-|Reader|View assessments for a workload and the corresponding recommendations|

-|Contributor|Create assessments for a workload and triage the corresponding recommendations|

-**A**. In the "Most Valuable Professionals" (MVP) program scope, assessments can't be edited once completed.

-Limited Access services require registration, and only customers managed by Microsoft, meaning those who are working directly with Microsoft account teams, are eligible for access. The use of these services is limited to the use case selected at the time of registration. Customers must acknowledge that they've reviewed and agree to the terms of service. Microsoft may require customers to reverify this information.

-Review may take 5-10 business days. You will receive an email as soon as your application is reviewed.

-### How long will the registration process take?

-You'll receive communication from us about your application within 10 business days. In some cases, reviews can take longer. You'll receive an email as soon as your application is reviewed.

- "modelVersion": "2023-10-01",

- "modelVersion": "2023-10-01",

- "modelVersion": "2023-10-01",

-This article demonstrates how to perform near real-time analysis on frames that are taken from a live video stream by using the Azure AI Vision API. The basic elements of such an analysis are:

-The samples in this article are written in C#. To access the code, go to the [Video frame analysis sample](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/) page on GitHub.

-You can solve the problem of running near real-time analysis on video streams by using a variety of approaches. This article outlines three of them, in increasing levels of sophistication.

-### Design an infinite loop

-The simplest design for near real-time analysis is an infinite loop. In each iteration of this loop, you grab a frame, analyze it, and then consume the result:

-### Allow the API calls to run in parallel

-### Design a producer-consumer system

-For your final approach, designing a "producer-consumer" system, you build a producer thread that looks similar to your previously mentioned infinite loop. However, instead of consuming the analysis results as soon as they're available, the producer simply places the tasks in a queue to keep track of them.

-You also create a consumer thread, which takes tasks off the queue, waits for them to finish, and either displays the result or raises the exception that was thrown. By using the queue, you can guarantee that the results get consumed one at a time, in the correct order, without limiting the maximum frame rate of the system.

-To help get your app up and running as quickly as possible, we've implemented the system that's described in the preceding section. It's intended to be flexible enough to accommodate many scenarios, while being easy to use. To access the code, go to the [Video frame analysis sample](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/) page on GitHub.

-The library contains the `FrameGrabber` class, which implements the previously discussed producer-consumer system to process video frames from a webcam. Users can specify the exact form of the API call, and the class uses events to let the calling code know when a new frame is acquired, or when a new analysis result is available.

-The first sample app is a simple console app that grabs frames from the default webcam and then submits them to the Face service for face detection. A simplified version of the app is reproduced in the following code:

-The second sample app is a bit more interesting. It allows you to choose which API to call on the video frames. On the left side, the app shows a preview of the live video. On the right, it overlays the most recent API result on the corresponding frame.

-In most modes, there's a visible delay between the live video on the left and the visualized analysis on the right. This delay is the time that it takes to make the API call. An exception is in the "EmotionsWithClientFaceDetect" mode, which performs face detection locally on the client computer by using OpenCV before it submits any images to Azure AI services.

-By using this approach, you can visualize the detected face immediately. You can then update the emotions later, after the API call returns. This demonstrates the possibility of a "hybrid" approach. That is, some simple processing can be performed on the client, and then Azure AI services APIs can be used to augment this processing with more advanced analysis when necessary.

-2. Create resources for Azure AI Vision and Face in the Azure portal to get your key and endpoint. Make sure to select the free tier (F0) during setup.

-3. Clone the [Cognitive-Samples-VideoFrameAnalysis](https://github.com/Microsoft/Cognitive-Samples-VideoFrameAnalysis/) GitHub repo.

-4. Open the sample in Visual Studio 2015 or later, and then build and run the sample applications:

-When you're ready to integrate the samples, reference the VideoFrameAnalyzer library from your own projects.

-The image-, voice-, video-, and text-understanding capabilities of VideoFrameAnalyzer use Azure AI services. Microsoft receives the images, audio, video, and other data that you upload (via this app) and might use them for service-improvement purposes. We ask for your help in protecting the people whose data your app sends to Azure AI services.

