+Azure AI Language is a cloud-based service that applies Natural Language Processing (NLP) features to text-based data. The native document support capability enables you to send API requests asynchronously, using an HTTP POST request body to send your data and HTTP GET request query string to retrieve the status results. Your processed documents are located in your Azure Blob Storage target container.

+Mapping these fields correctly helps ensure the model has better response and citation quality. You can additionally configure this [in the API](../references/on-your-data.md) using the `fieldsMapping` parameter.

+### Search filter (API)

+If you want to implement additional value-based criteria for query execution, you can set up a search filter using the `filter` parameter in the [REST API](../references/azure-search.md).

+1. Ingestion assets are created in Azure AI Search resource and Azure storage account. Currently these assets are: indexers, indexes, data sources, a [custom skill](/azure/search/cognitive-search-custom-skill-interface) in the search resource, and a container (later called the chunks container) in the Azure storage account. You can specify the input Azure storage container using the [Azure OpenAI studio](https://oai.azure.com/), or the [ingestion API (preview)](/rest/api/azureopenai/ingestion-jobs).

+You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../references/on-your-data.md). You don't need to reingest your data when you update these parameters.

+Once you select add your dataset, you can use the **System message** section in the Azure OpenAI Studio, or the `roleInformation` [parameter in the API](../references/on-your-data.md).

+You can customize the app's frontend and backend logic. The app provides several [environment variables](https://github.com/microsoft/sample-app-aoai-chatGPT#common-customization-scenarios-eg-updating-the-default-chat-logo-and-headers) for common customization scenarios such as changing the icon in the app. See the source code for the web app, and more information on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT).

+Sample source code for the web app is available on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). Source code is provided "as is" and as a sample only. Customers are responsible for all customization and implementation of their web apps.

+| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | 30 K | - | - | - | - | - | - |

+description: Learn how to prepare high-quality video samples for creating a custom text to speech avatar.

+Custom text to speech avatar model building requires training on a video recording of a real human speaking. This person is the avatar talent. You must get sufficient consent under all relevant laws and regulations from the avatar talent to create a custom avatar from their talent's image or likeness. Refer to [Get consent file from the avatar talent](custom-avatar-create.md#get-consent-file-from-the-avatar-talent) to learn requirement of consent statement video.

+We recommend recording in a professional video shooting studio or a well-lit place.

+### Background requirement

+- If you need a commercial, multi-scene avatar, the background of the video should be clean, smooth, pure-colored, and a green screen is the best choice.

+- If your avatar only needs to be used in a single scene, you can select a specific scene to record (such as in your office), but the background can't be subtracted and changed.

+- Tips about using a pure-colored background (such as green screen) in shooting:

+

+ | Dos | Don'ts |

+ |--|--|

+ | - A green screen is set behind your back, and if your avatar video shows the full body of the actor, including feet, there should be a green screen under the feet. And the back green screen and floor green screen should be completely connected. <br/>- The green screen should be flat, and the color is uniform.<br/> - The actor should keep 0.5 m ΓÇô 1 m distance away from the back background.<br/>- The green screen can be properly lit to prevent shadows.<br/>- The full outline of the actor is within the edge of the green screen.| - The actor shouldn't stand too close to the green screen.<br/>- Avoid the actorΓÇÖs head and hands spilling out of the green screen when speaking.|

+### Lighting requirement

+- Ensure even and bright lighting on the actor's face, avoiding shadows on the face or reflections on actor's glasses and clothes.

+- Try to avoid the impact of changes in ambient light on actors. It's recommended to turn off the projector, close the curtains to avoid daylight changes, and use a stable artificial light source, etc.

+### Devices

+- Camera requirement: A minimum of 1080-P resolution and 25 FPS (frames per second).

+- Don't change the position of light and camera after settling down during the whole video shooting.

+- You can use a teleprompter to remind the script during recording but ensure it doesn't affect the actor's gaze towards the camera. Provide a seat if the avatar needs to be in a sitting position.

+- For half-length or seated digital avatars, provide a seat for the actor. If you don't want the image of the chair to appear, you can choose a simple chair.

+## Appearance of the actor

+The custom text to speech avatar doesn't support customization of clothes or looks. Therefore, it's essential to carefully design and prepare the avatar's appearance when recording the training data. Consider the following tips:

+| Categories | Dos | Don'ts |

+||-|-|

+| **Hair** | - The actorΓÇÖs hair should have a smooth and glossy surface.</br>- Even the actorΓÇÖs bangs or broken hair should have a clear and smooth border.</br>- Choose a hairstyle that is easy to keep consistent during the whole video recording. | - Avoid messy hair or backgrounds showing through the hair.</br>- Do not let hair block the eyes or eyebrows.</br>- Avoid shadows on the face caused by hairstyle.</br>- Avoid hair changes too much during speech and body gesture. For example, the high ponytail of an actor may appear, disappear, and swing during speaking. |

+| **Clothing** | - Pay attention to clothing status and make sure no significant changes on the clothing during speaking. | - Avoid wearing clothing and accessories that are too loose, heavy, or complex, as they may impact the consistency of clothing status during speaking and body gesture.</br>- Avoid wearing clothing that is too similar to the background color or reflective materials like white shirts or translucent materials.</br>- Avoid clothing with obvious lines or items with logos and brand names you don't want to highlight.</br>- Avoid reflective elements such as metal belts, shiny leather shoes, and leather pants. |

+| **Face** | - Ensure the actor's face is clearly visible. | - Avoid face obscured by hair, sunglasses, or accessories. |

+ - Maintain a front-facing pose. The actor can move slightly to show a relaxed status, like moving the head or shoulder slightly, but don't move the body too much.

+

+**Samples of status 0 speaking:**

+

+

+

+

+**Samples of natural speaking:**

+

+

+

+This video clip is important if you build a real-time conversation with the custom avatar. The video clip is used as the main template for both speaking and listening status for a chatbot.

+ - Maintain status 0, don't speak, but still feel relaxed.

+ - Even remaining in status 0, don't keep completely still; you can move a little bit but not too much. Perform like you're waiting.

+ - Maintain a smile as if listening or waiting patiently.

+ - Length: 1 minute.

+

+**Samples of silent status:**

+

+

+

+**Gestures (optional):**

+Gesture video clips are optional, and customers who have the need to insert certain gestures in the avatar speaking can follow this guideline to take gesture videos. Gesture insertion is only enabled for batch mode avatar; real-time avatar doesnΓÇÖt support gesture insertion at this point. Each custom avatar model can support no more than 10 gestures.

+**Gesture tips:**

+- Each gesture clip should be within 10 seconds.

+- Gestures should start from status 0 and end with status 0; otherwise, the gesture clip can't be smoothly inserted into the avatar video.

+- The gesture clip only captures the body gestures; the actor doesnΓÇÖt have to speak during making gestures.

+- We recommend designing a list of gestures before recording; here are some examples of gesture video clips:

+**Samples of gesture:**

+| Gestures | Samples |

+|--||

+| Delivering sell link/promotion code |  |

+| Introducing the product |  |

+| Displaying the price (number from 1 to 10-fist-number with each hand) | Right hand  Left hand  |

+High-quality avatar models are built from high-quality video recordings, including audio quality. Here are more tips for actorΓÇÖs performance and recording video clips:

+| **Dos** | **Don'ts** |

+||--|

+| - Ensure all video clips are taken in the same conditions.</br>- During the recording process, design the size and display area of the character you need so that the character can be displayed on the screen appropriately.</br> - Actor should be steady during the recording. </br> - Mind facial expressions, which should be suitable for the avatar's use case. For example, look positive and smile if the custom text to speech avatar is used as customer service. Look professionally if the avatar is used for news reporting.</br> - Maintain eye gaze towards the camera, even when using a teleprompter.</br> - Return your body to status 0 when pausing speaking.</br> - Speak on a self-chosen topic, and minor speech mistakes like miss a word or mispronounced are acceptable. If the actor misses a word or mispronounces something, just go back to status 0, pause for 3 seconds, and then continue speaking.</br> - Consciously pause between sentences and paragraphs. When pausing, go back to the status 0 and close your lips. </br> - The audio should be clear and loud enough; bad audio quality impacts training result.</br> - Keep the shooting environment quiet. | - Don't adjust the camera parameters, focal length, position, angle of view. Don't move the camera; keep the person's position, size, angle, consistent in the camera.</br> - Characters that are too small may lead to a loss of image quality during post-processing. Characters that are too large may cause the screen to overflow during gestures and movements.</br> - Don't make too long gestures or too much movement for one gesture; for example, actorΓÇÖs hands are always making gestures and forget to go back to status 0.</br> - The actor's movements and gestures must not block the face.</br> - Avoid small movements of the actor like licking lips, touching hair, talking sideways, constant head shaking during speech, and not closing up after speaking.</br> - Avoid background noise; staff should avoid walking and talking during video recording.</br> - Avoid other peopleΓÇÖs voice recorded during the actor speaking. |

+Doing some basic processing of your video data is helpful for model training efficiency, such as:

+- Make sure that the character is in the middle of the screen, the size and position are consistent during the video processing. Each video processing parameter such as brightness, contrast remains the same and doesn't change.

+- The start and end of the clip should be kept in state 0; the actors should close their mouths and smile, and look ahead. The video should be continuous, not abrupt.

+**Avatar training video recording file format:** .mp4 or .mov.

+**Resolution:** At least 1920x1080.

+**Frame rate per second:** At least 25 FPS.

+ Title: Process images in prompt flow

+description: Learn how to use images in prompt flow.

+# Process images in prompt flow

+In this article, you learn:

+3. You might want to preprocess the image using the [Python tool](./prompt-flow-tools/python-tool.md) before feeding it to the LLM. For example, you can resize or crop the image to a smaller size.

+ > To process images using a Python function, you need to use the `Image` class that you import from the `promptflow.contracts.multimedia` package. The `Image` class is used to represent an `Image` type within prompt flow. It is designed to work with image data in byte format, which is convenient when you need to handle or manipulate the image data directly.

+The [Azure OpenAI GPT-4 Turbo with Vision tool](./prompt-flow-tools/azure-open-ai-gpt-4v-tool.md) and OpenAI GPT-4V are built-in tools in prompt flow that can use OpenAI GPT-4V model to answer questions based on input images. You can find the tool by selecting **+ More tools** in the flow authoring page.

+- Upload, drag, or paste an image, or specify an image URL or the relative image path.

+In this section, you learn how to build a chatbot that can process image and text inputs.

+Currently the **Test** tab in the deployment detail page doesn't support image inputs or outputs.

+If the flow generates image output, it is returned with `base64` format, for example, `{"data:<mime type>;base64": "<base64 string>"}`.

+## Build with the Azure OpenAI GPT-4 Turbo with Vision tool

+1. Create or open a flow in [Azure AI Studio](https://ai.azure.com). For more information, see [Create a flow](../flow-develop.md).

+1. Select **+ More tools** > **Azure OpenAI GPT-4 Turbo with Vision** to add the Azure OpenAI GPT-4 Turbo with Vision tool to your flow.

+ :::image type="content" source="../../media/prompt-flow/azure-openai-gpt-4-vision-tool.png" alt-text="Screenshot of the Azure OpenAI GPT-4 Turbo with Vision tool added to a flow in Azure AI Studio." lightbox="../../media/prompt-flow/azure-openai-gpt-4-vision-tool.png":::

+1. Select the connection to your Azure OpenAI Service. For example, you can select the **Default_AzureOpenAI** connection. For more information, see [Prerequisites](#prerequisites).

+1. Enter values for the Azure OpenAI GPT-4 Turbo with Vision tool input parameters described [here](#inputs). For example, you can use this example prompt:

+ ```jinja

+ # system:

+ As an AI assistant, your task involves interpreting images and responding to questions about the image.

+ Remember to provide accurate answers based on the information present in the image.

+

+ # user:

+ Can you tell me what the image depicts?

+ 

+ ```

+1. Select **Validate and parse input** to validate the tool inputs.

+1. Specify an image to analyze in the `image_input` input parameter. For example, you can upload an image or enter the URL of an image to analyze. Otherwise you can paste or drag and drop an image into the tool.

+1. Add more tools to your flow as needed, or select **Run** to run the flow.

+1. The outputs are described [here](#outputs).

+Here's an example output response:

+```json

+{

+ "system_metrics": {

+ "completion_tokens": 96,

+ "duration": 4.874329,

+ "prompt_tokens": 1157,

+ "total_tokens": 1253

+ },

+ "output": "The image depicts a user interface for Azure's OpenAI GPT-4 service. It is showing a configuration screen where settings related to the AI's behavior can be adjusted, such as the model (GPT-4), temperature, top_p, frequency penalty, etc. There's also an area where users can enter a prompt to generate text, and an option to include an image input for the AI to interpret, suggesting that this particular interface supports both text and image inputs."

+}

+```

+The following are available input parameters:

+| Name | Type | Description | Required |

+| - | - | -- | -- |

+The following are available output parameters:

+## Next steps

+- [Learn more about how to create a flow](../flow-develop.md)

+For other configurations, see:

+* [DNS and SSL configuration][dns-ssl-configuration]

+* [Application routing add-on configuration][custom-ingress-configurations]

+* [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller].

+* To integrate with an Azure internal load balancer and configure a private Azure DNS zone to enable DNS resolution for the private endpoints to resolve specific domains, see [Configure internal NGIX ingress controller for Azure private DNS zone][create-nginx-private-controller].

+[create-nginx-private-controller]: create-nginx-ingress-private-controller.md

+With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.

+> [!NOTE]

+>

+> This article is only introducing traditional Azure CNI. For [Azure CNI Overlay][azure-cni-overlay] and [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], refer to their documentation instead.

+ Yes. But for [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], the VMs cannot be deployed in pod's subnet.

+

+ But for [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], no matter the connection is inside the same virtual network or cross virtual networks, the pod IP is always the source address for any traffic from the pod. This is because the [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation] implements [Microsoft Azure Container Networking][github-azure-container-networking] infrastructure, which gives end-to-end experience. Hence, it eliminates the use of [`ip-masq-agent`][ip-masq-agent], which is still used by traditional Azure CNI.

+* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md)

+[github-azure-container-networking]: https://github.com/Azure/azure-container-networking

+[ip-masq-agent]: https://kubernetes.io/docs/tasks/administer-cluster/ip-masq-agent/

+[azure-cni-overlay]: azure-cni-overlay.md

+[configure-azure-cni-dynamic-ip-allocation]: configure-azure-cni-dynamic-ip-allocation.md

+```azurecli-interactive

+az account set -s $subscription

+az aks get-credentials -n $clusterName -g $resourceGroup

+* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md)

+ Title: Configure internal NGIX ingress controller for Azure private DNS zone

+description: Understand how to configure an ingress controller with a private IP address and an Azure private DNS zone using the application routing add-on for Azure Kubernetes Service.

+# Configure NGINX ingress controller to support Azure private DNS zone with application routing add-on

+This article demonstrates how to configure an NGINX ingress controller to work with Azure internal load balancer and configure a private Azure DNS zone to enable DNS resolution for the private endpoints to resolve specific domains.

+## Before you begin

+- An AKS cluster with the [application routing add-on][app-routing-add-on-basic-configuration].

+- To attach an Azure private DNS Zone, you need the [Owner][rbac-owner], [Azure account administrator][rbac-classic], or [Azure co-administrator][rbac-classic] role on your Azure subscription.

