of /26. See [Considerations about delegating a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md#considerations). ++* Application volume group for SAP HANA only supports [Basic network features](azure-netapp-files-network-topologies.md). You should not edit network features for volumes in an application volume group. >[!IMPORTANT] >The use of application volume group for SAP HANA for applications other than SAP HANA is not supported. Reach out to your Azure NetApp Files specialist for guidance on using Azure NetApp Files multi-volume layouts with other database applications. |
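Review bot: subject-verb agreement error introduced by the tense change, "+ Application volume group for SAP HANA create multiple IP addresses, up to six IP addresses for larger-sized estates.": dropping "will" requires "creates". The added bullet "+* Application volume group for SAP HANA only supports [Basic network features]... You should not edit network features for volumes in an application volume group." is consistent with the IMPORTANT callout added in the Configure Network Features row.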
azure-netapp-files | Azure Netapp Files Network Topologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-network-topologies.md | Azure NetApp Files volumes are designed to be contained in a special purpose sub ### Supported regions -<a name="regions-standard-network-features"></a>Azure NetApp Files *Standard network features* are supported for the following regions: +<a name="regions-standard-network-features"></a>The option to set Standard network features on new volumes and to modify network features for existing volumes is available in the following regions: * Australia Central * Australia Central 2 Azure NetApp Files volumes are designed to be contained in a special purpose sub * West US 2 * West US 3 -<a name="regions-edit-network-features"></a>The option to *[edit network features for existing volumes](configure-network-features.md#edit-network-features-option-for-existing-volumes)* is supported for the following regions: --* Australia Central -* Australia Central 2 -* Australia East -* Australia Southeast -* Brazil South -* Brazil Southeast -* Canada Central -* Canada East -* Central India -* Central US -* East Asia -* East US* -* East US 2 -* France Central -* Germany North -* Germany West Central -* Japan East -* Japan West -* Korea Central -* Korea South -* North Central US -* North Europe -* Norway East -* Norway West -* Qatar Central -* South Africa North -* South Central US* -* South India -* Southeast Asia -* Sweden Central -* Switzerland North -* Switzerland West -* UAE Central -* UAE North -* UK South -* UK West -* US Gov Arizona -* US Gov Texas -* US Gov Virginia -* West Europe -* West US -* West US 2* -* West US 3 --\* Not all volume in this region are available for conversion. All volumes will be available for conversion in the future. - ## Considerations You should understand a few considerations when you plan for Azure NetApp Files network. |
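Review bot: the removed region list carried a footnote, "-\* Not all volume in this region are available for conversion. All volumes will be available for conversion in the future.", marking East US, South Central US and West US 2; the replacement sentence "+<a name="regions-standard-network-features"></a>The option to set Standard network features on new volumes and to modify network features for existing volumes is available in the following regions:" drops that caveat entirely. If the partial-conversion restriction still applies in those regions, keep the asterisk and footnote; if it no longer applies, say so in the commit description. Also note the "regions-edit-network-features" anchor is deleted; the Configure Network Features and What's New rows retarget their links to "#supported-regions", so any other page still linking to the old anchor needs the same update.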
azure-netapp-files | Configure Network Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-network-features.md | The **Network Features** functionality enables you to indicate whether you want This article helps you understand the options and shows you how to configure network features. -The **Network Features** functionality isn't available in Azure Government regions. See [supported regions](azure-netapp-files-network-topologies.md#supported-regions) for a full list. +See [supported regions](azure-netapp-files-network-topologies.md#supported-regions) for a full list. ## Options for network features Two settings are available for network features: * When you change the network features option of existing volumes from Basic to Standard network features, access to existing Basic networking volumes might be lost if your UDR or NSG implementations prevent the Basic networking volumes from connecting to DNS and domain controllers. You might also lose the ability to update information, such as the site name, in the Active Directory connector if all volumes canΓÇÖt communicate with DNS and domain controllers. For guidance about UDRs and NSGs, see [Configure network features for an Azure NetApp Files volume](azure-netapp-files-network-topologies.md#udrs-and-nsgs). >[!NOTE]-> The networking features of the DP volume will not be affected by changing the source volume from basic to standard network features. +> The networking features of the DP volume are not affected by changing the source volume from Basic to Standard network features. ## <a name="set-the-network-features-option"></a>Set network features option during volume creation This section shows you how to set the network features option when you create a You can edit the network features option of existing volumes from *Basic* to *Standard* network features. The change you make applies to all volumes in the same *network sibling set* (or *siblings*). 
Siblings are determined by their network IP address relationship. They share the same NIC for mounting the volume to the client or connecting to the SMB share of the volume. At the creation of a volume, its siblings are determined by a placement algorithm that aims for reusing the IP address where possible. +The edit network features option is available in [all regions that support Standard network features](azure-netapp-files-network-topologies.md#supported-regions). + >[!IMPORTANT] >It's not recommended that you use the edit network features option with Terraform-managed volumes due to risks. You must follow separate instructions if you use Terraform-managed volumes. For more information see, [Update Terraform-managed Azure NetApp Files volume from Basic to Standard](#update-terraform-managed-azure-netapp-files-volume-from-basic-to-standard). -See [regions supported for this feature](azure-netapp-files-network-topologies.md#regions-edit-network-features). +>[!IMPORTANT] +>You should not use the edit network features option for an [application volume group for SAP HANA](application-volume-group-introduction.md). Application volume group for SAP HANA only supports Basic network features. > [!NOTE] > You need to submit a waitlist request for accessing the feature through the **[Azure NetApp Files standard networking features (edit volumes) Request Form](https://aka.ms/anfeditnetworkfeaturespreview)**. The feature can take approximately one week to be enabled after you submit the waitlist request. You can check the status of feature registration by using the following command: |
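Review bot: the surviving sentence "+See [supported regions](azure-netapp-files-network-topologies.md#supported-regions) for a full list." has lost its referent now that the preceding "isn't available in Azure Government regions" sentence is removed; spell out "for a full list of regions where network features are available". The new IMPORTANT callout about application volume groups for SAP HANA is a good addition; consider placing it before the Terraform callout since it is the broader restriction.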
azure-netapp-files | Create Active Directory Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md | Several features of Azure NetApp Files require that you have an Active Directory This feature is used for installing SQL Server in certain scenarios where a non-administrator AD DS domain account must temporarily be granted elevated security privilege. >[!NOTE]- > Using the Security privilege users feature relies on the [SMB Continuous Availability Shares feature](azure-netapp-files-create-volumes-smb.md#continuous-availability). SMB Continuous Availability is **not** supported on custom applications. It is only supported for workloads using Citrix App Laying, [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md), and Microsoft SQL Server (not Linux SQL Server). + > Using the Security privilege users feature relies on the [SMB Continuous Availability Shares feature](azure-netapp-files-create-volumes-smb.md#continuous-availability). SMB Continuous Availability is **not** supported on custom applications. It is only supported for workloads using Citrix App Layering, [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md), and Microsoft SQL Server (not Linux SQL Server). > [!IMPORTANT] > Using the **Security privilege users** feature requires that you submit a waitlist request through the **[Azure NetApp Files SMB Continuous Availability Shares Public Preview waitlist submission page](https://aka.ms/anfsmbcasharespreviewsignup)**. Wait for an official confirmation email from the Azure NetApp Files team before using this feature. |
azure-netapp-files | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md | Azure NetApp Files is updated regularly. This article provides a summary about t ## February 2024 +* [Volume and protocol enhancement](understand-volume-languages.md): extended language support for file and path names ++ Azure NetApp Files uses a default volume language of C.UTF-8, which provides POSIX compliant UTF-8 encoding for character sets. The C.UTF-8 language natively supports characters with a size of 0-3 bytes, which includes a majority of the worldΓÇÖs languages on the Basic Multilingual Plane (BMP) (including Japanese, German, and most of Hebrew and Cyrillic). + + Azure NetApp Files now supports characters outside of the BMP using surrogate pair logic, where multiple character byte sets are combined to form new characters. Emoji symbols, for example, fall into this category and are now supported in Azure NetApp Files. ++ To learn more about languages and special character handling in Azure NetApp Files volumes, see [Understand volume languages in Azure NetApp Files](understand-volume-languages.md). + + To learn more about file path lengths in relation to language and character handling in Azure NetApp Files volumes, see [Understand path lengths in Azure NetApp Files](understand-path-lengths.md). + * [Customer-managed keys enhancement:](configure-customer-managed-keys.md) automated managed system identity (MSI) support Azure NetApp Files is updated regularly. 
This article provides a summary about t ## January 2024 -* [Standard network features - Edit volumes available in US Gov regions](azure-netapp-files-network-topologies.md#regions-edit-network-features) (Preview) +* [Standard network features - Edit volumes available in US Gov regions](azure-netapp-files-network-topologies.md#supported-regions) (Preview) Azure NetApp Files now supports the capability to edit network features of existing volumes in US Gov Arizona, US Gov Texas, and US Gov Texas. This capability provides an enhanced, more standard, Microsoft Azure Virtual Network experience through various security and connectivity features that are available on Virtual Networks to Azure services. This feature is in preview in commercial and US Gov regions. Azure NetApp Files is updated regularly. This article provides a summary about t * Connectivity over Active/Active VPN gateway setup * [ExpressRoute FastPath](../expressroute/about-fastpath.md) connectivity to Azure NetApp Files - This feature is now in public preview, currently available in [16 Azure regions](azure-netapp-files-network-topologies.md#regions-edit-network-features). It will roll out to other regions. Stay tuned for further information as more regions become available. + This feature is now in public preview, currently available in [16 Azure regions](azure-netapp-files-network-topologies.md#supported-regions). It will roll out to other regions. Stay tuned for further information as more regions become available. * [Azure Application Consistent Snapshot tool (AzAcSnap) 8 (GA)](azacsnap-introduction.md) |
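Review bot: the retargeted link "+ This feature is now in public preview, currently available in [16 Azure regions](azure-netapp-files-network-topologies.md#supported-regions)." now points at a region list that is much longer than 16 entries (the list removed in the Network Topologies row has over forty), so the link text no longer matches its target; either reword to "in the supported regions" or keep the historical count without a link. In the same entry the unchanged context line "in US Gov Arizona, US Gov Texas, and US Gov Texas" names US Gov Texas twice; the removed region list shows US Gov Arizona, US Gov Texas and US Gov Virginia, so the second entry looks like a typo for US Gov Virginia.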
azure-resource-manager | Deployment Stacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/deployment-stacks.md | Title: Create & deploy deployment stacks in Bicep description: Describes how to create deployment stacks in Bicep. Previously updated : 01/03/2024 Last updated : 02/23/2024 # Deployment stacks (Preview) Deployment stacks provide the following benefits: - Efficient environment cleanup by employing delete flags during deployment stack updates. - Utilizing standard templates such as Bicep, ARM templates, or Template specs for your deployment stacks. +### Known limitations ++- Implicitly created resources aren't managed by the stack. Therefore, no deny assignments or cleanup is possible. +- Deny assignments don't support tags. +- Deployment stacks cannot delete Key vault secrets. If you're removing key vault secrets from a template, make sure to also execute the deployment stack update/delete command with detach mode. + ### Known issues - Deleting resource groups currently bypasses deny assignments. When creating a deployment stack in the resource group scope, the Bicep file doesn't contain the definition for the resource group. Despite the deny assignment setting, it's possible to delete the resource group and its contained stack. However, if a [lock](../management/lock-resources.md) is active on any resource within the group, the delete operation will fail.-- Implicitly created resources aren't managed by the stack. Therefore, no deny assignments or cleanup is possible. - [What-if](./deploy-what-if.md) isn't available in the preview.-- Management group scoped deployment stacks can only deploy the template to subscription.-- When using the Azure CLI create command to modify an existing stack, the deployment process continues regardless of whether you choose _n_ for a prompt. 
To halt the procedure, use _[CTRL] + C_.-- If you create or modify a deployment stack in the Azure portal, deny settings will be overwritten (support for deny settings in the Azure portal is currently in progress).-- Management group deployment stacks are not yet available in the Azure portal.+- A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription. ## Create deployment stacks |
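Review bot: the new limitation "+- Deployment stacks cannot delete Key vault secrets. If you're removing key vault secrets from a template, make sure to also execute the deployment stack update/delete command with detach mode." does not say what happens when detach mode is not used (whether the operation fails, or the secrets are left in place but unmanaged); state the outcome so readers can judge the risk, and use one spelling ("key vault" or "Key Vault") across the two sentences. Style: the surrounding bullets use contractions ("aren't", "don't"), so "cannot" should be "can't". Moving "Implicitly created resources aren't managed by the stack" from Known issues to Known limitations is appropriate, since it is a design boundary rather than a bug.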
azure-resource-manager | Move Support Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-support-resources.md | Before starting your move operation, review the [checklist](./move-resource-grou > | b2cdirectories | **Yes** | **Yes** | No | > | b2ctenants | No | No | No | +## Microsoft.AzureArcData ++> [!div class="mx-tableFixed"] +> | Resource type | Resource group | Subscription | Region move | +> | - | -- | - | -- | +> | SqlServerInstances | No | No | No | + ## Microsoft.AzureData > [!div class="mx-tableFixed"] |
azure-vmware | Azure Vmware Solution Platform Updates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/azure-vmware-solution-platform-updates.md | Last updated 12/21/2023 Microsoft regularly applies important updates to the Azure VMware Solution for new features and software lifecycle management. You should receive a notification through Azure Service Health that includes the timeline of the maintenance. For more information, see [Host maintenance and lifecycle management](concepts-private-clouds-clusters.md#host-maintenance-and-lifecycle-management). +## February 2024 ++All new Azure VMware Solution private clouds are being deployed with VMware NSX version 4.1.1. + ## November 2023 **VMware vSphere 8.0** -VMware vSphere 8.0 is targeted for rollout to Azure VMware Solution starting at the end of January 2024. +VMware vSphere 8.0 is targeted for rollout to Azure VMware Solution by Q2 2024. **AV64 SKU** |
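Review bot: the metadata line "Last updated 12/21/2023" is unchanged while a new "+## February 2024" section and the revised vSphere 8.0 timeline are added; bump the date so the page reflects this revision. The new entry "+All new Azure VMware Solution private clouds are being deployed with VMware NSX version 4.1.1." could usefully say whether existing private clouds are being upgraded, which is what operators reading a platform-updates page will ask.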
azure-vmware | Configure Dns Azure Vmware Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-dns-azure-vmware-solution.md | description: Learn how to configure DNS forwarder for Azure VMware Solution usin Previously updated : 12/05/2023-#Customer intent: As an Azure service administrator, I want to <define conditional forwarding rules for a desired domain name to a desired set of private DNS servers via the NSX-T Data Center DNS Service.> Last updated : 2/27/2024+#Customer intent: As an Azure service administrator, I want to <define conditional forwarding rules for a desired domain name to a desired set of private DNS servers via the NSX-T Data Center DNS Service. # Configure a DNS forwarder in the Azure portal This capability uses the DNS Forwarder Service in NSX-T Data Center. A DNS servi >[!TIP] >If desired, you can also use the conditional forwarding rules for workload segments by configuring virtual machines on those segments to use the NSX-T Data Center DNS Service IP address as their DNS server. - ## Architecture The diagram shows that the NSX-T Data Center DNS Service can forward DNS queries to DNS systems hosted in Azure and on-premises environments. :::image type="content" source="media/networking/dns/dns-forwarder-diagram.png" alt-text="Diagram showing that the NSX-T DNS Service can forward DNS queries to DNS systems hosted in Azure and on-premises environments." border="false"::: - ## Configure DNS forwarder 1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DNS** > **DNS zones**. Then select **Add**. The diagram shows that the NSX-T Data Center DNS Service can forward DNS queries >[!TIP] >For private clouds created on or after July 1, 2021, you can ignore the message about a default DNS zone as one is created for you during private cloud creation. 
- >[!IMPORTANT] >While certain operations in your private cloud may be performed from NSX-T Manager, for private clouds created on or after July 1, 2021, you _must_ edit the DNS service from the Simplified Networking experience in the Azure portal for any configuration changes made to the default Tier-1 Gateway. The diagram shows that the NSX-T Data Center DNS Service can forward DNS queries 1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DNS** > **DNS zones** > Check **TNT##-DNS-FORWARDER-ZONE**. Then select **Edit**. ![AVS-DNS](https://user-images.githubusercontent.com/7501186/226980095-b0576824-e1b7-46dc-b726-58670e4e3096.png)- 2. Change DNS server entries to valid reachable IP addresses. Then select **OK** The diagram shows that the NSX-T Data Center DNS Service can forward DNS queries After you configure the DNS forwarder, you have some options available to verify name resolution operations. -### NSX-T Manager +### VMware NSX-T Manager NSX-T Manager provides the DNS Forwarder Service statistics at the global service level and on a per zone basis. NSX-T Manager provides the DNS Forwarder Service statistics at the global servic :::image type="content" source="media/networking/dns/nsxt-manager-dns-services-statistics.png" alt-text="Screenshot showing the DNS Forwarder statistics."::: - ### PowerCLI The NSX-T Policy API lets you run nslookup commands from the NSX-T Data Center DNS Forwarder Service. The required cmdlets are part of the `VMware.VimAutomation.Nsxt` module in PowerCLI. The following example demonstrates output from version 12.3.0 of that module. |
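Review bot: the updated `#Customer intent` line drops the closing `>` of the angle-bracket placeholder (the previous line ended `...NSX-T Data Center DNS Service.>`, the new one ends `...NSX-T Data Center DNS Service.`); restore the `>` or remove both brackets so the intent statement is balanced. The heading rename to `### VMware NSX-T Manager` also leaves the first sentence under it reading "NSX-T Manager provides the DNS Forwarder Service statistics..."; align the product name there as well.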
azure-vmware | Configure Site To Site Vpn Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-site-to-site-vpn-gateway.md | description: Learn how to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site t Previously updated : 12/15/2023 Last updated : 2/27/2024 # Configure a site-to-site VPN in vWAN for Azure VMware Solution You must have a public-facing IP address terminating on an on-premises VPN devic ## Create a virtual hub -A virtual hub is a virtual network that is created and used by Virtual WAN. It's the core of your Virtual WAN network in a region. It can contain gateways for site-to-site and ExpressRoute. +A virtual hub is a virtual network that is created and used by Azure Virtual WAN. It's the core of your Virtual WAN network in a region. It can contain gateways for site-to-site and ExpressRoute. >[!TIP] >You can also [create a gateway in an existing hub](../virtual-wan/virtual-wan-expressroute-portal.md#existinghub). - [!INCLUDE [Create a hub](../../includes/virtual-wan-hub-basics.md)] ## Create a VPN gateway [!INCLUDE [Create a gateway](../../includes/virtual-wan-tutorial-s2s-gateway-include.md)] - ## Create a site-to-site VPN 1. In the Azure portal, select the virtual WAN you created earlier. A virtual hub is a virtual network that is created and used by Virtual WAN. It's >[!NOTE] >If you edit the address space after creating the site (for example, add an additional address space) it can take 8-10 minutes to update the effective routes while the components are recreated. - 1. Select **Links** to add information about the physical links at the branch. If you have a Virtual WAN partner CPE device, check with them to see if this information gets exchanged with Azure as a part of the branch information upload set up from their systems. Specifying link and provider names allow you to distinguish between any number of gateways that can eventually be created as part of the hub. 
[BGP](../vpn-gateway/vpn-gateway-bgp-overview.md) and autonomous system number (ASN) must be unique inside your organization. BGP ensures that both Azure VMware Solution and the on-premises servers advertise their routes across the tunnel. If disabled, the subnets that need to be advertised must be manually maintained. If subnets are missed, HCX fails to form the service mesh. A virtual hub is a virtual network that is created and used by Virtual WAN. It's * **Connected**: Connectivity established between Azure VPN gateway and on-premises VPN site. * **Disconnected**: Typically seen if disconnected for any reason (on-premises or in Azure) -- 1. Download the VPN configuration file and apply it to the on-premises endpoint. 1. On the VPN (Site to site) page, near the top, select **Download VPN Config**. Azure creates a storage account in the resource group 'microsoft-network-\[location\]', where location is the location of the WAN. After you apply the configuration to your VPN devices, you can delete this storage account. A virtual hub is a virtual network that is created and used by Virtual WAN. It's For more information about the configuration file, see [About the VPN device configuration file](../virtual-wan/virtual-wan-site-to-site-portal.md#config-file). + 1. Patch the Azure VMware Solution ExpressRoute in the Virtual WAN hub. + >[!IMPORTANT] >You must first have a private cloud created before you can patch the platform. ->[!IMPORTANT] + >[!IMPORTANT] >You must also have an ExpressRoute Gateway configured as part of your Virtual WAN Hub. + [!INCLUDE [request-authorization-key](includes/request-authorization-key.md)] + 1. Link Azure VMware Solution and the VPN gateway together in the Virtual WAN hub. You use the authorization key and ExpressRoute ID (peer circuit URI) from the previous step. 1. Select your ExpressRoute gateway and then select **Redeem authorization key**. |
azure-vmware | Protect Azure Vmware Solution With Application Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/protect-azure-vmware-solution-with-application-gateway.md | The diagram shows how Application Gateway is used to protect Azure IaaS virtual :::image type="content" source="media/application-gateway/app-gateway-protects.png" alt-text="Diagram showing how Application Gateway protects Azure IaaS virtual machines (VMs), Azure Virtual Machine Scale Sets, or on-premises servers."lightbox="media/application-gateway/app-gateway-protects.png" border="false"::: > [!IMPORTANT]-> Azure Application Gateway is currently the only supported method to expose web apps running on Azure VMware Solution VMs. +> Azure Application Gateway is the preferred method to expose web apps running on Azure VMware Solution VMs. The diagram shows the testing scenario used to validate the Application Gateway with Azure VMware Solution web applications. |
azure-web-pubsub | Concept Client Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-client-protocols.md | The Web PubSub service provides two types of endpoints for clients to connect to Clients connect to the service with a JSON Web Token (JWT). The token can be in either the query string, as `/client/?hub={hub}&access_token={token}`, or the `Authorization` header, as `Authorization: Bearer {token}`. -Here is a general authorization workflow: +Here's a general authorization workflow: 1. The client negotiates with your application server. The application server contains the authorization middleware, which handles the client request and signs a JWT for the client to connect to the service. 1. The application server returns the JWT and the service URL to the client.-1. The client tries to connect to the Web PubSub service by using the URL and the JWT that's returned from the application server. +1. The client tries to connect to the Web PubSub service by using the URL and the JWT token returned from the application server. ++### Supported claims +You could also configure properties for the client connection when generating the access token by specifying special claims inside the JWT token: ++| Description | Claim type | Claim value | Notes | +| | | | | +| The `userId` for the client connection | `sub` | the userId | Only one `sub` claim is allowed. | +| The lifetime of the token | `exp` | the expiration time | The `exp` (expiration time) claim identifies the expiration time on or after which the token MUST NOT be accepted for processing. | +| The [permissions](#permissions) the client connection initially has | `role` | the role value defined in [permissions](#permissions) | Specify multiple `role` claims if the client has multiple permissions. 
| +| The initial groups that the client connection joins once it connects to Azure Web PubSub | `group` | the group to join | Specify multiple `group` claims if the client joins multiple groups. | ++You could also add custom claims into the access token, and these values are preserved as the `claims` property in [connect upstream request body](./reference-cloud-events.md#system-connect-event). ++[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients. <a name="simple_client"></a> var client2 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', ' ## The PubSub WebSocket client -A **PubSub WebSocket client**, is the WebSocket client using subprotocols defined by the Azure Web PubSub service: +A **PubSub WebSocket client** is the WebSocket client using subprotocols defined by the Azure Web PubSub service: * `json.webpubsub.azure.v1` * `protobuf.webpubsub.azure.v1` The **PubSub WebSocket Client** supports `ackId` property for `joinGroup`, `leav #### Behavior when No `ackId` specified -If `ackId` is not specified, it's fire-and-forget. Even there're errors when brokering messages, you have no way to get notified. +If `ackId` isn't specified, it's fire-and-forget. Even there are errors when brokering messages, you have no way to get notified. #### Behavior when `ackId` specified ##### Idempotent publish -`ackId` is a uint64 number and should be unique within a client with the same connection id. Web PubSub Service records the `ackId` and messages with the same `ackId` will be treated as the same message. The service refuses to broker the same message more than once, which is useful in retry to avoid duplicated messages. For example, if a client sends a message with `ackId=5` and fails to receive an ack response with `ackId=5`, then the client retries and sends the same message again. 
In some cases, the message is already brokered and the ack response is lost for some reason, the service will reject the retry and response an ack response with `Duplicate` reason. +`ackId` is a uint64 number and should be unique within a client with the same connection ID. Web PubSub Service records the `ackId` and messages with the same `ackId` are treated as the same message. The service refuses to broker the same message more than once, which is useful in retry to avoid duplicated messages. For example, if a client sends a message with `ackId=5` and fails to receive an ack response with `ackId=5`, then the client retries and sends the same message again. In some cases, the message is already brokered and the ack response is lost for some reason. The service rejects the retry and response an ack response with `Duplicate` reason. #### Ack Response Format: * The `ackId` associates the request. -* `success` is a bool and indicate whether the request is successfully processed by the service. If it is `false`, clients need to check the `error`. +* `success` is a bool and indicate whether the request is successfully processed by the service. If it's `false`, clients need to check the `error`. * `error` only exists when `success` is `false` and clients should have different logic for different `name`. You should suppose there might be more type of `name` in future. - `Forbidden`: The client doesn't have the permission to the request. The client needs to be added relevant roles. The permission of a client can be granted in several ways: #### 1. Assign the role to the client when generating the access token -Client can connect to the service using a JWT token, the token payload can carry information such as the `role` of the client. When signing the JWT token to the client, you can grant permissions to the client by giving the client specific roles. +Client can connect to the service using a JWT token. 
The token payload can carry information such as the `role` of the client. When signing the JWT token to the client, you can grant permissions to the client by giving the client specific roles. For example, let's sign a JWT token that has the permission to send messages to `group1` and `group2`: |
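Review bot: several of the added lines carry wording slips that should be fixed in the same change: "Even there are errors when brokering messages" should read "Even if there are errors..."; "`success` is a bool and indicate whether" should be "indicates"; "The service rejects the retry and response an ack response with `Duplicate` reason" should be "responds with an ack response..."; and "JWT token", introduced in place of the original "JWT", is redundant since the T already stands for token, so "JWT" alone is the better term throughout the new claims section.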
backup | Azure Kubernetes Service Cluster Backup Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-cluster-backup-concept.md | Also, as part of the backup and restore operations, the following roles are assi | Reader | Backup vault | AKS cluster | Allows the Backup vault to perform _List_ and _Read_ operations on AKS cluster. | | Reader | Backup vault | Snapshot resource group | Allows the Backup vault to perform _List_ and _Read_ operations on snapshot resource group. | | Contributor | AKS cluster | Snapshot resource group | Allows AKS cluster to store persistent volume snapshots in the resource group. |-| Storage Account Contributor | Extension Identity | Storage account | Allows Backup Extension to store cluster resource backups in the blob container. | +| Storage Blob Data Contributor | Extension Identity | Storage account | Allows Backup Extension to store cluster resource backups in the blob container. | | Data Operator for Managed Disk | Backup vault | Snapshot Resource Group | Allows Backup Vault service to move incremental snapshot data to the Vault. | | Disk Snapshot Contributor | Backup vault | Snapshot Resource Group | Allows Backup Vault to access Disks snapshots and perform Vaulting operation. | | Storage Blob Data Reader | Backup vault | Storage Account | Allow Backup Vault to access Blob Container with backup data stored to move to Vault. | |
backup | Azure Kubernetes Service Cluster Backup Using Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-cluster-backup-using-cli.md | Title: Back up Azure Kubernetes Service (AKS) using Azure CLI description: This article explains how to back up Azure Kubernetes Service (AKS) using Azure CLI. Previously updated : 06/20/2023 Last updated : 02/27/2024 - devx-track-azurecli - ignite-2023 Once the vault and policy creation are complete, you need to perform the followi ``` - As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Account Contributor** role. To assign the required role, run the following command: + As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Blob Data Contributor** role. To assign the required role, run the following command: ```azurecli- az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name $akscluster --resource-group $aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Account Contributor' --scope /subscriptions/$subscriptionId/resourceGroups/$storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount + az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name $akscluster --resource-group $aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/$subscriptionId/resourceGroups/$storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount ``` |
backup | Azure Kubernetes Service Cluster Manage Backups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-cluster-manage-backups.md | To stop the Backup Extension install operation, use the following command: To provide *Storage Account Contributor Permission* to the Extension Identity on storage account, run the following command: ```azurecli-interactive- az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name <aksclustername> --resource-group <aksclusterrg> --cluster-type managedClusters --query identity.principalId --output tsv) --role 'Storage Account Contributor' --scope /subscriptions/<subscriptionid>/resourceGroups/<storageaccountrg>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> + az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name <aksclustername> --resource-group <aksclusterrg> --cluster-type managedClusters --query identity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/<subscriptionid>/resourceGroups/<storageaccountrg>/providers/Microsoft.Storage/storageAccounts/<storageaccountname> ``` |
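Review bot: the introductory sentence still says "To provide *Storage Account Contributor Permission* to the Extension Identity on storage account" while the command directly below it now assigns `'Storage Blob Data Contributor'`; update the sentence to name the new role so prose and command agree (the parallel change in the back-up-using-CLI article updated both the sentence and the command together).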
backup | Backup Azure System State | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-system-state.md | Title: Back up Windows system state to Azure + Title: Back up Windows system state to Azure by using Azure Backup description: Learn how to back up the system state of Windows Server computers to Azure. Previously updated : 01/20/2023 Last updated : 02/27/2024 -+ # Back up Windows system state to Azure When you create a Recovery Services vault, ensure that you configure the storage To set the storage redundancy for the vault, follow these steps: -1. From the **Recovery Services vaults** pane, select the new vault. +1. From the **Recovery Services vaults** blade, select the new vault. - ![Screenshot shows how to select the new vault from the list of Recovery Services vault.](./media/backup-try-azure-backup-in-10-mins/rs-vault-list.png) + ![Screenshot shows how to select the new vault from the list of Recovery Services vault.](./media/backup-try-azure-backup-in-10-mins/recovery-services-vault-list.png) - When you select the vault, the **Recovery Services vault** pane narrows, and the Settings pane (*which has the name of the vault at the top*) and the vault details pane open. + When you select the vault, the **Recovery Services vault** blade narrows, and the Settings blade (*which has the name of the vault at the top*) and the vault details blade open. ![Screenshot show how to view the storage configuration for new vault.](./media/backup-try-azure-backup-in-10-mins/set-storage-configuration-2.png)-2. On the new vault's **Settings** pane, use the vertical slide to scroll down to the Manage section, and select **Backup Infrastructure**. +2. On the new vault's **Settings** blade, use the vertical slide to scroll down to the Manage section, and select **Backup Infrastructure**. -3. On the **Backup Infrastructure** pane, select **Backup Configuration** to open the **Backup Configuration** pane. +3. 
On the **Backup Infrastructure** blade, select **Backup Configuration** to open the **Backup Configuration** blade. ![Screenshot shows how to set the storage configuration for new vault.](./media/backup-try-azure-backup-in-10-mins/set-storage-configuration.png) Now that you've created a vault, configure it for backing up Windows System Stat To configure the vault, follow these steps: -1. On the Recovery Services vault pane (for the vault you just created), in the Getting Started section, select **Backup**, then on the **Getting Started with Backup** pane, select **Backup goal**. +1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, select **Backup**, then on the **Getting Started with Backup** blade, select **Backup goal**. ![Screenshot shows how to open the backup settings.](./media/backup-try-azure-backup-in-10-mins/open-backup-settings.png) - The **Backup Goal** pane opens. + The **Backup Goal** blade opens. - ![Screenshot shows how to open the backup goal pane.](./media/backup-try-azure-backup-in-10-mins/backup-goal-blade.png) + ![Screenshot shows how to open the backup goal blade.](./media/backup-try-azure-backup-in-10-mins/backup-goal-blade.png) 2. From the **Where is your workload running?** drop-down menu, select **On-premises**. To configure the vault, follow these steps: ![Screenshot shows how to configure files and folders.](./media/backup-azure-system-state/backup-goal-system-state.png) - After you select **OK**, a checkmark appears next to **Backup goal**, and the **Prepare infrastructure** pane opens. + After you select **OK**, a checkmark appears next to **Backup goal**, and the **Prepare infrastructure** blade opens. ![Screenshot shows how to prepare infrastructure.](./media/backup-try-azure-backup-in-10-mins/backup-goal-configed.png) -4. On the **Prepare infrastructure** pane, select **Download Agent for Windows Server or Windows Client**. +4. 
On the **Prepare infrastructure** blade, select **Download Agent for Windows Server or Windows Client**. ![Screenshot shows how to start downloading the agent for Windows client.](./media/backup-try-azure-backup-in-10-mins/choose-agent-for-server-client.png) To configure the vault, follow these steps: You don't need to install the agent yet. You can install the agent after you've downloaded the vault credentials. -6. On the **Prepare infrastructure** pane, select **Download**. +6. On the **Prepare infrastructure** blade, select **Download**. ![Screenshot shows how to download vault credentials.](./media/backup-try-azure-backup-in-10-mins/download-vault-credentials.png) To schedule the backup job, follow these steps: ![Screenshot shows how to schedule a Windows Server backup.](./media/backup-try-azure-backup-in-10-mins/schedule-first-backup.png) -3. On the **Getting started** page of the Schedule Backup Wizard, select **Next**. +3. On the **Getting started** blade of the Schedule Backup Wizard, select **Next**. -4. On the **Select Items to Backup** page, select **Add Items**. +4. On the **Select Items to Backup** blade, select **Add Items**. 5. Select **System State** and then select **OK**. 6. Select **Next**. -7. Select the required Backup frequency and the retention policy for your System State backups in the subsequent pages. +7. Select the required Backup frequency and the retention policy for your System State backups in the subsequent blades. -8. On the Confirmation page, review the information, and then select **Finish**. +8. On the Confirmation blade, review the information, and then select **Finish**. 9. After the wizard finishes creating the backup schedule, select **Close**. To back up Windows Server System State for the first time, follow these steps: ![Screenshot shows how to start backup of Windows Server.](./media/backup-try-azure-backup-in-10-mins/backup-now.png) -3. 
Select **System State** on the **Select Backup Item** screen that appears and select **Next**. +3. Select **System State** on the **Select Backup Item** blade that appears and select **Next**. -4. On the Confirmation page, review the settings that the Back Up Now Wizard will use to back up the machine. Then select **Back Up**. +4. On the Confirmation blade, review the settings that the Back Up Now Wizard will use to back up the machine. Then select **Back Up**. 5. Select **Close** to close the wizard. If you close the wizard before the backup process finishes, the wizard continues to run in the background. > [!NOTE] |
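Review bot: "blade" is applied here to the Schedule Backup Wizard and Back Up Now Wizard steps (the "Getting started", "Select Items to Backup", "Confirmation", "subsequent blades" and "Select Backup Item" edits), but those are pages of the downloaded on-server agent wizard, not Azure portal blades; keep "page" for the wizard steps and limit "blade" to the portal steps earlier in the article. The screenshot path change from `rs-vault-list.png` to `recovery-services-vault-list.png` also needs the renamed image file included in the same commit, or the link breaks.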
backup | Backup Mabs Sql Azure Stack | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-mabs-sql-azure-stack.md | Title: Back up SQL Server workloads on Azure Stack + Title: Back up SQL Server workloads on Azure Stack by using Azure Backup description: In this article, learn how to configure Microsoft Azure Backup Server (MABS) to protect SQL Server databases on Azure Stack. Previously updated : 01/18/2023 Last updated : 02/27/2024 -+ # Back up SQL Server on Azure Stack This article describes how to configure Microsoft Azure Backup Server (MABS) to ## SQL Server databases protection workflow -The management of SQL Server database backup to Azure and recovery from Azure involves: +Management of the SQL Server database backup to Azure and recovery from Azure involves: 1. Create a backup policy to protect SQL Server databases 2. Create on-demand backup copies The management of SQL Server database backup to Azure and recovery from Azure in * MABS supports multi-site cluster configurations for an instance of SQL Server. * When you protect databases that use the Always On feature, MABS has the following limitations: * MABS will honor the backup policy for availability groups that's set in SQL Server based on the backup preferences, as follows:- * Prefer secondary - Backups should occur on a secondary replica except when the primary replica is the only replica online. If there are multiple secondary replicas available, then the node with the highest backup priority will be selected for backup. IF only the primary replica is available, then the backup should occur on the primary replica. + * Prefer secondary - Backups should occur on a secondary replica except when the primary replica is the only replica online. If there are multiple secondary replicas available, then the node with the highest backup priority will be selected for backup. If only the primary replica is available, then the backup should occur on the primary replica. 
* Secondary only - Backup shouldn't be performed on the primary replica. If the primary replica is the only one online, the backup shouldn't occur. * Primary - Backups should always occur on the primary replica. * Any Replica - Backups can happen on any of the availability replicas in the availability group. The node to be backed up from will be based on the backup priorities for each of the nodes.- * Note the following: - * Backups can happen from any readable replica - that is, primary, synchronous secondary, asynchronous secondary. - * If any replica is excluded from backup, for example **Exclude Replica** is enabled or is marked as not readable, then that replica won't be selected for backup under any of the options. - * If multiple replicas are available and readable, then the node with the highest backup priority will be selected for backup. - * If the backup fails on the selected node, then the backup operation fails. - * Recovery to the original location isn't supported. + * >[!Note] + >- Backups can happen from any readable replica - that is, primary, synchronous secondary, asynchronous secondary. + >- If any replica is excluded from backup, for example **Exclude Replica** is enabled or is marked as not readable, then that replica won't be selected for backup under any of the options. + >- If multiple replicas are available and readable, then the node with the highest backup priority will be selected for backup. + >- If the backup fails on the selected node, then the backup operation fails. + >- Recovery to the original location isn't supported. * SQL Server 2014 or above backup issues: * SQL server 2014 added a new feature to create a [database for on-premises SQL Server on Microsoft Azure Blob storage](/sql/relational-databases/databases/sql-server-data-files-in-microsoft-azure). MABS can't be used to protect this configuration. * There are some known issues with "Prefer secondary" backup preference for the SQL Always On option. 
MABS always takes a backup from secondary. If no secondary can be found, then the backup fails. The management of SQL Server database backup to Azure and recovery from Azure in To create a backup policy to protect SQL Server databases to Azure, follow these steps: -1. On the Azure Backup Server UI, select the **Protection** workspace. +1. On the **Azure Backup Server**, select the **Protection** workspace. -2. On the tool ribbon, select **New** to create a new protection group. +2. On the tool menu, select **New** to create a new protection group. ![Screenshot shows how to initiate creating Protection Group.](./media/backup-azure-backup-sql/protection-group.png) Azure Backup Server starts the Protection Group wizard, which leads you through creating a **Protection Group**. Select **Next**. -3. On the **Select Protection Group Type** screen, select **Servers**. +3. On the **Select Protection Group Type** blade, select **Servers**. ![Screenshot shows how to select Protection Group Type - Servers.](./media/backup-azure-backup-sql/pg-servers.png) -4. On the **Select Group Members** screen, the Available members list displays the various data sources. Select **+** to expand a folder and reveal the subfolders. Select the checkbox to select an item. +4. On the **Select Group Members** blade, the Available members list displays the various data sources. Select **+** to expand a folder and reveal the subfolders. Select the checkbox to select an item. ![Screenshot shows how to select a SQL database.](./media/backup-azure-backup-sql/pg-databases.png) All selected items appear in the Selected members list. After selecting the servers or databases you want to protect, select **Next**. -5. On the **Select Data Protection Method** screen, provide a name for the protection group and select the **I want online Protection** checkbox. +5. On the **Select Data Protection Method** blade, provide a name for the protection group and select the **I want online Protection** checkbox. 
![Screenshot shows the Data Protection Method - short-term disk & Online Azure.](./media/backup-azure-backup-sql/pg-name.png) -6. On the **Specify Short-Term Goals** screen, include the necessary inputs to create backup points to disk, and select **Next**. +6. On the **Specify Short-Term Goals** blade, include the necessary inputs to create backup points to disk, and select **Next**. In the example, **Retention range** is **5 days**, **Synchronization frequency** is once every **15 minutes**, which is the backup frequency. **Express Full Backup** is set to **8:00 P.M**. To create a backup policy to protect SQL Server databases to Azure, follow these > [!NOTE] > In the example shown, at 8:00 PM every day a backup point is created by transferring the modified data from the previous day’s 8:00 PM backup point. This process is called **Express Full Backup**. Transaction logs are synchronized every 15 minutes. If you need to recover the database at 9:00 PM, the point is created from the logs from the last express full backup point (8PM in this case). -7. On the **Review disk allocation** screen, verify the overall storage space available, and the potential disk space. Select **Next**. +7. On the **Review disk allocation** blade, verify the overall storage space available, and the potential disk space. Select **Next**. 8. On the **Choose Replica Creation Method**, choose how to create your first recovery point. You can transfer the initial backup manually (off network) to avoid bandwidth congestion or over the network. If you choose to wait to transfer the first backup, you can specify the time for the initial transfer. Select **Next**. 
To create a backup policy to protect SQL Server databases to Azure, follow these ![Screenshot shows hot to backup schedule and retention.](./media/backup-azure-backup-sql/pg-schedule.png) - In this example, backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) + In this example, backups are taken once a day at 12:00 PM and 8 PM. > [!NOTE] > It’s a good practice to have a few short-term recovery points on disk, for quick recovery. These recovery points are used for operational recovery. Azure serves as a good offsite location with higher SLAs and guaranteed availability. To create a backup policy to protect SQL Server databases to Azure, follow these In this example: - * Backups are taken once a day at 12:00 PM and 8 PM (bottom part of the screen) and are retained for 180 days. + * Backups are taken once a day at 12:00 PM and 8 PM and are retained for 180 days. * The backup on Saturday at 12:00 P.M. is retained for 104 weeks * The backup on Last Saturday at 12:00 P.M. is retained for 60 months * The backup on Last Saturday of March at 12:00 P.M. is retained for 10 years 13. Select **Next** and select the appropriate option for transferring the initial backup copy to Azure. You can choose **Automatically over the network** -14. Once you review the policy details in the **Summary** screen, select **Create group** to complete the workflow. You can select **Close** and monitor the job progress in Monitoring workspace. +14. Once you review the policy details in the **Summary** blade, select **Create group** to complete the workflow. You can select **Close** and monitor the job progress in Monitoring workspace. ![Screenshot shows the in-progress job state of the Protection Group creation.](./media/backup-azure-backup-sql/pg-summary.png) To recover a protected entity (SQL Server database) from Azure, follow these ste In this example, MABS recovers the database to another SQL Server instance, or to a standalone network folder. -4. 
On the **Specify Recovery options** screen, you can select the recovery options like Network bandwidth usage throttling to throttle the bandwidth used by recovery. Select **Next**. +4. On the **Specify Recovery options** blade, you can select the recovery options like Network bandwidth usage throttling to throttle the bandwidth used by recovery. Select **Next**. -5. On the **Summary** screen, you see all the recovery configurations provided so far. Select **Recover**. +5. On the **Summary** blade, you see all the recovery configurations provided so far. Select **Recover**. The Recovery status shows the database being recovered. You can select **Close** to close the wizard and view the progress in the **Monitoring** workspace. |
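Review bot: The rewritten example sentence contradicts itself: "+ In this example, backups are taken once a day at 12:00 PM and 8 PM." and the matching retention bullet "+ * Backups are taken once a day at 12:00 PM and 8 PM and are retained for 180 days." name two daily backup times while saying "once a day". Say "twice a day, at 12:00 PM and 8:00 PM", and settle on one time format for the whole region, which currently mixes "8 PM", "8:00 P.M" and "12:00 P.M.".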
bastion | Bastion Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/bastion-faq.md | description: Learn about frequently asked questions for Azure Bastion. Previously updated : 01/18/2024 Last updated : 02/27/2024 # Azure Bastion FAQ -## <a name="host"></a>Bastion FAQs +## <a name="host"></a>Bastion service and deployment FAQs ### <a name="browsers"></a>Which browsers are supported? Azure Bastion doesn't move or store customer data out of the region it's deploye ### <a name="vwan"></a>Does Azure Bastion support Virtual WAN? -Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke VNet and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the VNet connection level. +Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level. -### <a name="vwan"></a>Does Azure Bastion support Virtual WAN? 
--### <a name="forcedtunnel"></a>Can I use Azure Bastion if I am force-tunneling Internet traffic back to On-Premises? +### <a name="forcedtunnel"></a>Can I use Azure Bastion if I'm force-tunneling Internet traffic back to my on-premises location? -No, if you are advertising a default route (0.0.0.0/0) over ExpressRoute or VPN, and this route is being injected in to your Virtual Networks, this will break the Azure Bastion service. +No, if you're advertising a default route (0.0.0.0/0) over ExpressRoute or VPN, and this route is being injected in to your Virtual Networks, this will break the Azure Bastion service. Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you *can* use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, make sure that the host virtual network isn't linked to a private DNS zone with the following exact names: Azure Bastion needs to be able to communicate with certain internal endpoints to * vault.azure.net * azure.com -You may use a private DNS zone ending with one of the names listed above (ex: privatelink.blob.core.windows.net). +You can use a private DNS zone ending with one of the names in the previous list (ex: privatelink.blob.core.windows.net). Azure Bastion isn't supported with Azure Private DNS Zones in national clouds. +### My privatelink.azure.com can't resolve to management.privatelink.azure.com ++This might be due to the private DNS zone for privatelink.azure.com linked to the Bastion virtual network causing management.azure.com CNAMEs to resolve to management.privatelink.azure.com behind the scenes. Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net to enable successful DNS resolution. 
+ ### <a name="dns"></a>Does Azure Bastion support Private Link? -No, Azure Bastion doesn't currently support private link. +No, Azure Bastion doesn't currently support Azure Private Link. ### Why do I get a "Failed to add subnet" error when using "Deploy Bastion" in the portal? At this time, for most address spaces, you must add a subnet named **AzureBastio ### <a name="subnet"></a>Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)? -For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future. +For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 before this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future. ### <a name="subnet"></a> Can I deploy multiple Azure resources in my Azure Bastion subnet? No. Downgrading a SKU isn't supported. For more information about SKUs, see the No, Bastion connectivity to Azure Virtual Desktop isn't supported. -### <a name="session"></a>Why do I get "Your session has expired" error message before the Bastion session starts? --A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. 
It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal. - ### <a name="udr"></a>How do I handle deployment failures? -Review any error messages and [raise a support request in the Azure portal](../azure-portal/supportability/how-to-create-azure-support-request.md) as needed. Deployment failures may result from [Azure subscription limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md). Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail. +Review any error messages and [raise a support request in the Azure portal](../azure-portal/supportability/how-to-create-azure-support-request.md) as needed. Deployment failures can result from [Azure subscription limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md). Specifically, customers might encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail. ### <a name="dr"></a>How do I incorporate Azure Bastion in my Disaster Recovery plan? -Azure Bastion is deployed within VNets or peered VNets, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site VNet. In the event of an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there. +Azure Bastion is deployed within virtual networks or peered virtual networks, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site virtual network. If there is an Azure region failure, perform a failover operation for your VMs to the DR region. 
Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there. ++### <a name="move-virtual-network"></a>Does Bastion support moving a VNet to another resource group? ++No. If you move your virtual network to another resource group (even if it's in the same subscription), you'll need to first delete Bastion from virtual network, and then proceed to move the virtual network to the new resource group. Once the virtual network is in the new resource group, you can deploy Bastion to the virtual network. ### <a name="zone-redundant"></a>Does Bastion support zone redundancies? -Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions may or may not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies. +Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions might or might not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies. ### <a name="azure-ad-guests"></a>Does Bastion support Microsoft Entra guest accounts? Yes, [Microsoft Entra guest accounts](../active-directory/external-identities/wh No, custom domains aren't supported with Bastion shareable links. Users receive a certificate error upon trying to add specific domains in the CN/SAN of the Bastion host certificate. -## <a name="vm"></a>VM features and connection FAQs +## <a name="vm"></a>VM connection and available features FAQs ### <a name="roles"></a>Are any roles required to access a virtual machine? In order to make a connection, the following roles are required: Additionally, the user must have the rights (if required) to connect to the VM. 
For example, if the user is connecting to a Windows VM via RDP and isn't a member of the local Administrators group, they must be a member of the Remote Desktop Users group. +### <a name="session"></a>Why do I get "Your session has expired" error message before the Bastion session starts? ++If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal. Sign in to the Azure portal and begin your session again. + ### <a name="publicip"></a>Do I need a public IP on my virtual machine to connect via Azure Bastion? No. When you connect to a VM using Azure Bastion, you don't need a public IP on the Azure virtual machine that you're connecting to. The Bastion service opens the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network. This feature doesn't work with AADJ VM extension-joined machines using Microsoft ### <a name="rdscal-compatibility"></a>Is Bastion compatible with VMs set up as RDS session hosts? -Bastion does not support connecting to a VM that is set up as an RDS session host. +Bastion doesn't support connecting to a VM that is set up as an RDS session host. ### <a name="keyboard"></a>Which keyboard layouts are supported during the Bastion remote session? Currently, 1920x1080 (1080p) is the maximum supported resolution. ### <a name="timezone"></a>Does Azure Bastion support timezone configuration or timezone redirection for target VMs? -Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable. Timezone settings for a VM can be manually updated after successfully connecting to the Guest OS. +Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable. Timezone settings for a VM can be manually updated after successfully connecting to the Guest OS. 
### <a name="disconnect"></a>Will an existing session disconnect during maintenance on the Bastion host? -Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource. +Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource. ++### I'm connecting to a VM using a JIT policy, do I need additional permissions? ++If user is connecting to a VM using a JIT policy, there are no additional permissions needed. For more information on connecting to a VM using a JIT policy, see [Enable just-in-time access on VMs](../defender-for-cloud/just-in-time-access-usage.md). ## <a name="peering"></a>VNet peering FAQs Yes. By default, a user sees the Bastion host that is deployed in the same virtu ### If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work? -Yes, connectivity via Bastion will continue to work for peered VNets across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the **Connect** drop down menu, the user must select the subs they have access to in **Subscription > global subscription**. +Yes, connectivity via Bastion will continue to work for peered virtual networks across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the **Connect** drop down menu, the user must select the subs they have access to in **Subscription > global subscription**. :::image type="content" source="./media/bastion-faq/global-subscriptions.png" alt-text="Global subscriptions filter." lightbox="./media/bastion-faq/global-subscriptions.png"::: ### I have access to the peered VNet, but I can't see the VM deployed there. -Make sure the user has **read** access to both the VM, and the peered VNet. 
Additionally, check under IAM that the user has **read** access to following resources: +Make sure the user has **read** access to both the VM, and the peered virtual network. Additionally, check under IAM that the user has **read** access to following resources: * Reader role on the virtual machine. * Reader role on the NIC with private IP of the virtual machine. Make sure the user has **read** access to both the VM, and the peered VNet. Addi |Microsoft.Network/virtualNetworks/subnets/virtualMachines/read|Gets references to all the virtual machines in a virtual network subnet|Action| |Microsoft.Network/virtualNetworks/virtualMachines/read|Gets references to all the virtual machines in a virtual network|Action| -### I am connecting to a VM using a JIT policy, do I need additional permissions? --If user is connecting to a VM using a JIT policy, there is no additional permissions needed. For more information on connecting to a VM using a JIT policy, see [Enable just-in-time access on VMs](../defender-for-cloud/just-in-time-access-usage.md) --### My privatelink.azure.com can't resolve to management.privatelink.azure.com --This may be due to the Private DNS zone for privatelink.azure.com linked to the Bastion virtual network causing management.azure.com CNAMEs to resolve to management.privatelink.azure.com behind the scenes. Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net to enable successful DNS resolution. --- ## Next steps For more information, see [What is Azure Bastion](bastion-overview.md). |
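Review bot: In the new privatelink.azure.com FAQ entry the pronoun is wrong: "+... Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net ..." should read "your privatelink.azure.com zone", since the answer is addressed to the reader who owns the zone and "their" leaves it unclear whose zone is being edited. In the forced-tunneling answer, "injected in to your Virtual Networks" should be "injected into".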
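Review bot: Grammar in the cross-subscription peering answer: "+Yes, connectivity via Bastion will continue to work for peered virtual networks across different subscription for a single Tenant." needs "subscriptions", and "the subs they have access to" should be spelled out as "the subscriptions they have access to". In the relocated JIT entry, "+If user is connecting to a VM using a JIT policy, there are no additional permissions needed." is missing the article ("If a user is connecting").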
chaos-studio | Chaos Studio Configure Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-configure-customer-managed-keys.md | Title: Configure customer-managed keys [preview] for experiment encryption + Title: Configure customer-managed keys (preview) for experiment encryption -description: Learn how to configure customer-managed keys (preview) for your Azure Chaos Studio experiment resource using Azure Blob Storage +description: Learn how to configure customer-managed keys (preview) for your Azure Chaos Studio experiment resource by using Azure Blob Storage. Last updated 10/06/2023 -# Configure customer-managed keys [preview] for Azure Chaos Studio using Azure Blob Storage - -Azure Chaos Studio automatically encrypts all data stored in your experiment resource with keys that Microsoft provides (service-managed keys). As an optional feature, you can add a second layer of security by also providing your own (customer-managed) encryption key(s). Customer-managed keys offer greater flexibility for controlling access and key-rotation policies. - -When you use customer-managed encryption keys, you need to specify a user-assigned managed identity (UMI) to retrieve the key. The UMI you create needs to match the UMI that you use for the Chaos Studio experiment. - -When configured, Azure Chaos Studio uses Azure Storage, which uses the customer-managed key to encrypt all of your experiment execution and result data within your own Storage account. +# Configure customer-managed keys (preview) for Azure Chaos Studio by using Azure Blob Storage ++Azure Chaos Studio automatically encrypts all data stored in your experiment resource with service-managed keys that Microsoft provides. As an optional feature, you can add a second layer of security by also providing your own customer-managed encryption keys. Customer-managed keys (CMKs) offer greater flexibility for controlling access and key-rotation policies. 
++When you use CMKs, you need to specify a user-assigned managed identity (UMI) to retrieve the key. The UMI you create must match the UMI that you use for the Chaos Studio experiment. ++When configured, Chaos Studio uses Azure Storage, which uses the CMK to encrypt all your experiment execution and result data within your own storage account. ## Prerequisites- + - An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.- -- An existing user-assigned managed identity. For more information about creating a user-assigned managed identity, see [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).+- An existing UMI. For more information about how to create a UMI, see [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity). +- A public-access-enabled storage account. -- A public-access enabled Azure storage account- ## Limitations- -- Azure Chaos Studio experiments can't automatically rotate the customer-managed key to use the latest version of the encryption key. You would do key rotation directly in your chosen Azure Storage account. --- You will need to use our **2023-10-27-preview REST API** to create and use CMK-enabled experiments ONLY. There is **no** support for CMK-enabled experiments in our GA-stable REST API until H1 2024. -- Azure Chaos Studio currently **only supports creating Chaos Studio Customer-Managed-Key experiments via the Command Line using our 2023-10-27-preview REST API**. As a result, you **cannot** create a Chaos Studio experiment with CMK enabled via the Azure portal. 
We plan to add this functionality in H1 of 2024.+- Azure Chaos Studio experiments can't automatically rotate the CMK to use the latest version of the encryption key. You do key rotation directly in your chosen storage account. +- You need to use our *2023-10-27-preview REST API* to create and use CMK-enabled experiments only. There's *no* support for CMK-enabled experiments in our general availability-stable REST API until H1 2024. +- Chaos Studio currently *only supports creating Chaos Studio CMK experiments via the command line by using our 2023-10-27-preview REST API*. As a result, you *can't* create a Chaos Studio experiment with CMK enabled via the Azure portal. We plan to add this functionality in H1 of 2024. +- The storage account must have *public access from all networks* enabled for Chaos Studio experiments to be able to use it. If you have a hard requirement from your organization, reach out to your CSA for potential solutions. -- The storage account must have **public access from all networks** enabled for Azure Chaos Studio experiments to be able to use it. If you have a hard requirement from your organization, reach out to your CSA for potential solutions. +## Configure your storage account -## Configure your Azure storage account - -When creating and/or updating your storage account to use for a CMK experiment, you need to navigate to the encryption tab and set the Encryption type to Customer-managed keys (CMK) and fill out all required information. +When you create or update your storage account to use it for a CMK experiment, you need to go to the **Encryption** tab and set **Encryption type** to **Customer-managed keys (CMK)** and fill out all the required information. > [!NOTE]-> The User-assigned managed identity that you use should match the one you use for the corresponding Chaos Studio CMK-enabled experiment. 
- -## Use customer-managed keys with Azure Chaos Studio - -You can only configure customer-managed encryption keys when you create a new Azure Chaos Studio experiment resource. When you specify the encryption key details, you also have to select a user-assigned managed identity to retrieve the key from Azure Key Vault. +> The UMI that you use should match the one you use for the corresponding Chaos Studio CMK-enabled experiment. ++## Use customer-managed keys with Chaos Studio ++You can only configure customer-managed encryption keys when you create a new Chaos Studio experiment resource. When you specify the encryption key details, you also have to select a UMI to retrieve the key from Azure Key Vault. > [!NOTE]-> The UMI should be the SAME user-assigned managed identity you use with your Chaos Studio experiment resource, otherwise the Chaos Studio CMK experiment fails to Create/Update. - +> The UMI should be the *same* UMI you use with your Chaos Studio experiment resource. Otherwise, the Chaos Studio CMK experiment fails to create or update. -# [Azure CLI](#tab/azure-cli) +## Azure CLI - -The following code sample shows an example PUT command for creating or updating a Chaos Studio experiment resource to enable customer-managed keys: +The following code sample shows an example `PUT` command for creating or updating a Chaos Studio experiment resource to enable CMKs. > [!NOTE]->The two parameters specific to CMK experiments are under the "CustomerDataStorage" block, in which we ask for the Subscription ID of the Azure Blob Storage Account you want to use to storage your experiment data and the name of the Blob Storage container to use or create. - +>The two parameters specific to CMK experiments are under the `CustomerDataStorage` block, in which we ask for the subscription ID of the Azure Blob Storage account that you want to use to store your experiment data and the name of the Blob Storage container to use or create. 
+ ```HTTP PUT https://management.azure.com/subscriptions/<yourSubscriptionID>/resourceGroups/exampleRG/providers/Microsoft.Chaos/experiments/exampleExperiment?api-version=2023-10-27-preview PUT https://management.azure.com/subscriptions/<yourSubscriptionID>/resourceGrou } ``` ## Disable CMK on a Chaos Studio experiment- -If you run the same PUT command from the previous example on an existing CMK-enabled experiment resource, but leave the fields in "customerDataStorage" empty, CMK is disabled on an experiment. -## Re-enable CMK on a Chaos Studio experiment - -If you run the same PUT command from the previous example on an existing experiment resource using the 2023-10-27-preview REST API and populate the fields in "customerDataStorage", CMK is re-enabled on an experiment. +If you run the same `PUT` command from the previous example on an existing CMK-enabled experiment resource, but you leave the fields in `customerDataStorage` empty, CMK is disabled on an experiment. ++## Reenable CMK on a Chaos Studio experiment ++If you run the same `PUT` command from the previous example on an existing experiment resource by using the 2023-10-27-preview REST API and populate the fields in `customerDataStorage`, CMK is reenabled on an experiment. ## Change the user-assigned managed identity for retrieving the encryption key- -You can change the managed identity for customer-managed keys for an existing Chaos Studio experiment at any time. The outcome would be identical to updating the User-assigned Managed identity for any Chaos Studio experiment. ++You can change the managed identity for CMKs for an existing Chaos Studio experiment at any time. The outcome would be identical to updating the UMI for any Chaos Studio experiment. > [!NOTE]->If the User-Assigned Managed Identity does NOT have the correct permissions to retrieve the CMK from your key vault and write to the Blob Storage, the PUT command to update the UMI fails. 
+>If the UMI does *not* have the correct permissions to retrieve the CMK from your key vault and write to Blob Storage, the `PUT` command to update the UMI fails. ### List whether an experiment is CMK-enabled or not- -Using the "Get Experiment" command from the 2023-10-27-preview REST API, the response shows you whether the "CustomerDataStorage" properties have been populated or not, which is how you can tell whether an experiment has CMK enabled or not. - -## Update the customer-managed encryption key being used by your Azure Storage Account - -You can change the key that you're using at any time, since Azure Chaos Studio is using your own Azure Storage account for encryption using your CMK. +When you use the `Get Experiment` command from the 2023-10-27-preview REST API, the response shows you whether the `CustomerDataStorage` properties were populated or not. In this way, you can tell whether an experiment is CMK enabled or not. ++## Update the customer-managed encryption key being used by your storage account ++You can change the key that you're using at any time because Chaos Studio is using your own storage account for encryption by using your CMK. - ## Frequently asked questions- ++Here are some answers to common questions. + ### Is there an extra charge to enable customer-managed keys?- -While there's no charge associated directly from Azure Chaos Studio, the use of Azure Blob Storage and Azure Key Vault could carry some additional cost subject to those services' individual pricing. - -### Are customer-managed keys supported for existing Azure Chaos Studio experiments? - -This feature is currently only available for Azure Chaos Studio experiments created using our **2023-10-27-preview** REST API. ++There's no charge associated directly from Chaos Studio. The use of Blob Storage and Key Vault might carry extra cost subject to those services' individual pricing. ++### Are customer-managed keys supported for existing Chaos Studio experiments? 
++This feature is currently only available for Chaos Studio experiments created by using our 2023-10-27-preview REST API. |
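Review bot: The public-network requirement needs an explicit risk statement rather than only a pointer to a CSA. The prerequisite "+- A public-access-enabled storage account." and the limitation "+- The storage account must have *public access from all networks* enabled for Chaos Studio experiments to be able to use it." mean the account that holds experiment execution and result data cannot use network restrictions; the text should say plainly that CMK encryption at rest does not compensate for that, and recommend keeping data-plane access on the container named in customerDataStorage limited to the experiment's UMI.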
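Review bot: The permissions note is not actionable as written: "+>If the UMI does *not* have the correct permissions to retrieve the CMK from your key vault and write to Blob Storage, the PUT command to update the UMI fails." never says which Key Vault key permissions or which blob data-plane role the UMI needs; list them (or link to where they are defined) so readers can grant least privilege instead of guessing. The property name is also cased inconsistently across the hunk, "CustomerDataStorage" in the note under the Azure CLI heading and in the Get Experiment section versus "customerDataStorage" in the disable and reenable sections; use one form.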
chaos-studio | Chaos Studio Private Link Agent Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-private-link-agent-service.md | Title: Set up Private Link for a Chaos Studio agent-based experiment [Preview] -description: Understand the steps to set up a chaos experiment using private link for agent-based experiments + Title: Set up Private Link for a Chaos Studio agent-based experiment (preview) +description: Understand the steps to set up a chaos experiment by using Azure Private Link for agent-based experiments. -# How-to: Configure Private Link for Agent-Based experiments [Preview] +# Configure Private Link for agent-based experiments (preview) -This guide explains the steps needed to configure Private Link for a Chaos Studio **Agent-based** Experiment [Preview]. The current user experience is based on the private endpoints support enabled as part of public preview of the private endpoints feature. Expect this experience to evolve with time as the feature is enhanced to GA quality, as it is currently in **preview**. +This article explains the steps needed to configure Azure Private Link for an Azure Chaos Studio agent-based experiment (preview). The current user experience is based on the private endpoints support that's enabled as part of the public preview of the private endpoints feature. Expect this experience to evolve with time as the feature is enhanced to general availability (GA) quality. It's currently in preview. ## Prerequisites -1. An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -2. First define your agent-based experiment by following the steps found [here](chaos-studio-tutorial-agent-based-portal.md). +- An Azure account with an active subscription. 
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- Define your agent-based experiment by following the steps in [Create a chaos experiment that uses an agent-based fault with the Azure portal](chaos-studio-tutorial-agent-based-portal.md). > [!NOTE]-> If the target resource was created using the portal, then the chaos agent VM extension will be austomatically installed on the host VM. If the target is enabled using the CLI, then follow the Chaos Studio documentation to install the VM extension first on the virtual machine. Until you complete the private endpoint setup, the VM extension will be reporting an unhealthy state. This is expected. +> If the target resource was created by using the Azure portal, the Chaos Agent virtual machine (VM) extension is automatically installed on the host VM. If the target is enabled by using the Azure CLI, follow the Chaos Studio documentation to install the VM extension first on the VM. Until you finish the private endpoint setup, the VM extension reports an unhealthy state. This behavior is expected. <br/> ## Limitations -- You'll need to use our **2023-10-27-preview REST API** to create and use private link for agent-based experiments ONLY. There's **no** support for private link for agent-based experiments in our GA-stable REST API until H1 2024. +- You need to use our *2023-10-27-preview REST API* to create and use Private Link for agent-based experiments only. There's *no* support for Private Link for agent-based experiments in our GA-stable REST API until H1 2024. +- The entire end-to-end experience for this flow requires some use of the CLI. The current end-to-end experience can't be done from the Azure portal. +- The **Chaos Studio Private Accesses (CSPA)** resource type has a strict 1:1 mapping of Chaos Target:CSPA Resource (abstraction for private endpoint). 
We allow only *five CSPA resources to be created per subscription* to maintain the expected experience for all our customers. -- The entire end-to-end for this flow requires some use of the CLI. The current end-to-end experience cannot be done from the Azure portal currently. +## Create a Chaos Studio Private Access resource -- The **Chaos Studio Private Accesses (CSPA)** resource type has a **strict 1:1 mapping of Chaos Target:CSPA Resource (abstraction for private endpoint).**.** We only allow **5 CSPA resources to be created per Subscription** to maintain the expected experience for all of our customers. - -## Step 1: Create a Chaos Studio Private Access (CSPA) resource +To use private endpoints for agent-based chaos experiments, you need to create a new resource type called Chaos Studio Private Accesses. CSPA is the resource against which the private endpoints are created. -To use Private endpoints for agent-based chaos experiments, you need to create a new resource type called **Chaos Studio Private Accesses**. CSPA is the resource against which the private endpoints are created. --> [!NOTE] -> Currently this resource can **only be created from the CLI**. See the example code for how to do this: +Currently, this resource can *only be created from the CLI*. 
See the following example code for how to create this resource type: ```AzCLI az rest --verbose --skip-authorization-header --header "Authorization=Bearer $accessToken" --uri-parameters api-version=2023-10-27-preview --method PUT --uri "https://centraluseuap.management.azure.com/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Chaos/privateAccesses/<CSPAResourceName>?api-version=2023-10-27-preview" --body ' az rest --verbose --skip-authorization-header --header "Authorization=Bearer $ac | Name |Required | Type | Description | |-|-|-|-|-|subscriptionID|True|String|GUID that represents an Azure subscription ID| -|resourceGroupName|True|String|String that represents an Azure resource group| -|CSPAResourceName|True|String|String that represents the name you want to give your Chaos Studio Private Access Resource| -|resourceLocation|True|String|Location you want the resource to be hosted (must be a support region by Chaos Studio)| -+|subscriptionID|True|String|GUID that represents an Azure subscription ID.| +|resourceGroupName|True|String|String that represents an Azure resource group.| +|CSPAResourceName|True|String|String that represents the name you want to give your Chaos Studio Private Access resource.| +|resourceLocation|True|String|Location where you want the resource to be hosted (must be a support region by Chaos Studio).| -## Step 2: Create your Virtual Network, Subnet, and Private Endpoint +## Create your virtual network, subnet, and private endpoint -[Set up your desired Virtual Network, Subnet, and Endpoint](../private-link/create-private-endpoint-portal.md) for the experiment if you haven't already. +[Set up your desired virtual network, subnet, and endpoint](../private-link/create-private-endpoint-portal.md) for the experiment if you haven't already. -Make sure you attach it to the same VM's VNET. Screenshots provide examples of creating the VNET, Subnet and Private Endpoint. 
It's important to note that you need to set the "Resource Type" to "Microsoft.Chaos/privateAccesses" as seen in the screenshot. +Make sure you attach it to the same VM's virtual network. Screenshots provide examples of creating the virtual network, subnet, and private endpoint. You need to set **Resource type** to **Microsoft.Chaos/privateAccesses** as seen in the screenshot. -[![Screenshot of resource tab of private endpoint creation.](images/resource-private-endpoint.png)](images/resource-private-endpoint.png#lightbox) +[![Screenshot that shows the Resource tab of private endpoint creation.](images/resource-private-endpoint.png)](images/resource-private-endpoint.png#lightbox) -[![Screenshot of VNET tab of private endpoint creation.](images/resource-vnet-cspa.png)](images/resource-vnet-cspa.png#lightbox) +[![Screenshot that shows the Virtual Network tab of private endpoint creation.](images/resource-vnet-cspa.png)](images/resource-vnet-cspa.png#lightbox) +## Map the agent host VM to the CSPA resource -## Step 3: Map the agent host VM to the CSPA resource --Find the Target "Resource ID" by making a GetTarget call: +Find the target `Resource ID` by making a `GetTarget` call: ```AzCLI GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{parentProviderNamespace}/{parentResourceType}/{parentResourceName}/providers/Microsoft.Chaos/targets/{targetName}?api-version=2023-10-27-preview GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{ <br/> -The GET command returns a large response. Note this response. We use this response and modify it before running a "PUT Target" command to map the two resources. +The `GET` command returns a large response. Note this response. We use this response and modify it before running a `PUT Target` command to map the two resources. <br/> -Invoke a "PUT Target" command using this response. 
You need to append **TWO ADDITIONAL FIELDS** to the body of the PUT command before running it. +Invoke a `PUT Target` command by using this response. You need to append *two more fields* to the body of the `PUT` command before you run it. -These extra fields are shown below: +These extra fields are shown here: ``` "privateAccessId": "subscriptions/<subID>/... These extra fields are shown below: }, ``` -Here's an example block for what the "PUT Target" command should look like and the fields that you would need to fill out: +Here's an example block for what the `PUT Target` command should look like and the fields that you would need to fill out: > [!NOTE]-> The body should be copied from the previous GET command. You'll need to manually append the "privateAccessID" and "allowPublicAccess" fields. +> Copy the body from the previous `GET` command. You need to manually append the `privateAccessID` and `allowPublicAccess` fields. ```AzCLI az rest --verbose --skip-authorization-header --header "Authorization=Bearer $ac ``` > [!NOTE]-> The PrivateAccessID should exactly match the "resourceID" used to create the CSPA resource in Step 1. +> The `PrivateAccessID` value should exactly match the `resourceID` value that you used to create the CSPA resource in the earlier section **Create a Chaos Studio Private Access resource**. -## Step 4: Restart the Azure Chaos Agent service in the VM +## Restart the Azure Chaos Agent service in the VM -After making all the required changes to the host, restart the Azure Chaos Agent Service in the VM +After you make all the required changes to the host, restart the Azure Chaos Agent service in the VM. 
### Windows -[![Screenshot of restarting Windows VM.](images/restart-windows-vm.png)](images/restart-windows-vm.png#lightbox) +[![Screenshot that shows restarting the Windows VM.](images/restart-windows-vm.png)](images/restart-windows-vm.png#lightbox) ### Linux For Linux, run the following command from the CLI: Systemctl restart azure-chaos-agent ``` -[![Screenshot of restarting Linux VM.](images/restart-linux-vm.png)](images/restart-linux-vm.png#lightbox) --## Step 5: Run your Agent-based experiment using private endpoints +[![Screenshot that shows restarting the Linux VM.](images/restart-linux-vm.png)](images/restart-linux-vm.png#lightbox) -After the restart, the Chaos agent should be able to communicate with the Agent Communication data plane service and the agent registration to the data plane should be successful. After successful registration, the agent will be able to heartbeat its status and you can go ahead and run the chaos agent-based experiments using private endpoints! +## Run your agent-based experiment by using private endpoints +After the restart, Azure Chaos Agent should be able to communicate with the Agent Communication data plane service, and the agent registration to the data plane should be successful. After successful registration, the agent can indicate its status with a heartbeat. Then you can proceed to run the Azure Chaos Agent-based experiments by using private endpoints. |
communication-services | Calling Sdk Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md | The Azure Communication Services Calling SDK support up to the following video r | **Receiving video** | 1080P | 1080P | 1080P | 1080P | | **Sending video** | 720P | 720P | 720P | 1080P | -The resolution can vary depending on the number of participants on a call, the amount of bandwidth available to the client, and other overall call parameters. Read +The resolution can vary depending on the number of participants on a call, the amount of bandwidth available to the client, and other overall call parameters. ## Number of participants on a call support - Up to 350 users can join a group call, Room or Teams + ACS call. The maximum number of users that can join through WebJS calling SDK or Teams web client is capped at 100 participants, the remaining calling end point will need to join using Android, iOS, or Windows calling SDK or related Teams desktop or mobile client apps. |
communication-services | Get Started Live Stream | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/voice-video-calling/get-started-live-stream.md | - Title: Quickstart - Add live stream to your app- -description: In this quickstart, you learn how to add live stream calling capabilities to your app using Azure Communication Services. ---- Previously updated : 06/30/2022-------# Live stream quick start --Live streaming empower Contoso to engage thousands of online attendees by adding interactive live audio and video streaming functionality into their web and mobile applications that their audiences love, no matter where they are. --Interactive Live Streaming is the ability to broadcast media content to thousands of online attendees while enable some attendees to share their live audio and video, interact via chat, and engage with metadata content such as reactions, polls, quizzes, ads, etc. --## Prerequisites --- [Rooms](../rooms/get-started-rooms.md) meeting is needed for role-based streaming.-- The quick start examples here are available with the preview version [1.11.0-alpha.20230124.1](https://www.npmjs.com/package/@azure/communication-calling/v/1.11.0-alpha.20230124.1) of the calling Web SDK. Make sure to use that or higher version when trying this quick start.--## Live streaming with Rooms -Room participants can be assigned one of the following roles: **Presenter**, **Attendee** and **Consumer**. By default, a user is assigned an **Consumer** role, if no other role is assigned. --Participants with `Consumer` role receive only the live stream. They're not able to speak or share video or screen. Developers shouldn't show the unmute, share video, and screen option to end users/consumers. Live stream supports both open and closed Rooms. In Open Rooms, the default role is `Consumer`. -On the other hand, Participants with other roles receive both real-time and live stream. 
Developers can choose either stream to play. -Check [participant roles and permissions](../../concepts/rooms/room-concept.md#predefined-participant-roles-and-permissions) to know more about the roles capabilities. --### Place a Rooms call (start live streaming) -Live streaming start when the Rooms call starts. --```js -const context = { roomId: '<RoomId>' } --const call = callAgent.join(context); -``` --### Receive live stream -Contoso can use the `Features.LiveStream` to get the live stream and play it. --```typescript -call.feature(Features.LiveStream).on('liveStreamsUpdated', e => { - // Subscribe to new live video streams that were added. - e.added.forEach(liveVideoStream => { - subscribeToLiveVideoStream(liveVideoStream) - }); - // Unsubscribe from live video streams that were removed. - e.removed.forEach(liveVideoStream => { - console.log('Live video stream was removed.'); - } -); --const subscribeToLiveVideoStream = async (liveVideoStream) => { - // Create a video stream renderer for the live video stream. - let videoStreamRenderer = new VideoStreamRenderer(liveVideoStream); - let view; - const renderVideo = async () => { - try { - // Create a renderer view for the live video stream. - view = await videoStreamRenderer.createView(); - // Attach the renderer view to the UI. - liveVideoContainer.hidden = false; - liveVideoContainer.appendChild(view.target); - } catch (e) { - console.warn(`Failed to createView, reason=${e.message}, code=${e.code}`); - } - } -- // Live video stream is available during initialization. - await renderVideo(); -}; --``` --### Count participants in both real-time and streaming media lane -Web SDK already exposes `Call.totalParticipantCount` (available in beta release) which includes all participants count (Presenter, Attendee, Consumer, Participants in the lobby etc.). We've added a new API `Call.feature(Features.LiveStream).participantCount` under the `LiveStream` feature to have the count of streaming participants. 
`Call.feature(Features.LiveStream).participantCount` represents the number of participants receiving the streaming media only. --```typescript -call.feature(Features.LiveStream).on('participantCountChanged', e => { - // Get current streaming participant count. - Call.feature(Features.LiveStream).participantCount; -); -``` --`call.feature(Features.LiveStream).participantCount` represents the total count of participants in streaming media lane. Contoso can find out the count of participants in real-time media lane by subtracting from the total participants. So, number of real-time media participants = `call.totalParticipantCount` - `call.feature(Features.LiveStream).participantCount`. --## Next steps -For more information, see the following articles: --- Check out our [calling hero sample](../../samples/calling-hero-sample.md)-- Get started with the [UI Library](../../concepts/ui-library/ui-library-overview.md)-- Learn about [Calling SDK capabilities](./getting-started-with-calling.md?pivots=platform-web)-- Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md) |
container-registry | Container Registry Artifact Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-artifact-streaming.md | Title: "Artifact streaming in Azure Container Registry (Preview)" description: "Artifact streaming is a feature in Azure Container Registry to enhance and supercharge managing, scaling, and deploying artifacts through containerized platforms." - - +zone_pivot_groups: container-registry-zones Previously updated : 12/14/2023-# Customer intent: As a developer, I want artifact streaming capabilities so that I can efficiently deliver and serve containerized applications to end-users in real-time. Last updated : 02/26/2024+ai-usage: ai-assisted ++#customer intent: As a developer, I want artifact streaming capabilities so that I can efficiently deliver and serve containerized applications to end-users in real-time. # Artifact streaming in Azure Container Registry (Preview) Artifact streaming is a feature in Azure Container Registry that allows you to s Here are few scenarios to use artifact streaming: -**Deploying containerized applications to multiple regions**: With artifact streaming, you can store container images within a single registry and manage and stream container images to AKS clusters in multiple regions. artifact streaming deploys container applications to multiple regions without consuming time and resources. +**Deploying containerized applications to multiple regions**: With artifact streaming, you can store container images within a single registry and manage and stream container images to AKS clusters in multiple regions. Artifact streaming deploys container applications to multiple regions without consuming time and resources. -**Reducing image pull latency**: Artifact streaming can reduce time to pod readiness by over 15%, depending on the size of the image, and it works best for images < 30GB. 
This feature reduces image pull latency and fast container startup, which is beneficial for software developers and system architects. +**Reducing image pull latency**: Artifact streaming can reduce time to pod readiness by over 15%, depending on the size of the image, and it works best for images < 30 GB. This feature reduces image pull latency and fast container startup, which is beneficial for software developers and system architects. **Effective scaling of containerized applications**: Artifact streaming provides the opportunity to design, build, and deploy containerized applications at a high scale. Here are some brief aspects of artifact streaming: * Customers with new and existing registries can start artifact streaming for specific repositories or tags. -* Once artifact streaming is started, the original and the streaming artifact will be stored in the customer's ACR. +* Customers are able to store both the original and the streaming artifact in the ACR by starting artifact streaming. -* If the user decides to turn off artifact streaming for repositories or artifacts, the streaming and the original artifact will still be present. +* Customers have access to the original and the streaming artifact even after turning off artifact streaming for repositories or artifacts. -* If a customer deletes a repository or artifact with artifact streaming and Soft Delete enabled, then both the original and artifact streaming versions will be deleted. However, only the original version will be available on the soft delete blade. +* Customers with artifact streaming and Soft Delete enabled, deletes a repository or artifact then both the original and artifact streaming versions are deleted. However, only the original version is available on the soft delete portal. ## Availability and pricing information -Artifact streaming is only available in the **Premium** SKU [service tiers](container-registry-skus.md). 
Please note that artifact streaming may increase the overall registry storage consumption and customers may be subjected to additional storage charges as outlined in our [pricing](https://azure.microsoft.com/pricing/details/container-registry/) if the consumption exceeds the included 500 GiB Premium SKU threshold. +Artifact streaming is only available in the **Premium** [service tiers](container-registry-skus.md) (also known as SKUs). Artifact streaming has potential to increase the overall registry storage consumption. Customers are subjected to more storage charges as outlined in our [pricing](https://azure.microsoft.com/pricing/details/container-registry/) if the consumption exceeds the included 500 GiB Premium SKU threshold. ## Preview limitations Artifact streaming is currently in preview. The following limitations apply: * Only images with Linux AMD64 architecture are supported in the preview release.-* The preview release doesn't support Windows-based container images, and ARM64 images. -* The preview release partially support multi-architecture images, only the AMD64 architecture is supported. +* The preview release doesn't support Windows-based container images and ARM64 images. +* The preview release partially support multi-architecture images only the AMD64 architecture is supported. * For creating Ubuntu based node pool in AKS, choose Ubuntu version 20.04 or higher. * For Kubernetes, use Kubernetes version 1.26 or higher or Kubernetes version > 1.25. -* Only premium SKU registries support generating streaming artifacts in the preview release. The non-premium SKU registries do not offer this functionality during the preview. +* Only premium SKU registries support generating streaming artifacts in the preview release. The nonpremium SKU registries don't offer this functionality during the preview. * The CMK (Customer-Managed Keys) registries are NOT supported in the preview release. * Kubernetes regcred is currently NOT supported. 
## Prerequisites -* You can use the [Azure Cloud Shell][Azure Cloud Shell] or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.54.0 or later is required. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][Install Azure CLI]. +* You can use the [Azure Cloud Shell][Azure Cloud Shell] or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.54.0 or later is required. Run `az --version` for finding the version. If you need to install or upgrade, see [Install Azure CLI][Install Azure CLI]. * Sign in to the [Azure portal](https://ms.portal.azure.com/). + ## Start artifact streaming Start artifact streaming with a series with Azure CLI commands and Azure portal for pushing, importing, and generating streaming artifacts for container images in an Azure Container Registry (ACR). These instructions outline the process for creating a *Premium* [SKU](container-registry-skus.md) ACR, importing an image, generating a streaming artifact, and managing the artifact streaming operation. Make sure to replace the placeholders with your actual values where necessary. +<!-- markdownlint-disable MD044 --> +<!-- markdownlint-enable MD044 --> + ### Push/Import the image and generate the streaming artifact - Azure CLI Artifact streaming is available in the **Premium** container registry service tier. To start Artifact streaming, update a registry using the Azure CLI (version 2.54.0 or above). To install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). Start artifact streaming, by following these general steps: 5. Cancel the artifact streaming creation (if needed) - Cancel the streaming artifact creation if the conversion is not finished yet. It will stop the operation. + Cancel the streaming artifact creation if the conversion isn't finished yet. It stops the operation. 
For example, run the [az acr artifact-streaming operation cancel][az-acr-artifact-streaming-operation-cancel] command to cancel the conversion operation for the `jupyter/all-spark-notebook:latest` image in the `mystreamingtest` ACR. Start artifact streaming, by following these general steps: az acr artifact-streaming operation cancel --repository jupyter/all-spark-notebook --id c015067a-7463-4a5a-9168-3b17dbe42ca3 ``` -6. Start auto-conversion on the repository +6. Start autoconversion on the repository - Start auto-conversion in the repository for newly pushed or imported images. When started, new images pushed into that repository will trigger the generation of streaming artifacts. + Start autoconversion in the repository for newly pushed or imported images. When started, new images pushed into that repository trigger the generation of streaming artifacts. >[!NOTE] > Auto-conversion does not apply to existing images. Existing images can be manually converted. - For example, run the [az acr artifact-streaming update][az-acr-artifact-streaming-update] command to start auto-conversion for the `jupyter/all-spark-notebook` repository in the `mystreamingtest` ACR. + For example, run the [az acr artifact-streaming update][az-acr-artifact-streaming-update] command to start autoconversion for the `jupyter/all-spark-notebook` repository in the `mystreamingtest` ACR. ```azurecli-interactive az acr artifact-streaming update --repository jupyter/all-spark-notebook --enable-streaming true Start artifact streaming, by following these general steps: az acr artifact-streaming operation show --image jupyter/all-spark-notebook:newtag ``` +++ >[!NOTE] > Artifact streaming can work across regions, regardless of whether geo-replication is started or not. > Artifact streaming can work through a private endpoint and attach to it. 
+<!-- markdownlint-disable MD044 --> +<!-- markdownlint-enable MD044 --> + ### Push/Import the image and generate the streaming artifact - Azure portal Artifact streaming is available in the *premium* [SKU](container-registry-skus.md) Azure Container Registry. To start artifact streaming, update a registry using the Azure portal. Follow the steps to create artifact streaming in the [Azure portal](https://port > [!div class="mx-imgBorder"] > [![A screenshot of Azure portal with the streaming artifact highlighted.](./media/container-registry-artifact-streaming/02-artifact-streaming-generated-inline.png)](./media/container-registry-artifact-streaming/02-artifact-streaming-generated-expanded.png#lightbox) -6. You can also delete the artifact streaming from the repository blade. +6. You can also delete the artifact streaming from the repository. > [!div class="mx-imgBorder"] > [![A screenshot of Azure portal with the delete artifact streaming button highlighted.](./media/container-registry-artifact-streaming/04-delete-artifact-streaming-inline.png)](./media/container-registry-artifact-streaming/04-delete-artifact-streaming-expanded.png#lightbox) -7. You can also enable auto-conversion on the repository blade. Active means auto-conversion is enabled on the repository. Inactive means auto-conversion is disabled on the repository. +7. You can also enable autoconversion by accessing the repository on portal. Active means autoconversion is enabled on the repository. Inactive means autoconversion is disabled on the repository. 
> [!div class="mx-imgBorder"] > [![A screenshot of Azure portal with the start artifact streaming button highlighted.](./media/container-registry-artifact-streaming/03-start-artifact-streaming-inline.png)](./media/container-registry-artifact-streaming/03-start-artifact-streaming-expanded.png#lightbox) Follow the steps to create artifact streaming in the [Azure portal](https://port > [!NOTE] > The state of artifact streaming in a repository (inactive or active) determines whether newly pushed compatible images will be automatically converted. By default, all repositories are in an inactive state for artifact streaming. This means that when new compatible images are pushed to the repository, artifact streaming will not be triggered, and the images will not be automatically converted. If you want to start automatic conversion of newly pushed images, you need to set the repository's artifact streaming to the active state. Once the repository is in the active state, any new compatible container images that are pushed to the repository will trigger artifact streaming. This will start the automatic conversion of those images. +++ ## Next steps > [!div class="nextstepaction"]-> [Troubleshoot artifact streaming](troubleshoot-artifact-streaming.md) +> [Troubleshoot Artifact streaming](troubleshoot-artifact-streaming.md) <!-- LINKS - External --> [Install Azure CLI]: /cli/azure/install-azure-cli |
container-registry | Troubleshoot Artifact Streaming | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/troubleshoot-artifact-streaming.md | Title: "Troubleshoot artifact streaming" -description: "Troubleshoot artifact streaming in Azure Container Registry to diagnose and resolve with managing, scaling, and deploying artifacts through containerized platforms." + Title: "Troubleshoot Artifact streaming" +description: "Troubleshoot Artifact streaming in Azure Container Registry to diagnose and resolve with managing, scaling, and deploying artifacts through containerized platforms." Last updated 10/31/2023 -# Troubleshoot artifact streaming +# Troubleshoot Artifact streaming The troubleshooting steps in this article can help you resolve common issues that you might encounter when using artifact streaming in Azure Container Registry (ACR). These steps and recommendations can help diagnose and resolve issues related to artifact streaming as well as provide insights into the underlying processes and logs for debugging purposes. The troubleshooting steps in this article can help you resolve common issues tha * Conversion operation failed due to an unknown error. * Troubleshooting Failed AKS Pod Deployments. * Pod conditions indicate "UpgradeIfStreamableDisabled."-* Using Digest Instead of Tag for Streaming Artifact +* Digest usage instead of Tag for Streaming Artifact. ## Causes The troubleshooting steps in this article can help you resolve common issues tha | Error Code | Error Message | Troubleshooting Info | | | - | | | UNKNOWN_ERROR | Conversion operation failed due to an unknown error. | Caused by an internal error. A retry helps here. If retry is unsuccessful, contact support. |-| RESOURCE_NOT_FOUND | Conversion operation failed because target resource isn't found. | If the target image isn't found in the registry. 
Verify typos in the image digest, if the image is deleted, or missing in the target region (replication consistency is not immediate for example) | -| UNSUPPORTED_PLATFORM | Conversion is not currently supported for image platform. | Only linux/amd64 images are initially supported. | -| NO_SUPPORTED_PLATFORM_FOUND | Conversion is not currently supported for any of the image platforms in the index. | Only linux/amd64 images are initially supported. No image with this platform is found in the target index. | -| UNSUPPORTED_MEDIATYPE | Conversion is not supported for the image MediaType. | Conversion can only target images with media type: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json or application/vnd.docker.distribution.manifest.list.v2+json | +| RESOURCE_NOT_FOUND | Conversion operation failed because target resource isn't found. | If the target image isn't found in the registry, verify typos in the image digest. If the image is deleted, or missing in the target region (replication consistency isn't immediate for example) | +| UNSUPPORTED_PLATFORM | Conversion isn't currently supported for image platform. | Only linux/amd64 images are initially supported. | +| NO_SUPPORTED_PLATFORM_FOUND | Conversion isn't currently supported for any of the image platforms in the index. | Only linux/amd64 images are initially supported. No image with this platform is found in the target index. | +| UNSUPPORTED_MEDIATYPE | Conversion isn't supported for the image MediaType. | Conversion can only target images with media type: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json, or application/vnd.docker.distribution.manifest.list.v2+json | | UNSUPPORTED_ARTIFACT_TYPE | Conversion isn't supported for the image ArtifactType. 
| Streaming Artifacts (Artifact type: application/vnd.azure.artifact.streaming.v1) can't be converted again. | | IMAGE_NOT_RUNNABLE | Conversion isn't supported for nonrunnable images. | Only linux/amd64 runnable images are initially supported. | ## Troubleshooting Failed AKS Pod Deployments -If AKS pod deployment fails with an error related to image pulling, like the following example +If AKS pod deployment fails with an error related to image pulling, like the following example. ```bash Failed to pull image "mystreamingtest.azurecr.io/jupyter/all-spark-notebook:latest": failed to resolve reference "mystreamingtest.azurecr.io/jupyter/all-spark-notebo unexpected status from HEAD request to http://localhost:8578/v2/jupyter/all-spark-notebook/manifests/latest?ns=mystreamingtest.azurecr.io:503 Service Unavailable ``` -To troubleshoot this issue, you should check the following: +To troubleshoot this issue, you should check the following guidelines: -1. Verify if the AKS has permissions to access the container registry `mystreamingtest.azurecr.io` +1. Verify if the AKS has permissions to access the container registry `mystreamingtest.azurecr.io`. 1. Ensure that the container registry `mystreamingtest.azurecr.io` is accessible and properly attached to AKS. ## Checking for "UpgradeIfStreamableDisabled" Pod Condition: |
copilot | Build Infrastructure Deploy Workloads | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/copilot/build-infrastructure-deploy-workloads.md | Title: Build infrastructure and deploy workloads using Microsoft Copilot for Azure (preview) description: Learn how Microsoft Copilot for Azure (preview) can help you build custom infrastructure for your workloads and provide templates and scripts to help you deploy. Previously updated : 01/18/2024 Last updated : 02/26/2024 Throughout a conversation, Microsoft Copilot for Azure (preview) asks you questi To get help building infrastructure and deploying workloads, start on the [More virtual machines and related solutions](https://portal.azure.com/#view/Microsoft_Azure_SolutionCenter/SolutionGroup.ReactView/groupid/defaultLandingVmBrowse) page in the Azure portal. You can reach this page from **Virtual machines** by selecting the arrow next to **Create**, then selecting **More VMs and related solutions**. Once you're there, start the conversation by letting Microsoft Copilot for Azure (preview) know what you want to build and deploy. |
cosmos-db | Change Feed Modes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/change-feed-modes.md | The response object is an array of items that represent each change. The array l }, "metadata": { "lsn": <A number that represents the batch ID. Many items can have the same lsn.>, - "changeType": <The type of change, either 'create', 'replace', or 'delete'.>, + "operationType": <The type of change, either 'create', 'replace', or 'delete'.>, "previousImageLSN" : <A number that represents the batch ID of the change prior to this one.>, "timeToLiveExpired" : <For delete changes, it will be 'true' if it was deleted due to a TTL expiration and 'false' if it wasn't.>, "crts": <A number that represents the Conflict Resolved Timestamp. It has the same format as _ts.> |
cosmos-db | Query Metrics Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query-metrics-performance.md | -This article presents how to profile SQL query performance on Azure Cosmos DB using [ServerSideCumulativeMetrics](/dotnet/api/microsoft.azure.cosmos.serversidecumulativemetrics) retrieved from the .NET SDK. `ServerSideCumulativeMetrics` is a strongly typed object with information about the backend query execution. It contains cumulative metrics that are aggregated across all physical partitions for the request, and a list of metrics for each physical partition. These metrics are documented in more detail in the [Tune Query Performance](./query-metrics.md#query-execution-metrics) article. +This article presents how to profile SQL query performance on Azure Cosmos DB using [ServerSideCumulativeMetrics](/dotnet/api/microsoft.azure.cosmos.serversidecumulativemetrics) retrieved from the .NET SDK. `ServerSideCumulativeMetrics` is a strongly typed object with information about the backend query execution. It contains cumulative metrics that are aggregated across all physical partitions for the request, a list of metrics for each physical partition, and the total request charge. These metrics are documented in more detail in the [Tune Query Performance](./query-metrics.md#query-execution-metrics) article. ## Get query metrics DoSomeLogging(totalTripsExecutionTime); ### Partitioned Metrics -`ServerSideCumulativeMetrics` contains a `PartitionedMetrics` property that is a list of per-partition metrics for the round trip. If multiple physical partitions are reached in a single round trip, then metrics for each of them appear in the list. Partitioned metrics are represented as [ServerSidePartitionedMetrics](/dotnet/api/microsoft.azure.cosmos.serversidepartitionedmetrics) with a unique identifier for each physical partition. 
+`ServerSideCumulativeMetrics` contains a `PartitionedMetrics` property that is a list of per-partition metrics for the round trip. If multiple physical partitions are reached in a single round trip, then metrics for each of them appear in the list. Partitioned metrics are represented as [ServerSidePartitionedMetrics](/dotnet/api/microsoft.azure.cosmos.serversidepartitionedmetrics) with a unique identifier for each physical partition and request charge for that partition. ```csharp // Retrieve the ServerSideCumulativeMetrics object from the FeedResponse foreach(var partitionGroup in groupedPartitionMetrics) ## Get the query request charge -You can capture the request units consumed by each query to investigate expensive queries or queries that consume high throughput. You can get the request charge by using the `RequestCharge` property in `FeedResponse`. To learn more about how to get the request charge using the Azure portal and different SDKs, see [find the request unit charge](find-request-unit-charge.md) article. +You can capture the request units consumed by each query to investigate expensive queries or queries that consume high throughput. You can get the total request charge using the `TotalRequestCharge` property in `ServerSideCumulativeMetrics` or you can look at the request charge from each partition using the `RequestCharge` property for each `ServerSidePartitionedMetrics` returned. ++The total request charge is also available using the `RequestCharge` property in `FeedResponse`. To learn more about how to get the request charge using the Azure portal and different SDKs, see [find the request unit charge](find-request-unit-charge.md) article. ```csharp QueryDefinition query = new QueryDefinition("SELECT TOP 5 * FROM c"); |
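Review bot: the new request-charge paragraph introduces `TotalRequestCharge` on `ServerSideCumulativeMetrics` and `RequestCharge` on each `ServerSidePartitionedMetrics` without saying which `Microsoft.Azure.Cosmos` package version first exposes them; a reader on an older SDK gets a compile error on `TotalRequestCharge` while the pre-existing `FeedResponse.RequestCharge` path still works, so state the minimum version next to the first mention. Minor: "see [find the request unit charge](find-request-unit-charge.md) article" is missing its article and should read "see the ... article".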
cosmos-db | Abs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/abs.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the absolute (positive) value of the specified numeric expression. ## Syntax -```sql +```nosql ABS(<numeric_expr>) ``` Returns a numeric expression. The following example shows the results of using this function on three different numbers. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/absolute-value/result.json"::: |
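Review bot: retagging the fence from `sql` to `nosql` (here and in every Cosmos DB query-reference row that follows) only yields syntax highlighting if the docs renderer has a `nosql` grammar registered; a stock highlight.js or Prism build does not, in which case these blocks render as plain text where they were previously highlighted as SQL. Confirm the platform recognizes `nosql` (the added `ms.devlang: nosql` metadata suggests it is a registered dev language) before merging, since the same one-line change is repeated across roughly fifty files in this batch.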
cosmos-db | Acos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/acos.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric arccosine of the specified numeric value. The arccosin ## Syntax -```sql +```nosql ACOS(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the arccosine of the specified values using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/arccosine/result.json"::: |
cosmos-db | Array Concat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/array-concat.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns an array that is the result of concatenating two or more array values. ## Syntax -```sql +```nosql ARRAY_CONCAT(<array_expr_1>, <array_expr_2> [, <array_expr_N>]) ``` Returns an array expression. The following example shows how to concatenate two arrays. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/array-concat/result.json"::: |
cosmos-db | Array Contains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/array-contains.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating whether the array contains the specified value. You ## Syntax -```sql +```nosql ARRAY_CONTAINS(<array_expr>, <expr> [, <bool_expr>]) ``` Returns a boolean value. The following example illustrates how to check for specific values or objects in an array using this function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/array-contains/result.json"::: |
cosmos-db | Array Length | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/array-length.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of elements in the specified array expression. ## Syntax -```sql +```nosql ARRAY_LENGTH(<array_expr>) ``` Returns a numeric expression. The following example illustrates how to get the length of an array using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/array-length/result.json"::: |
cosmos-db | Array Slice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/array-slice.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a subset of an array expression using the index and length specified. ## Syntax -```sql +```nosql ARRAY_SLICE(<array_expr>, <numeric_expr_1> [, <numeric_expr_2>]) ``` Returns an array expression. The following example shows how to get different slices of an array using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/array-slice/result.json"::: |
cosmos-db | Asin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/asin.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric arcsine of the specified numeric value. The arcsine is ## Syntax -```sql +```nosql ASIN(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the arcsine of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/asin/result.json"::: |
cosmos-db | Atan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/atan.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric arctangent of the specified numeric value. The arcsine ## Syntax -```sql +```nosql ATAN(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the arctangent of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/atan/result.json"::: |
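Review bot: the context line immediately before the syntax block reads "Returns the trigonometric arctangent of the specified numeric value. The arcsine ...", which looks like a leftover from the asin.md page; since this hunk touches atan.md anyway, change "The arcsine" to "The arctangent" so the definition sentence matches the function.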
cosmos-db | Atn2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/atn2.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the principal value of the arctangent of `y/x`, expressed in radians. ## Syntax -```sql +```nosql ATN2(<numeric_expr>, <numeric_expr>) ``` Returns a numeric expression. The following example calculates the arctangent for the specified `x` and `y` components. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/atn2/result.json"::: |
cosmos-db | Average | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/average.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the average of the values in the expression. ## Syntax -```sql +```nosql AVG(<numeric_expr>) ``` For this example, consider a container with multiple items that each contain a ` In this example, the function is used to average the values of a specific field into a single aggregated value. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/average/result.json"::: |
cosmos-db | Bitwise Operators | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/bitwise-operators.md | +ms.devlang: nosql Last updated : 02/27/2024 The following table shows the explanations and examples of bitwise operations in For example, the following query uses each of the bitwise operators and renders a result. -```sql +```nosql SELECT (100 >> 2) AS rightShift, (100 << 2) AS leftShift, |
cosmos-db | Ceiling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/ceiling.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the smallest integer value greater than or equal to the specified numeri ## Syntax -```sql +```nosql CEILING(<numeric_expr>) ``` Returns a numeric expression. The following example shows positive numeric, negative, and zero values evaluated with this function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/ceiling/result.json"::: |
cosmos-db | Choose | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/choose.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the expression at the specified index of a list, or Undefined if the ind ## Syntax -```sql +```nosql CHOOSE(<numeric_expr>, <expr_1> [, <expr_N>]) ``` Returns an expression, which could be of any type. The following example uses a static list to demonstrate various return values at different indexes. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/choose/result.json"::: This example uses a static list to demonstrate various return values at different indexes. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/choose-indexes/result.json"::: This final example uses an existing item in a container with three relevant fiel This example selects an expression from existing paths in the item. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/choose-fields/result.json"::: |
cosmos-db | Computed Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/computed-properties.md | +ms.devlang: nosql Last updated : 02/27/2024 Here's an example computed property definition to convert the `name` property to This property could then be projected in a query: -```sql +```nosql SELECT c.cp_lowerName FROM Here's an example computed property definition to calculate a 20 percent price d This property could then be filtered on to ensure that only products where the discount would be less than $50 are returned: -```sql +```nosql SELECT c.price - c.cp_20PercentDiscount as discountedPrice, c.name Here's an example computed property definition that finds the primary category f You can then group by `cp_primaryCategory` to get the count of items in each primary category: -```sql +```nosql SELECT COUNT(1), c.cp_primaryCategory Here's an example computed property definition that gets the month out of the `_ Before you can ORDER BY `cp_monthUpdated`, you must add it to your indexing policy. After your indexing policy is updated, you can order by the computed property. -```sql +```nosql SELECT * FROM |
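Review bot: in the discounted-price example, `c.price - c.cp_20PercentDiscount as discountedPrice` uses a lowercase `as` while every other keyword on the page (`SELECT`, `FROM`, `COUNT`, `ORDER BY`) is uppercase; since this hunk retags that block, uppercase `AS` at the same time.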
cosmos-db | Concat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/concat.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string that is the result of concatenating two or more string values. ## Syntax -```sql +```nosql CONCAT(<string_expr_1>, <string_expr_2> [, <string_expr_N>]) ``` Returns a string expression. This first example returns the concatenated string of two string expressions. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/concat/result.json"::: This next example uses an existing item in a container with various relevant fie This example uses the function to select two expressions from the item. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/concat-fields/result.json"::: |
cosmos-db | Constants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/constants.md | +ms.devlang: nosql Last updated : 02/27/2024 A constant, also known as a literal or a scalar value, is a symbol that represen ## Syntax -```sql +```nosql <constant> ::= <undefined_constant> | <null_constant> |
cosmos-db | Contains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/contains.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating whether the first string expression contains the se ## Syntax -```sql +```nosql CONTAINS(<string_expr_1>, <string_expr_2> [, <bool_expr>]) ``` Returns a boolean expression. The following example checks if various static substrings exist in a string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/contains/result.json"::: |
cosmos-db | Cos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/cos.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric cosine of the specified angle in radians. ## Syntax -```sql +```nosql COS(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the cosine of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/cos/result.json"::: |
cosmos-db | Cot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/cot.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric cotangent of the specified angle in radians. ## Syntax -```sql +```nosql COT(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the cotangent of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/cot/result.json"::: |
cosmos-db | Count | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/count.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the count of the values in the expression. ## Syntax -```sql +```nosql COUNT(<scalar_expr>) ``` Returns a numeric scalar value. This first example passes in either a scalar value or a numeric expression to the `COUNT` function. The expression is evaluated first to a scalar, making the result of both uses of the function the same value. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/count-expression/result.json"::: |
cosmos-db | Datetimeadd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimeadd.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a date and time string value that is the result of adding a specified nu ## Syntax -```sql +```nosql DateTimeAdd(<date_time_part>, <numeric_expr> ,<date_time>) ``` Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.f The following example adds various values (one year, one month, one day, one hour) to the date **July 3, 2020** at **midnight (00:00 UTC)**. The example also subtracts various values (two years, two months, two days, two hours) from the same date. Finally, this example uses an expression to modify the seconds of the same date. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimeadd/result.json"::: |
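Review bot: the syntax line `DateTimeAdd(<date_time_part>, <numeric_expr> ,<date_time>)` has the comma on the wrong side of the space before `<date_time>`; since the fence is being retagged anyway, normalize it to `DateTimeAdd(<date_time_part>, <numeric_expr>, <date_time>)` to match the other function pages.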
cosmos-db | Datetimebin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimebin.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a date and time string value that is the result of binning (or rounding) ## Syntax -```sql +```nosql DateTimeBin(<date_time> , <date_time_part> [, <bin_size>] [, <bin_start_date_time>]) ``` Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.f The following example bins the date **January 8, 2021** at **18:35 UTC** by various values. The example also changes the bin size, and the bin start date and time. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimebin/result.json"::: |
cosmos-db | Datetimediff | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimediff.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the difference, as a signed integer, of the specified date and time part ## Syntax -```sql +```nosql DateTimeDiff(<date_time_part>, <start_date_time>, <end_date_time>) ``` Returns a numeric value that is a signed integer. The following examples compare **February 4, 2019 16:00 UTC** and **March 5, 2018 05:00 UTC** using various date and time parts. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimediff/result.json"::: |
cosmos-db | Datetimefromparts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimefromparts.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a date and time string value constructed from input numeric values for v ## Syntax -```sql +```nosql DateTimeFromParts(<numeric_year>, <numeric_month>, <numeric_day> [, <numeric_hour>] [, <numeric_minute>] [, <numeric_second>] [, <numeric_second_fraction>]) ``` Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.f The following example uses various combinations of the arguments to create date and time strings. This example uses the date and time **April 20, 2017 13:15 UTC**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimefromparts/result.json"::: |
cosmos-db | Datetimepart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimepart.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the value of the specified date and time part for the provided date and ## Syntax -```sql +```nosql DateTimePart(<date_time> , <date_time_part>) ``` Returns a numeric value that is a positive integer. The following example returns various parts of the date and time **May 29, 2016 08:30 UTC**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimepart/result.json"::: |
cosmos-db | Datetimetoticks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimetoticks.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts the specified DateTime to ticks. A single tick represents `100` nanosec ## Syntax -```sql +```nosql DateTimeToTicks(<date_time>) ``` Returns a signed numeric value, the current number of `100`-nanosecond ticks tha The following example measures the ticks since the date and time **May 19, 2015 12:00 UTC**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimetoticks/result.json"::: |
cosmos-db | Datetimetotimestamp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/datetimetotimestamp.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts the specified date and time to a numeric timestamp. The timestamp is a ## Syntax -```sql +```nosql DateTimeToTimestamp(<date_time>) ``` Returns a signed numeric value, the current number of milliseconds that have ela The following example converts the date and time **May 19, 2015 12:00 UTC** to a timestamp. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/datetimetotimestamp/result.json"::: |
cosmos-db | Degrees | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/degrees.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the corresponding angle in degrees for an angle specified in radians. ## Syntax -```sql +```nosql DEGREES(<numeric_expr>) ``` Returns a numeric expression. The following example returns the degrees for various radian values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/degrees/result.json"::: |
cosmos-db | Documentid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/documentid.md | +ms.devlang: nosql Last updated : 02/27/2024 Extracts the integer identifier corresponding to a specific item within a physic ## Syntax -```sql +```nosql DOCUMENTID(<root_specifier>) ``` This example illustrates using this function to extract and return the integer i :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/documentid/seed.novalidate.json" highlight="3"::: :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/documentid/result.novalidate.json"::: This function can also be used as a filter. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/documentid-filter/seed.novalidate.json" highlight="3"::: :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/documentid-filter/result.novalidate.json"::: |
cosmos-db | Endswith | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/endswith.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating whether the first string expression ends with ## Syntax -```sql +```nosql ENDSWITH(<string_expr_1>, <string_expr_2> [, <bool_expr>]) ``` Returns a boolean expression. The following example checks if the string `abc` ends with `b` or `bC`. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/endswith/result.json"::: |
cosmos-db | Equality Comparison Operators | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/equality-comparison-operators.md | +ms.devlang: nosql Last updated : 02/27/2024 If the result of the scalar expression is ``undefined``, the item isn't included For example, the following query's comparison between a number and string value produces ``undefined``. Therefore, the filter doesn't include any results. -```sql +```nosql SELECT * FROM |
cosmos-db | Exp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/exp.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the exponential value of the specified numeric expression. ## Syntax -```sql +```nosql EXP(<numeric_expr>) ``` Returns a numeric expression. The following example returns the exponential value for various numeric inputs. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/exp/result.json"::: |
cosmos-db | Floor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/floor.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the largest integer less than or equal to the specified numeric expressi ## Syntax -```sql +```nosql FLOOR(<numeric_expr>) ``` Returns a numeric expression. The following example shows positive numeric, negative, and zero values evaluated with this function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/floor/result.json"::: |
cosmos-db | From | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/from.md | +ms.devlang: nosql Last updated : 02/27/2024 The ``FROM`` clause enforces the following rules per query: ## Syntax -```sql +```nosql FROM <from_specification> <from_specification> ::= A container expression may be container-scoped or item-scoped: In this first example, the ``FROM`` clause is used to specify the current container as a source, give it a unique name, and then alias it. The alias is then used to project specific fields in the query results. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/from/result.json"::: In this next example, the ``FROM`` clause can also reduce the source to a smaller subset. To enumerate only a subtree in each item, the subroot can become the source. An array or object subroot can be used as a source. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/from-field/result.json"::: |
cosmos-db | Geospatial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/geospatial.md | +ms.devlang: nosql Last updated : 02/27/2024 |
cosmos-db | Getcurrentdatetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrentdatetime.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the current UTC (Coordinated Universal Time) date and time as an ISO 860 ## Syntax -```sql +```nosql GetCurrentDateTime() ``` Returns the current UTC date and time string value in the **round-trip** (ISO 86 The following example shows how to get the current UTC date and time string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrentdatetime/result.novalidate.json"::: |
cosmos-db | Getcurrentdatetimestatic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrentdatetimestatic.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the current UTC (Coordinated Universal Time) date and time as an ISO 860 ## Syntax -```sql +```nosql GetCurrentDateTimeStatic() ``` This example uses a container with a partition key path of `/pk`. There are thre This function returns the same static date and time for items within the same partition. For comparison, the nonstatic function gets a new date and time value for each item matched by the query. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrentdatetimestatic/result.novalidate.json"::: |
cosmos-db | Getcurrentticks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrentticks.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of 100-nanosecond ticks that have elapsed since `00:00:00 Thu ## Syntax -```sql +```nosql GetCurrentTicks() ``` Returns a signed numeric value that represents the current number of 100-nanosec The following example returns the current time measured in ticks: :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrentticks/result.novalidate.json"::: |
cosmos-db | Getcurrentticksstatic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrentticksstatic.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of 100-nanosecond ticks that have elapsed since `00:00:00 Thu ## Syntax -```sql +```nosql GetCurrentTicksStatic() ``` This example uses a container with a partition key path of `/pk`. There are thre This function returns the same static nanosecond ticks for items within the same partition. For comparison, the nonstatic function gets a new nanosecond ticks value for each item matched by the query. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrentticksstatic/result.novalidate.json"::: |
cosmos-db | Getcurrenttimestamp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrenttimestamp.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of milliseconds that have elapsed since `00:00:00 Thursday, 1 ## Syntax -```sql +```nosql GetCurrentTimestamp() ``` Returns a signed numeric value that represents the current number of millisecond The following example shows how to get the current timestamp. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrenttimestamp/result.novalidate.json"::: |
cosmos-db | Getcurrenttimestampstatic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/getcurrenttimestampstatic.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of milliseconds that have elapsed since `00:00:00 Thursday, 1 ## Syntax -```sql +```nosql GetCurrentTimestampStatic() ``` This example uses a container with a partition key path of `/pk`. There are thre This function returns the same static timestamp for items within the same partition. For comparison, the nonstatic function gets a new timestamp value for each item matched by the query. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/getcurrenttimestampstatic/result.novalidate.json"::: |
cosmos-db | Group By | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/group-by.md | +ms.devlang: nosql Last updated : 02/27/2024 The ``GROUP BY`` clause divides the query's results according to the values of o ## Syntax -```sql +```nosql <group_by_clause> ::= GROUP BY <scalar_expression_list> <scalar_expression_list> ::= For the examples in this section, this reference set of items is used. Each item In this first example, the ``GROUP BY`` clause is used to create groups of items using the value of a specified property. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/group-by/result.json"::: In this next example, an aggregate system function ([``COUNT``](count.md)) is used with the groupings to provide a total number of items per group. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/group-by-aggregate/result.json"::: In this final example, the items are grouped using multiple properties. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/group-by-multiple/result.json"::: |
cosmos-db | How To Enable Use Copilot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/how-to-enable-use-copilot.md | +ms.devlang: nosql Last updated : 02/27/2024 # CustomerIntent: As a developer, I want to use Copilot so that I can write queries faster and easier. |
cosmos-db | Iif | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/iif.md | +ms.devlang: nosql Last updated : 02/27/2024 Evaluates a boolean expression and returns the result of one of two expressions ## Syntax -```sql +```nosql IIF(<bool_expr>, <true_expr>, <not_true_expr>) ``` Returns an expression, which could be of any type. This first example evaluates a static boolean expression and returns one of two potential expressions. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/iif/result.json"::: This example evaluates one of two potential expressions on multiple items in a c The query uses fields in the original items. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/iif-fields/result.json"::: |
cosmos-db | Index Of | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/index-of.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the starting index of the first occurrence of a substring expression wit ## Syntax -```sql +```nosql INDEX_OF(<string_expr_1>, <string_expr_2> [, <numeric_expr>]) ``` Returns a numeric expression. The following example returns the index of various substrings inside the larger string **"AdventureWorks"**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/index-of/result.json"::: |
cosmos-db | Intadd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intadd.md | +ms.devlang: nosql Last updated : 02/27/2024 Adds the value of the right-hand operand to the left-hand operand. For more info ## Syntax -```sql +```nosql IntAdd(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intadd/result.json"::: |
cosmos-db | Intbitand | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitand.md | +ms.devlang: nosql Last updated : 02/27/2024 Compares the bits on both the left-hand and right-hand operators using `AND` and ## Syntax -```sql +```nosql IntBitAnd(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitand/result.novalidate.json"::: |
cosmos-db | Intbitleftshift | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitleftshift.md | +ms.devlang: nosql Last updated : 02/27/2024 Shifts the left-hand operator left by the number of bits defined by its right-ha ## Syntax -```sql +```nosql IntBitLeftShift(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitleftshift/result.novalidate.json"::: |
cosmos-db | Intbitnot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitnot.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the bitwise complement of the operand. For example, every `1` bit indivi ## Syntax -```sql +```nosql IntBitNot(<int_expr>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitnot/result.novalidate.json"::: |
cosmos-db | Intbitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitor.md | +ms.devlang: nosql Last updated : 02/27/2024 Compares the bits on both the left-hand and right-hand operators using inclusive ## Syntax -```sql +```nosql IntBitOr(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitor/result.novalidate.json"::: |
cosmos-db | Intbitrightshift | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitrightshift.md | +ms.devlang: nosql Last updated : 02/27/2024 Shifts the left-hand operator right by the number of bits defined by its right-h ## Syntax -```sql +```nosql IntBitRightShift(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitrightshift/result.novalidate.json"::: |
cosmos-db | Intbitxor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intbitxor.md | +ms.devlang: nosql Last updated : 02/27/2024 Compares the bits on both the left-hand and right-hand operators using exclusive ## Syntax -```sql +```nosql IntBitXor(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intbitxor/result.novalidate.json"::: |
cosmos-db | Intdiv | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intdiv.md | +ms.devlang: nosql Last updated : 02/27/2024 Divides the left-hand operator by the right-hand operator. For more information, ## Syntax -```sql +```nosql IntDiv(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intdiv/result.json"::: |
cosmos-db | Intmod | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intmod.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the remainder from dividing the left-hand operator by the right-hand ope ## Syntax -```sql +```nosql IntMod(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intmod/result.json"::: |
cosmos-db | Intmul | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intmul.md | +ms.devlang: nosql Last updated : 02/27/2024 Multiplies the values of the left and right operators. For more information, see ## Syntax -```sql +```nosql IntMul(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intmul/result.json"::: |
cosmos-db | Intsub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/intsub.md | +ms.devlang: nosql Last updated : 02/27/2024 Subtracts the value of the right-hand operand from the left-hand operand. For mo ## Syntax -```sql +```nosql IntSub(<int_expr_1>, <int_expr_2>) ``` Returns a 64-bit integer. This example tests the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/intsub/result.json"::: |
cosmos-db | Is Array | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-array.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is an ## Syntax -```sql +```nosql IS_ARRAY(<expr>) ``` Returns a boolean expression. The following example checks objects of various types using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-array/result.json"::: |
cosmos-db | Is Bool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-bool.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is a ## Syntax -```sql +```nosql IS_BOOL(<expr>) ``` Returns a boolean expression. The following example checks objects of various types using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-bool/result.json"::: |
cosmos-db | Is Defined | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-defined.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating if the property has been assigned a value. ## Syntax -```sql +```nosql IS_DEFINED(<expr>) ``` Returns a boolean expression. The following example checks for the presence of a property within the specified JSON document. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-defined/result.json"::: |
cosmos-db | Is Finite Number | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-finite-number.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating if a number is a finite number (not infinite). ## Syntax -```sql +```nosql IS_FINITE_NUMBER(<numeric_expr>) ``` Returns a boolean. This example demonstrates the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-finite-number/result.json"::: |
cosmos-db | Is Integer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-integer.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating if a number is a 64-bit signed integer. 64-bit sign ## Syntax -```sql +```nosql IS_INTEGER(<numeric_expr>) ``` Returns a boolean. This example demonstrates the function with various static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-integer/result.json"::: |
cosmos-db | Is Null | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-null.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is `n ## Syntax -```sql +```nosql IS_NULL(<expr>) ``` Returns a boolean expression. The following example checks objects of various types using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-null/result.json"::: |
cosmos-db | Is Number | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-number.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is a ## Syntax -```sql +```nosql IS_NUMBER(<expr>) ``` Returns a boolean expression. The following example checks various values to see if they're a number. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-number/result.json"::: |
cosmos-db | Is Object | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-object.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is a ## Syntax -```sql +```nosql IS_OBJECT(<expr>) ``` Returns a boolean expression. The following example checks various values to see if they're an object. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-object/result.json"::: |
cosmos-db | Is Primitive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-primitive.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is a ## Syntax -```sql +```nosql IS_PRIMITIVE(<expr>) ``` Returns a boolean expression. The following example checks various values to see if they're a primitive. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-primitive/result.json"::: |
cosmos-db | Is String | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/is-string.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating if the type of the specified expression is a ## Syntax -```sql +```nosql IS_STRING(<expr>) ``` Returns a boolean expression. The following example checks various values to see if they're a string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/is-string/result.json"::: |
cosmos-db | Join | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/join.md | +ms.devlang: nosql Last updated : 02/27/2024 Let's look at an example of a self-join within an item. Consider a container wit What if you need to find the **color group** of this product? Typically, you would need to write a query that has a filter checking every potential index in the `tags` array for a value with a prefix of `color-group-`. -```sql +```nosql SELECT * FROM This technique can become untenable quickly. The complexity or length of the que In a traditional relational database, the tags would be separated into a separate table and a cross-table join is performed with a filter applied to the results. In the API for NoSQL, we can perform a self-join operation within the item using the `JOIN` keyword. -```sql +```nosql SELECT p.id, p.sku, This query returns a simple array with an item for each value in the tags array. Let's break down the query. The query now has two aliases: `p` for each product item in the result set, and `t` for the self-joined `tags` array. The `*` keyword is only valid to project all fields if it can infer the input set, but now there are two input sets (`p` and `t`). Because of this constraint, we must explicitly define our returned fields as `id` and `sku` from the product along with `slug` from the tags. To make this query easier to read and understand, we can drop the `id` field and use an alias for the tag's `name` field to rename it to `tag`. -```sql +```nosql SELECT p.sku, t.name AS tag JOIN Finally, we can use a filter to find the tag `color-group-purple`. Because we used the `JOIN` keyword, our filter is flexible enough to handle any variable number of tags. -```sql +```nosql SELECT p.sku, t.name AS tag A join operation on our sample sleeping bag products and tags creates the follow Here's the SQL query and JSON result set for a join that includes multiple items in the container. -```sql +```nosql SELECT p.sku, t.name AS tag WHERE Just like with the single item, you can apply a filter here to find only items that match a specific tag. For example, this query finds all items with a tag named `bag-shape-mummy` to meet the initial requirement mentioned earlier in this section. -```sql +```nosql SELECT p.sku, t.name AS tag WHERE You can also change the filter to get a different result set. For example, this query finds all items that have a tag named `bag-insulation-synthetic-fill`. -```sql +```nosql SELECT p.sku, t.name AS tag |
cosmos-db | Keywords | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/keywords.md | +ms.devlang: nosql Last updated : 02/27/2024 The ``BETWEEN`` keyword evaluates to a boolean indicating whether the target val You can use the ``BETWEEN`` keyword with a ``WHERE`` clause to express queries that filter results against ranges of string or numerical values. For example, the following query returns all items in which the price is between ``17.25`` and ``25.50``, again inclusive. -```sql +```nosql SELECT VALUE p.price FROM WHERE You can also use the ``BETWEEN`` keyword in the ``SELECT`` clause, as in the following example. -```sql +```nosql SELECT (p.price BETWEEN 0 AND 10) AS booleanLessThanTen, p.price The ``DISTINCT`` keyword eliminates duplicates in the projected query results. In this example, the query projects values for each product category. If two categories are equivalent, only a single occurrence returns in the results. -```sql +```nosql SELECT DISTINCT VALUE p.category FROM FROM You can also project values even if the target field doesn't exist. In this case, the field doesn't exist in one of the items, so the query returns an empty object for that specific unique value. -```sql +```nosql SELECT DISTINCT p.category FROM You can use the following wildcard characters with LIKE: The ``%`` character matches any string of zero or more characters. For example, by placing a ``%`` at the beginning and end of the pattern, the following query returns all items where the specified field contains the phrase as a substring: -```sql +```nosql SELECT VALUE p.name FROM WHERE If you only used a ``%`` character at the end of the pattern, you'd only return items with a description that started with `fruit`: -```sql +```nosql SELECT VALUE p.name FROM WHERE Similarly, a wildcard only at the start of the pattern matches values that end with the specified text, that is, values that have it as a suffix: -```sql +```nosql SELECT VALUE p.name FROM WHERE The ``NOT`` keyword inverts the result of the ``LIKE`` keyword's expression evaluation. This example returns all items that do **not** match the ``LIKE`` expression. -```sql +```nosql SELECT VALUE p.name FROM WHERE You can search for patterns that include one or more wildcard characters using the ``ESCAPE`` clause. For example, if you wanted to search for descriptions that contained the string ``20%``, you wouldn't want to interpret the ``%`` as a wildcard character. This example interprets the ``^`` as the escape character so you can escape a specific instance of ``%``. -```sql +```nosql SELECT VALUE p.name FROM You can enclose wildcard characters in brackets to treat them as literal charact Use the ``IN`` keyword to check whether a specified value matches any value in a list. For example, the following query returns all items where the category matches at least one of the values in a list. -```sql +```nosql SELECT * FROM The ``TOP`` keyword returns the first ``N`` number of query results in an undefi You can use ``TOP`` with a constant value, as in the following example, or with a variable value using parameterized queries. -```sql +```nosql SELECT TOP 10 * FROM |
cosmos-db | Left | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/left.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the left part of a string up to the specified number of characters. ## Syntax -```sql +```nosql LEFT(<string_expr>, <numeric_expr>) ``` Returns a string expression. The following example returns the left part of the string `Microsoft` for various length values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/left/result.json"::: |
cosmos-db | Length | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/length.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the number of characters in the specified string expression. ## Syntax -```sql +```nosql LENGTH(<string_expr>) ``` Returns a numeric expression. The following example returns the length of a static string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/length/result.json"::: |
cosmos-db | Linq To Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/linq-to-sql.md | +ms.devlang: nosql Last updated : 02/27/2024 The syntax is `input.Select(x => f(x))`, where `f` is a scalar expression. The ` - **NoSQL** - ```sql + ```nosql SELECT VALUE f.parents[0].familyName FROM Families f ``` The syntax is `input.Select(x => f(x))`, where `f` is a scalar expression. The ` - **NoSQL** - ```sql + ```nosql SELECT VALUE f.children[0].grade + c FROM Families f ``` The syntax is `input.Select(x => f(x))`, where `f` is a scalar expression. The ` - **NoSQL** - ```sql + ```nosql SELECT VALUE { "name":f.children[0].familyName, "grade": f.children[0].grade + 3 The syntax is `input.SelectMany(x => f(x))`, where `f` is a scalar expression th - **NoSQL** - ```sql + ```nosql SELECT VALUE child FROM child IN Families.children ``` The syntax is `input.Where(x => f(x))`, where `f` is a scalar expression, which - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f WHERE f.parents[0].familyName = "Wakefield" The syntax is `input.Where(x => f(x))`, where `f` is a scalar expression, which - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f WHERE f.parents[0].familyName = "Wakefield" The syntax is `input(.|.SelectMany())(.Select()|.Where())*`. A concatenated quer - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f WHERE f.parents[0].familyName = "Wakefield" The syntax is `input(.|.SelectMany())(.Select()|.Where())*`. A concatenated quer - **NoSQL** - ```sql + ```nosql SELECT VALUE f.parents[0].familyName FROM Families f WHERE f.children[0].grade > 3 The syntax is `input(.|.SelectMany())(.Select()|.Where())*`. A concatenated quer - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f WHERE ({grade: f.children[0].grade}.grade > 3) The syntax is `input(.|.SelectMany())(.Select()|.Where())*`. A concatenated quer - **NoSQL** - ```sql + ```nosql SELECT * FROM p IN Families.parents WHERE p.familyName = "Wakefield" A nested query applies the inner query to each element of the outer container. O - **NoSQL** - ```sql + ```nosql SELECT VALUE p.familyName FROM Families f JOIN p IN f.parents A nested query applies the inner query to each element of the outer container. O - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f JOIN c IN f.children A nested query applies the inner query to each element of the outer container. O - **NoSQL** - ```sql + ```nosql SELECT * FROM Families f JOIN c IN f.children |
cosmos-db | Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/log.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the natural logarithm of the specified numeric expression. ## Syntax -```sql +```nosql LOG(<numeric_expr> [, <numeric_base>]) ``` Returns a numeric expression. The following example returns the logarithm value of various values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/log-base/result.json"::: |
cosmos-db | Log10 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/log10.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the base-10 logarithm of the specified numeric expression. ## Syntax -```sql +```nosql LOG10(<numeric_expr>) ``` Returns a numeric expression. The following example returns the logarithm value of various values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/log10/result.json"::: |
cosmos-db | Logical Operators | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/logical-operators.md | +ms.devlang: nosql Last updated : 02/27/2024 |
cosmos-db | Lower | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/lower.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string expression after converting uppercase character data to lowerca ## Syntax -```sql +```nosql LOWER(<string_expr>) ``` Returns a string expression. The following example shows how to use the function to modify various strings. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/lower/result.json"::: |
cosmos-db | Ltrim | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/ltrim.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string expression after it removes leading whitespace or specified cha ## Syntax -```sql +```nosql LTRIM(<string_expr_1> [, <string_expr_2>]) ``` Returns a string expression. The following example shows how to use this function with various parameters inside a query. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/ltrim/result.json"::: |
cosmos-db | Max | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/max.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the maximum of the values in the expression. ## Syntax -```sql +```nosql MAX(<scalar_expr>) ``` This example uses a container with multiple items that each have a `/price` nume For this example, the `MAX` function is used in a query that includes the numeric field that was mentioned. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/max/result.json"::: |
cosmos-db | Min | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/min.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the minimum of the values in the expression. ## Syntax -```sql +```nosql MIN(<scalar_expr>) ``` This example uses a container with multiple items that each have a `/price` nume For this example, the `MIN` function is used in a query that includes the numeric field that was mentioned. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/min/result.json"::: |
cosmos-db | Numberbin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/numberbin.md | +ms.devlang: nosql Last updated : 02/27/2024 Rounds the numeric expression's value down to a multiple of the specified bin size. ## Syntax -```sql +```nosql NumberBin(<numeric_expr> [, <bin_size>]) ``` Returns a numeric value. This first example bins a single static number with various bin sizes. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/numberbin/result.novalidate.json"::: This next example uses a field from an existing item. This query rounds the previous field using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/numberbin-field/result.novalidate.json"::: |
cosmos-db | Object Array | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/object-array.md | +ms.devlang: nosql Last updated : 02/27/2024 Here's an item that's used in examples throughout this article. You can construct arrays using static values, as shown in the following example. -```sql +```nosql SELECT [p.priceInUSD, p.priceInCAD] AS priceData FROM products p FROM products p You can also use the [``ARRAY`` expression](subquery.md#array-expression) to construct an array from a [subquery's](subquery.md) results. This query gets all the distinct categories. -```sql +```nosql SELECT p.id, ARRAY (SELECT DISTINCT VALUE c.name FROM c IN p.categories) AS categoryNames The API for NoSQL provides support for iterating over JSON arrays, with the [``I As an example, the next query performs iteration over ``tags`` for each item in the container. The output splits the array value and flattens the results into a single array. -```sql +```nosql SELECT * FROM FROM You can filter further on each individual entry of the array, as shown in the following example: -```sql +```nosql SELECT VALUE p.name FROM The results are: You can also aggregate over the result of an array iteration. For example, the following query counts the number of tags: -```sql +```nosql SELECT VALUE COUNT(1) FROM |
cosmos-db | Objecttoarray | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/objecttoarray.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts each field/value pair in a JSON object into an element and then returns ## Syntax -```sql +```nosql ObjectToArray(<object_expr> [, <string_expr_1>, <string_expr_2>]) ``` An array of elements with two fields, either `k` and `v` or custom-named fields. This example demonstrates converting a static object to an array of field/value pairs using the default `k` and `v` identifiers. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/objecttoarray/result.json"::: In this example, the field name is updated to use the `name` identifier. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/objecttoarray-key/result.json"::: In this example, the value name is updated to use the `value` identifier and the field name uses the `key` identifier. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/objecttoarray-key-value/result.json"::: This final example uses an item within an existing container that stores data us In this example, the function is used to break up the object into an array item for each field/value pair. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/objecttoarray-field/result.json"::: |
cosmos-db | Offset Limit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/offset-limit.md | +ms.devlang: nosql Last updated : 02/27/2024 When ``OFFSET LIMIT`` is used with an ``ORDER BY`` clause, the result set is pro ## Syntax -```sql +```nosql OFFSET <offset_amount> LIMIT <limit_amount> ``` For the example in this section, this reference set of items is used. Each item This example includes a query using the ``OFFSET LIMIT`` clause to return a subset of the matching items by skipping **one** item and taking the next **three**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/offset-limit/result.json"::: |
cosmos-db | Order By | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/order-by.md | +ms.devlang: nosql Last updated : 02/27/2024 The optional ``ORDER BY`` clause specifies the sorting order for results returne ## Syntax -```sql +```nosql ORDER BY <sort_specification> <sort_specification> ::= <sort_expression> [, <sort_expression>] <sort_expression> ::= {<scalar_expression> [ASC | DESC]} [ ,...n ] For the examples in this section, this reference set of items is used. Each item In this first example, the ``ORDER BY`` clause is used to sort a field by the default sort order, ascending. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/order-by/result.json"::: In this next example, the sort order is explicitly specified to be descending. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/order-by-desc/result.json"::: In this final example, the items are sorted using two fields, in a specific order using explicitly specified ordering. A query that sorts using two or more fields requires a [composite index](../../index-policy.md#composite-indexes). ## Remarks |
cosmos-db | Pagination | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/pagination.md | +ms.devlang: nosql Last updated : 02/27/2024 You can't use continuation tokens for queries with [GROUP BY](group-by.md) or [D Here's an example of a query with ``DISTINCT`` that could use a continuation token: -```sql +```nosql SELECT DISTINCT VALUE e.name FROM |
cosmos-db | Parameterized Queries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/parameterized-queries.md | +ms.devlang: nosql Last updated : 02/27/2024 Azure Cosmos DB for NoSQL supports queries with parameters expressed by the fami For example, you can write a query that takes ``lastName`` and ``address.state`` as parameters, and execute it for various values of ``lastName`` and ``address.state`` based on user input. -```sql +```nosql SELECT * FROM You can then send this request to Azure Cosmos DB for NoSQL as a parameterized J This next example sets the ``TOP`` argument with a parameterized query: -```sql +```nosql { "query": "SELECT TOP @pageSize * FROM products", "parameters": [ |
cosmos-db | Pi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/pi.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the constant value of Pi. For more information, see [Pi](https://wikiped ## Syntax -```sql +```nosql PI() ``` Returns a numeric expression. The following example returns the constant value of Pi. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/pi/result.json"::: |
cosmos-db | Power | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/power.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the value of the specified expression multiplied by itself the given numb ## Syntax -```sql +```nosql POWER(<numeric_expr_1>, <numeric_expr_2>) ``` Returns a numeric expression. The following example demonstrates raising a number to various powers. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/power/result.json"::: |
cosmos-db | Radians | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/radians.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the corresponding angle in radians for an angle specified in degrees. ## Syntax -```sql +```nosql RADIANS(<numeric_expr>) ``` Returns a numeric expression. The following example returns the radians for various degree values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/radians/result.json"::: |
cosmos-db | Rand | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/rand.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a randomly generated numeric value from zero to one. ## Syntax -```sql +```nosql RAND() ``` Returns a numeric expression. The following example returns randomly generated numeric values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/rand/result.novalidate.json"::: |
cosmos-db | Regexmatch | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/regexmatch.md | +ms.devlang: nosql Last updated : 02/27/2024 This function provides regular expression capabilities. Regular expressions are ## Syntax -```sql +```nosql RegexMatch(<string_expr_1>, <string_expr_2> [, <string_expr_3>]) ``` Returns a boolean expression. The following example illustrates regular expression matches using a few different modifiers. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/regexmatch/result.json"::: The next example assumes that you have a container with items including a `name` This example uses a regular expression match as a filter to return a subset of items. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/regexmatch-field/result.json"::: |
cosmos-db | Replace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/replace.md | +ms.devlang: nosql Last updated : 02/27/2024 Replaces all occurrences of a specified string value with another string value. ## Syntax -```sql +```nosql REPLACE(<string_expr_1>, <string_expr_2>, <string_expr_3>) ``` Returns a string expression. The following example shows how to use this function to replace static values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/replace/result.json"::: |
cosmos-db | Replicate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/replicate.md | +ms.devlang: nosql Last updated : 02/27/2024 Repeats a string value a specified number of times. ## Syntax -```sql +```nosql REPLICATE(<string_expr>, <numeric_expr>) ``` Returns a string expression. The following example shows how to use this function to build a repeating string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/replicate/result.json"::: |
cosmos-db | Reverse | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/reverse.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the reverse order of a string value. ## Syntax -```sql +```nosql REVERSE(<string_expr>) ``` Returns a string expression. The following example shows how to use this function to reverse multiple strings. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/reverse/result.json"::: |
cosmos-db | Right | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/right.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the right part of a string up to the specified number of characters. ## Syntax -```sql +```nosql RIGHT(<string_expr>, <numeric_expr>) ``` Returns a string expression. The following example returns the right part of the string `Microsoft` for various length values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/right/result.json"::: |
cosmos-db | Round | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/round.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a numeric value, rounded to the closest integer value. ## Syntax -```sql +```nosql ROUND(<numeric_expr>) ``` Returns a numeric expression. The following example rounds positive and negative numbers to the nearest integer. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/round/result.json"::: |
cosmos-db | Rtrim | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/rtrim.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string expression after it removes trailing whitespace or specified ch ## Syntax -```sql +```nosql RTRIM(<string_expr_1> [, <string_expr_2>]) ``` Returns a string expression. The following example shows how to use this function with various parameters inside a query. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/rtrim/result.json"::: |
cosmos-db | Scalar Expressions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/scalar-expressions.md | +ms.devlang: nosql Last updated : 02/27/2024 The [``SELECT`` clause](select.md) supports scalar expressions. A scalar express ## Syntax -```sql +```nosql <scalar_expression> ::= <constant> | input_alias The [``SELECT`` clause](select.md) supports scalar expressions. A scalar express The most common example of a scalar expression is a math equation. -```sql +```nosql SELECT VALUE ((2 + 11 % 7) - 2) / 2 ``` SELECT VALUE In this next example, the result of the scalar expression is a boolean: -```sql +```nosql SELECT ("Redmond" = "WA") AS isCitySameAsState, ("WA" = "WA") AS isStateSameAsState |
cosmos-db | Select | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/select.md | +ms.devlang: nosql Last updated : 02/27/2024 Every query consists of a ``SELECT`` clause and optionally [``FROM``](from.md) a ## Syntax -```sql +```nosql SELECT <select_specification> <select_specification> ::= SELECT <select_specification> This first example selects two static string values and returns an array with a single object containing both values. Since the values are unnamed, a sequential generated number is used to name the equivalent json field. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/select/result.json"::: In this next example, JSON projection is used to fine tune the exact structure and field names for the resulting JSON object. Here, a JSON object is created with fields named ``department`` and ``team``. The outside JSON object is still unnamed, so a generated number (``$1``) is used to name this field. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/select-json/result.json"::: This example illustrates flattening the result set from the previous example to simplify parsing. The ``VALUE`` keyword is used here to prevent the wrapping of the results into another JSON object. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/select-value-json/result.json"::: In this example, the ``VALUE`` keyword is used with a static string to create an array of strings as the result. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/select-value/result.json"::: In this final example, assume that there's a container with two items with vario This final example query uses a combination of a ``SELECT`` clause, the ``VALUE`` keyword, a ``FROM`` clause, and JSON projection to perform a common query with the results transformed to a JSON object for the client to parse. 
:::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/select-fields/result.json"::: |
cosmos-db | Setintersect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/setintersect.md | +ms.devlang: nosql Last updated : 02/27/2024 Compares expressions in two sets and returns the set of expressions that is cont ## Syntax -```sql +```nosql SetIntersect(<array_expr_1>, <array_expr_2>) ``` Returns an array of expressions. This first example uses the function with static arrays to demonstrate the intersect functionality. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/setintersect/result.novalidate.json"::: This last example uses a single item that share values within two array properti The query selects the appropriate field from the item\[s\] in the container. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/setintersect-field/result.novalidate.json"::: |
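Review bot: the second example lead-in in this hunk, "This last example uses a single item that share values within two array properti", has a subject-verb mismatch ("a single item that shares"), and the following sentence's "the item\[s\]" should pick one form; given the lead-in says a single item, "the item" is enough.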
cosmos-db | Setunion | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/setunion.md | +ms.devlang: nosql Last updated : 02/27/2024 Gathers expressions in two sets and returns a set of expressions containing all ## Syntax -```sql +```nosql SetUnion(<array_expr_1>, <array_expr_2>) ``` Returns an array of expressions. This first example uses the function with static arrays to demonstrate the union functionality. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/setunion/result.novalidate.json"::: This last example uses an item that share values within multiple array propertie The query returns the union of the two arrays as a new property. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/setunion-field/result.novalidate.json"::: |
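Review bot: the second example lead-in in this hunk, "This last example uses an item that share values within multiple array propertie", needs "shares" to agree with "an item"; the same wording problem appears on the `SetIntersect` page, so both should be corrected together.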
cosmos-db | Sign | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/sign.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the positive (+1), zero (0), or negative (-1) sign of the specified nume ## Syntax -```sql +```nosql SIGN(<numeric_expr>) ``` Returns a numeric expression. The following example returns the sign of various numbers from -2 to 2. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/sign/result.json"::: |
cosmos-db | Sin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/sin.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric sine of the specified angle in radians. ## Syntax -```sql +```nosql SIN(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the sine of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/sin/result.json"::: |
cosmos-db | Sqrt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/sqrt.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the square root of the specified numeric value. ## Syntax -```sql +```nosql SQRT(<numeric_expr>) ``` Returns a numeric expression. The following example returns the square roots of various numeric values. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/sqrt/result.json"::: |
cosmos-db | Square | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/square.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the square of the specified numeric value. ## Syntax -```sql +```nosql SQUARE(<numeric_expr>) ``` Returns a numeric expression. The following example returns the squares of various numbers. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/square/result.json"::: |
cosmos-db | St Area | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-area.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the total area of a GeoJSON **Polygon** or **MultiPolygon** expression. ## Syntax -```sql +```nosql ST_AREA(<spatial_expr>) ``` Returns a numeric expression that enumerates the total area of a set of points. The following example shows how to return the area of a polygon. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-area/result.json"::: |
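Review bot: the return-type sentence in this hunk, "Returns a numeric expression that enumerates the total area of a set of points", uses "enumerates" where "represents" is meant, and the unit of the returned area is never stated; a reader comparing the result against a threshold has no way to know what the number means. Please name the unit in that sentence.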
cosmos-db | St Distance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-distance.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the distance between two GeoJSON Point, Polygon, MultiPolygon or LineStr ## Syntax -```sql +```nosql ST_DISTANCE(<spatial_expr_1>, <spatial_expr_2>) ``` The following example assumes a container exists with two items. The example shows how to use the function as a filter to return items within a specified distance. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-distance/result.json"::: |
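Review bot: this hunk has no return-type sentence after the syntax block, unlike the sibling pages (`ST_AREA` says "Returns a numeric expression...", `ST_INTERSECTS` says "Returns a boolean value."). Add "Returns a numeric expression." and the unit of the distance, since the example on this page uses the result as a filter against a specified distance and the reader needs the unit to write that filter correctly.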
cosmos-db | St Intersects | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-intersects.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating whether the GeoJSON object (**Point**, **Polygon**, ## Syntax -```sql +```nosql ST_INTERSECTS(<spatial_expr_1>, <spatial_expr_2>) ``` Returns a boolean value. The following example shows how to find if two polygons intersect. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-intersect/result.json"::: |
cosmos-db | St Isvalid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-isvalid.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating whether the specified GeoJSON **Point**, **Po ## Syntax -```sql +```nosql ST_ISVALID(<spatial_expr>) ``` Returns a boolean value. The following example how to check validity of multiple objects. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-isvalid/result.json"::: |
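Review bot: the example lead-in in this hunk, "The following example how to check validity of multiple objects.", is missing its verb; "The following example shows how to check the validity of multiple objects." matches the wording on the other function pages.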
cosmos-db | St Isvaliddetailed | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-isvaliddetailed.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a JSON value containing a Boolean value if the specified GeoJSON **Point ## Syntax -```sql +```nosql ST_ISVALIDDETAILED(<spatial_expr>) ``` Returns a JSON object containing a boolean value indicating if the specified Geo The following example how to check validity of multiple objects. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-isvaliddetailed/result.json"::: |
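Review bot: the example lead-in in this hunk repeats the `ST_ISVALID` page's missing verb ("The following example how to check validity of multiple objects."); it should read "The following example shows how to check the validity of multiple objects." The page would also benefit from one sentence saying what the returned JSON object contains beyond the boolean, since the description line is cut off at "indicating if the specified Geo" and the point of the detailed variant is the extra reason information.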
cosmos-db | St Within | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/st-within.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean expression indicating whether the GeoJSON object (GeoJSON **Po ## Syntax -```sql +```nosql ST_WITHIN(<spatial_expr_1>, <spatial_expr_2>) ``` Returns a boolean value. The following example shows how to find if a **Point** is within a **Polygon**. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/st-within/result.json"::: |
cosmos-db | Startswith | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/startswith.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean value indicating whether the first string expression starts wi ## Syntax -```sql +```nosql STARTSWITH(<string_expr_1>, <string_expr_2> [, <bool_expr>]) ``` Returns a boolean expression. The following example checks if the string `abc` starts with `b` or `ab`. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/startswith/result.json"::: |
cosmos-db | Stringequals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringequals.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a boolean indicating whether the first string expression matches the sec ## Syntax -```sql +```nosql STRINGEQUALS(<string_expr_1>, <string_expr_2> [, <boolean_expr>]) ``` Returns a boolean expression. The following example checks if "abc" matches "abc" and if "abc" matches "ABC." :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringequals/result.json"::: |
cosmos-db | Stringtoarray | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringtoarray.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts a string expression to an array. ## Syntax -```sql +```nosql StringToArray(<string_expr>) ``` Returns an array. The following example illustrates how this function works with various inputs. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringtoarray/result.json"::: |
cosmos-db | Stringtoboolean | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringtoboolean.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts a string expression to a boolean. ## Syntax -```sql +```nosql StringToBoolean(<string_expr>) ``` Returns a boolean value. The following example illustrates how this function works with various data types. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringtoboolean/result.json"::: |
cosmos-db | Stringtonull | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringtonull.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts a string expression to `null`. ## Syntax -```sql +```nosql StringToNull(<string_expr>) ``` Returns a `null`. The following example illustrates how this function works with various data types. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringtonull/result.json"::: |
cosmos-db | Stringtonumber | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringtonumber.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts a string expression to a number. ## Syntax -```sql +```nosql StringToNumber(<string_expr>) ``` Returns a number value. The following example illustrates how this function works with various data types. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringtonumber/result.json"::: |
cosmos-db | Stringtoobject | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/stringtoobject.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts a string expression to an object. ## Syntax -```sql +```nosql StringToObject(<string_expr>) ``` Returns an object. The following example illustrates how this function works with various inputs. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/stringtoobject/result.json"::: |
cosmos-db | Subquery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/subquery.md | +ms.devlang: nosql Last updated : 02/27/2024 Multi-value subqueries can optimize ``JOIN`` expressions by pushing predicates a Consider the following query: -```sql +```nosql SELECT VALUE COUNT(1) FROM The ``WHERE`` clause then applies the filter predicate on each ``<c, t, n, s>`` This query is equivalent to the preceding one but uses subqueries: -```sql +```nosql SELECT VALUE COUNT(1) FROM function getTotalWithTax(subTotal){ The following query runs the UDF `getTotalWithTax` multiple times: -```sql +```nosql SELECT VALUE { subtotal: p.price, total: udf.getTotalWithTax(p.price) WHERE Here's an equivalent query that runs the UDF only once: -```sql +```nosql SELECT VALUE { subtotal: p.price, total: totalPrice For instance, consider this set of measurements: The following query mimics joining with this data so that you add the name of the unit to the output: -```sql +```nosql SELECT s.id, (s.weight.quantity * m.multiplier) AS calculatedWeight, A simple-expression scalar subquery is a correlated subquery that has a ``SELECT As a first example, consider this trivial query. -```sql +```nosql SELECT 1 AS a, 2 AS b SELECT You can rewrite this query, by using a simple-expression scalar subquery. -```sql +```nosql SELECT (SELECT VALUE 1) AS a, (SELECT VALUE 2) AS b Both queries produce the same output. This next example query concatenates the unique identifier with a prefix as a simple-expression scalar subquery. -```sql +```nosql SELECT (SELECT VALUE Concat('ID-', p.id)) AS internalId FROM FROM This example uses a simple-expression scalar subquery to only return the relevant fields for each item. The query outputs something for each item, but it only includes the projected field if it meets the filter within the subquery. 
-```sql +```nosql SELECT p.id, (SELECT p.name WHERE CONTAINS(p.name, "glove")).name As a first example, consider an item with the following fields. Here's a subquery with a single aggregate function expression in its projection. This query counts all tags for each item. -```sql +```nosql SELECT p.name, (SELECT VALUE COUNT(1) FROM i IN p.inventory) AS locationCount FROM Here's the same subquery with a filter. -```sql +```nosql SELECT p.name, (SELECT VALUE COUNT(1) FROM i IN p.inventory WHERE ENDSWITH(i.location, "WA")) AS washingtonLocationCount FROM Here's another subquery with multiple aggregate function expressions: -```sql +```nosql SELECT p.name, (SELECT FROM Finally, here's a query with an aggregate subquery in both the projection and the filter: -```sql +```nosql SELECT p.name, (SELECT VALUE AVG(q.quantity) FROM q IN p.inventory WHERE q.quantity > 10) AS averageInventory WHERE A more optimal way to write this query is to join on the subquery and reference the subquery alias in both the SELECT and WHERE clauses. This query is more efficient because you need to execute the subquery only within the join statement, and not in both the projection and filter. -```sql +```nosql SELECT p.name, inventoryData.inventoryAverage Because the query engine doesn't differentiate between boolean expressions and a If the ``EXISTS`` subquery returns a single value that's ``undefined``, ``EXISTS`` evaluates to false. For example, consider the following query that returns nothing. -```sql +```nosql SELECT VALUE undefined ``` If you use the ``EXISTS`` expression and the preceding query as a subquery, the expression returns ``false``. -```sql +```nosql SELECT EXISTS (SELECT VALUE undefined) ``` SELECT If the VALUE keyword in the preceding subquery is omitted, the subquery evaluates to an array with a single empty object. -```sql +```nosql SELECT undefined ``` SELECT At that point, the ``EXISTS`` expression evaluates to ``true`` since the object (``{}``) technically exits. 
-```sql +```nosql SELECT EXISTS (SELECT undefined) ``` SELECT A common use case of ``ARRAY_CONTAINS`` is to filter an item by the existence of an item in an array. In this case, we're checking to see if the ``tags`` array contains an item named **"outerwear."** -```sql +```nosql SELECT p.name, p.tags WHERE The same query can use ``EXISTS`` as an alternative option. -```sql +```nosql SELECT p.name, p.tags Consider this example item in a set with multiple items each containing an ``acc Now, consider the following query that filters based on the ``type`` and ``quantityOnHand`` properties in the array within each item. -```sql +```nosql SELECT p.name, a.name AS accessoryName For each of the items in the collection, a cross-product is performed with its a Using ``EXISTS`` can help to avoid this expensive cross-product. In this next example, the query filters on array elements within the ``EXISTS`` subquery. If an array element matches the filter, then you project it and ``EXISTS`` evaluates to true. -```sql +```nosql SELECT VALUE p.name FROM WHERE Queries can also alias ``EXISTS`` and reference the alias in the projection: -```sql +```nosql SELECT p.name, EXISTS (SELECT VALUE For these examples, let's assume there's a container with at least this item. In this first example, the expression is used within the ``SELECT`` clause. -```sql +```nosql SELECT p.name, ARRAY (SELECT VALUE t.name FROM t in p.tags) AS tagNames FROM As with other subqueries, filters with the ``ARRAY`` expression are possible. -```sql +```nosql SELECT p.name, ARRAY (SELECT VALUE t.name FROM t in p.tags) AS tagNames, FROM Array expressions can also come after the ``FROM`` clause in subqueries. -```sql +```nosql SELECT p.name, n.t.name AS nonBikeTagName |
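Review bot: in the `EXISTS` discussion of this hunk, "since the object (`{}`) technically exits" should read "exists". That passage is the one readers most need to get right, because it explains why `SELECT VALUE undefined` makes `EXISTS` evaluate to `false` while `SELECT undefined` (without `VALUE`) produces an array holding one empty object and makes `EXISTS` evaluate to `true`; a filter written with the wrong form silently matches everything or nothing. Two smaller points in the same hunk: the `ARRAY` examples write `FROM t in p.tags` with a lowercase `in` while every other keyword on the page is uppercase, and the `UDF` paragraph says the rewritten query "runs the UDF only once" without showing where the `totalPrice` alias is bound, so the excerpt as shown does not support the claim.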
cosmos-db | Substring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/substring.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns part of a string expression starting at the specified position and of th ## Syntax -```sql +```nosql SUBSTRING(<string_expr>, <numeric_expr_1>, <numeric_expr_2>) ``` Returns a string expression. The following example returns substrings with various lengths and starting positions. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/substring/result.json"::: |
cosmos-db | Sum | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/sum.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the sum of the values in the expression. ## Syntax -```sql +```nosql SUM(<numeric_expr>) ``` For this example, consider a container with multiple items that may contain a `q The `SUM` function is used to sum the values of the `quantity` field, when it exists, into a single aggregated value. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/sum/result.json"::: |
cosmos-db | Tan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/tan.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns the trigonometric tangent of the specified angle in radians. ## Syntax -```sql +```nosql TAN(<numeric_expr>) ``` Returns a numeric expression. The following example calculates the cotangent of the specified angle using the function. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/tan/result.json"::: |
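Review bot: the example sentence in this hunk says "calculates the cotangent of the specified angle", but the page documents `TAN`, which the description line correctly calls the trigonometric tangent; change "cotangent" to "tangent".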
cosmos-db | Ternary Coalesce Operators | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/ternary-coalesce-operators.md | +ms.devlang: nosql Last updated : 02/27/2024 Consider these items in a container. They contain multiple metadata properties r This query evaluates the expression ``onSale``, which is equivalent to ``onSale = true``. The query then returns the price multiplied by ``0.85`` if ``true`` or the price unchanged if ``false``. -```sql +```nosql SELECT p.name, p.price AS subtotal, FROM You can also nest calls to the ``?`` operator. This example adds an extra calculation based on a second property (``taxFree``) -```sql +```nosql SELECT p.name, p.price AS subtotal, Use the ``??`` operator to efficiently check for a property in an item when quer For example, this query assumes that any item where the property ``collapsible`` isn't present, isn't collapsible. -```sql +```nosql SELECT p.name, p.collapsible ?? false AS isCollapsible |
cosmos-db | Tickstodatetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/tickstodatetime.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts the specified number of ticks to a date and time value. ## Syntax -```sql +```nosql TicksToDateTime(<numeric_expr>) ``` Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.f The following example converts the ticks to a date and time value. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/tickstodatetime/result.json"::: |
cosmos-db | Timestamptodatetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/timestamptodatetime.md | +ms.devlang: nosql Last updated : 02/27/2024 Converts the specified timestamp to a date and time value. ## Syntax -```sql +```nosql TimestampToDateTime(<numeric_expr>) ``` Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.f The following example converts the ticks to a date and time value. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/timestamptodatetime/result.json"::: |
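Review bot: the example sentence in this hunk, "The following example converts the ticks to a date and time value.", was carried over from the `TicksToDateTime` page; this page documents `TimestampToDateTime`, so it should say "converts the timestamp". It would also help to state the unit and epoch the numeric timestamp is interpreted in, because the syntax shows only `<numeric_expr>` and the two pages are otherwise worded identically, leaving the reader to guess which input each function expects.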
cosmos-db | Tostring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/tostring.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string representation of a value. ## Syntax -```sql +```nosql ToString(<expr>) ``` Returns a string expression. This example converts multiple scalar and object values to a string. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/tostring/result.json"::: |
cosmos-db | Trim | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/trim.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string expression after it removes leading and trailing whitespace or ## Syntax -```sql +```nosql TRIM(<string_expr_1> [, <string_expr_2>]) ``` Returns a string expression. This example illustrates various ways to trim a string expression. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/trim/result.json"::: |
cosmos-db | Trunc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/trunc.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a numeric value truncated to the closest integer value. ## Syntax -```sql +```nosql TRUNC(<numeric_expr>) ``` Returns a numeric expression. This example illustrates various ways to truncate a number to the closest integer. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/trunc/result.json"::: |
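Review bot: the description line in this hunk, "Returns a numeric value truncated to the closest integer value.", is indistinguishable from the `ROUND` page's "rounded to the closest integer value", yet the two functions differ precisely in how they treat the fractional part. Truncation discards the fraction and moves toward zero, so the sentence should say "truncated toward zero to an integer value" (or equivalent), and the example lead-in "truncate a number to the closest integer" should change to match.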
cosmos-db | Upper | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/upper.md | +ms.devlang: nosql Last updated : 02/27/2024 Returns a string expression after converting lowercase character data to upperca ## Syntax -```sql +```nosql UPPER(<string_expr>) ``` Returns a string expression. The following example shows how to use the function to modify various strings. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/upper/result.json"::: |
cosmos-db | Where | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/where.md | +ms.devlang: nosql Last updated : 02/27/2024 The optional ``WHERE`` clause (``WHERE <filter_condition>``) specifies condition ## Syntax -```sql +```nosql WHERE <filter_condition> <filter_condition> ::= <scalar_expression> ``` WHERE <filter_condition> This first example uses a simple equality query to return a subset of items. The ``=`` operator is used with the ``WHERE`` clause to create a filter based on simple equality. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/where/result.json"::: In this next example, a more complex filter is composed of [scalar expressions](scalar-expressions.md). :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/where-scalar/result.json"::: In this final example, a property reference to a boolean property is used as the filter. :::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/where-field/result.json"::: |
cosmos-db | Working With Dates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/working-with-dates.md | +ms.devlang: nosql Last updated : 02/27/2024 IQueryable<Order> orders = container The LINQ query is translated to the following SQL statement and executed on Azure Cosmos DB: -```sql +```nosql SELECT * FROM |
cosmos-db | Working With Json | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/query/working-with-json.md | +ms.devlang: nosql Last updated : 02/27/2024 In this case, the ``sku``, ``colors``, and ``sizes`` properties are all nested w This first example projects two nested properties. -```sql +```nosql SELECT p.name, p.metadata.sku, In addition to nested properties, JSON also supports arrays. When working with a This example accesses an array element at a specific position. -```sql +```nosql SELECT p.name, p.metadata.colors In most cases, however, you use a [subquery](subquery.md) or [self-join](join.md For example, here's a query that returns multiple permutations using the potential array values and a *cross-join*, -```sql +```nosql SELECT p.name, c AS color JOIN As another example, the query could also use [``EXISTS``](subquery.md#exists-expression) with a subquery. -```sql +```nosql SELECT VALUE p.name FROM Azure Cosmos DB for NoSQL supports two helpful type checking system functions fo Here's an example query that checks for two fields on each item in the container. -```sql +```nosql SELECT IS_NULL(p.releaseDate) AS isReleaseDateNull, IS_DEFINED(p.releaseDate) AS isReleaseDateDefined, You can access properties using the quoted property operator ``[]``. For example For example, here's a query that references a property a few distinct ways. -```sql +```nosql SELECT p.manufacturer.name AS dotNotationReference, p["manufacturer"]["name"] AS bracketReference, FROM Query projection supports JSON expressions and syntax. -```sql +```nosql SELECT { "productName": p.name, "largeSizeInFeet": p.metadata.sizes.large.feet In this example, the ``SELECT`` clause creates a JSON object. Since the sample p This example explicitly names the same field. -```sql +```nosql SELECT { "productName": p.name, "largeSizeInFeet": p.metadata.sizes.large.feet FROM Alternatively, the query can flatten the object to avoid naming a redundant field. 
-```sql +```nosql SELECT VALUE { "productName": p.name, "largeSizeInFeet": p.metadata.sizes.large.feet You can explicitly alias values in queries. If a query has two properties with t The ``AS`` keyword used for aliasing is optional, as shown in the following example. -```sql +```nosql SELECT p.name, p.metadata.sku AS modelNumber You can't use aliasing to project a value as a property name with a space, speci Here's an example: -```sql +```nosql SELECT VALUE { "Product's name | ": p.name, "Model number => ": p.metadata.sku |
cost-management-billing | Automation Ingest Usage Details Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/automation-ingest-usage-details-overview.md | Sample amortized cost report: >[!NOTE] > - Limitations on `PayGPrice`-> - For EA customers `PayGPrice` isn't populated when `PricingModel` = `Reservations`, `Marketplace`, or `SavingsPlan`. +> - For EA customers `PayGPrice` isn't populated when `PricingModel` = `Reservations` or `Marketplace`. > - For MCA customers, `PayGPrice` isn't populated when `PricingModel` = `Reservations` or `Marketplace`. >- Limitations on `UnitPrice` > - For EA customers, `UnitPrice` isn't populated when `PricingModel` = `MarketPlace`.-> - For MCA customers, `UnitPrice` isn't populated when `PricingModel` = `Reservations` or `SavingsPlan`. +> - For MCA customers, `UnitPrice` isn't populated when `PricingModel` = `Reservations`. ## Unexpected charges |
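Review bot: the two changed bullets in this hunk drop `SavingsPlan` from the list of `PricingModel` values for which `PayGPrice` (EA) and `UnitPrice` (MCA) aren't populated, but nothing states the converse, that these fields are now populated on savings plan rows; one explicit sentence would stop readers from reading the removal as an oversight and keep downstream ingestion code from special-casing a value that no longer needs it. Separately, the unchanged EA `UnitPrice` bullet spells the value `MarketPlace` while every other bullet in the note uses `Marketplace`; consumers of the export compare these as strings, so the casing should match the value actually emitted.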
cost-management-billing | Cost Allocation Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/cost-allocation-introduction.md | + + Title: Introduction to cost allocation ++description: This article introduces you to different Azure tools and features to enable you to allocate costs effectively and efficiently. ++ Last updated : 02/26/2024+++++++# Introduction to cost allocation ++Cost allocation, as defined by the [FinOps foundation](https://www.finops.org/), is the set of practices to divide up a consolidated invoice. Or, to bill the people responsible for its various component parts. It's the process of assigning costs to different groups within an organization based on their consumption of resources and application of benefits. By providing visibility into costs to groups who are responsible for it, cost allocation helps organizations track and optimize their spending, improve budgeting and forecasting, and increase accountability and transparency. ++This article introduces you to different Azure tools and features to enable you to allocate costs effectively and efficiently. ++- Azure resource hierarchy, including management groups, subscriptions, and resource groups +- Azure Billing hierarchy +- Tags +- Cost allocation rules ++Together, they can help to cover a considerable proportion of the expenses for the most complicated Azure infrastructure. They help organizations reach an elevated level of maturity as defined by the FinOps foundation at [Cost Allocation (Metadata & Hierarchy)](https://www.finops.org/framework/capabilities/cost-allocation/). ++## Azure Resource Hierarchy ++Here's a diagram of the Azure resource hierarchy with management groups. +++### Management Groups ++Management groups are logical containers that hold subscriptions and other management groups, forming a hierarchy that can be used to apply policies and access controls across multiple subscriptions. 
Management groups can also facilitate cost allocation by allowing organizations to group their subscriptions according to business units, departments, environments, or any other criteria that reflect their cost structure and reporting needs. For example, an organization can create a management group for each of its business divisions, and then assign budgets, tags, and cost alerts to each management group. This way, the organization can track and control the spending of each division and generate reports that show the breakdown of costs by management group. ++For more information on management groups, see the following articles: +- [Azure Management Groups](https://azure.microsoft.com/get-started/azure-portal/management-groups) +- [Organize your resources with management groups](../../governance/management-groups/overview.md) +- [Organize subscriptions into management groups and assign roles to users](/azure/defender-for-cloud/management-groups-roles) ++### Subscriptions ++Subscriptions are a way of grouping Azure resources that might or might not share a common billing relationship. They can also be used to implement access control, governance, and cost allocation policies. For example, you can create subscriptions for different departments, projects, or environments within your organization. This increased flexibility comes with more management overhead. ++You can view and manage your subscriptions in the Azure portal, PowerShell, CLI, or REST API. In the Azure portal, you can also use tools like Cost Management and Advisor to monitor and optimize your subscription costs. ++- [Best Practices - Subscriptions](/azure/cloud-adoption-framework/ready/azure-best-practices/initial-subscriptions) +- [Organize Subscriptions](/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions) ++### Resource Groups ++A resource group is a logical container that holds related resources for an Azure solution. 
You can use resource groups to organize your resources by category, project, environment, or any other criteria that make sense for your organization. For example, you can create a resource group for each department, application, or stage of the development lifecycle. ++Resource groups aren't only useful for managing your resources, but also for allocating costs. When you create a resource group, you can also specify a budget to control the costs. ++Like subscriptions, you can view and manage your resource groups in the Azure portal, PowerShell, CLI, or REST API. You can also use tools like Cost Management and Advisor to monitor and optimize your resource group spending. ++- [Manage Resource Groups](../../azure-resource-manager/management/manage-resource-groups-portal.md) ++## Azure billing hierarchies ++The Azure billing hierarchy differs between Enterprise Agreements (EA) Microsoft Customer Agreements (MCA). ++An EA consists of three levels for billing: ++- Billing account (enrollment) +- Department +- Enrollment account +++An MCA consists of three levels for billing: ++- Billing account +- Billing profile +- Invoice section +++The billing hierarchy enables organizations to ensure that the right organizational units are paying for the services. ++Knowing how Azure Billing and Resource hierarchies differ is essential for effective cost and resource management in the cloud. Azure Billing hierarchy reflects the organizational structure of the account owner, while Azure Resource hierarchy reflects the logical grouping of the resources used in Azure. The account owner can improve their cloud governance and cost management strategies by knowing the difference between Billing and Resource hierarchies. They can match the billing hierarchy with their organizational goals and preferences, and the resource hierarchy with their technical and operational needs. 
++For more information, watch the [Cost Management setup, organization, and tagging](https://www.youtube.com/watch?time_continue=319&v=n3TLRaYJ1NY&embeds_referring_euri=https%3A%2F%2Flearn.microsoft.com%2F) video. ++## Tags ++Tags are key-value pairs that you can apply to Azure resources to group and allocate costs based on business needs. They're a great way to augment the resources and usage data with business context. You can create [Azure policies](../../governance/policy/tutorials/create-and-manage.md) to ensure that all your resources are tagged in a certain way to comply with your tagging strategy. ++However, even with a comprehensive tagging mechanism in place, you might find that some usage records are missing tags because not all Azure resources emit tags in their usage. To ensure all usage records are tagged, enable tag inheritance in Cost Management to apply subscription and resource group tags to underlying child resources. You don't need to rely on resources emitting tags in their usage or tag every resource for your cost allocation needs. ++MCA customers can also use tag inheritance to apply billing profile and invoice section tags to their usage records for cost reporting. ++For more information about tag inheritance and billing tags, see [Apply billing tags](billing-tags.md) and [Group and allocate costs using tag inheritance](enable-tag-inheritance.md). ++## Cost allocation rules ++With cost allocation rules, you can split the costs of shared services by moving costs between subscriptions, resource groups, and tags. Splitting costs is especially useful in scenarios where you have central subscriptions hosting shared infrastructure services used by different teams within your organization. Creating the right cost allocation rules ensures that the teams consuming the shared services get visibility into their portion of the costs. And, they can also be accountable for those costs. 
++For more information about how to manage and allocate shared costs, see [Allocate Azure costs](allocate-costs.md). ++## Next steps ++To learn more about defining your tagging strategy, read the following articles: ++- [Define your tagging strategy](/azure/cloud-adoption-framework/ready/azure-best-practices/resource-tagging) +- [Develop your naming and tagging strategy for Azure resources](/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging) +- [Naming & Tracking Conventions Tagging Template](https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fraw.githubusercontent.com%2Fmicrosoft%2FCloudAdoptionFramework%2Fmaster%2Fready%2Fnaming-and-tagging-conventions-tracking-template.xlsx) +- [Resource naming and tagging decision guide](/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming-and-tagging-decision-guide) +- [Group and allocate costs using tag inheritance](enable-tag-inheritance.md) |
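Review bot: the sentence "The Azure billing hierarchy differs between Enterprise Agreements (EA) Microsoft Customer Agreements (MCA)." is missing its conjunction; write "between Enterprise Agreements (EA) and Microsoft Customer Agreements (MCA)". The opening definition also breaks into a fragment ("...divide up a consolidated invoice. Or, to bill the people responsible for its various component parts."); join it into one sentence. Since both the EA and MCA lists are introduced with "consists of three levels for billing", a single two-column table would make the parallel clearer than two separate bullet lists.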
data-factory | How To Send Notifications To Teams | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-send-notifications-to-teams.md | Before you can send notifications to Teams from your pipelines, you must create }, { "name": "Pipline Name:",- "value": "@{pipeline().parameters.name}" + "value": "@{pipeline().Pipeline}" }, { "name": "Pipeline Status:", |
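Review bot: the unchanged context line `"name": "Pipline Name:",` still misspells "Pipeline"; since the adjacent value is being corrected to `@{pipeline().Pipeline}`, fix the label in the same change.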
data-factory | Quickstart Create Data Factory Dot Net | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/quickstart-create-data-factory-dot-net.md | Next, create a C# .NET console application in Visual Studio: string region = "<the location of your resource group>"; string dataFactoryName = "<specify the name of data factory to create. It must be globally unique.>";- string storageAccount = "<your storage account name to copy data>"; + string storageAccountName = "<your storage account name to copy data>"; string storageKey = "<your storage account key>"; // specify the container and input folder from which all files // need to be copied to the output folder. You create linked services in a data factory to link your data stores and comput ```csharp // Create an Azure Storage linked service-CConsole.WriteLine("Create a linked service " + storageLinkedServiceName + "..."); +Console.WriteLine("Create a linked service " + storageLinkedServiceName + "..."); AzureBlobStorageLinkedService azureBlobStorage = new AzureBlobStorageLinkedService() { ConnectionString = azureBlobStorageConnectionString |
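Review bot: renaming the declaration `string storageAccount` to `string storageAccountName` needs the same rename at every later use in the article (for example where the blob storage connection string is assembled); the visible hunk shows only the declaration, so confirm the rest of the sample still compiles. The `CConsole` to `Console` correction is good.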
defender-for-cloud | Concept Easm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-easm.md | EASM collects data for publicly exposed assets (“outside-in”). Defender for ## Next steps - Learn about [cloud security explorer and attack paths](concept-attack-path.md) in Defender for Cloud.-- Learn about [Defender EASM](../external-attack-surface-management/index.md).+- Learn about [Defender EASM](../external-attack-surface-management/overview.md). - Learn how to [deploy Defender for EASM](../external-attack-surface-management/deploying-the-defender-easm-azure-resource.md). |
defender-for-cloud | Defender For Apis Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-deploy.md | Defender for APIs in Microsoft Defender for Cloud offers full lifecycle protecti Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats. -Learn more about the [Microsoft Defender for APIs](defender-for-apis-introduction.md) plan in the Microsoft Defender for Cloud. +Learn more about [Defender for APIs](defender-for-apis-introduction.md). ## Prerequisites |
defender-for-cloud | Upcoming Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md | If you're looking for the latest release notes, you can find them in the [What's | Planned change | Announcement date | Estimated date for change | |--|--|--|+| [Microsoft Security Code Analysis (MSCA) is no longer operational](#microsoft-security-code-analysis-msca-is-no-longer-operational) | February 26, 2024 | February 26, 2024 | | [Update recommendations to align with Azure AI Services resources](#update-recommendations-to-align-with-azure-ai-services-resources) | February 20, 2024 | February 28, 2024 | | [Deprecation of data recommendation](#deprecation-of-data-recommendation) | February 12, 2024 | March 14, 2024 | | [Decommissioning of Microsoft.SecurityDevOps resource provider](#decommissioning-of-microsoftsecuritydevops-resource-provider) | February 5, 2024 | March 6, 2024 | If you're looking for the latest release notes, you can find them in the [What's | [Deprecating two security incidents](#deprecating-two-security-incidents) | | November 2023 | | [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) | | August 2024 | +## Microsoft Security Code Analysis (MSCA) is no longer operational ++**Announcement date: February 26, 2024** ++**Estimated date for change: February 26, 2024** ++In February 2021, the deprecation of the MSCA task was communicated to all customers and has been past end of life support since [March 2022](https://devblogs.microsoft.com/premier-developer/microsoft-security-code-analysis/). As of February 26, 2024, MSCA is officially no longer operational. 
++Customers can get the latest DevOps security tooling from Defender for Cloud through [Microsoft Security DevOps](azure-devops-extension.md) and additional security tooling through [GitHub Advanced Security for Azure DevOps](https://azure.microsoft.com/products/devops/github-advanced-security). ++ ## Update recommendations to align with Azure AI Services resources **Announcement date: February 20, 2024** |
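Review bot: in the added paragraph, "the deprecation of the MSCA task was communicated to all customers and has been past end of life support since March 2022" makes "the deprecation" the grammatical subject of "has been past end of life support"; rephrase so the MSCA task itself is what has been out of support since March 2022. The new table row also carries the same announcement and change date (February 26, 2024); if the change is already in effect, the heading should say so rather than present an estimated date.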
dev-box | Concept Dev Box Network Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/concept-dev-box-network-requirements.md | + + Title: Microsoft Dev Box Networking Requirements +description: Learn about the networking requirements for deploying dev boxes, connecting to cloud-based resources, on-premises resources, and internet resources. +++++ Last updated : 02/16/2023++#Customer intent: As a platform engineer, I want to understand Dev Box networking requirements so that developers can access the resources they need. +++# Microsoft Dev Box networking requirements ++Microsoft Dev Box is a service that lets users connect to a cloud-based workstation running in Azure through the internet, from any device anywhere. To support these internet connections, you must follow the networking requirements listed in this article. You should work with your organization’s networking team and security team to plan and implement network access for dev boxes. +Microsoft Dev box is closely related to the Windows 365 and Azure Virtual Desktop services, and in many cases network requirements are the same. ++## General network requirements +Dev boxes require a network connection to access resources. You can choose between a Microsoft-hosted network connection, and an Azure network connection that you create in your own subscription. Choosing a method for allowing access to your network resources depends on where your resources are based. ++When using a Microsoft-hosted connection: +- Microsoft provides and fully manages the infrastructure. +- You can manage dev box security from Microsoft Intune. ++To use your own network and provision [Microsoft Entra joined](/azure/dev-box/how-to-configure-network-connections?branch=main&tabs=AzureADJoin#review-types-of-active-directory-join) dev boxes, you must meet the following requirements: +- Azure virtual network: You must have a virtual network in your Azure subscription. 
The region you select for the virtual network is where Azure deploys the dev boxes. +- A subnet within the virtual network and available IP address space. +- Network bandwidth: See [Azure’s Network guidelines](/windows-server/remote/remote-desktop-services/network-guidance). ++To use your own network and provision [Microsoft Entra hybrid joined](/azure/dev-box/how-to-configure-network-connections?branch=main&tabs=AzureADJoin#review-types-of-active-directory-join) dev boxes, you must meet the above requirements, and the following requirements: +- The Azure virtual network must be able to resolve Domain name Services (DNS) entries for your Active Directory Domain Services (AD DS) environment. To support this resolution, define your AD DS DNS servers as the DNS servers for the virtual network. +- The Azure virtual network must have network access to an enterprise domain controller, either in Azure or on-premises. ++When connecting to resources on-premises through Microsoft Entra hybrid joins, work with your Azure network topology expert. Best practice is to implement a [hub-and-spoke network topology](/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology). The hub is the central point that connects to your on-premises network; you can use an Express Route, a site-to-site VPN, or a point-to-site VPN. The spoke is the virtual network that contains the dev boxes. You peer the dev box virtual network to the on-premises connected virtual network to provide access to on-premises resources. Hub and spoke topology can help you manage network traffic and security. ++## Allow network connectivity ++In your network configuration, you must allow traffic to the following service URLs and ports to support provisioning, management, and remote connectivity of dev boxes. 
++### Required FQDNs and endpoints for Microsoft Dev Box ++To set up dev boxes and allow your users to connect to resources, you must allow traffic for specific fully qualified domain names (FQDNs) and endpoints. These FQDNs and endpoints could be blocked if you're using a firewall, such as [Azure Firewall](/azure/firewall/protect-azure-virtual-desktop), or proxy service. ++You can check that your dev boxes can connect to these FQDNs and endpoints by following the steps to run the Azure Virtual Desktop Agent URL Tool in [Check access to required FQDNs and endpoints for Azure Virtual Desktop](/azure/virtual-desktop/check-access-validate-required-fqdn-endpoint). The Azure Virtual Desktop Agent URL Tool validates each FQDN and endpoint and shows whether your dev boxes can access them. ++> [!IMPORTANT] +> Microsoft doesn't support dev box deployments where the FQDNs and endpoints listed in this article are blocked. ++Although most of the configuration is for the cloud-based dev box network, end user connectivity occurs from a physical device. Therefore, you must also follow the connectivity guidelines on the physical device network. 
++|Device or service |Network connectivity required URLs and ports |Description | +|||| +|Physical device |[Link](/azure/virtual-desktop/safe-url-list?tabs=azure#remote-desktop-clients) |Remote Desktop client connectivity and updates.| +|Microsoft Intune service |[Link](/mem/intune/fundamentals/intune-endpoints) |Intune cloud services like device management, application delivery, and endpoint analytics.| +|Azure Virtual Desktop session host virtual machine |[Link](/azure/virtual-desktop/safe-url-list?tabs=azure#session-host-virtual-machines) |Remote connectivity between dev boxes and the backend Azure Virtual Desktop service.| +|Windows 365 service |[Link](/windows-365/enterprise/requirements-network?tabs=enterprise%2Cent#windows-365-service) |Provisioning and health checks.| ++## Required endpoints ++The following URLs and ports are required for the provisioning of dev boxes and the Azure Network Connection (ANC) health checks. All endpoints connect over port 443 unless otherwise specified. 
++# [Windows 365 service endpoints](#tab/W365) +- *.infra.windows365.microsoft.com +- cpcsaamssa1prodprap01.blob.core.windows.net +- cpcsaamssa1prodprau01.blob.core.windows.net +- cpcsaamssa1prodpreu01.blob.core.windows.net +- cpcsaamssa1prodpreu02.blob.core.windows.net +- cpcsaamssa1prodprna01.blob.core.windows.net +- cpcsaamssa1prodprna02.blob.core.windows.net +- cpcstcnryprodprap01.blob.core.windows.net +- cpcstcnryprodprau01.blob.core.windows.net +- cpcstcnryprodpreu01.blob.core.windows.net +- cpcstcnryprodpreu02.blob.core.windows.net +- cpcstcnryprodprna01.blob.core.windows.net +- cpcstcnryprodprna02.blob.core.windows.net +- cpcstprovprodpreu01.blob.core.windows.net +- cpcstprovprodpreu02.blob.core.windows.net +- cpcstprovprodprna01.blob.core.windows.net +- cpcstprovprodprna02.blob.core.windows.net +- cpcstprovprodprap01.blob.core.windows.net +- cpcstprovprodprau01.blob.core.windows.net +- prna01.prod.cpcgateway.trafficmanager.net +- prna02.prod.cpcgateway.trafficmanager.net +- preu01.prod.cpcgateway.trafficmanager.net +- preu02.prod.cpcgateway.trafficmanager.net +- prap01.prod.cpcgateway.trafficmanager.net +- prau01.prod.cpcgateway.trafficmanager.net ++# [Dev box communication endpoints](#tab/DevBox) +- endpointdiscovery.cmdagent.trafficmanager.net +- registration.prna01.cmdagent.trafficmanager.net +- registration.preu01.cmdagent.trafficmanager.net +- registration.prap01.cmdagent.trafficmanager.net +- registration.prau01.cmdagent.trafficmanager.net +- registration.prna02.cmdagent.trafficmanager.net ++# [Registration endpoints](#tab/Registration) +- login.microsoftonline.com +- login.live.com +- enterpriseregistration.windows.net +- global.azure-devices-provisioning.net (443 & 5671 outbound) +- hm-iot-in-prod-prap01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-prod-prau01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-prod-preu01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-prod-prna01.azure-devices.net (443 & 5671 outbound) +- 
hm-iot-in-prod-prna02.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-2-prod-preu01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-2-prod-prna01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-3-prod-preu01.azure-devices.net (443 & 5671 outbound) +- hm-iot-in-3-prod-prna01.azure-devices.net (443 & 5671 outbound) ++++## Use FQDN tags and service tags for endpoints through Azure Firewall ++Managing network security controls for dev boxes can be complex. To simplify configuration, use fully qualified domain name (FQDN) tags and service tags to allow network traffic. ++- **FQDN tags** ++ An [FQDN tag](/azure/firewall/fqdn-tags) is a predefined tag in Azure Firewall that represents a group of fully qualified domain names. By using FQDN tags, you can easily create and maintain egress rules for specific services like Windows 365 without manually specifying each domain name. ++ Non-Microsoft firewalls don't usually support FQDN tags or service tags. There might be a different term for the same functionality; check your firewall documentation. ++- **Service tags** ++ A [service tag](/azure/virtual-network/service-tags-overview) represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both [Network Security Group (NSG)](/azure/virtual-network/network-security-groups-overview) and [Azure Firewall](/azure/firewall/service-tags) rules to restrict outbound network access, and in [User Defined Route (UDR)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) to customize traffic routing behavior. ++The listed FQDNs and endpoints and tags only correspond to Azure Virtual Desktop sites and resources. They don't include FQDNs and endpoints for other services such as Microsoft Entra ID. 
For service tags for other services, see [Available service tags](/azure/virtual-network/service-tags-overview#available-service-tags). ++Azure Virtual Desktop doesn't have a list of IP address ranges that you can unblock instead of FQDNs to allow network traffic. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list made for Azure IP addresses to make sure you can connect. ++For more information, see [Use Azure Firewall to manage and secure Windows 365 environments](/windows-365/enterprise/azure-firewall-windows-365). ++The following table is the list of FQDNs and endpoints your dev boxes need to access. All entries are outbound; you don't need to open inbound ports for dev boxes. ++|Address |Protocol |Outbound port |Purpose |Service tag| +|||||| +|login.microsoftonline.com |TCP |443 |Authentication to Microsoft Online Services | +|*.wvd.microsoft.com |TCP |443 |Service traffic |WindowsVirtualDesktop | +|*.prod.warm.ingest.monitor.core.windows.net |TCP |443 |Agent traffic [Diagnostic output](/azure/virtual-desktop/diagnostics-log-analytics) |AzureMonitor | +|catalogartifact.azureedge.net |TCP |443 |Azure Marketplace |AzureFrontDoor.Frontend| +|gcs.prod.monitoring.core.windows.net |TCP |443 |Agent traffic |AzureCloud| +|kms.core.windows.net |TCP |1688 |Windows activation |Internet| +|azkms.core.windows.net |TCP |1688 |Windows activation |Internet| +|mrsglobalsteus2prod.blob.core.windows.net |TCP |443 |Agent and side-by-side (SXS) stack updates |AzureCloud| +|wvdportalstorageblob.blob.core.windows.net |TCP |443 |Azure portal support |AzureCloud| +|169.254.169.254 |TCP |80 |[Azure Instance Metadata service endpoint](/azure/virtual-machines/windows/instance-metadata-service)|N/A| +|168.63.129.16 |TCP |80 |[Session host health monitoring](/azure/virtual-network/network-security-groups-overview#azure-platform-considerations)|N/A| +|oneocsp.microsoft.com |TCP |80 |Certificates |N/A| +|www.microsoft.com |TCP |80 |Certificates |N/A| ++The 
following table lists optional FQDNs and endpoints that your session host virtual machines might also need to access for other ++|Address |Protocol |Outbound port |Purpose| +||||| +|login.windows.net |TCP |443 |Sign in to Microsoft Online Services and Microsoft 365| +|*.events.data.microsoft.com |TCP |443 |Telemetry Service| +|www.msftconnecttest.com |TCP |80 |Detects if the session host is connected to the internet| +|*.prod.do.dsp.mp.microsoft.com |TCP |443 |Windows Update| +|*.sfx.ms |TCP |443 |Updates for OneDrive client software| +|*.digicert.com |TCP |80 |Certificate revocation check| +|*.azure-dns.com |TCP |443 |Azure DNS resolution| +|*.azure-dns.net |TCP |443 |Azure DNS resolution| ++This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers, or time services. Microsoft Entra FQDNs and endpoints can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). ++> [!TIP] +> You must use the wildcard character (*) for FQDNs involving service traffic. For agent traffic, if you prefer not to use a wildcard, here's how to find specific FQDNs to allow: +> 1. Ensure your session host virtual machines are registered to a host pool. +> 2. On a session host, open **Event viewer**, then go to **Windows logs** > **Application** > **WVD-Agent** and look for event ID **3701**. +> 3. Unblock the FQDNs that you find under event ID 3701. The FQDNs under event ID 3701 are region-specific. You'll need to repeat this process with the relevant FQDNs for each Azure region you want to deploy your session host virtual machines in. ++## Remote Desktop Protocol (RDP) broker service endpoints ++Direct connectivity to Azure Virtual Desktop RDP broker service endpoints is critical for remote performance to a dev box. These endpoints affect both connectivity and latency. 
To align with the Microsoft 365 network connectivity principles, you should categorize these endpoints as *Optimize* endpoints, and use a [Remote Desktop Protocol (RDP) Shortpath](/windows-365/enterprise/rdp-shortpath-public-networks) from your Azure virtual network to those endpoints. RDP Shortpath can provide another connection path for improved dev box connectivity, especially in suboptimal network conditions. ++To make it easier to configure network security controls, use Azure Virtual Desktop service tags to identity those endpoints for direct routing using an Azure Networking User Defined Route (UDR). A UDR results in direct routing between your virtual network and the RDP broker for lowest latency. For more information about Azure Service Tags, see Azure service tags overview. +Changing the network routes of a dev box (at the network layer or at the dev box layer like VPN) might break the connection between the dev box and the Azure Virtual Desktop RDP broker. If so, the end user is disconnected from their dev box until a connection is re-established. ++## DNS requirements ++As part of the Microsoft Entra hybrid join requirements, your dev boxes must be able to join on-premises Active Directory. Dev boxes must be able to resolve DNS records for your on-premises AD environment to join. ++Configure your Azure Virtual Network where the dev boxes are provisioned as follows: +1. Make sure that your Azure Virtual Network has network connectivity to DNS servers that can resolve your Active Directory domain. +2. From the Azure Virtual Network's Settings, select **DNS Servers** > **Custom**. +3. Enter the IP address of DNS servers that environment that can resolve your AD DS domain. ++> [!TIP] +> Adding at least two DNS servers, as you would with a physical PC, helps mitigate the risk of a single point of failure in name resolution. 
+For more information, see configuring [Azure Virtual Networks settings](/azure/virtual-network/manage-virtual-network#change-dns-servers). +++## Connecting to on-premises resources ++You can allow dev boxes to connect to on-premises resources through a hybrid connection. Work with your Azure network expert to implement a [hub and spoke networking topology](/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology). The hub is the central point that connects to your on-premises network; you can use an Express Route, a site-to-site VPN, or a point-to-site VPN. The spoke is the virtual network that contains the dev boxes. Hub and spoke topology can help you manage network traffic and security. You peer the dev box virtual network to the on-premises connected virtual network to provide access to on-premises resources. ++## Traffic interception technologies ++Some enterprise customers use traffic interception, SSL decryption, deep packet inspection, and other similar technologies for security teams to monitor network traffic. Dev box provisioning might need direct access to the virtual machine. These traffic interception technologies can cause issues with running Azure network connection checks or dev box provisioning. Make sure no network interception is enforced for dev boxes provisioned within Microsoft Dev Box. ++Traffic interception technologies can exacerbate latency issues. You can use a [Remote Desktop Protocol (RDP) Shortpath](/windows-365/enterprise/rdp-shortpath-public-networks) to help minimize latency issues. ++## End user devices ++Any device on which you use one of the Remote Desktop clients to connect to Azure Virtual Desktop must have access to the following FQDNs and endpoints. Allowing these FQDNs and endpoints is essential for a reliable client experience. Blocking access to these FQDNs and endpoints is unsupported and affects service functionality. 
++|Address |Protocol |Outbound port |Purpose |Clients | +|||||| +|login.microsoftonline.com |TCP |443 |Authentication to Microsoft Online Services |All | +|*.wvd.microsoft.com |TCP |443 |Service traffic |All | +|*.servicebus.windows.net |TCP |443 |Troubleshooting data |All | +|go.microsoft.com |TCP |443 |Microsoft FWLinks |All | +|aka.ms |TCP |443 |Microsoft URL shortener |All | +|learn.microsoft.com |TCP |443 |Documentation |All | +|privacy.microsoft.com |TCP |443 |Privacy statement |All | +|query.prod.cms.rt.microsoft.com |TCP |443 |Download an MSI to update the client. Required for automatic updates. |Windows Desktop | ++These FQDNs and endpoints only correspond to client sites and resources. This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID or Office 365. Microsoft Entra FQDNs and endpoints can be found under ID 56, 59 and 125 in Office 365 URLs and IP address ranges. ++## Troubleshooting ++### Logon issues ++- **Logon attempt failed** ++ If the dev box user encounters logon problems and sees an error message indicating that the logon attempt failed, ensure you enabled the PKU2U protocol on both the local PC and the session host. ++ For more information about troubleshooting logon errors, see [Troubleshoot connections to Microsoft Entra joined VMs - Windows Desktop client](/azure/virtual-desktop/troubleshoot-azure-ad-connections#the-logon-attempt-failed). ++- **Group policy issues in hybrid environments** ++ If you're using a hybrid environment, you might encounter group policy issues. You can test whether the issue is related to group policy by temporarily excluding the dev box from the group policy. ++ For more information about troubleshooting group policy issues, see [Applying Group Policy troubleshooting guidance](/troubleshoot/windows-server/group-policy/applying-group-policy-troubleshooting-guidance). 
+++### IPv6 addressing issues ++If you're experiencing IPv6 issues, check that the *Microsoft.AzureActiveDirectory* service endpoint is not enabled on the virtual network or subnet. This service endpoint converts the IPv4 to IPv6. ++For more information, see [Virtual Network service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview). +++## Related content ++- [Check access to required FQDNs and endpoints for Azure Virtual Desktop](/azure/virtual-desktop/check-access-validate-required-fqdn-endpoint). +- Learn how to unblock these FQDNs and endpoints in Azure Firewall, see [Use Azure Firewall to protect Azure Virtual Desktop](/azure/firewall/protect-azure-virtual-desktop). +- For more information about network connectivity, see [Understanding Azure Virtual Desktop network connectivity](/azure/virtual-desktop/network-connectivity). |
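Review bot: several added sentences need fixes before merge: "Enter the IP address of DNS servers that environment that can resolve your AD DS domain" has a stray "that environment"; "use Azure Virtual Desktop service tags to identity those endpoints" should read "identify"; and "The following table lists optional FQDNs and endpoints that your session host virtual machines might also need to access for other" stops mid-sentence before the table. The front matter gives "Last updated : 02/16/2023" for an article added in this batch alongside entries dated February 2024; confirm the year. The "Required endpoints" intro says all endpoints use port 443 unless otherwise specified, which is consistent with the "(443 & 5671 outbound)" annotations, so that part reads correctly.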
event-grid | Event Domains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-domains.md | Event domains also allow for domain-scope subscriptions. An event subscription o When you create an event domain, you're given a publishing endpoint similar to if you had created a topic in Event Grid. To publish events to any topic in an event domain, push the events to the domain's endpoint the [same way you would for a custom topic](./post-to-custom-topic.md). The only difference is that you must specify the topic you'd like the event to be delivered to. For example, publishing the following array of events would send event with `"id": "1111"` to topic `foo` while the event with `"id": "2222"` would be sent to topic `bar`. -# [Event Grid event schema](#tab/event-grid-event-schema) -When using the **Event Grid event schema**, specify the name of the Event Grid topic in the domain as a value for the `topic` property. In the following example, `topic` property is set to `foo` for the first event and to `bar` for the second event. +# [Cloud event schema](#tab/cloud-event-schema) ++When using the **cloud event schema**, specify the name of the Event Grid topic in the domain as a value for the `source` property. In the following example, `source` property is set to `foo` for the first event and to `bar` for the second event. ++If you want to use a different field to specify the intended topic in the domain, specify input schema mapping when creating the domain. For example, if you're using the REST API, use the [properties.inputSchemaMapping](/rest/api/eventgrid/controlplane-preview/domains/create-or-update#jsoninputschemamapping) property when to map that field to `properties.topic`. If you're using the .NET SDK, use [`EventGridJsonInputSchemaMapping`](/dotnet/api/azure.resourcemanager.eventgrid.models.eventgridjsoninputschemamapping). Other SDKs also support the schema mapping. 
```json [{- "topic": "foo", + "source": "foo", "id": "1111",- "eventType": "maintenanceRequested", + "type": "maintenanceRequested", "subject": "myapp/vehicles/diggers",- "eventTime": "2018-10-30T21:03:07+00:00", + "time": "2018-10-30T21:03:07+00:00", "data": { "make": "Contoso", "model": "Small Digger" },- "dataVersion": "1.0" + "specversion": "1.0" }, {- "topic": "bar", + "source": "bar", "id": "2222",- "eventType": "maintenanceCompleted", + "type": "maintenanceCompleted", "subject": "myapp/vehicles/tractors",- "eventTime": "2018-10-30T21:04:12+00:00", + "time": "2018-10-30T21:04:12+00:00", "data": { "make": "Contoso", "model": "Big Tractor" },- "dataVersion": "1.0" + "specversion": "1.0" }] ```-# [Cloud event schema](#tab/cloud-event-schema) --When using the **cloud event schema**, specify the name of the Event Grid topic in the domain as a value for the `source` property. In the following example, `source` property is set to `foo` for the first event and to `bar` for the second event. -If you want to use a different field to specify the intended topic in the domain, specify input schema mapping when creating the domain. For example, if you're using the REST API, use the [properties.inputSchemaMapping](/rest/api/eventgrid/controlplane-preview/domains/create-or-update#jsoninputschemamapping) property when to map that field to `properties.topic`. If you're using the .NET SDK, use [`EventGridJsonInputSchemaMapping`](/dotnet/api/azure.resourcemanager.eventgrid.models.eventgridjsoninputschemamapping). Other SDKs also support the schema mapping. +# [Event Grid event schema](#tab/event-grid-event-schema) +When using the **Event Grid event schema**, specify the name of the Event Grid topic in the domain as a value for the `topic` property. In the following example, `topic` property is set to `foo` for the first event and to `bar` for the second event. 
```json [{- "source": "foo", + "topic": "foo", "id": "1111",- "type": "maintenanceRequested", + "eventType": "maintenanceRequested", "subject": "myapp/vehicles/diggers",- "time": "2018-10-30T21:03:07+00:00", + "eventTime": "2018-10-30T21:03:07+00:00", "data": { "make": "Contoso", "model": "Small Digger" },- "specversion": "1.0" + "dataVersion": "1.0" }, {- "source": "bar", + "topic": "bar", "id": "2222",- "type": "maintenanceCompleted", + "eventType": "maintenanceCompleted", "subject": "myapp/vehicles/tractors",- "time": "2018-10-30T21:04:12+00:00", + "eventTime": "2018-10-30T21:04:12+00:00", "data": { "make": "Contoso", "model": "Big Tractor" },- "specversion": "1.0" + "dataVersion": "1.0" }] ``` |
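Review bot: the moved paragraph `+... use the [properties.inputSchemaMapping](...) property when to map that field to `properties.topic`` has a stray "when"; suggest "use the ... property to map that field to `properties.topic`". In both tab introductions, "In the following example, `source` property is set to `foo`" (and its `topic` twin) reads better as "the `source` property is set to `foo`".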
event-grid | Event Schema Aks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-aks.md | AKS emits the following event types | Microsoft.ContainerService.NodePoolRollingSucceeded| Triggered when NodepoolRolling succeeded as a result of upgrade or an update | ## Properties common to all events -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each event. Each event has the following top-level data: | Property | Type | Description | |--|--||-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. 
| +# [Event Grid event schema](#tab/event-grid-event-schema) When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each event. Each event has the following top-level data: | Property | Type | Description | |--|--||-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. 
| ++ This section contains an example of what that data would look like for each even ### NewKubernetesVersionAvailable -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ```json+ {- "topic": "/subscriptions/<id>/resourceGroups<rg>/providers/Microsoft.ContainerService/managedClusters/<cluster>", + "source": "/subscriptions/<id>/resourceGroups<rg>/providers/Microsoft.ContainerService/managedClusters/<cluster>", "subject": "<cluster>",- "eventType": "Microsoft.ContainerService.NewKubernetesVersionAvailable", + "type": "Microsoft.ContainerService.NewKubernetesVersionAvailable", "id": "1234567890abcdef1234567890abcdef12345678", "data": { "latestSupportedKubernetesVersion": "1.20.7", This section contains an example of what that data would look like for each even "lowestMinorKubernetesVersion": "1.18.19", "latestPreviewKubernetesVersion": "1.21.1" },- "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2021-07-01T04:52:57.0000000Z" + "specversion": "1.0", + "time": "2021-07-01T04:52:57.0000000Z" } ```-# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json- {- "source": "/subscriptions/<id>/resourceGroups<rg>/providers/Microsoft.ContainerService/managedClusters/<cluster>", + "topic": "/subscriptions/<id>/resourceGroups<rg>/providers/Microsoft.ContainerService/managedClusters/<cluster>", "subject": "<cluster>",- "type": "Microsoft.ContainerService.NewKubernetesVersionAvailable", + "eventType": "Microsoft.ContainerService.NewKubernetesVersionAvailable", "id": "1234567890abcdef1234567890abcdef12345678", "data": { "latestSupportedKubernetesVersion": "1.20.7", This section contains an example of what that data would look like for each even "lowestMinorKubernetesVersion": "1.18.19", "latestPreviewKubernetesVersion": "1.21.1" },- "specversion": "1.0", - "time": "2021-07-01T04:52:57.0000000Z" + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": 
"2021-07-01T04:52:57.0000000Z" } ``` |
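Review bot: the `+ "source": "/subscriptions/<id>/resourceGroups<rg>/providers/..."` value, and its `+ "topic": ...` counterpart in the Event Grid tab, are missing the `/` between `resourceGroups` and `<rg>`; the removed `-` lines had the same defect, but since this hunk rewrites those lines it is the place to correct the path. Separately, the context row `| `data` | object | Blob storage event data. |` describes AKS events as Blob storage data; it should read "AKS event data."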
event-grid | Event Schema Api Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-api-management.md | API Management emits the following event types: ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) -The following example shows the schema of a product created event. The schema of other API Management resource created events is similar. --```json -[{ - "id": "92c502f2-a966-42a7-a428-d3b319844544", - "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}", - "subject": "/products/myproduct", - "data": { - "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/products/myproduct" - }, - "eventType": "Microsoft.ApiManagement.ProductCreated", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2021-07-02T00:47:47.8536532Z" -}] -``` # [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of a product created event. The schema of "specversion":"1.0" }] ```- # [Event Grid event schema](#tab/event-grid-event-schema)-The following example shows the schema of a user deleted event. The schema of other API Management resource deleted events is similar. +The following example shows the schema of a product created event. The schema of other API Management resource created events is similar. 
```json [{ "id": "92c502f2-a966-42a7-a428-d3b319844544", "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",- "subject": "/users/apimuser-contoso-com", + "subject": "/products/myproduct", "data": {- "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/users/apimuser-contoso-com" + "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/products/myproduct" },- "eventType": "Microsoft.ApiManagement.UserDeleted", + "eventType": "Microsoft.ApiManagement.ProductCreated", "dataVersion": "1", "metadataVersion": "1", "eventTime": "2021-07-02T00:47:47.8536532Z" }] ``` +++ # [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of a user deleted event. The schema of other API Management resource deleted events is similar. The following example shows the schema of a user deleted event. The schema of ot "specversion":"1.0" }] ```- # [Event Grid event schema](#tab/event-grid-event-schema)+The following example shows the schema of a user deleted event. The schema of other API Management resource deleted events is similar. -The following example shows the schema of an API updated event. The schema of other API Management resource updated events is similar. 
```json [{- "id": "95015754-aa51-4eb6-98d9-9ee322b82ad7", + "id": "92c502f2-a966-42a7-a428-d3b319844544", "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}",- "subject": "/apis/myapi;Rev=1", + "subject": "/users/apimuser-contoso-com", "data": {- "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/apis/myapi;Rev=1" + "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/users/apimuser-contoso-com" },- "eventType": "Microsoft.ApiManagement.APIUpdated", + "eventType": "Microsoft.ApiManagement.UserDeleted", "dataVersion": "1", "metadataVersion": "1",- "eventTime": "2021-07-12T23:13:44.9048323Z" + "eventTime": "2021-07-02T00:47:47.8536532Z" }] ``` ++ # [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of an API updated event. The schema of other API Management resource updated events is similar. The following example shows the schema of an API updated event. The schema of ot "specversion":1.0 }] ```++# [Event Grid event schema](#tab/event-grid-event-schema) ++The following example shows the schema of an API updated event. The schema of other API Management resource updated events is similar. 
+```json +[{ + "id": "95015754-aa51-4eb6-98d9-9ee322b82ad7", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}", + "subject": "/apis/myapi;Rev=1", + "data": { + "resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.ApiManagement/service/{your-APIM-instance}/apis/myapi;Rev=1" + }, + "eventType": "Microsoft.ApiManagement.APIUpdated", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2021-07-12T23:13:44.9048323Z" +}] +``` + ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | API Management event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. 
| -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | API Management event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | |
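Review bot: the API updated cloud-event example still carries `"specversion":1.0` as an unquoted number (context line just before the added Event Grid tab), while the product created and user deleted examples use `"specversion":"1.0"` and the property table added in this hunk lists `specversion` as a string; suggest `"specversion":"1.0"` so the sample parses as the documented type. The tab reordering itself looks consistent across all three examples.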
event-grid | Event Schema App Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-app-service.md | Azure App Service emits the following event types ## Properties common to all events -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each event. Each event has the following top-level data: | Property | Type | Description | |--|--||-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. | +# [Event Grid event schema](#tab/event-grid-event-schema) When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. 
This section contains an example of what that data would look like for each event. Each event has the following top-level data: | Property | Type | Description | |--|--||-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. 
| + This section contains an example of what that data would look like for each even ### BackupOperationStarted, BackupOperationCompleted, BackupOperationFailed -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "eventType": "Microsoft.Web.BackupOperationStarted", - "eventTime": "2020-01-28T18:26:51.7194887Z", + "type": "Microsoft.Web.BackupOperationStarted", + "time": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": { "action": "Started" This section contains an example of what that data would look like for each even "address": "None", "verb": "None" },- "dataVersion": "1", - "metaDataVersion": "1" + "specversion": "1.0" } ```-# [Cloud event schema](#tab/cloud-event-schema) ++# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "type": "Microsoft.Web.BackupOperationStarted", - "time": "2020-01-28T18:26:51.7194887Z", + "eventType": "Microsoft.Web.BackupOperationStarted", + "eventTime": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": { "action": "Started" This section contains an example of what that data would look like for each even "address": "None", "verb": "None" },- "specversion": "1.0" + "dataVersion": "1", + "metaDataVersion": "1" } ``` The data object contains the following properties: ### RestoreOperationStarted, RestoreOperationCompleted, RestoreOperationFailed -# [Event Grid event 
schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "eventType": "Microsoft.Web.RestoreOperationStarted", - "eventTime": "2020-01-28T18:26:51.7194887Z", + "type": "Microsoft.Web.RestoreOperationStarted", + "time": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": { "action": "Started" The data object contains the following properties: "address": "None", "verb": "POST" },- "dataVersion": "1", - "metaDataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "type": "Microsoft.Web.RestoreOperationStarted", - "time": "2020-01-28T18:26:51.7194887Z", + "eventType": "Microsoft.Web.RestoreOperationStarted", + "eventTime": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": { "action": "Started" The data object contains the following properties: "address": "None", "verb": "POST" },- "specversion": "1.0" + "dataVersion": "1", + "metaDataVersion": "1" } ``` The data object contains the following properties: ### SlotSwapStarted, SlotSwapCompleted, SlotSwapFailed -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "source": 
"/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "eventType": "Microsoft.Web.SlotSwapStarted", - "eventTime": "2020-01-28T18:26:51.7194887Z", + "type": "Microsoft.Web.SlotSwapStarted", + "time": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": null, "name": "<site-name>", The data object contains the following properties: "sourceSlot": "staging", "targetSlot": "production" },- "dataVersion": "1", - "metaDataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "type": "Microsoft.Web.SlotSwapStarted", - "time": "2020-01-28T18:26:51.7194887Z", + "eventType": "Microsoft.Web.SlotSwapStarted", + "eventTime": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": null, "name": "<site-name>", The data object contains the following properties: "sourceSlot": "staging", "targetSlot": "production" },- "specversion": "1.0" + "dataVersion": "1", + "metaDataVersion": "1" } ``` The data object contains the following properties: ### SlotSwapWithPreviewStarted, SlotSwapWithPreviewCancelled -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "eventType": "Microsoft.Web.SlotSwapWithPreviewStarted", - "eventTime": "2020-01-28T18:26:51.7194887Z", + 
"type": "Microsoft.Web.SlotSwapWithPreviewStarted", + "time": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": null, "name": "<site-name>", The data object contains the following properties: "sourceSlot": "staging", "targetSlot": "production" },- "dataVersion": "1", - "metaDataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",- "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", + "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "type": "Microsoft.Web.SlotSwapWithPreviewStarted", - "time": "2020-01-28T18:26:51.7194887Z", + "eventType": "Microsoft.Web.SlotSwapWithPreviewStarted", + "eventTime": "2020-01-28T18:26:51.7194887Z", "data": { "appEventTypeDetail": null, "name": "<site-name>", The data object contains the following properties: "sourceSlot": "staging", "targetSlot": "production" },- "specversion": "1.0" + "dataVersion": "1", + "metaDataVersion": "1" } ``` The data object contains the following properties: ### AppUpdated.Restarted, AppUpdated.Stopped, AppUpdated.ChangedAppSettings -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "b74ea56b-2a3f-4de5-a5d7-38e60c81cf23",- "topic": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>", + "source": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "eventType": "Microsoft.Web.AppUpdated", - "eventTime": "2020-01-28T18:22:30.2760952Z", + "type": "Microsoft.Web.AppUpdated", + "time": "2020-01-28T18:22:30.2760952Z", "data": { "appEventTypeDetail": { "action": "Stopped" The data object contains the following properties: 
"address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/stop", "verb": "POST" },- "dataVersion": "1'", - "metaDataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "b74ea56b-2a3f-4de5-a5d7-38e60c81cf23",- "source": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>", + "topic": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>", "subject": "/Microsoft.Web/sites/<site-name>",- "type": "Microsoft.Web.AppUpdated", - "time": "2020-01-28T18:22:30.2760952Z", + "eventType": "Microsoft.Web.AppUpdated", + "eventTime": "2020-01-28T18:22:30.2760952Z", "data": { "appEventTypeDetail": { "action": "Stopped" The data object contains the following properties: "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/stop", "verb": "POST" },- "specversion": "1.0" + "dataVersion": "1'", + "metaDataVersion": "1" } ``` The data object has the following properties: ### Serverfarms.AppServicePlanUpdated -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ```json { "id": "56501672-9150-40e1-893a-18420c7fdbf7",- "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>", + "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>", "subject": "/Microsoft.Web/serverfarms/<plan-name>",- "eventType": "Microsoft.Web.AppServicePlanUpdated", - "eventTime": "2020-01-28T18:22:23.5516004Z", + "type": "Microsoft.Web.AppServicePlanUpdated", + "time": "2020-01-28T18:22:23.5516004Z", "data": { "serverFarmEventTypeDetail": { "stampKind": "Public", The data object has the following properties: "address": 
"/websystems/WebSites/serverfarms/subscriptions/<id>/webspaces/<webspace-id>/serverfarms/<plan-name>/async", "verb": "PUT" },- "dataVersion": "1", - "metaDataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "56501672-9150-40e1-893a-18420c7fdbf7",- "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>", + "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>", "subject": "/Microsoft.Web/serverfarms/<plan-name>",- "type": "Microsoft.Web.AppServicePlanUpdated", - "time": "2020-01-28T18:22:23.5516004Z", + "eventType": "Microsoft.Web.AppServicePlanUpdated", + "eventTime": "2020-01-28T18:22:23.5516004Z", "data": { "serverFarmEventTypeDetail": { "stampKind": "Public", The data object has the following properties: "address": "/websystems/WebSites/serverfarms/subscriptions/<id>/webspaces/<webspace-id>/serverfarms/<plan-name>/async", "verb": "PUT" },- "specversion": "1.0" + "dataVersion": "1", + "metaDataVersion": "1" } ``` |
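Review bot: `+ "dataVersion": "1'",` in the AppUpdated Event Grid example has a stray apostrophe inside the string (the removed `-` line had it too); it should be `"dataVersion": "1",` like the other examples. The examples also use `metaDataVersion` while the property table in this hunk lists `metadataVersion`; align the samples with the table's casing. Finally, the context row `| `data` | object | Blob storage event data. |` describes App Service events as Blob storage data and should read "App Service event data."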
event-grid | Event Schema Azure Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-azure-cache.md | These events are triggered when a client exports, imports, or scales by calling ## Example event When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each Azure Cache for Redis event. -# [Event Grid event schema](#tab/event-grid-event-schema) --### Microsoft.Cache.PatchingCompleted event --```json -[{ -"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", -"eventType":"Microsoft.Cache.PatchingCompleted", -"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", -"data":{ - "name":"PatchingCompleted", - "timestamp":"2020-12-09T21:50:19.9995668+00:00", - "status":"Succeeded"}, -"subject":"PatchingCompleted", -"dataversion":"1.0", -"metadataVersion":"1", -"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] -``` --### Microsoft.Cache.ImportRDBCompleted event --```json -[{ -"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", -"eventType":"Microsoft.Cache.ImportRDBCompleted", -"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", -"data":{ - "name":"ImportRDBCompleted", - "timestamp":"2020-12-09T21:50:19.9995668+00:00", - "status":"Succeeded"}, -"subject":"ImportRDBCompleted", -"dataversion":"1.0", -"metadataVersion":"1", -"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] -``` --### Microsoft.Cache.ExportRDBCompleted event --```json -[{ -"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", -"eventType":"Microsoft.Cache.ExportRDBCompleted", -"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", -"data":{ - "name":"ExportRDBCompleted", - "timestamp":"2020-12-09T21:50:19.9995668+00:00", - "status":"Succeeded"}, 
-"subject":"ExportRDBCompleted", -"dataversion":"1.0", -"metadataVersion":"1", -"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] -``` --### Microsoft.Cache.ScalingCompleted --```json -[{ -"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", -"eventType":"Microsoft.Cache.ScalingCompleted", -"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", -"data":{ - "name":"ScalingCompleted", - "timestamp":"2020-12-09T21:50:19.9995668+00:00", - "status":"Succeeded"}, -"subject":"ScalingCompleted", -"dataversion":"1.0", -"metadataVersion":"1", -"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] -``` # [Cloud event schema](#tab/cloud-event-schema) When an event is triggered, the Event Grid service sends data about that event t }] ``` +# [Event Grid event schema](#tab/event-grid-event-schema) ++### Microsoft.Cache.PatchingCompleted event ++```json +[{ +"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", +"eventType":"Microsoft.Cache.PatchingCompleted", +"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", +"data":{ + "name":"PatchingCompleted", + "timestamp":"2020-12-09T21:50:19.9995668+00:00", + "status":"Succeeded"}, +"subject":"PatchingCompleted", +"dataversion":"1.0", +"metadataVersion":"1", +"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] +``` ++### Microsoft.Cache.ImportRDBCompleted event ++```json +[{ +"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", +"eventType":"Microsoft.Cache.ImportRDBCompleted", +"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", +"data":{ + "name":"ImportRDBCompleted", + "timestamp":"2020-12-09T21:50:19.9995668+00:00", + "status":"Succeeded"}, +"subject":"ImportRDBCompleted", +"dataversion":"1.0", +"metadataVersion":"1", +"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] +``` ++### Microsoft.Cache.ExportRDBCompleted event ++```json +[{ 
+"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", +"eventType":"Microsoft.Cache.ExportRDBCompleted", +"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", +"data":{ + "name":"ExportRDBCompleted", + "timestamp":"2020-12-09T21:50:19.9995668+00:00", + "status":"Succeeded"}, +"subject":"ExportRDBCompleted", +"dataversion":"1.0", +"metadataVersion":"1", +"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] +``` ++### Microsoft.Cache.ScalingCompleted ++```json +[{ +"id":"9b87886d-21a5-4af5-8e3e-10c4b8dac73b", +"eventType":"Microsoft.Cache.ScalingCompleted", +"topic":"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}", +"data":{ + "name":"ScalingCompleted", + "timestamp":"2020-12-09T21:50:19.9995668+00:00", + "status":"Succeeded"}, +"subject":"ScalingCompleted", +"dataversion":"1.0", +"metadataVersion":"1", +"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] +``` + ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) + An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Azure Cache for Redis event data. 
|-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | ---# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. | +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Azure Cache for Redis event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + The data object has the following properties: | Property | Type | Description | | -- | - | -- |-| `timestamp` | string | The time at which the event occurred. | +| `timestamp` | string | The time when the event occurred. | | `name` | string | The name of the event. | | `status` | string | The status of the event. 
Failed or succeeded. | |
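Review bot: the four Event Grid schema examples moved under the new `# [Event Grid event schema]` tab carry `"dataversion":"1.0"` with a lowercase v, while the property table in the same change documents the field as `dataVersion`; since these blocks are being rewritten anyway, change the key to `"dataVersion":"1.0"` in all four so the examples match the table. The heading `### Microsoft.Cache.ScalingCompleted` also lacks the ` event` suffix that the other three headings use.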
event-grid | Event Schema Azure Health Data Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-azure-health-data-services.md | This section contains examples of what Azure Health Data Services Events message ### FhirResourceCreated event -# [Event Grid event schema](#tab/event-grid-event-schema) --```json -{ - "id": "e4c7f556-d72c-e7f7-1069-1e82ac76ab41", - "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}", - "subject": "{fhir-account}.fhir.azurehealthcareapis.com/Patient/e0a1f743-1a70-451f-830e-e96477163902", - "data": { - "resourceType": "Patient", - "resourceFhirAccount": "{fhir-account}.fhir.azurehealthcareapis.com", - "resourceFhirId": "e0a1f743-1a70-451f-830e-e96477163902", - "resourceVersionId": 1 - }, - "eventType": "Microsoft.HealthcareApis.FhirResourceCreated", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2021-09-08T01:14:04.5613214Z" -} -``` # [CloudEvent schema](#tab/cloud-event-schema) ```json This section contains examples of what Azure Health Data Services Events message } } ```---### FhirResourceUpdated event # [Event Grid event schema](#tab/event-grid-event-schema) ```json {- "id": "634bd421-8467-f23c-b8cb-f6a31e41c32a", + "id": "e4c7f556-d72c-e7f7-1069-1e82ac76ab41", "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}", "subject": "{fhir-account}.fhir.azurehealthcareapis.com/Patient/e0a1f743-1a70-451f-830e-e96477163902", "data": { "resourceType": "Patient", "resourceFhirAccount": "{fhir-account}.fhir.azurehealthcareapis.com", "resourceFhirId": "e0a1f743-1a70-451f-830e-e96477163902",- "resourceVersionId": 2 + "resourceVersionId": 1 },- "eventType": "Microsoft.HealthcareApis.FhirResourceUpdated", - "dataVersion": "2", + "eventType": "Microsoft.HealthcareApis.FhirResourceCreated", + "dataVersion": 
"1", "metadataVersion": "1",- "eventTime": "2021-09-08T01:29:12.0618739Z" + "eventTime": "2021-09-08T01:14:04.5613214Z" } ``` +++### FhirResourceUpdated event + # [CloudEvent schema](#tab/cloud-event-schema) ```json This section contains examples of what Azure Health Data Services Events message } } ```---### FhirResourceDeleted event # [Event Grid event schema](#tab/event-grid-event-schema) ```json {- "id": "ef289b93-3159-b833-3a44-dc6b86ed1a8a", + "id": "634bd421-8467-f23c-b8cb-f6a31e41c32a", "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}", "subject": "{fhir-account}.fhir.azurehealthcareapis.com/Patient/e0a1f743-1a70-451f-830e-e96477163902", "data": { "resourceType": "Patient", "resourceFhirAccount": "{fhir-account}.fhir.azurehealthcareapis.com", "resourceFhirId": "e0a1f743-1a70-451f-830e-e96477163902",- "resourceVersionId": 3 + "resourceVersionId": 2 },- "eventType": "Microsoft.HealthcareApis.FhirResourceDeleted", - "dataVersion": "3", + "eventType": "Microsoft.HealthcareApis.FhirResourceUpdated", + "dataVersion": "2", "metadataVersion": "1",- "eventTime": "2021-09-08T01:31:58.5175837Z" + "eventTime": "2021-09-08T01:29:12.0618739Z" } ```++++### FhirResourceDeleted event + # [CloudEvent schema](#tab/cloud-event-schema) ```json This section contains examples of what Azure Health Data Services Events message } } ```---### DicomImageCreated # [Event Grid event schema](#tab/event-grid-event-schema) ```json {- "id": "d621839d-958b-4142-a638-bb966b4f7dfd", + "id": "ef289b93-3159-b833-3a44-dc6b86ed1a8a", "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}",- "subject": "{dicom-account}.dicom.azurehealthcareapis.com/v1/studies/1.2.3.4.3/series/1.2.3.4.3.9423673/instances/1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", + "subject": 
"{fhir-account}.fhir.azurehealthcareapis.com/Patient/e0a1f743-1a70-451f-830e-e96477163902", "data": {- "imageStudyInstanceUid": "1.2.3.4.3", - "imageSeriesInstanceUid": "1.2.3.4.3.9423673", - "imageSopInstanceUid": "1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", - "serviceHostName": "{dicom-account}.dicom.azurehealthcareapis.com", - "sequenceNumber": 1 + "resourceType": "Patient", + "resourceFhirAccount": "{fhir-account}.fhir.azurehealthcareapis.com", + "resourceFhirId": "e0a1f743-1a70-451f-830e-e96477163902", + "resourceVersionId": 3 },- "eventType": "Microsoft.HealthcareApis.DicomImageCreated", - "dataVersion": "1", + "eventType": "Microsoft.HealthcareApis.FhirResourceDeleted", + "dataVersion": "3", "metadataVersion": "1",- "eventTime": "2022-09-15T01:14:04.5613214Z" + "eventTime": "2021-09-08T01:31:58.5175837Z" } ```++++### DicomImageCreated + # [CloudEvent schema](#tab/cloud-event-schema) ```json This section contains examples of what Azure Health Data Services Events message "specVersion": "1.0" } ```---### DicomImageDeleted # [Event Grid event schema](#tab/event-grid-event-schema) ```json {- "id": "eac1c1a0-ffa8-4b28-97cc-1d8b9a0a6021", + "id": "d621839d-958b-4142-a638-bb966b4f7dfd", "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}", "subject": "{dicom-account}.dicom.azurehealthcareapis.com/v1/studies/1.2.3.4.3/series/1.2.3.4.3.9423673/instances/1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", "data": { This section contains examples of what Azure Health Data Services Events message "imageSeriesInstanceUid": "1.2.3.4.3.9423673", "imageSopInstanceUid": "1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", "serviceHostName": "{dicom-account}.dicom.azurehealthcareapis.com",- "sequenceNumber": 2 + "sequenceNumber": 1 },- "eventType": "Microsoft.HealthcareApis.DicomImageDeleted", + "eventType": "Microsoft.HealthcareApis.DicomImageCreated", "dataVersion": 
"1", "metadataVersion": "1",- "eventTime": "2022-09-15T01:16:07.5692209Z" + "eventTime": "2022-09-15T01:14:04.5613214Z" } ```++++### DicomImageDeleted + # [CloudEvent schema](#tab/cloud-event-schema) ```json This section contains examples of what Azure Health Data Services Events message "specVersion": "1.0" } ```--### DicomImageUpdated # [Event Grid event schema](#tab/event-grid-event-schema) ```json {- "id": "83cb0f51-af41-e58c-3c6c-46344b349bc5", + "id": "eac1c1a0-ffa8-4b28-97cc-1d8b9a0a6021", "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}",- "subject": "{dicom-account}.dicom.azurehealthcareapis.com/v1/partitions/Microsoft.Default/studies/1.2.3.4.3/series/1.2.3.4.3.9423673/instances/1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", + "subject": "{dicom-account}.dicom.azurehealthcareapis.com/v1/studies/1.2.3.4.3/series/1.2.3.4.3.9423673/instances/1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", "data": {- "partitionName": "Microsoft.Default", "imageStudyInstanceUid": "1.2.3.4.3", "imageSeriesInstanceUid": "1.2.3.4.3.9423673", "imageSopInstanceUid": "1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", "serviceHostName": "{dicom-account}.dicom.azurehealthcareapis.com", "sequenceNumber": 2 },- "eventType": "Microsoft.HealthcareApis.DicomImageUpdated", + "eventType": "Microsoft.HealthcareApis.DicomImageDeleted", "dataVersion": "1", "metadataVersion": "1",- "eventTime": "2023-06-09T16:55:44.7197137Z" + "eventTime": "2022-09-15T01:16:07.5692209Z" } ```+++### DicomImageUpdated + # [CloudEvent schema](#tab/cloud-event-schema) ```json { This section contains examples of what Azure Health Data Services Events message "specversion": "1.0" } ```++# [Event Grid event schema](#tab/event-grid-event-schema) ++```json +{ + "id": "83cb0f51-af41-e58c-3c6c-46344b349bc5", + "topic": 
"/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.HealthcareApis/workspaces/{workspace-name}", + "subject": "{dicom-account}.dicom.azurehealthcareapis.com/v1/partitions/Microsoft.Default/studies/1.2.3.4.3/series/1.2.3.4.3.9423673/instances/1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", + "data": { + "partitionName": "Microsoft.Default", + "imageStudyInstanceUid": "1.2.3.4.3", + "imageSeriesInstanceUid": "1.2.3.4.3.9423673", + "imageSopInstanceUid": "1.3.6.1.4.1.45096.2.296485376.2210.1633373143.864442", + "serviceHostName": "{dicom-account}.dicom.azurehealthcareapis.com", + "sequenceNumber": 2 + }, + "eventType": "Microsoft.HealthcareApis.DicomImageUpdated", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2023-06-09T16:55:44.7197137Z" +} +``` + ## Next steps |
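Review bot: the CloudEvent examples for DicomImageCreated and DicomImageDeleted still carry `"specVersion": "1.0"` in their context lines, while the DicomImageUpdated CloudEvent example in the same file uses `"specversion": "1.0"`; the CloudEvents attribute is `specversion` (all lowercase), so correct the two camelCase occurrences while the tabs are being reordered. The three DICOM headings (`### DicomImageCreated`, `### DicomImageDeleted`, `### DicomImageUpdated`) also drop the ` event` suffix that the FHIR headings use.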
event-grid | Event Schema Azure Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-azure-maps.md | An Azure Maps account emits the following event types: ## Example events -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of a **GeofenceEntered** event ```JSON {      "id":"7f8446e2-1ac7-4234-8425-303726ea3981", -   "topic":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}", +   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",    "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",    "data":{         "geometries":[   The following example shows the schema of a **GeofenceEntered** event       "invalidPeriodGeofenceGeometryId":[         ]    }, -   "eventType":"Microsoft.Maps.GeofenceEntered", -   "eventTime":"2018-11-08T00:54:17.6408601Z", -   "metadataVersion":"1", -   "dataVersion":"1.0" +   "type":"Microsoft.Maps.GeofenceEntered", +   "time":"2018-11-08T00:54:17.6408601Z", +   "specversion":"1.0" } ``` The following example show schema for **GeofenceResult** ```JSON {      "id":"451675de-a67d-4929-876c-5c2bf0b2c000", -   "topic":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}", +   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",    "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",    "data":{         "geometries":[   The following example show schema for **GeofenceResult**       "invalidPeriodGeofenceGeometryId":[         ]    }, -   "eventType":"Microsoft.Maps.GeofenceResult", -   "eventTime":"2018-11-08T00:52:08.0954283Z", -   "metadataVersion":"1", -   "dataVersion":"1.0" +   "type":"Microsoft.Maps.GeofenceResult", +   
"time":"2018-11-08T00:52:08.0954283Z", +   "specversion":"1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of a **GeofenceEntered** event ```JSON {      "id":"7f8446e2-1ac7-4234-8425-303726ea3981", -   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}", +   "topic":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",    "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",    "data":{         "geometries":[   The following example shows the schema of a **GeofenceEntered** event       "invalidPeriodGeofenceGeometryId":[         ]    }, -   "type":"Microsoft.Maps.GeofenceEntered", -   "time":"2018-11-08T00:54:17.6408601Z", -   "specversion":"1.0" +   "eventType":"Microsoft.Maps.GeofenceEntered", +   "eventTime":"2018-11-08T00:54:17.6408601Z", +   "metadataVersion":"1", +   "dataVersion":"1.0" } ``` The following example show schema for **GeofenceResult** ```JSON {      "id":"451675de-a67d-4929-876c-5c2bf0b2c000", -   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}", +   "topic":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",    "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",    "data":{         "geometries":[   The following example show schema for **GeofenceResult**       "invalidPeriodGeofenceGeometryId":[         ]    }, -   "type":"Microsoft.Maps.GeofenceResult", -   "time":"2018-11-08T00:52:08.0954283Z", -   "specversion":"1.0" +   "eventType":"Microsoft.Maps.GeofenceResult", +   "eventTime":"2018-11-08T00:52:08.0954283Z", +   "metadataVersion":"1", +   "dataVersion":"1.0" } ```+ ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event 
schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Geofencing event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. 
| +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Geofencing event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | The InnerError is an object containing service-specific information about the er | -- | - | -- | | `code` | string | The error message. | -The geometries object, lists geometry IDs of the geofences that have expired relative to the user time in the request. The geometries object has geometry items with the following properties: +The geometries object lists geometry IDs of the geofences that have expired relative to the user time in the request. The geometries object has geometry items with the following properties: | Property | Type | Description | |:-- |:- |:-- | | `deviceid` | string | ID of device. |-| `distance` | string | <p>Distance from the coordinate to the closest border of the geofence. Positive means the coordinate is outside of the geofence. If the coordinate is outside of the geofence, but more than the value of searchBuffer away from the closest geofence border, then the value is 999. Negative means the coordinate is inside of the geofence. If the coordinate is inside the polygon, but more than the value of searchBuffer away from the closest geofencing border, then the value is -999. A value of 999 means that there is great confidence the coordinate is well outside the geofence. 
A value of -999 means that there is great confidence the coordinate is well within the geofence.<p> | +| `distance` | string | <p>Distance from the coordinate to the closest border of the geofence. Positive means the coordinate is outside of the geofence. If the coordinate is outside of the geofence, but more than the value of searchBuffer away from the closest geofence border, then the value is 999. Negative means the coordinate is inside of the geofence. If the coordinate is inside the polygon, but more than the value of searchBuffer away from the closest geofencing border, then the value is -999. A value of 999 means that there's great confidence the coordinate is well outside the geofence. A value of -999 means that there's great confidence the coordinate is well within the geofence.<p> | | `geometryid` |string | The unique ID identifies the geofence geometry. | | `nearestlat` | number | Latitude of the nearest point of the geometry. | | `nearestlon` | number | Longitude of the nearest point of the geometry. | |
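Review bot: the context line `The following example show schema for **GeofenceResult**` appears twice (once per tab) and has a grammatical error; since both tabs are rewritten here, change it to `The following example shows the schema for **GeofenceResult**` so it matches the wording used for the GeofenceEntered example.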
event-grid | Event Schema Azure Signalr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-azure-signalr.md | SignalR Service emits the following event types: ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) + The following example shows the schema of a client connection connected event: ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", + "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", "subject": "/hub/chat",- "eventType": "Microsoft.SignalRService.ClientConnectionConnected", - "eventTime": "2019-06-10T18:41:00.9584103Z", + "type": "Microsoft.SignalRService.ClientConnectionConnected", + "time": "2019-06-10T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "timestamp": "2019-06-10T18:41:00.9584103Z", The following example shows the schema of a client connection connected event: "connectionId": "crH0uxVSvP61p5wkFY1x1A", "userId": "user-eymwyo23" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The schema for a client connection disconnected event is similar: ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", + "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", "subject": "/hub/chat",- "eventType": "Microsoft.SignalRService.ClientConnectionDisconnected", - "eventTime": "2019-06-10T18:41:00.9584103Z", + "type": "Microsoft.SignalRService.ClientConnectionDisconnected", + "time": "2019-06-10T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "timestamp": "2019-06-10T18:41:00.9584103Z", The schema for a client connection 
disconnected event is similar: "userId": "user-eymwyo23", "errorMessage": "Internal server error." },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) -+# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of a client connection connected event: ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", + "topic": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", "subject": "/hub/chat",- "type": "Microsoft.SignalRService.ClientConnectionConnected", - "time": "2019-06-10T18:41:00.9584103Z", + "eventType": "Microsoft.SignalRService.ClientConnectionConnected", + "eventTime": "2019-06-10T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "timestamp": "2019-06-10T18:41:00.9584103Z", The following example shows the schema of a client connection connected event: "connectionId": "crH0uxVSvP61p5wkFY1x1A", "userId": "user-eymwyo23" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" }] ``` The schema for a client connection disconnected event is similar: ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", + "topic": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource", "subject": "/hub/chat",- "type": "Microsoft.SignalRService.ClientConnectionDisconnected", - "time": "2019-06-10T18:41:00.9584103Z", + "eventType": "Microsoft.SignalRService.ClientConnectionDisconnected", + "eventTime": "2019-06-10T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "timestamp": "2019-06-10T18:41:00.9584103Z", The schema for a client connection disconnected event is similar: "userId": 
"user-eymwyo23", "errorMessage": "Internal server error." },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" }] ``` The schema for a client connection disconnected event is similar: ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | SignalR Service event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. | +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. 
| | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | SignalR Service event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
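Review bot: the `### Event properties` heading in this file is one level deeper than the `## Event properties` heading used by the other event schema pages in this batch; consider promoting it to `## Event properties` in the same change so the tab sections sit at a consistent level. The patch also adds a trailing `+` blank line after the last property table, which is harmless but unneeded.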
event-grid | Event Schema Blob Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-blob-storage.md | These events are triggered when a client creates, replaces, or deletes a blob by ### Example events -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.Storage.BlobCreated event ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/test-container/blobs/new-file.txt",- "eventType": "Microsoft.Storage.BlobCreated", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.BlobCreated", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "PutBlockList", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/file-to-delete.txt",- "eventType": "Microsoft.Storage.BlobDeleted", - "eventTime": "2017-11-07T20:09:22.5674003Z", + "type": "Microsoft.Storage.BlobDeleted", + "time": "2017-11-07T20:09:22.5674003Z", "id": "4c2359fe-001e-00ba-0e04-58586806d298", "data": { "api": "DeleteBlob", These events are triggered when a client creates, replaces, or deletes a 
blob by "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json {- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/Auto.jpg",- "eventType": "Microsoft.Storage.BlobTierChanged", - "eventTime": "2021-05-04T15:00:00.8350154Z", + "type": "Microsoft.Storage.BlobTierChanged", + "time": "2021-05-04T15:00:00.8350154Z", "id": "0fdefc06-b01e-0034-39f6-4016610696f6", "data": { "api": "SetBlobTier", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "3418f7a9-7006-0014-00f6-406dc6000000" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" } ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json {- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/00000.avro",- "eventType": "Microsoft.Storage.AsyncOperationInitiated", - "eventTime": "2021-05-04T14:44:59.3204652Z", + "type": "Microsoft.Storage.AsyncOperationInitiated", + "time": "2021-05-04T14:44:59.3204652Z", "id": "8ea4e3f2-101e-003d-5ff4-4053b2061016", "data": { "api": "SetBlobTier", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "34128c8a-7006-0014-00f4-406dc6000000" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" } ``` --# [Cloud event 
schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.Storage.BlobCreated event ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/test-container/blobs/new-file.txt",- "type": "Microsoft.Storage.BlobCreated", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.BlobCreated", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "PutBlockList", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/file-to-delete.txt",- "type": "Microsoft.Storage.BlobDeleted", - "time": "2017-11-07T20:09:22.5674003Z", + "eventType": "Microsoft.Storage.BlobDeleted", + "eventTime": "2017-11-07T20:09:22.5674003Z", "id": "4c2359fe-001e-00ba-0e04-58586806d298", "data": { "api": "DeleteBlob", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json {- "source": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/Auto.jpg",- "type": "Microsoft.Storage.BlobTierChanged", - "time": "2021-05-04T15:00:00.8350154Z", + "eventType": "Microsoft.Storage.BlobTierChanged", + "eventTime": "2021-05-04T15:00:00.8350154Z", "id": "0fdefc06-b01e-0034-39f6-4016610696f6", "data": { "api": "SetBlobTier", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "3418f7a9-7006-0014-00f6-406dc6000000" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" } ``` These events are triggered when a client creates, replaces, or deletes a blob by ```json {- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/00000.avro",- "type": "Microsoft.Storage.AsyncOperationInitiated", - "time": "2021-05-04T14:44:59.3204652Z", + "eventType": "Microsoft.Storage.AsyncOperationInitiated", + "eventTime": "2021-05-04T14:44:59.3204652Z", "id": "8ea4e3f2-101e-003d-5ff4-4053b2061016", "data": { "api": "SetBlobTier", These events are triggered when a client creates, replaces, or deletes a blob by "batchId": "34128c8a-7006-0014-00f4-406dc6000000" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" } ``` These events are triggered if you enable a hierarchical namespace on the storage ### Example events -# [Event Grid event schema](#tab/event-grid-event-schema) -### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2) +# [Cloud event 
schema](#tab/cloud-event-schema) -If the blob storage account has a hierarchical namespace, the data looks similar to the Blob Storage example with an exception of these changes: +### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2) -* The `dataVersion` key is set to a value of `2`. +If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes: * The `data.api` key is set to the string `CreateFile` or `FlushWithClose`.- * The `contentOffset` key is included in the data set. > [!NOTE] If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/new-file.txt",- "eventType": "Microsoft.Storage.BlobCreated", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.BlobCreated", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "CreateFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "2", - "metadataVersion": "1" + "specversion": "1.0" }] ``` + ### Microsoft.Storage.BlobDeleted event (Data Lake Storage Gen2) If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes: -* The `dataVersion` key is set to a value of `2`. * The `data.api` key is set to the string `DeleteFile`.- * The `url` key contains the path `dfs.core.windows.net`. 
> [!NOTE] If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/file-to-delete.txt",- "eventType": "Microsoft.Storage.BlobDeleted", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.BlobDeleted", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "DeleteFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "2", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-file.txt",- "eventType": "Microsoft.Storage.BlobRenamed", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.BlobRenamed", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "RenameFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-new-directory",- "eventType": "Microsoft.Storage.DirectoryCreated", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.DirectoryCreated", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "CreateDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-directory",- "eventType": "Microsoft.Storage.DirectoryRenamed", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.DirectoryRenamed", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "RenameDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/directory-to-delete",- "eventType": "Microsoft.Storage.DirectoryDeleted", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.Storage.DirectoryDeleted", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "DeleteDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` --# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2) -If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes: +If the blob storage account has a hierarchical namespace, the data looks similar to the Blob Storage example with an exception of these changes: ++* The `dataVersion` key is set to a value of `2`. * The `data.api` key is set to the string `CreateFile` or `FlushWithClose`.+ * The `contentOffset` key is included in the data set. 
> [!NOTE] If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/new-file.txt",- "type": "Microsoft.Storage.BlobCreated", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.BlobCreated", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "CreateFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1" }] ``` - ### Microsoft.Storage.BlobDeleted event (Data Lake Storage Gen2) If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes: +* The `dataVersion` key is set to a value of `2`. * The `data.api` key is set to the string `DeleteFile`.+ * The `url` key contains the path `dfs.core.windows.net`. 
> [!NOTE] If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/file-to-delete.txt",- "type": "Microsoft.Storage.BlobDeleted", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.BlobDeleted", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "DeleteFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-file.txt",- "type": "Microsoft.Storage.BlobRenamed", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.BlobRenamed", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "RenameFile", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-new-directory",- "type": "Microsoft.Storage.DirectoryCreated", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.DirectoryCreated", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "CreateDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-directory",- "type": "Microsoft.Storage.DirectoryRenamed", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.DirectoryRenamed", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "RenameDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` If the blob storage account has a hierarchical namespace, the data looks similar ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/my-file-system/blobs/directory-to-delete",- "type": "Microsoft.Storage.DirectoryDeleted", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.Storage.DirectoryDeleted", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "DeleteDirectory", If the blob storage account has a hierarchical namespace, the data looks similar "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` - ## SFTP events These events are triggered if you enable a hierarchical namespace on the storage ### Example events When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each blob storage event. -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.Storage.BlobCreated event (SFTP) If the blob storage account uses SFTP to create or overwrite a blob, then the da * The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication. > [!NOTE]-> SFTP uploads will generate 2 events. One `SftpCreate` for an initial empty blob created when opening the file and one `SftpCommit` when the file contents are written. If you want to ensure that the Microsoft.Storage.BlobCreated event is triggered only when a Block Blob is completely committed, filter the event for the SftpCommit REST API call. +> SFTP uploads will generate 2 events. One `SftpCreate` for an initial empty blob created when opening the file and one `SftpCommit` when the file contents are written. 
```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",- "eventType": "Microsoft.Storage.BlobCreated", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.BlobCreated", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpCommit", If the blob storage account uses SFTP to create or overwrite a blob, then the da "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "3", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account uses SFTP to delete a blob, then the data looks simi ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",- "eventType": "Microsoft.Storage.BlobDeleted", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.BlobDeleted", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRemove", If the blob storage account uses SFTP to delete a blob, then the data looks simi "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "2", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account uses SFTP to rename a blob, then the data looks simi ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": 
"/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/my-renamed-file.txt",- "eventType": "Microsoft.Storage.BlobRenamed", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.BlobRenamed", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRename", If the blob storage account uses SFTP to rename a blob, then the data looks simi "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account uses SFTP to create a directory, then the data looks ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/my-new-directory",- "eventType": "Microsoft.Storage.DirectoryCreated", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.DirectoryCreated", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpMakeDir", If the blob storage account uses SFTP to create a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "2", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account uses SFTP to rename a directory, then the data looks ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": 
"/blobServices/default/containers/testcontainer/blobs/my-renamed-directory",- "eventType": "Microsoft.Storage.DirectoryRenamed", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.DirectoryRenamed", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRename", If the blob storage account uses SFTP to rename a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` If the blob storage account uses SFTP to delete a directory, then the data looks ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/directory-to-delete",- "eventType": "Microsoft.Storage.DirectoryDeleted", - "eventTime": "2022-04-25T19:13:00.1522383Z", + "type": "Microsoft.Storage.DirectoryDeleted", + "time": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRemoveDir", If the blob storage account uses SFTP to delete a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` --# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.Storage.BlobCreated event (SFTP) If the blob storage account uses SFTP to create or overwrite a blob, then the da * The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication. > [!NOTE]-> SFTP uploads will generate 2 events. 
One `SftpCreate` for an initial empty blob created when opening the file and one `SftpCommit` when the file contents are written. +> SFTP uploads will generate 2 events. One `SftpCreate` for an initial empty blob created when opening the file and one `SftpCommit` when the file contents are written. If you want to ensure that the Microsoft.Storage.BlobCreated event is triggered only when a Block Blob is completely committed, filter the event for the SftpCommit REST API call. ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",- "type": "Microsoft.Storage.BlobCreated", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.BlobCreated", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpCommit", If the blob storage account uses SFTP to create or overwrite a blob, then the da "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "3", + "metadataVersion": "1" }] ``` If the blob storage account uses SFTP to delete a blob, then the data looks simi ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",- "type": "Microsoft.Storage.BlobDeleted", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.BlobDeleted", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRemove", 
If the blob storage account uses SFTP to delete a blob, then the data looks simi "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1" }] ``` If the blob storage account uses SFTP to rename a blob, then the data looks simi ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/my-renamed-file.txt",- "type": "Microsoft.Storage.BlobRenamed", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.BlobRenamed", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRename", If the blob storage account uses SFTP to rename a blob, then the data looks simi "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` If the blob storage account uses SFTP to create a directory, then the data looks ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/my-new-directory",- "type": "Microsoft.Storage.DirectoryCreated", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.DirectoryCreated", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpMakeDir", If the blob storage account uses SFTP to create a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + 
"dataVersion": "2", + "metadataVersion": "1" }] ``` If the blob storage account uses SFTP to rename a directory, then the data looks ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/my-renamed-directory",- "type": "Microsoft.Storage.DirectoryRenamed", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.DirectoryRenamed", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRename", If the blob storage account uses SFTP to rename a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` If the blob storage account uses SFTP to delete a directory, then the data looks ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", + "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account", "subject": "/blobServices/default/containers/testcontainer/blobs/directory-to-delete",- "type": "Microsoft.Storage.DirectoryDeleted", - "time": "2022-04-25T19:13:00.1522383Z", + "eventType": "Microsoft.Storage.DirectoryDeleted", + "eventTime": "2022-04-25T19:13:00.1522383Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "api": "SftpRemoveDir", If the blob storage account uses SFTP to delete a directory, then the data looks "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` - ## Policy-related events These events are triggered when the actions defined by a policy are 
performed. ### Example events When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each blob storage event. -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.Storage.BlobInventoryPolicyCompleted event ```json {- "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.EventGrid/topics/BlobInventoryTopic", + "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.EventGrid/topics/BlobInventoryTopic", "subject": "BlobDataManagement/BlobInventory",- "eventType": "Microsoft.Storage.BlobInventoryPolicyCompleted", - "eventTime": "2021-05-28T15:03:18Z", + "type": "Microsoft.Storage.BlobInventoryPolicyCompleted", + "time": "2021-05-28T15:03:18Z", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "data": { "scheduleDateTime": "2021-05-28T03:50:27Z", When an event is triggered, the Event Grid service sends data about that event t "policyRunId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "manifestBlobUrl": "https://testaccount.blob.core.windows.net/inventory-destination-container/2021/05/26/13-25-36/Rule_1/Rule_1.csv" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ``` When an event is triggered, the Event Grid service sends data about that event t ```json {- "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/contosoresourcegroup/providers/Microsoft.Storage/storageAccounts/contosostorageaccount", + "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/contosoresourcegroup/providers/Microsoft.Storage/storageAccounts/contosostorageaccount", "subject": "BlobDataManagement/LifeCycleManagement/SummaryReport",- "eventType": "Microsoft.Storage.LifecyclePolicyCompleted", - "eventTime": 
"2022-05-26T00:00:40.1880331", + "type": "Microsoft.Storage.LifecyclePolicyCompleted", + "time": "2022-05-26T00:00:40.1880331", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "data": { "scheduleTime": "2022/05/24 22:57:29.3260160", When an event is triggered, the Event Grid service sends data about that event t "errorList": "" } },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" } ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.Storage.BlobInventoryPolicyCompleted event ```json {- "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.EventGrid/topics/BlobInventoryTopic", + "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.EventGrid/topics/BlobInventoryTopic", "subject": "BlobDataManagement/BlobInventory",- "type": "Microsoft.Storage.BlobInventoryPolicyCompleted", - "time": "2021-05-28T15:03:18Z", + "eventType": "Microsoft.Storage.BlobInventoryPolicyCompleted", + "eventTime": "2021-05-28T15:03:18Z", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "data": { "scheduleDateTime": "2021-05-28T03:50:27Z", When an event is triggered, the Event Grid service sends data about that event t "policyRunId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "manifestBlobUrl": "https://testaccount.blob.core.windows.net/inventory-destination-container/2021/05/26/13-25-36/Rule_1/Rule_1.csv" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ``` When an event is triggered, the Event Grid service sends data about that event t ```json {- "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/contosoresourcegroup/providers/Microsoft.Storage/storageAccounts/contosostorageaccount", + "topic": 
"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/contosoresourcegroup/providers/Microsoft.Storage/storageAccounts/contosostorageaccount", "subject": "BlobDataManagement/LifeCycleManagement/SummaryReport",- "type": "Microsoft.Storage.LifecyclePolicyCompleted", - "time": "2022-05-26T00:00:40.1880331", + "eventType": "Microsoft.Storage.LifecyclePolicyCompleted", + "eventTime": "2022-05-26T00:00:40.1880331", "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "data": { "scheduleTime": "2022/05/24 22:57:29.3260160", When an event is triggered, the Event Grid service sends data about that event t "errorList": "" } },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" } ``` - ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. 
| +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
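Review bot: the `+ "time": "2022-05-26T00:00:40.1880331"` line in the CloudEvents tab of the `Microsoft.Storage.LifecyclePolicyCompleted` example (and the matching `eventTime` in the Event Grid tab) carries no timezone designator, unlike every other timestamp on this page; CloudEvents defines `time` as an RFC 3339 timestamp, which requires an offset, and the property table right below describes it as the provider's UTC time, so it should read `"time": "2022-05-26T00:00:40.1880331Z"`. This hunk only swaps the tab order and renames the envelope fields (`topic`/`eventType`/`eventTime`/`dataVersion`/`metadataVersion` against `source`/`type`/`time`/`specversion`), so it copies the pre-existing value into the tab that now comes first; fixing it in both copies while the examples are being touched avoids shipping the same defect twice.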
event-grid | Event Schema Container Registry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-container-registry.md | Azure Container Registry emits the following event types: ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of an image pushed event: ```json [{ "id": "831e1650-001e-001b-66ab-eeb76e069631",- "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "aci-helloworld:v1",- "eventType": "Microsoft.ContainerRegistry.ImagePushed", - "eventTime": "2018-04-25T21:39:47.6549614Z", + "type": "Microsoft.ContainerRegistry.ImagePushed", + "time": "2018-04-25T21:39:47.6549614Z", "data": { "id": "31c51664-e5bd-416a-a5df-e5206bc47ed0", "timestamp": "2018-04-25T21:39:47.276585742Z", "action": "push",- "location": "westus", "target": { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 3023, The following example shows the schema of an image pushed event: "host": "demo.azurecr.io", "method": "PUT", "useragent": "docker/18.03.0-ce go/go1.9.4 git-commit/0520e24 os/windows arch/amd64 UpstreamClient(Docker-Client/18.03.0-ce \\\\(windows\\\\))"- }, - "connectedRegistry": { - "name": "edge1" - } + } },- "dataVersion": "2.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The schema for an image deleted event is similar: ```json [{ "id": "f06e3921-301f-42ec-b368-212f7d5354bd",- "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", 
"subject": "aci-helloworld",- "eventType": "Microsoft.ContainerRegistry.ImageDeleted", - "eventTime": "2018-04-26T17:56:01.8211268Z", + "type": "Microsoft.ContainerRegistry.ImageDeleted", + "time": "2018-04-26T17:56:01.8211268Z", "data": { "id": "f06e3921-301f-42ec-b368-212f7d5354bd", "timestamp": "2018-04-26T17:56:00.996603117Z", "action": "delete",- "location": "westus", "target": { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "digest": "sha256:213bbc182920ab41e18edc2001e06abcca6735d87782d9cef68abd83941cf0e5", The schema for an image deleted event is similar: "host": "demo.azurecr.io", "method": "DELETE", "useragent": "python-requests/2.18.4"- }, - "connectedRegistry": { - "name": "edge1" - } + } },- "dataVersion": "2.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The schema for a chart pushed event is similar to the schema for an imaged pushe ```json [{ "id": "ea3a9c28-5b17-40f6-a500-3f02b6829277",- "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "mychart:1.0.0",- "eventType": "Microsoft.ContainerRegistry.ChartPushed", - "eventTime": "2019-03-12T22:16:31.5164086Z", + "type": "Microsoft.ContainerRegistry.ChartPushed", + "time": "2019-03-12T22:16:31.5164086Z", "data": { "id":"ea3a9c28-5b17-40f6-a500-3f02b682927", "timestamp":"2019-03-12T22:16:31.0087496+00:00", "action":"chart_push",- "location": "westus", "target":{ "mediaType":"application/vnd.acr.helm.chart", "size":25265, The schema for a chart pushed event is similar to the schema for an imaged pushe "tag":"mychart-1.0.0.tgz", "name":"mychart", "version":"1.0.0"- }, - "connectedRegistry": { - "name": "edge1" - } + } },- "dataVersion": "2.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The schema for a chart deleted event is 
similar to the schema for an imaged dele ```json [{ "id": "39136b3a-1a7e-416f-a09e-5c85d5402fca",- "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "mychart:1.0.0",- "eventType": "Microsoft.ContainerRegistry.ChartDeleted", - "eventTime": "019-03-12T22:42:08.7034064Z", + "type": "Microsoft.ContainerRegistry.ChartDeleted", + "time": "019-03-12T22:42:08.7034064Z", "data": { "id":"ea3a9c28-5b17-40f6-a500-3f02b682927", "timestamp":"2019-03-12T22:42:08.3783775+00:00", "action":"chart_delete",- "location": "westus", "target":{ "mediaType":"application/vnd.acr.helm.chart", "size":25265, The schema for a chart deleted event is similar to the schema for an imaged dele "tag":"mychart-1.0.0.tgz", "name":"mychart", "version":"1.0.0"- }, - "connectedRegistry": { - "name": "edge1" - } + } },- "dataVersion": "2.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of an image pushed event: ```json [{ "id": "831e1650-001e-001b-66ab-eeb76e069631",- "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "aci-helloworld:v1",- "type": "Microsoft.ContainerRegistry.ImagePushed", - "time": "2018-04-25T21:39:47.6549614Z", + "eventType": "Microsoft.ContainerRegistry.ImagePushed", + "eventTime": "2018-04-25T21:39:47.6549614Z", "data": { "id": "31c51664-e5bd-416a-a5df-e5206bc47ed0", "timestamp": "2018-04-25T21:39:47.276585742Z", "action": "push",+ "location": "westus", 
"target": { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 3023, The following example shows the schema of an image pushed event: "host": "demo.azurecr.io", "method": "PUT", "useragent": "docker/18.03.0-ce go/go1.9.4 git-commit/0520e24 os/windows arch/amd64 UpstreamClient(Docker-Client/18.03.0-ce \\\\(windows\\\\))"- } + }, + "connectedRegistry": { + "name": "edge1" + } },- "specversion": "1.0" + "dataVersion": "2.0", + "metadataVersion": "1" }] ``` The schema for an image deleted event is similar: ```json [{ "id": "f06e3921-301f-42ec-b368-212f7d5354bd",- "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "aci-helloworld",- "type": "Microsoft.ContainerRegistry.ImageDeleted", - "time": "2018-04-26T17:56:01.8211268Z", + "eventType": "Microsoft.ContainerRegistry.ImageDeleted", + "eventTime": "2018-04-26T17:56:01.8211268Z", "data": { "id": "f06e3921-301f-42ec-b368-212f7d5354bd", "timestamp": "2018-04-26T17:56:00.996603117Z", "action": "delete",+ "location": "westus", "target": { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "digest": "sha256:213bbc182920ab41e18edc2001e06abcca6735d87782d9cef68abd83941cf0e5", The schema for an image deleted event is similar: "host": "demo.azurecr.io", "method": "DELETE", "useragent": "python-requests/2.18.4"- } + }, + "connectedRegistry": { + "name": "edge1" + } },- "specversion": "1.0" + "dataVersion": "2.0", + "metadataVersion": "1" }] ``` The schema for a chart pushed event is similar to the schema for an imaged pushe ```json [{ "id": "ea3a9c28-5b17-40f6-a500-3f02b6829277",- "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "topic": 
"/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "mychart:1.0.0",- "type": "Microsoft.ContainerRegistry.ChartPushed", - "time": "2019-03-12T22:16:31.5164086Z", + "eventType": "Microsoft.ContainerRegistry.ChartPushed", + "eventTime": "2019-03-12T22:16:31.5164086Z", "data": { "id":"ea3a9c28-5b17-40f6-a500-3f02b682927", "timestamp":"2019-03-12T22:16:31.0087496+00:00", "action":"chart_push",+ "location": "westus", "target":{ "mediaType":"application/vnd.acr.helm.chart", "size":25265, The schema for a chart pushed event is similar to the schema for an imaged pushe "tag":"mychart-1.0.0.tgz", "name":"mychart", "version":"1.0.0"- } + }, + "connectedRegistry": { + "name": "edge1" + } },- "specversion": "1.0" + "dataVersion": "2.0", + "metadataVersion": "1" }] ``` The schema for a chart deleted event is similar to the schema for an imaged dele ```json [{ "id": "39136b3a-1a7e-416f-a09e-5c85d5402fca",- "source": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>", "subject": "mychart:1.0.0",- "type": "Microsoft.ContainerRegistry.ChartDeleted", - "time": "019-03-12T22:42:08.7034064Z", + "eventType": "Microsoft.ContainerRegistry.ChartDeleted", + "eventTime": "019-03-12T22:42:08.7034064Z", "data": { "id":"ea3a9c28-5b17-40f6-a500-3f02b682927", "timestamp":"2019-03-12T22:42:08.3783775+00:00", "action":"chart_delete",+ "location": "westus", "target":{ "mediaType":"application/vnd.acr.helm.chart", "size":25265, The schema for a chart deleted event is similar to the schema for an imaged dele "tag":"mychart-1.0.0.tgz", "name":"mychart", "version":"1.0.0"- } + }, + "connectedRegistry": { + "name": "edge1" + } },- "specversion": "1.0" + "dataVersion": "2.0", + "metadataVersion": "1" }] 
``` The schema for a chart deleted event is similar to the schema for an imaged dele ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. |-| `location` | string | The location of the event. | -| `connectedRegistry` | object | The connected registry information if the event is generated by a connected registry. | | `data` | object | Blob storage event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. 
This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. |+| `location` | string | The location of the event. | +| `connectedRegistry` | object | The connected registry information if the event is generated by a connected registry. | | `data` | object | Blob storage event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | The data object has the following properties: | Property | Type | Description | | -- | - | -- | | `id` | string | The event ID. |-| `timestamp` | string | The time at which the event occurred. | +| `timestamp` | string | The time when the event occurred. | | `action` | string | The action that encompasses the provided event. | | `target` | object | The target of the event. | | `request` | object | The request that generated the event. | |
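Review bot: this hunk makes the `data` payload differ between the two schema tabs: it deletes `"location": "westus"` and the `"connectedRegistry": { "name": "edge1" }` block from all four CloudEvents examples and adds them only to the Event Grid examples, and moves the `location` and `connectedRegistry` rows of the property table the same way. Switching the envelope from Event Grid schema to CloudEvents changes `topic`/`eventType`/`eventTime` to `source`/`type`/`time`, not the contents of `data`, so unless CloudEvents delivery really omits those fields they should stay in both tabs. Also visible in the hunk: the table lists `location` and `connectedRegistry` under "top-level data" between `id` and `data`, but every example places them inside `data` (after `"action"` and after `"request"`); the `ChartDeleted` example carries `"time": "019-03-12T22:42:08.7034064Z"` (missing the leading `2`) into both tabs; and the `data` row still reads "Blob storage event data" on a Container Registry page.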
event-grid | Event Schema Data Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-data-box.md | This article provides the properties and schema for Azure Data Box events. For ### Example events -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.DataBox.CopyStarted event ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "eventType": "Microsoft.DataBox.CopyStarted", + "type": "Microsoft.DataBox.CopyStarted", + "time": "2022-10-16T02:51:26.4248221Z", "id": "049ec3f6-5b7d-4052-858e-6f4ce6a46570", "data": { "serialNumber": "SampleSerialNumber", "stageName": "CopyStarted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2022-10-16T02:51:26.4248221Z" + "specVersion": "1.0" }] ``` ### Microsoft.DataBox.CopyCompleted event ```json-[{ - "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", +{ + "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "eventType": "Microsoft.DataBox.CopyCompleted", + "type": "Microsoft.DataBox.CopyCompleted", + "time": "2022-10-16T02:51:26.4248221Z", "id": "759c892a-a628-4e48-a116-2e1d54c555ce", "data": { "serialNumber": "SampleSerialNumber", "stageName": "CopyCompleted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2022-10-16T02:58:18.503829Z" -}] + "specVersion": "1.0" +} ``` ### Microsoft.DataBox.OrderCompleted event ```json-{ - "topic": 
"/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", +[{ + "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "eventType": "Microsoft.DataBox.OrderCompleted", + "type": "Microsoft.DataBox.OrderCompleted", + "time": "2022-10-16T02:51:26.4248221Z", "id": "5eb07c79-39a8-439c-bb4b-bde1f6267c37", "data": { "serialNumber": "SampleSerialNumber", "stageName": "OrderCompleted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2022-10-16T02:51:26.4248221Z" -} + "specVersion": "1.0" +}] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.DataBox.CopyStarted event ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "type": "Microsoft.DataBox.CopyStarted", - "time": "2022-10-16T02:51:26.4248221Z", + "eventType": "Microsoft.DataBox.CopyStarted", "id": "049ec3f6-5b7d-4052-858e-6f4ce6a46570", "data": { "serialNumber": "SampleSerialNumber", "stageName": "CopyStarted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "specVersion": "1.0" + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2022-10-16T02:51:26.4248221Z" }] ``` ### Microsoft.DataBox.CopyCompleted event ```json-{ - "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", +[{ + "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "type": "Microsoft.DataBox.CopyCompleted", - "time": "2022-10-16T02:51:26.4248221Z", + 
"eventType": "Microsoft.DataBox.CopyCompleted", "id": "759c892a-a628-4e48-a116-2e1d54c555ce", "data": { "serialNumber": "SampleSerialNumber", "stageName": "CopyCompleted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "specVersion": "1.0" -} + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2022-10-16T02:58:18.503829Z" +}] ``` ### Microsoft.DataBox.OrderCompleted event ```json-[{ - "source": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", +{ + "topic": "/subscriptions/{subscription-id}/resourceGroups/{your-rg}/providers/Microsoft.DataBox/jobs/{your-resource}", "subject": "/jobs/{your-resource}",- "type": "Microsoft.DataBox.OrderCompleted", - "time": "2022-10-16T02:51:26.4248221Z", + "eventType": "Microsoft.DataBox.OrderCompleted", "id": "5eb07c79-39a8-439c-bb4b-bde1f6267c37", "data": { "serialNumber": "SampleSerialNumber", "stageName": "OrderCompleted", "stageTime": "2022-10-12T19:38:08.0218897Z" },- "specVersion": "1.0" -}] + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2022-10-16T02:51:26.4248221Z" +} ```+ |
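Review bot: the CloudEvents tab written by this hunk uses `+ "specVersion": "1.0"` in all three Data Box examples; the CloudEvents attribute is `specversion` (all lowercase), which is what the Blob Storage and Container Registry pages in this same batch use, so a consumer keying on the attribute name would not find it. Two more things in the hunk: the CopyCompleted example in the CloudEvents tab gets `"time": "2022-10-16T02:51:26.4248221Z"`, the CopyStarted value, while the `eventTime` it replaces was `2022-10-16T02:58:18.503829Z`; and the examples still alternate between a bare `{ ... }` and an array `[{ ... }]`, with the hunk only shuffling which one is bare (CopyCompleted loses its brackets in the CloudEvents tab and gains them in the Event Grid tab, OrderCompleted the reverse). Use one shape, the array that the other event-schema pages use, for all six examples.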
event-grid | Event Schema Data Manager For Agriculture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-data-manager-for-agriculture.md | This article provides the properties and schema for Azure Data Manager for Agric ## Example events -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**: The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**: "createdDateTime": "2022-10-17T18:43:30Z" }, "id": "23fad010-ec87-40d9-881b-1f2d3ba9600b",- "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}", + "source": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}", "subject": "/parties/<YOUR-PARTY-ID>",- "eventType": "Microsoft.AgFoodPlatform.PartyChanged", - "dataVersion": "1.0", - "metadataVersion": "1", - "eventTime": "2022-10-17T18:43:37.3306735Z" + "type": "Microsoft.AgFoodPlatform.PartyChanged", + "specversion":"1.0", + "time": "2022-10-17T18:43:37.3306735Z" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**: The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**: "createdDateTime": "2022-10-17T18:43:30Z" }, "id": "23fad010-ec87-40d9-881b-1f2d3ba9600b",- "source": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}", + "topic": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.AgFoodPlatform/farmBeats/{YOUR-RESOURCE-NAME}", "subject": "/parties/<YOUR-PARTY-ID>",- "type": 
"Microsoft.AgFoodPlatform.PartyChanged", - "specversion":"1.0", - "time": "2022-10-17T18:43:37.3306735Z" + "eventType": "Microsoft.AgFoodPlatform.PartyChanged", + "dataVersion": "1.0", + "metadataVersion": "1", + "eventTime": "2022-10-17T18:43:37.3306735Z" } ] ``` The following example show schema for **Microsoft.AgFoodPlatform.PartyChanged**: ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | |:--:|:-:|:-:|-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | App Configuration event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) ++# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | |:--:|:-:|:-:|-| `source` | string | Full resource path to the event source. This field isn't writeable. 
Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | App Configuration event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | |
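Review bot: both property tables in this hunk keep the row `| `data` | object | App Configuration event data. |`, a leftover from the App Configuration page; on this page it should describe Data Manager for Agriculture event data. While the tables are being rewritten, the alignment row `|:--:|:-:|:-:|` centers the description column, whereas the other event-schema pages in this batch use `| -- | - | -- |`, and the lead-in repeated above each example, "The following example show schema for ...", is missing an "s" ("shows the schema for").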
event-grid | Event Schema Event Grid Namespace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-event-grid-namespace.md | Azure Event Grid namespace (Preview) emits the following event types: ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) -This sample event shows the schema of an event raised when an MQTT clientΓÇÖs session is connected to Event Grid: +# [Cloud event schema](#tab/cloud-event-schema) ++This sample event shows the schema of an event raised when an MQTT client's session is connected to an Event Grid: ```json [{+ "specversion": "1.0", "id": "5249c38a-a048-46dd-8f60-df34fcdab06c",- "eventTime": "2023-07-29T01:23:49.6454046Z", - "eventType": "Microsoft.EventGrid.MQTTClientSessionConnected", - "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "time": "2023-07-29T01:23:49.6454046Z", + "type": "Microsoft.EventGrid.MQTTClientSessionConnected", + "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1/sessions/session1",- "dataVersion": "1", - "metadataVersion": "1", "data": { "namespaceName": "myns", "clientAuthenticationName": "client1", This sample event shows the schema of an event raised when an MQTT clientΓÇÖs se ```json [{+ "specversion": "1.0", "id": "e30e5174-787d-4e19-8812-580148bfcf7b",- "eventTime": "2023-07-29T01:27:40.2446871Z", - "eventType": "Microsoft.EventGrid.MQTTClientSessionDisconnected", - "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "time": "2023-07-29T01:27:40.2446871Z", + "type": "Microsoft.EventGrid.MQTTClientSessionDisconnected", + "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": 
"clients/client1/sessions/session1",- "dataVersion": "1", - "metadataVersion": "1", "data": { "namespaceName": "myns", "clientAuthenticationName": "client1", This sample event shows the schema of an event raised when an MQTT client is cre ```json [{+ "specversion": "1.0", "id": "383d1562-c95f-4095-936c-688e72c6b2bb",- "eventTime": "2023-07-29T01:14:35.8928724Z", - "eventType": "Microsoft.EventGrid.MQTTClientCreatedOrUpdated", - "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "time": "2023-07-29T01:14:35.8928724Z", + "type": "Microsoft.EventGrid.MQTTClientCreatedOrUpdated", + "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1",- "dataVersion": "1", - "metadataVersion": "1", "data": { "createdOn": "2023-07-29T01:14:34.2048108Z", "updatedOn": "2023-07-29T01:14:34.2048108Z", This sample event shows the schema of an event raised when an MQTT client is del ```json [{+ "specversion": "1.0", "id": "2a93aaf9-66c2-4f8e-9ba3-8d899c10bf17",- "eventTime": "2023-07-29T01:30:52.5620566Z", - "eventType": "Microsoft.EventGrid.MQTTClientDeleted", - "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "time": "2023-07-29T01:30:52.5620566Z", + "type": "Microsoft.EventGrid.MQTTClientDeleted", + "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1",- "dataVersion": "1", - "metadataVersion": "1", "data": {+ "namespaceName": "myns", "clientName": "client1",- "clientAuthenticationName": "client1", - "namespaceName": "myns" + "clientAuthenticationName": "client1" } }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) -This sample event shows the schema of an 
event raised when an MQTT client's session is connected to an Event Grid: +This sample event shows the schema of an event raised when an MQTT clientΓÇÖs session is connected to Event Grid: ```json [{- "specversion": "1.0", "id": "5249c38a-a048-46dd-8f60-df34fcdab06c",- "time": "2023-07-29T01:23:49.6454046Z", - "type": "Microsoft.EventGrid.MQTTClientSessionConnected", - "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "eventTime": "2023-07-29T01:23:49.6454046Z", + "eventType": "Microsoft.EventGrid.MQTTClientSessionConnected", + "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1/sessions/session1",+ "dataVersion": "1", + "metadataVersion": "1", "data": { "namespaceName": "myns", "clientAuthenticationName": "client1", This sample event shows the schema of an event raised when an MQTT clientΓÇÖs se ```json [{- "specversion": "1.0", "id": "e30e5174-787d-4e19-8812-580148bfcf7b",- "time": "2023-07-29T01:27:40.2446871Z", - "type": "Microsoft.EventGrid.MQTTClientSessionDisconnected", - "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "eventTime": "2023-07-29T01:27:40.2446871Z", + "eventType": "Microsoft.EventGrid.MQTTClientSessionDisconnected", + "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1/sessions/session1",+ "dataVersion": "1", + "metadataVersion": "1", "data": { "namespaceName": "myns", "clientAuthenticationName": "client1", This sample event shows the schema of an event raised when an MQTT client is cre ```json [{- "specversion": "1.0", "id": "383d1562-c95f-4095-936c-688e72c6b2bb",- "time": "2023-07-29T01:14:35.8928724Z", - "type": "Microsoft.EventGrid.MQTTClientCreatedOrUpdated", - 
"source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "eventTime": "2023-07-29T01:14:35.8928724Z", + "eventType": "Microsoft.EventGrid.MQTTClientCreatedOrUpdated", + "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1",+ "dataVersion": "1", + "metadataVersion": "1", "data": { "createdOn": "2023-07-29T01:14:34.2048108Z", "updatedOn": "2023-07-29T01:14:34.2048108Z", This sample event shows the schema of an event raised when an MQTT client is del ```json [{- "specversion": "1.0", "id": "2a93aaf9-66c2-4f8e-9ba3-8d899c10bf17",- "time": "2023-07-29T01:30:52.5620566Z", - "type": "Microsoft.EventGrid.MQTTClientDeleted", - "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", + "eventTime": "2023-07-29T01:30:52.5620566Z", + "eventType": "Microsoft.EventGrid.MQTTClientDeleted", + "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns", "subject": "clients/client1",+ "dataVersion": "1", + "metadataVersion": "1", "data": {- "namespaceName": "myns", "clientName": "client1",- "clientAuthenticationName": "client1" + "clientAuthenticationName": "client1", + "namespaceName": "myns" } }] ```++ ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) All events contain the same top-level data: + | Property | Type | Description | | -- | - | -- | | `id` | string | Unique identifier for the event. |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. 
| | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `data` | object | Event Grid namespace event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) All events contain the same top-level data: - | Property | Type | Description | | -- | - | -- | | `id` | string | Unique identifier for the event. |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `data` | object | Event Grid namespace event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. 
| +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | |
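Review bot: the line that introduces the Event Grid event schema tab brings back the curly apostrophe that the Cloud event tab in the same hunk replaces: `+This sample event shows the schema of an event raised when an MQTT clientΓÇÖs session is connected to Event Grid:` is U+2019 rendered through a non-UTF-8 console (hence `ΓÇÖ`), while the new Cloud event lead-in uses `client's`. Use the ASCII apostrophe in both tabs so the page does not depend on the editor's code page. Second, the MQTTClientDeleted sample orders the `data` keys differently in the two tabs (`namespaceName` first in the Cloud event tab, last in the Event Grid tab); key order means nothing to a JSON consumer, but it turns a pure tab swap into extra churn, so keep one order. Finally, for anyone authorizing on these events: the tables mark `source`/`topic` as the field the publisher cannot write ("This field isn't writeable. Event Grid provides this value."), whereas `clientAuthenticationName` and `clientName` live inside publisher-supplied `data`; a handler that acts on the client identity should pin `source` to the expected namespace resource ID as well, and the properties section would be clearer if it said so.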
event-grid | Event Schema Event Hubs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-event-hubs.md | Event Hubs emits the **Microsoft.EventHub.CaptureFileCreated** event type when a ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) This sample event shows the schema of an event hubs event raised when the capture feature stores a file: ```json [ {- "topic": "/subscriptions/<guid>/resourcegroups/rgDataMigrationSample/providers/Microsoft.EventHub/namespaces/tfdatamigratens", + "source": "/subscriptions/<guid>/resourcegroups/rgDataMigrationSample/providers/Microsoft.EventHub/namespaces/tfdatamigratens", "subject": "eventhubs/hubdatamigration",- "eventType": "Microsoft.EventHub.CaptureFileCreated", - "eventTime": "2017-08-31T19:12:46.0498024Z", + "type": "Microsoft.EventHub.CaptureFileCreated", + "time": "2017-08-31T19:12:46.0498024Z", "id": "14e87d03-6fbf-4bb2-9a21-92bd1281f247", "data": { "fileUrl": "https://tf0831datamigrate.blob.core.windows.net/windturbinecapture/tfdatamigratens/hubdatamigration/1/2017/08/31/19/11/45.avro", This sample event shows the schema of an event hubs event raised when the captur "firstEnqueueTime": "2017-08-31T19:12:14.674Z", "lastEnqueueTime": "2017-08-31T19:12:44.309Z" },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) This sample event shows the schema of an event hubs event raised when the capture feature stores a file: ```json [ {- "source": "/subscriptions/<guid>/resourcegroups/rgDataMigrationSample/providers/Microsoft.EventHub/namespaces/tfdatamigratens", + "topic": "/subscriptions/<guid>/resourcegroups/rgDataMigrationSample/providers/Microsoft.EventHub/namespaces/tfdatamigratens", "subject": "eventhubs/hubdatamigration",- "type": "Microsoft.EventHub.CaptureFileCreated", - "time": 
"2017-08-31T19:12:46.0498024Z", + "eventType": "Microsoft.EventHub.CaptureFileCreated", + "eventTime": "2017-08-31T19:12:46.0498024Z", "id": "14e87d03-6fbf-4bb2-9a21-92bd1281f247", "data": { "fileUrl": "https://tf0831datamigrate.blob.core.windows.net/windturbinecapture/tfdatamigratens/hubdatamigration/1/2017/08/31/19/11/45.avro", This sample event shows the schema of an event hubs event raised when the captur "firstEnqueueTime": "2017-08-31T19:12:14.674Z", "lastEnqueueTime": "2017-08-31T19:12:44.309Z" },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" } ] ``` - ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Event hub event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. 
| +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Event hub event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
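Review bot: the Event Grid event schema sample still ships `+ "dataVersion": "",` while the properties table a few lines below describes `dataVersion` as "The schema version of the data object. The publisher defines the schema version." An empty string is not a version, so either the sample should carry the value Event Hubs actually emits for CaptureFileCreated or the table should state that this publisher emits an empty `dataVersion`; a subscriber that validates the field against the table as written will reject real events. Documentation point for `data`: the sample's `"fileUrl": "https://tf0831datamigrate.blob.core.windows.net/windturbinecapture/tfdatamigratens/hubdatamigration/1/2017/08/31/19/11/45.avro"` is a bare blob URL with no SAS token or other credential in the query string, so the event does not grant read access to the capture file and the subscriber needs its own storage authorization; worth saying next to the `data` row so nobody treats the event as a capability. Minor: the reorder drops the blank line before `## Event properties` (the lone `- ` removal) and adds one after the Cloud event tab heading; keep a blank line on both sides of the heading so the tab block renders.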
event-grid | Event Schema Health Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-health-resources.md | Currently, these events are exclusively emitted at the Azure subscription scope. ## Event schemas -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) Here's the schema: ```json { "id": string,- "topic": string, + "source": string, "subject": string,+ "type": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged | Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", + "time ": string, "data": { "resourceInfo": { "id": string, Here's the schema: }, "apiVersion": string }, - "eventType": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged | Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", - "dataVersion": string, - "metadataVersion": string, - "eventTime": string + "specversion": string } ``` An event has the following top-level data: | Property | Type | Description | | -- | - | -- | | `id` | String | Unique identifier of the event |-| `topic` | String | The Azure subscription for which this system topic is being created | +| `source` | String | The Azure subscription for which this system topic is being created. | | `subject` | String | Publisher defined path to the base resource on which this event is emitted. |+| `type` | String | Registered event type of this system topic type | +| `time` | String <br/> Format: `2022-11-07T18:43:09.2894075Z` | The time the event is generated based on the provider's UTC time | | `data` | Object | Contains event data specific to the resource provider. For more information, see the next table. 
|-| `eventType` | String | Registered event type of this system topic type | -| `dataVersion` | String | The schema version of the data object | -| `metadataVersion` | String | The schema version of the event metadata | -| `eventTime` | String <br/> Format: `2022-11-07T18:43:09.2894075Z` | The time the event is generated based on the provider's UTC time | --+| `specversion` | String | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) Here's the schema: ```json { "id": string,- "source": string, + "topic": string, "subject": string,- "type": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged | Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", - "time ": string, "data": { "resourceInfo": { "id": string, Here's the schema: }, "apiVersion": string }, - "specversion": string + "eventType": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged | Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", + "dataVersion": string, + "metadataVersion": string, + "eventTime": string } ``` An event has the following top-level data: | Property | Type | Description | | -- | - | -- | | `id` | String | Unique identifier of the event |-| `source` | String | The Azure subscription for which this system topic is being created. | +| `topic` | String | The Azure subscription for which this system topic is being created | | `subject` | String | Publisher defined path to the base resource on which this event is emitted. |-| `type` | String | Registered event type of this system topic type | -| `time` | String <br/> Format: `2022-11-07T18:43:09.2894075Z` | The time the event is generated based on the provider's UTC time | | `data` | Object | Contains event data specific to the resource provider. For more information, see the next table. |-| `specversion` | String | CloudEvents schema specification version. 
| +| `eventType` | String | Registered event type of this system topic type | +| `dataVersion` | String | The schema version of the data object | +| `metadataVersion` | String | The schema version of the event metadata | +| `eventTime` | String <br/> Format: `2022-11-07T18:43:09.2894075Z` | The time the event is generated based on the provider's UTC time | + The `data` object has the following properties: | Property | Type | Description | | -- | - | -- | | `resourceInfo` | Object | Data specific to the resource. For more information, see the next table. |-| `apiVersion` | String | Api version of the resource properties. | +| `apiVersion` | String | API version of the resource properties. | | `operationalInfo` | Object | Details of operational information pertaining to the resource. | The `resourceInfo` object has the following properties: For the `ResourceAnnotated` event, the `properties` object has the following pro ### AvailabilityStatusChanged event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ++The following example shows the schema of a key-value modified event: ```json { "id": "1fb6fa94-d965-4306-abeq-4810f0774e97",- "topic": "/subscriptions/{subscription-id}", + "source": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name}", "data": { "resourceInfo": { For the `ResourceAnnotated` event, the `properties` object has the following pro }, "apiVersion": "2023-12-01" },- "eventType": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2023-07-24T19:20:37.9245071Z" + "type": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged", + "specversion": "1.0", + "time": "2023-07-24T19:20:37.9245071Z" } ``` -# [Cloud event schema](#tab/cloud-event-schema) --The following example shows the schema 
of a key-value modified event: +# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "1fb6fa94-d965-4306-abeq-4810f0774e97",- "source": "/subscriptions/{subscription-id}", + "topic": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name}", "data": { "resourceInfo": { The following example shows the schema of a key-value modified event: }, "apiVersion": "2023-12-01" },- "type": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged", - "specversion": "1.0", - "time": "2023-07-24T19:20:37.9245071Z" + "eventType": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusChanged", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2023-07-24T19:20:37.9245071Z" } ``` The following example shows the schema of a key-value modified event: ### ResourceAnnotated event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) ++The following example shows the schema of a key-value modified event: ```json { "id": "8945cf9b-e220-496e-ab4f-f3a239318995",- "topic": "/subscriptions/{subscription-id}", + "source": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name}", "data": { "resourceInfo": { The following example shows the schema of a key-value modified event: }, "apiVersion": "2022-08-01" },- "eventType": "Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2023-07-24T19:20:37.9245071Z" + "type": "Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", + "specversion": "1.0", + "time": "2023-07-24T19:20:37.9245071Z" } ``` -# [Cloud event schema](#tab/cloud-event-schema) --The following example shows the schema of a key-value modified event: +# [Event Grid event 
schema](#tab/event-grid-event-schema) ```json { "id": "8945cf9b-e220-496e-ab4f-f3a239318995",- "source": "/subscriptions/{subscription-id}", + "topic": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name}", "data": { "resourceInfo": { The following example shows the schema of a key-value modified event: }, "apiVersion": "2022-08-01" },- "type": "Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", - "specversion": "1.0", - "time": "2023-07-24T19:20:37.9245071Z" + "eventType": "Microsoft.ResourceNotifications.HealthResources.ResourceAnnotated", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2023-07-24T19:20:37.9245071Z" } ``` |
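Review bot: the Cloud event schema block carries a key with a trailing space, `+ "time ": string,`, copied verbatim from the `-` line it replaces; the CloudEvents attribute is `time`, the properties table in the same hunk already says `time`, and a consumer that deserializes against this schema will look up a key that never arrives. Fix it to `"time": string,`. Second, the lead-in added above both Cloud event samples, `+The following example shows the schema of a key-value modified event:`, describes an App Configuration event, not a Resource Health one; for AvailabilityStatusChanged say it is an availability status change on a virtual machine (which is what the `subject` `.../Microsoft.Compute/virtualMachines/{vm-name}` shows) and for ResourceAnnotated say it is a resource annotation. Third, the sample `"id": "1fb6fa94-d965-4306-abeq-4810f0774e97"` is not a valid GUID (`q` in the fourth group); readers paste these ids into validators, so use a hex-only value or drop the GUID shape.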
event-grid | Event Schema Iot Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-iot-hub.md | Azure IoT Hub emits the following event types: ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The schemas for DeviceConnected and DeviceDisconnected events have the same structure. This sample event shows the schema of an event raised when a device is connected to an IoT hub: ```json [{ "id": "f6bbf8f4-d365-520d-a878-17bf7238abd8", - "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice", - "eventType": "Microsoft.Devices.DeviceConnected", - "eventTime": "2018-06-02T19:17:44.4383997Z", + "type": "Microsoft.Devices.DeviceConnected", + "time": "2018-06-02T19:17:44.4383997Z", "data": { "deviceConnectionStateEventInfo": { "sequenceNumber": The schemas for DeviceConnected and DeviceDisconnected events have the same stru "deviceId": "LogicAppTestDevice", "moduleId" : "DeviceModuleID" }, - "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The DeviceTelemetry event is raised when a telemetry event is sent to an IoT Hub ```json [{ "id": "9af86784-8d40-fe2g-8b2a-bab65e106785",- "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice", - "eventType": "Microsoft.Devices.DeviceTelemetry", - "eventTime": "2019-01-07T20:58:30.48Z", + "type": "Microsoft.Devices.DeviceTelemetry", + "time": "2019-01-07T20:58:30.48Z", "data": { "body": { "Weather": { The 
DeviceTelemetry event is raised when a telemetry event is sent to an IoT Hub "iothub-message-source": "Telemetry" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` The schemas for DeviceCreated and DeviceDeleted events have the same structure. ```json [{ "id": "56afc886-767b-d359-d59e-0da7877166b2",- "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice",- "eventType": "Microsoft.Devices.DeviceCreated", - "eventTime": "2018-01-02T19:17:44.4383997Z", + "type": "Microsoft.Devices.DeviceCreated", + "time": "2018-01-02T19:17:44.4383997Z", "data": { "twin": { "deviceId": "LogicAppTestDevice", The schemas for DeviceCreated and DeviceDeleted events have the same structure. "hubName": "egtesthub1", "deviceId": "LogicAppTestDevice" },- "dataVersion": "1", - "metadataVersion": "1" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The schemas for DeviceConnected and DeviceDisconnected events have the same structure. 
This sample event shows the schema of an event raised when a device is connected to an IoT hub: ```json [{ "id": "f6bbf8f4-d365-520d-a878-17bf7238abd8", - "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice", - "type": "Microsoft.Devices.DeviceConnected", - "time": "2018-06-02T19:17:44.4383997Z", + "eventType": "Microsoft.Devices.DeviceConnected", + "eventTime": "2018-06-02T19:17:44.4383997Z", "data": { "deviceConnectionStateEventInfo": { "sequenceNumber": The schemas for DeviceConnected and DeviceDisconnected events have the same stru "deviceId": "LogicAppTestDevice", "moduleId" : "DeviceModuleID" }, - "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` The DeviceTelemetry event is raised when a telemetry event is sent to an IoT Hub ```json [{ "id": "9af86784-8d40-fe2g-8b2a-bab65e106785",- "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice", - "type": "Microsoft.Devices.DeviceTelemetry", - "time": "2019-01-07T20:58:30.48Z", + "eventType": "Microsoft.Devices.DeviceTelemetry", + "eventTime": "2019-01-07T20:58:30.48Z", "data": { "body": { "Weather": { The DeviceTelemetry event is raised when a telemetry event is sent to an IoT Hub "iothub-message-source": "Telemetry" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` The schemas for DeviceCreated and DeviceDeleted events have the same structure. 
```json [{ "id": "56afc886-767b-d359-d59e-0da7877166b2",- "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", + "topic": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>", "subject": "devices/LogicAppTestDevice",- "type": "Microsoft.Devices.DeviceCreated", - "time": "2018-01-02T19:17:44.4383997Z", + "eventType": "Microsoft.Devices.DeviceCreated", + "eventTime": "2018-01-02T19:17:44.4383997Z", "data": { "twin": { "deviceId": "LogicAppTestDevice", The schemas for DeviceCreated and DeviceDeleted events have the same structure. "hubName": "egtesthub1", "deviceId": "LogicAppTestDevice" },- "specversion": "1.0" + "dataVersion": "1", + "metadataVersion": "1" }] ``` The schemas for DeviceCreated and DeviceDeleted events have the same structure. ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) All events contain the same top-level data: + | Property | Type | Description | | -- | - | -- | | `id` | string | Unique identifier for the event. |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `data` | object | IoT Hub event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. 
| -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) All events contain the same top-level data: - | Property | Type | Description | | -- | - | -- | | `id` | string | Unique identifier for the event. |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `data` | object | IoT Hub event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
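Review bot: every IoT Hub sample in this hunk upper-cases the resource path, `+ "source": "/SUBSCRIPTIONS/<subscription ID>/RESOURCEGROUPS/<resource group name>/PROVIDERS/MICROSOFT.DEVICES/IOTHUBS/<hub name>"`, while the Key Vault and Event Grid namespace pages in this same change show mixed-case paths for the same field, and both tables describe it only as "Full resource path to the event source." Either state that the casing of `source`/`topic` is not stable across publishers and must be compared case-insensitively, or normalize the samples; a subscriber that pins `source` to an allow-listed hub with a case-sensitive string compare will drop every IoT Hub event and accept nothing, which looks like an outage rather than a filter bug. Second, the DeviceTelemetry sample keeps `+ "dataVersion": "",` beside a table row saying the publisher defines the schema version; document the empty value or supply the real one. Third, the sample ids are inconsistent as GUIDs: `f6bbf8f4-d365-520d-a878-17bf7238abd8` is valid hex, `9af86784-8d40-fe2g-8b2a-bab65e106785` is not (`g`).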
event-grid | Event Schema Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-key-vault.md | An Azure Key Vault account generates the following event types: ## Event examples -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreated**: The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreat [ { "id":"00eccf70-95a7-4e7c-8299-2eb17ee9ad64",- "topic":"/subscriptions/{subscription-id}/resourceGroups/sample-rg/providers/Microsoft.KeyVault/vaults/sample-kv", + "source":"/subscriptions/{subscription-id}/resourceGroups/sample-rg/providers/Microsoft.KeyVault/vaults/sample-kv", "subject":"newsecret",- "eventType":"Microsoft.KeyVault.SecretNewVersionCreated", - "eventTime":"2019-07-25T01:08:33.1036736Z", + "type":"Microsoft.KeyVault.SecretNewVersionCreated", + "time":"2019-07-25T01:08:33.1036736Z", "data":{ "Id":"https://sample-kv.vault.azure.net/secrets/newsecret/ee059b2bb5bc48398a53b168c6cdcb10", "VaultName":"sample-kv", The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreat "NBF":"1559081980", "EXP":"1559082102" },- "dataVersion":"1", - "metadataVersion":"1" + "specversion":"1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreated**: The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreat [ { "id":"00eccf70-95a7-4e7c-8299-2eb17ee9ad64",- "source":"/subscriptions/{subscription-id}/resourceGroups/sample-rg/providers/Microsoft.KeyVault/vaults/sample-kv", + "topic":"/subscriptions/{subscription-id}/resourceGroups/sample-rg/providers/Microsoft.KeyVault/vaults/sample-kv", "subject":"newsecret",- "type":"Microsoft.KeyVault.SecretNewVersionCreated", - 
"time":"2019-07-25T01:08:33.1036736Z", + "eventType":"Microsoft.KeyVault.SecretNewVersionCreated", + "eventTime":"2019-07-25T01:08:33.1036736Z", "data":{ "Id":"https://sample-kv.vault.azure.net/secrets/newsecret/ee059b2bb5bc48398a53b168c6cdcb10", "VaultName":"sample-kv", The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreat "NBF":"1559081980", "EXP":"1559082102" },- "specversion":"1.0" + "dataVersion":"1", + "metadataVersion":"1" } ] ``` The following example show schema for **Microsoft.KeyVault.SecretNewVersionCreat ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) + An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | App Configuration event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | ---# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. 
| +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | App Configuration event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
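Review bot: in the Event properties tables of both tabs, the `data` row still reads "App Configuration event data." (carried over from the App Configuration schema article); for this article it should describe the Key Vault payload, e.g. `| `data` | object | Key Vault event data. |`. The lead-in above each JSON sample, "The following example show schema for ...", should also read "The following example shows the schema for ..." in both tabs.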
event-grid | Event Schema Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-machine-learning.md | Azure Machine Learning emits the following event types: When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each event. -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.MachineLearningServices.ModelRegistered event ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "models/sklearn_regression_model:20",- "eventType": "Microsoft.MachineLearningServices.ModelRegistered", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.MachineLearningServices.ModelRegistered", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "ModelName": "sklearn_regression_model", When an event is triggered, the Event Grid service sends data about that event t "type": "test" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "endpoints/my-sklearn-service",- "eventType": "Microsoft.MachineLearningServices.ModelDeployed", - "eventTime": "2017-06-26T18:41:00.9584103Z", + 
"type": "Microsoft.MachineLearningServices.ModelDeployed", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "ServiceName": "my-sklearn-service", When an event is triggered, the Event Grid service sends data about that event t "type": "test" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "experiments/0fa9dfaa-cba3-4fa7-b590-23e48548f5c1/runs/AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5",- "eventType": "Microsoft.MachineLearningServices.RunCompleted", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.MachineLearningServices.RunCompleted", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "experimentId": "0fa9dfaa-cba3-4fa7-b590-23e48548f5c1", When an event is triggered, the Event Grid service sends data about that event t "model_data_location": "aml://artifact/ExperimentRun/dcid.AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5/outputs/model.pkl" } },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "datadrifts/{}/runs/{}",- "eventType": 
"Microsoft.MachineLearningServices.DatasetDriftDetected", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.MachineLearningServices.DatasetDriftDetected", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "DataDriftId": "01d29aa4-e6a4-470a-9ef3-66660d21f8ef", When an event is triggered, the Event Grid service sends data about that event t "StartTime": "2019-07-04T00:00:00+00:00", "EndTime": "2019-07-05T00:00:00+00:00" },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "experiments/0fa9dfaa-cba3-4fa7-b590-23e48548f5c1/runs/AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5",- "eventType": "Microsoft.MachineLearningServices.RunStatusChanged", - "eventTime": "2017-06-26T18:41:00.9584103Z", + "type": "Microsoft.MachineLearningServices.RunStatusChanged", + "time": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "experimentId": "0fa9dfaa-cba3-4fa7-b590-23e48548f5c1", When an event is triggered, the Event Grid service sends data about that event t }, "runStatus": "failed" },- "dataVersion": "", - "metadataVersion": "1" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.MachineLearningServices.ModelRegistered event ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "topic": 
"/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "models/sklearn_regression_model:20",- "type": "Microsoft.MachineLearningServices.ModelRegistered", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.MachineLearningServices.ModelRegistered", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "ModelName": "sklearn_regression_model", When an event is triggered, the Event Grid service sends data about that event t "type": "test" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "endpoints/my-sklearn-service",- "type": "Microsoft.MachineLearningServices.ModelDeployed", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.MachineLearningServices.ModelDeployed", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "ServiceName": "my-sklearn-service", When an event is triggered, the Event Grid service sends data about that event t "type": "test" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "topic": 
"/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "experiments/0fa9dfaa-cba3-4fa7-b590-23e48548f5c1/runs/AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5",- "type": "Microsoft.MachineLearningServices.RunCompleted", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.MachineLearningServices.RunCompleted", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "experimentId": "0fa9dfaa-cba3-4fa7-b590-23e48548f5c1", When an event is triggered, the Event Grid service sends data about that event t "model_data_location": "aml://artifact/ExperimentRun/dcid.AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5/outputs/model.pkl" } },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "datadrifts/{}/runs/{}",- "type": "Microsoft.MachineLearningServices.DatasetDriftDetected", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.MachineLearningServices.DatasetDriftDetected", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "DataDriftId": "01d29aa4-e6a4-470a-9ef3-66660d21f8ef", When an event is triggered, the Event Grid service sends data about that event t "StartTime": "2019-07-04T00:00:00+00:00", "EndTime": "2019-07-05T00:00:00+00:00" },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` When an event is triggered, the Event Grid service sends data about that event t ```json [{- "source": 
"/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearningServices/workspaces/{workspace-name}", "subject": "experiments/0fa9dfaa-cba3-4fa7-b590-23e48548f5c1/runs/AutoML_ad912b2d-6467-4f32-a616-dbe4af6dd8fc_5",- "type": "Microsoft.MachineLearningServices.RunStatusChanged", - "time": "2017-06-26T18:41:00.9584103Z", + "eventType": "Microsoft.MachineLearningServices.RunStatusChanged", + "eventTime": "2017-06-26T18:41:00.9584103Z", "id": "831e1650-001e-001b-66ab-eeb76e069631", "data": { "experimentId": "0fa9dfaa-cba3-4fa7-b590-23e48548f5c1", When an event is triggered, the Event Grid service sends data about that event t }, "runStatus": "failed" },- "specversion": "1.0" + "dataVersion": "", + "metadataVersion": "1" }] ``` When an event is triggered, the Event Grid service sends data about that event t ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. 
|-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Blob storage event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
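Review bot: the `data` row in both Event properties tables describes the payload as "Blob storage event data." (copied from the Blob Storage schema article); it should describe the Azure Machine Learning event payload, e.g. `| `data` | object | Azure Machine Learning event data. |`, since the swapped tab order otherwise leaves these descriptions as the only reader-visible text in the tables.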
event-grid | Event Schema Maintenance Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-maintenance-configuration.md | Microsoft.Maintenance.PostMaintenanceEvent | Raised after maintenance job comple ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) -Following is an example of a schema for the Pre-Maintenance event: --```json -[{ - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000", - "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration", - "subject": "contosomaintenanceconfiguration", -"data": -{ - "correlationId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000", - "maintenanceConfigurationId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration", - "startDateTime": "2023-05-09T15:00:00Z", - "endDateTime": "2023-05-09T18:55:00Z", - "cancellationCutOffDateTime": "2023-05-09T14:59:00Z", - "resourceSubscriptionIds": ["subscription guid 1", "subscription guid 2"] -} -"eventType": "Microsoft.Maintenance.PreMaintenanceEvent", -"eventTime": "2023-05-09T14:25:00.3717473Z", - "dataVersion": "1.0", - "metadataVersion": "1" -}] -``` # [Cloud event schema](#tab/cloud-event-schema) Following is an example for a schema of a pre-maintenance event: "specversion": "1.0" }] ```- # [Event Grid event schema](#tab/event-grid-event-schema)-Following is an example of a schema for a post-maintenance event: +Following is an 
example of a schema for the Pre-Maintenance event: ```json [{ Following is an example of a schema for a post-maintenance event: { "correlationId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000", "maintenanceConfigurationId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration", - "status": "Succeeded", "startDateTime": "2023-05-09T15:00:00Z", "endDateTime": "2023-05-09T18:55:00Z", + "cancellationCutOffDateTime": "2023-05-09T14:59:00Z", "resourceSubscriptionIds": ["subscription guid 1", "subscription guid 2"] } -"eventType": "Microsoft.Maintenance.PostMaintenanceEvent", -"eventTime": "2023-05-09T15:55:00.3717473Z", +"eventType": "Microsoft.Maintenance.PreMaintenanceEvent", +"eventTime": "2023-05-09T14:25:00.3717473Z", "dataVersion": "1.0", "metadataVersion": "1" -}] +}] ``` +++ # [Cloud event schema](#tab/cloud-event-schema) Following is an example for a post maintenance event: Following is an example for a post maintenance event: }] ``` ---## Event properties - # [Event Grid event schema](#tab/event-grid-event-schema)+Following is an example of a schema for a post-maintenance event: -An event has the following top-level data: +```json +[{ + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000", + "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration", + "subject": "contosomaintenanceconfiguration", +"data": +{ + "correlationId": 
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000", + "maintenanceConfigurationId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration", + "status": "Succeeded", + "startDateTime": "2023-05-09T15:00:00Z", + "endDateTime": "2023-05-09T18:55:00Z", + "resourceSubscriptionIds": ["subscription guid 1", "subscription guid 2"] +} +"eventType": "Microsoft.Maintenance.PostMaintenanceEvent", +"eventTime": "2023-05-09T15:55:00.3717473Z", + "dataVersion": "1.0", + "metadataVersion": "1" +}] +``` -**Property** | **Type** | **Description** | - | | | -topic | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | -subject | string | Publisher-defined path to the event subject. | -eventType | string | One of the registered event types for this event source. | -eventTime | string | The time the event is generated based on the provider's UTC time. | -ID | string | Unique identifier for the event | -data | object | App Configuration event data. | -dataVersion | string | The schema version of the data object. The publisher defines the schema version. | -metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +++## Event properties # [Cloud event schema](#tab/cloud-event-schema) ID | string | Unique identifier for the event. | data | object | App Configuration event data. | specversion | string | CloudEvents schema specification version. 
+# [Event Grid event schema](#tab/event-grid-event-schema) ++An event has the following top-level data: ++**Property** | **Type** | **Description** | + | | | +topic | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +subject | string | Publisher-defined path to the event subject. | +eventType | string | One of the registered event types for this event source. | +eventTime | string | The time the event is generated based on the provider's UTC time. | +ID | string | Unique identifier for the event | +data | object | App Configuration event data. | +dataVersion | string | The schema version of the data object. The publisher defines the schema version. | +metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + The data object has the following properties: |
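Review bot: both Event Grid schema samples (the re-added pre-maintenance block and the new post-maintenance block) are invalid JSON as written: the `data` object's closing `}` is followed directly by `"eventType": ...` with no separating comma, and the `"data":`, `"eventType":` and `"eventTime":` lines aren't indented like their sibling properties. Please change the closing brace to `},` and align the indentation, since readers paste these samples into handlers and parsers to test them. In the Event properties table, `ID` should be `id` to match the property name in the JSON, and the `data` row still says "App Configuration event data." rather than describing the maintenance event payload.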
event-grid | Event Schema Media Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-media-services.md | See [Schema examples](#event-schema-examples) that follow. ### JobStateChange -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **JobStateChange** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "eventType": "Microsoft.Media.JobStateChange", - "eventTime": "2018-04-20T21:26:13.8978772", + "type": "Microsoft.Media.JobStateChange", + "time": "2018-04-20T21:26:13.8978772", "id": "b9d38923-9210-4c2b-958f-0054467d4dd7", "data": { "previousState": "Processing", "state": "Finished" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **JobStateChange** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "type": "Microsoft.Media.JobStateChange", - "time": "2018-04-20T21:26:13.8978772", + "eventType": "Microsoft.Media.JobStateChange", + "eventTime": "2018-04-20T21:26:13.8978772", "id": "b9d38923-9210-4c2b-958f-0054467d4dd7", "data": { "previousState": "Processing", "state": "Finished" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` + The data 
object has the following properties: Where the Job state can be one of the values: *Queued*, *Scheduled*, *Processing ### JobScheduled, JobProcessing, JobCanceling -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) For each non-final Job state change (such as JobScheduled, JobProcessing, JobCanceling), the example schema looks similar to the following: ```json [{- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "eventType": "Microsoft.Media.JobProcessing", - "eventTime": "2018-10-12T16:12:18.0839935", + "type": "Microsoft.Media.JobProcessing", + "time": "2018-10-12T16:12:18.0839935", "id": "a0a6efc8-f647-4fc2-be73-861fa25ba2db", "data": { "previousState": "Scheduled", For each non-final Job state change (such as JobScheduled, JobProcessing, JobCan "testKey2": "testValue2" } },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" }] ``` For each final Job state change (such as JobFinished, JobCanceled, JobErrored), ```json [{- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "eventType": "Microsoft.Media.JobFinished", - "eventTime": "2018-10-12T16:25:56.4115495", + "type": "Microsoft.Media.JobFinished", + "time": "2018-10-12T16:25:56.4115495", "id": "9e07e83a-dd6e-466b-a62f-27521b216f2a", "data": { "outputs": [ For each final Job state change (such as JobFinished, JobCanceled, JobErrored), "testKey2": "testValue2" } },- "dataVersion": "1.0", - "metadataVersion": "1" 
+ "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) For each non-final Job state change (such as JobScheduled, JobProcessing, JobCanceling), the example schema looks similar to the following: ```json [{- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "type": "Microsoft.Media.JobProcessing", - "time": "2018-10-12T16:12:18.0839935", + "eventType": "Microsoft.Media.JobProcessing", + "eventTime": "2018-10-12T16:12:18.0839935", "id": "a0a6efc8-f647-4fc2-be73-861fa25ba2db", "data": { "previousState": "Scheduled", For each non-final Job state change (such as JobScheduled, JobProcessing, JobCan "testKey2": "testValue2" } },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" }] ``` For each final Job state change (such as JobFinished, JobCanceled, JobErrored), ```json [{- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "transforms/VideoAnalyzerTransform/jobs/<job-id>",- "type": "Microsoft.Media.JobFinished", - "time": "2018-10-12T16:25:56.4115495", + "eventType": "Microsoft.Media.JobFinished", + "eventTime": "2018-10-12T16:25:56.4115495", "id": "9e07e83a-dd6e-466b-a62f-27521b216f2a", "data": { "outputs": [ For each final Job state change (such as JobFinished, JobCanceled, JobErrored), "testKey2": "testValue2" } },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" }] ``` + You can find the error result codes in [live Event error codes](/azure/media-ser ### 
LiveEventEncoderConnected -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventEncoderConnected** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "eventType": "Microsoft.Media.LiveEventEncoderConnected", - "eventTime": "2018-08-07T23:08:09.1710643", + "type": "Microsoft.Media.LiveEventEncoderConnected", + "time": "2018-08-07T23:08:09.1710643", "id": "<id>", "data": { "ingestUrl": "http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml", The following example shows the schema of the **LiveEventEncoderConnected** even "encoderIp": "131.107.147.xxx", "encoderPort": "27485" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventEncoderConnected** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "type": "Microsoft.Media.LiveEventEncoderConnected", - "time": "2018-08-07T23:08:09.1710643", + "eventType": "Microsoft.Media.LiveEventEncoderConnected", + "eventTime": "2018-08-07T23:08:09.1710643", "id": "<id>", "data": { "ingestUrl": "http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml", The following example shows the schema of the **LiveEventEncoderConnected** even "encoderIp": "131.107.147.xxx", "encoderPort": 
"27485" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` + The data object has the following properties: The data object has the following properties: ### LiveEventEncoderDisconnected -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventEncoderDisconnected** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "eventType": "Microsoft.Media.LiveEventEncoderDisconnected", - "eventTime": "2018-08-07T23:08:09.1710872", + "type": "Microsoft.Media.LiveEventEncoderDisconnected", + "time": "2018-08-07T23:08:09.1710872", "id": "<id>", "data": { "ingestUrl": "http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml", The following example shows the schema of the **LiveEventEncoderDisconnected** e "encoderPort": "27485", "resultCode": "S_OK" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventEncoderDisconnected** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "type": "Microsoft.Media.LiveEventEncoderDisconnected", - "time": "2018-08-07T23:08:09.1710872", + "eventType": "Microsoft.Media.LiveEventEncoderDisconnected", + "eventTime": "2018-08-07T23:08:09.1710872", "id": "<id>", "data": { "ingestUrl": 
"http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml", The following example shows the schema of the **LiveEventEncoderDisconnected** e "encoderPort": "27485", "resultCode": "S_OK" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` The graceful disconnect result codes are: ### LiveEventIncomingDataChunkDropped -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventIncomingDataChunkDropped** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", "subject": "/LiveEvents/MyLiveEvent1",- "eventType": "Microsoft.Media.LiveEventIncomingDataChunkDropped", - "eventTime": "2018-01-16T01:57:26.005121Z", + "type": "Microsoft.Media.LiveEventIncomingDataChunkDropped", + "time": "2018-01-16T01:57:26.005121Z", "id": "03da9c10-fde7-48e1-80d8-49936f2c3e7d", "data": { "trackType": "Video", The following example shows the schema of the **LiveEventIncomingDataChunkDroppe "timescale": 10000000, "resultCode": "FragmentDrop_OverlapTimestamp" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventIncomingDataChunkDropped** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", "subject": "/LiveEvents/MyLiveEvent1",- "type": "Microsoft.Media.LiveEventIncomingDataChunkDropped", - "time": 
"2018-01-16T01:57:26.005121Z", + "eventType": "Microsoft.Media.LiveEventIncomingDataChunkDropped", + "eventTime": "2018-01-16T01:57:26.005121Z", "id": "03da9c10-fde7-48e1-80d8-49936f2c3e7d", "data": { "trackType": "Video", The following example shows the schema of the **LiveEventIncomingDataChunkDroppe "timescale": 10000000, "resultCode": "FragmentDrop_OverlapTimestamp" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` + The data object has the following properties: The data object has the following properties: ### LiveEventIncomingStreamReceived -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventIncomingStreamReceived** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "eventType": "Microsoft.Media.LiveEventIncomingStreamReceived", - "eventTime": "2018-08-07T23:08:10.5069288Z", + "type": "Microsoft.Media.LiveEventIncomingStreamReceived", + "time": "2018-08-07T23:08:10.5069288Z", "id": "7f939a08-320c-47e7-8250-43dcfc04ab4d", "data": { "ingestUrl": "http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml/Streams(15864-stream0)15864-stream0", The following example shows the schema of the **LiveEventIncomingStreamReceived* "duration": "20000000", "timescale": "10000000" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventIncomingStreamReceived** event: ```json [ {- "source": 
"/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "type": "Microsoft.Media.LiveEventIncomingStreamReceived", - "time": "2018-08-07T23:08:10.5069288Z", + "eventType": "Microsoft.Media.LiveEventIncomingStreamReceived", + "eventTime": "2018-08-07T23:08:10.5069288Z", "id": "7f939a08-320c-47e7-8250-43dcfc04ab4d", "data": { "ingestUrl": "http://mle1-amsts03mediaacctgndos-ts031.channel.media.azure-test.net:80/ingest.isml/Streams(15864-stream0)15864-stream0", The following example shows the schema of the **LiveEventIncomingStreamReceived* "duration": "20000000", "timescale": "10000000" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` The data object has the following properties: ### LiveEventIncomingStreamsOutOfSync -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventIncomingStreamsOutOfSync** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "eventType": "Microsoft.Media.LiveEventIncomingStreamsOutOfSync", - "eventTime": "2018-08-10T02:26:20.6269183Z", + "type": "Microsoft.Media.LiveEventIncomingStreamsOutOfSync", + "time": "2018-08-10T02:26:20.6269183Z", "id": "b9d38923-9210-4c2b-958f-0054467d4dd7", "data": { "minLastTimestamp": "319996", The following example shows the schema of the **LiveEventIncomingStreamsOutOfSyn "timescaleOfMinLastTimestamp": "10000000", "timescaleOfMaxLastTimestamp": "10000000" },- "dataVersion": "1.0", - "metadataVersion": "1" + 
"specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventIncomingStreamsOutOfSync** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "type": "Microsoft.Media.LiveEventIncomingStreamsOutOfSync", - "time": "2018-08-10T02:26:20.6269183Z", + "eventType": "Microsoft.Media.LiveEventIncomingStreamsOutOfSync", + "eventTime": "2018-08-10T02:26:20.6269183Z", "id": "b9d38923-9210-4c2b-958f-0054467d4dd7", "data": { "minLastTimestamp": "319996", The following example shows the schema of the **LiveEventIncomingStreamsOutOfSyn "timescaleOfMinLastTimestamp": "10000000", "timescaleOfMaxLastTimestamp": "10000000" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` The data object has the following properties: ### LiveEventIncomingVideoStreamsOutOfSync -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventIncomingVideoStreamsOutOfSync** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", "subject": "/LiveEvents/LiveEvent1",- "eventType": "Microsoft.Media.LiveEventIncomingVideoStreamsOutOfSync", - "eventTime": "2018-01-16T01:57:26.005121Z", + "type": "Microsoft.Media.LiveEventIncomingVideoStreamsOutOfSync", + "time": "2018-01-16T01:57:26.005121Z", "id": "6dd4d862-d442-40a0-b9f3-fc14bcf6d750", "data": { "firstTimestamp": "2162058216", The 
following example shows the schema of the **LiveEventIncomingVideoStreamsOut "secondDuration": "2000", "timescale": "10000000" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventIncomingVideoStreamsOutOfSync** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaServices/<account-name>", "subject": "/LiveEvents/LiveEvent1",- "type": "Microsoft.Media.LiveEventIncomingVideoStreamsOutOfSync", - "time": "2018-01-16T01:57:26.005121Z", + "eventType": "Microsoft.Media.LiveEventIncomingVideoStreamsOutOfSync", + "eventTime": "2018-01-16T01:57:26.005121Z", "id": "6dd4d862-d442-40a0-b9f3-fc14bcf6d750", "data": { "firstTimestamp": "2162058216", The following example shows the schema of the **LiveEventIncomingVideoStreamsOut "secondDuration": "2000", "timescale": "10000000" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` + The data object has the following properties: The data object has the following properties: ### LiveEventIngestHeartbeat ++# [Cloud event schema](#tab/cloud-event-schema) +++The following example shows the schema of the **LiveEventIngestHeartbeat** event: ++```json +[ + { + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "subject": "liveEvent/mle1", + "type": "Microsoft.Media.LiveEventIngestHeartbeat", + "time": "2018-08-07T23:17:57.4610506", + "id": "7f450938-491f-41e1-b06f-c6cd3965d786", + "data": { + "trackType": "audio", + "trackName": "audio", + "bitrate": 160000, + "incomingBitrate": 155903, + "lastTimestamp": "15336837535253637", + "timescale": "10000000", + 
"overlapCount": 0, + "discontinuityCount": 0, + "nonincreasingCount": 0, + "unexpectedBitrate": false, + "state": "Running", + "healthy": true + }, + "specversion": "1.0" + } +] +``` + # [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventIngestHeartbeat** event: The following example shows the schema of the **LiveEventIngestHeartbeat** event ] ``` -# [Cloud event schema](#tab/cloud-event-schema) ---The following example shows the schema of the **LiveEventIngestHeartbeat** event: --```json -[ - { - "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", - "subject": "liveEvent/mle1", - "type": "Microsoft.Media.LiveEventIngestHeartbeat", - "time": "2018-08-07T23:17:57.4610506", - "id": "7f450938-491f-41e1-b06f-c6cd3965d786", - "data": { - "trackType": "audio", - "trackName": "audio", - "bitrate": 160000, - "incomingBitrate": 155903, - "lastTimestamp": "15336837535253637", - "timescale": "10000000", - "overlapCount": 0, - "discontinuityCount": 0, - "nonincreasingCount": 0, - "unexpectedBitrate": false, - "state": "Running", - "healthy": true - }, - "specversion": "1.0" - } -] -``` The data object has the following properties: ### LiveEventTrackDiscontinuityDetected -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) The following example shows the schema of the **LiveEventTrackDiscontinuityDetected** event: ```json [ {- "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "eventType": "Microsoft.Media.LiveEventTrackDiscontinuityDetected", - "eventTime": "2018-08-07T23:18:06.1270405Z", + "type": "Microsoft.Media.LiveEventTrackDiscontinuityDetected", + 
"time": "2018-08-07T23:18:06.1270405Z", "id": "5f4c510d-5be7-4bef-baf0-64b828be9c9b", "data": { "trackName": "video", The following example shows the schema of the **LiveEventTrackDiscontinuityDetec "discontinuityGap": "575284", "timescale": "10000000" },- "dataVersion": "1.0", - "metadataVersion": "1" + "specversion": "1.0" } ] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema of the **LiveEventTrackDiscontinuityDetected** event: ```json [ {- "source": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", + "topic": "/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Media/mediaservices/<account-name>", "subject": "liveEvent/mle1",- "type": "Microsoft.Media.LiveEventTrackDiscontinuityDetected", - "time": "2018-08-07T23:18:06.1270405Z", + "eventType": "Microsoft.Media.LiveEventTrackDiscontinuityDetected", + "eventTime": "2018-08-07T23:18:06.1270405Z", "id": "5f4c510d-5be7-4bef-baf0-64b828be9c9b", "data": { "trackName": "video", The following example shows the schema of the **LiveEventTrackDiscontinuityDetec "discontinuityGap": "575284", "timescale": "10000000" },- "specversion": "1.0" + "dataVersion": "1.0", + "metadataVersion": "1" } ] ``` + The data object has the following properties: The data object has the following properties: ### Common event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | The Event Grid topic. This property has the resource ID for the Media Services account. | +| `source` | string | The Event Grid topic. This property has the resource ID for the Media Services account. 
| | `subject` | string | The resource path for the Media Services channel under the Media Services account. Concatenating the topic and subject give you the resource ID for the job. |-| `eventType` | string | One of the registered event types for this event source. For example, "Microsoft.Media.JobStateChange". | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. For example, "Microsoft.Media.JobStateChange". | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Media Services event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | The Event Grid topic. This property has the resource ID for the Media Services account. | +| `topic` | string | The Event Grid topic. This property has the resource ID for the Media Services account. | | `subject` | string | The resource path for the Media Services channel under the Media Services account. Concatenating the topic and subject give you the resource ID for the job. |-| `type` | string | One of the registered event types for this event source. For example, "Microsoft.Media.JobStateChange". | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. 
For example, "Microsoft.Media.JobStateChange". | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Media Services event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | |
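Review bot: In the Cloud event schema tab of the Common event properties table, the `source` row still describes the field as "The Event Grid topic" and the `subject` row still says "Concatenating the topic and subject give you the resource ID for the job", even though the swap renames the key to `source`; reword both for CloudEvents (for example "The source of the event, which has the resource ID for the Media Services account" and "Concatenating the source and subject gives you the resource ID"), and fix "give" to "gives" in the Event Grid tab as well.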
event-grid | Event Schema Resource Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-resource-groups.md | Resource groups emit management events from Azure Resource Manager, such as when ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + The following example shows the schema for a **ResourceWriteSuccess** event. The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "eventType": "Microsoft.Resources.ResourceWriteSuccess", - "eventTime": "2018-07-19T18:38:04.6117357Z", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", + "type": "Microsoft.Resources.ResourceWriteSuccess", + "time": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { The following example shows the schema for a **ResourceWriteSuccess** event. The "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" ++ "specversion": "1.0" }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. 
Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "eventType": "Microsoft.Resources.ResourceDeleteSuccess", - "eventTime": "2018-07-19T19:24:12.763881Z", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", + "type": "Microsoft.Resources.ResourceDeleteSuccess", + "time": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { The following example shows the schema for a **ResourceDeleteSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" + "specversion": "1.0" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",- "eventType": "Microsoft.Resources.ResourceActionSuccess", - "eventTime": "2018-10-08T22:46:22.6022559Z", + "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", + "type": "Microsoft.Resources.ResourceActionSuccess", + "time": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { The following example shows the schema for a **ResourceActionSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) -+# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema for a **ResourceWriteSuccess** event. 
The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", - "type": "Microsoft.Resources.ResourceWriteSuccess", - "time": "2018-07-19T18:38:04.6117357Z", + "eventType": "Microsoft.Resources.ResourceWriteSuccess", + "eventTime": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { The following example shows the schema for a **ResourceWriteSuccess** event. The "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },-- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", - "type": "Microsoft.Resources.ResourceDeleteSuccess", - "time": "2018-07-19T19:24:12.763881Z", + "eventType": "Microsoft.Resources.ResourceDeleteSuccess", + "eventTime": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { The following example shows the schema for a **ResourceDeleteSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. 
Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",- "source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}", - "type": "Microsoft.Resources.ResourceActionSuccess", - "time": "2018-10-08T22:46:22.6022559Z", + "eventType": "Microsoft.Resources.ResourceActionSuccess", + "eventTime": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { The following example shows the schema for a **ResourceActionSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}" }] ``` + ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) + An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Resource group event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. 
Event Grid defines the schema of the top-level properties. Event Grid provides this value. | --# [Cloud event schema](#tab/cloud-event-schema) +| `specversion` | string | CloudEvents schema specification version. | +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Resource group event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
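Review bot: The introductory sentence that now sits under the Cloud event schema tab ("The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`") refers to a property that does not exist in the CloudEvents examples below it, which use `type`; change that sentence in the Cloud event tab to say `type`, and leave the copy under the Event Grid event schema tab, where `eventType` is correct, unchanged.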
event-grid | Event Schema Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-resources.md | This section provides schemas for the `CreatedOrUpdated` and `Deleted` events. ### Event schema for CreatedOrUpdated event -# [Event Grid event schema](#tab/event-grid-event-schema) +++# [Cloud event schema](#tab/cloud-event-schema) Here's the schema: ```json { "id": "string",- "topic": "string", + "source": "string", "subject": "string", "data": { "resourceInfo": { Here's the schema: "location": "string", "tags": "string", "properties": {- "_comment": "<< object-unique-to-each-publisher >>" + "_comment": "object-unique-to-each-publisher" } }, "apiVersion": "string", Here's the schema: "resourceEventTime": "datetime" } },- "eventType": "string", - "dataVersion": "string", - "metadataVersion": "string", - "eventTime": "string" + "type": "string", + "specversion": "string", + "time": "string" } ``` ---# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) Here's the schema: ```json { "id": "string",- "source": "string", + "topic": "string", "subject": "string", "data": { "resourceInfo": { Here's the schema: "location": "string", "tags": "string", "properties": {- "_comment": "object-unique-to-each-publisher" + "_comment": "<< object-unique-to-each-publisher >>" } }, "apiVersion": "string", Here's the schema: "resourceEventTime": "datetime" } },- "type": "string", - "specversion": "string", - "time": "string" + "eventType": "string", + "dataVersion": "string", + "metadataVersion": "string", + "eventTime": "string" } ``` ++ ### Event schema for Deleted event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) Here's the schema: ```json { "id": "string",- "topic": "string", + "source": "string", "subject": "string", "data": { "resourceInfo": { Here's the schema: "resourceEventTime": "datetime" } },- "eventType": "string", - 
"dataVersion": "string", - "metadataVersion": "string", - "eventTime": "string" + "type": "string", + "specversion": "string", + "time": "string" } ``` ---# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) Here's the schema: ```json { "id": "string",- "source": "string", + "topic": "string", "subject": "string", "data": { "resourceInfo": { Here's the schema: "resourceEventTime": "datetime" } },- "type": "string", - "specversion": "string", - "time": "string" + "eventType": "string", + "dataVersion": "string", + "metadataVersion": "string", + "eventTime": "string" } ``` The `operationalInfo` object has the following properties: ### CreatedOrUpdated event This section shows the `CreatedOrUpdated` event generated when an Azure Storage account is created in the Azure subscription on which the system topic is created. -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) + ```json { "id": "4eef929a-a65c-47dd-93e2-46b8c17c6c17",- "topic": "/subscriptions/{subscription-id}", + "source": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storageAccount-name}", "data": { "resourceInfo": { This section shows the `CreatedOrUpdated` event generated when an Azure Storage "resourceEventTime": "2023-07-28T20:13:10.8418063Z" } },- "eventType": "Microsoft.ResourceNotifications.Resources.CreatedOrUpdated", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2023-07-28T20:13:10.8418063Z" + "type": "Microsoft.ResourceNotifications.Resources.CreatedOrUpdated", + "specversion": "1.0", + "time": "2023-07-28T20:13:10.8418063Z" } ``` -# [Cloud event schema](#tab/cloud-event-schema) -+# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "4eef929a-a65c-47dd-93e2-46b8c17c6c17",- "source": "/subscriptions/{subscription-id}", + "topic": 
"/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storageAccount-name}", "data": { "resourceInfo": { This section shows the `CreatedOrUpdated` event generated when an Azure Storage "resourceEventTime": "2023-07-28T20:13:10.8418063Z" } },- "type": "Microsoft.ResourceNotifications.Resources.CreatedOrUpdated", - "specversion": "1.0", - "time": "2023-07-28T20:13:10.8418063Z" + "eventType": "Microsoft.ResourceNotifications.Resources.CreatedOrUpdated", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2023-07-28T20:13:10.8418063Z" } ``` + ### Deleted event This section shows the `Deleted` event generated when an Azure Storage account is deleted in the Azure subscription on which the system topic is created. -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + ```json { "id": "d4611260-d179-4f86-b196-3a9d4128be2d",- "topic": "/subscriptions/{subscription-id}", + "source": "/subscriptions/{subscription-id}", "subject": "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storageAccount-name}", "data": { "resourceInfo": { This section shows the `Deleted` event generated when an Azure Storage account i "resourceEventTime": "2023-07-28T20:11:36.6347858Z" } },- "eventType": "Microsoft.ResourceNotifications.Resources.Deleted", - "dataVersion": "1", - "metadataVersion": "1", - "eventTime": "2023-07-28T20:11:36.6347858Z" + "type": "Microsoft.ResourceNotifications.Resources.Deleted", + "specversion": "1.0", + "time": "2023-07-28T20:11:36.6347858Z" } ``` -# [Cloud event schema](#tab/cloud-event-schema) -+# [Event Grid event schema](#tab/event-grid-event-schema) ```json { "id": "d4611260-d179-4f86-b196-3a9d4128be2d",- "source": "/subscriptions/{subscription-id}", + "topic": "/subscriptions/{subscription-id}", "subject": 
"/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storageAccount-name}", "data": { "resourceInfo": { This section shows the `Deleted` event generated when an Azure Storage account i "resourceEventTime": "2023-07-28T20:11:36.6347858Z" } },- "type": "Microsoft.ResourceNotifications.Resources.Deleted", - "specversion": "1.0", - "time": "2023-07-28T20:11:36.6347858Z" + "eventType": "Microsoft.ResourceNotifications.Resources.Deleted", + "dataVersion": "1", + "metadataVersion": "1", + "eventTime": "2023-07-28T20:11:36.6347858Z" } ``` + [!INCLUDE [contact-resource-notifications](./includes/contact-resource-notifications.md)] |
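Review bot: The CreatedOrUpdated schema hunks leave the placeholder for the publisher-specific object in two different styles: the Cloud event schema tab now shows `"_comment": "object-unique-to-each-publisher"` while the Event Grid event schema tab shows `"_comment": "<< object-unique-to-each-publisher >>"`; since only the tab order changed, pick one form and use it in both tabs.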
event-grid | Event Schema Storage Actions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-storage-actions.md | These events are triggered when a storage task is queued and when a storage task ### Example events -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) ### Microsoft.StorageActions.StorageTaskQueued event ```json [{- "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", - "subject":"DataManagement/StorageTasks", - "eventType":"Microsoft.StorageActions.StorageTaskQueued", - "id":"8eb4656c-5c4a-4541-91e0-685558acbb1d", - "data":{ + "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", + "subject": "DataManagement/StorageTasks", + "type": "Microsoft.StorageActions.StorageTaskQueued", + "time": "2023-08-07T21:35:23Z", + "id": "8eb4656c-5c4a-4541-91e0-685558acbb1d", + "data": { "queuedDateTime":"2023-08-07T21:35:23Z", "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z" },- "dataVersion":"1.0", - "metadataVersion":"1", - "eventTime":"2023-08-07T21:35:23Z" + "specversion": "1.0" }]- ``` ### Microsoft.StorageActions.StorageTaskCompleted event ```json [{- "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", - "subject":"DataManagement/StorageTasks", - "eventType":"Microsoft.StorageActions.StorageTaskCompleted", - "id":"dee33d3b-0b39-42f2-b2be-76f2fb94b852", - "data":{ + "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", + "subject": "DataManagement/StorageTasks", + "type": 
"Microsoft.StorageActions.StorageTaskCompleted", + "time": "2023-08-07T21:35:34Z", + "id": "dee33d3b-0b39-42f2-b2be-76f2fb94b852", + "data": { "status":"Succeeded", "completedDateTime":"2023-08-07T21:35:34Z", "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z", "taskName":"deleteallcentraleu", "summaryReportBlobUrl":"https://my-storage-account.blob.core.windows.net/result-container/deleteallcentraleu_testdelete_2023-08-07T21:35:23/SummaryReport.json" },- "dataVersion":"1.0", - "metadataVersion":"1", - "eventTime":"2023-08-07T21:35:34Z" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) ### Microsoft.StorageActions.StorageTaskQueued event ```json [{- "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", - "subject": "DataManagement/StorageTasks", - "type": "Microsoft.StorageActions.StorageTaskQueued", - "time": "2023-08-07T21:35:23Z", - "id": "8eb4656c-5c4a-4541-91e0-685558acbb1d", - "data": { + "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", + "subject":"DataManagement/StorageTasks", + "eventType":"Microsoft.StorageActions.StorageTaskQueued", + "id":"8eb4656c-5c4a-4541-91e0-685558acbb1d", + "data":{ "queuedDateTime":"2023-08-07T21:35:23Z", "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z" },- "specversion": "1.0" + "dataVersion":"1.0", + "metadataVersion":"1", + "eventTime":"2023-08-07T21:35:23Z" }]+ ``` ### Microsoft.StorageActions.StorageTaskCompleted event ```json [{- "source": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", - "subject": "DataManagement/StorageTasks", - "type": 
"Microsoft.StorageActions.StorageTaskCompleted", - "time": "2023-08-07T21:35:34Z", - "id": "dee33d3b-0b39-42f2-b2be-76f2fb94b852", - "data": { + "topic":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.StorageActions/storageAccounts/my-storage-account", + "subject":"DataManagement/StorageTasks", + "eventType":"Microsoft.StorageActions.StorageTaskCompleted", + "id":"dee33d3b-0b39-42f2-b2be-76f2fb94b852", + "data":{ "status":"Succeeded", "completedDateTime":"2023-08-07T21:35:34Z", "taskExecutionId":"testdelete-2023-08-07T21:35:16.9494934Z_2023-08-07T21:35:17.5432186Z", "taskName":"deleteallcentraleu", "summaryReportBlobUrl":"https://my-storage-account.blob.core.windows.net/result-container/deleteallcentraleu_testdelete_2023-08-07T21:35:23/SummaryReport.json" },- "specversion": "1.0" + "dataVersion":"1.0", + "metadataVersion":"1", + "eventTime":"2023-08-07T21:35:34Z" }] ``` These events are triggered when a storage task is queued and when a storage task ## Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventTime` | string | The time the event is generated based on the provider's UTC time. | -| `eventType` | string | One of the registered event types for this event source. | +| `type` | string | One of the registered event types for this event source. | | `id` | string | Unique identifier for the event. | | `data` | object | Storage task event data. |-| `dataVersion` | string | The schema version of the data object. 
The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | | `id` | string | Unique identifier for the event. | | `data` | object | Storage task event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | + |
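Review bot: the Cloud event schema property table at the end of this change removes the `eventTime` row but never adds a `time` row, even though both CloudEvents samples above carry `"time": "2023-08-07T21:35:23Z"` and `"time": "2023-08-07T21:35:34Z"`. Add `| `time` | string | The time the event is generated based on the provider's UTC time. |` after the `type` row, as the subscriptions article in this same batch does, so the table matches the sample payloads.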
event-grid | Event Schema Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-schema-subscriptions.md | Azure subscriptions emit management events from Azure Resource Manager, such as ## Example event -# [Event Grid event schema](#tab/event-grid-event-schema) +# [Cloud event schema](#tab/cloud-event-schema) + The following example shows the schema for a **ResourceWriteSuccess** event. The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "eventType": "Microsoft.Resources.ResourceWriteSuccess", - "eventTime": "2018-07-19T18:38:04.6117357Z", + "topic": "/subscriptions/{subscription-id}", + "type": "Microsoft.Resources.ResourceWriteSuccess", + "time": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { The following example shows the schema for a **ResourceWriteSuccess** event. The "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}" + "specversion": "`1.0" + }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "eventType": "Microsoft.Resources.ResourceDeleteSuccess", - "eventTime": "2018-07-19T19:24:12.763881Z", + "source": "/subscriptions/{subscription-id}", + "type": "Microsoft.Resources.ResourceDeleteSuccess", + "time": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { The following example shows the schema for a **ResourceDeleteSuccess** event. 
Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}" + "specversion": "1.0" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",- "eventType": "Microsoft.Resources.ResourceActionSuccess", - "eventTime": "2018-10-08T22:46:22.6022559Z", + "source": "/subscriptions/{subscription-id}", + "type": "Microsoft.Resources.ResourceActionSuccess", + "time": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { The following example shows the schema for a **ResourceActionSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "dataVersion": "2", - "metadataVersion": "1", - "topic": "/subscriptions/{subscription-id}" + "specversion": "1.0" }] ``` -# [Cloud event schema](#tab/cloud-event-schema) -+# [Event Grid event schema](#tab/event-grid-event-schema) The following example shows the schema for a **ResourceWriteSuccess** event. The same schema is used for **ResourceWriteFailure** and **ResourceWriteCancel** events with different values for `eventType`. ```json [{ "subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "topic": "/subscriptions/{subscription-id}", - "type": "Microsoft.Resources.ResourceWriteSuccess", - "time": "2018-07-19T18:38:04.6117357Z", + "eventType": "Microsoft.Resources.ResourceWriteSuccess", + "eventTime": "2018-07-19T18:38:04.6117357Z", "id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6", "data": { "authorization": { The following example shows the schema for a **ResourceWriteSuccess** event. 
The "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "specversion": "`1.0" -+ "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}" }] ``` The following example shows the schema for a **ResourceDeleteSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",- "source": "/subscriptions/{subscription-id}", - "type": "Microsoft.Resources.ResourceDeleteSuccess", - "time": "2018-07-19T19:24:12.763881Z", + "eventType": "Microsoft.Resources.ResourceDeleteSuccess", + "eventTime": "2018-07-19T19:24:12.763881Z", "id": "19a69642-1aad-4a96-a5ab-8d05494513ce", "data": { "authorization": { The following example shows the schema for a **ResourceDeleteSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. Th ```json [{ "subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",- "source": "/subscriptions/{subscription-id}", - "type": "Microsoft.Resources.ResourceActionSuccess", - "time": "2018-10-08T22:46:22.6022559Z", + "eventType": "Microsoft.Resources.ResourceActionSuccess", + "eventTime": "2018-10-08T22:46:22.6022559Z", "id": "{ID}", "data": { "authorization": { The following example shows the schema for a **ResourceActionSuccess** event. Th "subscriptionId": "{subscription-id}", "tenantId": "{tenant-id}" },- "specversion": "1.0" + "dataVersion": "2", + "metadataVersion": "1", + "topic": "/subscriptions/{subscription-id}" }] ``` The following example shows the schema for a **ResourceActionSuccess** event. 
Th ### Event properties -# [Event Grid event schema](#tab/event-grid-event-schema) ++# [Cloud event schema](#tab/cloud-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `eventType` | string | One of the registered event types for this event source. | -| `eventTime` | string | The time the event is generated based on the provider's UTC time. | +| `type` | string | One of the registered event types for this event source. | +| `time` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Subscription event data. |-| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | -| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | +| `specversion` | string | CloudEvents schema specification version. | -# [Cloud event schema](#tab/cloud-event-schema) +# [Event Grid event schema](#tab/event-grid-event-schema) An event has the following top-level data: | Property | Type | Description | | -- | - | -- |-| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | +| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. | | `subject` | string | Publisher-defined path to the event subject. |-| `type` | string | One of the registered event types for this event source. 
| -| `time` | string | The time the event is generated based on the provider's UTC time. | +| `eventType` | string | One of the registered event types for this event source. | +| `eventTime` | string | The time the event is generated based on the provider's UTC time. | | `id` | string | Unique identifier for the event. | | `data` | object | Subscription event data. |-| `specversion` | string | CloudEvents schema specification version. | +| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. | +| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. | |
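Review bot: the first CloudEvents sample (ResourceWriteSuccess) under the Cloud event schema tab adds `"topic": "/subscriptions/{subscription-id}"` where the two samples that follow it use `"source"`, and its version line reads `"specversion": "`1.0"` with a stray backtick that makes the JSON invalid; change the key to `"source"` and the value to `"1.0"`. The lead-in sentence for that tab also still says the same schema is used "with different values for `eventType`", but the CloudEvents payloads carry the event type in `type`, so that sentence should name `type` in the Cloud event tab.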
external-attack-surface-management | Deploying The Defender Easm Azure Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/deploying-the-defender-easm-azure-resource.md | Creating the Defender EASM Azure resource involves two steps: ## Prerequisites -Before you create a Defender EASM resource group, become familiar with how to access and use the [Azure portal](https://portal.azure.com/). Also read the [Defender EASM Overview article](index.md) for key context on the product. You need: +Before you create a Defender EASM resource group, become familiar with how to access and use the [Azure portal](https://portal.azure.com/). Also read the [Defender EASM Overview article](overview.md) for key context on the product. You need: - A valid Azure subscription or free Defender EASM trial account. If you donΓÇÖt have an [Azure subscription](../guides/developer/azure-developer-guide.md#understanding-accounts-subscriptions-and-billing), create a free Azure account before you begin. - A Contributor role assigned for you to create a resource. To get this role assigned to your account, follow the steps in the [Assign roles](../role-based-access-control/role-assignments-steps.md) documentation. Or you can contact your administrator. |
external-attack-surface-management | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/overview.md | + + Title: Overview +description: Microsoft Defender External Attack Surface Management (Defender EASM) continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. +++ Last updated : 02/27/2024++++# Defender EASM Overview ++*Microsoft Defender External Attack Surface Management (Defender EASM)* continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. Attack Surface Insights are generated by leveraging vulnerability and infrastructure data to showcase the key areas of concern for your organization. ++![Screenshot of Overview Dashboard](media/Overview-1.png) ++## Discovery and inventory ++Microsoft's proprietary discovery technology recursively searches for infrastructure with observed connections to known legitimate assets to make inferences about that infrastructure's relationship to the organization and uncover previously unknown and unmonitored properties. These known legitimate assets are called discovery 'seeds'; Defender EASM first discovers strong connections to these selected entities, recursing to unveil more connections and ultimately compile your Attack Surface. ++Defender EASM includes the discovery of the following kinds of assets: ++- Domains +- Hostnames +- Web Pages +- IP Blocks +- IP Addresses +- ASNs +- SSL Certificates +- WHOIS Contacts ++![Screenshot of Discovery View](media/Overview-2.png) ++Discovered assets are indexed and classified in your Defender EASM Inventory, providing a dynamic record of all web infrastructure under the organization's management. 
Assets are categorized as recent (currently active) or historic, and can include web applications, third party dependencies, and other asset connections. ++## Dashboards ++Defender EASM provides a series of dashboards that help users quickly understand their online infrastructure and any key risks to their organization. These dashboards are designed to provide insight on specific areas of risk, including vulnerabilities, compliance, and security hygiene. These insights help customers quickly address the components of their attack surface that pose the greatest risk to their organization. ++![Screenshot of Dashboard View](media/Overview-3.png) ++## Managing assets ++Customers can filter their inventory to surface the specific insights they care about most. Filtering offers a level of flexibility and customization that enables users to access a specific subset of assets. This allows you to leverage Defender EASM data according to your specific use case, whether searching for assets that connect to deprecating infrastructure or identifying new cloud resources. ++![Screenshot of Inventory View](media/Overview-4.png) ++## User permissions ++Users that are assigned either Owner or Contributor roles can create, delete, and edit Defender EASM resources and the inventory assets within it. These roles can utilize all capabilities offered in the platform. Users that are assigned the Reader role are able to view Defender EASM data, but are unable to create, delete or edit inventory assets or the resource itself. +++## Data residency, availability and privacy ++Microsoft Defender External Attack Surface Management contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customer’s choosing. ++For security purposes, Microsoft collects users' IP addresses when they log in. 
This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product. ++In the case of a region down scenario, only the customers in the affected region experience downtime. ++The Microsoft compliance framework requires that all customer data be deleted within 180 days of that organization no longer being a customer of Microsoft. This also includes storage of customer data in offline locations, such as database backups. Once a resource is deleted, it can't be restored by our teams. The customer data is retained in our data stores for 75 days, however the actual resource can't be restored.  After the 75 day period, customer data will be permanently deleted.   +++## Next Steps ++- [Deploying the EASM Azure resource](deploying-the-defender-easm-azure-resource.md) +- [Understanding inventory assets](understanding-inventory-assets.md) +- [What is discovery?](what-is-discovery.md) |
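Review bot: the retention paragraph in the new "Data residency, availability and privacy" section gives two figures without relating them, "deleted within 180 days" of the organization no longer being a customer and "retained in our data stores for 75 days" after a resource is deleted, and it states in two consecutive sentences that the resource can't be restored. Rewrite so the 180-day figure is tied to offboarding and the 75-day figure to resource deletion, and drop the duplicate sentence. Minor wording in the same section: "third party dependencies" should be hyphenated, "deprecating infrastructure" appears to mean "deprecated infrastructure", and "Users that are assigned" reads better as "Users who are assigned".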
external-attack-surface-management | Understanding Billable Assets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/understanding-billable-assets.md | Prospective customers accessing Defender EASM with a 30-day trial can also see t ## Next steps -- [Microsoft Defender External Attack Surface Management (Defender EASM) overview](index.md) +- [Microsoft Defender External Attack Surface Management (Defender EASM) overview](overview.md) |
frontdoor | How To Configure Https Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md | You can also choose to use your own TLS certificate. Your TLS certificate must m #### Prepare your key vault and certificate -If you already have a certificate, you can upload it to your key vault. Otherwise, create a new certificate directly through Azure Key Vault from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with. +We recommend you create a separate Azure Key Vault to store your Azure Front Door TLS certificates. For more information, see [create an Azure Key Vault](../../key-vault/general/quick-create-portal.md). If you already a certificate, you can upload it to your new Azure Key Vault. Otherwise, you can create a new certificate through Azure Key Vault from one of the certificate authorities (CAs) partners. > [!WARNING]-> Azure Front Door currently only supports Key Vault accounts in the same subscription as the Front Door configuration. Choosing a Key Vault under a different subscription than your Front Door will result in a failure. +> Azure Front Door currently only supports Azure Key Vault in the same subscription. Selecting an Azure Key Vault under a different subscription will result in a failure. > [!NOTE]-> * Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates, and the root certification authority (CA) must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). +> * Azure Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. 
Also, your certificate must have a complete certificate chain with leaf and intermediate certificates, and also the root certification authority (CA) must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). > * We recommend using [**managed identity**](../managed-identity.md) to allow access to your Azure Key Vault certificates because App registration will be retired in the future. #### Register Azure Front Door Register the service principal for Azure Front Door as an app in your Microsoft ``` -#### Grant Azure Front Door access to your key vault +#### Grant Azure Front Door access to your Key Vault -Grant Azure Front Door permission to access the certificates in your Azure Key Vault account. +Grant Azure Front Door permission to access the certificates in your Azure Key Vault account. You only need to give **GET** permission to the certificate and secret in order for Azure Front Door to retrieve the certificate. 1. In your key vault account, select **Access policies**. |
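Review bot: the rewritten "Prepare your key vault and certificate" paragraph has a dropped verb ("If you already a certificate" should read "If you already have a certificate") and an awkward ending ("from one of the certificate authorities (CAs) partners"; the previous wording "from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with" was clearer). The rewritten warning also loses what the subscription must match; keep "in the same subscription as the Front Door configuration" so the reader knows which subscription is meant. In the note, "and also the root" doubles "also". The added sentence that only **GET** permission on the certificate and secret is needed is a useful least-privilege statement and should stay.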
governance | Assign Policy Azurecli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/assign-policy-azurecli.md | Title: "Quickstart: Create policy assignment using Azure CLI" description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using Azure CLI. Previously updated : 02/23/2024 Last updated : 02/26/2024 Run the following command to create the policy assignment: ```azurecli az policy assignment create \ --name 'audit-vm-managed-disks' \- --display-name 'Audit VMs without managed disks Assignment' \ + --display-name 'Audit VM managed disks' \ --scope $rgid \ --policy $definition \ --description 'Azure CLI policy assignment to resource group' The results of the policy assignment resemble the following example: ```output "description": "Azure CLI policy assignment to resource group",-"displayName": "Audit VMs without managed disks Assignment", +"displayName": "Audit VM managed disks", "enforcementMode": "Default", "id": "/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks", "identity": null, |
governance | Assign Policy Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/assign-policy-bicep.md | Title: "Quickstart: Create policy assignment using Bicep file" description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using a Bicep file. Previously updated : 02/23/2024 Last updated : 02/26/2024 Create the following Bicep file as _policy-assignment.bicep_. ```bicep param policyAssignmentName string = 'audit-vm-managed-disks' param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'+param policyDisplayName string = 'Audit VM managed disks' resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { name: policyAssignmentName resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { properties: { policyDefinitionId: policyDefinitionID description: 'Policy assignment to resource group scope created with Bicep file'- displayName: 'audit-vm-managed-disks' + displayName: policyDisplayName nonComplianceMessages: [ { message: 'Virtual machines should use managed disks' resource assignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { output assignmentId string = assignment.id ``` -The resource type defined in the Bicep file is [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments). The Bicep file creates a policy assignment named _audit-vm-managed-disks_. +The resource type defined in the Bicep file is [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments). ++The Bicep file uses three parameters to deploy the policy assignment: ++- `policyAssignmentName` creates the policy assignment named _audit-vm-managed-disks_. +- `policyDefinitionID` uses the ID of the built-in policy definition. 
For reference, the commands to get the ID are in the section to deploy the template. +- `policyDisplayName` creates a display name that's visible in Azure portal. For more information about Bicep files: The Azure CLI commands use a backslash (`\`) for line continuation to improve re +The following commands display the `policyDefinitionID` parameter's value: ++# [PowerShell](#tab/azure-powershell) ++```azurepowershell +(Get-AzPolicyDefinition | + Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }).ResourceId +``` ++# [Azure CLI](#tab/azure-cli) ++```azurecli +az policy definition list \ + --query "[?displayName=='Audit VMs that do not use managed disks']".id \ + --output tsv +``` +++ The following commands deploy the policy definition to your resource group. Replace `<resourceGroupName>` with your resource group name: # [PowerShell](#tab/azure-powershell) The output is verbose but resembles the following example: ```output "description": "Policy assignment to resource group scope created with Bicep file",-"displayName": "audit-vm-managed-disks", +"displayName": "Audit VM managed disks", "enforcementMode": "Default", "id": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks", "identity": null, |
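Review bot: the added bullet for `policyDefinitionID` sends the reader to "the section to deploy the template" for the ID lookup, but this same change adds the lookup commands (`Get-AzPolicyDefinition ... .ResourceId` and `az policy definition list --query ...`) as a separate tabbed block ahead of the deployment commands; point to that block instead. In the `policyDisplayName` bullet, "visible in Azure portal" should read "visible in the Azure portal".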
governance | Assign Policy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/assign-policy-powershell.md | Title: "Quickstart: Create policy assignment using Azure PowerShell" description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using Azure PowerShell. Previously updated : 02/23/2024 Last updated : 02/26/2024 Run the following command to create the policy assignment: ```azurepowershell $policyparms = @{ Name = 'audit-vm-managed-disks'-DisplayName = 'Audit VMs without managed disks Assignment' +DisplayName = 'Audit VM managed disks' Scope = $rg.ResourceId PolicyDefinition = $definition Description = 'Az PowerShell policy assignment to resource group' |
governance | Assign Policy Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/assign-policy-template.md | Title: "Quickstart: New policy assignment with templates" -description: In this quickstart, you use an Azure Resource Manager template (ARM template) to create a policy assignment to identify non-compliant resources. Previously updated : 08/17/2021+ Title: "Quickstart: Create policy assignment using ARM template" +description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using an Azure Resource Manager template (ARM template). Last updated : 02/26/2024 -# Quickstart: Create a policy assignment to identify non-compliant resources by using an ARM template -The first step in understanding compliance in Azure is to identify the status of your resources. -This quickstart steps you through the process of using an Azure Resource Manager template (ARM -template) to create a policy assignment that identifies virtual machines that aren't using managed -disks, and flags them as _non-compliant_ to the policy assignment. +# Quickstart: Create a policy assignment to identify non-compliant resources by using ARM template --If your environment meets the prerequisites and you're familiar with using ARM templates, select the -**Deploy to Azure** button. The template will open in the Azure portal. +In this quickstart, you use an Azure Resource Manager template (ARM template) to create a policy assignment that validates resource's compliance with an Azure policy. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines. ## Prerequisites -If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account -before you begin. 
+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli). +- [Visual Studio Code](https://code.visualstudio.com/) and the [Azure Resource Manager (ARM) Tools](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). +- `Microsoft.PolicyInsights` must be [registered](../../azure-resource-manager/management/resource-providers-and-types.md) in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles. +- A resource group with at least one virtual machine that doesn't use managed disks. ## Review the template -In this quickstart, you create a policy assignment and assign a built-in policy definition called -_Audit VMs that do not use managed disks_. For a partial list of available built-in policies, see -[Azure Policy samples](./samples/index.md). +The ARM template creates a policy assignment for a resource group scope and assigns the built-in policy definition [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json). ++Create the following ARM template as _policy-assignment.json_. ++1. Open Visual Studio Code and select **File** > **New Text File**. +1. Copy and paste the ARM template into Visual Studio Code. +1. Select **File** > **Save** and use the filename _policy-assignment.json_. 
++```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "type": "string", + "defaultValue": "audit-vm-managed-disks" + }, + "policyDefinitionID": { + "type": "string", + "defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + }, + "policyDisplayName": { + "type": "string", + "defaultValue": "Audit VM managed disks" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[parameters('policyAssignmentName')]", + "properties": { + "policyDefinitionId": "[parameters('policyDefinitionID')]", + "description": "Policy assignment to resource group scope created with ARM template", + "displayName": "[parameters('policyDisplayName')]", + "nonComplianceMessages": [ + { + "message": "Virtual machines should use managed disks" + } + ] + } + } + ], + "outputs": { + "assignmentId": { + "type": "string", + "value": "[resourceId('Microsoft.Authorization/policyAssignments', parameters('policyAssignmentName'))]" + } + } +} +``` ++The resource type defined in the ARM template is [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments). ++The template uses three parameters to deploy the policy assignment: ++- `policyAssignmentName` creates the policy assignment named _audit-vm-managed-disks_. +- `policyDefinitionID` uses the ID of the built-in policy definition. For reference, the commands to get the ID are in the section to deploy the template. +- `policyDisplayName` creates a display name that's visible in Azure portal. ++For more information about ARM template files: ++- To find more ARM template samples, go to [Browse code samples](/samples/browse/?expanded=azure&products=azure-resource-manager). 
+- To learn more about template reference's for deployments, go to [Azure template reference](/azure/templates/microsoft.authorization/allversions). +- To learn how to develop ARM templates, go to [ARM template documentation](../../azure-resource-manager/templates/overview.md). +- To learn about subscription-level deployments, go to [Subscription deployments with ARM templates](../../azure-resource-manager//templates/deploy-to-subscription.md). ++## Deploy the ARM template ++You can deploy the ARM template with Azure PowerShell or Azure CLI. ++From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID. ++# [PowerShell](#tab/azure-powershell) +```azurepowershell +Connect-AzAccount ++# Run these commands if you have multiple subscriptions +Get-AzSubScription +Set-AzContext -Subscription <subscriptionID> +``` ++# [Azure CLI](#tab/azure-cli) ++```azurecli +az login ++# Run these commands if you have multiple subscriptions +az account list --output table +az account set --subscription <subscriptionID> +``` ++++You can verify if `Microsoft.PolicyInsights` is registered. If it isn't, you can run a command to register the resource provider. ++# [PowerShell](#tab/azure-powershell) ++```azurepowershell +Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' | + Select-Object -Property ResourceTypes, RegistrationState ++Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' +``` ++For more information, go to [Get-AzResourceProvider](/powershell/module/az.resources/get-azresourceprovider) and [Register-AzResourceProvider](/powershell/module/az.resources/register-azresourceprovider). 
++# [Azure CLI](#tab/azure-cli) ++```azurecli +az provider show \ + --namespace Microsoft.PolicyInsights \ + --query "{Provider:namespace,State:registrationState}" \ + --output table -The template used in this quickstart is from -[Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azurepolicy-assign-builtinpolicy-resourcegroup/). +az provider register --namespace Microsoft.PolicyInsights +``` +The Azure CLI commands use a backslash (`\`) for line continuation to improve readability. For more information, go to [az provider](/cli/azure/provider). -The resource defined in the template is: +++The following commands display the `policyDefinitionID` parameter's value: ++# [PowerShell](#tab/azure-powershell) ++```azurepowershell +(Get-AzPolicyDefinition | + Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }).ResourceId +``` ++# [Azure CLI](#tab/azure-cli) ++```azurecli +az policy definition list \ + --query "[?displayName=='Audit VMs that do not use managed disks']".id \ + --output tsv +``` -- [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments)+++The following commands deploy the policy definition to your resource group. Replace `<resourceGroupName>` with your resource group name: ++# [PowerShell](#tab/azure-powershell) -## Deploy the template +```azurepowershell +$rg = Get-AzResourceGroup -Name '<resourceGroupName>' -> [!NOTE] -> Azure Policy service is free. For more information, see -> [Overview of Azure Policy](./overview.md). +$deployparms = @{ +Name = 'PolicyDeployment' +ResourceGroupName = $rg.ResourceGroupName +TemplateFile = 'policy-assignment.json' +} -1. 
Select the following image to sign in to the Azure portal and open the template: +New-AzResourceGroupDeployment @deployparms +``` - :::image type="content" source="../../media/template-deployments/deploy-to-azure.svg" alt-text="Button to deploy the ARM template for assigning an Azure Policy to Azure." border="false" link="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.authorization%2Fazurepolicy-assign-builtinpolicy-resourcegroup%2Fazuredeploy.json"::: +The `$rg` variable stores properties for the resource group. The `$deployparms` variable uses [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to create parameter values and improve readability. The `New-AzResourceGroupDeployment` command uses the parameter values defined in the `$deployparms` variable. -1. Select or enter the following values: +- `Name` is the deployment name displayed in the output and in Azure for the resource group's deployments. +- `ResourceGroupName` uses the `$rg.ResourceGroupName` property to get the name of your resource group where the policy is assigned. +- `TemplateFile` specifies the ARM template's name and location on your local computer. - | Name | Value | - ||-| - | Subscription | Select your Azure subscription. | - | Resource group | Select **Create new**, specify a name, and then select **OK**. In the screenshot, the resource group name is _mypolicyquickstart\<Date in MMDD\>rg_. | - | Location | Select a region. For example, **Central US**. | - | Policy Assignment Name | Specify a policy assignment name. You can use the policy definition display if you want. For example, _Audit VMs that do not use managed disks_. | - | Resource Group Name | Specify a resource group name where you want to assign the policy to. In this quickstart, use the default value **[resourceGroup().name]**. 
**[resourceGroup()](../../azure-resource-manager/templates/template-functions-resource.md#resourcegroup)** is a template function that retrieves the resource group. | - | Policy Definition ID | Specify **/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a**. | - | I agree to the terms and conditions stated above | (Select) | +# [Azure CLI](#tab/azure-cli) -1. Select **Purchase**. +```azurecli +rgname=$(az group show --resource-group <resourceGroupName> --query name --output tsv) -Some other resources: +az deployment group create \ + --name PolicyDeployment \ + --resource-group $rgname \ + --template-file policy-assignment.json +``` -- To find more samples templates, see- [Azure Quickstart Template](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Authorization&pageNumber=1&sort=Popular). -- To see the template reference, go to- [Azure template reference](/azure/templates/microsoft.authorization/allversions). -- To learn how to develop ARM templates, see- [Azure Resource Manager documentation](../../azure-resource-manager/management/overview.md). -- To learn subscription-level deployment, see- [Create resource groups and resources at the subscription level](../../azure-resource-manager/templates/deploy-to-subscription.md). +The `rgname` variable uses an expression to get your resource group's name used in the deployment command. -## Validate the deployment +- `name` is the deployment name displayed in the output and in Azure for the resource group's deployments. +- `resource-group` is the name of your resource group where the policy is assigned. +- `template-file` specifies the ARM template's name and location on your local computer. -Select **Compliance** in the left side of the page. Then locate the _Audit VMs that do not use -managed disks_ policy assignment you created. 
+++You can verify the policy assignment's deployment with the following command: ++# [PowerShell](#tab/azure-powershell) ++The command uses the `$rg.ResourceId` property to get the resource group's ID. ++```azurepowershell +Get-AzPolicyAssignment -Name 'audit-vm-managed-disks' -Scope $rg.ResourceId +``` ++```output +Name : audit-vm-managed-disks +ResourceId : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks +ResourceName : audit-vm-managed-disks +ResourceGroupName : {resourceGroupName} +ResourceType : Microsoft.Authorization/policyAssignments +SubscriptionId : {subscriptionId} +PolicyAssignmentId : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks +Properties : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicyAssignmentProperties +``` ++For more information, go to [Get-AzPolicyAssignment](/powershell/module/az.resources/get-azpolicyassignment). ++# [Azure CLI](#tab/azure-cli) ++The `rgid` variable uses an expression to get the resource group's ID used to show the policy assignment. 
++```azurecli +rgid=$(az group show --resource-group $rgname --query id --output tsv) ++az policy assignment show --name "audit-vm-managed-disks" --scope $rgid +``` ++The output is verbose but resembles the following example: ++```output +"description": "Policy assignment to resource group scope created with ARM template", +"displayName": "Audit VM managed disks", +"enforcementMode": "Default", +"id": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/audit-vm-managed-disks", +"identity": null, +"location": null, +"metadata": { + "createdBy": "11111111-1111-1111-1111-111111111111", + "createdOn": "2024-02-26T19:01:23.2777972Z", + "updatedBy": null, + "updatedOn": null +}, +"name": "audit-vm-managed-disks", +"nonComplianceMessages": [ + { + "message": "Virtual machines should use managed disks", + "policyDefinitionReferenceId": null + } +] +``` ++For more information, go to [az policy assignment](/cli/azure/policy/assignment). + -If there are any existing resources that aren't compliant with this new assignment, they appear -under **Non-compliant resources**. +## Identify non-compliant resources -For more information, see -[How compliance works](./concepts/compliance-states.md). +After the policy assignment is deployed, virtual machines that are deployed to the resource group are audited for compliance with the managed disk policy. ++The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state. ++# [PowerShell](#tab/azure-powershell) +```azurepowershell +$complianceparms = @{ +ResourceGroupName = $rg.ResourceGroupName +PolicyAssignmentName = 'audit-vm-managed-disks' +Filter = 'IsCompliant eq false' +} ++Get-AzPolicyState @complianceparms +``` ++The `$complianceparms` variable creates parameter values used in the `Get-AzPolicyState` command. 
++- `ResourceGroupName` gets the resource group name from the `$rg.ResourceGroupName` property. +- `PolicyAssignmentName` specifies the name used when the policy assignment was created. +- `Filter` uses an expression to find resources that aren't compliant with the policy assignment. ++Your results resemble the following example and `ComplianceState` shows `NonCompliant`: ++```output +Timestamp : 2/26/2024 19:02:56 +ResourceId : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.compute/virtualmachines/{vmId} +PolicyAssignmentId : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.authorization/policyassignments/audit-vm-managed-disks +PolicyDefinitionId : /providers/microsoft.authorization/policydefinitions/06a78e20-9358-41c9-923c-fb736d382a4d +IsCompliant : False +SubscriptionId : {subscriptionId} +ResourceType : Microsoft.Compute/virtualMachines +ResourceLocation : {location} +ResourceGroup : {resourceGroupName} +ResourceTags : tbd +PolicyAssignmentName : audit-vm-managed-disks +PolicyAssignmentOwner : tbd +PolicyAssignmentScope : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName} +PolicyDefinitionName : 06a78e20-9358-41c9-923c-fb736d382a4d +PolicyDefinitionAction : audit +PolicyDefinitionCategory : tbd +ManagementGroupIds : {managementGroupId} +ComplianceState : NonCompliant +AdditionalProperties : {[complianceReasonCode, ]} +``` ++For more information, go to [Get-AzPolicyState](/powershell/module/az.policyinsights/Get-AzPolicyState). ++# [Azure CLI](#tab/azure-cli) ++```azurecli +policyid=$(az policy assignment show \ + --name "audit-vm-managed-disks" \ + --scope $rgid \ + --query id \ + --output tsv) ++az policy state list --resource $policyid --filter "(isCompliant eq false)" +``` ++The `policyid` variable uses an expression to get the policy assignment's ID. The `filter` parameter limits the output to non-compliant resources. 
++The `az policy state list` output is verbose, but for this article the `complianceState` shows `NonCompliant`. ++```output +"complianceState": "NonCompliant", +"components": null, +"effectiveParameters": "", +"isCompliant": false, +``` ++For more information, go to [az policy state](/cli/azure/policy/state). ++ ## Clean up resources -To remove the assignment created, follow these steps: +# [PowerShell](#tab/azure-powershell) ++```azurepowershell +Remove-AzPolicyAssignment -Name 'audit-vm-managed-disks' -Scope $rg.ResourceId +``` -1. Select **Compliance** (or **Assignments**) in the left side of the Azure Policy page and locate - the _Audit VMs that do not use managed disks_ policy assignment you created. +To sign out of your Azure PowerShell session: -1. Right-click the _Audit VMs that do not use managed disks_ policy assignment and select **Delete - assignment**. +```azurepowershell +Disconnect-AzAccount +``` - :::image type="content" source="./media/assign-policy-template/delete-assignment.png" alt-text="Screenshot of using the context menu to delete an assignment from the Compliance page." border="false"::: +# [Azure CLI](#tab/azure-cli) ++```azurecli +az policy assignment delete --name "audit-vm-managed-disks" --scope $rgid +``` ++To sign out of your Azure CLI session: ++```azurecli +az logout +``` ++ ## Next steps -In this quickstart, you assigned a built-in policy definition to a scope and evaluated its -compliance report. The policy definition validates that all the resources in the scope are compliant -and identifies which ones aren't. +In this quickstart, you assigned a built-in policy definition to a resource group scope and reviewed its compliance state. The policy definition audits if the virtual machines in the resource group are compliant and identifies resources that aren't compliant. To learn more about assigning policies to validate that new resources are compliant, continue to the-tutorial for: +tutorial. 
> [!div class="nextstepaction"]-> [Creating and managing policies](./tutorials/create-and-manage.md) +> [Tutorial: Create and manage policies to enforce compliance](./tutorials/create-and-manage.md) |
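Review bot: In the PowerShell sign-in block under "Deploy the ARM template", `Get-AzSubScription` should be written `Get-AzSubscription`. PowerShell resolves cmdlet names case-insensitively so the line runs, but readers who copy the canonical name into scripts or look it up in the module reference will expect the documented casing.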
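Review bot: The sentence that introduces the deployment commands, "The following commands deploy the policy definition to your resource group", names the wrong resource: the template's only resource is a `Microsoft.Authorization/policyAssignments`, and the built-in definition already exists in the `/providers/Microsoft.Authorization/policyDefinitions/` namespace. Suggest "The following commands deploy the policy assignment to your resource group".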
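Review bot: In the "For more information about ARM template files" list, "To learn more about template reference's for deployments" has a stray apostrophe; suggest "template references for deployments".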
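Review bot: The resource-provider check and the register command (`Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'` and `az provider register --namespace Microsoft.PolicyInsights`) sit in one code block, while the prose says to register only "if it isn't". The prerequisites correctly note that registering needs the Contributor or Owner role, so a reader with read-only access who pastes the whole block gets an authorization error after a successful check. Consider putting the register command in its own block, or adding a comment line above it that says to run it only when `RegistrationState` is not `Registered`.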
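Review bot: The `policyDefinitionID` default in the template (`/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d`) differs from the ID the removed portal table used (`0a914e76-4921-4c19-b460-a2d36003525a`). The new value matches the `PolicyDefinitionId` shown in the `Get-AzPolicyState` sample output, so it looks intentional, but the parameter list should say that the default is the built-in's current ID and that the `Get-AzPolicyDefinition` / `az policy definition list` lookups later in the article return the same value, so a reader can verify the GUID rather than trust a hard-coded one.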
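Review bot: In the Azure CLI tab of "Identify non-compliant resources", the assignment ID is passed through `--resource $policyid`, which reads as a resource-ID query and doesn't mirror the PowerShell tab's `PolicyAssignmentName` parameter. Consider the explicit form `az policy state list --resource-group $rgname --policy-assignment audit-vm-managed-disks --filter "(isCompliant eq false)"`, which also removes the extra `az policy assignment show` round trip that only exists to compute `policyid`.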
governance | Australia Ism | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md | Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd) |To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_PublicEndpoint_AuditIfNotExist.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. 
Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Cosmos DB should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | initiative definition. 
|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) | |[Azure SQL Managed Instances should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9dfea752-dd46-4766-aed1-c355fa93fb91) |Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit [https://aka.ms/mi-public-endpoint](https://aka.ms/mi-public-endpoint). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_PublicEndpoint_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. 
Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. 
Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. 
Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb3a22bc9-66de-45fb-98fa-00f5df42f41a) |Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabda6d70-9778-44e7-84a8-06713e6db027) |Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_Deny.json) | |[Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c28c3fb-c244-42d5-a9bf-f35f2999577b) |Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F78215662-041e-49ed-a9dd-5385911b3a1f) |Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_Deny.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Cosmos DB database accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5450f5bd-9c72-4390-a9c4-a7aba4edfdd2) |Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth](../../../cosmos-db/how-to-setup-rbac.md#disable-local-auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_DisableLocalAuth_AuditDeny.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | |[Storage accounts should prevent shared key access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54) |Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. 
Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccess_Audit.json) | initiative definition. |[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | |
governance | Built In Initiatives | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-initiatives.md | Title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Guest Configuration, and more. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Built In Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-policies.md | Title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more. Previously updated : 02/22/2024 Last updated : 02/27/2024 The name of each built-in links to the policy definition in the Azure portal. Us [!INCLUDE [azure-policy-reference-policies-azure-active-directory](../../../../includes/policy/reference/bycat/policies-azure-active-directory.md)] +## Azure Ai Services ++ ## Azure Arc [!INCLUDE [azure-policy-reference-policies-azure-arc](../../../../includes/policy/reference/bycat/policies-azure-arc.md)] |
governance | Canada Federal Pbmm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md | Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Cis Azure 1 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-4-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Cis Azure 2 0 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-2-0-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 2.0.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 2.0.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 This built-in initiative is deployed as part of the |[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. 
For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. 
|audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | This built-in initiative is deployed as part of the |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | |[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. 
Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. 
Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. |audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | This built-in initiative is deployed as part of the |[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) | |[\[Preview\]: Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. 
|audit, Audit, deny, Deny, disabled, Disabled |[3.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) | |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. |audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | This built-in initiative is deployed as part of the |[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. 
Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | |[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. 
This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. 
|audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | This built-in initiative is deployed as part of the |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | |[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. 
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. 
To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Flow logs should be configured for every network security group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) |Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. 
|Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json) | |[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | This built-in initiative is deployed as part of the |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. 
Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. |audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) | |[Flow logs should be configured for every network security group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) |Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json) | |
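Review bot: in each of the places where the row "Cognitive Services accounts should restrict network access" (version 3.0.0, Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) is removed and "Azure AI Services resources should restrict network access" (version 3.1.0, Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) is added, both rows link the same definition ID (037eea7a-bd0a-46c5-9a66-03aea78705d3), so this is a rename plus a version bump rather than a policy being dropped and another added; worth saying so wherever the change is described, because a reader diffing the old and new tables will otherwise read it as a removed control. Two smaller points: the replacement description drops the sentence that told the reader how access is actually granted ("access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges"), which is the part someone acting on the Deny effect needs, so consider carrying it over; and the neighbouring row "Cognitive Services accounts should disable public network access" (0725b4dd-7e76-479c-a735-68e7ee23d5ca, 3.0.1) keeps the old product name, so check whether it is due for the same rename or whether the mixed naming is intended.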
governance | Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Assign account managers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c6df5ff-4ef2-4f17-a516-0da9189c603b) |CMA_0015 - Assign account managers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0015.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit user account status](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49c23d9b-02b0-0e42-4f94-e8cef1b8381b) |CMA_0020 - Audit user account status |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0020.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Define and enforce conditions for shared and group accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7eb1d0b-6d4f-2d59-1591-7563e11a9313) |CMA_0117 - Define and enforce conditions for shared and group accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0117.json) | |[Define information system account types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F623b5f0a-8cbd-03a6-4892-201d27302f0c) |CMA_0121 - Define information system account types |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0121.json) | |[Document access privileges](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa08b18c7-9e0a-89f1-3696-d80902196719) |CMA_0186 - Document access privileges |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0186.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Automate account management](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2cc9c165-46bd-9762-5739-d2aae5ba90a1) |CMA_0026 - Automate account management |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0026.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Manage system and admin accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34d38ea7-6754-1838-7031-d7fd07099821) |CMA_0368 - Manage system and admin accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0368.json) | |[Monitor access across the organization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48c816c5-2190-61fc-8806-25d6f3df162f) |CMA_0376 - Monitor access across the organization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0376.json) | |[Notify when account is not needed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8489ff90-8d29-61df-2d84-f9ab0f4c5e84) |CMA_0383 - Notify when account is not needed |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0383.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit privileged functions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff26af0b1-65b6-689a-a03f-352ad2d00f98) |CMA_0019 - Audit privileged functions |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0019.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Monitor account activity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7b28ba4f-0a87-46ac-62e1-46b7c09202a8) |CMA_0377 - Monitor account activity |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0377.json) | |[Monitor privileged role assignment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fed87d27a-9abf-7c71-714c-61d881889da4) |CMA_0378 - Monitor privileged role assignment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0378.json) | |[Restrict access to privileged accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F873895e8-0e3a-6492-42e9-22cd030e9fcd) |CMA_0446 - Restrict access to privileged accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0446.json) | initiative definition. |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) | |[Authorize access to security functions and information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faeed863a-0f56-429f-945d-8bb66bd06841) |CMA_0022 - Authorize access to security functions and information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0022.json) | |[Authorize and manage access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e9324a-7410-0539-0662-2c1e775538b7) |CMA_0023 - Authorize and manage access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0023.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Enforce logical access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10c4210b-3ec9-9603-050d-77e4d26c7ebb) |CMA_0245 - Enforce logical access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0245.json) | |[Enforce mandatory and discretionary access control policies](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb1666a13-8f67-9c47-155e-69e027ff6823) |CMA_0246 - Enforce mandatory and discretionary access control policies |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0246.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Enforce security configuration settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F058e9719-1ff9-3653-4230-23f76b6492e0) |CMA_0249 - Enforce security configuration settings |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0249.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. 
|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods 
disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce user uniqueness](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe336d5f4-4d8f-0059-759c-ae10f63d1747) |CMA_0250 - Enforce user uniqueness |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0250.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Assign system identifiers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff29b17a4-0df2-8a50-058a-8570f9979d28) |CMA_0018 - Assign system identifiers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0018.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities 
exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Prevent identifier reuse for the defined time period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4781e5fd-76b8-7d34-6df3-a0a7fca47665) |CMA_C1314 - Prevent identifier reuse for the defined time period |Manual, Disabled 
|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1314.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. 
For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
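Review bot: The network-access change in this hunk (the `+|[Azure AI Services resources should restrict network access]` row and the `-|[Cognitive Services accounts should restrict network access]` row) is a rename of one definition, not a new control mapping: both rows carry the definition ID 037eea7a-bd0a-46c5-9a66-03aea78705d3, the version moves from 3.0.0 to 3.1.0, and the GitHub link moves from the `Cognitive Services` folder to `Azure Ai Services`. The new description, however, drops the only sentence in the old one that told readers which allow-list mechanisms satisfy the control ("access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges"); consider carrying that sentence over, since a reader of this compliance mapping otherwise cannot tell whether VNet service-endpoint rules, IP ranges, or both are acceptable. Also check the neighbouring rows for 0725b4dd (Cognitive Services accounts should disable public network access) and cddd188c (Cognitive Services should use private link): they keep the Cognitive Services name and the `Cognitive Services` folder in their GitHub links, so if those definitions were renamed upstream in the same update, this table now mixes the old and new naming.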
governance | Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Assign account managers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c6df5ff-4ef2-4f17-a516-0da9189c603b) |CMA_0015 - Assign account managers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0015.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit user account status](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49c23d9b-02b0-0e42-4f94-e8cef1b8381b) |CMA_0020 - Audit user account status |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0020.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Define and enforce conditions for shared and group accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7eb1d0b-6d4f-2d59-1591-7563e11a9313) |CMA_0117 - Define and enforce conditions for shared and group accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0117.json) | |[Define information system account types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F623b5f0a-8cbd-03a6-4892-201d27302f0c) |CMA_0121 - Define information system account types |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0121.json) | |[Document access privileges](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa08b18c7-9e0a-89f1-3696-d80902196719) |CMA_0186 - Document access privileges |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0186.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Automate account management](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2cc9c165-46bd-9762-5739-d2aae5ba90a1) |CMA_0026 - Automate account management |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0026.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Manage system and admin accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34d38ea7-6754-1838-7031-d7fd07099821) |CMA_0368 - Manage system and admin accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0368.json) | |[Monitor access across the organization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48c816c5-2190-61fc-8806-25d6f3df162f) |CMA_0376 - Monitor access across the organization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0376.json) | |[Notify when account is not needed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8489ff90-8d29-61df-2d84-f9ab0f4c5e84) |CMA_0383 - Notify when account is not needed |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0383.json) | initiative definition. 
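Review bot: In the hunk that ends with `CMA_0383 - Notify when account is not needed`, the `+|[Azure AI Services resources should have key access disabled (disable local authentication)]` row replaces the `-|[Cognitive Services accounts should have local authentication methods disabled]` row under the same definition ID 71ef260a-8f18-47b7-abcb-62d0673d94dc (version 1.0.0 to 1.1.0), and the new description adds a compatibility warning the old one lacked: Azure OpenAI Studio requires key access and will not function if key access is disabled. Since the row lists Deny among its effects, anyone assigning this control with Deny blocks Studio-based development on the affected resources; the mapping should surface that as a deployment note next to the row rather than leaving it inside the description, and should point readers at the aka.ms/AI/auth link for moving workloads to Microsoft Entra ID authentication before switching the effect from Audit to Deny. Minor wording point in the added description: "which allows maintaining minimum privilege principle and granular control" reads awkwardly; "which enforces least privilege and allows granular, identity-based control" says the same thing.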
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit privileged functions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff26af0b1-65b6-689a-a03f-352ad2d00f98) |CMA_0019 - Audit privileged functions |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0019.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Monitor account activity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7b28ba4f-0a87-46ac-62e1-46b7c09202a8) |CMA_0377 - Monitor account activity |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0377.json) | |[Monitor privileged role assignment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fed87d27a-9abf-7c71-714c-61d881889da4) |CMA_0378 - Monitor privileged role assignment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0378.json) | |[Restrict access to privileged accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F873895e8-0e3a-6492-42e9-22cd030e9fcd) |CMA_0446 - Restrict access to privileged accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0446.json) | initiative definition. |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) | |[Authorize access to security functions and information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faeed863a-0f56-429f-945d-8bb66bd06841) |CMA_0022 - Authorize access to security functions and information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0022.json) | |[Authorize and manage access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e9324a-7410-0539-0662-2c1e775538b7) |CMA_0023 - Authorize and manage access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0023.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Enforce logical access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10c4210b-3ec9-9603-050d-77e4d26c7ebb) |CMA_0245 - Enforce logical access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0245.json) | |[Enforce mandatory and discretionary access control policies](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb1666a13-8f67-9c47-155e-69e027ff6823) |CMA_0246 - Enforce mandatory and discretionary access control policies |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0246.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Enforce security configuration settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F058e9719-1ff9-3653-4230-23f76b6492e0) |CMA_0249 - Enforce security configuration settings |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0249.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. 
|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods 
disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce user uniqueness](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe336d5f4-4d8f-0059-759c-ae10f63d1747) |CMA_0250 - Enforce user uniqueness |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0250.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Assign system identifiers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff29b17a4-0df2-8a50-058a-8570f9979d28) |CMA_0018 - Assign system identifiers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0018.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities 
exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Prevent identifier reuse for the defined time period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4781e5fd-76b8-7d34-6df3-a0a7fca47665) |CMA_C1314 - Prevent identifier reuse for the defined time period |Manual, Disabled 
|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1314.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. 
For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
governance | Gov Azure Security Benchmark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-azure-security-benchmark.md | Title: Regulatory Compliance details for Microsoft cloud security benchmark (Azure Government) description: Details of the Microsoft cloud security benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Cosmos DB should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F797b37f7-06b8-444c-b1ad-fc62867f335a) |Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation](../../../cosmos-db/how-to-configure-private-endpoints.md#blocking-public-network-access-during-account-creation). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateNetworkAccess_AuditDeny.json) | initiative definition. |[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure SQL Managed Instances should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9dfea752-dd46-4766-aed1-c355fa93fb91) |Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit [https://aka.ms/mi-public-endpoint](https://aka.ms/mi-public-endpoint). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_PublicEndpoint_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb3a22bc9-66de-45fb-98fa-00f5df42f41a) |Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Database should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabda6d70-9778-44e7-84a8-06713e6db027) |Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_ADOnlyEnabled_Deny.json) | |[Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c28c3fb-c244-42d5-a9bf-f35f2999577b) |Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json) | |[Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F78215662-041e-49ed-a9dd-5385911b3a1f) |Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/adonlycreate](https://aka.ms/adonlycreate). |Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_Deny.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | |[Storage accounts should prevent shared key access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54) |Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccess_Audit.json) | |[Synapse Workspaces should have Microsoft Entra-only authentication enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ea81a52-5ca7-4575-9669-eaa910b7edf8) |Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. 
It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/Synapse](https://aka.ms/Synapse). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceDisableAadOnlyAuthentication_Audit.json) | |
governance | Gov Cis Azure 1 1 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-1-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Gov Cis Azure 1 3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-3-0.md | Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Gov Cmmc L3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cmmc-l3.md | Title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 This built-in initiative is deployed as part of the ||||| |[App Service apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | This built-in initiative is deployed as part of the ||||| |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[App Service apps should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | This built-in initiative is deployed as part of the |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
This built-in initiative is deployed as part of the
|[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) |
|[App Service apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
This built-in initiative is deployed as part of the
|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
|[App Service apps should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Newer TLS versions are released periodically to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Flow logs should be configured for every network security group](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) |Audit network security groups to verify that flow logs are configured. Enabling flow logs records information about the IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json) |
|[Function apps should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
This built-in initiative is deployed as part of the
|||||
|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Flow logs should be configured for every network security group](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) |Audit network security groups to verify that flow logs are configured. Enabling flow logs records information about the IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json) |
|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | |
governance | Gov Fedramp High | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-high.md | Title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition.
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
|[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which supports the principle of least privilege and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |
|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|||||
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which supports the principle of least privilege and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
### Role-Based Schemes
initiative definition.
|||||
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which supports the principle of least privilege and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
### Account Monitoring / Atypical Usage
initiative definition.
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
|[Audit Linux machines that have accounts without passwords](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Linux machines are non-compliant if they have accounts without passwords |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which supports the principle of least privilege and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol).
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. 
These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
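Review bot: The replacement row for definition 037eea7a-bd0a-46c5-9a66-03aea78705d3 (the `+|[Azure AI Services resources should restrict network access]` line after the `Authorized IP ranges` row, paired with the `-|[Cognitive Services accounts should restrict network access]` line later in the same table; in the earlier table only the removed row falls inside this excerpt) drops the one concrete piece of guidance the old description carried. The removed text named the sources that a compliant rule set may allow: `To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.` The new text only restates the title (`By restricting network access, you can ensure that only allowed networks can access the service`). Keep the sentence about virtual networks and public IP ranges in the new description, because a reader choosing between the `Audit, Deny, Disabled` effects needs to know what a network rule that satisfies the policy looks like. The version bump 3.0.0 to 3.1.0 and the move of the definition file from `Cognitive Services/` to `Azure Ai Services/` are applied consistently in both tables, and the portal link text is identical in the removed and added rows, so the rename does not change which definition is referenced.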
governance | Gov Fedramp Moderate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-moderate.md | Title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, 
which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. 
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | ### Role-Based Schemes initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. 
Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | ### Account Monitoring / Atypical Usage initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit Linux machines that have accounts without passwords](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. 
These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
governance | Gov Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Gov Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Gov Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 (Azure Government) description: Details of the NIST SP 800-171 R2 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Audit Linux machines that have accounts without passwords](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if they are Linux machines that have accounts without passwords. |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Authentication to Linux machines should require SSH keys](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fda3595-9f2b-4592-8675-4231d6fa82fe) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_PrivateEndpoints_Audit.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | initiative definition. |[App Service apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. 
Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should have remote debugging turned off](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | initiative definition. 
|[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 
It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) |
|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) |
|[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) |
initiative definition.
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) |
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
initiative definition.
|[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
|[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) |
|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) |
|[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) |
initiative definition.
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) |
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
initiative definition.
|||||
|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) |
|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
|[Azure Key Vault should have firewall enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[1.4.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
initiative definition.
|||||
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
initiative definition.
|[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) |
|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) |
|[Authentication to Linux machines should require SSH keys](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol).
|deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | |
governance | Gov Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 (Azure Government) description: Details of the NIST SP 800-53 Rev. 4 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom 
RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. 
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Microsoft Managed Control 1013 - Account Management \| Automated System Account Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8fd7b917-d83b-4379-af60-51e14e316c61) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1013.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. 
Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Microsoft Managed Control 1018 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc9121abf-e698-4ee9-b1cf-71ee528ff07f) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1018.json) | |[Microsoft Managed Control 1019 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6a3ee9b2-3977-459c-b8ce-2db583abd9f7) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1019.json) | |[Microsoft Managed Control 1020 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b291ee8-3140-4cad-beb7-568c077c78ce) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1020.json) 
| initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit Linux machines that have accounts without passwords](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1027 - Access Enforcement](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa76ca9b0-3f4a-4192-9a38-b25e4f8ae48c) |Microsoft implements this Access Control control |audit 
|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1027.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. 
Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1300 - User Identification And Authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F99deec7d-5526-472e-b07c-3645a792026a) |Microsoft implements this Identification and Authentication control |audit 
|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1300.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1311 - Identifier Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe7568697-0c9e-4ea3-9cec-9e567d14f3c6) |Microsoft implements this Identification and Authentication control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1311.json) | |[Microsoft Managed Control 1312 - Identifier Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d6a5968-9eef-4c18-8534-376790ab7274) |Microsoft implements this Identification and Authentication control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1312.json) | initiative definition. 
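Review bot: the replacement row for policy definition 71ef260a-8f18-47b7-abcb-62d0673d94dc keeps the same definitionId but changes the display name, the version (1.0.0 to 1.1.0) and the GitHub path (from the Cognitive Services folder to Azure Ai Services), and the same rename is applied in three control sections (the tables containing Microsoft Managed Control 1027, 1300 and 1311/1312), so all three copies need to stay identical; a short note that this is a rename of the existing definition would help readers searching for the old name. The new description also drops the period that the removed row had after the Learn more link (`Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |`), and it states that Azure OpenAI Studio will not function once key access is disabled, which is the operationally important caveat when the Deny effect is assigned to development or test subscriptions; keep that sentence, and consider restoring the trailing punctuation.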
|[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. 
Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network.
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md).
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet).
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
governance | Gov Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated: 02/22/2024 Last updated: 02/27/2024 initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom
RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. 
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Microsoft Managed Control 1013 - Account Management \| Automated System Account Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8fd7b917-d83b-4379-af60-51e14e316c61) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1013.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security.
Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Microsoft Managed Control 1018 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc9121abf-e698-4ee9-b1cf-71ee528ff07f) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1018.json) | |[Microsoft Managed Control 1019 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6a3ee9b2-3977-459c-b8ce-2db583abd9f7) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1019.json) | |[Microsoft Managed Control 1020 - Account Management \| Role-Based Schemes](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b291ee8-3140-4cad-beb7-568c077c78ce) |Microsoft implements this Access Control control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1020.json) 
| initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Audit Linux machines that have accounts without passwords](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if they are Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control.
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1027 - Access Enforcement](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa76ca9b0-3f4a-4192-9a38-b25e4f8ae48c) |Microsoft implements this Access Control control |audit 
|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1027.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. 
Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure SignalR Service should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) | |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. 
Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1300 - User Identification And Authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F99deec7d-5526-472e-b07c-3645a792026a) |Microsoft implements this Identification and Authentication control |audit 
|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1300.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Microsoft Managed Control 1311 - Identifier Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe7568697-0c9e-4ea3-9cec-9e567d14f3c6) |Microsoft implements this Identification and Authentication control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1311.json) | |[Microsoft Managed Control 1312 - Identifier Management](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d6a5968-9eef-4c18-8534-376790ab7274) |Microsoft implements this Identification and Authentication control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Regulatory%20Compliance/MicrosoftManagedControl1312.json) | initiative definition. 
|[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. 
Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. 
You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | initiative definition. 
|[Azure Synapse workspaces should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
governance | Hipaa Hitrust 9 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/hipaa-hitrust-9-2.md | Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Irs 1075 Sept2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/irs-1075-sept2016.md | Title: Regulatory Compliance details for IRS 1075 September 2016 description: Details of the IRS 1075 September 2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Iso 27001 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/iso-27001.md | Title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Mcfs Baseline Confidential | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-confidential.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Confidential Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Confidential Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Mcfs Baseline Global | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/mcfs-baseline-global.md | Title: Regulatory Compliance details for Microsoft Cloud for Sovereignty Baseline Global Policies description: Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Nist Sp 800 171 R2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-171-r2.md | Title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[CosmosDB accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58440f8a-10c5-4151-bdce-dfbaad4a20b7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints](../../../cosmos-db/how-to-configure-private-endpoints.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_PrivateEndpoint_Audit.json) | initiative definition. 
|[Authorize access to security functions and information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faeed863a-0f56-429f-945d-8bb66bd06841) |CMA_0022 - Authorize access to security functions and information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0022.json) | |[Authorize and manage access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e9324a-7410-0539-0662-2c1e775538b7) |CMA_0023 - Authorize and manage access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0023.json) | |[Authorize remote access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdad8a2e9-6f27-4fc2-8933-7e99fe700c9c) |CMA_0024 - Authorize remote access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0024.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. 
Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce appropriate usage of all accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffd81a1b3-2d7a-107c-507e-29b87d040c19) |CMA_C1023 - Enforce appropriate usage of all accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1023.json) | |[Enforce logical access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10c4210b-3ec9-9603-050d-77e4d26c7ebb) |CMA_0245 - Enforce logical access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0245.json) | |[Enforce mandatory and discretionary access control policies](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb1666a13-8f67-9c47-155e-69e027ff6823) |CMA_0246 - Enforce mandatory and discretionary access control policies |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0246.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. 
For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. 
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. 
For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. 
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePublicNetworkAccessDisabled_Deny.json) | |[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. 
Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](../../../key-vault/general/network-security.md) |Audit, Deny, Disabled |[3.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) | |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). 
Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | initiative definition. |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | |[Implement an automated configuration management tool](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33832848-42ab-63f3-1a55-c0ad309d44cd) |CMA_0311 - Implement an automated configuration management tool |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0311.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. 
For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. 
|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | |[Govern compliance of cloud service providers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c33538e-02f8-0a7f-998b-a4c1e22076d3) |CMA_0290 - Govern compliance of cloud service providers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0290.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion 
attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Assign system identifiers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff29b17a4-0df2-8a50-058a-8570f9979d28) |CMA_0018 - Assign system identifiers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0018.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce user uniqueness](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe336d5f4-4d8f-0059-759c-ae10f63d1747) |CMA_0250 - Enforce user uniqueness |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0250.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Require use of individual 
authenticators](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08ad71d0-52be-6503-4908-e015460a16ae) |CMA_C1305 - Require use of individual authenticators |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1305.json) | initiative definition. |[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) | |[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) | |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. 
The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) | |[Establish authenticator types and processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) |CMA_0267 - Establish authenticator types and processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0267.json) | initiative definition. 
||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Prevent identifier reuse for the defined time period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4781e5fd-76b8-7d34-6df3-a0a7fca47665) |CMA_C1314 - Prevent identifier reuse for the defined time period |Manual, Disabled 
|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1314.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | |
governance | Nist Sp 800 53 R4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r4.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 4 description: Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Assign account managers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c6df5ff-4ef2-4f17-a516-0da9189c603b) |CMA_0015 - Assign account managers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0015.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone.
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit user account status](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49c23d9b-02b0-0e42-4f94-e8cef1b8381b) |CMA_0020 - Audit user account status |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0020.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Define and enforce conditions for shared and group accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7eb1d0b-6d4f-2d59-1591-7563e11a9313) |CMA_0117 - Define and enforce conditions for shared and group accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0117.json) | |[Define information system account types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F623b5f0a-8cbd-03a6-4892-201d27302f0c) |CMA_0121 - Define information system account types |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0121.json) | |[Document access privileges](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa08b18c7-9e0a-89f1-3696-d80902196719) |CMA_0186 - Document access privileges |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0186.json) | initiative definition. ||||| |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. 
Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Automate account management](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2cc9c165-46bd-9762-5739-d2aae5ba90a1) |CMA_0026 - Automate account management |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0026.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. 
After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Manage system and admin accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34d38ea7-6754-1838-7031-d7fd07099821) |CMA_0368 - Manage system and admin accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0368.json) | |[Monitor access across the organization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48c816c5-2190-61fc-8806-25d6f3df162f) |CMA_0376 - Monitor access across the organization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0376.json) | |[Notify when account is not needed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8489ff90-8d29-61df-2d84-f9ab0f4c5e84) |CMA_0383 - Notify when account is not needed |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0383.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[Audit privileged functions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff26af0b1-65b6-689a-a03f-352ad2d00f98) |CMA_0019 - Audit privileged functions |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0019.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone.
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Monitor account activity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7b28ba4f-0a87-46ac-62e1-46b7c09202a8) |CMA_0377 - Monitor account activity |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0377.json) | |[Monitor privileged role assignment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fed87d27a-9abf-7c71-714c-61d881889da4) |CMA_0378 - Monitor privileged role assignment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0378.json) | |[Restrict access to privileged accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F873895e8-0e3a-6492-42e9-22cd030e9fcd) |CMA_0446 - Restrict access to privileged accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0446.json) | initiative definition. |[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. 
The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) | |[Authorize access to security functions and information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faeed863a-0f56-429f-945d-8bb66bd06841) |CMA_0022 - Authorize access to security functions and information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0022.json) | |[Authorize and manage access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e9324a-7410-0539-0662-2c1e775538b7) |CMA_0023 - Authorize and manage access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0023.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) | |[Enforce logical access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10c4210b-3ec9-9603-050d-77e4d26c7ebb) |CMA_0245 - Enforce logical access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0245.json) | |[Enforce mandatory and discretionary access control policies](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb1666a13-8f67-9c47-155e-69e027ff6823) |CMA_0246 - Enforce mandatory and discretionary access control policies |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0246.json) | initiative definition. |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md).
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Synapse workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link).
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Enforce security configuration settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F058e9719-1ff9-3653-4230-23f76b6492e0) |CMA_0249 - Enforce security configuration settings |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0249.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. 
|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods 
disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce user uniqueness](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe336d5f4-4d8f-0059-759c-ae10f63d1747) |CMA_0250 - Enforce user uniqueness |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0250.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Assign system identifiers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff29b17a4-0df2-8a50-058a-8570f9979d28) |CMA_0018 - Assign system identifiers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0018.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities 
exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Prevent identifier reuse for the defined time period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4781e5fd-76b8-7d34-6df3-a0a7fca47665) |CMA_C1314 - Prevent identifier reuse for the defined time period |Manual, Disabled 
|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1314.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
initiative definition.
|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |
|[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) |
|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) |
initiative definition.
|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |
|[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) |
|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) |
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
governance | Nist Sp 800 53 R5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r5.md | Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024
initiative definition.
|[Assign account managers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c6df5ff-4ef2-4f17-a516-0da9189c603b) |CMA_0015 - Assign account managers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0015.json) |
|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
|[Audit user account status](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F49c23d9b-02b0-0e42-4f94-e8cef1b8381b) |CMA_0020 - Audit user account status |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0020.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Define and enforce conditions for shared and group accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff7eb1d0b-6d4f-2d59-1591-7563e11a9313) |CMA_0117 - Define and enforce conditions for shared and group accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0117.json) |
|[Define information system account types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F623b5f0a-8cbd-03a6-4892-201d27302f0c) |CMA_0121 - Define information system account types |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0121.json) |
|[Document access privileges](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa08b18c7-9e0a-89f1-3696-d80902196719) |CMA_0186 - Document access privileges |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0186.json) |
initiative definition.
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[Automate account management](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2cc9c165-46bd-9762-5739-d2aae5ba90a1) |CMA_0026 - Automate account management |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0026.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Manage system and admin accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34d38ea7-6754-1838-7031-d7fd07099821) |CMA_0368 - Manage system and admin accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0368.json) |
|[Monitor access across the organization](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48c816c5-2190-61fc-8806-25d6f3df162f) |CMA_0376 - Monitor access across the organization |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0376.json) |
|[Notify when account is not needed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8489ff90-8d29-61df-2d84-f9ab0f4c5e84) |CMA_0383 - Notify when account is not needed |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0383.json) |
initiative definition.
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
|[Audit privileged functions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff26af0b1-65b6-689a-a03f-352ad2d00f98) |CMA_0019 - Audit privileged functions |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0019.json) |
|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Monitor account activity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7b28ba4f-0a87-46ac-62e1-46b7c09202a8) |CMA_0377 - Monitor account activity |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0377.json) |
|[Monitor privileged role assignment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fed87d27a-9abf-7c71-714c-61d881889da4) |CMA_0378 - Monitor privileged role assignment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0378.json) |
|[Restrict access to privileged accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F873895e8-0e3a-6492-42e9-22cd030e9fcd) |CMA_0446 - Restrict access to privileged accounts |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0446.json) |
initiative definition.
|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
|[Authorize access to security functions and information](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faeed863a-0f56-429f-945d-8bb66bd06841) |CMA_0022 - Authorize access to security functions and information |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0022.json) |
|[Authorize and manage access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F50e9324a-7410-0539-0662-2c1e775538b7) |CMA_0023 - Authorize and manage access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0023.json) |
-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) |
|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
|[Enforce logical access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10c4210b-3ec9-9603-050d-77e4d26c7ebb) |CMA_0245 - Enforce logical access |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0245.json) |
|[Enforce mandatory and discretionary access control policies](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb1666a13-8f67-9c47-155e-69e027ff6823) |CMA_0246 - Enforce mandatory and discretionary access control policies |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0246.json) |
initiative definition.
|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) |
|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |
|[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) |
|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) |
initiative definition.
|[Azure Synapse workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72d11df1-dd8a-41f7-8925-b05b960ebafc) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links](../../../synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynapseWorkspaceUsePrivateLinks_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[Enforce security configuration settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F058e9719-1ff9-3653-4230-23f76b6492e0) |CMA_0249 - Enforce security configuration settings |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0249.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. 
|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) | |[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |-|[Cognitive Services accounts should have local authentication methods 
disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Enforce user uniqueness](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe336d5f4-4d8f-0059-759c-ae10f63d1747) |CMA_0250 - Enforce user uniqueness |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0250.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. 
|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) | |[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) | |[Assign system identifiers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff29b17a4-0df2-8a50-058a-8570f9979d28) |CMA_0018 - Assign system identifiers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0018.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities 
exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | +|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Prevent identifier reuse for the defined time period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4781e5fd-76b8-7d34-6df3-a0a7fca47665) |CMA_C1314 - Prevent identifier reuse for the defined time period |Manual, Disabled 
|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1314.json) | |[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. 
For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. 
|Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |
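Review bot: the added row `+|[Azure AI Services resources should restrict network access]` and the removed row `-|[Cognitive Services accounts should restrict network access]` carry the same definitionId (037eea7a-bd0a-46c5-9a66-03aea78705d3), so this is a rename of one policy with a version bump from 3.0.0 to 3.1.0 and a move of the definition file from `Cognitive%20Services/` to `Azure%20Ai%20Services/`; the new description drops the sentence explaining that access can be granted to specific Azure virtual networks or to public internet IP address ranges, which is the detail a reader needs to scope the rule, so consider keeping that sentence and confirm the new JSON path resolves. The same `+`/`-` pair appears twice in this change block (once per control section), so both copies need the same treatment.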
governance | Nl Bio Cloud Theme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nl-bio-cloud-theme.md | Title: Regulatory Compliance details for NL BIO Cloud Theme description: Details of the NL BIO Cloud Theme Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Function apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) | |[Function apps that use Java should use a specified 'Java version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. 
|AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | |[Function apps that use Python should use a specified 'Python version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) |-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | +|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) | |[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | -|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) | initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. 
|Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) | initiative definition. |[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. 
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) | |[Azure Web PubSub Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb907f70-7514-460d-92b3-a5ae93b4f917) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/awps/privatelink](https://aka.ms/awps/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Web%20PubSub/WebPubSub_PrivateEndpointEnabled_Audit_v2.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Cognitive Services should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcddd188c-4b82-4c48-a19d-ddf74ee66a01) |Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). 
|Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_EnablePrivateEndpoints_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | initiative definition. |[App Service Environment should have internal encryption enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb74e86f-d351-4b8d-b034-93da7391c01f) |Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to [https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption](../../../app-service/environment/app-service-app-service-environment-custom-settings.md#enable-internal-encryption). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_HostingEnvironment_InternalEncryption_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. |[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. 
Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. 
|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) 
is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | initiative definition. 
|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if they are Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Use built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) |+|[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) 
should be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which lets you apply the principle of least privilege with granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/MachineLearningServices_DisableLocalAuth_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |-|[Cognitive Services accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Audit.json) | |[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) | |[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) | |[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) | |
governance | Pci Dss 3 2 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-3-2-1.md | Title: Regulatory Compliance details for PCI DSS 3.2.1 description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Pci Dss 4 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-4-0.md | Title: Regulatory Compliance details for PCI DSS v4.0 description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Rbi Itf Banks 2016 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-banks-2016.md | Title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. 
By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |+|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). 
|Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) | initiative definition. |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | |[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. 
|Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink](https://aka.ms/acr/privatelink), [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) | |
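The Azure AI Services / Cognitive Services rows above (key access disabled, public network access disabled, network access restricted) all come down to a few properties on the account resource, and the Deny effect will reject a template that gets any of them wrong. As an added example, not code from the page or Microsoft's policy engine, the following Python pre-flight check approximates those three conditions over ARM-style resource JSON so a team can test templates before assignment. The property names follow the Microsoft.CognitiveServices/accounts schema as I know it (properties.disableLocalAuth, properties.publicNetworkAccess, properties.networkAcls.defaultAction) and the sample resources are constructed; the real policy conditions may combine these properties differently, so treat this as stricter than, not identical to, the built-ins.

```python
"""Pre-flight check for the Azure AI Services / Cognitive Services account
policies listed on the page: key (local) auth disabled, public network access
disabled, and network ACLs defaulting to Deny.

Added example, not Microsoft's policy engine. Property names are assumed from
the Microsoft.CognitiveServices/accounts schema; sample resources are constructed.
"""
from typing import Any

# Check id -> the built-in policy display name it approximates (as on the page).
CHECKS = {
    "local-auth": "Azure AI Services resources should have key access disabled (disable local authentication)",
    "public-network": "Cognitive Services accounts should disable public network access",
    "network-acls": "Azure AI Services resources should restrict network access",
}


def evaluate_account(resource: dict[str, Any]) -> list[str]:
    """Return the ids of the checks this account FAILS (empty list == compliant).

    A missing property counts as a failure: the Azure defaults (keys enabled,
    public access enabled, ACL defaultAction Allow) are the insecure settings,
    so only an explicit hardened value passes.
    """
    props = resource.get("properties", {})
    failures = []

    # Key access: only an explicit boolean true disables local auth.
    if props.get("disableLocalAuth") is not True:
        failures.append("local-auth")

    # Public network access is a string enum ("Enabled"/"Disabled"), not a bool.
    if props.get("publicNetworkAccess") != "Disabled":
        failures.append("public-network")

    # Network ACLs: default action must be Deny; ipRules/virtualNetworkRules
    # then opt specific sources back in.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") != "Deny":
        failures.append("network-acls")

    return failures


def evaluate_all(resources: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map resource name -> list of failing policy display names."""
    return {r["name"]: [CHECKS[c] for c in evaluate_account(r)] for r in resources}


# Constructed sample resources (not real deployments).
SAMPLE_RESOURCES = [
    {   # typical dev/test account: keys on (Azure OpenAI Studio needs them), open to the internet
        "name": "openai-dev",
        "type": "Microsoft.CognitiveServices/accounts",
        "properties": {"publicNetworkAccess": "Enabled"},
    },
    {   # half-hardened: ACLs deny by default, but keys are still enabled
        "name": "openai-staging",
        "type": "Microsoft.CognitiveServices/accounts",
        "properties": {
            "publicNetworkAccess": "Enabled",
            "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
        },
    },
    {   # hardened: Entra ID only, reachable only over a private endpoint
        "name": "openai-prod",
        "type": "Microsoft.CognitiveServices/accounts",
        "properties": {
            "disableLocalAuth": True,
            "publicNetworkAccess": "Disabled",
            "networkAcls": {"defaultAction": "Deny"},
        },
    },
]

if __name__ == "__main__":
    for name, failed in evaluate_all(SAMPLE_RESOURCES).items():
        print(name, "compliant" if not failed else failed)
```

The dev account fails all three checks, which is exactly the case the page's caveat about Azure OpenAI Studio describes: if a workload genuinely needs key access, exempt that resource from the assignment rather than leaving the policy in Audit for everything else.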
governance | Rbi Itf Nbfc 2017 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rbi-itf-nbfc-2017.md | Title: Regulatory Compliance details for Reserve Bank of India - IT Framework for NBFC description: Details of the Reserve Bank of India - IT Framework for NBFC Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Rmit Malaysia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rmit-malaysia.md | Title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 initiative definition. |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Use built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Authorization rules on the Event Hub instance should be defined](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff4826e5f-6a27-407c-ae3e-9582eb39891d) |Audit existence of authorization rules on Event Hub entities to grant least-privileged access |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditEventHubAccessRules_Audit.json) | |[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. 
This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |-|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | +|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) | |[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) | |[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). 
|audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) | |[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[7.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) | initiative definition. |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||-|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). 
|auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_Backup_DeployIfNotExists.json) | +|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_Backup_DeployIfNotExists.json) | |[Not allowed resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6c112d4e-5bc7-47ae-a041-ea2d9dccd749) |Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/InvalidResourceTypes_Deny.json) | |[Only approved VM extensions should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0e996f8-39cf-4af9-9f45-83fbde810432) |This policy governs the virtual machine extensions that are not approved. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json) | |
governance | Swift Csp Cscf 2021 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2021.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2021 description: Details of the SWIFT CSP-CSCF v2021 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Swift Csp Cscf 2022 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/swift-csp-cscf-2022.md | Title: Regulatory Compliance details for SWIFT CSP-CSCF v2022 description: Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
governance | Ukofficial Uknhs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/ukofficial-uknhs.md | Title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/22/2024 Last updated : 02/27/2024 |
hdinsight-aks | Required Outbound Traffic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/required-outbound-traffic.md | Title: Outbound traffic on HDInsight on AKS description: Learn required outbound traffic on HDInsight on AKS. Previously updated : 02/06/2024 Last updated : 02/27/2024 # Required outbound traffic for HDInsight on AKS Last updated 02/06/2024 [!INCLUDE [feature-in-preview](includes/feature-in-preview.md)] > [!NOTE]-> HDInsight on AKS uses Azure CNI network model by default. For more information, see [Azure CNI networking](../aks/concepts-network.md#azure-cni-overlay-networking). +> HDInsight on AKS uses Azure CNI Overlay network model by default. For more information, see [Azure CNI Overlay networking](../aks/concepts-network.md#azure-cni-overlay-networking). This article outlines the networking information to help manage the network policies at enterprise and make necessary changes to the network security groups (NSGs) for smooth functioning of HDInsight on AKS. |
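Review bot: the NOTE text previously said "Azure CNI" while its link already pointed at `#azure-cni-overlay-networking`; the `+` line resolves that mismatch. Because the article exists to drive NSG changes, the same model name should be checked throughout the rest of the page, since the outbound rules a reader writes depend on which model the cluster actually uses.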
iot-central | Howto Use Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-use-commands.md | Title: How to use device commands in an Azure IoT Central solution description: How to use device commands in Azure IoT Central solution. Learn how to define and call device commands from IoT Central, and respond in a device. Previously updated : 06/06/2023 Last updated : 02/27/2024 To learn about the IoT Pug and Play command conventions, see [IoT Plug and Play To learn more about the command data that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](../../iot/concepts-message-payloads.md). -To learn how to manage commands by using the IoT Central REST API, see [How to use the IoT Central REST API to control devices.](../core/howto-control-devices-with-rest-api.md) +To learn how to manage commands by using the IoT Central REST API, see [How to use the IoT Central REST API to control devices.](../core/howto-control-devices-with-rest-api.md). ++To learn how to implement commands in a device without using the device SDKs, see [Communicate with an IoT hub using the MQTT protocol](../../iot/iot-mqtt-connect-to-iot-hub.md). ## Define your commands |
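Review bot: the `+` line appends a period after the link, but the link text already ends in one (`control devices.](../core/howto-control-devices-with-rest-api.md).`), so the rendered sentence ends in `devices..`; remove one of the two. The unchanged context line also carries the typo `IoT Pug and Play` for `IoT Plug and Play`, which this edit could fix in passing.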
iot-central | Howto Use Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-use-properties.md | Title: Use properties in an Azure IoT Central solution description: Learn how to use read-only and writable properties in an Azure IoT Central solution. Define properties in IoT Central and use properties programmatically. Previously updated : 06/06/2023 Last updated : 02/27/2024 To learn more about the property data that a device exchanges with IoT Central, To learn how to manage properties by using the IoT Central REST API, see [How to use the IoT Central REST API to control devices.](../core/howto-control-devices-with-rest-api.md). +To learn how to implement properties in a device without using the device SDKs, see [Communicate with an IoT hub using the MQTT protocol](../../iot/iot-mqtt-connect-to-iot-hub.md). + ## Define your properties Properties are data fields that represent the state of your device. Use properties to represent the durable state of the device, such as the on/off state of a device. Properties can also represent basic device properties, such as the software version of the device. You declare properties as read-only or writable. |
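Review bot: the same doubled period appears in the unchanged context line here (`control devices.](../core/howto-control-devices-with-rest-api.md).`); since the new MQTT sentence is inserted directly after it, this is the natural place to drop one of the two periods. The added sentence itself reads fine.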
iot-hub-device-update | Device Update Agent Check | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-agent-check.md | Title: Device Update for Azure IoT Hub agent check | Microsoft Docs description: Device Update for IoT Hub uses Agent Check to find and diagnose missing devices.--++ Last updated 10/31/2022 |
iot-hub-device-update | Troubleshoot Device Update | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/troubleshoot-device-update.md | Title: Troubleshoot common Device Update for Azure IoT Hub issues | Microsoft Docs description: This document provides a list of tips and tricks to help remedy many possible issues you may be having with Device Update for IoT Hub.--++ Last updated 9/13/2022 |
iot-operations | Howto Deploy Aks Layered Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-operations/manage-layered-network/howto-deploy-aks-layered-network.md | These steps deploy Layered Network Management to the AKS cluster. The cluster is You should see an output that looks like the following example: ```Output- NAME READY STATUS RESTARTS AGE + NAME READY STATUS RESTARTS AGE aio-lnm-operator-7db49dc9fd-kjf5x 1/1 Running 0 78s ``` These steps deploy Layered Network Management to the AKS cluster. The cluster is The output should look like: ```Output- NAME READY STATUS RESTARTS AGE - aio-lnm-operator-7db49dc9fd-kjf5x 1/1 Running 0 78s - lnm-level4-7598574bf-2lgss 1/1 Running 0 4s + NAME READY STATUS RESTARTS AGE + aio-lnm-operator-7db49dc9fd-kjf5x 1/1 Running 0 78s + aio-lnm-level4-7598574bf-2lgss 1/1 Running 0 4s ``` 1. To view the service, run: These steps deploy Layered Network Management to the AKS cluster. The cluster is The output should look like the following example: ```Output- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - lnm-level4 LoadBalancer 10.0.141.101 20.81.111.118 80:30960/TCP,443:31214/TCP 29s + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + aio-lnm-level4 LoadBalancer 10.0.141.101 20.81.111.118 80:30960/TCP,443:31214/TCP 29s ``` 1. To view the config maps, run: |
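Review bot: the sample service output still shows what looks like a real public address, `20.81.111.118`, for a `LoadBalancer` service exposing ports 80 and 443; replace it with a placeholder such as `<EXTERNAL-IP>` so readers neither copy nor probe it. The rename to `aio-lnm-level4` is applied consistently to both the pod and the service, and the operator pod already carried the `aio-` prefix, so the outputs now agree with each other.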
iot-operations | Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-operations/troubleshoot/known-issues.md | This article contains known issues for Azure IoT Operations Preview. - Uninstalling K3s: When you uninstall k3s on Ubuntu by using the `/usr/local/bin/k3s-uninstall.sh` script, you might encounter an issue where the script gets stuck on unmounting the NFS pod. A workaround for this issue is to run the following command before you run the uninstall script: `sudo systemctl stop k3s`. +## Azure IoT Data Processor Preview ++If the data processor extension fails to uninstall, run the following commands and try the uninstall operation again: ++```bash +kubectl delete pod aio-dp-reader-worker-0 --grace-period=0 --force -n azure-iot-operations +kubectl delete pod aio-dp-reader-worker-0 --grace-period=0 --force -n azure-iot-operations +``` + ## Azure IoT MQ (preview) - You can only access the default deployment by using the cluster IP, TLS, and a service account token. Clients outside the cluster need extra configuration before they can connect. |
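Review bot: the two `kubectl delete pod` commands in the new section are identical (`aio-dp-reader-worker-0` in `azure-iot-operations` both times); either the second is a copy-paste duplicate and should be dropped, or it was meant to target a different pod and needs the correct name. Because `--grace-period=0 --force` removes the Pod object without waiting for the kubelet to confirm termination, a sentence on why a normal delete is insufficient here would also help readers judge whether to apply it.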
key-vault | Move Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/move-region.md | -Azure Key Vault does not allow you to move a key vault from one region to another. You can, however, create a key vault in the new region, manually copy each individual key, secret, or certificate from your existing key vault to the new key vault, and then remove the original key vault. +Azure Key Vault does not allow you to move a key vault from one region to another. You can, however, create a key vault in the new region, manually backup/restore each individual key, secret, or certificate from your existing key vault to the new key vault, and then remove the original key vault. ## Prerequisites |
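Review bot: "backup/restore" is the right mechanism (unlike copying, it also carries over non-exportable HSM-protected keys and the objects' attributes), but the sentence should read "back up and restore", and it should state the constraint that decides whether the procedure works: a Key Vault backup blob can only be restored into a vault in the same Azure subscription and the same Azure geography as the source vault. A move between regions in different geographies therefore cannot use this path, and the article should say so at this point.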
machine-learning | Evaluate Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference/evaluate-model.md | The following metrics are reported when evaluating binary classification models. The metrics returned for regression models are designed to estimate the amount of error. A model is considered to fit the data well if the difference between observed and predicted values is small. However, looking at the pattern of the residuals (the difference between any one predicted point and its corresponding actual value) can tell you a lot about potential bias in the model. - The following metrics are reported for evaluating regression models. + The following metrics are reported for evaluating linear regression models. Other re gression models such as [Fast Forest Quantile Regression](./fast-forest-quantile-regression.md) may have different metrics. - **Mean absolute error (MAE)** measures how close the predictions are to the actual outcomes; thus, a lower score is better. |
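Review bot: the `+` line has a stray space in `Other re gression models such as`; it should read `regression`. The qualification itself is worth keeping, since the quantile-regression component reports a different metric set.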
machine-learning | Fast Forest Quantile Regression | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/component-reference/fast-forest-quantile-regression.md | After training is complete: + To save a snapshot of the trained model, select the training component, then switch to **Outputs+logs** tab in the right panel. Click on the icon **Register dataset**. You can find the saved model as a component in the component tree. +## Evaluation metrics ++You can use [Evaluate Model component](./evaluate-model.md) to evaluate the trained model. For **Fast Forest Quantile Regression**, the metrics are as following. ++- **Quantile Loss**: This is a measure of the error for a specific quantile in your model. +- **Average Quantile Loss**: This is simply the average of the Quantile Loss values across all the quantiles considered in the model. It gives an overall measure of how well the model is performing across all quantiles. + ## Next steps See the [set of components available](component-reference.md) to Azure Machine Learning. |
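Review bot: "the metrics are as following" in the new Evaluation metrics section should be "the metrics are as follows", and "This is simply the average" reads better without "simply". Consider also stating over what the Quantile Loss is computed (all test samples at the given quantile), so the two bullets are distinguishable to a reader who has not seen the component output.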
machine-learning | How To Access Data Batch Endpoints Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-access-data-batch-endpoints-jobs.md | To successfully invoke a batch endpoint and create jobs, ensure you have the fol > [!TIP] > If you are using a credential-less data store or external Azure Storage Account as data input, ensure you [configure compute clusters for data access](how-to-authenticate-batch-endpoint.md#configure-compute-clusters-for-data-access). **The managed identity of the compute cluster** is used **for mounting** the storage account. The identity of the job (invoker) is still used to read the underlying data allowing you to achieve granular access control. ++ ## Understanding inputs and outputs Batch endpoints provide a durable API that consumers can use to create batch jobs. The same interface can be used to specify the inputs and the outputs your deployment expects. Use inputs to pass any information your endpoint needs to perform the job. Literal inputs are only supported in pipeline component deployments. See [Create Data outputs refer to the location where the results of a batch job should be placed. Outputs are identified by name, and Azure Machine Learning automatically assigns a unique path to each named output. However, you can specify another path if required. > [!IMPORTANT]-> Batch endpoints only support writing outputs in Azure Blob Storage datastores. +> Batch endpoints only support writing outputs in Azure Blob Storage datastores. If you need to write to an storage account with hierarchical namespaces enabled (also known as Azure Datalake Gen2 or ADLS Gen2), notice that such storage service can be registered as a Azure Blob Storage datastore since the services are fully compatible. In this way, you can write outputs from batch endpoints to ADLS Gen2. 
## Create jobs with data inputs azureml-model-deployment: DEPLOYMENT_NAME ``` +## Configure job properties ++You can configure some of the properties in the created job at invocation time. ++### Configure experiment name ++# [Azure CLI](#tab/cli) + +Use the argument `--experiment-name` to specify the name of the experiment: ++```azurecli +az ml batch-endpoint invoke --name $ENDPOINT_NAME --experiment-name "my-batch-job-experiment" --input $INPUT_DATA +``` ++# [Python](#tab/sdk) ++Use the parameter `experiment_name` to specify the name of the experiment: ++```python +job = ml_client.batch_endpoints.invoke( + endpoint_name=endpoint.name, + experiment_name="my-batch-job-experiment", + inputs={ + "heart_dataset": input, + } +) +``` ++# [REST](#tab/rest) ++Use the key `experimentName` in `properties` section to indicate the experiment name: ++__Body__ + +```json +{ + "properties": { + "InputData": { + "heart_dataset": { + "JobInputType" : "UriFolder", + "Uri": "https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data" + } + }, + "properties": + { + "experimentName": "my-batch-job-experiment" + } + } +} +``` ++__Request__ ++```http +POST jobs HTTP/1.1 +Host: <ENDPOINT_URI> +Authorization: Bearer <TOKEN> +Content-Type: application/json +``` +++ ## Next steps * [Troubleshooting batch endpoints](how-to-troubleshoot-batch-endpoints.md). |
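Review bot: the new IMPORTANT text has several grammar slips: "an storage account" should be "a storage account", "a Azure Blob Storage datastore" should be "an Azure Blob Storage datastore", "notice that" should be "note that", and the product name is "Azure Data Lake Storage Gen2". The substance (registering a hierarchical-namespace account as a Blob datastore so batch outputs can be written to it) is correct and worth keeping.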
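Review bot: in the Python tab, `inputs={"heart_dataset": input}` refers to a variable `input` that the snippet never defines and that shadows the Python builtin; either name it distinctly (for example `heart_input`) or show how it is constructed so the tab runs as written. In the REST tab, the nested `properties` object inside `properties` is easy to misread as a typo; a one-line remark that the inner object is the job's free-form property bag would prevent readers from "fixing" it.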
machine-learning | How To Workspace Diagnostic Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-workspace-diagnostic-api.md | resource_group = '<your-resource-group-name>' workspace = '<your-workspace-name>' ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)-resp = ml_client.workspaces.begin_diagnose(workspace) -print(resp) +resp = ml_client.workspaces.begin_diagnose(workspace).result() +# Inspect the attributes of the response you are interested in +for result in resp.application_insights_results: + print(f"Diagnostic result: {result.code}, {result.level}, {result.message}") + ```++The response is a [DiagnoseResponseResultValue](/python/api/azure-ai-ml/azure.ai.ml.entities.diagnoseresponseresultvalue) object that contains information on any problems detected with the workspace. :::moniker-end :::moniker range="azureml-api-1" [!INCLUDE [sdk v1](includes/machine-learning-sdk-v1.md)] diag_param = { resp = ws.diagnose_workspace(diag_param) print(resp) ``` The response is a JSON document that contains information on any problems detected with the workspace. The following JSON is an example response: The response is a JSON document that contains information on any problems detect "dns_resolution_results": [{ "code": "CustomDnsInUse", "level": "Warning",- "message": "It is detected VNet '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>' of private endpoint '/subscriptions/<subscription-id>/resourceGroups/larrygroup0916/providers/Microsoft.Network/privateEndpoints/<workspace-private-endpoint>' is not using Azure default DNS. You need to configure your DNS server and check https://learn.microsoft.com/azure/machine-learning/how-to-custom-dns to make sure the custom DNS is set up correctly." 
+ "message": "It is detected VNet '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>' of private endpoint '/subscriptions/<subscription-id>/resourceGroups/<myresourcegroup>/providers/Microsoft.Network/privateEndpoints/<workspace-private-endpoint>' is not using Azure default DNS. You need to configure your DNS server and check https://learn.microsoft.com/azure/machine-learning/how-to-custom-dns to make sure the custom DNS is set up correctly." }], "storage_account_results": [], "key_vault_results": [], The response is a JSON document that contains information on any problems detect ``` If no problems are detected, an empty JSON document is returned. :::moniker range="azureml-api-2" For more information, see the [Workspace](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace) reference. |
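Review bot: the v2 sample now iterates only `resp.application_insights_results`, yet the example response shown below it demonstrates a finding in `dns_resolution_results` (the `CustomDnsInUse` warning), and the response also carries `storage_account_results` and `key_vault_results`; iterate over all of the result lists, or at least the one whose output the article shows, so the printed lines match the example. Redacting the real resource group name to `<myresourcegroup>` is the right call, but the placeholder should use the same `<resource-group-name>` form that appears earlier in the same message.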
machine-learning | How To Version Track Datasets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-version-track-datasets.md | -In this article, you'll learn how to version and track Azure Machine Learning datasets for reproducibility. Dataset versioning is a way to bookmark the state of your data so that you can apply a specific version of the dataset for future experiments. +In this article, you'll learn how to version and track Azure Machine Learning datasets for reproducibility. Dataset versioning bookmarks specific states of your data, so that you can apply a specific version of the dataset for future experiments. -Typical versioning scenarios: +You might want to version your Azure Machine Learning resources in these typical scenarios: -* When new data is available for retraining -* When you're applying different data preparation or feature engineering approaches +* When new data becomes available for retraining +* When you apply different data preparation or feature engineering approaches ## Prerequisites -For this tutorial, you need: +- The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/install). This SDK includes the [azureml-datasets](/python/api/azureml-core/azureml.core.dataset) package -- [Azure Machine Learning SDK for Python installed](/python/api/overview/azure/ml/install). This SDK includes the [azureml-datasets](/python/api/azureml-core/azureml.core.dataset) package.- -- An [Azure Machine Learning workspace](../concept-workspace.md). Retrieve an existing one by running the following code, or [create a new workspace](../quickstart-create-resources.md).+- An [Azure Machine Learning workspace](../concept-workspace.md). 
[Create a new workspace](../quickstart-create-resources.md), or retrieve an existing workspace with this code sample: ```Python import azureml.core For this tutorial, you need: ws = Workspace.from_config() ```-- An [Azure Machine Learning dataset](how-to-create-register-datasets.md).--<a name="register"></a> +- An [Azure Machine Learning dataset](how-to-create-register-datasets.md) ## Register and retrieve dataset versions -By registering a dataset, you can version, reuse, and share it across experiments and with colleagues. You can register multiple datasets under the same name and retrieve a specific version by name and version number. +You can version, reuse, and share a registered dataset across experiments and with your colleagues. You can register multiple datasets under the same name, and retrieve a specific version by name and version number. ### Register a dataset version -The following code registers a new version of the `titanic_ds` dataset by setting the `create_new_version` parameter to `True`. If there's no existing `titanic_ds` dataset registered with the workspace, the code creates a new dataset with the name `titanic_ds` and sets its version to 1. +This code sample sets the `create_new_version` parameter of the `titanic_ds` dataset to `True`, to register a new version of that dataset. If the workspace has no existing `titanic_ds` dataset registered, the code creates a new dataset with the name `titanic_ds`, and sets its version to 1. ```Python titanic_ds = titanic_ds.register(workspace = workspace, titanic_ds = titanic_ds.register(workspace = workspace, ### Retrieve a dataset by name -By default, the [get_by_name()](/python/api/azureml-core/azureml.core.dataset.dataset#get-by-name-workspace--name--version--latest--) method on the `Dataset` class returns the latest version of the dataset registered with the workspace. 
+By default, the `Dataset` class [get_by_name()](/python/api/azureml-core/azureml.core.dataset.dataset#azureml-core-dataset-dataset-get-by-name) method returns the latest version of the dataset registered with the workspace. -The following code gets version 1 of the `titanic_ds` dataset. +This code returns version 1 of the `titanic_ds` dataset. ```Python from azureml.core import Dataset titanic_ds = Dataset.get_by_name(workspace = workspace, version = 1) ``` -<a name="best-practice"></a> - ## Versioning best practice -When you create a dataset version, you're *not* creating an extra copy of data with the workspace. Because datasets are references to the data in your storage service, you have a single source of truth, managed by your storage service. +When you create a dataset version, you *don't* create an extra copy of data with the workspace. Since datasets are references to the data in your storage service, you have a single source of truth, managed by your storage service. >[!IMPORTANT]-> If the data referenced by your dataset is overwritten or deleted, calling a specific version of the dataset does *not* revert the change. +> If the data referenced by your dataset is overwritten or deleted, a call to a specific version of the dataset does *not* revert the change. -When you load data from a dataset, the current data content referenced by the dataset is always loaded. If you want to make sure that each dataset version is reproducible, we recommend that you not modify data content referenced by the dataset version. When new data comes in, save new data files into a separate data folder and then create a new dataset version to include data from that new folder. +When you load data from a dataset, the current data content referenced by the dataset is always loaded. If you want to make sure that each dataset version is reproducible, we recommend that you avoid modification of data content referenced by the dataset version. 
When new data comes in, save new data files into a separate data folder, and then create a new dataset version to include data from that new folder. -The following image and sample code show the recommended way to structure your data folders and to create dataset versions that reference those folders: +This image and sample code show the recommended way to both structure your data folders and create dataset versions that reference those folders: ![Folder structure](./media/how-to-version-track-datasets/folder-image.png) dataset2.register(workspace = workspace, ``` -<a name="pipeline"></a> - ## Version an ML pipeline output dataset You can use a dataset as the input and output of each [ML pipeline](../concept-ml-pipelines.md) step. When you rerun pipelines, the output of each pipeline step is registered as a new dataset version. -ML pipelines populate the output of each step into a new folder every time the pipeline reruns. This behavior allows the versioned output datasets to be reproducible. Learn more about [datasets in pipelines](./how-to-create-machine-learning-pipelines.md#steps). +Machine Learning pipelines populate the output of each step into a new folder every time the pipeline reruns. The versioned output datasets then become reproducible. For more information, visit [datasets in pipelines](./how-to-create-machine-learning-pipelines.md#steps). ```Python from azureml.core import Dataset prep_step = PythonScriptStep(script_name="prepare.py", source_directory=project_folder) ``` -<a name="track"></a> - ## Track data in your experiments -Azure Machine Learning tracks your data throughout your experiment as input and output datasets. --The following are scenarios where your data is tracked as an **input dataset**. +Azure Machine Learning tracks your data throughout your experiment as input and output datasets. 
In these scenarios, your data is tracked as an **input dataset**: -* As a `DatasetConsumptionConfig` object through either the `inputs` or `arguments` parameter of your `ScriptRunConfig` object when submitting the experiment job. +* As a `DatasetConsumptionConfig` object, through either the `inputs` or `arguments` parameter of your `ScriptRunConfig` object, when submitting the experiment job -* When methods like, get_by_name() or get_by_id() are called in your script. For this scenario, the name assigned to the dataset when you registered it to the workspace is the name displayed. +* When your script calls certain methods - `get_by_name()` or `get_by_id()` - for example. The name assigned to the dataset at the time you registered that dataset to the workspace is the displayed name -The following are scenarios where your data is tracked as an **output dataset**. +In these scenarios, your data is tracked as an **output dataset**: -* Pass an `OutputFileDatasetConfig` object through either the `outputs` or `arguments` parameter when submitting an experiment job. `OutputFileDatasetConfig` objects can also be used to persist data between pipeline steps. See [Move data between ML pipeline steps.](how-to-move-data-in-out-of-pipelines.md) +* Pass an `OutputFileDatasetConfig` object through either the `outputs` or `arguments` parameter when you submit an experiment job. `OutputFileDatasetConfig` objects can also persist data between pipeline steps. For more information, visit [Move data between ML pipeline steps](how-to-move-data-in-out-of-pipelines.md) -* Register a dataset in your script. For this scenario, the name assigned to the dataset when you registered it to the workspace is the name displayed. In the following example, `training_ds` is the name that would be displayed. +* Register a dataset in your script. The name assigned to the dataset when you registered it to the workspace is the name displayed. 
In this code sample, `training_ds` is the displayed name: ```Python training_ds = unregistered_ds.register(workspace = workspace, The following are scenarios where your data is tracked as an **output dataset**. ) ``` -* Submit child job with an unregistered dataset in script. This results in an anonymous saved dataset. +* Submission of a child job, with an unregistered dataset, in the script. This submission results in an anonymous saved dataset ### Trace datasets in experiment jobs -For each Machine Learning experiment, you can easily trace the datasets used as input with the experiment `Job` object. --The following code uses the [`get_details()`](/python/api/azureml-core/azureml.core.run.run#get-details--) method to track which input datasets were used with the experiment run: +For each Machine Learning experiment, you can trace the input datasets for the experiment `Job` object. This code sample uses the [`get_details()`](/python/api/azureml-core/azureml.core.run.run#get-details--) method to track the input datasets used with the experiment run: ```Python # get input datasets input_dataset = inputs[0]['dataset'] input_dataset.to_path() ``` -You can also find the `input_datasets` from experiments by using the [Azure Machine Learning studio](). +You can also find the `input_datasets` from experiments with the [Azure Machine Learning studio](https://ml.azure.com). -The following image shows where to find the input dataset of an experiment on Azure Machine Learning studio. For this example, go to your **Experiments** pane and open the **Properties** tab for a specific run of your experiment, `keras-mnist`. +This screenshot shows where to find the input dataset of an experiment on Azure Machine Learning studio. For this example, start at your **Experiments** pane, and open the **Properties** tab for a specific run of your experiment, `keras-mnist`. 
![Input datasets](./media/how-to-version-track-datasets/input-datasets.png) -Use the following code to register models with datasets: +This code registers models with datasets: ```Python model = run.register_model(model_name='keras-mlp-mnist', model = run.register_model(model_name='keras-mlp-mnist', datasets =[('training data',train_dataset)]) ``` -After registration, you can see the list of models registered with the dataset by using Python or go to the [studio](https://ml.azure.com/). +After registration, you can see the list of models registered with the dataset with either Python or the [studio](https://ml.azure.com/). -The following view is from the **Datasets** pane under **Assets**. Select the dataset and then select the **Models** tab for a list of the models that are registered with the dataset. +Thia screenshot is from the **Datasets** pane under **Assets**. Select the dataset, and then select the **Models** tab for a list of the models that are registered with the dataset. ![Input datasets models](./media/how-to-version-track-datasets/dataset-models.png) ## Next steps * [Train with datasets](how-to-train-with-datasets.md)-* [More sample dataset notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/) +* [More sample dataset notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/) |
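Review bot: typo `Thia screenshot` in the added text near the end should be `This screenshot`. Several rewritten sentences read worse than the originals: `When your script calls certain methods - get_by_name() or get_by_id() - for example` would be clearer as `When your script calls methods such as get_by_name() or get_by_id()`; `Submission of a child job, with an unregistered dataset, in the script` as `Submitting a child job with an unregistered dataset in the script`; and `visit [datasets in pipelines]` should be `see`, matching the rest of the docs. Fixing the empty `[Azure Machine Learning studio]()` link to `https://ml.azure.com` is correct. The retained IMPORTANT note is the central caveat of the page: a dataset version is only a reference, so overwriting or deleting the underlying files silently changes or breaks every version that points at them; keep it as prominent as it is.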
mysql | Concepts Accelerated Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-accelerated-logs.md | Database servers with mission-critical workloads demand robust performance, requ - East US - East US 2 - France Central+- Japan East +- Korea Central - North Europe - Norway East+- Poland Central - South Africa North - South Central US - Sweden Central |
mysql | Concepts Networking Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-networking-private-link.md | A private endpoint is a private IP address within a specific [VNet](../../virtua > [!NOTE] > - Enabling Private Link is exclusively possible for Azure Database for MySQL flexible server instances that are created with public access. Learn how to enable private endpoint using the [Azure portal](how-to-networking-private-link-portal.md) or [Azure CLI](how-to-networking-private-link-azure-cli.md).-> --> -> - Private link for Azure Database for MySQL flexible server is currently only available in public clouds. -> ## Benefits of Private Link for MySQL flexible server--Here are some benefits for using the networking private link feature with Azure Database for MySQL flexible server. +> Here are some benefits for using the networking private link feature with Azure Database for MySQL flexible server. ### Data exfiltration prevention |
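Review bot: the `+` line prefixes the intro sentence with `>` (`+> Here are some benefits for using...`), so after the `## Benefits of Private Link for MySQL flexible server` heading it renders as a blockquote rather than the section's opening paragraph; drop the `>`. Removing the stale "only available in public clouds" note is fine if that restriction has been lifted, but nothing in the change records that; confirm before merging.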
nat-gateway | Nat Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/nat-gateway/nat-availability-zones.md | Virtual networks and their subnets are regional. Subnets aren't restricted to a ## Zonal -You can place your NAT gateway resource in a specific zone for a region. When NAT gateway is deployed to a specific zone, it provides outbound connectivity to the internet explicitly from that zone. The public IP address or prefix configured to NAT gateway must match the same zone. NAT gateway resources with public IP addresses from a different zone, zone-redundancy or with no zone aren't allowed. +You can place your NAT gateway resource in a specific zone for a region. When NAT gateway is deployed to a specific zone, it provides outbound connectivity to the internet explicitly from that zone. NAT gateway resources assigned to an availability zone can be attached to public IP addresses either from the same zone or that are zone redundant. Public IP addresses from a different availability zone or no zone aren't allowed. NAT gateway can provide outbound connectivity for virtual machines from other availability zones different from itself. The virtual machineΓÇÖs subnet needs to be configured to the NAT gateway resource to provide outbound connectivity. Additionally, multiple subnets can be configured to the same NAT gateway resource. |
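Review bot: the unchanged context line contains a mis-encoded apostrophe, `virtual machineΓÇÖs`, which should be `virtual machine's`; worth fixing while the paragraph is open. The substantive change (a zonal NAT gateway may be paired with zone-redundant public IPs, but not with IPs from another zone or with non-zonal IPs) is consistent with the matching edits to nat-gateway-resource.md and troubleshoot-nat.md in this same set.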
nat-gateway | Nat Gateway Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/nat-gateway/nat-gateway-resource.md | A single NAT gateway can scale up to 16 IP addresses. Each NAT gateway public IP A NAT gateway can be created in a specific availability zone or placed in **no zone**. When a NAT gateway is placed in no zone, Azure selects a zone for the NAT gateway to reside in. -Zone redundant public IP addresses can be used with no zone NAT gateway resources. +Zone redundant public IP addresses can be used with zonal or no zone NAT gateway resources. The recommendation is to configure a NAT gateway to individual availability zones. Additionally, it should be attached to subnets with private instances from the same zone. For more information about availability zones and Azure NAT Gateway, see [Availability zones design considerations](/azure/nat-gateway/nat-availability-zones#design-considerations). |
nat-gateway | Troubleshoot Nat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/nat-gateway/troubleshoot-nat.md | NAT gateway can be used with public IP addresses designated to a specific zone, | NAT gateway availability zone designation | Public IP address / prefix designation that can be used | ||| | No zone | Zone-redundant, No zone, or Zonal (the public IP zone designation can be any zone within a region in order to work with a no zone NAT gateway) |-| Designated to a specific zone | The public IP address zone must match the zone of the NAT gateway | +| Designated to a specific zone | Zone-redundant or Zonal Public IPs can be used | >[!NOTE] >If you need to know the zone that your NAT gateway resides in, make sure to designate it to a specific availability zone. |
operator-5g-core | Concept Centralized Lifecycle Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/concept-centralized-lifecycle-management.md | Title: Centralized lifecycle management in Azure Operator 5G Core -description: Outlines the benefit of Azure Operator 5G Core's centralized lifecycle management feature. + Title: Centralized lifecycle management in Azure Operator 5G Core Preview +description: Outlines the benefit of Azure Operator 5G Core's (preview) centralized lifecycle management feature. Previously updated : 02/21/2024 Last updated : 02/27/2024 #CustomerIntent: As a <type of user>, I want <what?> so that <why?>. -# Centralized Lifecycle Management in Azure Operator 5G Core +# Centralized Lifecycle Management in Azure Operator 5G Core Preview -The Azure Operator 5G Core Resource Provider (RP) is responsible for the lifecycle management (LCM) of the following Azure Operator 5G Core network functions: +The Azure Operator 5G Core (preview) Resource Provider (RP) is responsible for the lifecycle management (LCM) of the following Azure Operator 5G Core network functions: - Access and Mobility Management Function (AMF) - Session Management Function (SMF) - User Plane Function (UPF) |
operator-5g-core | Concept Deployment Order | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/concept-deployment-order.md | Title: Azure Operator 5G Core Deployment ordering for clusters, network functions, and observability + Title: Azure Operator 5G Core Preview Deployment ordering for clusters, network functions, and observability description: Outlines the deployment order for components on Azure Kubernetes Services or Nexus Azure Kubernetes Services Use the following Azure CLI commands to deploy resources. ## Related content -- [Complete the prerequisites to deploy Azure Operator 5G Core on Azure Kubernetes Service](how-to-complete-prerequisites-deploy-azure-kubernetes-service.md)-- [Complete the prerequisites to deploy Azure Operator 5G Core on Nexus Azure Kubernetes Service](how-to-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md)+- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service](how-to-complete-prerequisites-deploy-azure-kubernetes-service.md) +- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service](how-to-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md) |
operator-5g-core | Concept Observability Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/concept-observability-analytics.md | Title: Observability and analytics in Azure Operator 5G Core -description: Learn how observability and analytics are used in Azure Operator 5G Core + Title: Observability and analytics in Azure Operator 5G Core Preview +description: Learn how observability and analytics are used in Azure Operator 5G Core Preview Last updated 02/21/2024 -# Observability and analytics in Azure Operator 5G Core +# Observability and analytics in Azure Operator 5G Core Preview -Observability has three pillars: metrics, tracing, and logs. AO5GC bundles these observability tools to help you identify, investigate, and resolve problems. In addition, AO5GC alerts provide notifications based on metrics and logs. +Observability has three pillars: metrics, tracing, and logs. Azure Operator 5G Core Preview bundles these observability tools to help you identify, investigate, and resolve problems. In addition, Azure Operator 5G Core alerts provide notifications based on metrics and logs. ## Observability overview Jaeger tracing uses the following workflow: 1. The Jaeger collector stores the traces in Elastic backend storage (fed-elastic). ## Related content-- [What is Azure Operator 5G Core?](overview-product.md)-- [Quickstart: Deploy Azure Operator 5G Core observability on Azure Kubernetes Services (AKS)](quickstart-deploy-observability.md)+- [What is Azure Operator 5G Core Preview?](overview-product.md) +- [Quickstart: Deploy Azure Operator 5G Core observability (preview) on Azure Kubernetes Services (AKS)](quickstart-deploy-observability.md) |
operator-5g-core | Concept Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/concept-security.md | Title: Security in Azure Operator 5G Core -description: Review the security features embedded in Azure Operator 5G Core + Title: Security in Azure Operator 5G Core Preview +description: Review the security features embedded in Azure Operator 5G Core Preview -# Security in Azure Operator 5G Core +# Security in Azure Operator 5G Core Preview -Microsoft is built on Zero Trust security, including Azure Operator 5G Core. Rather than assuming that everything behind the corporate firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure. +Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview. Rather than assuming that everything behind the corporate firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure. Zero Trust follows Azure Operator 5G Core from development through deployment and monitoring. Security monitoring of the application occurs through a combination of native al - Microsoft Defender – Optional protection from cyber threats and vulnerabilities. ## Related content-- [What is Azure Operator 5G Core?](overview-product.md)-- [Observability and analytics in Azure Operator 5G Core](concept-observability-analytics.md)+- [What is Azure Operator 5G Core Preview?](overview-product.md) +- [Observability and analytics in Azure Operator 5G Core Preview](concept-observability-analytics.md) |
operator-5g-core | How To Complete Prerequisites Deploy Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/how-to-complete-prerequisites-deploy-azure-kubernetes-service.md | Title: Prerequisites to deploy Azure Operator 5G Core on Azure Kubernetes Service -description: Learn how to complete the prerequisites necessary to deploy Azure Operator 5G Core on the Azure Kubernetes Service + Title: Prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service +description: Learn how to complete the prerequisites necessary to deploy Azure Operator 5G Core Preview on the Azure Kubernetes Service Last updated 02/22/2024 -# Complete the prerequisites to deploy Azure Operator 5G Core on Azure Kubernetes Service +# Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service -This article shows you how to deploy Azure Operator 5G Core on the Azure Kubernetes Service. The first portion discusses the initial cluster creation; the second shows you how to modify the cluster to add the data plane ports. +This article shows you how to deploy Azure Operator 5G Core Preview on the Azure Kubernetes Service. The first portion discusses the initial cluster creation; the second shows you how to modify the cluster to add the data plane ports. ## Prerequisites $ az network private-endpoint create --resource-group $RG_NAME --name $PRIVATE_E ## Related content - Learn about the [Deployment order on Azure Kubernetes Services](concept-deployment-order.md).-- [Deploy Azure Operator 5G Core](how-to-deploy-5g-core.md).+- [Deploy Azure Operator 5G Core Preview](how-to-deploy-5g-core.md). - [Deploy a network function](quickstart-deploy-network-functions.md). |
operator-5g-core | How To Complete Prerequisites Deploy Nexus Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/how-to-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md | Title: Prerequisites to deploy Azure Operator 5G Core on Nexus Azure Kubernetes Service -description: Learn how to complete the prerequisites necessary to deploy Azure Operator 5G Core on the Nexus Azure Kubernetes Service. + Title: Prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service +description: Learn how to complete the prerequisites necessary to deploy Azure Operator 5G Core Preview on the Nexus Azure Kubernetes Service. Last updated 02/22/2024 #CustomerIntent: As a < type of user >, I want < what? > so that < why? >. -# Complete the prerequisites to deploy Azure Operator 5G Core on Nexus Azure Kubernetes Service +# Complete the prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service This article describes how to provision a Nexus Azure Kubernetes Service (NAKS) cluster by creating: - Network fabric (connectivity) resources Use the following destination to run containers that have their endpoints stored ## Create Cloud Services Networks -You must create a separate CSN instance for each NAKS cluster when you deploy Azure Operator 5G Core on the Nexus platform. +You must create a separate CSN instance for each NAKS cluster when you deploy Azure Operator 5G Core Preview on the Nexus platform. Adjust the additional-egress-endpoints list based on the previous description and lists. ```azurecli az customlocation create -n <CUSTOM-LOCATION-NAME> \ ## Related content - Learn about the [Deployment order](concept-deployment-order.md).-- [Deploy Azure Operator 5G Core](how-to-deploy-5g-core.md).+- [Deploy Azure Operator 5G Core Preview](how-to-deploy-5g-core.md). - [Deploy a network function](quickstart-deploy-network-functions.md). |
operator-5g-core | How To Deploy 5G Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/how-to-deploy-5g-core.md | Title: How to Deploy Azure Operator 5G Core -description: Learn how to deploy Azure Operator 5G core using Bicep Scripts, PowerShell, and Azure CLI. + Title: How to Deploy Azure Operator 5G Core Preview +description: Learn how to deploy Azure Operator 5G core Preview using Bicep Scripts, PowerShell, and Azure CLI. Last updated 02/21/2024 #CustomerIntent: As a < type of user >, I want < what? > so that < why? >. -# Deploy Azure Operator 5G Core +# Deploy Azure Operator 5G Core Preview -Azure Operator 5G Core is deployed using the Azure Operator 5G Core Resource Provider (RP). Bicep scripts are bundled along with empty parameter files for each Mobile Packet Core resource. These resources are: +Azure Operator 5G Core Preview is deployed using the Azure Operator 5G Core Resource Provider (RP). Bicep scripts are bundled along with empty parameter files for each Mobile Packet Core resource. These resources are: - Microsoft.MobilePacketCore/clusterServices - per cluster PaaS services - Microsoft.MobilePacketCore/amfDeployments - AMF/MME network function Before you can successfully deploy Azure Operator 5G Core, you must: - [Register your resource provider](../azure-resource-manager/management/resource-providers-and-types.md) for the HybridNetwork and MobilePacketCore namespaces. Based on your deployment environments, complete one of the following:-- [Prerequisites to deploy Azure Operator 5G Core on Azure Kubernetes Service](how-to-complete-prerequisites-deploy-azure-kubernetes-service.md).-- [Prerequisites to deploy Azure Operator 5G Core on Nexus Azure Kubernetes Service](how-to-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md)+- [Prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service](how-to-complete-prerequisites-deploy-azure-kubernetes-service.md). +- [Prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service](how-to-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md) ## Post cluster creation New-AzResourceGroupDeployment ` ``` ## Next step -- [Monitor the status of your Azure Operator 5G Core deployment](how-to-monitor-deployment-status.md)+- [Monitor the status of your Azure Operator 5G Core Preview deployment](how-to-monitor-deployment-status.md) |
operator-5g-core | How To Monitor Deployment Status | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/how-to-monitor-deployment-status.md | Title: Monitoring the deployment status of Azure Operator 5G Core -description: Monitor the deployment status of your Azure Operator 5G Core and its components + Title: Monitoring the deployment status of Azure Operator 5G Core Preview +description: Monitor the deployment status of your Azure Operator 5G Core Preview and its components -# Monitor the status of your Azure Operator 5G Core deployment +# Monitor the status of your Azure Operator 5G Core Preview deployment -Azure Operator 5G Core provides network function health check information using the Azure portal. +Azure Operator 5G Core Preview provides network function health check information using the Azure portal. ## View health check information You can also view the status of pods in each cluster. ## Related content -- [Observability and analytics in Azure Operator 5G Core](concept-observability-analytics.md)-- [Perform health and configuration checks post-deployment in Azure Operator 5G Core](how-to-perform-checks-post-deployment.md)+- [Observability and analytics in Azure Operator 5G Core Preview](concept-observability-analytics.md) +- [Perform health and configuration checks post-deployment in Azure Operator 5G Core Preview](how-to-perform-checks-post-deployment.md) |
operator-5g-core | How To Perform Checks Post Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/how-to-perform-checks-post-deployment.md | Title: Performing health checks post-deployment in Azure Operator 5G Core + Title: Performing health checks post-deployment in Azure Operator 5G Core Preview description: Learn how to ensure your deployment is running at its highest capacity by performing health checks post-deployment. Last updated 02/21/2024 -# Perform health and configuration checks post-deployment in Azure Operator 5G Core +# Perform health and configuration checks post-deployment in Azure Operator 5G Core Preview -After Azure Operator 5G Core is deployed, you can perform health and configuration checks on the deployment. You must enable an ARC extension to monitor your deployment. +After Azure Operator 5G Core Preview is deployed, you can perform health and configuration checks on the deployment. You must enable an ARC extension to monitor your deployment. ## Set up the Azure CLI After Azure Operator 5G Core is deployed, you can perform health and configurati Enter the following command to configure the ARC: `az connectedk8s connect --name <ConnectedK8sName> --resource-group <ResourceGroupName>` -## Deploy the Azure Operator 5G Core extension +## Deploy the Azure Operator 5G Core Preview extension 1. Enter the following commands to deploy the Azure Operator 5G Core extension: az k8s-extension delete \ --cluster-type connectedClusters \ ``` -## Set permission for Azure Operator 5G Core extension to access metrics +## Set permission for Azure Operator 5G Core Preview extension to access metrics By default, the fed-prometheus cluster can be reached only from a small set of predefined namespaces. You must add the newly created **ao5gc-monitor** to the allowlist to obtain observability metrics. To add the namespace to fed-prometheus: ## Related content -- [Monitor the status of your Azure Operator 5G Core deployment](how-to-monitor-deployment-status.md)-- [Observability and analytics in Azure Operator 5G Core](concept-observability-analytics.md)+- [Monitor the status of your Azure Operator 5G Core Preview deployment](how-to-monitor-deployment-status.md) +- [Observability and analytics in Azure Operator 5G Core Preview](concept-observability-analytics.md) |
operator-5g-core | Overview Product | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/overview-product.md | Title: What is Azure Operator 5G Core? -description: Azure Operator 5G Core is a carrier-grade, Any-G, hybrid mobile packet core with fully integrated network functions that run both on-premises and in-cloud. + Title: What is Azure Operator 5G Core Preview? +description: Azure Operator 5G Core Preview is a carrier-grade, Any-G, hybrid mobile packet core with fully integrated network functions that run both on-premises and in-cloud. Last updated 02/21/2024 -# What is Azure Operator 5G Core? +# What is Azure Operator 5G Core Preview? -Azure Operator 5G Core is a carrier-grade, Any-G, hybrid mobile packet core with fully integrated network functions that run both on-premises and in-cloud. Service providers can deploy resilient networks with high performance and at high capacity while maintaining low latency. Azure Operator 5G Core is ideal for Tier 1 consumer networks, mobile network operators (MNO), virtual network operators (MVNOs), enterprises, IoT, fixed wireless access (FWA), and satellite network operators (SNOs). +Azure Operator 5G Core Preview is a carrier-grade, Any-G, hybrid mobile packet core with fully integrated network functions that run both on-premises and in-cloud. Service providers can deploy resilient networks with high performance and at high capacity while maintaining low latency. Azure Operator 5G Core is ideal for Tier 1 consumer networks, mobile network operators (MNO), virtual network operators (MVNOs), enterprises, IoT, fixed wireless access (FWA), and satellite network operators (SNOs). The power of Azure's global footprint ensures global coverage and operating infrastructure at scale, coupled with Microsoft's Zero Trust security framework to provide secure and reliable connectivity to cloud applications. The table shows which versions of Azure Kubernetes/Nexus Azure Kubernetes K8s ar ## Related content -- [Centralized Lifecycle Management in Azure Operator 5G Core](concept-centralized-lifecycle-management.md)+- [Centralized Lifecycle Management in Azure Operator 5G Core Preview](concept-centralized-lifecycle-management.md) |
operator-5g-core | Quickstart Configure Network Function | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/quickstart-configure-network-function.md | Title: Configure a network function in Azure Operator 5G Core + Title: Configure a network function in Azure Operator 5G Core Preview description: Learn the high-level process for configuring a network function. Last updated 02/22/2024 -# Quickstart: Configure a network function in Azure Operator 5G Core +# Quickstart: Configure a network function in Azure Operator 5G Core Preview -Azure Operator 5G Core supports direct configuration of the first party packet core network functions deployed on Azure and Nexus by: +Azure Operator 5G Core Preview supports direct configuration of the first party packet core network functions deployed on Azure and Nexus by: - enabling SSH access to port 22 of network configuration management pods directly. - enabling configuration of network functions through CLI or by NETCONF to port 830, or by RESTCONF to port 443. |
operator-5g-core | Quickstart Delete Network Function Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/quickstart-delete-network-function-cluster.md | Title: Delete a network function deployment and/or ClusterServices in Azure Operator 5G Core + Title: Delete a network function deployment and/or ClusterServices in Azure Operator 5G Core Preview description: Learn the high-level process to delete a network function deployment and/or ClusterServices. -# Quickstart: Delete a network function deployment or ClusterServices in Azure Operator 5G Core +# Quickstart: Delete a network function deployment or ClusterServices in Azure Operator 5G Core Preview This quickstart shows you the Azure CLI commands you can use to delete a network function deployment or ClusterServices. ## Azure CLI commands -Use the following Azure CLI commands to delete the Azure Operator 5G Core resources: +Use the following Azure CLI commands to delete the Azure Operator 5G Core (preview) resources: `$ az resource delete --ids /subscriptions/${SUB}/resourceGroups/${RGName}/providers/Microsoft.MobilePacketCore/amfDeployments/${ResourceName}` |
operator-5g-core | Quickstart Deploy Network Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/quickstart-deploy-network-functions.md | Last updated 02/21/2024 # Quickstart: Deploy a network function on Azure Kubernetes Services (AKS) or Nexus Azure Kubernetes Services (NAKS) -This quickstart shows you how to deploy various network functions, including SMF, UPF, NRF, NSSF, AMF, MME, and a VNF_Agent in Azure Operator 5G Core. +This quickstart shows you how to deploy various network functions, including SMF, UPF, NRF, NSSF, AMF, MME, and a VNF_Agent in Azure Operator 5G Core Preview. ## Deploy network function using Azure CLI New-AzResourceGroupDeployment ` ## Related content -- [Quickstart: Monitor the status of your Azure Operator 5G Core deployment](how-to-monitor-deployment-status.md)+- [Quickstart: Monitor the status of your Azure Operator 5G Core Preview deployment](how-to-monitor-deployment-status.md) |
operator-5g-core | Quickstart Deploy Observability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/quickstart-deploy-observability.md | Title: Deploy Azure Operator 5G Core observability on Azure Kubernetes Services -description: Learn the high-level process to deploy Azure Operator 5G Core observability on Azure Kubernetes Services. + Title: Deploy Azure Operator 5G Core observability(preview) on Azure Kubernetes Services +description: Learn the high-level process to deploy Azure Operator 5G Core observability (preview) on Azure Kubernetes Services. Last updated 02/22/2024 #CustomerIntent: As a < type of user >, I want < what? > so that < why? >. -# Quickstart: Deploy Azure Operator 5G Core observability on Azure Kubernetes Services (AKS) or Nexus Azure Kubernetes Services (NAKS) +# Quickstart: Deploy Azure Operator 5G Core observability (preview) on Azure Kubernetes Services (AKS) or Nexus Azure Kubernetes Services (NAKS) -Use the following Azure CLI commands to deploy observability resources for Azure Operator 5G Core. +Use the following Azure CLI commands to deploy observability resources for Azure Operator 5G Core Preview. ## Deploy observability |
operator-5g-core | Quickstart Subscription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/quickstart-subscription.md | Title: Get access to Azure Operator 5G Core -description: See the criteria to gain access to Azure Operator 5G Core subscription, and apply for access. + Title: Get access to Azure Operator 5G Core Preview +description: See the criteria to gain access to Azure Operator 5G Core Preview subscription, and apply for access. Last updated 02/22/2024 #CustomerIntent: As a < type of user >, I want < what? > so that < why? >. -# Quickstart: Get Access to Azure Operator 5G Core +# Quickstart: Get Access to Azure Operator 5G Core Preview -Access is currently limited. For now, we're working with customers that have an existing technical partnership with Microsoft and that have targeted specific use cases. In addition to applying for initial access, all requests for Azure Operator 5G Core are required to go through a use case review. +Access is currently limited. For now, we're working with customers that have an existing technical partnership with Microsoft and that have targeted specific use cases. In addition to applying for initial access, all requests for Azure Operator 5G Core Previeware required to go through a use case review. -## Apply for access to Azure Operator 5G Core +## Apply for access to Azure Operator 5G Core Preview [Apply here](https://aka.ms/AO5GC-Activation-Request) for initial access. |
operator-5g-core | Tutorial Configure Network Function | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-5g-core/tutorial-configure-network-function.md | Title: Configure network functions in Azure Operator 5G Core -description: This tutorial outlines the process to configure specific network functions--including SMF, UPF, AMF, NRF, and NSSF--in Azure Operator 5G Core. + Title: Configure network functions in Azure Operator 5G Core Preview +description: This tutorial outlines the process to configure specific network functions--including SMF, UPF, AMF, NRF, and NSSF--in Azure Operator 5G Core Preview. Use the procedure described in [NSSF Configuration](https://manuals.metaswitch.c ## Related content -- [Quickstart: Configure a network function in Azure Operator 5G Core](quickstart-configure-network-function.md)+- [Quickstart: Configure a network function in Azure Operator 5G Core Preview](quickstart-configure-network-function.md) - [Quickstart: Deploy a network function on Azure Kubernetes Services (AKS)](quickstart-deploy-network-functions.md) |
operator-nexus | Howto Baremetal Run Data Extract | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-baremetal-run-data-extract.md | The run data extract command executes one or more predefined scripts to extract The current list of supported commands are -- SupportAssist/TSR collection for Dell troubleshooting\+- [SupportAssist/TSR collection for Dell troubleshooting](#hardware-support-data-collection)\ Command Name: `hardware-support-data-collection`\ Arguments: Type of logs requested - `SysInfo` - System Information - `TTYLog` - Storage TTYLog data - `Debug` - debug logs -- Collect Microsoft Defender for Endpoints (MDE) agent information\+- [Collect Microsoft Defender for Endpoints (MDE) agent information](#collect-mde-agent-information)\ Command Name: `mde-agent-information`\ Arguments: None -- Collect Dell Hardware Rollup Status\+- [Collect MDE diagnostic support logs](#collect-mde-support-diagnostics)\ + Command Name: `mde-support-diagnostics`\ + Arguments: None ++- [Collect Dell Hardware Rollup Status](#hardware-rollup-status)\ Command Name: `hardware-rollup-status`\ Arguments: None Specify multiple commands using json format in `--commands` option. Each `comman These commands can be long running so the recommendation is to set `--limit-time-seconds` to at least 600 seconds (10 minutes). The `Debug` option or running multiple extracts might take longer than 10 minutes. -This example executes the `hardware-support-data-collection` command and get `SysInfo` and `TTYLog` logs from the Dell Server. +In the response, the operation performs asynchronously and returns an HTTP status code of 202. See the [Viewing the Output](#viewing-the-output) section for details on how to track command completion and view the output file. -```azurecli -az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ - --resource-group "resourceGroupName" \ - --subscription "subscription" \ - --commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \ - --limit-time-seconds 600 -``` +### Hardware Support Data Collection -This example executes the `mde-agent-information` command without arguments. +This example executes the `hardware-support-data-collection` command and get `SysInfo` and `TTYLog` logs from the Dell Server. The script executes a `racadm supportassist collect` command on the designated baremetal machine. The resulting tar.gz file contains the zipped extract command file outputs in `hardware-support-data-<timestamp>.zip`. ```azurecli az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ --resource-group "resourceGroupName" \ --subscription "subscription" \- --commands '[{"command":"mde-agent-information"}]' \ + --commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \ --limit-time-seconds 600 ``` -This example executes the `hardware-rollup-status` command without arguments. --```azurecli -az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ - --resource-group "resourceGroupName" \ - --subscription "subscription" \ - --commands '[{"command":"hardware-rollup-status"}]' \ - --limit-time-seconds 600 -``` --In the response, the operation performs asynchronously and returns an HTTP status code of 202. See the **Viewing the output** section for details on how to track command completion and view the output file. --## Viewing the output --Sample output looks something like this. Note the provided link to the tar.gz zipped file from the command execution. The tar.gz file name identifies the file in the Storage Account of the Cluster Manager resource group. You can also use the link to directly access the output zip file. The tar.gz file also contains the zipped extract command file outputs in `hardware-support-data-<timestamp>.zip`. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument `--output-directory`. +__`hardware-support-data-collection` Output__ ```azurecli ====Action Command Output==== Percent Complete=[100] Deleting Job JID_814372800396 Collection successfully exported to /hostfs/tmp/runcommand/hardware-support-data-2023-04-13T21:00:01.zip - ================================ Script execution result can be found in storage account: https://cm2p9bctvhxnst.blob.core.windows.net/bmm-run-command-output/dd84df50-7b02-4d10-a2be-46782cbf4eef-action-bmmdataextcmd.tar.gz?se=2023-04-14T01%3A00%3A15Zandsig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%2BM6rmxDFqXE%3Dandsp=randspr=httpsandsr=bandst=2023-04-13T21%3A00%3A15Zandsv=2019-12-12 ``` +__Example list of hardware support files collected__ ++``` +Archive: TSR20240227164024_FM56PK3.pl.zip + creating: tsr/hardware/ + creating: tsr/hardware/spd/ + creating: tsr/hardware/sysinfo/ + creating: tsr/hardware/sysinfo/inventory/ + inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml + inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml + inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml + inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml + inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml + inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml + creating: tsr/hardware/sysinfo/lcfiles/ + inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz + inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml + creating: tsr/hardware/psu/ + creating: tsr/hardware/idracstateinfo/ + inflating: tsr/hardware/idracstateinfo/avc.log + extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1 +[..snip..] +``` ++### Collect MDE Agent Information + Data is collected with the `mde-agent-information` command and formatted as JSON to `/hostfs/tmp/runcommand/mde-agent-information.json`. The JSON file is found-in the data extract zip file located in the storage account. +in the data extract zip file located in the storage account. The script executes a +sequence of `mdatp` commands on the designated baremetal machine. ++This example executes the `mde-agent-information` command without arguments. ++```azurecli +az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ + --resource-group "resourceGroupName" \ + --subscription "subscription" \ + --commands '[{"command":"mde-agent-information"}]' \ + --limit-time-seconds 600 +``` ++__`mde-agent-information` Output__ ```azurecli ====Action Command Output==== MDE agent is running, proceeding with data extract Getting MDE agent information for bareMetalMachine Writing to /hostfs/tmp/runcommand - ================================ Script execution result can be found in storage account: https://cmzhnh6bdsfsdwpbst.blob.core.windows.net/bmm-run-command-output/f5962f18-2228-450b-8cf7-cb8344fdss63b0-action-bmmdataextcmd.tar.gz?se=2023-07-26T19%3A07%3A22Z&sig=X9K3VoNWRFP78OKqFjvYoxubp65BbNTq%2BGnlHclI9Og%3D&sp=r&spr=https&sr=b&st=2023-07-26T15%3A07%3A22Z&sv=2019-12-12 ``` +__Example JSON object collected__ ++``` +{ + "diagnosticInformation": { + "realTimeProtectionStats": $real_time_protection_stats, + "eventProviderStats": $event_provider_stats + }, + "mdeDefinitions": $mde_definitions, + "generalHealth": $general_health, + "mdeConfiguration": $mde_config, + "scanList": $scan_list, + "threatInformation": { + "list": $threat_info_list, + "quarantineList": $threat_info_quarantine_list + } +} +``` ++### Collect MDE Support Diagnostics ++Data collected from the `mde-support-diagnostics` command uses the MDE Client Analyzer tool to bundle information from `mdatp` commands and relevant log files. The storage account `tgz` file will contain a `zip` file named `mde-support-diagnostics-<hostname>.zip`. The `zip` should be sent along with any support requests to ensure the supporting teams can use the logs for troubleshooting and root cause analysis, if needed. ++This example executes the `mde-support-diagnostics` command without arguments. ++```azurecli +az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ + --resource-group "resourceGroupName" \ + --subscription "subscription" \ + --commands '[{"command":"mde-support-diagnostics"}]' \ + --limit-time-seconds 600 +``` ++__`mde-support-diagnostics` Output__ ++```azurecli +====Action Command Output==== +Executing mde-support-diagnostics command +[2024-01-23 16:07:37.588][INFO] XMDEClientAnalyzer Version: 1.3.2 +[2024-01-23 16:07:38.367][INFO] Top Command output: [/tmp/top_output_2024_01_23_16_07_37mel0nue0.txt] +[2024-01-23 16:07:38.367][INFO] Top Command Summary: [/tmp/top_summary_2024_01_23_16_07_370zh7dkqn.txt] +[2024-01-23 16:07:38.367][INFO] Top Command Outliers: [/tmp/top_outlier_2024_01_23_16_07_37aypcfidh.txt] +[2024-01-23 16:07:38.368][INFO] [MDE Diagnostic] +[2024-01-23 16:07:38.368][INFO] Collecting MDE Diagnostic +[2024-01-23 16:07:38.613][WARNING] mde is not running +[2024-01-23 16:07:41.343][INFO] [SLEEP] [3sec] waiting for agent to create diagnostic package +[2024-01-23 16:07:44.347][INFO] diagnostic package path: /var/opt/microsoft/mdatp/wdavdiag/5b1edef9-3b2a-45c1-a45d-9e7e4b6b869e.zip +[2024-01-23 16:07:44.347][INFO] Successfully created MDE diagnostic zip +[2024-01-23 16:07:44.348][INFO] Adding mde_diagnostic.zip to report directory +[2024-01-23 16:07:44.348][INFO] Collecting MDE Health +[...snip...]
+================================ +Script execution result can be found in storage account: + https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12 +``` ++After downloading the execution result file, the support files can be unzipped for analysis. ++__Example list of information collected by the MDE Client Analyzer__ ++```azurecli +Archive: mde-support-diagnostics-rack1compute02.zip + inflating: mde_diagnostic.zip + inflating: process_information.txt + inflating: auditd_info.txt + inflating: auditd_log_analysis.txt + inflating: auditd_logs.zip + inflating: ebpf_kernel_config.txt + inflating: ebpf_enabled_func.txt + inflating: ebpf_syscalls.zip + inflating: ebpf_raw_syscalls.zip + inflating: messagess.zip + inflating: conflicting_processes_information.txt +[...snip...] +``` ++### Hardware Rollup Status + Data is collected with the `hardware-rollup-status` command and formatted as JSON to `/hostfs/tmp/runcommand/rollupStatus.json`. The JSON file is found-in the data extract zip file located in the storage account. +in the data extract zip file located in the storage account. The data collected will show the health of the machine subsystems. ++This example executes the `hardware-rollup-status` command without arguments. 
++```azurecli +az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \ + --resource-group "resourceGroupName" \ + --subscription "subscription" \ + --commands '[{"command":"hardware-rollup-status"}]' \ + --limit-time-seconds 600 +``` ++__`hardware-rollup-status` Output__ ```azurecli ====Action Command Output==== Executing hardware-rollup-status command Getting rollup status logs for b37dev03a1c002 Writing to /hostfs/tmp/runcommand - ================================ Script execution result can be found in storage account: https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12 ```++__Example JSON Collected__ ++``` +{ + "@odata.context" : "/redfish/v1/$metadata#DellRollupStatusCollection.DellRollupStatusCollection", + "@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus", + "@odata.type" : "#DellRollupStatusCollection.DellRollupStatusCollection", + "Description" : "A collection of DellRollupStatus resource", + "Members" : + [ + { + "@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus", + "@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current", + "@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus", + "CollectionName" : "CurrentRollupStatus", + "Description" : "Represents the subcomponent roll-up statuses.", + "Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current", + "InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Current", + "Name" : "DellRollupStatus", + "RollupStatus" : "Ok", + "SubSystem" : "Current" + }, + { + "@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus", + "@odata.id" : 
"/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage", + "@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus", + "CollectionName" : "VoltageRollupStatus", + "Description" : "Represents the subcomponent roll-up statuses.", + "Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage", + "InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Voltage", + "Name" : "DellRollupStatus", + "RollupStatus" : "Ok", + "SubSystem" : "Voltage" + }, +[..snip..] +``` ++## Viewing the Output ++Note the provided link to the tar.gz zipped file from the command execution. The tar.gz file name identifies the file in the Storage Account of the Cluster Manager resource group. You can also use the link to directly access the output zip file. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument `--output-directory`. |
payment-hsm | Create Payment Hsm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/create-payment-hsm.md | In the output, host 1 and host 2 are listed, as well as a management interface: ... myPaymentHSM_HSMMgmtNic Standard True Succeeded myResourceGroup ... ``` -To see the newly created network interfaces, use the [az network nic show](/cli/azure/network/nic#az-network-nic-show) command, providing the resource group and name of the network interface: +To see the details of a newly created network interface, use the [az network nic show](/cli/azure/network/nic#az-network-nic-show) command, providing the resource group and name of the network interface: ```azurecli-interactive- az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic +az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic ``` The output contains this line: |
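Review bot: the rewritten `az network nic show -g myresourcegroup -n myPaymentHSM_HSMHost1Nic` line keeps the resource group as `myresourcegroup` while the output just above it shows `myResourceGroup`; resource group names are case-insensitive, but readers copy these commands verbatim, so use one spelling throughout.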
payment-hsm | View Payment Hsms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/view-payment-hsms.md | Title: View your Azure Payment HSMs -description: View your Azure Payment HSMs + Title: View your Azure Payment HSMs. +description: View your Azure Payment HSMs. Get-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroup "myResourceGroup" # [Azure portal](#tab/azure-portal) - To view your payment HSMs in the Azure portal: -1. Sign in to the [Azure portal](https://portal.azure.com) +1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select "Resource groups". 1. Select your resource group (for example, "myResourceGroup").-1. You will see your network interfaces, but not your payment HSMs. Select the "Show hidden types" box. - :::image type="content" source="./media/portal-view-payment-hsms.png" lightbox="./media/portal-view-payment-hsms.png" alt-text="Screenshot of the Azure portal displaying all payment HSMs."::: +1. Your network interfaces will appear. To view your payment HSMs as well, select the "Show hidden types" box. + :::image type="content" source="./media/portal-view-payment-hsms.png" lightbox="./media/portal-view-payment-hsms.png" alt-text="Screenshot of the Azure portal displaying all payment HSMs."::: 1. You can select one of your payment HSMs to see its properties.- :::image type="content" source="./media/portal-view-payment-hsm.png" lightbox="./media/portal-view-payment-hsm.png" alt-text="Screenshot of the Azure portal displaying a specific payment HSM and its properties."::: + :::image type="content" source="./media/portal-view-payment-hsm.png" lightbox="./media/portal-view-payment-hsm.png" alt-text="Screenshot of the Azure portal displaying a specific payment HSM and its properties."::: ++To view the IP addresses of the host and management network interfaces, see the "connected devices" associated with your Virtual Network: ++1. From the [Azure portal](https://portal.azure.com), select "Virtual networks". +1. 
Select your virtual network (for example, "myVNet"). +1. From the left-hand sidebar, select "Connected devices". + :::image type="content" source="./media/portal-view-network-interfaces.png" lightbox="./media/portal-view-network-interfaces.png" alt-text="Screenshot of the Azure portal displaying the network interfaces associated with a virtual network."::: |
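Review bot: the added front-matter line `Title: View your Azure Payment HSMs.` ends with a period; the title is used as the browser and search result title and is not normally punctuated, so keep the period only on the `description` line.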
postgresql | Generative Ai Azure Cognitive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/generative-ai-azure-cognitive.md | Title: Integrate with Azure Cognitive Services Preview -description: Integrate Azure Database for PostgreSQL - Flexible Server with Azure Cognitive Services - Preview. + Title: Integrate Azure AI Language Services with Azure Database for PostgreSQL +description: Implement scenarios like sentiment analysis with Cognitive Services and Azure Database for PostgreSQL. Previously updated : 12/12/2023 Last updated : 2/26/2024 |
postgresql | How To Use Pgvector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-use-pgvector.md | |
postgresql | Tutorial Django Aks Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/tutorial-django-aks-database.md | django-app LoadBalancer 10.0.37.27 52.179.23.131 80:30572/TCP 2m Now open a web browser to the external IP address of your service (`http://<service-external-ip-address>`) and view the Django application. > [!NOTE]-> - Currently the Django site isn't using HTTPS. It's recommended to [ENABLE TLS with your own certificates](../../aks/ingress-own-tls.md). -> - You can enable [HTTP routing](../../aks/http-application-routing.md) for your cluster. When http routing is enabled, it configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. +> - Currently the Django site isn't using HTTPS. For more information about HTTPS and how to configure application routing for AKS, see [Managed NGINX ingress with the application routing add-on](../../aks/app-routing.md). ## Run database migrations |
postgresql | Concepts Connectivity Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-connectivity-architecture.md | The following table lists the gateway IP address subnets of the Azure Database f * **Region Name:** This column lists the name of Azure region where Azure Database for PostgreSQL - Single Server is offered. * **Gateway IP address subnets:** This column lists the IP address subnets of the gateway rings located in the particular region. As we retire older gateway hardware, we recommend that you open the client-side firewall to allow outbound traffic for the IP address subnets in the region you are operating. -| **Region name** | **Gateway IP address subnets** | -|:-|:| -| Australia Central | 20.36.105.32/29 | -| Australia Central2 | 20.36.113.32/29 | -| Australia East | 13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29 | -| Australia South East |13.77.49.32/29 | -| Brazil South | 191.233.200.32/29, 191.234.144.32/29| -| Canada Central | 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29| -| Canada East | 40.69.105.32/29 | -| Central US | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29 -| China East | 52.130.112.136/29| -| China East 2 | 52.130.120.88/29| -| China East 3 | 52.130.128.88/29| -| China North | 52.130.128.88/29 | -| China North 2 | 52.130.40.64/29| -| China North 3 | 13.75.32.192/29, 13.75.33.192/29 | -| East Asia | 13.75.32.192/29, 13.75.33.192/29| -| East US |20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29| -| East US 2 |104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29| -| France Central | 40.79.136.32/29, 40.79.144.32/29 | -| France South | 40.79.176.40/29, 40.79.177.32/29| -| Germany West Central | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29| -| India Central | 104.211.86.32/29, 20.192.96.32/29| -| India South | 40.78.192.32/29, 40.78.193.32/29| -| India West | 104.211.144.32/29, 104.211.145.32/29 | -| Japan East | 13.78.104.32/29, 40.79.184.32/29, 
40.79.192.32/29 | -| Japan West | 40.74.96.32/29 | -| Korea Central | 20.194.64.32/29,20.44.24.32/29, 52.231.16.32/29 | -| Korea South | 52.231.145.0/29 | -| North Central US | 52.162.105.192/29| -| North Europe |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29 | -| South Africa North | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29 | -| South Africa West | 102.133.25.32/29| -| South Central US |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29| -| South East Asia | 13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29 | -| Switzerland North |51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27| -| Switzerland West | 51.107.153.32/29| -| UAE Central | 20.37.72.96/29, 20.37.73.96/29 | -| UAE North | 40.120.72.32/29, 65.52.248.32/29 | -| UK South |51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29| -| UK West | 51.140.208.96/29, 51.140.209.32/29 | -| West Central US | 13.71.193.32/29 | -| West Europe | 104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29| -| West US |13.86.217.224/29| -| West US 2 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29| -| West US 3 | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29 | +| **Region name** |**Current Gateway IP address**| **Gateway IP address subnets** | +|:-|:--|:--| +| Australia Central | 20.36.105.32 | 20.36.105.32/29 | +| Australia Central2 | 20.36.113.32 | 20.36.113.32/29 | +| Australia East | 13.70.112.32 | 13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29 | +| Australia South East |13.77.49.33 |13.77.49.32/29 | +| Brazil South | 191.233.201.8, 191.233.200.16 | 191.233.200.32/29, 191.234.144.32/29| +| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29| +| Canada East |40.69.105.32 | 40.69.105.32/29 | +| Central US | 52.182.136.37, 52.182.136.38 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29 +| China East | 52.130.112.139 | 52.130.112.136/29| +| China East 2 | 40.73.82.1, 52.130.120.89 | 52.130.120.88/29| +| China North | 
52.130.128.89| 52.130.128.88/29 | +| China North 2 |40.73.50.0 | 52.130.40.64/29| +| East Asia |13.75.33.20, 13.75.33.21 | 13.75.32.192/29, 13.75.33.192/29| +| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29| +| East US 2 |52.167.105.38, 40.70.144.38|104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29| +| France Central |40.79.129.1 | 40.79.136.32/29, 40.79.144.32/29 | +| France South |40.79.176.40 | 40.79.176.40/29, 40.79.177.32/29| +| Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29| +| India Central |20.192.96.33 | 104.211.86.32/29, 20.192.96.32/29| +| India South | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29| +| India West | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29 | +| Japan East | 40.79.184.8, 40.79.192.23|13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29 | +| Japan West |40.74.96.6| 40.74.96.32/29 | +| Korea Central | 52.231.17.13 | 20.194.64.32/29,20.44.24.32/29, 52.231.16.32/29 | +| Korea South |52.231.145.3| 52.231.145.0/29 | +| North Central US | 52.162.104.35, 52.162.104.36 | 52.162.105.192/29| +| North Europe |52.138.224.6, 52.138.224.7 |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29 | +| South Africa North | 102.133.152.0 | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29 | +| South Africa West |102.133.24.0 | 102.133.25.32/29| +| South Central US | 20.45.120.0 |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29| +| South East Asia | 23.98.80.12, 40.78.233.2| 13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29 | +| Switzerland North |51.107.56.0 |51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27| +| Switzerland West | 51.107.152.0| 51.107.153.32/29| +| UAE Central | 20.37.72.64| 20.37.72.96/29, 20.37.73.96/29 | +| UAE North |65.52.248.0 |40.120.72.32/29, 65.52.248.32/29 | +| UK South | 51.105.64.0|51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29| +| UK West |51.140.208.98 |51.140.208.96/29, 51.140.209.32/29 
| +| West Central US |13.71.193.34 | 13.71.193.32/29 | +| West Europe | 13.69.105.208,104.40.169.187|104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29| +| West US |13.86.216.212, 13.86.217.212 |13.86.217.224/29| +| West US 2 | 13.66.136.192 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29| +| West US 3 |20.150.184.2 | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29 | ## Frequently asked questions |
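Review bot: in the new **Current Gateway IP address** column, many values do not fall inside the subnets listed beside them (for example Central US `52.182.136.37` is outside `52.182.136.192/29`, France Central `40.79.129.1` is outside both `40.79.136.32/29` and `40.79.144.32/29`, Germany West Central `51.116.152.0` is outside `51.116.152.32/29`, and East US `40.71.8.203` is outside every listed East US subnet). Since the surrounding text tells readers to open client-side firewalls to the subnet column, a reader who allows only the subnets will block the gateway address they currently connect to; add a sentence stating that both the current gateway IP and the subnets must be allowed until the older gateways are retired, or explain why the current address can sit outside the subnets. Minor: Korea Central `20.194.64.32/29,20.44.24.32/29` is missing the space after the comma used elsewhere in the column.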
private-5g-core | Enable Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/enable-azure-active-directory.md | You'll now register a new local monitoring application with Microsoft Entra ID t If your deployment contains multiple sites, you can use the same two redirect URIs for all sites, or create different URI pairs for each site. You can configure a maximum of two redirect URIs per site. If you've already registered an application for your deployment and you want to use the same URIs across your sites, you can skip this step. +> [!NOTE] +> These instructions assume you are using a single application for both distributed tracing and the packet core dashboards. If you want to grant access to different user groups for these two tools, you can instead set up one application for the packet core dashboards roles and one for the distributed trace role. + 1. Follow [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register a new application for your local monitoring tools with the Microsoft identity platform. 1. In *Add a redirect URI*, select the **Web** platform and add the following two redirect URIs, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](#configure-domain-system-name-dns-for-local-monitoring-ip): If your deployment contains multiple sites, you can use the same two redirect UR 1. In *Add credentials*, follow the steps to add a client secret. Make sure to record the secret under the **Value** column, as this field is only available immediately after secret creation. This is the **Client secret** value that you'll need later in this procedure. -1. 
Follow [App roles UI](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to create three roles for your application (Admin, Viewer, and Editor) with the following configuration: +1. Follow [App roles UI](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to create the roles for your application with the following configuration: - In **Allowed member types**, select **Users/Groups**.- - In **Value**, enter one of **Admin**, **Viewer**, and **Editor** for each role you're creating. + - In **Value**, enter one of **Admin**, **Viewer**, and **Editor** for each role you're creating. For distributed tracing, you also need a **sas.user** role. - In **Do you want to enable this app role?**, ensure the checkbox is selected. - You'll be able to use these roles when managing access to the packet core dashboards. + You'll be able to use these roles when managing access to the packet core dashboards and distributed tracing tool. 1. Follow [Assign users and groups to roles](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#assign-users-and-groups-to-roles) to assign users and groups to the roles you created. |
private-5g-core | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/whats-new.md | To help you stay up to date with the latest developments, this article covers: This page is updated regularly with the latest developments in Azure Private 5G Core. +## February 2024 +### New Entra ID user role needed for distributed tracing tool ++**Type:** New feature ++**Date available:** February 21, 2024 ++Access to the [distributed tracing](distributed-tracing.md) tool now requires a dedicated sas.user role in Microsoft Entra ID. This user is available from AP5GC version 4.2310.0-8, and required from AP5GC version 2402 onwards. If you are using Microsoft Entra ID authentication, you should create this user prior to upgrading to version 2402 to avoid losing access to the tracing tool. Entra ID access to the packet core dashboards is unchanged. ++See [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md) for details. + ## December 2023 ### Packet Capture |
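Review bot: the new February 2024 entry introduces `sas.user` as a role but then says "This user is available from AP5GC version 4.2310.0-8" and "you should create this user prior to upgrading"; what is created and assigned in Microsoft Entra ID is an app role, not a user, so change both to "this role" and "create and assign this role" to match the linked enable-azure-active-directory article, where `sas.user` is entered under **Value** alongside Admin, Viewer and Editor.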
remote-rendering | Performance Tracing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/how-tos/performance-tracing.md | Title: Create client-side performance traces -description: Best practices for client-side performance profiling using WPF +description: Best practices for client-side performance profiling using WPA Last updated 12/11/2019-There are many reasons why the performance of Azure Remote Rendering may not be as good as desired. Apart from pure rendering performance on the cloud server, especially the quality of the network connection has a significant influence on the experience. To profile the server's performance, refer to chapter [Server-side performance queries](../overview/features/performance-queries.md). +There are many reasons why the performance of Azure Remote Rendering might not be as good as desired. Apart from pure rendering performance on the cloud server, especially the quality of the network connection has a significant influence on the experience. To profile the server's performance, refer to chapter [Server-side performance queries](../overview/features/performance-queries.md). -This chapter focuses on how to identify potential client-side bottlenecks through *:::no-loc text="performance traces":::*. +This chapter focuses on how to identify potential client-side bottlenecks through *:::no-loc text="performance traces.":::* ## Getting started If you're new to the Windows :::no-loc text="performance tracing"::: functionali ### Installation -The applications used to do tracing with ARR are general purpose tools that can be used for all Windows development. They're provided through the [Windows Performance Toolkit](/windows-hardware/test/wpt/). To get this toolkit, download the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install). +The applications used to do tracing with Azure Remote Rendering (ARR) are general purpose tools that can be used for all Windows development. 
They're provided through the [Windows Performance Toolkit](/windows-hardware/test/wpt/). To get this toolkit, download the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install). ### Terminology -When searching for information about performance traces, you may come across a range of terms. The most important ones are: +A range of terms is important when talking about performance traces. The most important ones are: -* `ETW` -* `ETL` -* `WPR` -* `WPA` -* `Perfetto` +* [**E**vent **T**racing for **W**indows](/windows/win32/etw/about-event-tracing) (ETW)\ +**ETW** is the overarching name for the efficient kernel-level tracing facility that is built into Windows. Applications that support ETW emit events to log actions that might help to track down performance issues, thus the name *event* tracing. By default, the operating system already emits events for things like disk accesses, task switches and such. Applications like ARR additionally emit custom events, for instance about dropped frames, network lag etc. -**ETW** stands for [**E**vent **T**racing for **W**indows](/windows/win32/etw/about-event-tracing). It's simply the overarching name for the efficient kernel-level tracing facility that is built into Windows. It's called *event* tracing, because applications that support ETW emit events to log actions that may help to track down performance issues. By default, the operating system already emits events for things like disk accesses, task switches and such. Applications like ARR additionally emit custom events, for instance about dropped frames, network lag etc. +* **E**vent **T**race **L**ogging (ETL)\ +**ETL** describes a gathered (logged) trace and is therefore typically used as the file extension for files that store the tracing data. Thus when you do a trace, you typically have an *\*.etl* file afterwards. -**ETL** stands for **E**vent **T**race **L**ogging. 
It simply means that a trace has been gathered (logged) and is therefore typically used as the file extension for files that store the tracing data. Thus when you do a trace, you typically have an \*.etl file afterwards. +* [**W**indows **P**erformance **R**ecorder](/windows-hardware/test/wpt/windows-performance-recorder) (WPR)\ +**WPR** is the name of the application that starts and stops the recording of event traces. WPR takes a profile file (*\*.wprp*) that configures which exact events to log. Such a `wprp` file is provided with the ARR SDK. When doing traces on a desktop PC, you can launch WPR directly. When doing a trace on the HoloLens, you typically go through the web interface instead. -**WPR** stands for [**W**indows **P**erformance **R**ecorder](/windows-hardware/test/wpt/windows-performance-recorder) and is the name of the application that starts and stops the recording of event traces. WPR takes a profile file (\*.wprp) that configures which exact events to log. Such a `wprp` file is provided with the ARR SDK. When doing traces on a desktop PC, you may launch WPR directly. When doing a trace on the HoloLens, you typically go through the web interface instead. +* [**W**indows **P**erformance **A**nalyzer](/windows-hardware/test/wpt/windows-performance-analyzer) (WPA)\ +**WPA** is the name of the GUI application that is used to open *\*.etl* files and sift through the data to identify performance issues. WPA allows you to sort data by various criteria, display the data in several ways, dig down into details, and correlate information. -**WPA** stands for [**W**indows **P**erformance **A**nalyzer](/windows-hardware/test/wpt/windows-performance-analyzer) and is the name of the GUI application that is used to open \*.etl files and sift through the data to identify performance issues. WPA allows you to sort data by various criteria, display the data in several ways, dig down into details, and correlate information. 
+* `Perfetto`\ +[**Perfetto**](https://perfetto.dev/) is a system profiling and application tracing tool for Android and Linux, which is available since Android 9 Pie. Perfetto is also enabled on [Meta Quest and Quest 2](https://developer.oculus.com/blog/how-to-run-a-perfetto-trace-on-oculus-quest-or-quest-2/) devices (when developer mode is enabled), since v27 OS. [Perfetto Trace Viewer UI](https://ui.perfetto.dev/) can be used to open and analyze resulting Perfetto traces. -[**Perfetto**](https://perfetto.dev/) is a system profiling and application tracing tool for Android and Linux. It's built into Android since Android 9 Pie. Perfetto is also enabled on [Meta Quest and Quest 2](https://developer.oculus.com/blog/how-to-run-a-perfetto-trace-on-oculus-quest-or-quest-2/) devices (when developer mode is enabled), since v27 OS. [Perfetto Trace Viewer UI](https://ui.perfetto.dev/) can be used to open and analyze resulting Perfetto traces. --While ETL traces can be created on any Windows device (local PC, HoloLens, cloud server, etc.), they're typically saved to disk and analyzed with WPA on a desktop PC. ETL files can be sent to other developers for them to have a look. Be aware that sensitive information, such as file-paths and IP addresses, may be captured in ETL traces, though. You can use ETW in two ways: to record traces, or to analyze traces. Recording traces is straight-forward and requires minimal setup. Analyzing traces on the other hand does require a decent understanding of both the WPA tool and the problem that you're investigating. General material for learning WPA is given below, and guidelines for how to interpret ARR-specific traces. +While ETL traces can be created on any Windows device (local PC, HoloLens, cloud server, etc.), they're typically saved to disk and analyzed with WPA on a desktop PC. ETL files can be sent to other developers for them to have a look. ETL traces can include sensitive information, such as file-paths and IP addresses. 
You can use ETW in two ways: to record traces, or to analyze traces. Recording traces is straight-forward and requires minimal setup. Analyzing traces on the other hand does require a decent understanding of both the WPA tool and the problem that you're investigating. General material for learning WPA is given later, and guidelines for how to interpret ARR-specific traces. ## Recording a trace on a local PC -To identify ARR performance issues, you should prefer to do a trace directly on a HoloLens. Because that is the only way to get a snapshot of the true performance characteristics. However, if you specifically want to do a trace without the HoloLens performance restrictions or you just want to learn how to use WPA and don't need a realistic trace, here's how to do so. +Use traces on PC to either get familiar with the tools or if you have an issue where the hardware restrictions of the HoloLens aren't relevant. Otherwise you can skip to the [Recording a trace on a HoloLens](#recording-a-trace-on-a-hololens) section. Especially ARR performance issues should only be traced directly on a HoloLens. ### WPR configuration 1. Launch the [:::no-loc text="Windows Performance Recorder":::](/windows-hardware/test/wpt/windows-performance-recorder) from the *start menu*.-1. Expand **More Options** -1. Select **Add Profiles...** +1. Expand **More Options**. +1. Select **Add Profiles...**. 1. Select the file *AzureRemoteRenderingNetworkProfiling.wprp*. You can find this file in the ARR SDK under *Tools/ETLProfiles*.- The profile will now be listed in WPR under *Custom measurements*. Make sure it's the only enabled profile. -1. Expand *First level triage*: + The profile is listed in WPR under *Custom measurements*. Make sure it's the only enabled profile. +1. Expand *First level triage*. * If all you want to do is capture a quick trace of the ARR networking events, **disable** this option. 
* If you need to correlate ARR network events with other system characteristics, such as CPU or memory usage, then **enable** this option.- * If you do enable this option, the trace will most likely be multiple gigabytes in size and take a long time to save and open in WPA. + * Traces with this option enabled are most likely multiple gigabytes in size and might take a long time to save and open in WPA. Afterwards your WPR configuration should look like this: -![WPR configuration](./media/wpr.png) +![Screenshot of the Windows Performance Recorder with a selected AzureRemoteRenderingNetworkProfiling profile.](./media/wpr.png) ### Recording -Select **Start** to start recording a trace. You can start and stop recording at any time; you don't need to close your application before doing so. As you can see you don't need to specify which application to trace, as ETW will always record a trace for the entire system. The `wprp` file specifies which types of events to record. +Select **Start** to start recording a trace. You can start and stop recording at any time; you don't need to close your application before doing so. As you can see you don't need to specify which application to trace, as ETW records a trace for the entire system. The `wprp` file specifies which types of events to record. Select **Save** to stop recording and specify where to store the ETL file. You now have an ETL file that you can open in WPA. To record a trace on a HoloLens, boot up your device and enter its IP address into a browser to open up the *Device Portal*. -![Device Portal](./media/wpr-hl.png) +![Screenshot of the Performance Tracing webpage in the HoloLens Device Portal.](./media/wpr-hololens.png) 1. On the left, navigate to *Performance > Performance Tracing*.-1. Select **Custom profiles** -1. Select **:::no-loc text="Browse...":::** +1. Select **Custom profiles**. +1. Select **:::no-loc text="Browse...":::**. 1. Select the file *AzureRemoteRenderingNetworkProfiling.wprp*. 
You can find this file in the ARR SDK under *Tools/ETLProfiles*.-1. Select **Start Trace** +1. Select **Start Trace**. 1. The HoloLens is now recording a trace. Make sure to trigger the performance issues that you want to investigate. Then select **Stop Trace**.-1. The trace is then listed at the bottom of the webpage. Select the disk icon at the right-hand side to download the ETL file. +1. The trace is then listed at the bottom of the webpage. To download the ETL file, select the disk icon at the right-hand side. You now have an ETL file that you can open in WPA. To record a trace on a Quest, you need [adb command-line tool](https://developer 1. Make sure that adb is authorized to access your device by running `adb devices` and verifying that the device is listed. 1. Locate tracing config file *AzureRemoteRenderingPerfetto.txt* file from ARR SDK under *Tools/ETLProfiles*. * By default, the trace configuration is set up to run for 30 seconds. This configuration can be modified by editing the `duration_ms: 30000` value in *AzureRemoteRenderingPerfetto.txt* file.-1. On PowerShell, run `$config = cat "AzureRemoteRenderingPerfetto.txt" | adb shell perfetto -c - $config --txt --o "/data/misc/perfetto-traces/trace"` -1. You should see output similar to: +1. On PowerShell, run `$config = cat "AzureRemoteRenderingPerfetto.txt" | adb shell perfetto -c - $config --txt --o "/data/misc/perfetto-traces/trace"`. +1. You should see output similar to this line. ``` [522.149] perfetto_cmd.cc:825 Connected to the Perfetto traced service, TTL: 30s ``` 1. Quest device is now recording a trace. Start your application and trigger the issue that you want to investigate.-1. When the trace recording is finished, you should see an output similar to: +1. When the trace recording is finished, you should see an output similar to this line. ``` [552.637] perfetto_cmd.cc:946 Trace written into the output file ```-1. 
Finally, you can pull the file from the device by running `adb pull "/data/misc/perfetto-traces/trace" "outputTrace.pftrace"` +1. Finally, you can pull the file from the device by running `adb pull "/data/misc/perfetto-traces/trace" "outputTrace.pftrace"`. You now have a Perfetto trace file that you can open on [Perfetto Trace Viewer UI](https://ui.perfetto.dev/). You now have a Perfetto trace file that you can open on [Perfetto Trace Viewer U Windows Performance Analyzer is the standard tool to open ETL files and inspect the traces. An explanation how WPA works is out of scope for this article. To get started, have a look at these resources: * Watch the [introductory videos](/windows-hardware/test/wpt/windows-performance-analyzer) for a first overview.-* WPA itself has a *Getting Started* tab, which explains common steps. Have a look at the available articles. Especially under "View Data" you get a quick introduction how to create graphs for specific data. -* There's excellent information [on this website](https://randomascii.wordpress.com/2015/09/24/etw-central/), however, not all of it's relevant for beginners. +* Look into the *Getting Started* tab in WPA itself, which explains common steps. Have a look at the available articles. Especially under "View Data" you get a quick introduction how to create graphs for specific data. +* Look through the excellent information [on this website](https://randomascii.wordpress.com/2015/09/24/etw-central/), however, not all of it's relevant for beginners. ### Graphing data To get started with ARR tracing, the following pieces are good to know. -![Performance graph](./media/wpa-graph.png) +![Screenshot of an example graph in the Windows Performance Analyzer tool.](./media/wpa-graph.png) -The image above shows a table of tracing data and a graph representation of the same data. +The image shows a table of tracing data and a graph representation of the same data. 
In the table at the bottom, note the yellow (golden) bar and the blue bar. You can drag these bars and place them at any position. -All **columns to the left of the yellow bar** are interpreted as **keys**. Keys are used to structure the tree in the top-left window. Here we have two *key* columns, "Provider Name" and "Task Name". So the tree structure in the top-left window is two levels deep. If you reorder the columns or add or remove columns from the key area, the structure in the tree view changes. +All **columns to the left of the yellow bar** are interpreted as **keys**. Keys are used to structure the tree in the top-left window. Here we have two *key* columns, "Provider Name" and "Task Name." So the tree structure in the top-left window is two levels deep. If you reorder the columns or add or remove columns from the key area, the structure in the tree view changes. -**Columns to the right of the blue bar** are used for the **graph display** in the top-right window. Most of the time only the first column is used, but some graph modes require multiple columns of data. For line graphs to work, the *aggregation mode* on that column must be set. Use 'Avg' or 'Max'. The aggregation mode is used to determine the value of the graph at a given pixel, when a pixel covers a range with multiple events. This can be observed by setting aggregation to 'Sum' and then zooming in and out. +**Columns to the right of the blue bar** are used for the **graph display** in the top-right window. Most of the time only the first column is used, but some graph modes require multiple columns of data. For line graphs to work, the *aggregation mode* on that column must be set. Use 'Avg' or 'Max.' The aggregation mode is used to determine the value of the graph at a given pixel, when a pixel covers a range with multiple events. This property can be observed by setting aggregation to 'Sum' and then zooming in and out. The columns in the middle have no special meaning. 
-![Events view](./media/wpa-event-view.png) +![Screenshot of the Generic Events View Editor in the Windows Performance Analyzer tool.](./media/wpa-event-view.png) -In the *Generic Events View Editor* you can configure all the columns to display, the aggregation mode, sorting and which columns are used as keys or for graphing. In the example above, **Field 2** is enabled and Field 3 - 6 are disabled. Field 2 is typically the first *custom data* field of an ETW event and thus for ARR "FrameStatistics" events, which represent some network latency value. Enable other "Field" columns to see further values of this event. +In the *Generic Events View Editor* you can configure all the columns to display, the aggregation mode, sorting and which columns are used as keys or for graphing. In the example image, **Field 2** is enabled and Field 3 - 6 are disabled. Field 2 is typically the first *custom data* field of an ETW event and thus for ARR "FrameStatistics" events, which represent some network latency value. Enable other "Field" columns to see further values of this event. ### Presets -To properly analyze a trace, you need to figure out your own workflow, and preferred data display. However, to be able to get a quick overview over the ARR-specific events, we include Windows Software Protection Platform profile and presets files in the folder *Tools/ETLProfiles*. To load a full profile, select *Profiles > Apply...* from the WPA menu bar, or open the *My Presets* panel (*Window > My Presets*) and select *Import*. The former sets up a complete WPA configuration as in the image below. The latter only makes presets for the various view configurations available and allow you to quickly open a view to look at a specific piece of ARR event data. +To properly analyze a trace, you need to figure out your own workflow, and preferred data display. 
However, to be able to get a quick overview over the ARR-specific events, we include Windows Software Protection Platform profile and presets files in the folder *Tools/ETLProfiles*. To load a full profile, select *Profiles > Apply...* from the WPA menu bar, or open the *My Presets* panel (*Window > My Presets*) and select *Import*. The former sets up a complete WPA configuration as in the image below this paragraph. The latter only makes presets for the various view configurations available and allow you to quickly open a view to look at a specific piece of ARR event data. -![Presets](./media/wpa-arr-trace.png) +![Screenshot of the Windows Performance Analyzer tool with the ARR presets applied.](./media/wpa-arr-trace.png) -The image above shows views of various ARR-specific events plus a view of the overall CPU utilization. +The image shows views of various ARR-specific events plus a view of the overall CPU utilization. ## Next steps |
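Review bot: the Quest recording step's PowerShell command references `$config` inside the same pipeline that assigns it (`$config = cat "AzureRemoteRenderingPerfetto.txt" | adb shell perfetto -c - $config --txt --o "/data/misc/perfetto-traces/trace"`), so on the first run the variable is empty and the configuration only reaches perfetto via stdin through `-c -`; either drop both the `$config =` assignment and the `$config` argument, or read the file into the variable in a separate statement first. The perfetto CLI documents its output option as `-o`/`--out`, so `-o` is the safer spelling than `--o`.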
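Review bot: in the Presets section both the removed and the added line read "we include Windows Software Protection Platform profile and presets files", which is the wrong expansion of WPA in this article; the files are loaded through WPA's *Profiles > Apply...* menu, that is, Windows Performance Analyzer. Suggest "we include a WPA profile and presets files in the folder *Tools/ETLProfiles*".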
remote-rendering | Deploy To Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/quickstarts/deploy-to-desktop.md | -In this quickstart you learn how to: +In this quickstart, you learn how to: > [!div class="checklist"] > In this quickstart you learn how to: ## Prerequisites -In this quickstart we deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). +In this quickstart, we deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). Make sure your credentials are saved properly with the scene and you can connect to a session from within the Unity editor. Make sure your credentials are saved properly with the scene and you can connect Only flat desktop apps are currently supported on desktop so VR support has to be disabled. +# [Standalone](#tab/UnityStandalone) ++In the standalone build VR support is automatically disabled. No steps are needed here. ++# [Universal Windows Platform (UWP)](#tab/UnityUWP) + 1. Open *Edit > Project Settings...*-1. Select **Player** on the left. +1. Select **XR Plugin Management** in the menu to the left. 1. Select the **Universal Windows Platform settings** tab.-1. Expand the **XR Settings**. -1. Disable **Virtual Reality Supported**.\ - ![player settings](./media/unity-disable-xr.png) -1. Above *XR Settings*, expand **Publishing Settings**. -1. In **Supported Device Families**, make sure **Desktop** is checked. +1. Disable **OpenXR**.\ + ![A screenshot showing the Project Settings menu with a disabled "OpenXR" setting.](./media/unity-2020-disable-xr.png) ++ ## Build the sample project +# [Standalone](#tab/UnityStandalone) + 1. Open *File > Build Settings*.-1. Change *Platform* to **Universal Windows Platform** (**PC Standalone** is also supported but not used here). -1. Set *Target Device* to **PC**. -1. Set *Architecture* to **x86**. -1. 
Set *Build Type* to **D3D Project**.\ - ![Build settings](./media/unity-build-settings-pc.png) -1. Select **Switch to Platform**. -1. When pressing **Build** (or 'Build And Run'), you are asked to select some folder where the solution should be stored. +1. Change *Platform* to **PC, Mac & Linux Standalone**. +1. Set *Target Platform* to **Windows**.\ + ![A screenshot showing the Build Menu with the settings set for a standalone build.](./media/unity-2021-build-settings-pc-standalone.png) +1. Select **Switch Platform**. +1. When pressing **Build** (or 'Build And Run'), you're asked to select some folder where the *.exe* should be stored. ++# [UWP](#tab/UnityUWP) ++1. Open *File > Build Settings*. +1. Change *Platform* to **Universal Windows Platform**.\ + ![A screenshot showing the Build Menu with the settings set for a UWP build.](./media/unity-2021-build-settings-pc.png) +1. Select **Switch Platform**. +1. When pressing **Build** (or 'Build And Run'), you're asked to select some folder where the solution should be stored. ++++## Build the Visual Studio solution ++# [Standalone](#tab/UnityStandalone) ++Building in standalone mode doesn't produce a Visual Studio solution, but instead a simple *.exe* file. No second building step is necessary here. ++# [UWP](#tab/UnityUWP) + 1. Open the generated **Quickstart.sln** with Visual Studio. 1. Change the configuration to **Release** and **x86**. 1. Switch the debugger mode to **Local Machine**.\- ![Solution configuration](./media/unity-deploy-config-pc.png) + ![A screenshot showing the Visual Studio configuration and debugger mode.](./media/unity-deploy-config-pc.png) 1. Build the solution. ++ ## Launch the sample project -Start the Debugger in Visual Studio (F5). It will automatically deploy the app to the PC. +# [Standalone](#tab/UnityStandalone) ++Run the *.exe* file, which was produced in the build step. ++# [UWP](#tab/UnityUWP) ++Start the Debugger in Visual Studio (F5). It automatically deploys the app to the PC. 
The sample app should launch and then start a new session. After a while, the session is ready and the remotely rendered model will appear in front of you. If you want to launch the sample a second time later, you can also find it from the Start menu now. ++ ## Next steps In the next quickstart, we'll take a look at converting a custom model. |
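Review bot: the UWP tab of "Build the sample project" drops the former *Target Device*, *Architecture* and *Build Type* steps, but "Build the Visual Studio solution" still says "Change the configuration to **Release** and **x86**"; state where the architecture is now chosen (the platform selector in Visual Studio for the generated solution) so the reader does not look for a missing Unity step. Minor: the Standalone "Launch" tab refers to "the *.exe* file, which was produced in the build step", while that step only asks for a target folder; naming the produced executable would make the step unambiguous.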
remote-rendering | Deploy To Hololens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/quickstarts/deploy-to-hololens.md | -In this quickstart you'll learn how to: +In this quickstart, you learn how to: > [!div class="checklist"] > In this quickstart you'll learn how to: ## Prerequisites -In this quickstart, we'll deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). +In this quickstart, we deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). Make sure your credentials are saved properly with the scene and you can connect to a session from within the Unity editor. The HoloLens 2 must be in developer mode and paired with the desktop machine. Refer to [using the device portal](/windows/mixed-reality/develop/advanced-concepts/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal) for further instructions. ## Build the sample project +# [Unity 2021+](#tab/Unity2021PlusBuild) ++1. Open *File > Build Settings*. +1. Change *Platform* to **Universal Windows Platform**.\ + ![A screenshot showing the Build Menu with the settings set for a UWP build in Unity 2021 or later.](./media/unity-2021-build-settings-hololens.png) +1. Select **Switch Platform**. +1. When pressing **Build** (or 'Build And Run'), you're asked to select some folder where the solution should be stored. ++# [Unity 2020](#tab/Unity2020Build) + 1. Open *File > Build Settings*.-1. Change *Platform* to **Universal Windows Platform** -1. Set *Target Device* to **HoloLens** -1. Set *Architecture* to **ARM64** -1. Set *Build Type* to **D3D Project**\ - ![Build settings](./media/unity-build-settings.png) -1. Select **Switch to Platform** -1. When pressing **Build** (or 'Build And Run'), you'll be asked to select some folder where the solution should be stored +1. 
Change *Platform* to **Universal Windows Platform**.\ + ![A screenshot showing the Build Menu with the settings set for a UWP build in Unity 2020.](./media/unity-2020-build-settings-hololens.png) +1. Select **Switch Platform**. +1. When pressing **Build** (or 'Build And Run'), you're asked to select some folder where the solution should be stored. ++++## Build the Visual Studio solution + 1. Open the generated **Quickstart.sln** with Visual Studio 1. Change the configuration to **Release** and **ARM64** 1. Switch the debugger mode to **Remote Machine**\- ![Solution configuration](media/unity-deploy-config.png) + ![A screenshot showing the Visual Studio configuration and debugger mode.](media/unity-deploy-config.png) 1. Build the solution-1. For the project 'Quickstart', go to *Properties > Debugging* - 1. Make sure the configuration *Release* is active +1. In the Solution Explorer, select the 'Quickstart' project + 1. Go to *Properties* + 1. Make sure the configuration *Release* and platform *ARM64* are active + 1. Go to Debugging 1. Set *Debugger to Launch* to **Remote Machine** 1. Change *Machine Name* to the **IP of your HoloLens** ## Launch the sample project 1. Connect the HoloLens with a USB cable to your PC.-1. Start the Debugger in Visual Studio (F5). It will automatically deploy the app to the device. +1. Start the Debugger in Visual Studio (F5). It automatically deploys the app to the device. The sample app should launch and then start a new session. After a while, the session is ready and the remotely rendered model will appear in front of you. If you want to launch the sample a second time later, you can also find it from the HoloLens start menu now. |
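Review bot: both new tabs in "Build the sample project" remove the *Target Device* **HoloLens** and *Architecture* **ARM64** steps, yet "Build the Visual Studio solution" still requires **Release** and **ARM64** and the project-properties step says the *ARM64* platform must be active; say explicitly that the ARM64 platform is selected in Visual Studio rather than in Unity's Build Settings, otherwise the Unity 2020 tab looks as if it lost a required step. Style: the list items in the Visual Studio section ("Open the generated **Quickstart.sln** with Visual Studio", "Build the solution") lack the trailing periods the rest of the change adds.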
remote-rendering | Deploy To Quest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/quickstarts/deploy-to-quest.md | This quickstart covers how to deploy and run the quickstart sample app for Unity > > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -In this quickstart you'll learn how to: +In this quickstart, you learn how to: > [!div class="checklist"] > In this quickstart you'll learn how to: ## Prerequisites -In this quickstart, we'll deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). +In this quickstart, we deploy the sample project from [Quickstart: Render a model with Unity](render-model.md). Make sure your credentials are saved properly with the scene and you can connect to a session from within the Unity editor. -In Unity you need to have **Android Build Support** installed. +In Unity, you need to have **Android Build Support** installed. Your Quest 2 / Quest Pro device must be set up for [Developer Mode](https://developer.oculus.com/documentation/native/android/mobile-device-setup/). -You need to have the [Android SDK](https://developer.android.com/studio) installed, so that tools like the [Android Debug Bridge (ADB)](https://developer.android.com/tools/adb) are available. You should also make sure these are in your `PATH` environment variable. +You need to have the [Android SDK](https://developer.android.com/studio) installed, so that tools like the [Android Debug Bridge (ADB)](https://developer.android.com/tools/adb) are available. You should also make sure the path to these binaries are in your `PATH` environment variable. -Make sure your Quest device is connected to the PC and side-loading APKs via `adb` works. +Make sure your Quest device is connected to the PC and side-loading Android Packages (APKs) via `adb` works. ## Build the sample project 1. 
Open *File > Build Settings*.-1. Change *Platform* to **Android** +1. Change *Platform* to **Android**. 1. If you want to be able to debug the APK, enable *Development Build*.-1. Select **Switch to Platform** - ![Solution configuration](media/unity-deploy-config-android.png) -1. When pressing **Build** (or 'Build And Run'), you'll be asked to select a folder where the APK should be stored. +1. Select **Switch Platform**. + ![A screenshot showing the Build Menu with the settings set for an Android build.](media/unity-deploy-config-android.png) +1. When pressing **Build** (or 'Build And Run'), you're asked to select a folder where the APK should be stored. 1. Once the APK file is finished, it needs to be deployed to your device using `adb`.-1. Open a command prompt, navigate to the APK file and run `adb install <YourFileName.apk>` +1. Open a command prompt, navigate to the APK file, and run `adb install <YourFileName.apk>`. ## Launch the sample project |
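Review bot: the added prerequisite line reads "make sure the path to these binaries are in your `PATH` environment variable"; the subject is "the path", so it should be "is in your `PATH`". Also, "Select **Switch Platform**." is followed directly by the screenshot line without the trailing backslash the other quickstarts use before an image, which renders the screenshot as a separate paragraph rather than part of the step.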
role-based-access-control | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/best-practices.md | Title: Best practices for Azure RBAC description: Best practices for using Azure role-based access control (Azure RBAC).- |
role-based-access-control | Change History Report | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/change-history-report.md | Title: View activity logs for Azure RBAC changes description: View activity logs for Azure role-based access control (Azure RBAC) changes for the past 90 days.- |
role-based-access-control | Classic Administrators | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/classic-administrators.md | Title: Azure classic subscription administrators description: Describes how to remove or change the Azure Co-Administrator and Service Administrator roles, and how to view the Account Administrator.- |
role-based-access-control | Conditions Authorization Actions Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-authorization-actions-attributes.md | Title: Authorization actions and attributes description: Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) in authorization- |
role-based-access-control | Conditions Custom Security Attributes Example | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes-example.md | Title: Scale the management of Azure role assignments by using conditions and custom security attributes - Azure ABAC description: Scale the management of Azure role assignments by using Azure attribute-based access control (Azure ABAC) conditions and Microsoft Entra custom security attributes for principals.- |
role-based-access-control | Conditions Custom Security Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes.md | Title: "Allow read access to blobs based on tags and custom security attributes - Azure ABAC" description: Allow read access to blobs based on tags and custom security attributes by using Azure role assignment conditions and Azure attribute-based access control (Azure ABAC).- |
role-based-access-control | Conditions Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-faq.md | Title: FAQ for Azure role assignment conditions - Azure ABAC description: Frequently asked questions for Azure role assignment conditions- |
role-based-access-control | Conditions Format | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-format.md | Title: Azure role assignment condition format and syntax - Azure ABAC description: Get an overview of the format and syntax of Azure role assignment conditions for Azure attribute-based access control (Azure ABAC).- |
role-based-access-control | Conditions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-overview.md | Title: What is Azure attribute-based access control (Azure ABAC)? description: Get an overview of Azure attribute-based access control (Azure ABAC). Use role assignments with conditions to control access to Azure resources.- |
role-based-access-control | Conditions Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-prerequisites.md | Title: Prerequisites for Azure role assignment conditions - Azure ABAC description: Prerequisites for Azure role assignment conditions.- |
role-based-access-control | Conditions Role Assignments Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-cli.md | Title: Add or edit Azure role assignment conditions using Azure CLI - Azure ABAC description: Learn how to add, edit, list, or delete attribute-based access control (ABAC) conditions in Azure role assignments using Azure CLI and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Conditions Role Assignments Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-portal.md | Title: Add or edit Azure role assignment conditions using the Azure portal - Azure ABAC description: Learn how to add, edit, view, or delete attribute-based access control (ABAC) conditions in Azure role assignments using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Conditions Role Assignments Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-powershell.md | Title: Add or edit Azure role assignment conditions using Azure PowerShell - Azure ABAC description: Learn how to add, edit, list, or delete attribute-based access control (ABAC) conditions in Azure role assignments using Azure PowerShell and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Conditions Role Assignments Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-rest.md | Title: Add or edit Azure role assignment conditions using the REST API - Azure ABAC description: Learn how to add, edit, list, or delete attribute-based access control (ABAC) conditions in Azure role assignments using the REST API and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Conditions Role Assignments Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-template.md | Title: Add Azure role assignment conditions using Azure Resource Manager templates - Azure ABAC description: Learn how to add attribute-based access control (ABAC) conditions in Azure role assignments using Azure Resource Manager templates and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Conditions Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-troubleshoot.md | Title: Troubleshoot Azure role assignment conditions - Azure ABAC description: Troubleshoot Azure role assignment conditions- Previously updated : 11/15/2023 Last updated : 02/27/2024 Ensure that the security principals don't have multiple role assignments (with o **Cause 2** -Your role assignment has multiple actions that grant a permission and your condition does not target all the actions. For example, you can create a blob if you have either `/blobs/write` or `/blobs/add/action` data actions. If your role assignment has both data actions and you target only one of them in a condition, the role assignment will grant the permission to create blobs and bypass the condition. +Your role assignment has multiple actions that grant a permission and your condition doesn't target all the actions. For example, you can create a blob if you have either `/blobs/write` or `/blobs/add/action` data actions. If your role assignment has both data actions and you target only one of them in a condition, the role assignment will grant the permission to create blobs and bypass the condition. **Solution 2** Set `conditionVersion` property to "2.0". **Cause 2** -Your condition is not formatted correctly. +Your condition isn't formatted correctly. **Solution 2** Fix any [condition format or syntax](conditions-format.md) issues. Alternatively ### Symptom - Principal does not appear in Attribute source -When you try to add a role assignment with a condition, **Principal** does not appear in the **Attribute source** list. +When you try to add a role assignment with a condition, **Principal** doesn't appear in the **Attribute source** list. 
![Screenshot showing Principal in Attribute source list when adding a condition.](./media/conditions-troubleshoot/condition-principal-attribute-source.png) When you make edits in the code editor and then switch to the visual editor, you **Cause** -The specified attribute is not available in the current scope, such as using `Version ID` in a storage account with hierarchical namespace enabled. +The specified attribute isn't available in the current scope, such as using `Version ID` in a storage account with hierarchical namespace enabled. **Solution** When you make edits in the code editor and then switch to the visual editor, you **Cause** -The specified attribute is not recognized, possibly because of a typo. +The specified attribute isn't recognized, possibly because of a typo. **Solution** When you make edits in the code editor and then switch to the visual editor, you **Cause** -The right side of the expression contains an attribute or value that is not valid. +The right side of the expression contains an attribute or value that isn't valid. **Solution** When you remove all of the actions in the visual editor, you get the following m **Cause** -There is an existing expression, but no actions have been selected as a target. +There's an existing expression, but no actions have been selected as a target. **Solution** When you attempt to add an expression, you get the following message: **Cause** -One or more role definition IDs that you attempted to add for the [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) attribute was not found or does not have the correct GUID format: `00000000-0000-0000-0000-000000000000`. +One or more role definition IDs that you attempted to add for the [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) attribute wasn't found or doesn't have the correct GUID format: `00000000-0000-0000-0000-000000000000`. **Solution** When you attempt to add an expression, you get the following message: **Cause** -One or more principal IDs that you attempted to add for the [Principal ID](conditions-authorization-actions-attributes.md#principal-id) attribute was not found or does not have the correct GUID format: `00000000-0000-0000-0000-000000000000`. +One or more principal IDs that you attempted to add for the [Principal ID](conditions-authorization-actions-attributes.md#principal-id) attribute wasn't found or doesn't have the correct GUID format: `00000000-0000-0000-0000-000000000000`. **Solution** $condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/ **Cause** -If you use PowerShell and copy a condition from a document, it might include special characters that cause the following error. Some editors (such as Microsoft Word) add control characters when formatting text that does not appear. +If you use PowerShell and copy a condition from a document, it might include special characters that cause the following error. Some editors (such as Microsoft Word) add control characters when formatting text that doesn't appear. `The given role assignment condition is invalid.` **Solution** -If you copied a condition from a rich text editor and you are certain the condition is correct, delete all spaces and returns and then add back the relevant spaces. Alternatively, use a plain text editor or a code editor, such as Visual Studio Code. +If you copied a condition from a rich text editor and you're certain the condition is correct, delete all spaces and returns and then add back the relevant spaces. Alternatively, use a plain text editor or a code editor, such as Visual Studio Code. ## Error messages in Azure CLI When you try to add a role assignment with a condition using Azure CLI, you get **Cause** -You are likely using an earlier version of Azure CLI that does not support role assignment condition parameters. +You're likely using an earlier version of Azure CLI that doesn't support role assignment condition parameters. **Solution** |
role-based-access-control | Custom Roles Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-cli.md | Title: Create or update Azure custom roles using Azure CLI - Azure RBAC description: Learn how to list, create, update, or delete Azure custom roles using Azure CLI and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Custom Roles Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-portal.md | Title: Create or update Azure custom roles using the Azure portal - Azure RBAC description: Learn how to create Azure custom roles using the Azure portal and Azure role-based access control (Azure RBAC). This includes how to list, create, update, and delete custom roles.- |
role-based-access-control | Custom Roles Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-powershell.md | Title: Create or update Azure custom roles using Azure PowerShell - Azure RBAC description: Learn how to list, create, update, or delete custom roles using Azure PowerShell and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Custom Roles Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-rest.md | Title: Create or update Azure custom roles using the REST API - Azure RBAC description: Learn how to list, create, update, or delete Azure custom roles using the REST API and Azure role-based access control (Azure RBAC).- ms.assetid: 1f90228a-7aac-4ea7-ad82-b57d222ab128 |
role-based-access-control | Custom Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles.md | Title: Azure custom roles - Azure RBAC description: Learn how to create Azure custom roles with Azure role-based access control (Azure RBAC) for fine-grained access management of Azure resources.- |
role-based-access-control | Delegate Role Assignments Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-examples.md | Title: Examples to delegate Azure role assignment management with conditions - Azure ABAC description: Examples to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).- |
role-based-access-control | Delegate Role Assignments Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-overview.md | Title: Delegate Azure access management to others - Azure ABAC description: Overview of how to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).- |
role-based-access-control | Delegate Role Assignments Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-portal.md | Title: Delegate Azure role assignment management to others with conditions - Azure ABAC description: How to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).- |
role-based-access-control | Deny Assignments Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-portal.md | Title: List Azure deny assignments using the Azure portal - Azure RBAC description: Learn how to list the users, groups, service principals, and managed identities that have been denied access to specific Azure resource actions at particular scopes using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Deny Assignments Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-powershell.md | Title: List Azure deny assignments using Azure PowerShell - Azure RBAC description: Learn how to list the users, groups, service principals, and managed identities that have been denied access to specific Azure resource actions at particular scopes using Azure PowerShell and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Deny Assignments Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-rest.md | Title: List Azure deny assignments using the REST API - Azure RBAC description: Learn how to list Azure deny assignments for users, groups, and applications using the REST API and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Deny Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments.md | Title: Understand Azure deny assignments - Azure RBAC description: Learn about Azure deny assignments in Azure role-based access control (Azure RBAC).- |
role-based-access-control | Elevate Access Global Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/elevate-access-global-admin.md | Title: Elevate access to manage all Azure subscriptions and management groups description: Describes how to elevate access for a Global Administrator to manage all subscriptions and management groups in Microsoft Entra ID using the Azure portal or REST API.- |
role-based-access-control | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/overview.md | Title: What is Azure role-based access control (Azure RBAC)? description: Get an overview of Azure role-based access control (Azure RBAC). Use role assignments to control access to Azure resources.- |
role-based-access-control | Rbac And Directory Admin Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/rbac-and-directory-admin-roles.md | Title: "Azure roles, Microsoft Entra roles, and classic subscription administrator roles" description: Describes the different roles in Azure - Azure roles, and Microsoft Entra roles, and classic subscription administrator roles- - ms.assetid: 174f1706-b959-4230-9a75-bf651227ebf6 |
role-based-access-control | Role Assignments Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-cli.md | Title: Assign Azure roles using Azure CLI - Azure RBAC description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using Azure CLI and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments List Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-cli.md | Title: List Azure role assignments using Azure CLI - Azure RBAC description: Learn how to determine what resources users, groups, service principals, or managed identities have access to using Azure CLI and Azure role-based access control (Azure RBAC).- ms.assetid: 3483ee01-8177-49e7-b337-4d5cb14f5e32 |
role-based-access-control | Role Assignments List Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-portal.md | Title: List Azure role assignments using the Azure portal - Azure RBAC description: Learn how to determine what resources users, groups, service principals, or managed identities have access to using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments List Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-powershell.md | Title: List Azure role assignments using Azure PowerShell - Azure RBAC description: Learn how to determine what resources users, groups, service principals, or managed identities have access to using Azure PowerShell and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments List Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-rest.md | Title: List Azure role assignments using the REST API - Azure RBAC description: Learn how to determine what resources users, groups, service principals, or managed identities have access to using the REST API and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Portal Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal-managed-identity.md | Title: Assign Azure roles to a managed identity (Preview) - Azure RBAC description: Learn how to assign Azure roles by starting with the managed identity and then select the scope and role using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Portal Subscription Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal-subscription-admin.md | Title: Assign a user as an administrator of an Azure subscription with conditions - Azure RBAC description: Learn how to make a user an administrator of an Azure subscription with conditions using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal.md | Title: Assign Azure roles using the Azure portal - Azure RBAC description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using the Azure portal and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-powershell.md | Title: Assign Azure roles using Azure PowerShell - Azure RBAC description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using Azure PowerShell and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Remove | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-remove.md | Title: Remove Azure role assignments - Azure RBAC description: Learn how to remove access to Azure resources for users, groups, service principals, or managed identities using Azure portal, Azure PowerShell, Azure CLI, or REST API.- |
role-based-access-control | Role Assignments Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-rest.md | Title: Assign Azure roles using the REST API - Azure RBAC description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using the REST API and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Steps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-steps.md | Title: Steps to assign an Azure role - Azure RBAC description: Learn the steps to assign Azure roles to users, groups, service principals, or managed identities using Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-template.md | Title: Assign Azure roles using Azure Resource Manager templates - Azure RBAC description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using Azure Resource Manager templates and Azure role-based access control (Azure RBAC).- |
role-based-access-control | Role Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments.md | Title: Understand Azure role assignments - Azure RBAC description: Learn about Azure role assignments in Azure role-based access control (Azure RBAC) for fine-grained access management of Azure resources.- |
role-based-access-control | Role Definitions List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions-list.md | Title: List Azure role definitions - Azure RBAC description: Learn how to list Azure built-in and custom roles using Azure portal, Azure PowerShell, Azure CLI, or REST API.- |
role-based-access-control | Role Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions.md | Title: Understand Azure role definitions - Azure RBAC description: Learn about Azure role definitions in Azure role-based access control (Azure RBAC) for fine-grained access management of Azure resources.- |
role-based-access-control | Scope Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/scope-overview.md | Title: Understand scope for Azure RBAC description: Learn about scope for Azure role-based access control (Azure RBAC) and how to determine the scope for a resource.- |
role-based-access-control | Transfer Subscription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/transfer-subscription.md | Title: Transfer an Azure subscription to a different Microsoft Entra directory description: Learn how to transfer an Azure subscription and known related resources to a different Microsoft Entra directory.- |
role-based-access-control | Troubleshoot Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshoot-limits.md | Title: Troubleshoot Azure RBAC limits - Azure RBAC description: Learn how to use Azure Resource Graph to reduce the number of Azure role assignments and Azure custom roles in Azure role-based access control (Azure RBAC).- |
role-based-access-control | Tutorial Custom Role Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-custom-role-cli.md | Title: "Tutorial: Create an Azure custom role with Azure CLI - Azure RBAC" description: Get started creating an Azure custom role using Azure CLI and Azure role-based access control (Azure RBAC) in this tutorial.- |
role-based-access-control | Tutorial Custom Role Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-custom-role-powershell.md | Title: "Tutorial: Create an Azure custom role with Azure PowerShell - Azure RBAC" description: Get started creating an Azure custom role using Azure PowerShell and Azure role-based access control (Azure RBAC) in this tutorial.- - |
role-based-access-control | Tutorial Role Assignments Group Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-group-powershell.md | Title: "Tutorial: Grant a group access to Azure resources using Azure PowerShell - Azure RBAC" description: Learn how to grant a group access to Azure resources using Azure PowerShell and Azure role-based access control (Azure RBAC) in this tutorial.- - |
role-based-access-control | Tutorial Role Assignments User Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-user-powershell.md | Title: "Tutorial: Grant a user access to Azure resources using Azure PowerShell - Azure RBAC" description: Learn how to grant a user access to Azure resources using Azure PowerShell and Azure role-based access control (Azure RBAC) in this tutorial.- - |
sap | Deploy Workload Zone | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/deploy-workload-zone.md | The following services are provided by the SAP workload zone: - A Storage account for cloud witnesses - An Azure NetApp Files account and capacity pools (optional) - Azure Files NFS shares (optional)+- [Azure Monitor for SAP](integration-azure-monitor-sap.md) (optional) :::image type="content" source="./media/deployment-framework/workload-zone.png" alt-text="Diagram that shows an SAP workload zone."::: |
sap | Integration Azure Monitor Sap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/integration-azure-monitor-sap.md | + + Title: SAP Monitoring with Azure Monitor for SAP +description: Configure Azure Monitor for SAP with SAP Deployment Automation Framework. +++ Last updated : 02/25/2024++++++# Configure Azure monitor for SAP with SAP Deployment Automation Framework ++Monitoring the performance and availability of SAP systems on Azure is simplified through [Azure Monitor for SAP](../monitor/about-azure-monitor-sap-solutions.md). It collects and analyzes metrics and logs from your applications, databases, operating systems, and Azure resources. Customers use Azure Monitor for SAP to visualize and troubleshoot issues, set alerts and notifications, and optimize SAP workloads on Azure. ++By integrating Azure Monitor for SAP and SAP Deployment Automation Framework, you can achieve a faster, easier, and more reliable deployment and operation of your SAP systems on Azure. You can use the automation framework to provision and configure the SAP systems, and Azure Monitor for SAP to monitor and optimize the performance and availability of those SAP systems. ++This integration with [SAP on Azure Deployment Automation Framework](deployment-framework.md) enables you to reduce the complexity and deployment cost of running your SAP environments on Azure, by helping to automate the monitoring of different components of an SAP landscape. ++## Overview ++As described in the [overview document](deployment-framework.md), the automation framework has two main components: ++- Deployment infrastructure (control plane, typically deployed in the hub) +- SAP infrastructure (SAP workload zone, typically deployed in a spoke) ++Deployment of Azure Monitor for SAP (AMS) and the [providers](../monitor/about-azure-monitor-sap-solutions.md#what-can-you-monitor) can be automated from the SAP Deployment Automation Framework (SDAF) to simplify the monitoring process. In this architecture, one Azure Monitor for SAP resource is deployed in each [workload zone](deployment-framework.md#about-the-sap-workload-zone), which represents the environment. This resource is responsible for monitoring the performance and availability of different components of the SAP systems in that environment. +++To monitor different components of each SAP system, there are corresponding providers and all these providers are deployed in the Azure Monitor for SAP resource of that environment. This setup allows for efficient monitoring and management of the SAP systems, as all the providers for a particular system are located in the same Azure Monitor for SAP resource. The automation framework automates the following steps: +- Creates Azure Monitor for SAP resource in workload zone. +- Performs prerequisites steps required to enable monitoring. +- Creates providers for each component of SAP landscape in Azure Monitor for SAP resource created. ++> [!NOTE] +> This automation framework currently supports deployment automation of Azure monitor for SAP resource, [OS (Linux) provider](../monitor/about-azure-monitor-sap-solutions.md#os-linux-data) to monitor the Azure VMs, and [HA Pacemaker cluster provider](../monitor/about-azure-monitor-sap-solutions.md#ha-pacemaker-cluster-data) to monitor the high availability clusters in the SAP system. ++The [key components](../monitor/about-azure-monitor-sap-solutions.md#what-is-the-architecture) of the Azure monitor for SAP resource created in the workload zone resource group would include: +- Azure monitor for SAP resource +- Managed Resource group with in the Azure monitor for SAP that includes: + - Azure functions resource + - Azure key vault + - Log analytics workspace (optional) + - Storage account ++## Workload zone configuration for Azure Monitor for SAP resource ++The example shows the parameters that are required for the deployment of Azure Monitor for SAP resource in the workload zone. Optionally, you can choose to use an existing log analytics workspace that exists in the same subscription as your workload zone. ++```terraform +# If defined these parameters control the ams instance (Azure monitor for SAP) +# create_ams_instance is an optional parameter, and should be set true is the AMS instance is to be created. +create_ams_instance = true ++# ams_instance_name is an optional parameter and should only be used if the default naming is not acceptable +ams_instance_name = "AMS-RESOURCE" ++# ams_laws_arm_id is a optional parameter to use an exisiting log analytics for the AMS instance +ams_laws_arm_id = "/subscriptions/0000000-000000-0000000-0000000000/resourcegroups/rg-name/providers/microsoft.operationalinsights/workspaces/workspacename" ++``` ++## System configuration for AMS providers ++The following example shows the parameter that is required for the automation of provider prerequisites and provider creation in the Azure monitor for SAP. ++```terraform +# enable_os_monitoring is an optional parameter and should be set to true if you want to monitor the Azure VMs of your SAP system. +enable_os_monitoring = true ++# enable_ha_monitoring is an optional parameter and should be set to true if you want to monitor the HA clusters of your SAP system. +enable_ha_monitoring = true ++``` |
sap | Disaster Recovery Sap Hana | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/disaster-recovery-sap-hana.md | Title: Add HSR third site to HANA Pacemaker cluster -description: Extending highly available SAP HANA solution with third site for disaster recovery +description: Learn how to extend a highly available SAP HANA solution with a third site for disaster recovery. Last updated 01/16/2024 -# Add HSR third site to HANA Pacemaker cluster +# Add an HSR third site to a HANA Pacemaker cluster This article describes requirements and setup of a third HANA replication site to complement an existing Pacemaker cluster. Both SUSE Linux Enterprise Server (SLES) and RedHat Enterprise Linux (RHEL) specifics are covered. ## Overview -SAP HANA supports system replication (HSR) with more than two sites connected. You can add a third site to an existing HSR pair, managed by Pacemaker in a highly available setup. You can deploy the third site in a second Azure region for disaster recovery (DR) purposes. +SAP HANA supports system replication (HSR) with more than two sites connected. You can add a third site to an existing HSR pair, managed by Pacemaker in a highly available setup. You can deploy the third site in a second Azure region for disaster recovery (DR) purposes. -Pacemaker and HANA cluster resource agent manage the first two sites. Pacemaker cluster doesn't control the third site. +Pacemaker and the HANA cluster resource agent manage the first two sites. The Pacemaker cluster doesn't control the third site. -SAP HANA supports a third system replication site in two modes. +SAP HANA supports a third system replication site in two modes: -- [Multi-target](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/ba457510958241889a459e606bbcf3d3.html) replicates data changes from primary to more than one target system. Third site connected to primary, replication in a star topology.-- [Multi-tier](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/f730f308fede4040bcb5ccea6751e74d.html) is a two-tier replication. A cascading, or sometimes referred to as chained setup, of three different HANA tiers. Third site connects to secondary. +- [Multitarget](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/ba457510958241889a459e606bbcf3d3.html) replicates data changes from primary to more than one target system. The third site is connected to primary replication in a star topology. +- [Multitier](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/f730f308fede4040bcb5ccea6751e74d.html) is a two-tier replication. A cascading, or chained, setup of three different HANA tiers. The third site connects to the secondary. -For more information, see [SAP HANA availability across Azure regions](./sap-hana-availability-across-regions.md#combine-availability-within-one-region-and-across-regions) for more conceptual details about HANA HSR within one and across different regions. +For more conceptual details about HANA HSR within one region and across different regions, see [SAP HANA availability across Azure regions](./sap-hana-availability-across-regions.md#combine-availability-within-one-region-and-across-regions). ## Prerequisites for SLES -Requirements for a third HSR site are different between HANA scale-up and HANA scale-out. +Requirements for a third HSR site are different for HANA scale-up and HANA scale-out. > [!NOTE]-> Requirements in this chapter are only valid for a Pacemaker enabled landscape. Without Pacemaker, SAP HANA version requirements apply for the chosen replication mode. -> Pacemaker and HANA cluster resource agent manages only two sites. Third HSR site isn't controlled by Pacemaker cluster. +> Requirements in this article are only valid for a Pacemaker-enabled landscape. Without Pacemaker, SAP HANA version requirements apply to the chosen replication mode. +> Pacemaker and the HANA cluster resource agent manage only two sites. The third HSR site isn't controlled by the Pacemaker cluster. -- Both scale-up and scale-out: SAP HANA SPS 04 or newer required to use multi-target HSR with a Pacemaker cluster-- Both scale-up and scale-out: Maximum one SAP HANA system replication connected from outside the Linux cluster-- HANA scale-out only: SLES 15 SP1 or higher-- HANA scale-out only: OS package SAPHanaSR-ScaleOut version 0.180 or higher-- HANA scale-out only: SAP HANA HA hook [SAPHanaSrMultiTarget](./sap-hana-high-availability-scale-out-hsr-suse.md#implement-hana-ha-hooks-saphanasrmultitarget-and-suschksrv) in use. Preview HANA HA hook SAPHanaSR isn't multi-target aware for scale-out.+- **Both scale-up and scale-out**: SAP HANA SPS 04 or newer is required to use multitarget HSR with a Pacemaker cluster. +- **Both scale-up and scale-out**: Maximum of one SAP HANA system replication connected from outside the Linux cluster. +- **HANA scale-out only**: SLES 15 SP1 or higher. +- **HANA scale-out only**: Operating system (OS) package SAPHanaSR-ScaleOut version 0.180 or higher. +- **HANA scale-out only**: SAP HANA high-availability (HA) hook [SAPHanaSrMultiTarget](./sap-hana-high-availability-scale-out-hsr-suse.md#implement-hana-ha-hooks-saphanasrmultitarget-and-suschksrv) in use. Preview HANA HA hook `SAPHanaSR` isn't multitarget aware for scale-out. ## Prerequisites for RHEL -Requirements for a third HSR site are different between HANA scale-up and HANA scale-out. +Requirements for a third HSR site are different for HANA scale-up and HANA scale-out. > [!NOTE]-> Requirements in this chapter are only valid for a Pacemaker enabled landscape. Without Pacemaker, SAP HANA version requirements apply for the chosen replication mode. -> Pacemaker and HANA cluster resource agent manages only two sites. Third HSR site isn't controlled by Pacemaker cluster. +> Requirements in this article are only valid for a Pacemaker-enabled landscape. Without Pacemaker, SAP HANA version requirements apply for the chosen replication mode. +> Pacemaker and the HANA cluster resource agent manage only two sites. The third HSR site isn't controlled by the Pacemaker cluster. -- HANA scale-up only: See RedHat [support policies for RHEL high availability clusters](https://access.redhat.com/articles/3397471) for details on minimum OS, SAP HANA and cluster resource agents version.-- HANA scale-out only: HANA multi-target replication isn't supported on Azure with a Pacemaker cluster.+- **HANA scale-up only**: See RedHat [support policies for RHEL HA clusters](https://access.redhat.com/articles/3397471) for details on the minimum OS, SAP HANA, and cluster resource agents version. +- **HANA scale-out only**: HANA multitarget replication isn't supported on Azure with a Pacemaker cluster. -## HANA scale-up: Add HANA multi-target system replication for DR purposes +## HANA scale-up: Add HANA multitarget system replication for DR purposes -With SAP HANA HA hook SAPHanaSR for [SLES](./sap-hana-high-availability.md#implement-hana-hooks-saphanasr-and-suschksrv) and [RHEL](./sap-hana-high-availability-rhel.md#implement-the-python-system-replication-hook-saphanasr), you can add a third node for disaster recovery (DR) purposes. The Pacemaker environment is aware of a HANA multi-target DR setup. +With SAP HANA HA hook SAPHanaSR for [SLES](./sap-hana-high-availability.md#implement-hana-hooks-saphanasr-and-suschksrv) and [RHEL](./sap-hana-high-availability-rhel.md#implement-the-python-system-replication-hook-saphanasr), you can add a third node for DR purposes. The Pacemaker environment is aware of a HANA multitarget DR setup. -Failure of the third node won't trigger any cluster action. Cluster detects the replication status of connected sites and the monitored attribute for third site can change between SOK and SFAIL state. Any takeover tests to third/DR site or executing your DR exercise process should first place the cluster resources into maintenance mode to prevent any undesired cluster action. +Failure of the third node won't trigger any cluster action. The cluster detects the replication status of connected sites and the monitored attribute for the third site can change between `SOK` and `SFAIL` states. Any takeover tests to the third/DR site or executing your DR exercise process should first place the cluster resources into maintenance mode to prevent any undesired cluster action. -Example of a multi-target system replication system. For more information, see [SAP documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/2e6c71ab55f147e19b832565311a8e4e.html). -![Diagram showing an example of a HANA scale-up multi-target system replication system.](./media/sap-hana-high-availability/sap-hana-high-availability-scale-up-hsr-multi-target.png) +The following example shows a multitarget system replication system. For more information, see [SAP documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/2e6c71ab55f147e19b832565311a8e4e.html). +![Diagram that shows an example of a HANA scale-up multitarget system replication system.](./media/sap-hana-high-availability/sap-hana-high-availability-scale-up-hsr-multi-target.png) -1. Deploy Azure resources for the third node. Depending on your requirements, you can use a different Azure region for disaster recovery purposes. +1. Deploy Azure resources for the third node. Depending on your requirements, you can use a different Azure region for DR purposes. - Steps required for the third site are similar to [virtual machines for HANA scale-up cluster](./sap-hana-high-availability.md#prepare-the-infrastructure). Third site will use Azure infrastructure, operating system and HANA version matching the existing Pacemaker cluster, with the following exceptions: + Steps required for the third site are similar to [virtual machines (VMs) for HANA scale-up cluster](./sap-hana-high-availability.md#prepare-the-infrastructure). The third site uses Azure infrastructure. The OS and HANA version match the existing Pacemaker cluster, with the following exceptions: - - No load balancer deployed for third site and no integration with existing cluster load balancer for the VM of third site - - Don't install OS packages SAPHanaSR, SAPHanaSR-doc and OS package pattern ha_sles on third site VM - - No integration into the cluster for VM or HANA resources of the third site - - No HANA HA hook setup for third site in global.ini + - No load balancer is deployed for the third site. There's no integration with the existing cluster load balancer for the VM of the third site. + - Don't install OS packages SAPHanaSR, SAPHanaSR-doc, and the OS package pattern ha_sles on the third site VM. + - No integration into the cluster for VM or HANA resources of the third site. + - No HANA HA hook setup for the third site in *global.ini*. -2. Install SAP HANA on third node. +1. Install SAP HANA on the third node. - Same HANA SID and HANA installation number must be used for third site. + The same HANA SID and HANA installation number must be used for the third site. -3. With SAP HANA on third site installed and running, register the third site with the primary site. +1. With SAP HANA on the third site installed and running, register the third site with the primary site. - The example uses SITE-DR as the name for third site. + The following example uses `SITE-DR` as the name for the third site. ```bash # Execute on the third site Example of a multi-target system replication system. For more information, see [ hdbnsutil -sr_register --name=SITE-DR --remoteHost=hn1-db-0 --remoteInstance=03 --replicationMode=async --online ``` -4. Verify HANA system replication shows both secondary and third site. +1. Verify that the HANA system replication shows the secondary site and the third site. ```bash # Verify HANA HSR is in sync, execute on primary sudo su - hn1adm -c "python /usr/sap/HN1/HDB03/exe/python_support/systemReplicationStatus.py" ``` -5. Check the SAPHanaSR attribute for third site. SITE-DR should show up with status SOK in the sites section. +1. Check the `SAPHanaSR` attribute for the third site. `SITE-DR` should show up with the status `SOK` in the `Sites` section. ```bash # Check SAPHanaSR attribute on any cluster managed host (first or second site) Example of a multi-target system replication system. For more information, see [ # SITE-DR SOK ``` - Cluster detects the replication status of connected sites and the monitored attributed can change between SOK and SFAIL. No cluster action if the replication to DR site fails. + The cluster detects the replication status of connected sites. The monitored attributes can change between `SOK` and `SFAIL`. There's no cluster action if the replication to the DR site fails. -## HANA scale-out: Add HANA multi-target system replication for DR purposes +## HANA scale-out: Add HANA multitarget system replication for DR purposes -With SAP HANA HA provider [SAPHanaSrMultiTarget](./sap-hana-high-availability-scale-out-hsr-suse.md#implement-hana-ha-hooks-saphanasrmultitarget-and-suschksrv), you can add a third HANA scale-out site. This third site is often used for disaster recovery (DR) in another Azure region. The Pacemaker environment is aware of a HANA multi-target DR setup. Note that this section is only applicable to systems running Pacemaker on SUSE only, see prerequisites section in this document for details. +With the SAP HANA HA provider [SAPHanaSrMultiTarget](./sap-hana-high-availability-scale-out-hsr-suse.md#implement-hana-ha-hooks-saphanasrmultitarget-and-suschksrv), you can add a third HANA scale-out site. This third site is often used for DR in another Azure region. The Pacemaker environment is aware of a HANA multitarget DR setup. This section applies to systems running Pacemaker on SUSE only. See the "Prerequisites" section in this document for details. -Failure of the third node won't trigger any cluster action. Cluster detects the replication status of connected sites and the monitored attribute for third site can change between SOK and SFAIL state. Any takeover tests to third/DR site or executing your DR exercise process should first place the cluster resources into maintenance mode to prevent any undesired cluster action. +Failure of the third node won't trigger any cluster action. The cluster detects the replication status of connected sites and the monitored attribute for the third site can change between the `SOK` and `SFAIL` states. Any takeover tests to the third/DR site or executing your DR exercise process should first place the cluster resources into maintenance mode to prevent any undesired cluster action. -Example of a multi-target system replication system. For more information, see [SAP documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/2e6c71ab55f147e19b832565311a8e4e.html). -![Diagram showing an example of a HANA scale-out multi-target system replication system.](./media/sap-hana-high-availability/sap-hana-high-availability-scale-out-hsr-multi-target.png) +The following example shows a multitarget system replication system. For more information, see [SAP documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/2e6c71ab55f147e19b832565311a8e4e.html).
+![Diagram that shows an example of a HANA scale-out multitarget system replication system.](./media/sap-hana-high-availability/sap-hana-high-availability-scale-out-hsr-multi-target.png) -1. Deploy Azure resources for the third site. Depending on your requirements, you can use a different Azure region for disaster recovery purposes. +1. Deploy Azure resources for the third site. Depending on your requirements, you can use a different Azure region for DR purposes. - Steps required for the HANA scale-out on third site are mirroring steps to deploy the [HANA scale-out cluster](./sap-hana-high-availability-scale-out-hsr-suse.md#prepare-the-infrastructure). Third site will use Azure infrastructure, operating system and HANA installation steps for SITE1 of the scale-out cluster, with the following exceptions: + Steps required for the HANA scale-out on the third site mirror the steps to deploy the [HANA scale-out cluster](./sap-hana-high-availability-scale-out-hsr-suse.md#prepare-the-infrastructure). The third site uses Azure infrastructure, OS, and HANA installation steps for `SITE1` of the scale-out cluster, with the following exceptions: - - No load balancer deployed for third site and no integration with existing cluster load balancer for the VMs of third site - - Don't install OS packages SAPHanaSR-ScaleOut, SAPHanaSR-ScaleOut-doc and OS package pattern ha_sles on third site VMs - - No majority maker VM for third site, as there's no cluster integration - - Create NFS volume /hana/shared for third site exclusive use - - No integration into the cluster for VMs or HANA resources of the third site - - No HANA HA hook setup for third site in global.ini + - No load balancer is deployed for the third site. There's no integration with the existing cluster load balancer for the VMs of the third site. + - Don't install the OS packages SAPHanaSR-ScaleOut, SAPHanaSR-ScaleOut-doc, and the OS package pattern ha_sles on the third site VMs. 
+ - No majority maker VM for the third site because there's no cluster integration. + - Create the NFS volume /hana/shared for the third site's exclusive use. + - No integration into the cluster for the VMs or HANA resources of the third site. + - No HANA HA hook setup for the third site in *global.ini*. - You must use the same HANA SID and HANA installation number for third site. + You must use the same HANA SID and HANA installation number for the third site. -2. With SAP HANA scale-out on third site installed and running, register the third site with the primary site. +1. With SAP HANA scale-out on the third site installed and running, register the third site with the primary site. - The example uses SITE-DR as the name for third site. + The following example uses `SITE-DR` as the name for the third site. ```bash # Execute on the third site Example of a multi-target system replication system. For more information, see [ hdbnsutil -sr_register --name=SITE-DR --remoteHost=hana-s1-db1 --remoteInstance=03 --replicationMode=async --online ``` -3. Verify HANA system replication shows both secondary and third site. +1. Verify that the HANA system replication shows the secondary site and the third site. ```bash # Verify HANA HSR is in sync, execute on primary sudo su - hn1adm -c "python /usr/sap/HN1/HDB03/exe/python_support/systemReplicationStatus.py" ``` -4. Check the SAPHanaSR attribute for third site. SITE-DR should show up with status SOK in the sites section. +1. Check the `SAPHanaSR` attribute for the third site. `SITE-DR` should show up with the status `SOK` in the `Sites` section. ```bash # Check SAPHanaSR attribute on any cluster managed host (first or second site) Example of a multi-target system replication system. For more information, see [ # HANA_S2 30 4 hana-s2-db1 SOK S ``` - Cluster detects the replication status of connected sites and the monitored attributed can change between SOK and SFAIL. No cluster action if the replication to DR site fails. 
+ The cluster detects the replication status of connected sites. The monitored attribute can change between `SOK` and `SFAIL`. There's no cluster action if the replication to the DR site fails. -## Autoregistering third site +## Autoregister the third site -During planned or unplanned takeover event between the two Pacemaker cluster sites, HSR to third site will be also interrupted. Pacemaker doesn't modify HANA replication to third site. +During a planned or unplanned takeover event between the two Pacemaker cluster sites, HSR to the third site is also interrupted. Pacemaker doesn't modify HANA replication to the third site. -SAP provides since HANA 2 SPS 04 parameter `register_secondaries_on_takeover`. With the parameter set to value `true`, after HSR takeover between cluster sites 1 and 2, HANA will register the third site on the new primary automatically to keep an HSR multi-target setup. Configure HANA parameter `register_secondaries_on_takeover = true` configured in `[system_replication]` block of global.ini on both SAP HANA sites in the Linux cluster. Both SITE1 and SITE2 need the parameter in the respective HANA global.ini configuration file. Parameter can be used also outside a Pacemaker cluster. +SAP provides since the HANA 2 SPS 04 parameter `register_secondaries_on_takeover`. With the parameter set to the value `true`, after the HSR takeover between cluster sites 1 and 2, HANA registers the third site on the new primary automatically to keep an HSR multitarget setup. Configure the HANA parameter `register_secondaries_on_takeover = true` that's configured in the `[system_replication]` block of *global.ini* on both SAP HANA sites in the Linux cluster. Both SITE1 and SITE2 need the parameter in the respective HANA *global.ini* configuration file. The parameter can also be used outside a Pacemaker cluster. 
-For HSR [multi-tier](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/f730f308fede4040bcb5ccea6751e74d.html), no automatic SAP HANA registration of the third site exists. You need to manually register the third site to the current secondary, to keep HSR replication chain for multi-tier. +For HSR [multitier](https://help.sap.com/docs/SAP_HANA_PLATFORM/6b94445c94ae495c83a19646e7c3fd56/f730f308fede4040bcb5ccea6751e74d.html), no automatic SAP HANA registration of the third site exists. You need to manually register the third site to the current secondary to keep the HSR replication chain for multitier. -![Diagram flow showing how a HANA auto-registration works with a third site during a takeover.](./media/sap-hana-high-availability/sap-hana-high-availability-hsr-third-site-auto-register.png) +![Diagram flow that shows how a HANA autoregistration works with a third site during a takeover.](./media/sap-hana-high-availability/sap-hana-high-availability-hsr-third-site-auto-register.png) ## Next steps |
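Review bot: the two sentences added in the Autoregister section still need tightening: "SAP provides since the HANA 2 SPS 04 parameter `register_secondaries_on_takeover`" has the time phrase in the wrong place, and "Configure the HANA parameter `register_secondaries_on_takeover = true` that's configured in the `[system_replication]` block" says configure/configured twice. Suggest "Since HANA 2 SPS 04, SAP provides the parameter `register_secondaries_on_takeover`." and "Set `register_secondaries_on_takeover = true` in the `[system_replication]` block of *global.ini* on both SAP HANA sites in the Linux cluster." The remaining changes in this edit (`SOK`/`SFAIL` in code font, "multitarget" spelling, list items renumbered to `1.`) match what the scale-up section above already does.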
sap | Sap Hana High Availability Netapp Files Suse | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability-netapp-files-suse.md | Title: High availability of SAP HANA Scale-up with ANF on SLES | Microsoft Docs -description: Establish high availability of SAP HANA with ANF on SLES Azure virtual machines (VMs). + Title: High availability of SAP HANA scale-up with Azure NetApp Files on SLES | Microsoft Docs +description: Learn how to establish high availability of SAP HANA with Azure NetApp Files on SLES Azure VMs. Last updated 01/16/2024 -# High availability of SAP HANA Scale-up with Azure NetApp Files on SUSE Enterprise Linux +# High availability of SAP HANA scale-up with Azure NetApp Files on SUSE Enterprise Linux -This article describes how to configure SAP HANA System Replication in Scale-up deployment, when the HANA file systems are mounted via NFS using Azure NetApp Files (ANF). In the example configurations and installation commands, instance number 03, and HANA System ID HN1 are used. SAP HANA Replication consists of one primary node and at least one secondary node. +This article describes how to configure SAP HANA system replication in scale-up deployment when the HANA file systems are mounted via NFS by using Azure NetApp Files. In the example configurations and installation commands, instance number 03 and HANA System ID HN1 are used. SAP HANA replication consists of one primary node and at least one secondary node. -When steps in this document are marked with the following prefixes, the meaning is as follows: +When steps in this document are marked with the following prefixes, they mean: -- [A]: The step applies to all nodes-- [1]: The step applies to node1 only-- [2]: The step applies to node2 only+- [A]: The step applies to all nodes. +- [1]: The step applies to node1 only. +- [2]: The step applies to node2 only. 
Read the following SAP Notes and papers first: -- SAP Note [1928533](https://launchpad.support.sap.com/#/notes/1928533), which has:+- SAP Note [1928533](https://launchpad.support.sap.com/#/notes/1928533) has: - The list of Azure VM sizes that are supported for the deployment of SAP software.- - Important capacity information for Azure VM sizes. - - The supported SAP software, and operating system (OS) and database combinations. - - The required SAP kernel version for Windows and Linux on Microsoft Azure. + - Important capacity information for Azure virtual machine (VM) sizes. + - The supported SAP software and operating system (OS) and database combinations. + - The required SAP kernel version for Windows and Linux on Azure. - SAP Note [2015553](https://launchpad.support.sap.com/#/notes/1928533) lists prerequisites for SAP-supported SAP software deployments in Azure.-- SAP Note [405827](https://launchpad.support.sap.com/#/notes/405827) lists out recommended file system for HANA environment.-- SAP Note [2684254](https://launchpad.support.sap.com/#/notes/2684254) -has recommended OS settings for SLES 15 / SLES for SAP Applications 15.-- SAP Note [1944799](https://launchpad.support.sap.com/#/notes/1944799) has SAP HANA Guidelines for SLES Operating System Installation.+- SAP Note [405827](https://launchpad.support.sap.com/#/notes/405827) lists the recommended file system for the HANA environment. +- SAP Note [2684254](https://launchpad.support.sap.com/#/notes/2684254) has recommended OS settings for SUSE Linux Enterprise Server (SLES) 15/SLES for SAP Applications 15. +- SAP Note [1944799](https://launchpad.support.sap.com/#/notes/1944799) has SAP HANA guidelines for SLES OS installation. - SAP Note [2178632](https://launchpad.support.sap.com/#/notes/2178632) has detailed information about all monitoring metrics reported for SAP in Azure. - SAP Note [2191498](https://launchpad.support.sap.com/#/notes/2191498) has the required SAP Host Agent version for Linux in Azure. 
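Review bot: the SAP Note 2015553 bullet links to the wrong note. Both the removed and the added line read `SAP Note [2015553](https://launchpad.support.sap.com/#/notes/1928533)`, which is the URL of Note 1928533 from the bullet above it. Since this edit already rewrites the surrounding bullets, change the path to `#/notes/2015553` so the link text and its target agree.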
- SAP Note [2243692](https://launchpad.support.sap.com/#/notes/2243692) has information about SAP licensing on Linux in Azure. - SAP Note [1999351](https://launchpad.support.sap.com/#/notes/1999351) has more troubleshooting information for the Azure Enhanced Monitoring extension for SAP.-- SAP Note [1900823](https://launchpad.support.sap.com/#/notes/1900823): Contains information about SAP HANA storage requirements-- [SUSE SAP HA Best Practice Guides](https://www.suse.com/products/sles-for-sap/resource-library/sap-best-practices/): Contains all required information to set up NetWeaver High Availability and SAP HANA System Replication on-premises (to be used as a general baseline; they provide much more detailed information)+- SAP Note [1900823](https://launchpad.support.sap.com/#/notes/1900823) contains information about SAP HANA storage requirements. +- [SUSE SAP high availability (HA) Best Practice Guides](https://www.suse.com/products/sles-for-sap/resource-library/sap-best-practices/) contain all required information to set up NetWeaver HA and SAP HANA system replication on-premises (to be used as a general baseline). They provide much more detailed information. - [SAP Community Wiki](https://wiki.scn.sap.com/wiki/display/HOME/SAPonLinuxNotes) has all required SAP Notes for Linux. - [Azure Virtual Machines planning and implementation for SAP on Linux](./planning-guide.md) - [Azure Virtual Machines deployment for SAP on Linux](./deployment-guide.md) - [Azure Virtual Machines DBMS deployment for SAP on Linux](./dbms-guide-general.md)-- General SLES documentation- - [Setting up SAP HANA Cluster](https://documentation.suse.com/sles-sap/15-SP1/html/SLES4SAP-guide/cha-s4s-cluster.html). 
+- General SLES documentation: + - [Setting up an SAP HANA cluster](https://documentation.suse.com/sles-sap/15-SP1/html/SLES4SAP-guide/cha-s4s-cluster.html) - [SLES High Availability Extension 15 SP3 Release Notes](https://www.suse.com/releasenotes/x86_64/SLE-HA/15-SP3/https://docsupdatetracker.net/index.html)- - [Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server 15](https://documentation.suse.com/sbp/sap-15/html/OS_Security_Hardening_Guide_for_SAP_HANA_SLES15_SP2_and_later/https://docsupdatetracker.net/index.html). + - [Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server 15](https://documentation.suse.com/sbp/sap-15/html/OS_Security_Hardening_Guide_for_SAP_HANA_SLES15_SP2_and_later/https://docsupdatetracker.net/index.html) - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 Guide](https://documentation.suse.com/sles/15-SP3/) - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 SAP Automation](https://documentation.suse.com/sles-sap/15-SP3/html/SLES-SAP-automation/article-sap-automation.html) - [SUSE Linux Enterprise Server for SAP Applications 15 SP3 SAP Monitoring](https://documentation.suse.com/sles-sap/15-SP3/html/SLES-SAP-monitoring/article-sap-monitoring.html) Read the following SAP Notes and papers first: - [Azure Virtual Machines planning and implementation for SAP on Linux](./planning-guide.md) > [!NOTE]-> This article contains references to a term that Microsoft no longer uses. When the term is removed from the software, weΓÇÖll remove it from this article. +> This article contains references to a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article. ## Overview -Traditionally in scale-up environment all file systems for SAP HANA are mounted from local storage. 
Setting up High Availability of SAP HANA System Replication on SUSE Enterprise Linux is published in guide [Set up SAP HANA System Replication on SLES](./sap-hana-high-availability.md) +Traditionally, in a scale-up environment, all file systems for SAP HANA are mounted from local storage. Setting up HA of SAP HANA system replication on SUSE Enterprise Linux is published in [Set up SAP HANA system replication on SLES](./sap-hana-high-availability.md). -To achieve SAP HANA High Availability of scale-up system on Azure NetApp Files NFS shares, we need some extra resource configuration in the cluster in order for HANA resources to recover, when one node loses access to the NFS shares on ANF. +To achieve SAP HANA HA of a scale-up system on Azure NetApp Files NFS shares, we need extra resource configuration in the cluster. This configuration is needed so that HANA resources can recover when one node loses access to the NFS shares on Azure NetApp Files. -![SAP HANA HA Scale-up on ANF](./media/sap-hana-high-availability-sles/sap-hana-scale-up-netapp-files-suse.png) +![Diagram that shows SAP HANA HA scale-up on Azure NetApp Files.](./media/sap-hana-high-availability-sles/sap-hana-scale-up-netapp-files-suse.png) -SAP HANA filesystems are mounted on NFS shares using Azure NetApp Files on each node. File systems /hana/data, /hana/log, and /hana/shared are unique to each node. +SAP HANA file systems are mounted on NFS shares by using Azure NetApp Files on each node. The file systems /hana/data, /hana/log, and /hana/shared are unique to each node. 
-Mounted on node1 (**hanadb1**) +Mounted on node1 (**hanadb1**): - 10.3.1.4:/**hanadb1**-data-mnt00001 on /hana/data - 10.3.1.4:/**hanadb1**-log-mnt00001 on /hana/log - 10.3.1.4:/**hanadb1**-shared-mnt00001 on /hana/shared -Mounted on node2 (**hanadb2**) +Mounted on node2 (**hanadb2**): - 10.3.1.4:/**hanadb2**-data-mnt00001 on /hana/data - 10.3.1.4:/**hanadb2**-log-mnt00001 on /hana/log - 10.3.1.4:/**hanadb2**-shared-mnt0001 on /hana/shared > [!NOTE]-> File systems /hana/shared, /hana/data and /hana/log are not shared between the two nodes. Each cluster node has its own, separate file systems. +> The file systems /hana/shared, /hana/data, and /hana/log aren't shared between the two nodes. Each cluster node has its own separate file systems. -SAP high availability HANA System Replication configuration uses a dedicated virtual hostname and virtual IP addresses. On Azure, a load balancer is required to use a virtual IP address. The presented configuration shows a load balancer with: +SAP HA HANA system replication configuration uses a dedicated virtual hostname and virtual IP addresses. On Azure, a load balancer is required to use a virtual IP address. The presented configuration shows a load balancer with: -- Front-end configuration IP address: 10.3.0.50 for hn1-db-- Probe Port: 62503+- **Front-end configuration IP address**: 10.3.0.50 for hn1-db +- **Probe port**: 62503 -## Set up the Azure NetApp File infrastructure +## Set up the Azure NetApp Files infrastructure ++Before you continue with the setup for Azure NetApp Files infrastructure, familiarize yourself with the [Azure NetApp Files documentation](../../azure-netapp-files/index.yml). -Before you continue with the setup for Azure NetApp Files infrastructure, familiarize yourself with the Azure [NetApp Files documentation](../../azure-netapp-files/index.yml). Azure NetApp Files is available in several [Azure regions](https://azure.microsoft.com/global-infrastructure/services/?products=netapp). 
Check to see whether your selected Azure region offers Azure NetApp Files. -For information about the availability of Azure NetApp Files by Azure region, see [Azure NetApp Files Availability by Azure Region](https://azure.microsoft.com/global-infrastructure/services/?products=netapp®ions=all). +For information about the availability of Azure NetApp Files by Azure region, see [Azure NetApp Files availability by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=netapp®ions=all). ### Important considerations -As you create your Azure NetApp Files for SAP HANA Scale-up systems, be aware of the important considerations documented in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#important-considerations). +As you create your Azure NetApp Files for SAP HANA scale-up systems, be aware of the important considerations documented in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#important-considerations). ### Sizing of HANA database on Azure NetApp Files The throughput of an Azure NetApp Files volume is a function of the volume size and service level, as documented in [Service level for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-service-levels.md). -While designing the infrastructure for SAP HANA on Azure with Azure NetApp Files, be aware of the recommendations in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#sizing-for-hana-database-on-azure-netapp-files). +While you design the infrastructure for SAP HANA on Azure with Azure NetApp Files, be aware of the recommendations in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#sizing-for-hana-database-on-azure-netapp-files). -The configuration in this article is presented with simple Azure NetApp Files Volumes. +The configuration in this article is presented with simple Azure NetApp Files volumes. 
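Review bot: the node2 mount list carries a volume-name typo that this edit leaves untouched: `10.3.1.4:/**hanadb2**-shared-mnt0001 on /hana/shared` has four zeros, while the data and log entries beside it and the volume list in the deployment steps (`hanadb2-shared-mnt00001`) use five. Make it `hanadb2-shared-mnt00001` so both lists describe the same volume; a reader copying the export path from this list would otherwise try to mount a volume that does not exist.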
> [!IMPORTANT]-> For production systems, where performance is a key, we recommend to evaluate and consider using [Azure NetApp Files application volume group for SAP HANA](hana-vm-operations-netapp.md#deployment-through-azure-netapp-files-application-volume-group-for-sap-hana-avg). +> For production systems, where performance is key, we recommend that you evaluate and consider using [Azure NetApp Files application volume group for SAP HANA](hana-vm-operations-netapp.md#deployment-through-azure-netapp-files-application-volume-group-for-sap-hana-avg). -> [!NOTE] -> All commands to mount /hana/shared in this article are presented for NFSv4.1 /hana/shared volumes. -> If you deployed the /hana/shared volumes as NFSv3 volumes, don't forget to adjust the mount commands for /hana/shared for NFSv3. +All commands to mount /hana/shared in this article are presented for NFSv4.1 /hana/shared volumes. If you deployed the /hana/shared volumes as NFSv3 volumes, don't forget to adjust the mount commands for /hana/shared for NFSv3. ### Deploy Azure NetApp Files resources -The following instructions assume that you've already deployed your [Azure virtual network](../../virtual-network/virtual-networks-overview.md). The Azure NetApp Files resources and VMs, where the Azure NetApp Files resources are mounted, must be deployed in the same Azure virtual network or in peered Azure virtual networks. +The following instructions assume that you already deployed your [Azure virtual network](../../virtual-network/virtual-networks-overview.md). The Azure NetApp Files resources and VMs, where the Azure NetApp Files resources are mounted, must be deployed in the same Azure virtual network or in peered Azure virtual networks. 1. Create a NetApp account in your selected Azure region by following the instructions in [Create a NetApp account](../../azure-netapp-files/azure-netapp-files-create-netapp-account.md).-2. 
Set up Azure NetApp Files capacity pool by following the instructions in [Set up an Azure NetApp Files capacity pool](../../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md). +1. Set up an Azure NetApp Files capacity pool by following the instructions in [Set up an Azure NetApp Files capacity pool](../../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md). - The HANA architecture presented in this article uses a single Azure NetApp Files capacity pool at the *Ultra* Service level. For HANA workloads on Azure, we recommend using Azure NetApp Files *Ultra* or *Premium* [service Level](../../azure-netapp-files/azure-netapp-files-service-levels.md). -3. Delegate a subnet to Azure NetApp Files, as described in the instructions in [Delegate a subnet to Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-delegate-subnet.md). -4. Deploy Azure NetApp Files volumes by following the instructions in [Create an NFS volume for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-create-volumes.md). + The HANA architecture presented in this article uses a single Azure NetApp Files capacity pool at the Ultra service level. For HANA workloads on Azure, we recommend using the Azure NetApp Files Ultra or Premium [service Level](../../azure-netapp-files/azure-netapp-files-service-levels.md). +1. Delegate a subnet to Azure NetApp Files, as described in the instructions in [Delegate a subnet to Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-delegate-subnet.md). +1. Deploy Azure NetApp Files volumes by following the instructions in [Create an NFS volume for Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-create-volumes.md). - As you deploy the volumes, be sure to select the NFSv4.1 version. Deploy the volumes in the designated Azure NetApp Files subnet. The IP addresses of the Azure NetApp volumes are assigned automatically. + As you deploy the volumes, be sure to select the NFSv4.1 version. 
Deploy the volumes in the designated Azure NetApp Files subnet. The IP addresses of the Azure NetApp Files volumes are assigned automatically. - Keep in mind that the Azure NetApp Files resources and the Azure VMs must be in the same Azure virtual network or in peered Azure virtual networks. For example, hanadb1-data-mnt00001, hanadb1-log-mnt00001, and so on, are the volume names and nfs://10.3.1.4/hanadb1-data-mnt00001, nfs://10.3.1.4/hanadb1-log-mnt00001, and so on, are the file paths for the Azure NetApp Files volumes. + The Azure NetApp Files resources and the Azure VMs must be in the same Azure virtual network or in peered Azure virtual networks. For example, hanadb1-data-mnt00001, hanadb1-log-mnt00001, and so on are the volume names, and nfs://10.3.1.4/hanadb1-data-mnt00001, nfs://10.3.1.4/hanadb1-log-mnt00001, and so on are the file paths for the Azure NetApp Files volumes. - On **hanadb1** + On **hanadb1**: - Volume hanadb1-data-mnt00001 (nfs://10.3.1.4:/hanadb1-data-mnt00001) - Volume hanadb1-log-mnt00001 (nfs://10.3.1.4:/hanadb1-log-mnt00001) - Volume hanadb1-shared-mnt00001 (nfs://10.3.1.4:/hanadb1-shared-mnt00001) - On **hanadb2** + On **hanadb2**: - Volume hanadb2-data-mnt00001 (nfs://10.3.1.4:/hanadb2-data-mnt00001) - Volume hanadb2-log-mnt00001 (nfs://10.3.1.4:/hanadb2-log-mnt00001) - Volume hanadb2-shared-mnt00001 (nfs://10.3.1.4:/hanadb2-shared-mnt00001) The following instructions assume that you've already deployed your [Azure virtu The resource agent for SAP HANA is included in SUSE Linux Enterprise Server for SAP Applications. An image for SUSE Linux Enterprise Server for SAP Applications 12 or 15 is available in Azure Marketplace. You can use the image to deploy new VMs. -### Deploy Linux VMs manually via Azure portal +### Deploy Linux VMs manually via the Azure portal -This document assumes that you've already deployed a resource group, [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md), and subnet. 
+This document assumes that you already deployed a resource group, [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md), and subnet. -Deploy virtual machines for SAP HANA. Choose a suitable SLES image that is supported for HANA system. You can deploy VM in any one of the availability options - virtual machine scale set, availability zone or availability set. +Deploy VMs for SAP HANA. Choose a suitable SLES image that's supported for the HANA system. You can deploy a VM in any one of the availability options: virtual machine scale set, availability zone, or availability set. > [!IMPORTANT] > Make sure that the OS you select is SAP certified for SAP HANA on the specific VM types that you plan to use in your deployment. You can look up SAP HANA-certified VM types and their OS releases in [SAP HANA Certified IaaS Platforms](https://www.sap.com/dmc/exp/2014-09-02-hana-hardware/enEN/#/solutions?filters=v:deCertified;ve:24;iaas;v:125;v:105;v:99;v:120). Make sure that you look at the details of the VM type to get the complete list of SAP HANA-supported OS releases for the specific VM type. -### Configure Azure load balancer +### Configure Azure Load Balancer -During VM configuration, you have an option to create or select exiting load balancer in networking section. Follow below steps, to setup standard load balancer for high availability setup of HANA database. +During VM configuration, you have an option to create or select the existing load balancer in the networking section. Follow the next steps to set up a standard load balancer for HA setup of the HANA database. 
-#### [Azure Portal](#tab/lb-portal) +#### [Azure portal](#tab/lb-portal) [!INCLUDE [Configure Azure standard load balancer using Azure portal](../../../includes/sap-load-balancer-db-portal.md)] During VM configuration, you have an option to create or select exiting load bal For more information about the required ports for SAP HANA, read the chapter [Connections to Tenant Databases](https://help.sap.com/viewer/78209c1d3a9b41cd8624338e42a12bf6/latest/en-US/7a9343c9f2a2436faa3cfdb5ca00c052.html) in the [SAP HANA Tenant Databases](https://help.sap.com/viewer/78209c1d3a9b41cd8624338e42a12bf6) guide or SAP Note [2388694](https://launchpad.support.sap.com/#/notes/2388694). > [!IMPORTANT]-> Floating IP is not supported on a NIC secondary IP configuration in load-balancing scenarios. For details see [Azure Load balancer Limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need additional IP address for the VM, deploy a second NIC. +> Floating IP isn't supported on a NIC secondary IP configuration in load-balancing scenarios. For more information, see [Azure Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need more IP addresses for the VM, deploy a second NIC. -> [!NOTE] -> When VMs without public IP addresses are placed in the backend pool of internal (no public IP address) Standard Azure load balancer, there will be no outbound internet connectivity, unless additional configuration is performed to allow routing to public end points. For details on how to achieve outbound connectivity see [Public endpoint connectivity for Virtual Machines using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md). 
+When VMs without public IP addresses are placed in the back-end pool of internal (no public IP address) Standard Azure Load Balancer, there's no outbound internet connectivity unless more configuration is performed to allow routing to public endpoints. For more information on how to achieve outbound connectivity, see [Public endpoint connectivity for VMs using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md). > [!IMPORTANT] >-> - Do not enable TCP timestamps on Azure VMs placed behind Azure Load Balancer. Enabling TCP timestamps will cause the health probes to fail. Set parameter `net.ipv4.tcp_timestamps` to `0`. For details see [Load Balancer health probes](../../load-balancer/load-balancer-custom-probe-overview.md) and SAP note [2382421](https://launchpad.support.sap.com/#/notes/2382421). -> - To prevent saptune from changing the manually set `net.ipv4.tcp_timestamps` value from `0` back to `1`, update saptune version to 3.1.1 or higher. For more details, see [saptune 3.1.1 ΓÇô Do I Need to Update?](https://www.suse.com/c/saptune-3-1-1-do-i-need-to-update/). +> - Don't enable TCP timestamps on Azure VMs placed behind Load Balancer. Enabling TCP timestamps causes the health probes to fail. Set the parameter `net.ipv4.tcp_timestamps` to `0`. For more information, see [Load Balancer health probes](../../load-balancer/load-balancer-custom-probe-overview.md) and SAP Note [2382421](https://launchpad.support.sap.com/#/notes/2382421). +> - To prevent saptune from changing the manually set `net.ipv4.tcp_timestamps` value from `0` back to `1`, update the saptune version to 3.1.1 or higher. For more information, see [saptune 3.1.1 ΓÇô Do I Need to Update?](https://www.suse.com/c/saptune-3-1-1-do-i-need-to-update/). ## Mount the Azure NetApp Files volume For more information about the required ports for SAP HANA, read the chapter [Co sudo mkdir -p /hana/shared/HN1 ``` -2. 
**[A]** Verify the NFS domain setting. Make sure that the domain is configured as the default Azure NetApp Files domain, that is, **defaultv4iddomain.com** and the mapping is set to **nobody**. +1. **[A]** Verify the NFS domain setting. Make sure that the domain is configured as the default Azure NetApp Files domain, that is, **defaultv4iddomain.com**, and the mapping is set to **nobody**. ```bash sudo cat /etc/idmapd.conf ``` - Example output + Example output: ```bash [General] For more information about the required ports for SAP HANA, read the chapter [Co ``` > [!IMPORTANT]- > Make sure to set the NFS domain in /etc/idmapd.conf on the VM to match the default domain configuration on Azure NetApp Files: **defaultv4iddomain.com**. If there's a mismatch between the domain configuration on the NFS client (i.e. the VM) and the NFS server, i.e. the Azure NetApp configuration, then the permissions for files on Azure NetApp volumes that are mounted on the VMs will be displayed as nobody. + > Make sure to set the NFS domain in /etc/idmapd.conf on the VM to match the default domain configuration on Azure NetApp Files: **defaultv4iddomain.com**. If there's a mismatch between the domain configuration on the NFS client (that is, the VM) and the NFS server (that is, the Azure NetApp Files configuration), the permissions for files on Azure NetApp Files volumes that are mounted on the VMs display as **nobody**. -3. **[A]** Edit the /etc/fstab on both nodes to permanently mount the volumes relevant to each node. Below is an example of how you mount the volumes permanently. +1. **[A]** Edit `/etc/fstab` on both nodes to permanently mount the volumes relevant to each node. The following example shows how you mount the volumes permanently. ```bash sudo vi /etc/fstab ``` - Add the following entries in /etc/fstab on both nodes + Add the following entries in `/etc/fstab` on both nodes. 
- Example for hanadb1 + Example for hanadb1: ```example 10.3.1.4:/hanadb1-data-mnt00001 /hana/data/HN1/mnt00001 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0 For more information about the required ports for SAP HANA, read the chapter [Co 10.3.1.4:/hanadb1-shared-mnt00001 /hana/shared/HN1 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0 ``` - Example for hanadb2 + Example for hanadb2: ```example 10.3.1.4:/hanadb2-data-mnt00001 /hana/data/HN1/mnt00001 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0 For more information about the required ports for SAP HANA, read the chapter [Co 10.3.1.4:/hanadb2-shared-mnt00001 /hana/shared/HN1 nfs rw,nfsvers=4.1,hard,timeo=600,rsize=262144,wsize=262144,noatime,lock,_netdev,sec=sys 0 0 ``` - Mount all volumes + Mount all volumes. ```bash sudo mount -a ``` - For workloads that require higher throughput consider using the `nconnect` mount option, as described in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#nconnect-mount-option). Check if `nconnect` is [supported by Azure NetApp Files](../../azure-netapp-files/performance-linux-mount-options.md#nconnect) on your Linux release. + For workloads that require higher throughput, consider using the `nconnect` mount option, as described in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md#nconnect-mount-option). Check if `nconnect` is [supported by Azure NetApp Files](../../azure-netapp-files/performance-linux-mount-options.md#nconnect) on your Linux release. -4. **[A]** Verify that all HANA volumes are mounted with NFS protocol version NFSv4. +1. **[A]** Verify that all HANA volumes are mounted with NFS protocol version NFSv4. ```bash sudo nfsstat -m ``` - Verify that flag vers is set to 4.1. + Verify that flag `vers` is set to **4.1**. - Example from hanadb1. 
+ Example from hanadb1: ```example /hana/log/HN1/mnt00001 from 10.3.1.4:/hanadb1-log-mnt00001 For more information about the required ports for SAP HANA, read the chapter [Co Flags: rw,noatime,vers=4.1,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.3.0.4,local_lock=none,addr=10.3.1.4 ``` -5. **[A]** Verify **nfs4_disable_idmapping**. It should be set to **Y**. To create the directory structure where **nfs4_disable_idmapping** is located, execute the mount command. You won't be able to manually create the directory under /sys/modules, because access is reserved for the kernel / drivers. +1. **[A]** Verify **nfs4_disable_idmapping**. It should be set to **Y**. To create the directory structure where **nfs4_disable_idmapping** is located, run the mount command. You won't be able to manually create the directory under `/sys/modules` because access is reserved for the kernel/drivers. ```bash #Check nfs4_disable_idmapping For more information about the required ports for SAP HANA, read the chapter [Co sudo echo "options nfs nfs4_disable_idmapping=Y" >> /etc/modprobe.d/nfs.conf ``` -## SAP HANA Installation +## SAP HANA installation 1. **[A]** Set up host name resolution for all hosts. - You can either use a DNS server or modify the /etc/hosts file on all nodes. This example shows you how to use the /etc/hosts file. Replace the IP address and the hostname in the following commands: + You can either use a DNS server or modify the `/etc/hosts` file on all nodes. This example shows how to use the `/etc/hosts` file. Replace the IP address and the host name in the following commands: ```bash sudo vi /etc/hosts ``` - Insert the following lines in the /etc/hosts file. Change the IP address and hostname to match your environment + Insert the following lines in the `/etc/hosts` file. Change the IP address and host name to match your environment. ```example 10.3.0.4 hanadb1 10.3.0.5 hanadb2 ``` -2. 
**[A]** Prepare the OS for running SAP HANA on Azure NetApp with NFS, as described in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). Create configuration file */etc/sysctl.d/91-NetApp-HANA.conf* for the NetApp configuration settings. +1. **[A]** Prepare the OS for running SAP HANA on Azure NetApp with NFS, as described in SAP Note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). Create the configuration file `/etc/sysctl.d/91-NetApp-HANA.conf` for the NetApp configuration settings. ```bash sudo vi /etc/sysctl.d/91-NetApp-HANA.conf ``` - Add the following entries in the configuration file + Add the following entries in the configuration file: ```parameters net.core.rmem_max = 16777216 For more information about the required ports for SAP HANA, read the chapter [Co net.ipv4.tcp_sack = 1 ``` -3. **[A]** Create configuration file */etc/sysctl.d/ms-az.conf* with additional optimization settings. +1. **[A]** Create the configuration file `/etc/sysctl.d/ms-az.conf` with more optimization settings. ```bash sudo vi /etc/sysctl.d/ms-az.conf ``` - Add the following entries in the configuration file + Add the following entries in the configuration file: ```parameters net.ipv6.conf.all.disable_ipv6 = 1 For more information about the required ports for SAP HANA, read the chapter [Co ``` > [!TIP]- > Avoid setting net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports explicitly in the sysctl configuration files to allow SAP Host Agent to manage the port ranges. For more information, see SAP note [2382421](https://launchpad.support.sap.com/#/notes/2382421). + > Avoid setting `net.ipv4.ip_local_port_range` and `net.ipv4.ip_local_reserved_ports` explicitly in the sysctl configuration files to allow the SAP Host Agent to manage the port ranges. For more information, see SAP Note [2382421](https://launchpad.support.sap.com/#/notes/2382421). -4. 
**[A]** Adjust the sunrpc settings, as recommended in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). +1. **[A]** Adjust the `sunrpc` settings, as recommended in SAP Note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). ```bash sudo vi /etc/modprobe.d/sunrpc.conf ``` - Insert the following line + Insert the following line: ```parameter options sunrpc tcp_max_slot_table_entries=128 ``` -5. **[A]** SLES for HANA Configuration +1. **[A]** Configure SLES for HANA. - Configure SLES as described in below SAP Note based on your SLES version + Configure SLES as described in the following SAP Notes based on your SLES version: - [2684254 Recommended OS settings for SLES 15 / SLES for SAP Applications 15](https://launchpad.support.sap.com/#/notes/2684254) - [2205917 Recommended OS settings for SLES 12 / SLES for SAP Applications 12](https://launchpad.support.sap.com/#/notes/2205917) For more information about the required ports for SAP HANA, read the chapter [Co - [2593824 Linux: Running SAP applications compiled with GCC 7.x](https://launchpad.support.sap.com/#/notes/2593824) - [2886607 Linux: Running SAP applications compiled with GCC 9.x](https://launchpad.support.sap.com/#/notes/2886607) -6. **[A]** Install the SAP HANA +1. **[A]** Install the SAP HANA. - Starting with HANA 2.0 SPS 01, MDC is the default option. When you install HANA system, SYSTEMDB and a tenant with same SID will be created together. In some cases, you don't want the default tenant. In case, if you donΓÇÖt want to create initial tenant along with the installation you can follow SAP Note [2629711](https://launchpad.support.sap.com/#/notes/2629711). + Starting with HANA 2.0 SPS 01, Multitenant Database Containers (MDC) is the default option. When you install the HANA system, SYSTEMDB and a tenant with the same SID are created together. In some cases, you don't want the default tenant. 
If you don't want to create the initial tenant along with the installation, follow the instructions in SAP Note [2629711](https://launchpad.support.sap.com/#/notes/2629711). - 1. Start the hdblcm program from the HANA installation software directory. + 1. Start the `hdblcm` program from the HANA installation software directory. ```bash ./hdblcm ``` - 2. At the prompt, enter the following values: - - For Choose installation: Enter **1** (for install) - - For Select additional components for installation: Enter **1**. - - For Enter Installation Path [/hana/shared]: press Enter to accept the default - - For Enter Local Host Name [..]: Press Enter to accept the default - - Under, Do you want to add additional hosts to the system? (y/n) [n]: **n** - - For Enter SAP HANA System ID: Enter **HN1**. - - For Enter Instance Number [00]: Enter **03** - - For Select Database Mode / Enter Index [1]: press **Enter** to accept the default - - For Select System Usage / Enter Index [4]: enter **4** (for custom) - - For Enter Location of Data Volumes [/hana/data]: press **Enter** to accept the default - - For Enter Location of Log Volumes [/hana/log]: press **Enter** to accept the default - - For Restrict maximum memory allocation? [n]: press **Enter** to accept the default - - For Enter Certificate Host Name For Host '...' 
[...]: press **Enter** to accept the default - - For Enter SAP Host Agent User (sapadm) Password: Enter the host agent user password - - For Confirm SAP Host Agent User (sapadm) Password: Enter the host agent user password again to confirm - - For Enter System Administrator (hn1adm) Password: Enter the system administrator password - - For Confirm System Administrator (hn1adm) Password: Enter the system administrator password again to confirm - - For Enter System Administrator Home Directory [/usr/sap/HN1/home]: press Enter to accept the default - - For Enter System Administrator Login Shell [/bin/sh]: press Enter to accept the default - - For Enter System Administrator User ID [1001]: press Enter to accept the default - - For Enter ID of User Group (sapsys) [79]: press Enter to accept the default - - For Enter Database User (SYSTEM) Password: Enter the database user password - - For Confirm Database User (SYSTEM) Password: Enter the database user password again to confirm - - For Restart system after machine reboot? [n]: press Enter to accept the default - - For Do you want to continue? (y/n): Validate the summary. Enter **y** to continue --7. **[A]** Upgrade SAP Host Agent -- Download the latest SAP Host Agent archive from the [SAP Software Center](https://launchpad.support.sap.com/#/softwarecenter) and run the following command to upgrade the agent. Replace the path to the archive to point to the file that you downloaded: + 1. At the prompt, enter the following values: + - For **Choose installation**: Enter **1** (for install). + - For **Select additional components for installation**: Enter **1**. + - For **Enter Installation Path [/hana/shared]**: Press Enter to accept the default. + - For **Enter Local Host Name [..]**: Press Enter to accept the default. + - Under **Do you want to add additional hosts to the system? (y/n) [n]**: Select **n**. + - For **Enter SAP HANA System ID**: Enter **HN1**. + - For **Enter Instance Number [00]**: Enter **03**. 
+ - For **Select Database Mode / Enter Index [1]**: Press Enter to accept the default. + - For **Select System Usage / Enter Index [4]**: Enter **4** (for custom). + - For **Enter Location of Data Volumes [/hana/data]**: Press Enter to accept the default. + - For **Enter Location of Log Volumes [/hana/log]**: Press Enter to accept the default. + - For **Restrict maximum memory allocation? [n]**: Press Enter to accept the default. + - For **Enter Certificate Host Name For Host '...' [...]**: Press Enter to accept the default. + - For **Enter SAP Host Agent User (sapadm) Password**: Enter the host agent user password. + - For **Confirm SAP Host Agent User (sapadm) Password**: Enter the host agent user password again to confirm. + - For **Enter System Administrator (hn1adm) Password**: Enter the system administrator password. + - For **Confirm System Administrator (hn1adm) Password**: Enter the system administrator password again to confirm. + - For **Enter System Administrator Home Directory [/usr/sap/HN1/home]**: Press Enter to accept the default. + - For **Enter System Administrator Login Shell [/bin/sh]**: Press Enter to accept the default. + - For **Enter System Administrator User ID [1001]**: Press Enter to accept the default. + - For **Enter ID of User Group (sapsys) [79]**: Press Enter to accept the default. + - For **Enter Database User (SYSTEM) Password**: Enter the database user password. + - For **Confirm Database User (SYSTEM) Password**: Enter the database user password again to confirm. + - For **Restart system after machine reboot? [n]**: Press Enter to accept the default. + - For **Do you want to continue? (y/n)**: Validate the summary. Enter **y** to continue. ++1. **[A]** Upgrade the SAP Host Agent. ++ Download the latest SAP Host Agent archive from the [SAP Software Center](https://launchpad.support.sap.com/#/softwarecenter) and run the following command to upgrade the agent. Replace the path to the archive to point to the file that you downloaded. 
```bash sudo /usr/sap/hostctrl/exe/saphostexec -upgrade -archive <path to SAP Host Agent SAR> For more information about the required ports for SAP HANA, read the chapter [Co ## Configure SAP HANA system replication -Follow the steps in set up [SAP HANA System Replication](./sap-hana-high-availability.md#configure-sap-hana-20-system-replication) to configure SAP HANA System Replication. +Follow the steps in [SAP HANA system replication](./sap-hana-high-availability.md#configure-sap-hana-20-system-replication) to configure SAP HANA system replication. ## Cluster configuration -This section describes necessary steps required for cluster to operate seamlessly when SAP HANA is installed on NFS shares using Azure NetApp Files. +This section describes the necessary steps that are required for the cluster to operate seamlessly when SAP HANA is installed on NFS shares by using Azure NetApp Files. ### Create a Pacemaker cluster -Follow the steps in, [Setting up Pacemaker on SUSE Enterprise Linux](./high-availability-guide-suse-pacemaker.md) in Azure to create a basic Pacemaker cluster for this HANA server. +Follow the steps in [Setting up Pacemaker on SUSE Enterprise Linux](./high-availability-guide-suse-pacemaker.md) in Azure to create a basic Pacemaker cluster for this HANA server. ## Implement HANA hooks SAPHanaSR and susChkSrv -This is an important step to optimize the integration with the cluster and improve the detection, when a cluster failover is needed. It's highly recommended to configure both SAPHanaSR and susChkSrv Python hooks. Follow the steps mentioned in, [Implement the Python System Replication hooks SAPHanaSR and susChkSrv](./sap-hana-high-availability.md#implement-hana-hooks-saphanasr-and-suschksrv) +This important step optimizes the integration with the cluster and improves the detection when a cluster failover is needed. We highly recommend that you configure both SAPHanaSR and susChkSrv Python hooks. 
Follow the steps in [Implement the Python system replication hooks SAPHanaSR and susChkSrv](./sap-hana-high-availability.md#implement-hana-hooks-saphanasr-and-suschksrv). ## Configure SAP HANA cluster resources -This section describes the necessary steps required to configure the SAP HANA Cluster resources. +This section describes the necessary steps that are required to configure the SAP HANA cluster resources. ### Create SAP HANA cluster resources -Follow the steps in [creating SAP HANA cluster resources](./sap-hana-high-availability.md#create-sap-hana-cluster-resources) to create the cluster resources for the HANA server. Once the resources are created, you should see the status of the cluster with the below command +Follow the steps in [Creating SAP HANA cluster resources](./sap-hana-high-availability.md#create-sap-hana-cluster-resources) to create the cluster resources for the HANA server. After the resources are created, you should see the status of the cluster with the following command: ```bash sudo crm_mon -r ``` -Example output +Example output: ```output # Online: [ hn1-db-0 hn1-db-1 ] Example output # rsc_nc_HN1_HDB03 (ocf::heartbeat:azure-lb): Started hn1-db-0 ``` -### Create File System resources +### Create file system resources -Create a dummy file system cluster resource, which monitors and reports failures, in case there's a problem accessing the NFS-mounted file system `/hana/shared`. That allows the cluster to trigger failover, in case there's a problem accessing `/hana/shared`. For more information, see [Handling failed NFS share in SUSE HA cluster for HANA system replication](https://www.suse.com/support/kb/doc/?id=000019904). +Create a dummy file system cluster resource. It monitors and reports failures if there's a problem accessing the NFS-mounted file system /hana/shared. That allows the cluster to trigger failover if there's a problem accessing /hana/shared. 
For more information, see [Handling failed NFS share in SUSE HA cluster for HANA system replication](https://www.suse.com/support/kb/doc/?id=000019904). 1. **[A]** Create the directory structure on both nodes. Create a dummy file system cluster resource, which monitors and reports failures sudo mkdir -p /hana/shared/check ``` -2. **[1]** Configure the cluster to add the directory structure for monitoring +1. **[1]** Configure the cluster to add the directory structure for monitoring. ```bash sudo crm configure primitive rsc_fs_check_HN1_HDB03 Filesystem params \ Create a dummy file system cluster resource, which monitors and reports failures op stop interval=0 timeout=120 ``` -3. **[1]** Clone and check the newly configured volume in the cluster +1. **[1]** Clone and check the newly configured volume in the cluster. ```bash sudo crm configure clone cln_fs_check_HN1_HDB03 rsc_fs_check_HN1_HDB03 meta clone-node-max=1 interleave=true ``` - Example output + Example output: ```bash sudo crm status Create a dummy file system cluster resource, which monitors and reports failures # Started: [ hanadb1 hanadb2 ] ``` - `OCF_CHECK_LEVEL=20` attribute is added to the monitor operation, so that monitor operations perform a read/write test on the file system. Without this attribute, the monitor operation only verifies that the file system is mounted. This can be a problem because when connectivity is lost, the file system may remain mounted, despite being inaccessible. + The `OCF_CHECK_LEVEL=20` attribute is added to the monitor operation so that monitor operations perform a read/write test on the file system. Without this attribute, the monitor operation only verifies that the file system is mounted. This can be a problem because when connectivity is lost, the file system might remain mounted, despite being inaccessible. - `on-fail=fence` attribute is also added to the monitor operation. With this option, if the monitor operation fails on a node, that node is immediately fenced. 
+ The `on-fail=fence` attribute is also added to the monitor operation. With this option, if the monitor operation fails on a node, that node is immediately fenced. > [!IMPORTANT]-> Timeouts in the above configuration may need to be adapted to the specific HANA set up to avoid unnecessary fence actions. DonΓÇÖt set the timeout values too low. Be aware that the filesystem monitor is not related to the HANA system replication. For details see [SUSE documentation](https://www.suse.com/support/kb/doc/?id=000019904). +> Timeouts in the preceding configuration might need to be adapted to the specific HANA setup to avoid unnecessary fence actions. Don't set the timeout values too low. Be aware that the file system monitor isn't related to the HANA system replication. For more information, see the [SUSE documentation](https://www.suse.com/support/kb/doc/?id=000019904). ## Test the cluster setup -This section describes how you can test your set up. +This section describes how you can test your setup. -1. Before you start a test, make sure that Pacemaker doesn't have any failed action (via crm status), no unexpected location constraints (for example leftovers of a migration test) and that HANA system replication is sync state, for example with systemReplicationStatus: +1. Before you start a test, make sure that Pacemaker doesn't have any failed action (via crm status) and no unexpected location constraints (for example, leftovers of a migration test). Also, ensure that HANA system replication is in sync state, for example, with `systemReplicationStatus`. ```bash sudo su - hn1adm -c "python /usr/sap/HN1/HDB03/exe/python_support/systemReplicationStatus.py" ``` -2. Verify the status of the HANA Resources using the command below +1. Verify the status of the HANA resources by using this command: ```bash SAPHanaSR-showAttr This section describes how you can test your set up. 
# hanadb2 DEMOTED 30 online logreplay hanadb1 4:S:master1:master:worker:master 100 SITE2 sync SOK 2.00.058.00.1634122452 hanadb2 ``` -3. Verify the cluster configuration for a failure scenario when a node is shut down (below, for example shows shutting down node 1) +1. Verify the cluster configuration for a failure scenario when a node is shut down. The following example shows shutting down node 1: ```bash sudo crm status This section describes how you can test your set up. sudo crm resource cleanup ``` - Example output + Example output: ```bash sudo crm status This section describes how you can test your set up. # Started: [ hanadb1 hanadb2 ] ``` - Stop the HANA on Node1 + Stop the HANA on Node1: ```bash sudo su - hn1adm sapcontrol -nr 03 -function StopWait 600 10 ``` - Register Node 1 as the Secondary Node and check status + Register Node 1 as the Secondary Node and check status: ```bash hdbnsutil -sr_register --remoteHost=hanadb2 --remoteInstance=03 --replicationMode=sync --name=SITE1 --operationMode=logreplay ``` - Example output + Example output: ```example #adding site ... This section describes how you can test your set up. sudo SAPHanaSR-showAttr ``` -4. Verify the cluster configuration for a failure scenario when a node loses access to the NFS share (/hana/shared) +1. Verify the cluster configuration for a failure scenario when a node loses access to the NFS share (/hana/shared). - The SAP HANA resource agents depend on binaries stored on `/hana/shared` to perform operations during fail-over. File system `/hana/shared` is mounted over NFS in the presented scenario. + The SAP HANA resource agents depend on binaries stored on /hana/shared to perform operations during failover. File system /hana/shared is mounted over NFS in the presented scenario. - It's difficult to simulate a failure, where one of the servers loses access to the NFS share. A test that can be performed is to remount the file system as read-only. 
- This approach validates that the cluster will be able to fail over, if access to `/hana/shared` is lost on the active node. + It's difficult to simulate a failure, where one of the servers loses access to the NFS share. As a test, you can remount the file system as read-only. This approach validates that the cluster can fail over if access to /hana/shared is lost on the active node. - **Expected Result:** On making `/hana/shared` as read-only file system, the `OCF_CHECK_LEVEL` attribute of the resource `hana_shared1`, which performs read/write operation on file system will fail as it isn't able to write anything on the file system and will perform HANA resource failover. The same result is expected when your HANA node loses access to the NFS shares. + **Expected result:** On making /hana/shared as a read-only file system, the `OCF_CHECK_LEVEL` attribute of the resource `hana_shared1`, which performs read/write operations on the file system, fails. It fails because it can't write anything on the file system and performs a HANA resource failover. The same result is expected when your HANA node loses access to the NFS shares. Resource state before starting the test: This section describes how you can test your set up. # Started: [ hanadb1 hanadb2 ] ``` - You can place /hana/shared in read-only mode on the active cluster node, using below command: + You can place /hana/shared in read-only mode on the active cluster node by using this command: ```bash sudo mount -o ro 10.3.1.4:/hanadb1-shared-mnt00001 /hana/sharedb ``` - hanadb1 will either reboot or poweroff based on the action set. Once the server (hanadb1) is down, HANA resource move to hanadb2. You can check the status of cluster from hanadb2. + The server `hanadb1` either reboots or powers off based on the action set. After the server `hanadb1` is down, the HANA resource moves to `hanadb2`. You can check the status of the cluster from `hanadb2`. 
```bash sudo crm status This section describes how you can test your set up. # Started: [ hanadb1 hanadb2 ] ``` - We recommend testing the SAP HANA cluster configuration thoroughly, by also doing the tests described in [SAP HANA System Replication](./sap-hana-high-availability.md#test-the-cluster-setup). + We recommend testing the SAP HANA cluster configuration thoroughly by doing the tests described in [SAP HANA system replication](./sap-hana-high-availability.md#test-the-cluster-setup). ## Next steps |
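Review bot: the verification step for `nfs4_disable_idmapping` appends with `sudo echo "options nfs nfs4_disable_idmapping=Y" >> /etc/modprobe.d/nfs.conf`, but `sudo` only elevates `echo`; the `>>` redirection is opened by the unprivileged shell and fails with "Permission denied" on a root-owned `/etc/modprobe.d`, so the option is never persisted and the idmapping check will drift after reboot. Suggest `echo "options nfs nfs4_disable_idmapping=Y" | sudo tee -a /etc/modprobe.d/nfs.conf` so that the write itself runs as root.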
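Review bot: in the NFS-share failure test, the command `sudo mount -o ro 10.3.1.4:/hanadb1-shared-mnt00001 /hana/sharedb` targets `/hana/sharedb`, which looks like a typo for the `/hana/shared` mount point every other line in this test refers to. As written, the command would mount the export on a non-existent directory (or leave `/hana/shared` read-write), so the `OCF_CHECK_LEVEL=20` read/write probe on `/hana/shared` would keep passing and the documented expected result (fencing of `hanadb1` and failover to `hanadb2`) would not be exercised. Suggest correcting the mount point to `/hana/shared` so the test actually validates loss of write access on the active node.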
search | Resource Partners Knowledge Mining | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/resource-partners-knowledge-mining.md | Get expert help from Microsoft partners who build comprehensive solutions that i | Partner | Description | Product link | ||-|-|-| ![BA Insight](media/resource-partners/ba-insight-logo.png "BA Insights company logo") | [**BA Insight Search for Workplace**](https://www.bainsight.com/azure-search/) is a complete enterprise search solution powered by Azure AI Search. It's the first of its kind solution, bringing the internet to enterprises for secure, "askable", powerful search to help organizations get a return on information. It delivers a web-like search experience, connects to 80+ enterprise systems and provides automated and intelligent meta tagging. | [Product page](https://www.bainsight.com/azure-search/) | -| ![BlueGranite](media/resource-partners/blue-granite-full-color.png "Blue Granite company logo") | [**BlueGranite**](https://www.bluegranite.com/) offers 25 years of experience in Modern Business Intelligence, Data Platforms, and AI solutions across multiple industries. Their Knowledge Mining services enable organizations to obtain unique insights from structured and unstructured data sources. Modular AI capabilities perform searches on numerous file types to index data and associate that data with more traditional data sources. Analytics tools extract patterns and trends from the enriched data and showcase results to users at all levels. | [Product page](https://www.bluegranite.com/knowledge-mining) | +| ![BA Insight](media/resource-partners/ba-insight-logo.png "BA Insights company logo") | [**BA Insight Search for Workplace**](https://www.bainsight.com/azure-search/) is a complete enterprise search solution powered by Azure AI Search. It's the first of its kind solution, bringing the internet to enterprises for secure, askable, powerful search to help organizations get a return on information. 
It delivers a web-like search experience, connects to 80+ enterprise systems and provides automated and intelligent meta tagging. | [Product page](https://www.bainsight.com/azure-search/) | +| ![Elastacloud](media/resource-partners/elastacloud-logo.png "Elastacloud company logo") | Founded by two Microsoft Regional Directors, [**Elastacloud**](https://eu1.hubs.ly/H07PsV00) is recognized for its expertise in Azure data and AI technologies over the past decade. Renowned for its innovative use of generative AI to achieve tangible business outcomes, Elastacloud delivers rapid results with strategic enterprise considerations, ensuring long-term success through secure, performant, cost-optimized, and highly accurate solutions. | [Product page](https://eu1.hubs.ly/H07Ps260) | | ![Enlighten Designs](media/resource-partners/enlighten-ver2.png "Enlighten Designs company logo") | [**Enlighten Designs**](https://www.enlighten.co.nz) is an award-winning innovation studio that has been enabling client value and delivering digitally transformative experiences for over 22 years. We're pushing the boundaries of the Microsoft technology toolbox, harnessing Azure AI Search, application development, and advanced Azure services that have the potential to transform our world. As experts in Power BI and data visualization, we hold the titles for the most viewed, and the most downloaded Power BI visuals in the world and are Microsoft's Data Journalism agency of record when it comes to data storytelling. | [Product page](https://www.enlighten.co.nz/Services/Data-Visualisation/Azure-Cognitive-Search) | | ![Neudesic](media/resource-partners/neudesic-logo.png "Neudesic company logo") | [**Neudesic**](https://www.neudesic.com/) is the trusted technology partner in business innovation, delivering impactful business results to clients through digital modernization and evolution. 
Our consultants bring business and technology expertise together, offering a wide range of cloud and data-driven solutions, including custom application development, data and artificial intelligence, comprehensive managed services, and business software products. Founded in 2002, Neudesic is a privately held company headquartered in Irvine, California. | [Product page](https://www.neudesic.com/services/modern-workplace/document-intelligence-platform-schedule-demo/)| | ![OrangeNXT](media/resource-partners/orangenxt-beldmerk-boven-160px.png "OrangeNXT company logo") | [**OrangeNXT**](https://orangenxt.com/) offers expertise in data consolidation, data modeling, and building skillsets that include custom logic developed for specific use-cases.</br></br>digitalNXT Search is an OrangeNXT solution that combines AI, optical character recognition (OCR), and natural language processing in Azure AI Search pipeline to help you extract search results from multiple structured and unstructured data sources. Integral to digitalNXT Search is advanced custom cognitive skills for interpreting and correlating selected data.</br></br>| [Product page](https://orangenxt.com/solutions/digitalnxt/digitalnxt-search/)| |
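Review bot: both links in the added Elastacloud row (`https://eu1.hubs.ly/H07PsV00` and `https://eu1.hubs.ly/H07Ps260`) go through a HubSpot click-tracking redirector rather than the vendor's own site, while every other partner in this table links directly to the company domain; a redirector can be repointed or expire without any change to the docs, so ask the partner for the direct URLs of the company page and the product page and use those in both columns.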
search | Search Get Started Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-bicep.md | This article walks you through the process for using a Bicep file to deploy an A Only those properties included in the template are used in the deployment. If more customization is required, such as [setting up network security](search-security-overview.md#network-security), you can update the service as a post-deployment task. To customize an existing service with the fewest steps, use [Azure CLI](search-manage-azure-cli.md) or [Azure PowerShell](search-manage-powershell.md). If you're evaluating preview features, use the [Management REST API](search-manage-rest.md). > [!TIP]-> For an alternative Bicep template that deploys Azure AI Search with a pre-configured indexer to Cosmos DB for NoSQL, see [Bicep deployment of Azure AI Search](https://github.com/Azure-Samples/azure-search-deployment-template). The template creates an indexer, index, and data source. The indexer runs on a schedule that refreshes from Cosmos DB on a 5-minute interval. +> For an alternative Bicep template that deploys Azure AI Search with a pre-configured indexer to Cosmos DB for NoSQL, see [Bicep deployment of Azure AI Search](https://github.com/Azure-Samples/azure-search-deployment-template). There's no bicep template support for Azure AI Search data plane operations like creating an index, but you can add a module that calls REST APIs. The sample includes a module that creates an index, data source connector, and an indexer that refreshes from Cosmos DB at 5-minute intervals. ## Prerequisites Get-AzResource -ResourceGroupName exampleRG ## Clean up resources -Other Azure AI Search quickstarts and tutorials build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave this resource in place. 
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources. +Azure AI Search is a billable resource. If it's no longer needed, delete it from your subscription to avoid charges. You can use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources. # [CLI](#tab/CLI) Remove-AzResourceGroup -Name exampleRG ## Next steps -In this quickstart, you created an Azure AI Search service using a Bicep file, and then validated the deployment. To learn more about Azure AI Search and Azure Resource Manager, continue on to the articles below. +In this quickstart, you created an Azure AI Search service using a Bicep file, and then validated the deployment. To learn more about Azure AI Search and Azure Resource Manager, continue on to the articles. - Read an [overview of Azure AI Search](search-what-is-azure-search.md). - [Create an index](search-get-started-portal.md) for your search service. |
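Review bot: the rewritten tip says the sample adds a module that calls the data-plane REST APIs to create the index, data source, and indexer, but not how that module authenticates to the search service; a reader copying the pattern needs to know which credential the deployment carries and how it is passed, so add a sentence naming the credential the module uses and how it is scoped, next to "you can add a module that calls REST APIs".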
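Review bot: in the Next steps hunk, dropping "below" leaves "continue on to the articles." dangling; write "continue on to the following articles." so the sentence still points at the list that follows it.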
search | Search Howto Complex Data Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-complex-data-types.md | To filter on a complex collection field, you can use a **lambda expression** wit As with top-level simple fields, simple subfields of complex fields can only be included in filters if they have the **filterable** attribute set to `true` in the index definition. For more information, see the [Create Index API reference](/rest/api/searchservice/create-index). +Azure Search has the limitation that the complex objects in the collections across a single document cannot exceed 3000. ++Users will encounter the below error during indexing when complex collections exceed the 3000 limit. ++ΓÇ£A collection in your document exceeds the maximum elements across all complex collections limit. The document with key '1052' has '4303' objects in collections (JSON arrays). At most '3000' objects are allowed to be in collections across the entire document. Remove objects from collections and try indexing the document again." ++In some use cases, we might need to add more than 3000 items to a collection. In those use cases, we can pipe (|) or use any form of delimiter to delimit the values, concatenate them, and store them as a delimited string. There is no limitation on the number of strings stored in an array in Azure Search. Storing these complex values as strings avoids the limitation. The customer needs to validate whether this workaround meets their scenario requirements. ++For example, it wouldn't be possible to use complex types if the "searchScope" array below had more than 3000 elements. 
++```json ++"searchScope": [ + { + "countryCode": "FRA", + "productCode": 1234, + "categoryCode": "C100" + }, + { + "countryCode": "USA", + "productCode": 1235, + "categoryCode": "C200" + } +] +``` ++Storing these complex values as strings with a delimiter avoids the limitation ++```json +"searchScope": [ + "|FRA|1234|C100|", + "|FRA|*|*|", + "|*|1234|*|", + "|*|*|C100|", + "|FRA|*|C100|", + "|*|1234|C100|" +] ++``` +Rather than storing these with wildcards, we can also use a [custom analyzer](index-add-custom-analyzers.md) that splits the word into | to cut down on storage size. ++The reason we have stored the values with wildcards instead of just storing them as below ++>`|FRA|1234|C100|` ++is to cater to search scenarios where the customer might want to search for items that have country France, irrespective of products and categories. Similarly, the customer might need to search to see if the item has product 1234, irrespective of the country or the category. ++If we had stored only one entry ++>`|FRA|1234|C100|` ++without wildcards, if the user wants to filter only on France, we cannot convert the user input to match the "searchScope" array because we don't know what combination of France is present in our "searchScope" array +++If the user wants to filter only by country, let's say France. We will take the user input and construct it as a string as below: ++>`|FRA|*|*|` ++which we can then use to filter in azure search as we search in an array of item values ++```csharp +foreach (var filterItem in filterCombinations) + { + var formattedCondition = $"searchScope/any(s: s eq '{filterItem}')"; + combFilter.Append(combFilter.Length > 0 ? " or (" + formattedCondition + ")" : "(" + formattedCondition + ")"); + } ++``` +Similarly, if the user searches for France and the 1234 product code, we will take the user input, construct it as a delimited string as below, and match it against our search array. 
++>`|FRA|1234|*|` ++If the user searches for 1234 product code, we will take the user input, construct it as a delimited string as below, and match it against our search array. ++>`|*|1234|*|` ++If the user searches for the C100 category code, we will take the user input, construct it as a delimited string as below, and match it against our search array. ++>`|*|*|C100|` ++If the user searches for France and the 1234 product code and C100 category code, we will take the user input, construct it as a delimited string as below, and match it against our search array. ++>`|FRA|1234|C100|` ++If a user tries to search for countries not present in our list, it will not match the delimited array "searchScope" stored in the search index, and no results will be returned. +For example, a user searches for Canada and product code 1234. The user search would be converted to ++>`|CAN|1234|*|` ++This will not match any of the entries in the delimited array in our search index. ++Only the above design choice requires this wild card entry; if it had been saved as a complex object, we could have simply performed an explicit search as shown below. ++```csharp + var countryFilter = $"searchScope/any(ss: search.in(countryCode ,'FRA'))"; + var catgFilter = $"searchScope/any(ss: search.in(categoryCode ,'C100'))"; + var combinedCountryCategoryFilter = "(" + countryFilter + " and " + catgFilter + ")"; ++``` +We can thus satisfy requirements where we need to search for a combination of values by storing it as a delimited string instead of a complex collection if our complex collections exceed the Azure Search limit. This is one of the workarounds, and the customer needs to validate if this would meet their scenario requirements. ++ ## Next steps Try the [Hotels data set](https://github.com/Azure-Samples/azure-search-sample-data/tree/master/hotels) in the **Import data** wizard. You need the Azure Cosmos DB connection information provided in the readme to access the data. |
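Review bot: the C# loop interpolates `filterItem` straight into the OData expression (`$"searchScope/any(s: s eq '{filterItem}')"`), and the surrounding text says these values are built from "the user input"; a single quote in that input terminates the string literal and the remainder becomes part of the filter expression. Either escape single quotes (double them) before interpolation or build the delimited string only from an allow-listed set of country, product, and category codes, and say which in the text; the same applies to the `search.in(...)` example at the end.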
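Review bot: in the complex-object filter example, the lambdas declare a range variable `ss` but never use it: `searchScope/any(ss: search.in(countryCode ,'FRA'))` and `searchScope/any(ss: search.in(categoryCode ,'C100'))` reference the subfields bare, whereas the string-collection example correctly writes `s eq '...'` against its variable; qualify the subfields with the range variable the same way, and drop the stray space before the commas.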
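Review bot: the quoted error message opens with a curly quote and closes with a straight `"`; use matching straight quotes. The same addition also says "Azure Search" several times while the rest of the article says "Azure AI Search", and repeats "the customer needs to validate" in both the opening and closing paragraphs; use the current product name and keep the validation caveat once, in the closing paragraph.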
security | Recover From Identity Compromise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/recover-from-identity-compromise.md | For more information, see: ### Monitoring with Microsoft Entra ID -Microsoft Entra sign-in logs can show whether multi-factor authentication is being used correctly. Access sign-in logs directly from the Microsoft Entra area in the Azure portal, use the **Get-AzureADAuditSignInLogs** cmdlet, or view them in the **Logs** area of Microsoft Sentinel. +Microsoft Entra sign-in logs can show whether multi-factor authentication is being used correctly. Access sign-in logs directly from the Microsoft Entra area in the Azure portal, use the [Get-MgBetaAuditLogSignIn](/powershell/module/microsoft.graph.beta.reports/get-mgbetaauditlogsignin) cmdlet, or view them in the **Logs** area of Microsoft Sentinel. For example, search or filter the results for when the **MFA results** field has a value of **MFA requirement satisfied by claim in the token**. If your organization uses ADFS and the claims logged are not included in the ADFS configuration, these claims may indicate attacker activity. |
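Review bot: the replacement cmdlet comes from the beta Reports module (the link path is `microsoft.graph.beta.reports`), and the following sentence still tells the reader to filter on the portal's **MFA results** field; for cmdlet output, name the property that carries that value or give a one-line filter, otherwise readers on the PowerShell path cannot reproduce the check, and say whether the beta module is required or a v1.0 equivalent exposes the same field.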
sentinel | Cisco Asa Ftd Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/cisco-asa-ftd-via-ama.md | The Cisco ASA firewall connector allows you to easily connect your Cisco ASA log | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) | ## Query samples |
sentinel | Recommended Akamai Security Events Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-akamai-security-events-via-ama.md | Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (AkamaiSecurityEvents)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Aruba Clearpass Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-aruba-clearpass-via-ama.md | The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-ac | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (ArubaClearPass)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) | ## Query samples |
sentinel | Recommended Broadcom Symantec Dlp Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-broadcom-symantec-dlp-via-ama.md | The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/prod | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (SymantecDLP)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** |[Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
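Review bot: the replacement cell drops the space after the leading pipe (`|[Azure Monitor Agent DCR](...) |`) while every other cell in the row is written `| ... |`; the same missing spacing appears in the Forcepoint CSG, Palo Alto Networks Cortex Data Lake, and PingFederate rows. Keep the cell spacing consistent across the connector tables.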
sentinel | Recommended Cisco Secure Email Gateway Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-cisco-secure-email-gateway-via-ama.md | The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/se | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (CiscoSEG)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Claroty Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-claroty-via-ama.md | The [Claroty](https://claroty.com/) data connector provides the capability to in | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (Claroty)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Fireeye Network Security Nx Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-fireeye-network-security-nx-via-ama.md | The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-sec | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (FireEyeNX)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Forcepoint Casb Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-forcepoint-casb-via-ama.md | The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to autom | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (ForcepointCASB)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Community](https://github.com/Azure/Azure-Sentinel/issues) | ## Query samples |
sentinel | Recommended Forcepoint Csg Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-forcepoint-csg-via-ama.md | Forcepoint Cloud Security Gateway is a converged cloud security service that pro | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (Forcepoint CSG)<br/> CommonSecurityLog (Forcepoint CSG)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** |[Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)| | **Supported by** | [Community](https://github.com/Azure/Azure-Sentinel/issues) | ## Query samples |
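Review bot: the **Log Analytics table(s)** cell lists `CommonSecurityLog (Forcepoint CSG)<br/>` twice; remove the duplicate entry. The replacement DCR link in this row is also written without the spaces inside the cell (`|[Azure Monitor Agent DCR](...)|`) that the other rows use.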
sentinel | Recommended Forcepoint Ngfw Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-forcepoint-ngfw-via-ama.md | The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatic | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (ForcePointNGFW)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Community](https://github.com/Azure/Azure-Sentinel/issues) | ## Query samples |
sentinel | Recommended Illumio Core Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-illumio-core-via-ama.md | The [Illumio Core](https://www.illumio.com/products/) data connector provides th | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (IllumioCore)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Kaspersky Security Center Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-kaspersky-security-center-via-ama.md | The [Kaspersky Security Center](https://support.kaspersky.com/KSC/13/en-US/3396. | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (KasperskySC)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Netwrix Auditor Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-netwrix-auditor-via-ama.md | Netwrix Auditor data connector provides the capability to ingest [Netwrix Audito | **Kusto function alias** | NetwrixAuditor | | **Kusto function url** | https://aka.ms/sentinel-netwrixauditor-parser | | **Log Analytics table(s)** | CommonSecurityLog<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Nozomi Networks N2os Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-nozomi-networks-n2os-via-ama.md | The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides t | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (NozomiNetworks)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Ossec Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-ossec-via-ama.md | OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (OSSEC)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com/) | ## Query samples |
sentinel | Recommended Palo Alto Networks Cortex Data Lake Cdl Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-palo-alto-networks-cortex-data-lake-cdl-via-ama.md | The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (PaloAltoNetworksCDL)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** |[Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Pingfederate Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-pingfederate-via-ama.md | The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) d | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (PingFederate)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** |[Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent)| | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
sentinel | Recommended Trend Micro Apex One Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/recommended-trend-micro-apex-one-via-ama.md | The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/us | Connector attribute | Description | | | | | **Log Analytics table(s)** | CommonSecurityLog (TrendMicroApexOne)<br/> |-| **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) | +| **Data collection rules support** | [Azure Monitor Agent DCR](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) | | **Supported by** | [Microsoft Corporation](https://support.microsoft.com) | ## Query samples |
static-web-apps | Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/configuration.md | You can define configuration for Azure Static Web Apps in the _staticwebapp.conf > [!NOTE] > [_routes.json_](https://github.com/Azure/static-web-apps/wiki/routes.json-reference-(deprecated)) that was previously used to configure routing is deprecated. Use _staticwebapp.config.json_ as described in this article to configure routing and other settings for your static web app. > -> This document is regarding Azure Static Web Apps, which is a standalone product and separate from the [static website hosting](../storage/blobs/storage-blob-static-website.md) feature of Azure Storage. +> This document describes how to configure Azure Static Web Apps, which is a standalone product and separate from the [static website hosting](../storage/blobs/storage-blob-static-website.md) feature of Azure Storage. ## File location -The recommended location for the _staticwebapp.config.json_ is in the folder set as the `app_location` in the [workflow file](./build-configuration.md). However, the file may be placed in any subfolder within the folder set as the `app_location`. Additionally, if there is a build step, you must ensure that the build step outputs the file to the root of the output_location. +The recommended location for the _staticwebapp.config.json_ is in the folder set as the `app_location` in the [workflow file](./build-configuration.md). However, you can place the file in any subfolder within the folder set as the `app_location`. Additionally, if there's a build step, you must ensure that the build step outputs the file to the root of the output_location. See the [example configuration](#example-configuration-file) file for details. This rule matches requests for the file _/profile/https://docsupdatetracker.net/index.html_. 
Because _index.ht #### <a name="wildcards"></a>Wildcard pattern -Wildcard rules match all requests in a route pattern, are only supported at the end of a path, and may be filtered by file extension. See the [example configuration file](#example-configuration-file) for usage examples. +Wildcard rules match all requests in a route pattern, and are only supported at the end of a path. See the [example configuration file](#example-configuration-file) for usage examples. For instance, to implement routes for a calendar application, you can rewrite all URLs that fall under the _calendar_ route to serve a single file. You can create new roles as needed in the `allowedRoles` array. To restrict a ro #### Restrict access to entire application -It's common to require authentication for every route in an application. To enable this, add a rule that matches all routes and include the built-in `authenticated` role in the `allowedRoles` array. +You'll often want to require authentication for every route in your application. To lock down your routes, add a rule that matches all routes and include the built-in `authenticated` role in the `allowedRoles` array. The following example configuration blocks anonymous access and redirects all unauthenticated users to the Microsoft Entra sign-in page. The following example configuration blocks anonymous access and redirects all un ## Fallback routes -Single Page Applications often rely on client-side routing. These client-side routing rules update the browser's window location without making requests back to the server. If you refresh the page, or go directly to URLs generated by client-side routing rules, a server-side fallback route is required to serve the appropriate HTML page, which is generally the _https://docsupdatetracker.net/index.html_ for your client-side app. +Single Page Applications often rely on client-side routing. 
These client-side routing rules update the browser's window location without making requests back to the server. If you refresh the page, or go directly to URLs generated by client-side routing rules, a server-side fallback route is required to serve the appropriate HTML page. The fallback page is often designated as _https://docsupdatetracker.net/index.html_ for your client-side app. You can define a fallback rule by adding a `navigationFallback` section. The following example returns _/https://docsupdatetracker.net/index.html_ for all static file requests that don't match a deployed file. You can control which requests return the fallback file by defining a filter. In } ``` -For example, with the directory structure below, the above navigation fallback rule would result in the outcomes detailed in the table below. +For example, with the following directory structure, the above navigation fallback rule would result in the outcomes detailed in the followingtable. ```files Γö£ΓöÇΓöÇ images For example, with the directory structure below, the above navigation fallback r | Requests to... | returns... | with the status... | |--|--|--|-| _/about/_ | The _/https://docsupdatetracker.net/index.html_ file | `200` | -| _/images/logo.png_ | The image file | `200` | -| _/images/icon.svg_ | The _/https://docsupdatetracker.net/index.html_ file - since the _svg_ file extension isn't listed in the `/images/*.{png,jpg,gif}` filter | `200` | -| _/images/unknown.png_ | File not found error | `404` | -| _/css/unknown.css_ | File not found error | `404` | -| _/css/global.css_ | The stylesheet file | `200` | -| Any other file outside the _/images_ or _/css_ folders | The _/https://docsupdatetracker.net/index.html_ file | `200` | +| _/about/_ | The _/https://docsupdatetracker.net/index.html_ file. | `200` | +| _/images/logo.png_ | The image file. 
| `200` | +| _/images/icon.svg_ | The _/https://docsupdatetracker.net/index.html_ file - since the _svg_ file extension isn't listed in the `/images/*.{png,jpg,gif}` filter. | `200` | +| _/images/unknown.png_ | File not found error. | `404` | +| _/css/unknown.css_ | File not found error. | `404` | +| _/css/global.css_ | The stylesheet file. | `200` | +| Any other file outside the _/images_ or _/css_ folders | The _/https://docsupdatetracker.net/index.html_ file. | `200` | > [!IMPORTANT] > If you are migrating from the deprecated [_routes.json_](https://github.com/Azure/static-web-apps/wiki/routes.json-reference-(deprecated)) file, do not include the legacy fallback route (`"route": "/*"`) in the [routing rules](#routes). To remove a header, set the value to an empty string (`""`). Some common use cases for global headers include: - Custom caching rules-- Enforcing security policies+- Security policies - Encoding settings-- Configuring cross-origin resource sharing ([CORS](https://developer.mozilla.org/docs/Web/HTTP/CORS))+- Cross-origin resource sharing ([CORS](https://developer.mozilla.org/docs/Web/HTTP/CORS)) configuration The following example implements a custom CORS configuration. In addition to IP address blocks, you can also specify [service tags](../virtual ## Authentication -* [Default authentication providers](authentication-authorization.md#set-up-sign-in), don't require settings in the configuration file. +* [Default authentication providers](authentication-authorization.md#set-up-sign-in) don't require settings in the configuration file. + * [Custom authentication providers](authentication-custom.md) use the `auth` section of the settings file. For details on how to restrict routes to authenticated users, see [Securing routes with roles](#securing-routes-with-roles). ### Disable cache for authenticated paths -If you set up [manual integration with Azure Front Door](front-door-manual.md), you may want to disable caching for your secured routes. 
With [enterprise-grade edge](enterprise-edge.md) enabled, this is already configured for you. +If you set up [manual integration with Azure Front Door](front-door-manual.md), you may want to disable caching for your secured routes. With [enterprise-grade edge](enterprise-edge.md) enabled, caching is already disabled for your secured routes. To disable Azure Front Door caching for secured routes, add `"Cache-Control": "no-store"` to the route header definition. For example: ## Forwarding gateway -The `forwardingGateway` section configures how a static web app is accessed from a forwarding gateway such as a CDN or Azure Front Door. +The `forwardingGateway` section configures how a static web app is accessed from a forwarding gateway such as a Content Delivery Network (CDN) or Azure Front Door. > [!NOTE] > Forwarding gateway configuration is only available in the Azure Static Web Apps Standard plan. For example, the following configuration shows how you can add a unique identifi ## Trailing slash -A trailing slash is the `/` at the end of a URL. Conventionally, trailing slash URL refers to a directory on the web server, while a non-trailing slash indicates a file. +A trailing slash is the `/` at the end of a URL. Conventionally, trailing slash URL refers to a directory on the web server, while a nontrailing slash indicates a file. Search engines treat the two URLs separately, regardless of whether it's a file or a directory. When the same content is rendered at both of these URLs, your website serves duplicate content, which can negatively affect search engine optimization (SEO). When explicitly configured, Static Web Apps applies a set of URL normalization and redirect rules that help improve your website's performance and SEO. When you're setting `trailingSlash` to `always`, all requests that don't include ### Never -When setting `trailingSlash` to `never`, all requests ending in a trailing slash are redirected to a non-trailing slash URL. 
For example, `/contact/` is redirected to `/contact`. +When setting `trailingSlash` to `never`, all requests ending in a trailing slash are redirected to a nontrailing slash URL. For example, `/contact/` is redirected to `/contact`. ```json "trailingSlash": "never" When setting `trailingSlash` to `never`, all requests ending in a trailing slash ### Auto -When you set `trailingSlash` to `auto`, all requests to folders are redirected to a URL with a trailing slash. All requests to files are redirected to a non-trailing slash URL. +When you set `trailingSlash` to `auto`, all requests to folders are redirected to a URL with a trailing slash. All requests to files are redirected to a nontrailing slash URL. ```json "trailingSlash": "auto" When you set `trailingSlash` to `auto`, all requests to folders are redirected t | _/contact/_ | The _/contact.html_ file | `301` | _/contact_ | | _/contact.html_ | The _/contact.html_ file | `301` | _/contact_ | -For optimal website performance, configure a trailing slash strategy using one of the `always`, `never` or `auto` modes. +For optimal website performance, configure a trailing slash strategy using one of the `always`, `never`, or `auto` modes. By default, when the `trailingSlash` configuration is omitted, Static Web Apps applies the following rules: Based on the above configuration, review the following scenarios. | _/api/admin_ | `GET` requests from authenticated users in the _registeredusers_ role are sent to the API. Authenticated users not in the _registeredusers_ role and unauthenticated users are served a `401` error.<br/><br/>`POST`, `PUT`, `PATCH`, and `DELETE` requests from authenticated users in the _administrator_ role are sent to the API. Authenticated users not in the _administrator_ role and unauthenticated users are served a `401` error. 
| | _/customers/contoso_ | Authenticated users who belong to either the _administrator_ or _customers_contoso_ roles are served the _/customers/contoso/index.html_ file. Authenticated users not in the _administrator_ or _customers_contoso_ roles are served a `403` error<sup>1</sup>. Unauthenticated users are redirected to _/login_. | | _/login_ | Unauthenticated users are challenged to authenticate with GitHub. |-| _/.auth/login/twitter_ | As authorization with Twitter is disabled by the route rule, `404` error is returned, which falls back to serving _/index.html_ with a `200` status code. | +| _/.auth/login/twitter_ | Since authorization with Twitter is disabled by the route rule, `404` error is returned, which falls back to serving _/index.html_ with a `200` status code. | | _/logout_ | Users are logged out of any authentication provider. | | _/calendar/2021/01_ | The browser is served the _/calendar.html_ file. | | _/specials_ | The browser is permanently redirected to _/deals_. | | _/data.json_ | The file served with the `text/json` MIME type. | | _/about_, or any folder that matches client side routing patterns | The _/index.html_ file is served with a `200` status code. |-| An non-existent file in the _/images/_ folder | A `404` error. | +| An nonexistent file in the _/images/_ folder | A `404` error. | <sup>1</sup> You can provide a custom error page by using a [response override rule](#response-overrides). See the [Quotas article](quotas.md) for general restrictions and limitations. ## Related articles -- [Set application-level settings and environment variables that can be used by backend APIs](application-settings.md)+- [Set application-level settings and environment variables used by backend APIs](application-settings.md) - [Define settings that control the build process](./build-configuration.md) |
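Review bot: the rewritten navigation fallback sentence ("+For example, with the following directory structure, ...") introduces a missing space in "the followingtable"; it should read "the following table".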
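Review bot: in the routing scenarios table, the new row "+| An nonexistent file in the _/images/_ folder" fixes the hyphenation but leaves the wrong article; it should read "A nonexistent file in the _/images/_ folder".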
storage | Storage Auth Abac Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-powershell.md | Here's what the condition looks like in code: ## Step 3: Create a user -1. Use [New-AzureADUser](/powershell/module/azuread/new-azureaduser) to create a user or find an existing user. This tutorial uses Chandra as the example. +1. Use [New-MgUser](/powershell/module/microsoft.graph.users/new-mguser) to create a user or find an existing user. This tutorial uses Chandra as the example. 1. Initialize the variable for the object ID of the user. |
storage | Elastic San Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-best-practices.md | Use the following commands to update your settings: Enable-MSDSMAutomaticClaim -BusType iSCSI # Set the default load balancing policy based on your requirements. In this example, we set it to round robin which should be optimal for most workloads.-Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR -# You can also use mpclaim.exe to set the policy to round robin mpclaim -L -M 2 # Set disk time out to 30 seconds Update the below registry settings for iSCSI initiator on Windows. 1. Open Registry Editor: 1. Select Start, type regedit in the search box and press enter. 1. Navigate to the following location:- [\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}\0004 (Microsoft iSCSI Initiator)\Parameters] + [\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\\{4d36e97b-e325-11ce-bfc1-08002be10318}\0004 (Microsoft iSCSI Initiator)\Parameters] 1. Update the following settings. Right-click on each setting and select **Modify**. Change **Base** to **Decimal**, update the value and select **OK**. |Description |Parameter and value | |
storage | Elastic San Connect Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-connect-windows.md | Enable-MSDSMAutomaticClaim -BusType iSCSI # Set the default load balancing policy based on your requirements. In this example, we set it to round robin # which should be optimal for most workloads.-Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR +mpclaim -L -M 2 ``` ### Attach Volumes to the client |
stream-analytics | Automation Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/automation-powershell.md | Once the script is understood, it's straightforward to rework it to extend its s ## Get support -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Input Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/input-validation.md | Finally, we can do some light integration testing in VS Code. We can insert reco ## Get support -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | No Code Stream Processing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/no-code-stream-processing.md | The no-code editor now supports two reference data sources: Reference data is modeled as a sequence of blobs in ascending order of the date/time combination specified in the blob name. You can add blobs to the end of the sequence only by using a date/time greater than the one that the last blob specified in the sequence. Blobs are defined in the input configuration. -First, under the **Inputs** section on the ribbon, select **Reference ADLS Gen2**. To see details about each field, see the section about Azure Blob Storage in [Use reference data for lookups in Stream Analytics](stream-analytics-use-reference-data.md#azure-blob-storage). +First, under the **Inputs** section on the ribbon, select **Reference ADLS Gen2**. To see details about each field, see the section about Azure Blob Storage in [Use reference data for lookups in Stream Analytics](stream-analytics-use-reference-data.md#azure-blob-storage-or-azure-data-lake-storage-gen-2). ![Screenshot that shows fields for configuring Azure Data Lake Storage Gen2 as input in the no-code editor.](./media/no-code-stream-processing/blob-referencedata-nocode.png) |
stream-analytics | Repartition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/repartition.md | description: This article describes how to use repartitioning to optimize Azure Previously updated : 12/21/2022 Last updated : 02/26/2024 You can repartition your input in two ways: ### Creating a separate Stream Analytics job to repartition input You can create a job that reads input and writes to an event hub output using a partition key. This event hub can then serve as input for another Stream Analytics job where you implement your analytics logic. When configuring this event hub output in your job, you must specify the partition key by which Stream Analytics will repartition your data. + ```sql -- For compat level 1.2 or higher SELECT * FROM input PARTITION BY PartitionId ``` ### Repartition input within a single Stream Analytics job-You can also introduce a step in your query that first repartitions the input and this can then be used by other steps in your query. For example, if you want to repartition input based on **DeviceId**, your query would be: +You can also introduce a step in your query that first repartitions the input, which can then be used by other steps in your query. For example, if you want to repartition input based on **DeviceId**, your query would be: + ```sql WITH RepartitionedInput AS ( -SELECT * -FROM input PARTITION BY DeviceID + SELECT * + FROM input PARTITION BY DeviceID ) SELECT DeviceID, AVG(Reading) as AvgNormalReading FROM RepartitionedInput GROUP BY DeviceId, TumblingWindow(minute, 1) ``` -The following example query joins two streams of repartitioned data. When joining two streams of repartitioned data, the streams must have the same partition key and count. The outcome is a stream that has the same partition scheme. +The following example query joins two streams of repartitioned data. When you join two streams of repartitioned data, the streams must have the same partition key and count. 
The outcome is a stream that has the same partition scheme. ```sql-WITH step1 AS (SELECT * FROM input1 PARTITION BY DeviceID), -step2 AS (SELECT * FROM input2 PARTITION BY DeviceID) +WITH step1 AS +( + SELECT * FROM input1 + PARTITION BY DeviceID +), +step2 AS +( + SELECT * FROM input2 + PARTITION BY DeviceID +) -SELECT * INTO output FROM step1 PARTITION BY DeviceID UNION step2 PARTITION BY DeviceID +SELECT * INTO output +FROM step1 PARTITION BY DeviceID +UNION step2 PARTITION BY DeviceID ``` The output scheme should match the stream scheme key and count so that each substream can be flushed independently. The stream could also be merged and repartitioned again by a different scheme before flushing, but you should avoid that method because it adds to the general latency of the processing and increases resource utilization. Experiment and observe the resource usage of your job to determine the exact num ## Repartitions for SQL output -When your job uses SQL database for output, use explicit repartitioning to match the optimal partition count to maximize throughput. Since SQL works best with eight writers, repartitioning the flow to eight before flushing, or somewhere further upstream, may benefit job performance. +When your job uses SQL database for output, use explicit repartitioning to match the optimal partition count to maximize throughput. Since SQL works best with eight writers, repartitioning the flow to eight before flushing, or somewhere further upstream, might benefit job performance. When there are more than eight input partitions, inheriting the input partitioning scheme might not be an appropriate choice. Consider using [INTO](/stream-analytics-query/into-azure-stream-analytics#into-shard-count) in your query to explicitly specify the number of output writers. The following example reads from the input, regardless of it being naturally partitioned, and repartitions the stream tenfold according to the DeviceID dimension and flushes the data to output. 
```sql-SELECT * INTO [output] FROM [input] PARTITION BY DeviceID INTO 10 +SELECT * INTO [output] +FROM [input] +PARTITION BY DeviceID INTO 10 ``` For more information, see [Azure Stream Analytics output to Azure SQL Database](stream-analytics-sql-output-perf.md). For more information, see [Azure Stream Analytics output to Azure SQL Database]( ## Next steps * [Get started with Azure Stream Analytics](stream-analytics-introduction.md)-* [Leverage query parallelization in Azure Stream Analytics](stream-analytics-parallelization.md) +* [Use query parallelization in Azure Stream Analytics](stream-analytics-parallelization.md) |
stream-analytics | Sql Database Upsert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/sql-database-upsert.md | Title: Update or merge records in Azure SQL Database with Azure Functions description: This article describes how to use Azure Functions to update or merge records from Azure Stream Analytics to Azure SQL Database Previously updated : 12/03/2021 Last updated : 02/27/2024 # Update or merge records in Azure SQL Database with Azure Functions -Currently, [Azure Stream Analytics](./index.yml) (ASA) only supports inserting (appending) rows to SQL outputs ([Azure SQL Databases](./sql-database-output.md), and [Azure Synapse Analytics](./azure-synapse-analytics-output.md)). This article discusses workarounds to enable UPDATE, UPSERT, or MERGE on SQL databases, with Azure Functions as the intermediary layer. +Currently, [Azure Stream Analytics](./index.yml) (ASA) supports only inserting (appending) rows to SQL outputs ([Azure SQL Databases](./sql-database-output.md), and [Azure Synapse Analytics](./azure-synapse-analytics-output.md)). This article discusses workarounds to enable UPDATE, UPSERT, or MERGE on SQL databases, with Azure Functions as the intermediary layer. Alternative options to Azure Functions are presented at the end. Writing data in a table can generally be done in the following manner: |Replace|[MERGE](/sql/t-sql/statements/merge-transact-sql) (UPSERT)|Unique key| |Accumulate|MERGE (UPSERT) with compound assignment [operator](/sql/t-sql/queries/update-transact-sql#arguments) (`+=`, `-=`...)|Unique key and accumulator| -To illustrate the differences, we can look at what happens when ingesting the following two records: +To illustrate the differences, look at what happens when ingesting the following two records: |Arrival_Time|Device_Id|Measure_Value| |-|-|-| |10:00|A|1| |10:05|A|20| -In **append** mode, we insert the two records. The equivalent T-SQL statement is: +In the **append** mode, we insert two records. 
The equivalent T-SQL statement is: ```SQL INSERT INTO [target] VALUES (...); Resulting in: |10:00|A|1| |10:05|A|20| -In **replace** mode, we get only the last value by key. Here we will use **Device_Id as the key.** The equivalent T-SQL statement is: +In **replace** mode, we get only the last value by key. Here we use **Device_Id as the key.** The equivalent T-SQL statement is: ```SQL MERGE INTO [target] t Resulting in: |-|-|-| |10:05|A|20| -Finally, in **accumulate** mode we sum `Value` with a compound assignment operator (`+=`). Here also we will use Device_Id as the key: +Finally, in **accumulate** mode we sum `Value` with a compound assignment operator (`+=`). Here also we use Device_Id as the key: ```SQL MERGE INTO [target] t Resulting in: For **performance** considerations, the ASA SQL database output adapters currently only support append mode natively. These adapters use bulk insert to maximize throughput and limit back pressure. -This article shows how to use Azure Functions to implement Replace and Accumulate modes for ASA. By using a function as an intermediary layer, the potential write performance won't affect the streaming job. In this regard, using Azure Functions will work best with Azure SQL. With Synapse SQL, switching from bulk to row-by-row statements may create greater performance issues. +This article shows how to use Azure Functions to implement Replace and Accumulate modes for ASA. When you use a function as an intermediary layer, the potential write performance won't affect the streaming job. In this regard, using Azure Functions works best with Azure SQL. With Synapse SQL, switching from bulk to row-by-row statements might create greater performance issues. ## Azure Functions Output -In our job, we'll replace the ASA SQL output by the [ASA Azure Functions output](./azure-functions-output.md). The UPDATE, UPSERT, or MERGE capabilities will be implemented in the function. 
+In our job, we replace the ASA SQL output by the [ASA Azure Functions output](./azure-functions-output.md). The UPDATE, UPSERT, or MERGE capabilities are implemented in the function. There are currently two options to access a SQL Database in a function. First is the [Azure SQL output binding](../azure-functions/functions-bindings-azure-sql.md). It's currently limited to C#, and only offers replace mode. Second is to compose a SQL query to be submitted via the appropriate [SQL driver](/sql/connect/sql-connection-libraries) ([Microsoft.Data.SqlClient](https://github.com/dotnet/SqlClient) for .NET). -For both samples below, we'll assume the following table schema. The binding option requires **a primary key** to be set on the target table. It's not necessary, but recommended, when using a SQL driver. +For both the following samples, we assume the following table schema. The binding option requires **a primary key** to be set on the target table. It's not necessary, but recommended, when using a SQL driver. ```SQL CREATE TABLE [dbo].[device_updated]( This sample was built on: To better understand the binding approach, it's recommended to follow [this tutorial](https://github.com/Azure/azure-functions-sql-extension#quick-start). -First, create a default HttpTrigger function app by following this [tutorial](../azure-functions/create-first-function-vs-code-csharp.md?tabs=in-process). The following information will be used: +First, create a default HttpTrigger function app by following this [tutorial](../azure-functions/create-first-function-vs-code-csharp.md?tabs=in-process). The following information is used: - Language: `C#` - Runtime: `.NET 6` (under function/runtime v4) Update the `Device` class and mapping section to match your own schema: public DateTime Timestamp { get; set; } ``` -You can now test the wiring between the local function and the database by debugging (F5 in VS Code). The SQL database needs to be reachable from your machine. 
[SSMS](/sql/ssms/sql-server-management-studio-ssms) can be used to check connectivity. Then a tool like [Postman](https://www.postman.com/) can be used to issue POST requests to the local endpoint. A request with an empty body should return http 204. A request with an actual payload should be persisted in the destination table (in replace / update mode). Here's a sample payload corresponding to the schema used in this sample: +You can now test the wiring between the local function and the database by debugging (F5 in Visual Studio Code). The SQL database needs to be reachable from your machine. [SSMS](/sql/ssms/sql-server-management-studio-ssms) can be used to check connectivity. Then a tool like [Postman](https://www.postman.com/) can be used to issue POST requests to the local endpoint. A request with an empty body should return http 204. A request with an actual payload should be persisted in the destination table (in replace / update mode). Here's a sample payload corresponding to the schema used in this sample: ```JSON [{"DeviceId":3,"Value":13.4,"Timestamp":"2021-11-30T03:22:12.991Z"},{"DeviceId":4,"Value":41.4,"Timestamp":"2021-11-30T03:22:12.991Z"}] This sample was built on: - [.NET 6.0](/dotnet/core/whats-new/dotnet-6) - Microsoft.Data.SqlClient [4.0.0](https://www.nuget.org/packages/Microsoft.Data.SqlClient/) -First, create a default HttpTrigger function app by following this [tutorial](../azure-functions/create-first-function-vs-code-csharp.md?tabs=in-process). The following information will be used: +First, create a default HttpTrigger function app by following this [tutorial](../azure-functions/create-first-function-vs-code-csharp.md?tabs=in-process). The following information is used: - Language: `C#` - Runtime: `.NET 6` (under function/runtime v4) The function can then be defined as an output in the ASA job, and used to replac ## Alternatives -Outside of Azure Functions, there are multiple ways to achieve the expected result. 
We'll mention the most likely solutions below. +Outside of Azure Functions, there are multiple ways to achieve the expected result. This section provides some of them. ### Post-processing in the target SQL Database -A background task will operate once the data is inserted in the database via the standard ASA SQL outputs. +A background task operates once the data is inserted in the database via the standard ASA SQL outputs. For Azure SQL, `INSTEAD OF` [DML triggers](/sql/relational-databases/triggers/dml-triggers?view=azuresqldb-current&preserve-view=true) can be used to intercept the INSERT commands issued by ASA: END; For Synapse SQL, ASA can insert into a [staging table](../synapse-analytics/sql/data-loading-best-practices.md#load-to-a-staging-table). A recurring task can then transform the data as needed into an intermediary table. Finally the [data is moved](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-partition.md#partition-switching) to the production table. -### Pre-processing in Azure Cosmos DB +### Preprocessing in Azure Cosmos DB Azure Cosmos DB [supports UPSERT natively](./stream-analytics-documentdb-output.md#upserts-from-stream-analytics). Here only append/replace is possible. Accumulations must be managed client-side in Azure Cosmos DB. If the requirements match, an option is to replace the target SQL database by an Azure Cosmos DB instance. Doing so requires an important change in the overall solution architecture. -For Synapse SQL, Azure Cosmos DB can be used as an intermediary layer via [Azure Synapse Link for Azure Cosmos DB](../cosmos-db/synapse-link.md). Synapse Link can be used to create an [analytical store](../cosmos-db/analytical-store-introduction.md). This data store can then be queried directly in Synapse SQL. +For Synapse SQL, Azure Cosmos DB can be used as an intermediary layer via [Azure Synapse Link for Azure Cosmos DB](../cosmos-db/synapse-link.md). 
Azure Synapse Link can be used to create an [analytical store](../cosmos-db/analytical-store-introduction.md). This data store can then be queried directly in Synapse SQL. ### Comparison of the alternatives Each approach offers different value proposition and capabilities: |Pre-Processing||||| ||Azure Functions|Replace, Accumulate|+|- (row-by-row performance)| ||Azure Cosmos DB replacement|Replace|N/A|N/A|-||Azure Cosmos DB Synapse Link|Replace|N/A|+| +||Azure Cosmos DB Azure Synapse Link|Replace|N/A|+| ## Get support -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
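Review bot: the rewritten sentence "+In the **append** mode, we insert two records." is inconsistent with the unchanged "In **replace** mode" and "in **accumulate** mode" later in the same article, and dropping "the" before "two records" loses the reference to the two records listed just above; suggest "In **append** mode, we insert the two records."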
stream-analytics | Stream Analytics Add Inputs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-add-inputs.md | As data is pushed to a data source, it's consumed by the Stream Analytics job an - Reference data inputs. ### Data stream input-A data stream is an unbounded sequence of events over time. Stream Analytics jobs must include at least one data stream input. Event Hubs, IoT Hub, Azure Data Lake Storage Gen2 and Blob storage are supported as data stream input sources. Event Hubs is used to collect event streams from multiple devices and services. These streams might include social media activity feeds, stock trade information, or data from sensors. IoT Hubs are optimized to collect data from connected devices in Internet of Things (IoT) scenarios. Blob storage can be used as an input source for ingesting bulk data as a stream, such as log files. +A data stream is an unbounded sequence of events over time. Stream Analytics jobs must include at least one data stream input. Event Hubs, IoT Hub, Azure Data Lake Storage Gen2, and Blob storage are supported as data stream input sources. Event Hubs is used to collect event streams from multiple devices and services. These streams might include social media activity feeds, stock trade information, or data from sensors. IoT Hubs are optimized to collect data from connected devices in Internet of Things (IoT) scenarios Blob storage can be used as an input source for ingesting bulk data as a stream, such as log files. -For more information about streaming data inputs, see [Stream data as input into Stream Analytics](stream-analytics-define-inputs.md) +For more information about streaming data inputs, see [Stream data as input into Stream Analytics](stream-analytics-define-inputs.md). ### Reference data input Stream Analytics also supports input known as *reference data*. Reference data is either completely static or changes slowly. 
It's typically used to perform correlation and lookups. For example, you might join data in the data stream input to data in the reference data, much as you would perform a SQL join to look up static values. Azure Blob storage, Azure Data Lake Storage Gen2, and Azure SQL Database are currently supported as input sources for reference data. Reference data source blobs have a limit of up to 300 MB in size, depending on the query complexity and allocated Streaming Units. For more information, see the [Size limitation](stream-analytics-use-reference-data.md#size-limitation) section of the reference data documentation. -For more information about reference data inputs, see [Using reference data for lookups in Stream Analytics](stream-analytics-use-reference-data.md) +For more information about reference data inputs, see [Using reference data for lookups in Stream Analytics](stream-analytics-use-reference-data.md). ## Next steps > [!div class="nextstepaction"] |
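Review bot: the rewritten data stream input paragraph drops the period after "Internet of Things (IoT) scenarios", so it runs straight into "Blob storage can be used as an input source"; restore the sentence break: "... (IoT) scenarios. Blob storage can be used ...".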
stream-analytics | Stream Analytics Dotnet Management Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-dotnet-management-sdk.md | The **Delete** method will delete the job as well as the underlying sub-resource ``` ## Get support-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps You've learned the basics of using a .NET SDK to create and run analytics jobs. To learn more, see the following articles: |
stream-analytics | Stream Analytics Edge | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-edge.md | This version information was last updated on 2020-09-21: ## Get help-For further assistance, try the [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try the [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics How To Configure Azure Machine Learning Endpoints In Stream Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-how-to-configure-azure-machine-learning-endpoints-in-stream-analytics.md | Now query the UDF (here named scoreTweet) for every input event and write a resp ## Get help-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html) +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics) ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Javascript User Defined Aggregates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-javascript-user-defined-aggregates.md | Create a local JSON file with below content, upload the file to Stream Analytics ## Get help -For additional help, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For additional help, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics Job Diagram With Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-job-diagram-with-metrics.md | If the preceding query step is an input processor, use the input metrics to help ## Get help-For additional assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For additional assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Job Logical Diagram With Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-job-logical-diagram-with-metrics.md | The input data related metrics can be viewed under **Input** category in the cha ## Get help-For more assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For more assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Job Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-job-metrics.md | Azure Stream Analytics provides a serverless, distributed streaming processing s [!INCLUDE [metrics-scenarios](./includes/metrics-scenarios.md)] ## Get help-For further assistance, try the [Microsoft Q&A page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try the [Microsoft Q&A page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Monitor And Manage Jobs Use Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-monitor-and-manage-jobs-use-powershell.md | Test-AzStreamAnalyticsOutput -ResourceGroupName StreamAnalytics-Default-Central- This PowerShell command tests the connection status of the output Output in StreamingJob. ## Get support-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Monitor Jobs Use Vs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-monitor-jobs-use-vs.md | You can also monitor errors by clicking on the **Errors** tab. ## Get support-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Monitor Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-monitor-jobs.md | The following code enables monitoring for an **existing** Stream Analytics job. ## Get support -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-monitoring.md | For details, see [How to Customize Monitoring](../azure-monitor/data-platform.md ## Get help-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html) +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics) ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Parallelization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-parallelization.md | Use the Metrics pane in your Azure Stream Analytics job to identify bottlenecks ## Get help -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Real Time Event Processing Reference Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-real-time-event-processing-reference-architecture.md | Microsoft Azure provides an extensive catalog of analytics technologies that are **Download:** [Real-Time Event Processing with Microsoft Azure Stream Analytics](https://download.microsoft.com/download/6/2/3/623924DE-B083-4561-9624-C1AB62B5F82B/real-time-event-processing-with-microsoft-azure-stream-analytics.pdf) ## Get help-For further assistance, try the [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html) +For further assistance, try the [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics) ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Scale Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-scale-jobs.md | In this case, you can follow the following steps. ## Get help-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Scale With Machine Learning Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-scale-with-machine-learning-functions.md | To scale a Stream Analytics job with Studio (classic) functions, consider the fo 2. The tolerated latency for the running Stream Analytics job (and thus the batch size of the Studio (classic) web service requests). 3. The provisioned Stream Analytics SUs and the number of Studio (classic) web service requests (the additional function-related costs). -A fully partitioned Stream Analytics query was used as an example. If a more complex query is needed, the [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html) is a great resource for getting additional help from the Stream Analytics team. +A fully partitioned Stream Analytics query was used as an example. If a more complex query is needed, the [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics) is a great resource for getting additional help from the Stream Analytics team. ## Next steps To learn more about Stream Analytics, see: |
stream-analytics | Stream Analytics Stream Analytics Query Patterns | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-stream-analytics-query-patterns.md | For more information, see the [Geofencing and geospatial aggregation scenarios w ## Get help -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Troubleshoot Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-troubleshoot-input.md | Stream Analytics jobs use IoT Hub's built-in [Event Hub compatible endpoint](../ ## Get help -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics Troubleshoot Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-troubleshoot-output.md | When using the original compatibility level (1.0), Azure Stream Analytics change ## Get help -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics Troubleshoot Query | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-troubleshoot-query.md | This time, the data in the output is formatted and populated as expected. ## Get help -For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps |
stream-analytics | Stream Analytics Twitter Sentiment Analysis Trends | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-twitter-sentiment-analysis-trends.md | A job input, query, and output are specified. You're ready to start the Stream A 3. On the **Start job** page, for **Job output start time**, select **Now** and then select **Start**. ## Get support-For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/topics/azure-stream-analytics.html). +For further assistance, try our [Microsoft Q&A question page for Azure Stream Analytics](/answers/tags/179/azure-stream-analytics). ## Next steps * [Introduction to Azure Stream Analytics](stream-analytics-introduction.md) |
stream-analytics | Stream Analytics Use Reference Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-use-reference-data.md | Title: Use reference data for lookups in Azure Stream Analytics description: This article describes how to use reference data to look up or correlate data in an Azure Stream Analytics job's query design. Previously updated : 06/17/2022 Last updated : 02/26/2024 # Use reference data for lookups in Stream Analytics ON I1.LicensePlate = R.LicensePlate WHERE R.Expired = '1' ``` -Stream Analytics supports Azure Blob Storage and Azure SQL Database as the storage layer for reference data. You can also transform or copy reference data to Blob Storage from Azure Data Factory to use [cloud-based and on-premises data stores](../data-factory/copy-activity-overview.md). +Stream Analytics supports Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure SQL Database as the storage layer for reference data. If you have the reference data in other data stores, try to use Azure Data Factory to extract, transform, and load the data to one of the supported data stores. For more information, see [Copy Activity in Azure Data Factory overview](../data-factory/copy-activity-overview.md). -## Azure Blob Storage +## Azure Blob Storage or Azure Data Lake Storage Gen 2 Reference data is modeled as a sequence of blobs in ascending order of the date/time specified in the blob name. Blobs can only be added to the end of the sequence by using a date/time *greater* than the one specified by the last blob in the sequence. Blobs are defined in the input configuration. Your reference data might be a slowly changing dataset. To refresh reference dat For example, a pattern of `sample/{date}/{time}/products.csv` with a date format of YYYY-MM-DD and a time format of HH-mm instructs Stream Analytics to pick up the updated blob `sample/2015-04-16/17-30/products.csv` on April 16, 2015, at 5:30 PM UTC. 
-Stream Analytics automatically scans for refreshed reference data blobs at a one-minute interval. A blob with the timestamp 10:30:00 might be uploaded with a small delay, for example, 10:30:30. You'll notice a small delay in the Stream Analytics job referencing this blob. +Stream Analytics automatically scans for refreshed reference data blobs at a one-minute interval. A blob with the timestamp 10:30:00 might be uploaded with a small delay, for example, 10:30:30. You notice a small delay in the Stream Analytics job referencing this blob. To avoid such scenarios, upload the blob earlier than the target effective time, which is 10:30:00 in this example. The Stream Analytics job now has enough time to discover and load the blob in memory and perform operations. To avoid such scenarios, upload the blob earlier than the target effective time, At start time, the job looks for the most recent blob produced before the job start time specified. This behavior ensures there's a *non-empty* reference dataset when the job starts. If one can't be found, the job displays the following diagnostic: `Initializing input without a valid reference data blob for UTC time <start time>`. -When a reference dataset is refreshed, a diagnostic log is generated: `Loaded new reference data from <blob path>`. For many reasons, a job might need to reload a previous reference dataset. Most often, the reason is to reprocess past data. The same diagnostic log is generated at that time. This action doesn't imply that current stream data will use past reference data. +When a reference dataset is refreshed, a diagnostic log is generated: `Loaded new reference data from <blob path>`. For many reasons, a job might need to reload a previous reference dataset. Most often, the reason is to reprocess past data. The same diagnostic log is generated at that time. This action doesn't imply that current stream data use past reference data. 
[Azure Data Factory](../data-factory/index.yml) can be used to orchestrate the task of creating the updated blobs required by Stream Analytics to update reference data definitions. For more information on how to set up a Data Factory pipeline to generate refere * Use {date}/{time} in the path pattern. * Add a new blob by using the same container and path pattern defined in the job input. * Use a date/time *greater* than the one specified by the last blob in the sequence.-- Reference data blobs are *not* ordered by the blob's **Last Modified** time. They're only ordered by the date and time specified in the blob name using the {date} and {time} substitutions.+- Reference data blobs aren't* ordered by the blob's **Last Modified** time. They're only ordered by the date and time specified in the blob name using the {date} and {time} substitutions. - To avoid having to list a large number of blobs, delete old blobs for which processing will no longer be done. Stream Analytics might have to reprocess a small amount in some scenarios, like a restart. ## Azure SQL Database You can use [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-m ||| |Input alias|A friendly name used in the job query to reference this input.| |Subscription|Your subscription.|-|Database|The SQL Database instance that contains your reference data. For SQL Managed Instance, you must specify the port 3342. An example is *sampleserver.public.database.windows.net,3342*.| +|Database|The SQL Database instance that contains your reference data. For SQL Managed Instance, you must specify the port 3342. An example is `sampleserver.public.database.windows.net,3342`.| |Username|The username associated with your SQL Database instance.| |Password|The password associated with your SQL Database instance. |Refresh periodically|This option allows you to select a refresh rate. Select **On** to specify the refresh rate in DD:HH:MM.| Use reference datasets that are less than 300 MB for best performance. 
Reference Query complexity can increase to include stateful processing such as windowed aggregates, temporal joins, and temporal analytic functions. When complexity increases, the maximum supported size of reference data decreases. -If Stream Analytics can't load the reference data and perform complex operations, the job runs out of memory and fails. In such cases, the streaming unit percent utilization metric will reach 100%. +If Stream Analytics can't load the reference data and perform complex operations, the job runs out of memory and fails. In such cases, the streaming unit percent utilization metric reaches 100%. |Number of streaming units |Recommended size | ||| If Stream Analytics can't load the reference data and perform complex operations |3 |150 MB or lower | |6 and beyond |5 GB or lower | -Support for compression isn't available for reference data. For reference datasets larger than 300 MB, use SQL Database as the source with the [delta query](./sql-reference-data.md#delta-query) option for optimal performance. If the delta query option isn't used in such scenarios, you'll see spikes in the watermark delay metric every time the reference dataset is refreshed. +Support for compression isn't available for reference data. For reference datasets larger than 300 MB, use SQL Database as the source with the [delta query](./sql-reference-data.md#delta-query) option for optimal performance. If the delta query option isn't used in such scenarios, you see spikes in the watermark delay metric every time the reference dataset is refreshed. ## Join multiple reference datasets in a job |
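Review bot: the rewritten bullet in the Blob Storage guidance leaves a stray asterisk, `- Reference data blobs aren't* ordered by the blob's **Last Modified** time.`; removing the `*not*` emphasis should remove both asterisks, so this should read `aren't ordered`. Also, `This action doesn't imply that current stream data use past reference data` needs `uses` to agree with its singular subject; the original `will use` was grammatical, so only the future-tense wording needed changing, not the agreement.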
synapse-analytics | Synapse Workspace Synapse Rbac Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md | The following table describes the built-in roles and the scopes at which they ca |Role |Permissions|Scopes| |||--|-|Synapse Administrator |Full Synapse access to SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. </br></br>_Can read and write artifacts</br> Can do all actions on Spark activities.</br> Can view Spark pool logs</br> Can view saved notebook and pipeline output </br> Can use the secrets stored by linked services or credentials</br>Can assign and revoke Synapse RBAC roles at current scope_|Workspace </br> Spark pool<br/>Integration runtime </br>Linked service</br>Credential | +|Synapse Administrator |Full Synapse access to SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. 
Synapse RBAC roles can be assigned even when the associated subscription is disabled.</br></br>_Can read and write artifacts</br> Can do all actions on Spark activities.</br> Can view Spark pool logs</br> Can view saved notebook and pipeline output </br> Can use the secrets stored by linked services or credentials</br>Can assign and revoke Synapse RBAC roles at current scope_|Workspace </br> Spark pool<br/>Integration runtime </br>Linked service</br>Credential | |Synapse Apache Spark Administrator</br>|Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials.  Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. </br></br>_Can do all actions on Spark artifacts</br>Can do all actions on Spark activities_|Workspace</br>Spark pool| |Synapse SQL Administrator|Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services.  Includes read access to all other published code artifacts.  Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. </br></br>*Can do all actions on SQL scripts<br/>Can connect to SQL serverless endpoints with SQL `db_datareader`, `db_datawriter`, `connect`, and `grant` permissions*|Workspace| |Synapse Contributor|Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including scheduled pipelines, credentials and linked services.  Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. 
</br></br>_Can read and write artifacts</br>Can view saved notebook and pipeline output</br>Can do all actions on Spark activities</br>Can view Spark pool logs_|Workspace </br> Spark pool<br/> Integration runtime| Credential |Synapse Administrator </br>Synapse Credential User ## Next steps - Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.-- Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)+- Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md) |
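Review bot: the added sentence `Synapse RBAC roles can be assigned even when the associated subscription is disabled.` describes role assignment in general, yet it sits inside the permissions cell of the Synapse Administrator row only; readers scanning the other rows (or Azure Owners, who the same cell says can also assign roles) will miss it. Consider moving it to the prose above the table so it applies visibly to every assigner, and state whether such assignments take effect immediately when the subscription is re-enabled, since that is what a reviewer of role changes would want to know.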
update-manager | Periodic Assessment At Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-manager/periodic-assessment-at-scale.md | description: This article shows how to manage update settings for your Windows a Previously updated : 01/17/2024 Last updated : 02/27/2024 This article describes how to enable Periodic Assessment for your machines at sc You can monitor the compliance of resources under **Compliance** and remediation status under **Remediation** on the Azure Policy home page. +> [!NOTE] +> Currently, Periodic assessment policies donΓÇÖt support specialized, migrated, and restored images. However, they work for both marketplace and generalized gallery images. If you are facing failures during remediation see, [remediation failures for gallery images](troubleshoot.md#policy-remediation-tasks-are-failing-for-gallery-images-and-for-images-with-encrypted-disks) for more information. +++ ## Enable Periodic Assessment for your Azure Arc-enabled machines by using Azure Policy 1. Go to **Policy** in the Azure portal and select **Authoring** > **Definitions**. |
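Review bot: the added note contains mojibake, `donΓÇÖt` where `don't` is intended, which indicates the file was saved or diffed in a non-UTF-8 encoding; please re-save as UTF-8 before merging. In `If you are facing failures during remediation see, [remediation failures ...]` the comma belongs before `see`, not after it. The three empty `+` lines following the note add blank lines with no purpose and can be dropped.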
update-manager | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-manager/troubleshoot.md | Title: Troubleshoot known issues with Azure Update Manager description: This article provides details on known issues and how to troubleshoot any problems with Azure Update Manager. Previously updated : 02/21/2024 Last updated : 02/27/2024 This article describes the errors that might occur when you deploy or use Azure The following troubleshooting steps apply to the Azure virtual machines (VMs) related to the patch extension on Windows and Linux machines. -### Azure Linux VM ++#### [Azure Virtual Machines](#tab/azure-machines) ++##### Azure Linux VM To verify if the Microsoft Azure Virtual Machine agent (VM agent) is running and has triggered appropriate actions on the machine and the sequence number for the autopatching request, check the agent log for more information in `/var/log/waagent.log`. Every autopatching request has a unique sequence number associated with it on the machine. Look for a log similar to `2021-01-20T16:57:00.607529Z INFO ExtHandler`. To review the logs related to all actions performed by the extension, check for * `<seq number>.core.log`: Contains information related to the patch actions. This information includes patches assessed and installed on the machine and any problems encountered in the process. * `<Date and Time>_<Handler action>.ext.log`: There's a wrapper above the patch action, which is used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log `<Date and Time>_Enable.ext.log` has information on whether the specific patch operation was invoked. -### Azure Windows VM +##### Azure Windows VM To verify if the VM agent is running and has triggered appropriate actions on the machine and the sequence number for the autopatching request, check the agent log for more information in `C:\WindowsAzure\Logs\AggregateStatus`. 
The package directory for the extension is `C:\Packages\Plugins\Microsoft.CPlat.Core.WindowsPatchExtension<version>`. To review the logs related to all actions performed by the extension, check for * `WindowsUpdateExtension.log`: Contains information related to the patch actions. This information includes patches assessed and installed on the machine and any problems encountered in the process. * `CommandExecution.log`: There's a wrapper above the patch action, which is used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log has information on whether the specific patch operation was invoked. -### Azure Arc-enabled servers +#### [Arc-enabled Servers](#tab/azure-arc) + For Azure Arc-enabled servers, see [Troubleshoot VM extensions](../azure-arc/servers/troubleshoot-vm-extensions.md) for general troubleshooting steps. To review the logs related to all actions performed by the extension, on Windows * `cmd_execution_<numeric>_stdout.txt`: There's a wrapper above the patch action. It's used to manage the extension and invoke specific patch operation. This log contains information about the wrapper. For autopatching, the log has information on whether the specific patch operation was invoked. * `cmd_excution_<numeric>_stderr.txt` +++## Policy remediation tasks are failing for gallery images and for images with encrypted disks ++### Issue +There are remediation failures for VMs which have a reference to the gallery image in the Virtual Machine mode. This is because it requires the read permission to the gallery image and it is currently not part of the Virtual Machine Contributor role. ++ :::image type="content" source="./media/troubleshoot/policy-remediation-failure-error.png" alt-text="Screenshot that shows the error code for the policy remediation failure. 
" lightbox="./media/troubleshoot/policy-remediation-failure-error.png"::: ++### Cause +The Virtual Machine Contributor role doesnΓÇÖt have enough permissions. ++### Resolution +- For all the new assignments, a recent change is introduced to provide **Contributor** role to the managed identity created during policy assignment for remediation. Going forward, this will be assigned for any new assignments. +- For any previous assignments if you are experiencing failure of remediation tasks, we recommend that you manually assign the contributor role to the managed identity by following the steps listed under [Grant permissions to the managed identity through defined roles](../governance/policy/how-to/remediate-resources.md) +- Also, in scenarios where the Contributor role doesnΓÇÖt work when the linked resources (gallery image or disk) is in another resource group or subscription, manually provide the managed identity with the right roles and permissions on the scope to unblock remediations by following the steps in [Grant permissions to the managed identity through defined roles](../governance/policy/how-to/remediate-resources.md). + ### Unable to generate periodic assessment for Arc-enabled servers |
virtual-machines | Automatic Extension Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-extension-upgrade.md | az vmss extension set \ --enable-auto-upgrade true ``` +### ARM template for Virtual Machines +The following example describes how to set automatic extension upgrades for an extension (Dependency Agent Extension in this example) on a Virtual Machine using Azure Resource Manager ++```json +{ + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[resourceGroup().location]", + "name": "<extensionName>", + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "enableAMA": "true" + } + } +} +``` ++### ARM template for Virtual Machine Scale Sets +Use the following example to set automatic extension upgrade on the extension within the scale set model: ++```json +{ + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2023-09-01", + "name": "[variables('vmScaleSetName')]", + "location": "[resourceGroup().location]", +   "properties": { +    "virtualMachineProfile": { + "extensionProfile": { +        "extensions": [{ + "name": "<extensionName>", + "properties": { + "publisher": "Microsoft.Azure.Monitoring.DependencyAgent", + "type": "DependencyAgentWindows", + "typeHandlerVersion": "9.5", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + } + }] +     } +     } +    } +} +``` ++ ## Extension upgrades with multiple extensions A VM or Virtual Machine Scale Set can have multiple extensions with automatic extension upgrade enabled. The same VM or scale set can also have other extensions without automatic extension upgrade enabled. |
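Review bot: the scale-set example is not valid JSON: `"enableAutomaticUpgrade": true,` is followed directly by `}`, so the trailing comma will make the template fail to parse; drop the comma. The indentation of the `properties`, `virtualMachineProfile`, `extensions` and closing-brace lines uses non-breaking spaces rather than regular spaces, which copy-paste poorly and render inconsistently. The single-VM example has no `apiVersion` on the `Microsoft.Compute/virtualMachines/extensions` resource, which every ARM resource declaration requires; add one as the scale-set example does. The lead-in sentence ending `...on a Virtual Machine using Azure Resource Manager` also lacks a terminating period.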
virtual-machines | Capacity Reservation Associate Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/capacity-reservation-associate-vm.md | In the request body, include the `capacityReservationGroup` property: "vmSize": "Standard_D2s_v3" }, … - "CapacityReservation":{ + "capacityReservation":{ "capacityReservationGroup":{ "id":"subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/CapacityReservationGroups/{CapacityReservationGroupName}" } |
virtual-machines | Disks Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-types.md | Title: Select a disk type for Azure IaaS VMs - managed disks description: Learn about the available Azure disk types for virtual machines, including ultra disks, Premium SSDs v2, Premium SSDs, standard SSDs, and Standard HDDs. Previously updated : 02/20/2024 Last updated : 02/27/2024 The following table provides a comparison of disk sizes and performance caps to |128 |38,400 |9,800 | |256 |76,800 |10,000 | |512 |153,600 |10,000 |-|1,024-65,536 (sizes in this range increasing in increments of 1 TiB) |400,000 |10,000 | +|1,024 |307,200 |10,000 | +|2,048-65,536 (sizes in this range increasing in increments of 1 TiB) |400,000 |10,000 | ### Ultra disk performance |
virtual-machines | Trusted Launch Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/trusted-launch-faq.md | Architecture : x64 +### How external communication drivers work with Trusted Launch VMs ? ++Adding COM ports requires disabling Secure Boot. Hence, COM ports are disabled by default in Trusted Launch VMs. ## Power states |
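Review bot: the new heading `### How external communication drivers work with Trusted Launch VMs ?` has a space before the question mark and is not phrased as a question; `### How do external communication drivers work with Trusted Launch VMs?` would match the other FAQ headings. The body states that adding COM ports requires disabling Secure Boot and that COM ports are therefore disabled by default, but does not tell a reader who needs a COM port what their options are or that the restriction is by design; one sentence making that trade-off explicit would complete the answer.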
virtual-machines | Centos End Of Life | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/workloads/centos/centos-end-of-life.md | Workloads running on these CentOS versions need to migrate to alternate platform ## Migration options -There are several options for CentOS customers to move to a supported OS. The decision of where and how to migrate depends on whether you need to: +There are several options for CentOS customers to move to a supported OS. The decision of where and how to migrate depends on: -- Retain compatibility with CentOS / Red Hat Enterprise Linux (RHEL)+- Whether you need to retain compatibility with CentOS / Red Hat Enterprise Linux (RHEL) - Prefer a community supported distribution vs. commercial distribution (for example Red Hat Enterprise Linux or RHEL)-- Configuration and image source(s) of your CentOS estate in Azure+- The configuration and image source(s) of your CentOS estate in Azure If you need to keep CentOS compatibility, migration to Red Hat Enterprise Linux, a commercial distribution, is a low-risk option. There are also several choices such as Oracle Linux, Alma Linux, Rocky Linux, etc. As you consider whether to convert your VM in-place vs redeploying, the way you If you created your own VM for use in Azure, no software billing information is present in your VM. You're likely OK to convert it in place (after a backup and any necessary prerequisites and updates). -Rogue Wave Software (formerly OpenLogic) Azure Marketplace offer +OpenLogic by Perforce Azure Marketplace offers: - [CentOS-based](https://azuremarketplace.microsoft.com/marketplace/apps/openlogic.centos?tab=Overview) Rogue Wave Software (formerly OpenLogic) Azure Marketplace offer - [CentOS-based LVM](https://azuremarketplace.microsoft.com/marketplace/apps/openlogic.centos-lvm?tab=Overview) -These are the official / endorsed CentOS image in Azure, and don't have software billing information associated. 
They're candidates for an in-place conversion (after a backup and any necessary prerequisites and updates). +These are the official / endorsed CentOS images in Azure, and don't have software billing information associated. They're candidates for an in-place conversion (after a backup and any necessary prerequisites and updates). **Other Azure Marketplace offers** |
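Review bot: the lead-in was changed from `Rogue Wave Software (formerly OpenLogic) Azure Marketplace offer` to `OpenLogic by Perforce Azure Marketplace offers:`, but the first bullet beneath it still ends with the old `Rogue Wave Software (formerly OpenLogic) Azure Marketplace offer` wording, so the vendor name now contradicts itself within three lines; drop the trailing phrase from the `[CentOS-based](...)` bullet. In the decision list, the neighbouring items were reworded to fit the new `depends on:` lead-in but the middle one still reads `Prefer a community supported distribution vs. commercial distribution (for example Red Hat Enterprise Linux or RHEL)`, which is no longer parallel and gives the same distribution twice as the example; `Whether you prefer a community-supported or a commercial distribution (for example, Red Hat Enterprise Linux)` would keep the list consistent.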
virtual-network | Application Security Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/application-security-groups.md | Application security groups enable you to configure network security as a natura :::image type="content" source="./media/security-groups/application-security-groups.png" alt-text="Diagram of Application security groups."::: -In the previous picture, *NIC1* and *NIC2* are members of the *AsgWeb* application security group. *NIC3* is a member of the *AsgLogic* application security group. *NIC4* is a member of the *AsgDb* application security group. Though each network interface (NIC) in this example is a member of only one network security group, a network interface can be a member of multiple application security groups, up to the [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits). None of the network interfaces have an associated network security group. *NSG1* is associated to both subnets and contains the following rules: +In the previous picture, *NIC1* and *NIC2* are members of the *AsgWeb* application security group. *NIC3* is a member of the *AsgLogic* application security group. *NIC4* is a member of the *AsgDb* application security group. Though each network interface (NIC) in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits). None of the network interfaces have an associated network security group. *NSG1* is associated to both subnets and contains the following rules: ## Allow-HTTP-Inbound-Internet |
virtual-network | Tutorial Tap Virtual Network Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-tap-virtual-network-cli.md | Read [prerequisites](virtual-network-tap-overview.md#prerequisites) before you c --out tsv) ``` - - Create the virtual network TAP in the *westcentralus* Azure region using the ID of the IP configuration as the destination and an optional port property. The port specifies the destination port on network interface IP configuration where the TAP traffic will be received : + - Create the virtual network TAP in the *westcentralus* Azure region using the ID of the IP configuration as the destination. The traffic mirror destination must allow traffic to port 4789: ```azurecli-interactive az network vnet tap create \ --resource-group myResourceGroup \ --name myTap \ --destination $IpConfigId \- --port 4789 \ --location westcentralus ``` |
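Review bot: with `--port 4789 \` removed from the `az network vnet tap create` example, the replacement sentence `The traffic mirror destination must allow traffic to port 4789` is now the only mention of the port, and it doesn't say where the reader is expected to allow it; since the previous text described the port as being configured on the TAP, say explicitly that the destination side (its network security group and any host firewall) must permit inbound traffic on that port, otherwise readers who used to set `--port` will look for a TAP parameter that no longer exists.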
virtual-network | Virtual Network Bandwidth Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-bandwidth-testing.md | To measure throughput from Linux machines, use [NTTTCP-for-Linux](https://github - For **Ubuntu**, install `build-essential` and `git`. ```bash+ sudo apt-get update sudo apt-get -y install build-essential sudo apt-get -y install git ``` |
virtual-wan | How To Network Virtual Appliance Inbound | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/how-to-network-virtual-appliance-inbound.md | + + Title: 'Azure Virtual WAN: Configure Destination NAT for Network Virtual Appliance (NVA) in the hub' +description: Learn how to use Destination NAT with a Network Virtual Appliance in the Virtual WAN hub. +++ Last updated : 01/04/2023++# Customer intent: As someone with a networking background, I want to create a Network Virtual Appliance (NVA) in my Virtual WAN hub and leverage destination NAT. ++# How to configure Destination NAT (DNAT) for Network Virtual Appliance in an Azure Virtual WAN hub +The following article describes how to configure Destination NAT for Next-Generation Firewall enabled Network Virtual Appliances deployed with the Virtual WAN hub. ++> [!Important] +> Destination NAT (DNAT) for Virtual WAN integrated Network Virtual Appliances is currently in Public Preview and is provided without a service-level agreement. It shouldn't be used for production workloads. Certain features might not be supported, might have constrained capabilities, or might not be available in all Azure locations. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ++## Background ++Network Virtual Appliances (NVAs) with Next-Generation Firewall capabilities that are integrated with Virtual WAN allow customers to protect and inspect traffic between private networks connected to Virtual WAN. ++Destination NAT for Network Virtual Appliances in the Virtual WAN hub allows you to publish applications to the users in the internet without directly exposing the application or server's public IP. 
Consumers access applications through a public IP address assigned to a Firewall Network Virtual Appliance. The NVA is configured to filter and translate traffic and control access to backend applications. ++Infrastructure management and programming for the DNAT use case in Virtual WAN is automatic. Programming the DNAT rule on the NVA using the NVA orchestration software or NVA command line automatically programs Azure infrastructure to accept and route DNAT traffic for supported NVA partners. See the [limitations](#limitations) section for the list of supported NVA partners. ++## Concepts ++To enable the DNAT use case associate one or more Azure Public IP address resources to the Network Virtual Appliance resource. These IPs are called **internet inbound** or **internet ingress** IP addresses and are the target IP addresses users initiate connection requests to in order to access applications behind the NVA. After you configure a DNAT rule on the Network Virtual Appliance orchestrator and management software (see partner guide), the NVA management software automatically: ++* Programs NVA device software running in Virtual WAN to inspect and translate the corresponding traffic (set-up NAT rules and Firewall rules on NVA device). The rules that are programmed on the NVA are called **NVA DNAT rules**. +* Interacts with Azure APIs to create and update **inbound security rules**. Virtual WAN control plane processes inbound security rules and programs Virtual WAN and Azure-managed NVA infrastructure components to support Destination NAT use case. ++### Example ++In the following example, users access an application hosted in an Azure Virtual Network (Application IP 10.60.0.4) connect to a DNAT Public IP (4.4.4.4) assigned to the NVA on Port 443. ++The following configurations are performed: ++* **Internet inbound** IP addresses assigned to the NVA are 4.4.4.4 and 5.5.5.5. 
+* **NVA DNAT rule** is programmed to translate traffic with destination 4.4.4.4:443 to 10.60.0.4:443. +* NVA orchestrator interfaces with Azure APIs to create **inbound security rules** and Virtual WAN control plane programs infrastructure appropriately to support traffic flow. ++#### Inbound traffic flow +++The list below corresponds to the diagram above and describes the packet flow for the inbound connection: ++1. The user initiates a connection with one of the Public IPs used for DNAT associated to the NVA. +1. Azure load balances the connection request to one of the Firewall NVA instances. Traffic is sent to the external/untrusted interface of the NVA. +1. NVA inspects the traffic and translates the packet based on rule configuration. In this case, the NVA is configured to NAT and forward inbound traffic to 10.60.0.4:443. The source of the packet is also translated to the private IP (IP of trusted/internal interface) of the chosen Firewall instance to ensure flow symmetry. The NVA forwards the packet and Virtual WAN routes the packet to the final destination. ++#### Outbound traffic flow ++The list below corresponds to the diagram above and describes the packet flow for the outbound response: ++1. The server responds and sends the reply packets to the NVA Firewall instance over the Firewall private IP. +1. The NAT translation is reversed and the response is sent out the untrusted interface. Azure then directly sends the packet back to the user. ++## Known Limitations and Considerations ++### Limitations + +* Destination NAT is supported only for the following NVAs: **checkpoint**, **fortinet-sdwan-and-ngfw** and **fortinet-ngfw**. +* Public IPs that are used for Destination NAT must meet the following requirements: + * Destination NAT Public IPs must be from the same region as the NVA resource. For example, if the NVA is deployed in the East US region, the public IP must also be from the East US region. 
+ * Destination NAT Public IPs can't be in use by another Azure resource. For example, you can't use an IP address in use by a Virtual Machine network interface IP Configuration or a Standard Load Balancer front-end configuration. + * Public IPs must be from IPv4 address spaces. Virtual WAN doesn't support IPv6 addresses. + * Public IPs must be deployed with Standard SKU. Basic SKU Public IPs are not supported. +* Destination NAT is only supported on new NVA deployments that are created with at least one Destination NAT Public IP. Existing NVA deployments or NVA deployments that didn't have a Destination NAT Public IP associated at NVA creation time aren't eligible to use Destination NAT. +* Programming Azure infrastructure components to support DNAT scenarios is done automatically by NVA orchestration software when a DNAT rule is created. Therefore, you can't program NVA rules through Azure portal. However, you can view the inbound security rules associated to each internet inbound Public IP. +* DNAT traffic in Virtual WAN can only be routed to connections to the same hub as the NVA. Inter-hub traffic patterns with DNAT aren't supported. ++### Considerations ++* Inbound Traffic is automatically load-balanced across all healthy instances of the Network Virtual Appliance. +* In most cases, NVAs must perform source-NAT to the Firewall private IP in addition to destination-NAT to ensure flow symmetry. Certain NVA types may not require source-NAT. Contact your NVA provider for best practices around source-NAT. +* Timeout for idle flows is automatically set to 4 minutes. +* You can assign individual IP address resources generated from an IP address prefix to the NVA as internet inbound IPs. Assign each IP address from the prefix individually. ++## Managing DNAT/Internet Inbound configurations ++> [!Important] +> The Azure portal experience for Destination NAT (DNAT) for Virtual WAN integrated Network Virtual Appliances is currently rolling out. 
If you do not see the DNAT options described below available in Portal, reach out to your NVA provider. ++The following section describes how to manage NVA configurations related to internet inbound and DNAT. ++1. Navigate to your Virtual WAN Hub. Select **Network Virtual Appliances** under Third Party Providers. Click on **Manage Configurations** next to the NVA. ++1. Select **Internet Inbound** under settings. ++### Associating an IP address to an NVA for Internet Inbound ++1. If the NVA is eligible for internet inbound and there are no current internet inbound IP addresses associated to the NVA, select **Enable Internet Inbound (Destination NAT) by associating a public IP to this Network Virtual Appliance**. If IPs are already associated to this NVA, select **Add**. ++1. Select the resource group and the IP address resource that you want to use for internet inbound from the dropdown. +1. Click **save**. ++### View active inbound security rules using an Internet Inbound Public IP ++1. Find the Public IP you want to view and click **View rules**. +1. View the rules associated to the public IP. + +### Remove Internet Inbound public IP from existing NVA ++> [!NOTE] +> IP addresses can only be removed if there are no rules associated to that IP is 0. Remove all rules associated to the IP by removing DNAT rules assigned to that IP from your NVA management software. ++Select the IP you want to remove from the grid and click **Delete**. ++## Programming DNAT Rules ++The following section contains NVA provider-specific instructions on configuring DNAT rules with NVAs in Virtual WAN ++|Partner| Instructions| +|--|--| +|checkpoint|[Check Point documentation](https://aka.ms/ckptDNAT)| +|fortinet| Contact azurevwan@fortinet.com for access to the preview and documentation| ++## Troubleshooting +The following section describes some common troubleshooting scenarios. 
++### Public IP Association/Disassociation ++* **Option to associate IP to NVA resource not available through Azure portal** : Only NVAs that are created with DNAT/Internet Inbound IPs at deployment time are eligible to use DNAT capabilities. Delete and re-create the NVA with an Internet Inbound IP assigned at deployment time. +* **IP address not showing up in dropdown Azure portal**: Public IPs only show up in the dropdown menu if the IP address is IPv4, in the same region as the NVA and isn't in use/assigned to another Azure resource. Ensure the IP address you're trying to use meets the above requirements, or create a new IP address. +* **Can't delete/disassociate Public IP from NVA**: Only IP addresses that have no rules associated with them can be deleted. Use the NVA orchestration software to remove any DNAT rules associated to that IP address. +* **NVA provisioning state not succeeded**: If there are on-going operations on the NVA or if the provisioning status of the NVA is **not successful**, IP address association fails. Wait for any existing operations to terminate. ++### <a name="healthprobeconfigs"></a> Load balancer health probes ++NVA with internet inbound/DNAT capabilities relies on the NVA responding to three different Azure Load Balancer health probes to ensure the NVA is functioning as expected and route traffic. Health probe requests are always made from the nonpublically routable Azure IP Address [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md). You should see a three-way TCP handshake performed with 168.63.129.16 in your NVA logs. ++For more information on Azure Load Balancer health probes, see [health probe documentation](../load-balancer/load-balancer-custom-probe-overview.md). ++The health probes Virtual WAN requires are: ++* **Internet Inbound or DNAT health probe**: Used to forward Internet inbound traffic to NVA untrusted/external interfaces. 
This health probe checks the health of the **untrusted/external** interface of the NVA only. ++ |NVA Provider| Port| + |--|--| + |fortinet|8008| + |checkpoint| 8117| ++* **Datapath health probe**: Used to forward private (VNET/on-premises) traffic to NVA **trusted/internal** interfaces. Required for private routing policies. This health probe checks the health of the **trusted/internal** interface of the NVA only. ++ |NVA Provider| Port| + |--|--| + |fortinet|8008| + |checkpoint| 8117| ++* **NVA health probe**: Used to determine the health of the Virtual Machine Scale Set running the NVA software. This health probe checks the health of all interfaces of the NVA (both **untrusted/external** and **trusted/internal**). ++ |NVA Provider| Port| + |--|--| + |fortinet|8008| + |checkpoint| 8117| ++Ensure the NVA is configured to respond to the 3 health probes correctly. Common issues include: +* Health probe response set to an incorrect port. +* Health probe response incorrectly set on only the internal/trusted interface. +* Firewall rules preventing health probe response. ++### DNAT rule creation ++* **DNAT rule creation fails**: Ensure the provisioning state of the NVA is Succeeded and that all NVA instances are healthy. Reference NVA provider documentation for details on how to troubleshoot or contact the vendor for further support. + + Additionally, ensure that the NVA is responding to **NVA health probes** on all interfaces. See the [health probes](#healthprobeconfigs) section for more information. ++### Datapath ++* **NVA doesn't see packets after user initiates connection to Public IP**: Ensure that the NVA is responding to **DNAT health probes** on the **external/untrusted** interface only. See the [health probes](#healthprobeconfigs) section for more information. +++* **Destination server doesn't see packets after NVA translation**: consider the following troubleshooting mechanisms if packets aren't being forwarded to the final destination server. 
+ * **Azure Routing issue**: Use Azure Virtual WAN portal to check the effective routes of the defaultRouteTable or the effective routes of your Network Virtual Appliance. You should see the subnet of the destination application in the effective routes. + * **NVA operating system routing issue**: Check the internal routing table of the NVA operating system. You should see routes corresponding to the destination subnets learnt dynamically from the NVA. Make sure there are no route filters/maps that are dropping relevant prefixes. + * **Inter-hub destinations not reachable**: Inter-hub routing for DNAT use cases aren't supported. Make sure the resource you're trying to access is connected to the same hub as the NVA that has the DNAT rule configured. + * **Packet capture on NVA interfaces**: Perform packet captures on the NVA untrusted and trusted interfaces. On the untrusted interface, you should see the original packet with source IP being the user's public IP and destination IP being the internet inbound IP address assigned to the NVA. On the trusted interface, you should see the post-NAT translated packets (both source NAT and destination NAT are applied). Compare packet captures before and after Firewall rules are applied to ensure proper Firewall rule configuration. + * **SNAT port exhaustion**: For each NVA instance, an inbound connection to a single backend application needs to use a unique port to NAT traffic to the private IP of the NVA instance. As a result, each NVA instance can handle approximately 65,000 concurrent connections to the same destination. For large scale use cases, ensure the NVA is configured to forward to multiple application IP addresses to facilitate port reuse. ++* **Return traffic not returning to NVA**: + * **Application hosted in Azure**: Use Azure portal to check the effective routes of the application server. You should see the hub address space in the effective routes of the application server. 
+ * **Application hosted on-premises**: Make sure there are no route filters on the on-premises side that filter out routes corresponding to the hub address space. Because the NVA source-NAT's traffic to a Firewall Private IP, the on-premises must accept the hub address space. + * **Application inter-hub**: Inter-hub routing for DNAT use cases aren't supported. Make sure the resource you're trying to access is connected to the same hub as the NVA that has the DNAT rule configured. + * **Packet capture on NVA interface**: Perform packet captures on the NVA trusted interface. You should see the application server send return traffic directly to the NVA instance. Make sure you compare packet captures before and after Firewall rules are applied to ensure packets to ensure proper Firewall rule configuration. |
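Review bot: several added sentences are grammatically broken and should be fixed before merge: the note under `Remove Internet Inbound public IP from existing NVA` reads `IP addresses can only be removed if there are no rules associated to that IP is 0` (suggest `IP addresses can only be removed when no inbound security rules are associated with them`); `Inter-hub routing for DNAT use cases aren't supported` appears twice and should be `isn't supported`; and the last bullet ends `to ensure packets to ensure proper Firewall rule configuration` with a duplicated clause. The example section uses `4.4.4.4` and `5.5.5.5` as the internet inbound IPs; these are real, publicly routable addresses, so the documentation ranges reserved for examples (RFC 5737, e.g. `192.0.2.0/24` or `203.0.113.0/24`) would avoid readers copying live addresses into a configuration. Finally, the front matter carries `Last updated : 01/04/2023` while the accompanying What's New entry dates the public preview to February 2024; one of the two dates looks wrong.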
virtual-wan | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/whats-new.md | You can also find the latest Azure Virtual WAN updates and subscribe to the RSS | Type |Area |Name |Description | Date added | Limitations | | ||||||+| Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs| Public Preview of Internet inbound/DNAT for Next-Generation Firewall NVA's| Destination NAT for Network Virtual Appliances in the Virtual WAN hub allows you to publish applications to the users in the internet without directly exposing the application or server's public IP. Consumers access applications through a public IP address assigned to a Firewall Network Virtual Appliance. |February 2024| Supported for Fortinet Next-Generation Firewall, Check Point CloudGuard. See [DNAT documentation](how-to-network-virtual-appliance-inbound.md) for the full list of limitations and considerations.| |Feature|Software-as-a-service|Palo Alto Networks Cloud NGFW|General Availability of [Palo Alto Networks Cloud NGFW](https://aka.ms/pancloudngfwdocs), the first software-as-a-serivce security offering deployable within the Virtual WAN hub.|July 2023|Palo Alto Networks Cloud NGFW is now deployable in all Virtual WAN hubs (new and old). See [Limitations of Palo Alto Networks Cloud NGFW](how-to-palo-alto-cloud-ngfw.md) for a full list of limitations and regional availability. Same limitations as routing intent.| |Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs|[Fortinet NGFW](https://www.fortinet.com/products/next-generation-firewall)|General Availability of [Fortinet NGFW](https://aka.ms/fortinetngfwdocumentation) and [Fortinet SD-WAN/NGFW dual-role](https://aka.ms/fortinetdualroledocumentation) NVAs.|May 2023| Same limitations as routing intent. 
Doesn't support internet inbound scenario.| |Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs|[Check Point CloudGuard Network Security for Azure Virtual WAN](https://www.checkpoint.com/cloudguard/microsoft-azure-security/wan/) |General Availability of Check Point CloudGuard Network Security NVA deployable from Azure Marketplace within the Virtual WAN hub in all Azure regions.|May 2023|Same limitations as routing intent. Doesn't support internet inbound scenario.| |
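Review bot: the new Feature row lists `Fortinet Next-Generation Firewall, Check Point CloudGuard` as supported for internet inbound/DNAT, but the existing Fortinet NGFW and Check Point CloudGuard rows below it still say `Doesn't support internet inbound scenario.` in their Limitations column, so the table now contradicts itself; update those two rows (or point them at the new DNAT entry) in the same change. Also `NVA's` in the new row's Name column should be `NVAs`, and the pre-existing `software-as-a-serivce` typo in the Palo Alto row is worth fixing while the table is being edited.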