-zone_pivot_groups: programming-languages-computer-vision-40

-In this guide, you'll learn how to call the v3.2 GA Read API to extract text from images. You'll learn the different ways you can configure the behavior of this API to meet your needs. This guide assumes you have already <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="created a Vision resource" target="_blank">create a Vision resource </a> and obtained a key and endpoint URL. If you haven't, follow a [quickstart](../quickstarts-sdk/client-library.md) to get started.

-The **Read** call takes images and documents as its input. They have the following requirements:

-* For PDF and TIFF files, up to 2000 pages (only the first two pages for the free tier) are processed.

-* The file size of images must be less than 500 MB (4 MB for the free tier) and dimensions at least 50 x 50 pixels and at most 10000 x 10000 pixels. PDF files do not have a size limit.

-By default, the service will use the latest generally available (GA) model to extract text. Starting with Read 3.2, a `model-version` parameter allows choosing between the GA and preview models for a given API version. The model you specify will be used to extract text with the Read operation.

-| [2022-01-30-preview](../whats-new.md#february-2022) | Preview model adds print text support for Hindi, Arabic and related languages. For handwritten text, adds support for Japanese and Korean. |

-### Select page(s) or page ranges for text extraction

-> The data submitted to the `Read` operation are temporarily encrypted and stored at rest for a short duration, and then deleted. This lets your applications retrieve the extracted text as part of the service response.

-The response includes classifying whether each text line is of handwriting style or not, along with a confidence score. This feature is only supported for Latin languages. The following example shows the handwritten classification for the text in the image.

-## Create and update a **DynamicPersonGroup**

-### Scenario 3: Identify against the entire **PersonDirectory**

-## Verify faces against persons in the **PersonDirectory**

-The Face service automatically encrypts your data when persisted to the cloud. The Face service encryption protects your data and helps you to meet your organizational security and compliance commitments.

-* [What is Azure Key Vault](../../key-vault/general/overview.md)?

-description: Learn how to migrate to the v3 Read OCR containers

-# Migrate to the Read v3.x OCR containers

-If you're using version 2 of the Azure AI Vision Read OCR container, Use this article to learn about upgrading your application to use version 3.x of the container.

-## Configuration changes

-* `ReadEngineConfig:ResultExpirationPeriod` is no longer supported. The Read OCR container has a built Cron job that removes the results and metadata associated with a request after 48 hours.

-* `Cache:Redis:Configuration` is no longer supported. The Cache isn't used in the v3.x containers, so you don't need to set it.

-See the [Azure AI Vision v3 REST API migration guide](./upgrade-api-versions.md) for detailed information on updating your applications to use version 3 of cloud-based Read API. This information applies to the container as well. Sync operations are only supported in containers.

-To enable a visualization of AI Insight events in a video frame, you need to use the `.debug` version of a [Spatial Analysis operation](spatial-analysis-operations.md) on a desktop machine or Azure VM. The visualization is not possible on Azure Stack Edge devices. There are four debug operations available.

-2. In the terminal run `xhost +`

-3. Update the [deployment manifest](https://github.com/Azure-Samples/cognitive-services-sample-data-files/blob/master/ComputerVision/spatial-analysis/DeploymentManifest_for_non_ASE_devices.json) under the `spaceanalytics` module with the value of the `DISPLAY` environment variable. You can find its value by running `echo $DISPLAY` in the terminal on the host computer.

-4. Update the graph in the deployment manifest you want to run in debug mode. In the example below, we update the operationId to cognitiveservices.vision.spatialanalysis-personcrossingpolygon.debug. A new parameter `VISUALIZER_NODE_CONFIG` is required to enable the visualizer window. All operations are available in debug flavor. When using shared nodes, use the cognitiveservices.vision.spatialanalysis.debug operation and add `VISUALIZER_NODE_CONFIG` to the instance parameters.

-5. Redeploy and you will see the visualizer window on the host computer

-6. After the deployment has completed, you might have to copy the `.Xauthority` file from the host computer to the container and restart it. In the sample below, `peopleanalytics` is the name of the container on the host computer.

-Telegraf is an open source image that works with Spatial Analysis, and is available in the Microsoft Container Registry. It takes the following inputs and sends them to Azure Monitor. The telegraf module can be built with desired custom inputs and outputs. The telegraf module configuration in Spatial Analysis is part of the deployment manifest (linked above). This module is optional and can be removed from the manifest if you don't need it.