+## Connect to your AKS cluster

+To connect to the Kubernetes cluster from your local computer, you use `kubectl`, the Kubernetes command-line client. You can install it locally using the [az aks install-cli][az-aks-install-cli] command. If you use the Azure Cloud Shell, `kubectl` is already installed.

+The following example configures connecting to your cluster named *myAKSCluster* in the *myResourceGroup* using the [`az aks get-credentials`][az-aks-get-credentials] command.

+```azurecli-interactive

+az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+```

+## Create a virtual network

+To publish a private DNS zone to your virtual network, you need to specify a list of virtual networks that are allowed to resolve records within the zone. These are called [virtual network links][virtual-network-links].

+The following example creates a virtual network named *myAzureVNet* in the *myResourceGroup* resource group, and one subnet named *mySubnet* to create within the VNet with a specific address prefix.

+```azurecli-interactive

+az network vnet create \

+ --name myAzureVNet \

+ --resource-group myResourceGroup \

+ --location eastus \

+ --address-prefix 10.2.0.0/16 \

+ --subnet-name mysubnet \

+ --subnet-prefixes 10.2.0.0/24

+```

+## Create an Azure private DNS zone

+> [!NOTE]

+> You can configure the application routing add-on to automatically create records on one or more Azure global and private DNS zones for hosts defined on Ingress resources. All global Azure DNS zones and all private Azure DNS zones need to be in the same resource group.

+You create a DNS zone using the [az network private-dns zone create][az-network-private-dns-zone-create] command, specifying the name of the zone and the resource group to create it in. The following example creates a DNS zone named *private.contoso.com* in the *myResourceGroup* resource group.

+```azurecli-interactive

+az network private-dns zone create --resource-group myResourceGoup -n private.contoso.com

+```

+You create a virtual network link to the DNS zone created earlier using the [az network private-dns link vnet create][az-network-private-dns-link-vnet-create] command. The following example creates a link named *myDNSLink* to the zone *private.contoso.com* for the virtual network *myAzureVNet*. Include the `--registration-enabled` parameter to specify the link is not registration enabled.

+```azurecli-interactive

+az network private-dns link vnet create --resource-group myResourceGroup \

+ --name myDNSLink \

+ --zone-name private.contoso.com \

+ --virtual-network myAzureVNet \

+ --registration-enabled false

+```

+The Azure DNS private zone auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each Azure virtual machine for your AKS node deployed in the virtual network.

+## Attach an Azure private DNS zone to the application routing add-on

+> [!NOTE]

+> The `az aks approuting zone add` command uses the permissions of the user running the command to create the [Azure DNS Zone][azure-dns-zone-role] role assignment. The **Private DNS Zone Contributor** role is a built-in role for managing private DNS resources and is assigned to the add-on's managed identity. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].

+1. Retrieve the resource ID for the DNS zone using the [`az network dns zone show`][az-network-dns-zone-show] command and set the output to a variable named `ZONEID`. The following example queries the zone *private.contoso.com* in the resource group *myResourceGroup*.

+ ```azurecli-interactive

+ ZONEID=$(az network private-dns zone show --resource-group myResourceGroup --name private.contoso.com --query "id" --output tsv)

+ ```

+1. Update the add-on to enable integration with Azure DNS using the [`az aks approuting zone`][az-aks-approuting-zone] command. You can pass a comma-separated list of DNS zone resource IDs. The following example updates the AKS cluster *myAKSCluster* in the resource group *myResourceGroup*.

+ ```azurecli-interactive

+ az aks approuting zone add --resource-group myResourceGroup --name myAKSCluster --ids=${ZONEID} --attach-zones

+ ```

+## Create an NGINX ingress controller with a private IP address and an internal load balancer

+The application routing add-on uses a Kubernetes [custom resource definition (CRD)][k8s-crds] called [`NginxIngressController`][app-routing-crds] to configure NGINX ingress controllers. You can create more ingress controllers or modify an existing configuration.

+`NginxIngressController` CRD has a `loadBalancerAnnotations` field to control the behavior of the NGINX ingress controller's service by setting [load balancer annotations](load-balancer-standard.md#customizations-via-kubernetes-annotations).

+Perform the following steps to create an NGINX ingress controller with an internal facing Azure Load Balancer with a private IP address.

+1. Copy the following YAML manifest into a new file named **nginx-internal-controller.yaml** and save the file to your local computer.

+ ```yml

+ apiVersion: approuting.kubernetes.azure.com/v1alpha1

+ kind: NginxIngressController

+ metadata:

+ name: nginx-internal

+ spec:

+ ingressClassName: nginx-internal

+ controllerNamePrefix: nginx-internal

+ loadBalancerAnnotations:

+ service.beta.kubernetes.io/azure-load-balancer-internal: "true"

+ ```

+1. Create the NGINX ingress controller resources using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f nginx-internal-controller.yaml

+ ```

+ The following example output shows the created resource:

+ ```output

+ nginxingresscontroller.approuting.kubernetes.azure.com/nginx-internal created

+ ```

+1. Verify the ingress controller was created

+ You can verify the status of the NGINX ingress controller using the [`kubectl get nginxingresscontroller`][kubectl-get] command.

+ ```bash

+ kubectl get nginxingresscontroller

+ ```

+ The following example output shows the created resource. It may take a few minutes for the controller to be available:

+ ```output

+ NAME INGRESSCLASS CONTROLLERNAMEPREFIX AVAILABLE

+ default webapprouting.kubernetes.azure.com nginx True

+ nginx-internal nginx-internal nginx-internal True

+ ```

+## Deploy an application

+The application routing add-on uses annotations on Kubernetes Ingress objects to create the appropriate resources.

+1. Create an application namespace called `hello-web-app-routing` to run the example pods using the [`kubectl create namespace`][kubectl-create-namespace] command.

+ ```bash

+ kubectl create namespace hello-web-app-routing

+ ```

+1. Create the deployment by copying the following YAML manifest into a new file named **deployment.yaml** and save the file to your local computer.

+ ```yaml

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+ name: aks-helloworld

+ namespace: hello-web-app-routing

+ spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: aks-helloworld

+ template:

+ metadata:

+ labels:

+ app: aks-helloworld

+ spec:

+ containers:

+ - name: aks-helloworld

+ image: mcr.microsoft.com/azuredocs/aks-helloworld:v1

+ ports:

+ - containerPort: 80

+ env:

+ - name: TITLE

+ value: "Welcome to Azure Kubernetes Service (AKS)"

+ ```

+1. Create the service by copying the following YAML manifest into a new file named **service.yaml** and save the file to your local computer.

+ ```yaml

+ apiVersion: v1

+ kind: Service

+ metadata:

+ name: aks-helloworld

+ namespace: hello-web-app-routing

+ spec:

+ type: ClusterIP

+ ports:

+ - port: 80

+ selector:

+ app: aks-helloworld

+ ```

+1. Create the cluster resources using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f deployment.yaml -n hello-web-app-routing

+ ```

+ The following example output shows the created resource:

+ ```output

+ deployment.apps/aks-helloworld created created

+ ```

+ ```bash

+ kubectl apply -f service.yaml -n hello-web-app-routing

+ ```

+ The following example output shows the created resource:

+ ```output

+ service/aks-helloworld created created

+ ```

+## Create the Ingress resource that uses a host name on the Azure private DNS zone and a private IP address

+1. Copy the following YAML manifest into a new file named **ingress.yaml** and save the file to your local computer.

+ Update *`<Hostname>`* with the name of your DNS host, for example, `helloworld.private.contoso.com`. Verify you're specifying `nginx-internal` for the `ingressClassName`.

+ ```yml

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: aks-helloworld

+ namespace: hello-web-app-routing

+ spec:

+ ingressClassName: nginx-internal

+ rules:

+ - host: <Hostname>

+ http:

+ paths:

+ - backend:

+ service:

+ name: aks-helloworld

+ port:

+ number: 80

+ path: /

+ pathType: Prefix

+ ```

+1. Create the cluster resources using the [`kubectl apply`][kubectl-apply] command.

+ ```bash

+ kubectl apply -f ingress.yaml -n hello-web-app-routing

+ ```

+ The following example output shows the created resource:

+ ```output

+ ingress.networking.k8s.io/aks-helloworld created

+ ```

+## Verify the managed Ingress was created

+You can verify the managed Ingress was created using the [`kubectl get ingress`][kubectl-get] command.

+```bash

+kubectl get ingress -n hello-web-app-routing

+```

+The following example output shows the created managed Ingress:

+```output

+NAME CLASS HOSTS ADDRESS PORTS AGE

+aks-helloworld nginx-internal helloworld.private.contoso.com 10.224.0.7 80 98s

+```

+## Verify the Azure private DNS zone was updated

+In a few minutes, run the [az network private-dns record-set a list][az-network-private-dns-record-set-a-list] command to view the A records for your Azure private DNS zone. Specify the name of the resource group and the name of the DNS zone. In this example, the resource group is *myResourceGroup* and DNS zone is *private.contoso.com*.

+```azurecli-interactive

+az network private-dns record-set a list --resource-group myResourceGroup --zone-name private.contoso.com

+```

+The following example output shows the created record:

+```output

+[

+ {

+ "aRecords": [

+ {

+ "ipv4Address": "10.224.0.7"

+ }

+ ],

+ "etag": "188f0ce5-90e3-49e6-a479-9e4053f21965",

+ "fqdn": "helloworld.private.contoso.com.",

+ "id": "/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups/foo/providers/Microsoft.Network/privateDnsZones/private.contoso.com/A/helloworld",

+ "isAutoRegistered": false,

+ "name": "helloworld",

+ "resourceGroup": "foo",

+ "ttl": 300,

+ "type": "Microsoft.Network/privateDnsZones/A"

+ }

+]

+```

+## Next steps

+For other configuration information related to SSL encryption other advanced NGINX ingress controller and ingress resource configuration, review [DNS and SSL configuration][dns-ssl-configuration] and [application routing add-on configuration][custom-ingress-configurations].

+<!-- LINKS - external -->

+[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+[kubectl-create-namespace]: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_namespace/

+[k8s-crds]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/

+[app-routing-crds]: https://aka.ms/aks/approuting/nginxingresscontrollercrd

+<!-- LINKS - internal -->

+[summary-msi]: use-managed-identity.md#summary-of-managed-identities

+[rbac-owner]: ../role-based-access-control/built-in-roles.md#owner

+[rbac-classic]: ../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles

+[app-routing-add-on-basic-configuration]: app-routing.md

+[dns-ssl-configuration]: app-routing-dns-ssl.md

+[custom-ingress-configurations]: app-routing-nginx-configuration.md

+[az-aks-approuting-zone]: /cli/azure/aks/approuting/zone

+[az-network-dns-zone-show]: /cli/azure/network/dns/zone#az-network-dns-zone-show

+[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[virtual-network-links]: ../dns/private-dns-virtual-network-links.md

+[azure-dns-zone-role]: ../dns/dns-protect-private-zones-recordsets.md

+[az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone?#az-network-private-dns-zone-create

+[az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az-network-private-dns-link-vnet-create

+[az-network-private-dns-record-set-a-list]: /cli/azure/network/private-dns/record-set/a#az-network-private-dns-record-set-a-list

+ /auxiliary/models/dbmodel.yaml

+ /auxiliary/models/archive.zip

+ /auxiliary/models/appmodel.yaml

+ /auxiliary/weblogic-deploy/LICENSE.txt

+ /auxiliary/weblogic-deploy/VERSION.txt

+### Ingress with application routing add-on

+The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed, ingress controller for Azure Kubernetes Service (AKS) that provides the following features:

+* Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.

+* Integration with Azure DNS for public and private zone management.

+* SSL termination with certificates stored in Azure Key Vault.

+For more information about the application routing add-on, see [Managed NGINX ingress with the application routing add-on](app-routing.md).

+## Use Host Process Container to access Windows node

+1. Create `hostprocess.yaml` with the following content and replacing `AKSWINDOWSNODENAME` with the AKS Windows node name.

+ ```yaml

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ labels:

+ pod: hpc

+ name: hpc

+ spec:

+ securityContext:

+ windowsOptions:

+ hostProcess: true

+ runAsUserName: "NT AUTHORITY\\SYSTEM"

+ hostNetwork: true

+ containers:

+ - name: hpc

+ image: mcr.microsoft.com/windows/servercore:ltsc2022 # Use servercore:1809 for WS2019

+ command:

+ - powershell.exe

+ - -Command

+ - "Start-Sleep 2147483"

+ imagePullPolicy: IfNotPresent

+ nodeSelector:

+ kubernetes.io/os: windows

+ kubernetes.io/hostname: AKSWINDOWSNODENAME

+ tolerations:

+ - effect: NoSchedule

+ key: node.kubernetes.io/unschedulable

+ operator: Exists

+ - effect: NoSchedule

+ key: node.kubernetes.io/network-unavailable

+ operator: Exists

+ - effect: NoExecute

+ key: node.kubernetes.io/unreachable

+ operator: Exists

+ ```

+2. Run `kubectl apply -f hostprocess.yaml` to deploy the Windows host process container (HPC) in the specified Windows node.

+3. Use `kubectl exec -it [HPC-POD-NAME] -- powershell`.

+4. You can run any PowerShell commands inside the HPC container to access the Windows node.

+> [!Note]

+>

+> You need to switch the root folder to `C:\` inside the HPC container to access the files in the Windows node.

+## Ingress with the application routing addon

+The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed, ingress controller for Azure Kubernetes Service (AKS) that provides the following features:

+* Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.

+* Integration with Azure DNS for public and private zone management.

+* SSL termination with certificates stored in Azure Key Vault.

+For more information about the application routing add-on, see [Managed NGINX ingress with the application routing add-on](app-routing.md).

+For more control over the network traffic to your applications, use the application routing addon for AKS. For more information about the app routing addon, see [Managed NGINX ingress with the application routing add-on](app-routing.md).

+* [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md)

+| Add-on | application-routing | Manages Azure DNS and Azure Key Vault certificates | Key Vault Secrets User role for Key Vault, DNZ Zone Contributor role for DNS zones, Private DNS Zone Contributor role for private DNS zones | No

+ securityContext:

+ windowsOptions:

+ hostProcess: true

+ ...

+ containers:

+ securityContext:

+ windowsOptions:

+ hostProcess: true

+ runAsUserName: "NT AUTHORITY\\SYSTEM"

+ hostNetwork: true

+ image: mcr.microsoft.com/powershell:lts-nanoserver-1809 # or lts-nanoserver-ltsc2022

+ - powershell.exe

+ - -Command

+ - Start-Sleep -Seconds 2147483

+| Retention | 30 days, not configurable. <br>- Days 1-3: hourly backups retained.<br>- Days 4-14: every third hourly backup retained.<br>- Days 15-30: every sixth hourly backup retained. | 0-30 days or indefinite. |

+| Backups over VNet | Not supported. | Supported. |

+1. Select the automatic backup or custom backup to restore by selecting its **Restore** link.

+1. Select **Restore**.

+1. Select **Configure**.

+## Back up and restore over Azure Virtual Network

+- The storage account [allows access from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) that the app is integrated with, or that the v3 App Service environment is created with.

+If you don't see the checkbox, or if the checkbox is disabled, verify that your resources fulfill the requirements.

+Once the configuration is saved, any manual, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations fail.

+After you make one or more backups for your app, the backups are visible on the **Containers** page of your storage account, and your app. In the storage account, each backup consists of a`.zip` file that contains the backup data and an `.xml` file that contains a manifest of the `.zip` file contents. You can unzip and browse these files if you want to access your backups without actually performing an app restore.