-1. Spatial Analysis Metrics

-2. Disk Metrics

-3. CPU Metrics

-4. Docker Metrics

-5. GPU Metrics

-1. Azure Monitor

-The supplied Spatial Analysis telegraf module will publish all the telemetry data emitted by the Spatial Analysis container to Azure Monitor. See the [Azure Monitor](../../azure-monitor/overview.md) for information on adding Azure Monitor to your subscription.

-After setting up Azure Monitor, you will need to create credentials that enable the module to send telemetry. You can use the Azure portal to create a new Service Principal, or use the Azure CLI command below to create one.

-In the deployment manifest for your [Azure Stack Edge device](https://go.microsoft.com/fwlink/?linkid=2142179), [desktop machine](https://go.microsoft.com/fwlink/?linkid=2152270), or [Azure VM with GPU](https://go.microsoft.com/fwlink/?linkid=2152189), look for the *telegraf* module, and replace the following values with the Service Principal information from the previous step and redeploy.

-"telegraf": {

-  "image": "mcr.microsoft.com/azure-cognitive-services/vision/spatial-analysis/telegraf:1.0",

-Once the telegraf module is deployed, the reported metrics can be accessed either through the Azure Monitor service, or by selecting **Monitoring** in the IoT Hub on the Azure portal.

-|--|-|

-| InputRate | The rate at which the graph processes video input. Reported every 5 minutes. |

-| OutputRate | The rate at which the graph outputs AI insights. Reported every 5 minutes. |

-## Troubleshooting an IoT Edge Device

-In the "env" section add the following configuration:

-2. Get the **Connection String** for your storage account from the Azure portal. It will be located in **Access Keys**.

-3. Spatial Analysis logs will be automatically uploaded into a Blob Storage container named *rtcvlogs* with the following file name format: `{CONTAINER_NAME}/{START_TIME}-{END_TIME}-{QUERY_TIME}.log`.

-| EndTime | Desired logs end time, in milliseconds UTC. | `-1`, the current time. When `[-1.-1]` time range is used, the api returns logs from the last one hour. |

-| DoPost | Perform the upload operation. When this is set to `false`, it performs the requested operation and returns the upload size without performing the upload. When set to `true`, it will initiate the asynchronous upload of the selected logs | `false`, do not upload.|

-|DoPost| Either *true* or *false*. Indicates if logs have been uploaded or not. When you choose not to upload logs, the api returns information ***synchronously***. When you choose to upload logs, the api returns 200, if the request is valid, and starts uploading logs ***asynchronously***.|

-3. Save the endpoint string. You will use this later when configuring `kubectl` to access the Kubernetes cluster.

-Remotely, connect from a Windows client. After the Kubernetes cluster is created, you can manage the applications via this cluster. You will need to connect to the PowerShell interface of the device. Depending on the operating system of client, the procedures to remotely connect to the device may be different. The following steps are for a Windows client running PowerShell.

- 1. Make sure that the Windows Remote Management service is running on your client. At the command prompt, type `winrm quickconfig`.

-2. Assign a variable for the device IP address. For example, `$ip = "<device-ip-address>"`.

-3. Use the following command to add the IP address of your device to the client's trusted hosts list.

-4. Start a Windows PowerShell session on the device.

-5. Provide the password when prompted. Use the same password that is used to sign into the local web interface. The default local web interface password is `Password1`.

-2. Create a user and get a config file. This command will output configuration information for the Kubernetes cluster. Copy this information and save it in a file named *config*. Do not save the file a file extension.

-3. Add the *config* file to the *.kube* folder in your user profile on the local machine.

-4. Associate the namespace with the user you created.

-5. Install `kubectl` on your Windows client using the following command:

-6. Add a DNS entry to the hosts file on your system.

-7. Verify you can connect to the Kubernetes pods.

-|`Get-HcsKubernetesUserConfig -AseUser` | Generates a Kubernetes configuration file. When using the command, copy the information into a file named *config*. Do not save the file with a file extension. |

-If you need more support in finding a solution to a problem you're having with the Spatial Analysis container, follow these steps to fill out and submit a support ticket. Our team will get back to you with additional guidance.

-### Fill out the basics

-2. Select the subscription that you are utilizing to deploy the Spatial Analysis container.

-3. Select `My services` and select `Azure AI services` as the service.

-4. Select the resource that you are utilizing to deploy the Spatial Analysis container.

-5. Write a brief description detailing the problem you are facing.

-6. Select `Spatial Analysis` as your problem type.

-7. Select the appropriate subtype from the drop down.

-8. Select **Next: Solutions** to move on to the next page.

-On this page, add some additional details about the problem you've been facing. Be sure to include as much detail as possible, as this will help our engineers better narrow down the issue. Include your preferred contact method and the severity of the issue so we can contact you appropriately, and select **Next: Review + create** to move to the next step.

-Review the details of your support request to ensure everything is accurate and represents the problem effectively. Once you are ready, select **Create** to send the ticket to our team! You will receive an email confirmation once your ticket is received, and our team will work to get back to you as soon as possible. You can view the status of your ticket in the Azure portal.

- "status": "Succeeded",

- "recognitionResults": [

- {

- "page": 1,

- "language": "en",

- "clockwiseOrientation": 349.59,

- "width": 2661,

- "height": 1901,

- "unit": "pixel",

- "lines": [

- {

- "boundingBox": [

- 67,

- 646,

- 2582,

- 713,

- 2580,

- 876,

- 67,

- 821

- ],

- "text": "The quick brown fox jumps",

- "words": [

- {

- "boundingBox": [

- 143,

- 650,

- 435,

- 661,

- 436,

- 823,

- 144,

- 824

- ],

- "text": "The",

- },

- // The rest of result is omitted for brevity

- "status": "succeeded",

- "createdDateTime": "2020-05-28T05:13:21Z",

- "lastUpdatedDateTime": "2020-05-28T05:13:22Z",

- "analyzeResult": {

- "version": "3.0.0",

- "readResults": [

- "page": 1,

- "language": "en",

- "angle": 0.8551,

- "width": 2661,

- "height": 1901,

- "unit": "pixel",

- "lines": [

- {

- "boundingBox": [

- 67,

- 646,

- 2582,

- 713,

- 2580,

- 876,

- 67,

- 821

- ],

- "text": "The quick brown fox jumps",

- "words": [

- {

- "boundingBox": [

- 143,

- 650,

- 435,

- 661,

- 436,

- 823,

- 144,

- 824

- ],

- "text": "The",

- "confidence": 0.958

- },

- // The rest of result is omitted for brevity

-

- }

-## Service only

- "status": "Succeeded",

- "recognitionResult": [

- {

- "lines": [

- {

- "boundingBox": [

- 67,

- 646,

- 2582,

- 713,

- 2580,

- 876,

- 67,

- 821

- ],

- "text": "The quick brown fox jumps",

- "words": [

- {

- "boundingBox": [

- 143,

- 650,

- 435,

- 661,

- 436,

- 823,

- 144,

- 824

- ],

- "text": "The",

- },

- // The rest of result is omitted for brevity

-

- }

- "status": "succeeded",

- "createdDateTime": "2020-05-28T05:13:21Z",

- "lastUpdatedDateTime": "2020-05-28T05:13:22Z",

- "analyzeResult": {

- "version": "3.0.0",

- "readResults": [

- "page": 1,

- "angle": 0.8551,

- "width": 2661,

- "height": 1901,

- "unit": "pixel",

- "lines": [

- {

- "boundingBox": [

- 67,

- 646,

- 2582,

- 713,

- 2580,

- 876,

- 67,

- 821

- ],

- "text": "The quick brown fox jumps",

- "words": [

- {

- "boundingBox": [

- 143,

- 650,

- 435,

- 661,

- 436,

- 823,

- 144,

- 824

- ],

- "text": "The",

- "confidence": 0.958

- },

- // The rest of result is omitted for brevity

-

- }

-Custom Vision collects user data to operate the service, but customers have full control over viewing and deleting their data using the Custom Vision [Training APIs](https://go.microsoft.com/fwlink/?linkid=865446).

-To learn how to view and delete user data in Custom Vision, see the following table.