+| SSL connection is required. Specify SSL options and retry when trying to connect. | SSL connectivity to Azure Database for MySQL and Azure Database for PostgreSQL isn't supported for database backups. Use the native backup feature in the respective database instead. |

+When [backing up over an Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network), you can't [back up the linked database](#back-up-and-restore-a-linked-database).

+* Backups of [TLS enabled Azure Database for MySQL](../mysql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you get backup failures.

+* Backups of [TLS enabled Azure Database for PostgreSQL](../postgresql/concepts-ssl-connection-security.md) isn't supported. If a backup is configured, you get backup failures.

+* In-app MySQL databases are automatically backed up without any configuration. If you make manual settings for in-app MySQL databases, such as adding connection strings, the backups might not work correctly.

+You can back up to a firewall-protected storage account if it's part of the same virtual network topology as your app. See [Back up and restore over Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network).

+Automatic backups are simple and stored in the same datacenter as the App Service and shouldn't be relied upon as your disaster recovery plan.

+You can't stop automatic backups. The automatic backup is stored on the platform and has no effect on the underlying app instance or its storage.

+For more information about the Application Gateway Standard_v2 features, see [What is Azure Application Gateway v2](overview-v2.md).

+Refer to [Application DDoS protection](../web-application-firewall/shared/application-ddos-protection.md) for guidance on how to use Azure WAF with Application Gateway to protect against DDoS attacks. For more information, see [What is Azure Web Application Firewall](../web-application-firewall/overview.md).

+For an Application Gateway v1-v2 feature comparison, see [What is Azure Application Gateway v2](overview-v2.md#feature-comparison-between-v1-sku-and-v2-sku).

+ - Output is JSON format

+ - Output is text format

+```text

+| Metric Name | Description |

+| ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |

+| - | - | | - |

+| 1.0.0| v1 | v1.26, v1.27, v1.28 | URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) |

+0.6.3 - Hotfix to address handling of AGC frontends during controller restart in managed scenario

+- Minimum supported Kubernetes version: v1.25

+ Title: Application Gateway for Containers API Specification for Kubernetes

+# Application Gateway for Containers API specification for Kubernetes

+why a particular condition type are raised by the Application Gateway for Containers resource.</p>

+are accepted by the controller.</p>

+are accepted by the controller.</p>

+<p>Associations are subnet resource IDs the Application Gateway for Containers resource are associated with.</p>

+<li>&ldquo;Accepted&rdquo;</li>

+<li>&ldquo;Ready&rdquo;</li>

+<p>Associations are subnet resource IDs the Application Gateway for Containers resource are associated with.</p>

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+particular BackendTLSPolicy condition type is raised.</p>

+<tbody><tr><td><p>&#34;Accepted&#34;</p></td>

+</tr><tr><td><p>&#34;InvalidCertificateRef&#34;</p></td>

+<td><p>BackendTLSPolicyReasonInvalidCertificateRef is used when an invalid certificate is referenced</p>

+</td>

+<td><p>BackendTLSPolicyReasonNoTargetReference is used when there&rsquo;s no target reference</p>

+</td>

+</tr><tr><td><p>&#34;OverrideNotSupported&#34;</p></td>

+<td><p>BackendTLSPolicyReasonOverrideNotSupported is used when the override isn&rsquo;t supported</p>

+</tr><tr><td><p>&#34;SectionNamesNotPermitted&#34;</p></td>

+<td><p>BackendTLSPolicyReasonSectionNamesNotPermitted is used when the section names aren&rsquo;t permitted</p>

+</td>

+<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference">

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+<li>&ldquo;Accepted&rdquo;</li>

+<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SecretObjectReference">

+(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.BackendTLSPolicySpec">BackendTLSPolicySpec</a>, <a href="#alb.networking.azure.io/v1.FrontendTLSPolicySpec">FrontendTLSPolicySpec</a>, <a href="#alb.networking.azure.io/v1.HealthCheckPolicySpec">HealthCheckPolicySpec</a>, <a href="#alb.networking.azure.io/v1.RoutePolicySpec">RoutePolicySpec</a>)

+<code>PolicyTargetReference</code><br/>

+<a href="https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.PolicyTargetReference">

+Gateway API .PolicyTargetReference

+<p>

+(Members of <code>PolicyTargetReference</code> are embedded into this type.)

+</p>

+<code>sectionNames</code><br/>

+<p>SectionNames is the name of the section within the target resource. When

+unspecified, this targetRef targets the entire resource. In the following

+resources, SectionNames is interpreted as the following:</p>

+<ul>

+<li>Gateway: Listener Name</li>

+<li>Service: Port Name</li>

+</ul>

+<p>If a SectionNames is specified, but does not exist on the targeted object,

+the Policy will fail to attach, and the policy implementation will record

+a <code>ResolvedRefs</code> or similar Condition in the Policy&rsquo;s status.</p>

+<tr>

+<td>

+<code>override</code><br/>

+<em>

+<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyConfig">

+FrontendTLSPolicyConfig

+</a>

+</em>

+</td>

+<td>

+<em>(Optional)</em>

+<p>Override defines policy configuration that should override policy

+configuration attached below the targeted resource in the hierarchy.</p>

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+</td>

+</tr>

+particular FrontendTLSPolicy condition type is raised.</p>

+<td><p>FrontendTLSPolicyReasonNoTargetReference is used when there&rsquo;s no target reference</p>

+</td>

+</tr><tr><td><p>&#34;OverrideNotSupported&#34;</p></td>

+<td><p>FrontendTLSPolicyReasonOverrideNotSupported is used when the override isn&rsquo;t supported</p>

+</tr><tr><td><p>&#34;SectionNamesNotPermitted&#34;</p></td>

+<td><p>FrontendTLSPolicyReasonSectionNamesNotPermitted is used when the section names aren&rsquo;t permitted</p>

+</td>

+<tr>

+<td>

+<code>override</code><br/>

+<em>

+<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyConfig">

+FrontendTLSPolicyConfig

+</a>

+</em>

+</td>

+<td>

+<em>(Optional)</em>

+<p>Override defines policy configuration that should override policy

+configuration attached below the targeted resource in the hierarchy.</p>

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+</td>

+</tr>

+<li>&ldquo;Accepted&rdquo;</li>

+<h3 id="alb.networking.azure.io/v1.FrontendTLSPolicyTypeName">FrontendTLSPolicyTypeName

+(<code>string</code> alias)</h3>

+<p>

+(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.PolicyType">PolicyType</a>)

+</p>

+<div>

+<p>FrontendTLSPolicyTypeName is the name of the Frontend TLS Policy.</p>

+</div>

+<table>

+<thead>

+<tr>

+<th>Value</th>

+<th>Description</th>

+</tr>

+</thead>

+<tbody><tr><td><p>&#34;2023-06&#34;</p></td>

+<td><p>PredefinedPolicy202306 is the name of the predefined Frontend TLS Policy for the policy &ldquo;2023-06&rdquo;.</p>

+</td>

+</tr><tr><td><p>&#34;2023-06-S&#34;</p></td>

+<td><p>PredefinedPolicy202306Strict is the name of the predefined Frontend TLS Policy for the policy &ldquo;2023-06-S&rdquo;.

+This is a strict version of the policy &ldquo;2023-06&rdquo;.</p>

+</td>

+</tr></tbody>

+</table>

+case-insensitivity of header names, &ldquo;foo&rdquo; and &ldquo;Foo&rdquo; are considered

+<li>&ldquo;Authorization&rdquo;</li>

+<li>&ldquo;Set-Cookie&rdquo;</li>

+<li>&rdquo;:method&rdquo; - &ldquo;:&rdquo; is an invalid character. This means that HTTP/2 pseudo

+headers aren&rsquo;t currently supported by this type.</li>

+<li>&rdquo;/invalid&rdquo; - &ldquo;/ &rdquo; is an invalid character</li>

+<p>Type defines the type of path modifier. More types may be

+<p>Values may be added to this enum, implementations

+must ensure unknown values won&rsquo;t cause a crash.</p>

+to &ldquo;/foo/bar&rdquo; with a prefix match of &ldquo;/foo&rdquo; and a ReplacePrefixMatch

+of &ldquo;/xyz&rdquo; would be modified to &ldquo;/xyz/bar&rdquo;.</p>

+<p>This matches the behavior of the PathPrefix match type. This

+match the prefix <code>/abc</code>, but the path <code>/abcd</code> wouldn&rsquo;t.</p>

+Using any other HTTPRouteMatch type on the same HTTPRouteRule results in

+<td>&nbsp;</td>

+<td>&nbsp;</td>

+<td>&nbsp;</td>

+<td><p>FullPathHTTPPathModifier replaces the full path with the specified value.</p>

+<td><p>PrefixMatchHTTPPathModifier replaces any prefix path with the

+substitution value. For example, a path with a prefix

+match of &ldquo;/foo&rdquo; and a ReplacePrefixMatch substitution of &ldquo;/bar&rdquo;

+replace &ldquo;/foo&rdquo; with &ldquo;/bar&rdquo; in matching requests.</p>

+<p>This matches the behavior of the PathPrefix match type. This

+match the prefix <code>/abc</code>, but the path <code>/abcd</code> wouldn&rsquo;t.</p>

+- name: &ldquo;my-header&rdquo;

+value: &ldquo;bar&rdquo;</p>

+- name: &ldquo;my-header&rdquo;

+value: &ldquo;bar,baz&rdquo;</p>

+value of Remove is a list of HTTP header names. Header names

+are case-insensitive (see

+remove: [&ldquo;my-header1&rdquo;, &ldquo;my-header3&rdquo;]</p>

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+particular HealthCheckPolicy condition type is raised.</p>

+<td><p>HealthCheckPolicyReasonNoTargetReference is used when there&rsquo;s no target reference</p>

+</td>

+</tr><tr><td><p>&#34;OverrideNotSupported&#34;</p></td>

+<td><p>HealthCheckPolicyReasonOverrideNotSupported is used when the override isn&rsquo;t supported</p>

+</tr><tr><td><p>&#34;SectionNamesNotPermitted&#34;</p></td>

+<td><p>HealthCheckPolicyReasonSectionNamesNotPermitted is used when the section names aren&rsquo;t permitted</p>

+</td>

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+<li>&ldquo;Accepted&rdquo;</li>

+<p>Protocol should be one of &ldquo;HTTP&rdquo;, &ldquo;HTTPS&rdquo;</p>

+<p>Errors are a list of errors relating to this setting</p>

+<p>Rules define the rules per host</p>

+particular IngressExtension condition type is raised.</p>

+<td><p>IngressExtensionReasonPartiallyAccepted is used to set the IngressExtensionConditionAccepted to Accepted, but with nonfatal validation errors</p>

+<td><p>IngressExtensionConditionAccepted indicates if the IngressExtension is accepted (reconciled) by the controller</p>

+<p>Rules define the rules per host</p>

+<p>Rules have detailed status information regarding each Rule</p>

+<li>&ldquo;Accepted&rdquo;</li>

+<li>&ldquo;Errors&rdquo;</li>

+<p>Host is used to match against Ingress rules with the same hostname in order to identify which rules affect these settings</p>

+<p>AdditionalHostnames specifies more hostnames to listen on</p>

+<p>Errors are a list of errors relating to this setting</p>

+<a href="#alb.networking.azure.io/v1.FrontendTLSPolicyTypeName">

+FrontendTLSPolicyTypeName

+</a>

+matches the RFC 1123 definition of a hostname with one notable exception that

+numeric IP addresses aren&rsquo;t allowed.</p>

+<p>Per RFC1035 and RFC1123, a <em>label</em> must consist of lower case

+(<em>Appears on:</em><a href="#alb.networking.azure.io/v1.IngressBackendPort">IngressBackendPort</a>)

+<td><p>HTTP implies that the service uses HTTP</p>

+<td><p>HTTPS implies that the service uses HTTPS</p>

+<td><p>TCP implies that the service uses plain TCP</p>

+port associated with the redirect scheme. Specifically &ldquo;http&rdquo; to port 80

+and &ldquo;https&rdquo; to port 443. If the redirect scheme doesn&rsquo;t have a

+<li>A Location header that uses HTTP (whether that is determined via

+<li>A Location header that uses HTTPS (whether that is determined via

+<p>Values may be added to this enum, implementations

+must ensure that unknown values won&rsquo;t cause a crash.</p>

+header from an HTTP request before it&rsquo;s sent to the upstream target.</p>

+header from an HTTP response before it&rsquo;s sent to the client.</p>

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+particular RoutePolicy condition type is raised.</p>

+<td><p>RoutePolicyReasonNoTargetReference is used when there&rsquo;s no target reference</p>

+</td>

+</tr><tr><td><p>&#34;OverrideNotSupported&#34;</p></td>

+<td><p>RoutePolicyReasonOverrideNotSupported is used when the override isn&rsquo;t supported</p>

+</tr><tr><td><p>&#34;SectionNamesNotPermitted&#34;</p></td>

+<td><p>RoutePolicyReasonSectionNamesNotPermitted is used when the section names aren&rsquo;t permitted</p>

+</td>

+<a href="#alb.networking.azure.io/v1.CustomTargetRef">

+CustomTargetRef

+<p>Note: Override is currently not supported and will result in a validation error.

+Support for Override will be added in a future release.</p>

+<li>&ldquo;Accepted&rdquo;</li>

+</table>

+ Title: Application Gateway for Containers components

+# Application Gateway for Containers components

+This article provides detailed descriptions and requirements for components of Application Gateway for Containers. Information about how Application Gateway for Containers accepts incoming requests and routes them to a backend target is provided. For a general overview of Application Gateway for Containers, see [What is Application Gateway for Containers](overview.md).

+- An Application Gateway for Containers resource is an Azure parent resource that deploys the control plane.

+- Application Gateway for Containers has two child resources; associations and frontends.

+ - Child resources are exclusive to only their parent Application Gateway for Containers and may not be referenced by another Application Gateway for Container resource.

+- An Application Gateway for Containers frontend resource is an Azure child resource of the Application Gateway for Containers parent resource.

+- An Application Gateway for Containers frontend defines the entry point client traffic should be received by a given Application Gateway for Containers.

+ - A frontend can't be associated to multiple Application Gateway for Containers

+ - Each frontend provides a unique FQDN that can be referenced by a customer's CNAME record

+ - Private IP addresses are currently unsupported

+- An Application Gateway for Containers association resource is an Azure child resource of the Application Gateway for Containers parent resource.

+ - At this time, the current number of associations is currently limited to 1

+ - A minimum /24 subnet mask for each deployment (assuming no resources have previously been provisioned in the subnet).

+ - If n number of Application Gateway for Containers are provisioned, with the assumption each Application Gateway for Containers contains one association, and the intent is to share the same subnet, the available required addresses should be n*256.

+ - All Application Gateway for Containers association resources should match the same region as the Application Gateway for Containers parent resource

+ - alb-controller pod is responsible for orchestrating customer intent to Application Gateway for Containers load balancing configuration

+ - alb-controller-bootstrap pod is responsible for management of CRDs

+Application Gateway for Containers inserts three extra headers to all requests before requests are initiated from Application Gateway for Containers to a backend target:

+**x-forwarded-for** is the original requestor's client IP address. If the request is coming through a proxy, the header value appends the address received, comma delimited. In example: 1.2.3.4,5.6.7.8; where 1.2.3.4 is the client IP address to the proxy in front of Application Gateway for Containers, and 5.6.7.8 is the address of the proxy forwarding traffic to Application Gateway for Containers.

+## Request timeouts

+Application Gateway for Containers enforces the following timeouts as requests are initiated and maintained between the client, AGC, and backend.