-| Account info (Keys) | [GetAccountInfo](https://go.microsoft.com/fwlink/?linkid=865446) | Delete using Azure portal (Azure Subscriptions). Or using "Delete Your Account" button in CustomVision.ai settings page (Microsoft Account Subscriptions) |

-You can integrate your Custom Vision project with an Azure blob storage queue to get push notifications of project training/export activity and backup copies of published models. This feature is useful to avoid continually polling the service for results when long operations are running. Instead, you can integrate the storage queue notifications into your workflow.

-This guide shows you how to use these REST APIs with cURL. You can also use an HTTP request service like Postman to issue the requests.

-Go to your Custom Vision training resource on the Azure portal, select the **Identity** page, and enable system assigned managed identity.

-* If you plan to use the model backup feature, select the **Storage Blob Data Contributor** role, and add your Custom Vision training resource as a member. Select **Review + assign** to complete.

-* If you plan to use the notification queue feature, then select the **Storage Queue Data Contributor** role, and add your Custom Vision training resource as a member. Select **Review + assign** to complete.

-## Integrate Custom Vision project

-### Create new project

-### Update existing project

-description: Learn how to launch the Immersive reader using JavaScript, Python, Android, or iOS. Immersive Reader uses proven techniques to improve reading comprehension for language learners, emerging readers, and students with learning differences.

-In the [overview](./overview.md), you learned about what the Immersive Reader is and how it implements proven techniques to improve reading comprehension for language learners, emerging readers, and students with learning differences. This article demonstrates how to launch the Immersive Reader JavaScript, Python, Android, or iOS.

-|**Text within images**| Digital images with imbedded text aren't supported.|

-> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S1) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

-> To use Vision enhancement, you need an Azure AI Vision resource. It must be in the paid (S1) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

-| Region | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | GPT-35-Turbo | GPT-35-Turbo-1106 | GPT-35-Turbo-16K | GPT-35-Turbo-Instruct | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune |

-|:--|:-|:-|:-|:|:--|:-|:|:--|:|:--|:-|:--|:-|:--|:-|:--|:-|

-| australiaeast | 350 K | - | - | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | 30 K | - | - | - | - | - | - |

-| brazilsouth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |

-| canadaeast | 350 K | 350 K | 350 K | 300 K | 120 K | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - |

-| eastus | 240 K | 350 K | 350 K | 240 K | - | 240 K | 240 K | - | - | 80 K | - | - | - | - | - | - | - |

-| eastus2 | 350 K | 350 K | 350 K | 300 K | - | 300 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - |

-| francecentral | 240 K | - | - | 240 K | 120 K | 240 K | - | 20 K | 60 K | 80 K | - | - | - | - | - | - | - |

-| japaneast | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - |

-| northcentralus | 350 K | - | - | 300 K | - | 300 K | - | - | - | 80 K | - | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K |

-| norwayeast | 350 K | - | - | - | - | - | - | - | - | 150 K | - | - | - | - | - | - | - |

-| southafricanorth | 350 K | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |

-| southcentralus | 240 K | - | - | 240 K | - | - | - | - | - | 80 K | - | - | - | - | - | - | - |

-| southindia | 350 K | - | - | - | 120 K | - | - | - | - | 150 K | - | - | - | - | - | - | - |

-| swedencentral | 350 K | - | - | 300 K | 120 K | 300 K | 240 K | 40 K | 80 K | 150 K | 30 K | 240 K | 250 K | 240 K | 250 K | 250 K | 250 K |

-| switzerlandnorth | 350 K | - | - | 300 K | - | 300 K | - | 40 K | 80 K | - | 30 K | - | - | - | - | - | - |

-| uksouth | 350 K | - | - | 240 K | 120 K | 240 K | - | 40 K | 80 K | 80 K | - | - | - | - | - | - | - |

-| westeurope | 240 K | - | - | 240 K | - | - | - | - | - | - | - | - | - | - | - | - | - |

-| westus | 350 K | - | - | - | 120 K | - | - | - | - | 80 K | 30 K | - | - | - | - | - | - |

-* [Live chat with Azure Open AI in behind (SDK)](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/samples/js/browser/avatar#chat-sample)

-When you use the text to speech avatar feature, you'll be billed by the minutes of video output, and the text to speech, speech to text, Azure Open AI, or other Azure services are charged separately.

->[!WARNING]

-> File should only be named as **`prometheus-config`**. Do not add any extensions like .yaml or .txt.

-1. Use the following example to create a file named **`prometheus-config`**. Copy the code in the example into the file created.

- ```yaml

- global:

- scrape_interval: 30s

- scrape_configs:

- - job_name: "cilium-pods"

- kubernetes_sd_configs:

- - role: pod

- relabel_configs:

- - source_labels: [__meta_kubernetes_pod_container_name]

- action: keep

- regex: cilium-agent

- - source_labels:

- [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]

- separator: ":"

- regex: ([^:]+)(?::\d+)?

- target_label: __address__

- replacement: ${1}:${2}

- action: replace

- - source_labels: [__meta_kubernetes_pod_node_name]

- action: replace

- target_label: instance

- - source_labels: [__meta_kubernetes_pod_label_k8s_app]

- action: replace

- target_label: k8s_app

- - source_labels: [__meta_kubernetes_pod_name]

- action: replace

- regex: (.*)

- target_label: pod

- metric_relabel_configs:

- - source_labels: [__name__]

- action: keep

- regex: (.*)

- ```

-1. To create the `configmap`, use the following example:

- ```azurecli-interactive

- kubectl create configmap ama-metrics-prometheus-config \

- --from-file=./prometheus-config \

- --namespace kube-system

- ```

- kubectl rollout restart deploy -n kube-system ama-metrics

-[azurelinux-doc]: https://microsoft.github.io/CBL-Mariner/docs/#cbl-mariner-linux

-description: Describes how to setup up logging to monitoring your Azure Analysis Services server.

-# Setup diagnostic logging

-An important part of any Analysis Services solution is monitoring how your servers are performing. Azure Analysis services is integrated with Azure Monitor. With [Azure Monitor resource logs](../azure-monitor/essentials/platform-logs-overview.md), you can monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](../azure-monitor/overview.md).

-You can select **Engine**, **Service**, and **Metrics** categories.

-### Engine

-Selecting **Engine** logs all [xEvents](/analysis-services/instances/monitor-analysis-services-with-sql-server-extended-events). You cannot select individual events.

-|XEvent categories |Event name |

-|||

-|Security Audit | Audit Login |

-|Security Audit | Audit Logout |

-|Security Audit | Audit Server Starts And Stops |

-|Progress Reports | Progress Report Begin |

-|Progress Reports | Progress Report End |

-|Progress Reports | Progress Report Current |

-|Queries | Query Begin |

-|Queries | Query End |

-|Commands | Command Begin |

-|Commands | Command End |

-|Errors & Warnings | Error |

-|Discover | Discover End |

-|Notification | Notification |

-|Session | Session Initialize |

-|Locks | Deadlock |

-|Query Processing | VertiPaq SE Query Begin |

-|Query Processing | VertiPaq SE Query End |

-|Query Processing | VertiPaq SE Query Cache Match |

-|Query Processing | Direct Query Begin |

-|Query Processing | Direct Query End |

-### Service

-|Operation name |Occurs when |

-|||

-|ResumeServer | Resume a server |

-|SuspendServer | Pause a server |

-|DeleteServer | Delete a server |

-|RestartServer | User restarts a server through SSMS or PowerShell |

-|GetServerLogFiles | User exports server log through PowerShell |

-|ExportModel | User exports a model in the portal by using Open in Visual Studio |

-### All metrics

-The Metrics category logs the same [Server metrics](analysis-services-monitor.md#server-metrics) to the AzureMetrics table. If you're using query [scale-out](analysis-services-scale-out.md) and need to separate metrics for each read replica, use the AzureDiagnostics table instead, where **OperationName** is equal to **LogMetric**.

-## Setup diagnostics logging

- * **Archive to a storage account**. To use this option, you need an existing storage account to connect to. See [Create a storage account](../storage/common/storage-account-create.md). Follow the instructions to create a Resource Manager, general-purpose account, then select your storage account by returning to this page in the portal. It may take a few minutes for newly created storage accounts to appear in the drop-down menu.

- * **Stream to an event hub**. To use this option, you need an existing Event Hub namespace and event hub to connect to. To learn more, see [Create an Event Hubs namespace and an event hub using the Azure portal](../event-hubs/event-hubs-create.md). Then return to this page in the portal to select the Event Hub namespace and policy name.