+| Timeout | Duration | Description |

+| - | | -- |

+| Request Timeout | 60 seconds | time for which AGC waits for the backend target response. |

+| HTTP Idle Timeout | 5 minutes | idle timeout before closing an HTTP connection. |

+| Stream Idle Timeout | 5 minutes | idle timeout before closing an individual stream carried by an HTTP connection. |

+| Upstream Connect Timeout | 5 seconds | time for establishing a connection to the backend target. |

+6. Select **Add filter**. **Property** is set to **Frontend**. Choose the **=** (equals) **Operator**.

+7. Enter values to use for filtering under **Values**.

+ For example:

+ - **frontend-primary:80**

+ - **ingress-frontend:443**

+ - **ingress-frontend:80**

+8. Select the values you want to actively filter from the entries you create.

+- [Using Azure Log Analytics in Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-overview)

+- [Configure Azure Log Analytics for Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-configure)

+- [Visualize Azure AI Search Logs and Metrics with Power BI](/azure/search/search-monitor-logs-powerbi)

+[](./media/custom-health-probe/custom-health-probe.png#lightbox)

+ Title: Diagnostic logs for Application Gateway for Containers

+# Diagnostic logs for Application Gateway for Containers

+ 5. Enter a **Diagnostic setting name** (ex: agfc-logs), choose the logs and metrics to save and choose a destination, such as **Archive to a storage account**. To save all logs, select **allLogs** and **AllMetrics**.

+ Title: Backend MTLS with Application Gateway for Containers - Gateway API

+# Backend MTLS with Application Gateway for Containers - Gateway API

+[](./media/how-to-backend-mtls-gateway-api/backend-mtls.png#lightbox)

+ Apply the following deployment.yaml file on your cluster to create a sample web application and deploy sample secrets to demonstrate backend mutual authentication (mTLS).

+ ```bash

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/end-to-end-ssl-with-backend-mtls/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+

+ - a namespace called `test-infra`

+ - one service called `mtls-app` in the `test-infra` namespace

+ - one deployment called `mtls-app` in the `test-infra` namespace

+ - one config map called `mtls-app-nginx-cm` in the `test-infra` namespace

+ - four secrets called `backend.com`, `frontend.com`, `gateway-client-cert`, and `ca.bundle` in the `test-infra` namespace

+Once the gateway has been created, create an HTTPRoute resource.

+# Header rewrite for Azure Application Gateway for Containers - Gateway API

+[](./media/how-to-header-rewrite-gateway-api/header-rewrite.png#lightbox)

+ Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite.

+ ```bash

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

+ - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

+Congratulations, you have installed ALB Controller, deployed a backend application and modified header values via Gateway API on Application Gateway for Containers.

+# Header rewrite for Azure Application Gateway for Containers - Ingress API

+[](./media/how-to-header-rewrite-ingress-api/header-rewrite.png#lightbox)

+ Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate the header rewrite.

+ ```bash

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

+ - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

+In this example, we set a static user-agent with a value of `rewritten-user-agent`.

+ Title: Multiple site hosting with Application Gateway for Containers - Gateway API

+# Multiple site hosting with Application Gateway for Containers - Gateway API

+ - type: Hostname

+ Title: Multi-site hosting with Application Gateway for Containers - Ingress API

+# Multi-site hosting with Application Gateway for Containers - Ingress API

+ Title: Path, header, and query string routing with Application Gateway for Containers - Gateway API

+# Path, header, and query string routing with Application Gateway for Containers - Gateway API

+ Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing.

+ ```bash

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

+ - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

+ - type: Hostname

+Congratulations, you have installed ALB Controller, deployed a backend application and routed traffic to the application via Gateway API on Application Gateway for Containers.

+ Title: SSL offloading with Application Gateway for Containers - Gateway API

+# SSL offloading with Application Gateway for Containers - Gateway API

+ - type: Hostname

+Once the gateway is created, create an HTTPRoute resource.

+ Title: SSL offloading with Application Gateway for Containers - Ingress API

+# SSL offloading with Application Gateway for Containers - Ingress API

+2. Create an Ingress resource.

+ Title: Traffic Splitting with Application Gateway for Containers - Gateway API

+# Traffic splitting with Application Gateway for Containers - Gateway API

+ - type: Hostname

+ Title: URL Redirect for Azure Application Gateway for Containers - Gateway API

+description: Learn how to redirect URLs in Gateway API for Application Gateway for Containers.

+# URL Redirect for Azure Application Gateway for Containers - Gateway API

+Application Gateway for Containers allows you to return a redirect response to the client based three aspects of a URL: protocol, hostname, and path. For each redirect, a defined HTTP status code may be returned to the client to define the nature of the redirect.

+## Usage details

+URL redirects take advantage of the [RequestRedirect rule filter](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.HTTPRequestRedirectFilter) as defined by Kubernetes Gateway API.

+## Redirection

+A redirect sets the response status code returned to clients to understand the purpose of the redirect. The following types of redirection are supported:

+- 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource uses one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection.

+- 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests.

+## Redirection capabilities

+- Protocol redirection is commonly used to tell the client to move from an unencrypted traffic scheme to traffic, such as HTTP to HTTPS redirection.

+- Hostname redirection matches the fully qualified domain name (fqdn) of the request. This is commonly observed in redirecting an old domain name to a new domain name; such as `contoso.com` to `fabrikam.com`.

+- Path redirection has two different variants: `prefix` and `full`.

+ - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well.

+ - `Full` redirection type matches an exact value. For example, /shop could redirect to /store, but /shop/checkout wouldn't redirect to /store.

+The following figure illustrates an example of a request destined for _contoso.com/summer-promotion_ being redirected to _contoso.com/shop/category/5_. In addition, a second request initiated to contoso.com via http protocol is returned a redirect to initiate a new connection to its https variant.

+[](./media/how-to-url-redirect-gateway-api/url-redirect.png#lightbox)

+## Prerequisites

+1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

+2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

+3. Deploy sample HTTP application

+ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities.

+

+ ```bash

+ kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - one service called `echo` in the `test-infra` namespace

+ - one deployment called `echo` in the `test-infra` namespace

+ - one secret called `listener-tls-secret` in the `test-infra` namespace

+## Deploy the required Gateway API resources

+# [ALB managed deployment](#tab/alb-managed)

+1. Create a Gateway

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: gateway.networking.k8s.io/v1beta1

+ kind: Gateway

+ metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+ spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+ - name: https-listener

+ port: 443

+ protocol: HTTPS

+ allowedRoutes:

+ namespaces:

+ from: Same

+ tls:

+ mode: Terminate

+ certificateRefs:

+ - kind : Secret

+ group: ""

+ name: listener-tls-secret

+ EOF

+ ```

+# [Bring your own (BYO) deployment](#tab/byo)

+1. Set the following environment variables

+ ```bash

+ RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

+ RESOURCE_NAME='alb-test'

+ RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

+ FRONTEND_NAME='frontend'

+ ```

+2. Create a Gateway

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: gateway.networking.k8s.io/v1beta1

+ kind: Gateway

+ metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+ spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+ - name: https-listener

+ port: 443

+ protocol: HTTPS

+ allowedRoutes:

+ namespaces:

+ from: Same

+ tls:

+ mode: Terminate

+ certificateRefs:

+ - kind : Secret

+ group: ""

+ name: listener-tls-secret

+ addresses:

+ - type: alb.networking.azure.io/alb-frontend

+ value: $FRONTEND_NAME

+ EOF

+ ```

+Once the gateway resource is created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.

+```bash

+kubectl get gateway gateway-01 -n test-infra -o yaml

+```

+Example output of successful gateway creation.

+```yaml

+status:

+ addresses:

+ - type: Hostname

+ value: xxxx.yyyy.alb.azure.com

+ conditions:

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Valid Gateway

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ listeners:

+ - attachedRoutes: 0

+ conditions:

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Listener is accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ name: https-listener

+ supportedKinds:

+ - group: gateway.networking.k8s.io

+ kind: HTTPRoute

+```

+Create an HTTPRoute resource for `contoso.com` that handles traffic received via https.

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: HTTPRoute

+metadata:

+ name: https-contoso

+ namespace: test-infra

+spec:

+ parentRefs:

+ - name: gateway-01

+ sectionName: https-listener

+ hostnames:

+ - "contoso.com"

+ rules:

+ - backendRefs:

+ - name: echo

+ port: 80

+EOF

+```

+When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_.

+```bash

+kubectl get httproute rewrite-example -n test-infra -o yaml

+```

+Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute.

+```yaml

+status:

+ parents:

+ - conditions:

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Route is Accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ controllerName: alb.networking.azure.io/alb-controller

+ parentRef:

+ group: gateway.networking.k8s.io

+ kind: Gateway

+ name: gateway-01

+ namespace: test-infra

+ ```

+Once the gateway is created, create an HTTPRoute resource for `contoso.com` with a RequestRedirect filter that redirects http traffic to https.

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: HTTPRoute

+metadata:

+ name: http-to-https-contoso-redirect

+ namespace: test-infra

+spec:

+ parentRefs:

+ - name: gateway-01

+ sectionName: http-listener

+ hostnames:

+ - "contoso.com"

+ rules:

+ - matches:

+ filters:

+ - type: RequestRedirect

+ requestRedirect:

+ scheme: https

+ statusCode: 301

+EOF

+```

+When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_.

+```bash

+kubectl get httproute rewrite-example -n test-infra -o yaml

+```

+Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute.

+```yaml

+status:

+ parents:

+ - conditions:

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Route is Accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ controllerName: alb.networking.azure.io/alb-controller

+ parentRef:

+ group: gateway.networking.k8s.io

+ kind: Gateway

+ name: gateway-01

+ namespace: test-infra

+ ```

+Create an HTTPRoute resource for `contoso.com` that handles a redirect for the path /summer-promotion to a specific URL. By eliminating sectionName, demonstrated in the http to https HTTPRoute resources, this redirect rule applies to both HTTP and HTTPS requests.

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: HTTPRoute

+metadata:

+ name: summer-promotion-redirect

+ namespace: test-infra

+spec:

+ parentRefs:

+ - name: gateway-01

+ sectionName: https-listener

+ hostnames:

+ - "contoso.com"

+ rules:

+ - matches:

+ - path:

+ type: PathPrefix

+ value: /summer-promotion

+ filters:

+ - type: RequestRedirect

+ requestRedirect:

+ path:

+ type: ReplaceFullPath

+ replaceFullPath: /shop/category/5

+ statusCode: 302

+ - backendRefs:

+ - name: echo

+ port: 80

+EOF

+```

+When the HTTPRoute resource is created, ensure the HTTPRoute resource shows _Accepted_ and the Application Gateway for Containers resource is _Programmed_.

+```bash

+kubectl get httproute rewrite-example -n test-infra -o yaml

+```

+Verify the Application Gateway for Containers resource is successfully updated for each HTTPRoute.

+```yaml

+status:

+ parents:

+ - conditions:

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Route is Accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ controllerName: alb.networking.azure.io/alb-controller

+ parentRef:

+ group: gateway.networking.k8s.io

+ kind: Gateway

+ name: gateway-01

+ namespace: test-infra

+ ```

+## Test access to the application

+Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN.

+```bash

+fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}')

+```

+When you specify the server name indicator using the curl command, `http://contoso.com` should return a response from the Application Gateway for Containers with a `location` header defining a 301 redirect to `https://contoso.com`.

+```bash

+fqdnIp=$(dig +short $fqdn)

+curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/ -v

+```

+Via the response we should see:

+```text

+* Added contoso.com:80:xxx.xxx.xxx.xxx to DNS cache

+* Hostname contoso.com was found in DNS cache

+* Trying xxx.xxx.xxx.xxx:80...

+* Connected to contoso.com (xxx.xxx.xxx.xxx) port 80 (#0)

+> GET / HTTP/1.1

+> Host: contoso.com

+> User-Agent: curl/7.81.0

+> Accept: */*

+>

+* Mark bundle as not supporting multiuse

+< HTTP/1.1 301 Moved Permanently

+< location: https://contoso.com/

+< date: Mon, 26 Feb 2024 22:56:23 GMT

+< server: Microsoft-Azure-Application-LB/AGC

+< content-length: 0

+<

+* Connection #0 to host contoso.com left intact

+```

+When you specify the server name indicator using the curl command, `https://contoso.com/summer-promotion` Application Gateway for Containers should return a 302 redirect to `https://contoso.com/shop/category/5`.

+```bash

+fqdnIp=$(dig +short $fqdn)

+curl -k --resolve contoso.com:443:$fqdnIp https://contoso.com/summer-promotion -v

+```

+Via the response we should see:

+```text

+> GET /summer-promotion HTTP/2

+> Host: contoso.com

+> user-agent: curl/7.81.0

+> accept: */*

+>

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

+* old SSL session ID is stale, removing

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+* TLSv1.2 (OUT), TLS header, Supplemental data (23):

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+< HTTP/2 302

+< location: https://contoso.com/shop/category/5

+< date: Mon, 26 Feb 2024 22:58:43 GMT

+< server: Microsoft-Azure-Application-LB/AGC

+<

+* Connection #0 to host contoso.com left intact

+```

+Congratulations, you have installed ALB Controller, deployed a backend application, and used Gateway API to configure both an HTTP to HTTPS redirect and path based redirection to specific client requests.

+ Title: URL Redirect for Azure Application Gateway for Containers - Ingress API

+description: Learn how to redirect URLs in Ingress API for Application Gateway for Containers.

+# URL Redirect for Azure Application Gateway for Containers - Ingress API

+Application Gateway for Containers allows you to return a redirect response to the client based three aspects of a URL: protocol, hostname, and path. For each redirect, a defined HTTP status code may be returned to the client to define the nature of the redirect.

+## Usage details

+URL redirects take advantage of the [RequestRedirect rule filter](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.HTTPRequestRedirectFilter) as defined by Kubernetes Gateway API.

+## Redirection

+A redirect sets the response status code returned to clients to understand the purpose of the redirect. The following types of redirection are supported:

+- 301 (Moved permanently): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource use one of the enclosed URIs. Use 301 status code for HTTP to HTTPS redirection.

+- 302 (Found): Indicates that the target resource is temporarily under a different URI. Since the redirection can change on occasion, the client should continue to use the effective request URI for future requests.

+## Redirection capabilities

+- Protocol redirection is commonly used to tell the client to move from an unencrypted traffic scheme to traffic, such as HTTP to HTTPS redirection.

+- Hostname redirection matches the fully qualified domain name (fqdn) of the request. This is commonly observed in redirecting an old domain name to a new domain name; such as `contoso.com` to `fabrikam.com`.

+- Path redirection has two different variants: `prefix` and `full`.

+ - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well.

+ - `Full` redirection type matches an exact value. For example, /shop could redirect to /store, but /shop/checkout wouldn't redirect to /store.

+The following figure illustrates an example of a request destined for _contoso.com/summer-promotion_ being redirected to _contoso.com/shop/category/5_. In addition, a second request initiated to contoso.com via http protocol is returned a redirect to initiate a new connection to its https variant.

+[  ](./media/how-to-url-redirect-ingress-api/url-redirect.png#lightbox)

+## Prerequisites

+1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

+2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

+3. Deploy sample HTTP application

+ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities.

+

+ ```bash

+ kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - one service called `echo` in the `test-infra` namespace

+ - one deployment called `echo` in the `test-infra` namespace

+ - one secret called `listener-tls-secret` in the `test-infra` namespace

+## Deploy the required IngressExtension resources

+1. Create an IngressExtension resource to handle HTTP to HTTPS redirect for `contoso.com`

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: alb.networking.azure.io/v1

+ kind: IngressExtension

+ metadata:

+ name: http-to-https

+ namespace: test-infra

+ spec:

+ rules:

+ - host: contoso.com

+ requestRedirect:

+ statusCode: 301

+ scheme: https

+ EOF

+ ```

+2. Create an IngressExtension resource to handle a path based redirect from `contoso.com/summer-promotion` to `contoso.com/shop/category/5`.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: alb.networking.azure.io/v1

+ kind: IngressExtension

+ metadata:

+ name: summer-promotion-redirect

+ namespace: test-infra

+ spec:

+ rules:

+ - host: contoso.com

+ requestRedirect:

+ statusCode: 302

+ path:

+ type: ReplaceFullPath

+ replaceFullPath: /shop/category/5

+ EOF

+ ```

+## Deploy the required Ingress resources

+# [ALB managed deployment](#tab/alb-managed)

+1. Create the first Ingress resource to listen for HTTPS requests.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-https

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+ alb.networking.azure.io/alb-frontend: ingress-fe

+ spec:

+ ingressClassName: azure-alb-external

+ tls:

+ - hosts:

+ - contoso.com

+ secretName: listener-tls-secret

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: echo

+ port:

+ number: 80

+ EOF

+ ```

+2. Create the second Ingress resource to listen on port 80 and redirect to HTTPS.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-http

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+ alb.networking.azure.io/alb-frontend: ingress-fe

+ alb.networking.azure.io/alb-ingress-extension: http-to-https

+ spec:

+ ingressClassName: azure-alb-external

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: echo

+ port:

+ number: 80

+ EOF

+ ```

+3. Create a third Ingress resource to listen on port 80 and 443 for `contoso.com/summer-promotion` and redirect to `contoso.com/shop/category/5`.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-summer-promotion-redirect

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+ alb.networking.azure.io/alb-frontend: ingress-fe

+ alb.networking.azure.io/alb-ingress-extension: summer-promotion-redirect

+ spec:

+ ingressClassName: azure-alb-external

+ tls:

+ - hosts:

+ - contoso.com

+ secretName: listener-tls-secret

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /summer-promotion

+ pathType: Prefix

+ backend:

+ service:

+ name: ignored-for-redirect

+ port:

+ number: 80

+ EOF

+ ```

+# [Bring your own (BYO) deployment](#tab/byo)

+1. Set the following environment variables

+ ```bash

+ RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

+ RESOURCE_NAME='alb-test'

+ RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

+ FRONTEND_NAME='frontend'

+ ```

+2. Create the first Ingress resource to listen for HTTPS requests.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-https

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+ alb.networking.azure.io/alb-frontend: $FRONTEND_NAME

+ spec:

+ ingressClassName: azure-alb-external

+ tls:

+ - hosts:

+ - contoso.com

+ secretName: listener-tls-secret

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: echo

+ port:

+ number: 80

+ EOF

+ ```

+3. Create the second Ingress resource to listen on port 80 and redirect to HTTPS.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-http

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+ alb.networking.azure.io/alb-frontend: $FRONTEND_NAME

+ alb.networking.azure.io/alb-ingress-extension: http-to-https

+ spec:

+ ingressClassName: azure-alb-external

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: echo

+ port:

+ number: 80

+ EOF

+ ```

+4. Create a third Ingress resource to listen on port 80 and 443 for `contoso.com/summer-promotion` and redirect to `contoso.com/shop/category/5`.

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: ingress-summer-promotion-redirect

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+ alb.networking.azure.io/alb-frontend: $FRONTEND_NAME

+ alb.networking.azure.io/alb-ingress-extension: summer-promotion-redirect

+ spec:

+ ingressClassName: azure-alb-external

+ tls:

+ - hosts:

+ - contoso.com

+ secretName: listener-tls-secret

+ rules:

+ - host: contoso.com

+ http:

+ paths:

+ - path: /summer-promotion

+ pathType: Prefix

+ backend:

+ service:

+ name: ignored-for-redirect

+ port:

+ number: 80

+ EOF

+ ```

+For each Ingress resource, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the ingress resource. For all three Ingress resources, you should see the same hostname in this example.

+```bash

+kubectl get ingress ingress-https -n test-infra -o yaml

+```

+Example output of successful Ingress creation.

+```yaml

+status:

+ loadBalancer:

+ ingress:

+ - hostname: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.fzyy.alb.azure.com

+ ports:

+ - port: 443

+ protocol: TCP

+```

+## Test access to the application

+Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN.

+```bash

+fqdn=$(kubectl get ingress ingress-http -n test-infra -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

+```

+When you specify the server name indicator using the curl command, `http://contoso.com` should return a response from the Application Gateway for Containers with a `location` header defining a 301 redirect to `https://contoso.com`.

+```bash

+fqdnIp=$(dig +short $fqdn)

+curl -k --resolve contoso.com:80:$fqdnIp http://contoso.com/ -v

+```

+Via the response we should see:

+```text

+* Added contoso.com:80:xxx.xxx.xxx.xxx to DNS cache

+* Hostname contoso.com was found in DNS cache

+* Trying xxx.xxx.xxx.xxx:80...

+* Connected to contoso.com (xxx.xxx.xxx.xxx) port 80 (#0)

+> GET / HTTP/1.1

+> Host: contoso.com

+> User-Agent: curl/7.81.0

+> Accept: */*

+>

+* Mark bundle as not supporting multiuse

+< HTTP/1.1 301 Moved Permanently

+< location: https://contoso.com/

+< date: Mon, 26 Feb 2024 22:56:23 GMT

+< server: Microsoft-Azure-Application-LB/AGC

+< content-length: 0

+<

+* Connection #0 to host contoso.com left intact

+```

+When you specify the server name indicator using the curl command, `https://contoso.com/summer-promotion` Application Gateway for Containers should return a 302 redirect to `https://contoso.com/shop/category/5`.

+```bash

+fqdnIp=$(dig +short $fqdn)

+curl -k --resolve contoso.com:443:$fqdnIp https://contoso.com/summer-promotion -v

+```

+Via the response we should see:

+```text

+> GET /summer-promotion HTTP/2

+> Host: contoso.com

+> user-agent: curl/7.81.0

+> accept: */*

+>

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):

+* old SSL session ID is stale, removing

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+* TLSv1.2 (OUT), TLS header, Supplemental data (23):

+* TLSv1.2 (IN), TLS header, Supplemental data (23):

+< HTTP/2 302

+< location: https://contoso.com/shop/category/5

+< date: Mon, 26 Feb 2024 22:58:43 GMT

+< server: Microsoft-Azure-Application-LB/AGC

+<

+* Connection #0 to host contoso.com left intact

+```

+Congratulations, you have installed ALB Controller, deployed a backend application, and used Ingress API to configure both an HTTP to HTTPs redirect and path based redirection to specific client requests.

+# URL Rewrite for Azure Application Gateway for Containers - Gateway API

+ Apply the following deployment.yaml file on your cluster to deploy a sample TLS certificate to demonstrate redirect capabilities.

+ ```bash

+ kubectl apply -f kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml

+ ```

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - one service called `echo` in the `test-infra` namespace

+ - one deployment called `echo` in the `test-infra` namespace

+ - one secret called `listener-tls-secret` in the `test-infra` namespace

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: gateway.networking.k8s.io/v1beta1

+ kind: Gateway

+ metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+ spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+ EOF

+ ```

+ ```bash

+ RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

+ RESOURCE_NAME='alb-test'

+ RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

+ FRONTEND_NAME='frontend'

+ ```

+ ```bash

+ kubectl apply -f - <<EOF

+ apiVersion: gateway.networking.k8s.io/v1beta1

+ kind: Gateway

+ metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+ spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+ addresses:

+ - type: alb.networking.azure.io/alb-frontend

+ value: $FRONTEND_NAME

+ EOF

+ ```

+ - type: Hostname

+# URL Rewrite for Azure Application Gateway for Containers - Ingress API

+ Title: What is Application Gateway for Containers?

+# What is Application Gateway for Containers?

+Application Gateway for Containers is a new application (layer 7) [load balancing](/azure/architecture/guide/technology-choices/load-balancing-overview) and dynamic traffic management product for workloads running in a Kubernetes cluster. It extends Azure's Application Load Balancing portfolio and is a new offering under the Application Gateway product family.

+Application Gateway for Containers is the evolution of the [Application Gateway Ingress Controller](../ingress-controller-overview.md) (AGIC), a [Kubernetes](/azure/aks) application that enables Azure Kubernetes Service (AKS) customers to use Azure's native Application Gateway application load-balancer. In its current form, AGIC monitors a subset of Kubernetes Resources for changes and applies them to the Application Gateway, utilizing Azure Resource Manager (ARM).

+- Traffic splitting / Weighted round robin

+Application Gateway for Containers offers an elastic and scalable ingress to AKS clusters and comprises a new data plane as well as control plane with [new set of ARM APIs](#implementation-of-gateway-api), different from existing Application Gateway. These APIs are different from the current implementation of Application Gateway. Application Gateway for Containers is outside the AKS cluster data plane and is responsible for ingress. The service is managed by an ALB controller component that runs inside the AKS cluster and adheres to Kubernetes Gateway APIs.

+- Mutual authentication (mTLS) to backend target

+- Traffic splitting / weighted round robin

+- TLS policies

+- URL redirect

+ - **In Gateway API:** Every time you wish to create a new Gateway resource in Kubernetes, a Frontend resource should be provisioned in Azure prior and referenced by the Gateway resource. Deletion of the Frontend resource is responsible by the Azure administrator and isn't deleted when the Gateway resource in Kubernetes is deleted.

+- Canada Central

+- Central India

+- France Central

+- Germany West Central

+- Korea Central

+- Norway East

+- Switzerland North

+- UAE North

+ALB Controller implements version [v1](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1) of the [Gateway API](https://gateway-api.sigs.k8s.io/)

+ Title: 'Quickstart: Create Application Gateway for Containers - bring your own deployment'

+# Quickstart: Create Application Gateway for Containers - bring your own deployment

+This guide assumes you're following the **bring your own** [deployment strategy](overview.md#deployment-strategies), where ALB Controller references the Application Gateway for Containers resources precreated in Azure. It's assumed that resource lifecycles are managed in Azure, independent from what is defined within Kubernetes.

+Ensure you have first deployed ALB Controller into your Kubernetes cluster. You may follow the [Quickstart: Deploy Application Gateway for Containers ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) guide if you haven't already deployed the ALB Controller.

+To create an association resource, you first need to reference a subnet for Application Gateway for Containers to establish connectivity to. Ensure the subnet for an Application Gateway for Containers association is at least a class C or larger (/24 or smaller CIDR prefix). For this step, you may either reuse an existing subnet and enable subnet delegation on it or create a new VNET, subnet, and enable subnet delegation.

+VNET_ADDRESS_PREFIX='<address space of the vnet that will contain various subnets. The vnet must be able to handle at least 250 available addresses (/24 or smaller cidr prefix for the subnet)>'

+Enable subnet delegation for the Application Gateway for Containers service. The delegation for Application Gateway for Containers is identified by the _Microsoft.ServiceNetworking/trafficControllers_ resource type.

+ALB Controller needs the ability to provision new Application Gateway for Containers resources and join the subnet intended for the Application Gateway for Containers association resource.

+In this example, we delegate the _AppGW for Containers Configuration Manager_ role to the resource group and delegate the _Network Contributor_ role to the subnet used by the Application Gateway for Containers association subnet, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission.

+If desired, you can [create and assign a custom role](../../role-based-access-control/custom-roles-portal.md) with the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission to eliminate other permissions contained in the _Network Contributor_ role. Learn more about [managing subnet permissions](../../virtual-network/virtual-network-manage-subnet.md#permissions).

+Execute the following command to create the association resource and connect it to the referenced subnet. It can take 5-6 minutes for the Application Gateway for Containers association to be created.

+ Title: 'Quickstart: Create Application Gateway for Containers managed by ALB Controller'

+# Quickstart: Create Application Gateway for Containers managed by ALB Controller

+If you don't have a subnet available with at least 250 available IP addresses and delegated to the Application Gateway for Containers resource, use the following steps to create a new subnet and enable subnet delegation. The new subnet address space can't overlap any existing subnets in the VNet.

+ Title: 'Quickstart: Deploy Application Gateway for Containers ALB Controller'

+# Quickstart: Deploy Application Gateway for Containers ALB Controller

+ > AKS cluster should have the workload identity feature enabled. [Learn how](../../aks/workload-identity-deploy-cluster.md#update-an-existing-aks-cluster) to enable workload identity on an existing AKS cluster.

+ LOCATION='northeurope'

+ You can also use the following steps to install Helm on a local device running Windows or Linux. Ensure that you have the latest version of helm installed.

+ --version 1.0.0 \

+ --version 1.0.0 \

+## Next Steps

+Now that you have successfully installed an ALB Controller on your cluster, you can provision the Application Gateway For Containers resources in Azure.

+1. A client initiates a request to an Application Gateway for Containers' (AGC) frontend.

+| TLS_AES_128_GCM_SHA256 | &check; | &check; |

+| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | &check; | &cross; |

+ Title: Troubleshoot Application Gateway for Containers

+# Troubleshooting in Application Gateway for Containers

+| alb-controller | 2/2 | 2 | 2 | 18d | alb-controller | mcr.microsoft.com/application-lb/images/alb-controller:**1.0.0** | app=alb-controller |

+| alb-controller-bootstrap | 1/1 | 1 | 1 | 18d | alb-controller-bootstrap | mcr.microsoft.com/application-lb/images/alb-controller-bootstrap:**1.0.0** | app=alb-controller-bootstrap |

+In this example, the ALB controller version is **1.0.0**.

+1. **Invalid backend Entries** : A backend is defined as invalid in the following scenarios:

+### Application Load Balancer custom resource doesn't reflect Ready status

+#### Symptoms

+ApplicationLoadBalancer custom resource status message continually says "Application Gateway for Containers resource `agc-name` is undergoing an update."

+The following logs are repeated by the primary alb-controller pod.

+```text

+{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:53.760150719Z","message":"Stream opened for config updates"}

+{"level":"info","version":"x.x.x","operationID":"1ea7ffd4-b2c4-460b-bce7-4d3f855ce8d5","Timestamp":"2024-02-26T20:31:53.760313623Z","message":"Successfully sent config update request"}

+{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:53.769444995Z","message":"Unable to capture config update response"}

+{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:53.769504489Z","message":"Retrying to open config update stream"}

+{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:54.461487406Z","message":"Stream opened up for endpoint updates"}

+{"level":"info","version":"x.x.x","operationID":"808825c2-b0a8-476b-b83a-8e7357c55750","Timestamp":"2024-02-26T20:31:54.462070039Z","message":"Successfully sent endpoint update request"}

+{"level":"error","version":"x.x.x","error":"rpc error: code = PermissionDenied desc = ALB Controller with object id '5b26a949-297d-40c7-b10f-5d1cf2e3259d' does not have authorization to perform action on Application Gateway for Containers resource.Please check RBAC delegations to the Application Gateway for Containers resource.","Timestamp":"2024-02-26T20:31:54.470728646Z","message":"Unable to capture endpoint update response"}

+{"level":"info","version":"x.x.x","Timestamp":"2024-02-26T20:31:54.47077373Z","message":"Retrying to open up endpoint update stream"}

+```

+The following error message is returned on the Kubernetes Gateway resource and no changes are reflected for any HttpRoute resources.

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+> Also see [What is Application Gateway for Containers](for-containers/overview.md).

+- **Azure Kubernetes Service Ingress Controller**: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see [What is Application Gateway Ingress Controller](ingress-controller-overview.md).

+- Learn about Azure Private Link: [What is Azure Private Link](../private-link/private-link-overview.md).

+Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint is placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate to the gateway. For a list of other PaaS services that support Private Link functionality, see [What is Azure Private Link](../private-link/private-link-overview.md).

+- [Configure Azure Application Gateway Private Link](private-link-configure.md).

+- [What is Azure Private Link](../private-link/private-link-overview.md).

+To learn more about AGIC, see [What is Application Gateway Ingress Controller](ingress-controller-overview.md) and [Disable and re-enable AGIC add-on for your AKS cluster](ingress-controller-disable-addon.md).

+> Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection](../ddos-protection/ddos-protection-overview.md).

+## Install Microsoft Graph PowerShell

+Use of Office 365 within Azure Automation requires the Microsoft Graph PowerShell module.

+```powershell

+Install-Module Microsoft.Graph -Scope CurrentUser

+```

+>To use Microsoft Graph PowerShell, you must be a member of Microsoft Entra ID. Guest users can't use the module.

+>To use the Microsoft Graph PowerShell module cmdlets, you must run them from Windows PowerShell. PowerShell Core does not support these cmdlets.

+You can connect to Microsoft Entra ID from the Office 365 subscription. The connection uses an Office 365 user name and password or uses multi-factor authentication (MFA). You can connect using the Azure portal or a Windows PowerShell command prompt (does not have to be elevated).

+A PowerShell example is shown below. For more information, see [Connect-MgGraph](/powershell/module/microsoft.graph.authentication/connect-mggraph).

+Connect-MgGraph -Scopes "Directory.Read.All"

+If you don't receive any errors, you've connected successfully. A quick test is to run an Office 365 cmdlet, for example, [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser), and see the results.

+You access Office 365 functionality from a PowerShell script.

+Connect-MgGraph -Scopes "Directory.Read.All"

+$O365Licenses = Get-MgSubscribedSku | Out-String

+A script running on a Windows Hybrid Runbook Worker can't connect as expected to Microsoft 365 on an Orchestrator sandbox. The script is using [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands#using-connect-mggraph) for connection.

+You can resolve the issue for the Orchestrator sandbox by migrating your script to use the Microsoft Entra modules instead of the PowerShell cmdlets. For more information, see [Migrating from Orchestrator to Azure Automation (Beta)](../automation-orchestrator-migration.md).

+ΓÇïIf you want to continue to use the module cmdlets, change your script to use [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command). Specify values for the `ComputerName` and `Credential` parameters.

+{ Connect-MgGraph … }​

+| [Work with key-values](./scripts/cli-work-with-keys.md) | Creates, views, updates, and deletes key-values. |

+| [Import key-values](./scripts/cli-import.md) | Imports key-values from other sources. |

+| [Export key-values](./scripts/cli-export.md) | Exports key-values to other targets. |

+## Enable customer-managed key encryption for your App Configuration store

+1. [Create an App Configuration store](./quickstart-azure-app-configuration-create.md) if you don't have one.

+[The feature flags in an ASP.NET Core app](./use-feature-flags-dotnet-core.md) shows how the App Configuration .NET provider and Feature Management libraries are used together to implement feature flags for your ASP.NET web application. For more information on feature flags in Azure App Configuration, see the following articles:

+4. Click outside of the date and time fields or press **Tab** to validate your choice. You can now see which key-values have changed between your selected date and time and the current time. This step helps you understand what keys and values you're preparing to revert to.

+1. To build the app by using the .NET CLI, run the following command in the command shell:

+ Title: "Tutorial: Use dynamic configuration using push refresh in a .NET app"

+description: In this tutorial, you learn how to dynamically update the configuration data for .NET apps using push refresh

+# Tutorial: Use dynamic configuration using push refresh in a .NET app

+The App Configuration .NET client library supports updating configuration on demand without causing an application to restart. An application can be configured to detect changes in App Configuration using one or both of the following two approaches.

+This tutorial shows how you can implement dynamic configuration updates in your code using push refresh. It builds on the app introduced in the tutorial. Before you continue, finish Tutorial: [Use dynamic configuration in a .NET app](./enable-dynamic-configuration-dotnet-core.md) first.

+> * Set up your .NET app to update its configuration in response to changes in App Configuration.

+* Tutorial: [Use dynamic configuration in a .NET app](./enable-dynamic-configuration-dotnet-core.md)

+The `ProcessPushNotification` method takes in a `PushNotification` object containing information about which change in App Configuration triggered the push notification. This helps ensure all configuration changes up to the triggering event are loaded in the following configuration refresh. The `SetDirty` method does not guarantee the change that triggers the push notification to be loaded in an immediate configuration refresh. If you are using the `SetDirty` method for the push model, we recommend using the `ProcessPushNotification` method instead.

+In this tutorial, you enabled your .NET app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.

+Open *Program.cs* and update the file with the following code.

+*Labels* are an attribute on keys. They're used to create variants of a key. For example, you can assign labels to multiple versions of a key. A version might be an iteration, an environment, or some other contextual information. Your application can request an entirely different set of key-values by specifying another label. As a result, all key references remain unchanged in your code.

+App Configuration treats all keys stored with it as independent entities. App Configuration doesn't attempt to infer any relationship between keys or to inherit key-values based on their hierarchy. You can aggregate multiple sets of keys, however, by using labels coupled with proper configuration stacking in your application code.

+In your code, you first retrieve the key-values without any labels, and then you retrieve the same set of key-values a second time with the "Development" label. When you retrieve the values the second time, the previous values of the keys are overwritten. The .NET configuration system allows you to "stack" multiple sets of configuration data on top of each other. If a key exists in more than one set, the last set that contains it is used. With a modern programming framework, such as .NET, you get this stacking capability for free if you use a native configuration provider to access App Configuration. The following code snippet shows how you can implement stacking in a .NET application:

+* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+* An Azure App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md).

+* [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download).

+* An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+* An Azure App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md).

+1. In the [Azure portal](https://portal.azure.com), select your App Configuration store.

+1. To verify that your configurations have been successfully transferred from your source to your target store, list all of the key-values in your target store.

+1. To build the app by using the .NET CLI, run the following command in the command shell:

+You can also use the **--set** argument for helm upgrade to pass literal key-values. Using the **--set** argument is a good way to avoid persisting sensitive data to disk.

+You can create feature flags in Azure App Configuration and manage them from the **Feature Manager** in the Azure portal.

+| .NET | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET | .NET [quickstart](./quickstart-dotnet-core-app.md) |

+| ASP.NET Core | App Configuration [provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration) for .NET | ASP.NET Core [quickstart](./quickstart-aspnet-core-app.md) |

+| Python | App Configuration [provider](https://pypi.org/project/azure-appconfiguration-provider/) for Python | Python [quickstart](./quickstart-python-provider.md) |

+- **Key Filter**: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * will select all key-values. For more information on, see [Query key-values](concept-key-value.md#query-key-values).

+- [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download)

+> The Azure Cloud Shell is a free, interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET SDK. If you're logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md)

+Use the [.NET command-line interface (CLI)](/dotnet/core/tools) to create a new ASP.NET Core web app project. The [Azure Cloud Shell](https://shell.azure.com) provides these tools for you. They're also available across the Windows, macOS, and Linux platforms.

+1. To build the app using the .NET CLI, navigate to the root directory of your project. Run the following command in the command shell:

+* [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download)

+1. Use the .NET command-line interface (CLI) and run the following command to create a new ASP.NET Core web app project in a new *MyWebApp* directory:

+### Set up the Azure App Configuration store

+### Set up the App Configuration Kubernetes Provider

+- [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download) - also available in the [Azure Cloud Shell](https://shell.azure.com).

+description: Use Azure CLI script to create, view, update and delete key-values from App Configuration store

+description: In this tutorial, you learn how to implement feature flags in .NET apps.

+#Customer intent: I want to control feature availability in my app by using the .NET Feature Manager library.

+## Prerequisites

+The [Add feature flags to an ASP.NET Core app Quickstart](./quickstart-feature-flag-aspnet-core.md) shows a simple example of how to use feature flags in an ASP.NET Core application. This tutorial shows additional setup options and capabilities of the Feature Management libraries. You can use the sample app created in the quickstart to try out the sample code shown in this tutorial.

+By default, the feature manager retrieves feature flag configuration from the `"FeatureManagement"` section of the .NET configuration data. To use the default configuration location, call the [AddFeatureManagement](/dotnet/api/microsoft.featuremanagement.servicecollectionextensions.addfeaturemanagement) method of the **IServiceCollection** passed into the **ConfigureServices** method of the **Startup** class.

+Rather than hard coding your feature flags into your application, we recommend that you keep feature flags outside the application and manage them separately. Doing so allows you to modify flag states at any time and have those changes take effect in the application right away. The Azure App Configuration service provides a dedicated portal UI for managing all of your feature flags. The Azure App Configuration service also delivers the feature flags to your application directly through its .NET client libraries.

+Before you start this tutorial, install the [.NET SDK 6.0 or later](https://dotnet.microsoft.com/download).

+[Microsoft Entra authentication]: azure-maps-authentication.md#microsoft-entra-authentication

+> Wait for new telemetry in Log Analytics before relying on it. After starting the migration, telemetry first goes to Classic Application Insights. Aim to switch to Log Analytics within 24 hours, avoiding data loss or double writing. Once done, Log Analytics solely captures new telemetry.

+ The number of pods should be equal to the number of Linux nodes on the cluster. The output should resemble the following example, which indicates that it was deployed properly:

+ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ ama-logs 2 2 2 2 2 <none> 1d

+ `kubectl get ds ama-logs-windows --namespace=kube-system`

+ The number of pods should be equal to the number of Windows nodes on the cluster. The output should resemble the following example, which indicates that it was deployed properly:

+ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ ama-logs-windows 2 2 2 2 2 <none> 1d

+1. Check the deployment status by using the following command:

+ `kubectl get deployment ama-logs-rs --namespace=kube-system`

+ User@aksuser:~$ kubectl get deployment ama-logs-rs --namespace=kube-system

+ NAME READY UP-TO-DATE AVAILABLE AGE

+ ama-logs-rs 1/1 1 1 24d

+ The output should resemble the following example with a status of `Running` for ama-logs:

+ ama-logs-windows-6drwq 1/1 Running 0 1d

+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ama-logs 2 2 2 2 2 <none> 1d

+kubectl get ds ama-logs-windows --namespace=kube-system

+NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE

+ama-logs-windows 2 2 2 2 2 <none> 1d

+kubectl get deployment ama-logs-rs --namespace=kube-system

+User@aksuser:~$ kubectl get deployment ama-logs-rs --namespace=kube-system

+NAME READY UP-TO-DATE AVAILABLE AGE

+ama-logs-rs 1/1 1 1 24d

+ Title: Sources of monitoring data for Azure Monitor and their data collection methods

+description: Describes the different types of data that can be collected in Azure Monitor and the method of data collection for each.

+# Sources of monitoring data for Azure Monitor and their data collection methods

+Azure Monitor is based on a [common monitoring data platform](data-platform.md) that allows different types of data from multiple types of resources to be analyzed together using a common set of tools. This article describes common sources of monitoring data collected by Azure Monitor and their data collection methods. Use this article as a starting point to understand the option for collecting different types of data being generated in your environment.

+> [!IMPORTANT]

+> There is a cost for collecting and retaining most types of data in Azure Monitor. To minimize your cost, ensure that you don't collect any more data than you require and that your environment is configured to optimize your costs. See [Cost optimization in Azure Monitor](best-practices-cost.md) for a summary of recommendations.

+Most resources in Azure generate the monitoring data described in the following table. Some services will also have additional data that can be collected by enabling other features of Azure Monitor (described in other sections in this article). Regardless of the services that you're monitoring though, you should start by understanding and configuring collection of this data.

+Create diagnostic settings for each of the following data types can be sent to a Log Analytics workspace, archived to a storage account, or streamed to an event hub to send it to services outside of Azure. See [Create diagnostic settings in Azure Monitor](essentials/create-diagnostic-settings.md).

+| Data type | Description | Data collection method |

+| Activity log | The Activity log provides insight into subscription-level events for Azure services including service health records and configuration changes. | Collected automatically. View in the Azure portal or create a diagnostic setting to send it to other destinations. Can be collected in Log Analytics workspace at no charge. See [Azure Monitor activity log](essentials/activity-log.md). |

+| Platform metrics | Platform metrics are numerical values that are automatically collected at regular intervals for different aspects of a resource. The specific metrics will vary for each type of resource. | Collected automatically and stored in [Azure Monitor Metrics](./essentials/data-platform-metrics.md). View in metrics explorer or create a diagnostic setting to send it to other destinations. See [Azure Monitor Metrics overview](essentials/data-platform-metrics.md) and [Supported metrics with Azure Monitor](/azure/azure-monitor/reference/supported-metrics/metrics-index) for a list of metrics for different services. |

+| Resource logs | Provide insight into operations that were performed within an Azure resource. The content of resource logs varies by the Azure service and resource type. | You must create a diagnostic setting to collect resources logs. See [Azure resource logs](essentials/resource-logs.md) and [Supported services, schemas, and categories for Azure resource logs](essentials/resource-logs-schema.md) for details on each service. |

+## Microsoft Entra ID

+Activity logs in Microsoft Entra ID are similar to the activity logs in Azure Monitor and can also use a diagnostic setting to be sent to a Log Analytics workspace, archived to a storage account, or streamed to an event hub to send it to services outside of Azure. See [Configure Microsoft Entra diagnostic settings for activity logs](/entra/identity/monitoring-health/howto-configure-diagnostic-settings).

+| Data type | Description | Data collection method |

+| Activity logs | Enable you to assess many aspects of your Microsoft Entra ID environment, including history of sign-in activity, audit trail of changes made within a particular tenant, and activities performed by the provisioning service. | Collected automatically. View in the Azure portal or create a diagnostic setting to send it to other destinations. |

+## Virtual machines

+Azure virtual machines create the same activity logs and platform metrics as other Azure resources. In addition to this host data though, you need to monitor the guest operating system and the workloads running on it, which requires the [Azure Monitor agent](./agents/agents-overview.md) or [SCOM Managed Instance](./vm/scom-managed-instance-overview.md). The following table includes the most common data to collect from VMs. See [Monitor virtual machines with Azure Monitor: Collect data](./vm/monitor-virtual-machine-data-collection.md) for a more complete description of the different kinds of data you can collect from virtual machines.

+| Data type | Description | Data collection method |

+| Windows Events | Logs for the client operating system and different applications on Windows VMs. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect events and performance counters from virtual machines with Azure Monitor Agent](./agents/data-collection-rule-azure-monitor-agent.md). |

+| Syslog | Logs for the client operating system and different applications on Linux VMs. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect Syslog events with Azure Monitor Agent](./agents/data-collection-syslog.md). To use the VM as a Syslog forwarder, see [Tutorial: Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent](../sentinel/forward-syslog-monitor-agent.md) |

+| Client Performance data | Performance counter values for the operating system and applications running on the virtual machine. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Azure Monitor Metrics and/or Log Analytics workspace. See [Collect events and performance counters from virtual machines with Azure Monitor Agent](./agents/data-collection-rule-azure-monitor-agent.md).<br><br>Enable VM insights to send predefined aggregated performance data to Log Analytics workspace. See [Enable VM Insights overview](./vm/vminsights-enable-overview.md) for installation options. |

+| Processes and dependencies | Details about processes running on the machine and their dependencies on other machines and external services. Enables the [map feature in VM insights](vm/vminsights-maps.md). | Enable VM insights on the machine with the *processes and dependencies* option. See [Enable VM Insights overview](./vm/vminsights-enable-overview.md) for installation options. |

+| Text logs | Application logs written to a text file. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect logs from a text or JSON file with Azure Monitor Agent](./agents/data-collection-text-log.md). |

+| IIS logs | Logs created by Internet Information Service (IIS)\. | Deploy the Azure Monitor agent (AMA) and create a data collection rule (DCR) to send data to Log Analytics workspace. See [Collect IIS logs with Azure Monitor Agent](./agents/data-collection-iis.md). |

+| SNMP traps | Widely deployed management protocol for monitoring and configuring Linux devices and appliances. | See [Collect SNMP trap data with Azure Monitor Agent](./agents/data-collection-snmp-data.md). |

+| Management pack data | If you have an existing investment in SCOM, you can migrate to the cloud while retaining your investment in existing management packs using [SCOM MI](./vm/scom-managed-instance-overview.md). | SCOM MI stores data collected by management packs in an instance of SQL MI. See [Configure Log Analytics for Azure Monitor SCOM Managed Instance](/system-center/scom/configure-log-analytics-for-scom-managed-instance) to send this data to a Log Analytics workspace. |

+## Kubernetes cluster

+Azure Kubernetes Service (AKS) clusters create the same activity logs and platform metrics as other Azure resources. In addition to this host data though, they generate a common set of cluster logs and metrics that you can collect from your AKS clusters and Arc-enabled Kubernetes clusters.

+| Data type | Description | Data collection method |

+| Cluster Metrics | Usage and performance data for the cluster, nodes, deployments, and workloads. | Enable managed Prometheus for the cluster to send cluster metrics to an [Azure Monitor workspace](./essentials/azure-monitor-workspace-overview.md). See [Enable Prometheus and Grafana](./containers/kubernetes-monitoring-enable.md#enable-prometheus-and-grafana) for onboarding and [Default Prometheus metrics configuration in Azure Monitor](containers/prometheus-metrics-scrape-default.md) for a list of metrics that are collected by default. |

+| Logs | Standard Kubernetes logs including events for the cluster, nodes, deployments, and workloads. | Enable Container insights for the cluster to send container logs to a Log Analytics workspace. See [Enable Container insights](./containers/kubernetes-monitoring-enable.md#enable-container-insights) for onboarding and [Configure data collection in Container insights using data collection rule](./containers/container-insights-data-collection-dcr.md) to configure which logs will be collected. |

+## Application

+Application monitoring in Azure Monitor is done with [Application Insights](/azure/application-insights/), which collects data from applications running on various platforms in Azure, another cloud, or on-premises. When you enable Application Insights for an application, it collects metrics and logs related to the performance and operation of the application and stores it in the same Azure Monitor data platform used by other data sources.

+See [Application Insights overview](./app/app-insights-overview.md) for further details about the data that Application insights collected and links to articles on onboarding your application.

+| Data type | Description | Data collection method |

+| Logs | Operational data about your application including page views, application requests, exceptions, and traces. Also includes dependency information between application components to support Application Map and telemetry correlation. | Application logs are stored in a Log Analytics workspace that you select as part of the onboarding process. |

+| Metrics | Numeric data measuring the performance of your application and user requests measured over intervals of time. | Metric data is stored in both Azure Monitor Metrics and the Log Analytics workspace. |

+| Traces | Traces are a series of related events tracking end-to-end requests through the components of your application. | Traces are stored in the Log Analytics workspace for the app. |

+For any monitoring data that you can't collect with the other methods described in this article, you can use the APIs in the following table to send data to Azure Monitor.

+| Data type | Description | Data collection method |

+|:|:|:|

+| Logs | Collect log data from any REST client and store in Log Analytics workspace. | Create a data collection rule to define destination workspace and any data transformations. See [Logs ingestion API in Azure Monitor](logs/logs-ingestion-api-overview.md). |

+| Metrics | Collect custom metrics for Azure resources from any REST client. | See [Send custom metrics for an Azure resource to the Azure Monitor metric store by using a REST API](essentials/metrics-store-custom-rest-api.md). |

+[Sources of monitoring data for Azure Monitor and their data collection methods](../data-sources.md) describes the different kinds of data collected by Azure Monitor and the methods used to collect them. See that article for that data that can be streamed to an event hub and links to configuration details.

+ >Do not delete the PPG. Deleting a PPG removes the pinning and can cause subsequent volume groups to be created in sub-optimal locations which could lead to increased latency.

+ Application volume group for SAP HANA create multiple IP addresses, up to six IP addresses for larger-sized estates. Ensure that the delegated subnet has sufficient free IP addresses. Consider using a delegated subnet with a minimum of 59 IP addresses with a subnet size of /26. See [Considerations about delegating a subnet to Azure NetApp Files](azure-netapp-files-delegate-subnet.md#considerations).

+* Application volume group for SAP HANA only supports [Basic network features](azure-netapp-files-network-topologies.md). You should not edit network features for volumes in an application volume group.

+<a name="regions-standard-network-features"></a>The option to set Standard network features on new volumes and to modify network features for existing volumes is available in the following regions:

+See [supported regions](azure-netapp-files-network-topologies.md#supported-regions) for a full list.

+> The networking features of the DP volume are not affected by changing the source volume from Basic to Standard network features.

+The edit network features option is available in [all regions that support Standard network features](azure-netapp-files-network-topologies.md#supported-regions).

+>[!IMPORTANT]

+>You should not use the edit network features option for an [application volume group for SAP HANA](application-volume-group-introduction.md). Application volume group for SAP HANA only supports Basic network features.

+ > Using the Security privilege users feature relies on the [SMB Continuous Availability Shares feature](azure-netapp-files-create-volumes-smb.md#continuous-availability). SMB Continuous Availability is **not** supported on custom applications. It is only supported for workloads using Citrix App Layering, [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md), and Microsoft SQL Server (not Linux SQL Server).

+* [Volume and protocol enhancement](understand-volume-languages.md): extended language support for file and path names

+ Azure NetApp Files uses a default volume language of C.UTF-8, which provides POSIX compliant UTF-8 encoding for character sets. The C.UTF-8 language natively supports characters with a size of 0-3 bytes, which includes a majority of the worldΓÇÖs languages on the Basic Multilingual Plane (BMP) (including Japanese, German, and most of Hebrew and Cyrillic).

+

+ Azure NetApp Files now supports characters outside of the BMP using surrogate pair logic, where multiple character byte sets are combined to form new characters. Emoji symbols, for example, fall into this category and are now supported in Azure NetApp Files.

+ To learn more about languages and special character handling in Azure NetApp Files volumes, see [Understand volume languages in Azure NetApp Files](understand-volume-languages.md).

+

+ To learn more about file path lengths in relation to language and character handling in Azure NetApp Files volumes, see [Understand path lengths in Azure NetApp Files](understand-path-lengths.md).

+

+* [Standard network features - Edit volumes available in US Gov regions](azure-netapp-files-network-topologies.md#supported-regions) (Preview)

+ This feature is now in public preview, currently available in [16 Azure regions](azure-netapp-files-network-topologies.md#supported-regions). It will roll out to other regions. Stay tuned for further information as more regions become available.

+### Known limitations

+- Implicitly created resources aren't managed by the stack. Therefore, no deny assignments or cleanup is possible.

+- Deny assignments don't support tags.

+- Deployment stacks cannot delete Key vault secrets. If you're removing key vault secrets from a template, make sure to also execute the deployment stack update/delete command with detach mode.

+- A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription.

+## Microsoft.AzureArcData

+> [!div class="mx-tableFixed"]

+> | Resource type | Resource group | Subscription | Region move |

+> | - | -- | - | -- |

+> | SqlServerInstances | No | No | No |

+## February 2024

+All new Azure VMware Solution private clouds are being deployed with VMware NSX version 4.1.1.

+VMware vSphere 8.0 is targeted for rollout to Azure VMware Solution by Q2 2024.

+#Customer intent: As an Azure service administrator, I want to <define conditional forwarding rules for a desired domain name to a desired set of private DNS servers via the NSX-T Data Center DNS Service.

+### VMware NSX-T Manager

+A virtual hub is a virtual network that is created and used by Azure Virtual WAN. It's the core of your Virtual WAN network in a region. It can contain gateways for site-to-site and ExpressRoute.

+ >[!IMPORTANT]

+> Azure Application Gateway is the preferred method to expose web apps running on Azure VMware Solution VMs.

+Here's a general authorization workflow:

+1. The client tries to connect to the Web PubSub service by using the URL and the JWT token returned from the application server.

+### Supported claims

+You could also configure properties for the client connection when generating the access token by specifying special claims inside the JWT token:

+| Description | Claim type | Claim value | Notes |

+| | | | |

+| The `userId` for the client connection | `sub` | the userId | Only one `sub` claim is allowed. |

+| The lifetime of the token | `exp` | the expiration time | The `exp` (expiration time) claim identifies the expiration time on or after which the token MUST NOT be accepted for processing. |

+| The [permissions](#permissions) the client connection initially has | `role` | the role value defined in [permissions](#permissions) | Specify multiple `role` claims if the client has multiple permissions. |

+| The initial groups that the client connection joins once it connects to Azure Web PubSub | `group` | the group to join | Specify multiple `group` claims if the client joins multiple groups. |

+You could also add custom claims into the access token, and these values are preserved as the `claims` property in [connect upstream request body](./reference-cloud-events.md#system-connect-event).

+[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients.

+A **PubSub WebSocket client** is the WebSocket client using subprotocols defined by the Azure Web PubSub service:

+If `ackId` isn't specified, it's fire-and-forget. Even there are errors when brokering messages, you have no way to get notified.

+`ackId` is a uint64 number and should be unique within a client with the same connection ID. Web PubSub Service records the `ackId` and messages with the same `ackId` are treated as the same message. The service refuses to broker the same message more than once, which is useful in retry to avoid duplicated messages. For example, if a client sends a message with `ackId=5` and fails to receive an ack response with `ackId=5`, then the client retries and sends the same message again. In some cases, the message is already brokered and the ack response is lost for some reason. The service rejects the retry and response an ack response with `Duplicate` reason.

+* `success` is a bool and indicate whether the request is successfully processed by the service. If it's `false`, clients need to check the `error`.

+Client can connect to the service using a JWT token. The token payload can carry information such as the `role` of the client. When signing the JWT token to the client, you can grant permissions to the client by giving the client specific roles.

+| Storage Blob Data Contributor | Extension Identity | Storage account | Allows Backup Extension to store cluster resource backups in the blob container. |

+ As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Blob Data Contributor** role. To assign the required role, run the following command:

+ az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name $akscluster --resource-group $aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/$subscriptionId/resourceGroups/$storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/$storageaccount

+ az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name <aksclustername> --resource-group <aksclusterrg> --cluster-type managedClusters --query identity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/<subscriptionid>/resourceGroups/<storageaccountrg>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>

+ Title: Back up Windows system state to Azure by using Azure Backup

+1. From the **Recovery Services vaults** blade, select the new vault.

+ 

+ When you select the vault, the **Recovery Services vault** blade narrows, and the Settings blade (*which has the name of the vault at the top*) and the vault details blade open.

+2. On the new vault's **Settings** blade, use the vertical slide to scroll down to the Manage section, and select **Backup Infrastructure**.

+3. On the **Backup Infrastructure** blade, select **Backup Configuration** to open the **Backup Configuration** blade.

+1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, select **Backup**, then on the **Getting Started with Backup** blade, select **Backup goal**.

+ The **Backup Goal** blade opens.

+ 

+ After you select **OK**, a checkmark appears next to **Backup goal**, and the **Prepare infrastructure** blade opens.

+4. On the **Prepare infrastructure** blade, select **Download Agent for Windows Server or Windows Client**.

+6. On the **Prepare infrastructure** blade, select **Download**.

+3. On the **Getting started** blade of the Schedule Backup Wizard, select **Next**.

+4. On the **Select Items to Backup** blade, select **Add Items**.

+7. Select the required Backup frequency and the retention policy for your System State backups in the subsequent blades.

+8. On the Confirmation blade, review the information, and then select **Finish**.

+3. Select **System State** on the **Select Backup Item** blade that appears and select **Next**.

+4. On the Confirmation blade, review the settings that the Back Up Now Wizard will use to back up the machine. Then select **Back Up**.

+ Title: Back up SQL Server workloads on Azure Stack by using Azure Backup

+Management of the SQL Server database backup to Azure and recovery from Azure involves:

+ * Prefer secondary - Backups should occur on a secondary replica except when the primary replica is the only replica online. If there are multiple secondary replicas available, then the node with the highest backup priority will be selected for backup. If only the primary replica is available, then the backup should occur on the primary replica.

+ * >[!Note]

+ >- Backups can happen from any readable replica - that is, primary, synchronous secondary, asynchronous secondary.

+ >- If any replica is excluded from backup, for example **Exclude Replica** is enabled or is marked as not readable, then that replica won't be selected for backup under any of the options.

+ >- If multiple replicas are available and readable, then the node with the highest backup priority will be selected for backup.

+ >- If the backup fails on the selected node, then the backup operation fails.

+ >- Recovery to the original location isn't supported.

+1. On the **Azure Backup Server**, select the **Protection** workspace.

+2. On the tool menu, select **New** to create a new protection group.

+3. On the **Select Protection Group Type** blade, select **Servers**.

+4. On the **Select Group Members** blade, the Available members list displays the various data sources. Select **+** to expand a folder and reveal the subfolders. Select the checkbox to select an item.

+5. On the **Select Data Protection Method** blade, provide a name for the protection group and select the **I want online Protection** checkbox.

+6. On the **Specify Short-Term Goals** blade, include the necessary inputs to create backup points to disk, and select **Next**.

+7. On the **Review disk allocation** blade, verify the overall storage space available, and the potential disk space. Select **Next**.

+ In this example, backups are taken once a day at 12:00 PM and 8 PM.

+ * Backups are taken once a day at 12:00 PM and 8 PM and are retained for 180 days.

+14. Once you review the policy details in the **Summary** blade, select **Create group** to complete the workflow. You can select **Close** and monitor the job progress in Monitoring workspace.

+4. On the **Specify Recovery options** blade, you can select the recovery options like Network bandwidth usage throttling to throttle the bandwidth used by recovery. Select **Next**.

+5. On the **Summary** blade, you see all the recovery configurations provided so far. Select **Recover**.

+## <a name="host"></a>Bastion service and deployment FAQs

+Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level.

+### <a name="forcedtunnel"></a>Can I use Azure Bastion if I'm force-tunneling Internet traffic back to my on-premises location?

+No, if you're advertising a default route (0.0.0.0/0) over ExpressRoute or VPN, and this route is being injected in to your Virtual Networks, this will break the Azure Bastion service.

+You can use a private DNS zone ending with one of the names in the previous list (ex: privatelink.blob.core.windows.net).

+### My privatelink.azure.com can't resolve to management.privatelink.azure.com

+This might be due to the private DNS zone for privatelink.azure.com linked to the Bastion virtual network causing management.azure.com CNAMEs to resolve to management.privatelink.azure.com behind the scenes. Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net to enable successful DNS resolution.

+No, Azure Bastion doesn't currently support Azure Private Link.

+For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 before this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.

+Review any error messages and [raise a support request in the Azure portal](../azure-portal/supportability/how-to-create-azure-support-request.md) as needed. Deployment failures can result from [Azure subscription limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md). Specifically, customers might encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.

+Azure Bastion is deployed within virtual networks or peered virtual networks, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site virtual network. If there is an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.

+### <a name="move-virtual-network"></a>Does Bastion support moving a VNet to another resource group?

+No. If you move your virtual network to another resource group (even if it's in the same subscription), you'll need to first delete Bastion from virtual network, and then proceed to move the virtual network to the new resource group. Once the virtual network is in the new resource group, you can deploy Bastion to the virtual network.

+Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions might or might not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.

+## <a name="vm"></a>VM connection and available features FAQs

+### <a name="session"></a>Why do I get "Your session has expired" error message before the Bastion session starts?

+If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal. Sign in to the Azure portal and begin your session again.

+Bastion doesn't support connecting to a VM that is set up as an RDS session host.

+Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable. Timezone settings for a VM can be manually updated after successfully connecting to the Guest OS.

+Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource.

+### I'm connecting to a VM using a JIT policy, do I need additional permissions?

+If user is connecting to a VM using a JIT policy, there are no additional permissions needed. For more information on connecting to a VM using a JIT policy, see [Enable just-in-time access on VMs](../defender-for-cloud/just-in-time-access-usage.md).

+Yes, connectivity via Bastion will continue to work for peered virtual networks across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the **Connect** drop down menu, the user must select the subs they have access to in **Subscription > global subscription**.

+Make sure the user has **read** access to both the VM, and the peered virtual network. Additionally, check under IAM that the user has **read** access to following resources:

+ Title: Configure customer-managed keys (preview) for experiment encryption

+description: Learn how to configure customer-managed keys (preview) for your Azure Chaos Studio experiment resource by using Azure Blob Storage.

+# Configure customer-managed keys (preview) for Azure Chaos Studio by using Azure Blob Storage

+Azure Chaos Studio automatically encrypts all data stored in your experiment resource with service-managed keys that Microsoft provides. As an optional feature, you can add a second layer of security by also providing your own customer-managed encryption keys. Customer-managed keys (CMKs) offer greater flexibility for controlling access and key-rotation policies.

+When you use CMKs, you need to specify a user-assigned managed identity (UMI) to retrieve the key. The UMI you create must match the UMI that you use for the Chaos Studio experiment.

+When configured, Chaos Studio uses Azure Storage, which uses the CMK to encrypt all your experiment execution and result data within your own storage account.

+- An existing UMI. For more information about how to create a UMI, see [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).

+- A public-access-enabled storage account.

+- Azure Chaos Studio experiments can't automatically rotate the CMK to use the latest version of the encryption key. You do key rotation directly in your chosen storage account.

+- You need to use our *2023-10-27-preview REST API* to create and use CMK-enabled experiments only. There's *no* support for CMK-enabled experiments in our general availability-stable REST API until H1 2024.

+- Chaos Studio currently *only supports creating Chaos Studio CMK experiments via the command line by using our 2023-10-27-preview REST API*. As a result, you *can't* create a Chaos Studio experiment with CMK enabled via the Azure portal. We plan to add this functionality in H1 of 2024.

+- The storage account must have *public access from all networks* enabled for Chaos Studio experiments to be able to use it. If you have a hard requirement from your organization, reach out to your CSA for potential solutions.

+## Configure your storage account

+When you create or update your storage account to use it for a CMK experiment, you need to go to the **Encryption** tab and set **Encryption type** to **Customer-managed keys (CMK)** and fill out all the required information.

+> The UMI that you use should match the one you use for the corresponding Chaos Studio CMK-enabled experiment.

+## Use customer-managed keys with Chaos Studio

+You can only configure customer-managed encryption keys when you create a new Chaos Studio experiment resource. When you specify the encryption key details, you also have to select a UMI to retrieve the key from Azure Key Vault.

+> The UMI should be the *same* UMI you use with your Chaos Studio experiment resource. Otherwise, the Chaos Studio CMK experiment fails to create or update.

+## Azure CLI

+The following code sample shows an example `PUT` command for creating or updating a Chaos Studio experiment resource to enable CMKs.

+>The two parameters specific to CMK experiments are under the `CustomerDataStorage` block, in which we ask for the subscription ID of the Azure Blob Storage account that you want to use to store your experiment data and the name of the Blob Storage container to use or create.

+If you run the same `PUT` command from the previous example on an existing CMK-enabled experiment resource, but you leave the fields in `customerDataStorage` empty, CMK is disabled on an experiment.

+## Reenable CMK on a Chaos Studio experiment

+If you run the same `PUT` command from the previous example on an existing experiment resource by using the 2023-10-27-preview REST API and populate the fields in `customerDataStorage`, CMK is reenabled on an experiment.

+You can change the managed identity for CMKs for an existing Chaos Studio experiment at any time. The outcome would be identical to updating the UMI for any Chaos Studio experiment.

+>If the UMI does *not* have the correct permissions to retrieve the CMK from your key vault and write to Blob Storage, the `PUT` command to update the UMI fails.

+When you use the `Get Experiment` command from the 2023-10-27-preview REST API, the response shows you whether the `CustomerDataStorage` properties were populated or not. In this way, you can tell whether an experiment is CMK enabled or not.

+## Update the customer-managed encryption key being used by your storage account

+You can change the key that you're using at any time because Chaos Studio is using your own storage account for encryption by using your CMK.

+Here are some answers to common questions.

+There's no charge associated directly from Chaos Studio. The use of Blob Storage and Key Vault might carry extra cost subject to those services' individual pricing.

+### Are customer-managed keys supported for existing Chaos Studio experiments?

+This feature is currently only available for Chaos Studio experiments created by using our 2023-10-27-preview REST API.

+ Title: Set up Private Link for a Chaos Studio agent-based experiment (preview)

+description: Understand the steps to set up a chaos experiment by using Azure Private Link for agent-based experiments.

+# Configure Private Link for agent-based experiments (preview)

+This article explains the steps needed to configure Azure Private Link for an Azure Chaos Studio agent-based experiment (preview). The current user experience is based on the private endpoints support that's enabled as part of the public preview of the private endpoints feature. Expect this experience to evolve with time as the feature is enhanced to general availability (GA) quality. It's currently in preview.

+- An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Define your agent-based experiment by following the steps in [Create a chaos experiment that uses an agent-based fault with the Azure portal](chaos-studio-tutorial-agent-based-portal.md).

+> If the target resource was created by using the Azure portal, the Chaos Agent virtual machine (VM) extension is automatically installed on the host VM. If the target is enabled by using the Azure CLI, follow the Chaos Studio documentation to install the VM extension first on the VM. Until you finish the private endpoint setup, the VM extension reports an unhealthy state. This behavior is expected.

+- You need to use our *2023-10-27-preview REST API* to create and use Private Link for agent-based experiments only. There's *no* support for Private Link for agent-based experiments in our GA-stable REST API until H1 2024.

+- The entire end-to-end experience for this flow requires some use of the CLI. The current end-to-end experience can't be done from the Azure portal.

+- The **Chaos Studio Private Accesses (CSPA)** resource type has a strict 1:1 mapping of Chaos Target:CSPA Resource (abstraction for private endpoint). We allow only *five CSPA resources to be created per subscription* to maintain the expected experience for all our customers.

+## Create a Chaos Studio Private Access resource

+To use private endpoints for agent-based chaos experiments, you need to create a new resource type called Chaos Studio Private Accesses. CSPA is the resource against which the private endpoints are created.

+Currently, this resource can *only be created from the CLI*. See the following example code for how to create this resource type:

+|subscriptionID|True|String|GUID that represents an Azure subscription ID.|

+|resourceGroupName|True|String|String that represents an Azure resource group.|

+|CSPAResourceName|True|String|String that represents the name you want to give your Chaos Studio Private Access resource.|

+|resourceLocation|True|String|Location where you want the resource to be hosted (must be a support region by Chaos Studio).|

+## Create your virtual network, subnet, and private endpoint

+[Set up your desired virtual network, subnet, and endpoint](../private-link/create-private-endpoint-portal.md) for the experiment if you haven't already.

+Make sure you attach it to the same VM's virtual network. Screenshots provide examples of creating the virtual network, subnet, and private endpoint. You need to set **Resource type** to **Microsoft.Chaos/privateAccesses** as seen in the screenshot.

+[](images/resource-private-endpoint.png#lightbox)

+[](images/resource-vnet-cspa.png#lightbox)

+## Map the agent host VM to the CSPA resource

+Find the target `Resource ID` by making a `GetTarget` call:

+The `GET` command returns a large response. Note this response. We use this response and modify it before running a `PUT Target` command to map the two resources.

+Invoke a `PUT Target` command by using this response. You need to append *two more fields* to the body of the `PUT` command before you run it.

+These extra fields are shown here:

+Here's an example block for what the `PUT Target` command should look like and the fields that you would need to fill out:

+> Copy the body from the previous `GET` command. You need to manually append the `privateAccessID` and `allowPublicAccess` fields.

+> The `PrivateAccessID` value should exactly match the `resourceID` value that you used to create the CSPA resource in the earlier section **Create a Chaos Studio Private Access resource**.

+## Restart the Azure Chaos Agent service in the VM

+After you make all the required changes to the host, restart the Azure Chaos Agent service in the VM.

+[](images/restart-windows-vm.png#lightbox)

+[](images/restart-linux-vm.png#lightbox)

+## Run your agent-based experiment by using private endpoints

+After the restart, Azure Chaos Agent should be able to communicate with the Agent Communication data plane service, and the agent registration to the data plane should be successful. After successful registration, the agent can indicate its status with a heartbeat. Then you can proceed to run the Azure Chaos Agent-based experiments by using private endpoints.

+The resolution can vary depending on the number of participants on a call, the amount of bandwidth available to the client, and other overall call parameters.

+zone_pivot_groups: container-registry-zones

+ai-usage: ai-assisted

+#customer intent: As a developer, I want artifact streaming capabilities so that I can efficiently deliver and serve containerized applications to end-users in real-time.

+**Deploying containerized applications to multiple regions**: With artifact streaming, you can store container images within a single registry and manage and stream container images to AKS clusters in multiple regions. Artifact streaming deploys container applications to multiple regions without consuming time and resources.

+**Reducing image pull latency**: Artifact streaming can reduce time to pod readiness by over 15%, depending on the size of the image, and it works best for images < 30 GB. This feature reduces image pull latency and fast container startup, which is beneficial for software developers and system architects.

+* Customers are able to store both the original and the streaming artifact in the ACR by starting artifact streaming.

+* Customers have access to the original and the streaming artifact even after turning off artifact streaming for repositories or artifacts.

+* Customers with artifact streaming and Soft Delete enabled, deletes a repository or artifact then both the original and artifact streaming versions are deleted. However, only the original version is available on the soft delete portal.

+Artifact streaming is only available in the **Premium** [service tiers](container-registry-skus.md) (also known as SKUs). Artifact streaming has potential to increase the overall registry storage consumption. Customers are subjected to more storage charges as outlined in our [pricing](https://azure.microsoft.com/pricing/details/container-registry/) if the consumption exceeds the included 500 GiB Premium SKU threshold.

+* The preview release doesn't support Windows-based container images and ARM64 images.

+* The preview release partially support multi-architecture images only the AMD64 architecture is supported.

+* Only premium SKU registries support generating streaming artifacts in the preview release. The nonpremium SKU registries don't offer this functionality during the preview.

+* You can use the [Azure Cloud Shell][Azure Cloud Shell] or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.54.0 or later is required. Run `az --version` for finding the version. If you need to install or upgrade, see [Install Azure CLI][Install Azure CLI].

+<!-- markdownlint-disable MD044 -->

+<!-- markdownlint-enable MD044 -->

+ Cancel the streaming artifact creation if the conversion isn't finished yet. It stops the operation.

+6. Start autoconversion on the repository

+ Start autoconversion in the repository for newly pushed or imported images. When started, new images pushed into that repository trigger the generation of streaming artifacts.

+ For example, run the [az acr artifact-streaming update][az-acr-artifact-streaming-update] command to start autoconversion for the `jupyter/all-spark-notebook` repository in the `mystreamingtest` ACR.

+<!-- markdownlint-disable MD044 -->

+<!-- markdownlint-enable MD044 -->

+6. You can also delete the artifact streaming from the repository.

+7. You can also enable autoconversion by accessing the repository on portal. Active means autoconversion is enabled on the repository. Inactive means autoconversion is disabled on the repository.

+> [Troubleshoot Artifact streaming](troubleshoot-artifact-streaming.md)

+ Title: "Troubleshoot Artifact streaming"

+description: "Troubleshoot Artifact streaming in Azure Container Registry to diagnose and resolve with managing, scaling, and deploying artifacts through containerized platforms."

+# Troubleshoot Artifact streaming

+* Digest usage instead of Tag for Streaming Artifact.

+| RESOURCE_NOT_FOUND | Conversion operation failed because target resource isn't found. | If the target image isn't found in the registry, verify typos in the image digest. If the image is deleted, or missing in the target region (replication consistency isn't immediate for example) |

+| UNSUPPORTED_PLATFORM | Conversion isn't currently supported for image platform. | Only linux/amd64 images are initially supported. |

+| NO_SUPPORTED_PLATFORM_FOUND | Conversion isn't currently supported for any of the image platforms in the index. | Only linux/amd64 images are initially supported. No image with this platform is found in the target index. |

+| UNSUPPORTED_MEDIATYPE | Conversion isn't supported for the image MediaType. | Conversion can only target images with media type: application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json, or application/vnd.docker.distribution.manifest.list.v2+json |

+If AKS pod deployment fails with an error related to image pulling, like the following example.

+To troubleshoot this issue, you should check the following guidelines:

+1. Verify if the AKS has permissions to access the container registry `mystreamingtest.azurecr.io`.

+ "operationType": <The type of change, either 'create', 'replace', or 'delete'.>,

+This article presents how to profile SQL query performance on Azure Cosmos DB using [ServerSideCumulativeMetrics](/dotnet/api/microsoft.azure.cosmos.serversidecumulativemetrics) retrieved from the .NET SDK. `ServerSideCumulativeMetrics` is a strongly typed object with information about the backend query execution. It contains cumulative metrics that are aggregated across all physical partitions for the request, a list of metrics for each physical partition, and the total request charge. These metrics are documented in more detail in the [Tune Query Performance](./query-metrics.md#query-execution-metrics) article.

+`ServerSideCumulativeMetrics` contains a `PartitionedMetrics` property that is a list of per-partition metrics for the round trip. If multiple physical partitions are reached in a single round trip, then metrics for each of them appear in the list. Partitioned metrics are represented as [ServerSidePartitionedMetrics](/dotnet/api/microsoft.azure.cosmos.serversidepartitionedmetrics) with a unique identifier for each physical partition and request charge for that partition.

+You can capture the request units consumed by each query to investigate expensive queries or queries that consume high throughput. You can get the total request charge using the `TotalRequestCharge` property in `ServerSideCumulativeMetrics` or you can look at the request charge from each partition using the `RequestCharge` property for each `ServerSidePartitionedMetrics` returned.

+The total request charge is also available using the `RequestCharge` property in `FeedResponse`. To learn more about how to get the request charge using the Azure portal and different SDKs, see [find the request unit charge](find-request-unit-charge.md) article.

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ ```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+ms.devlang: nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql

+```nosql