- * **Send to Azure Monitor (Log Analytics workspace)**. To use this option, either use an existing workspace or [create a new workspace](../azure-monitor/logs/quick-create-workspace.md) resource in the portal. For more information on viewing your logs, see [View logs in Log Analytics workspace](#view-logs-in-log-analytics-workspace) in this article.

-Metrics and server events are integrated with xEvents in your Log Analytics workspace resource for side-by-side analysis. Log Analytics workspace can also be configured to receive events from other Azure services providing a holistic view of diagnostic logging data across your architecture.

-### Example queries

-#### Example 1

-The following query returns durations for each query end/refresh end event for a model database and server. If scaled out, the results are broken out by replica because the replica number is included in ServerName_s. Grouping by RootActivityId_g reduces the row count retrieved from the Azure Diagnostics REST API and helps stay within the limits as described in Log Analytics Rate limits.

-```Kusto

-let window = AzureDiagnostics

- | where ResourceProvider == "MICROSOFT.ANALYSISSERVICES" and Resource =~ "MyServerName" and DatabaseName_s =~ "MyDatabaseName" ;

-window

-| where OperationName has "QueryEnd" or (OperationName has "CommandEnd" and EventSubclass_s == 38)

-| where extract(@"([^,]*)", 1,Duration_s, typeof(long)) > 0

-| extend DurationMs=extract(@"([^,]*)", 1,Duration_s, typeof(long))

-| project StartTime_t,EndTime_t,ServerName_s,OperationName,RootActivityId_g,TextData_s,DatabaseName_s,ApplicationName_s,Duration_s,EffectiveUsername_s,User_s,EventSubclass_s,DurationMs

-| order by StartTime_t asc

-```

-#### Example 2

-The following query returns memory and QPU consumption for a server. If scaled out, the results are broken out by replica because the replica number is included in ServerName_s.

-```Kusto

-let window = AzureDiagnostics

- | where ResourceProvider == "MICROSOFT.ANALYSISSERVICES" and Resource =~ "MyServerName";

-window

-| where OperationName == "LogMetric"

-| where name_s == "memory_metric" or name_s == "qpu_metric"

-| project ServerName_s, TimeGenerated, name_s, value_s

-| summarize avg(todecimal(value_s)) by ServerName_s, name_s, bin(TimeGenerated, 1m)

-| order by TimeGenerated asc

-```

-#### Example 3

-The following query returns the Rows read/sec Analysis Services engine performance counters for a server.

-```Kusto

-let window = AzureDiagnostics

- | where ResourceProvider == "MICROSOFT.ANALYSISSERVICES" and Resource =~ "MyServerName";

-window

-| where OperationName == "LogMetric"

-| where parse_json(tostring(parse_json(perfobject_s).counters))[0].name == "Rows read/sec"

-| extend Value = tostring(parse_json(tostring(parse_json(perfobject_s).counters))[0].value)

-| project ServerName_s, TimeGenerated, Value

-| summarize avg(todecimal(Value)) by ServerName_s, bin(TimeGenerated, 1m)

-| order by TimeGenerated asc

-```

-There are hundreds of queries you can use. To learn more about queries, see [Get started with Azure Monitor log queries](../azure-monitor/logs/get-started-queries.md).

-### </a>Connect to your subscriptions

-Learn more about [Azure Monitor resource logging](../azure-monitor/essentials/platform-logs-overview.md).

-See [Set-AzDiagnosticSetting](/powershell/module/az.monitor/set-azdiagnosticsetting) in PowerShell help.

-description: Learn how Analysis Services use Azure Metrics Explorer, a free tool in the portal, to help you monitor the performance and health of your servers.

-# Monitor server metrics

-Analysis Services provides metrics in Azure Metrics Explorer, a free tool in the portal, to help you monitor the performance and health of your servers. For example, monitor memory and CPU usage, number of client connections, and query resource consumption. Analysis Services uses the same monitoring framework as most other Azure services. To learn more, see [Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md).

-To perform more in-depth diagnostics, track performance, and identify trends across multiple service resources in a resource group or subscription, use [Azure Monitor](../azure-monitor/overview.md). Azure Monitor (service) may result in a billable service.

-## To monitor metrics for an Analysis Services server

-1. In Azure portal, select **Metrics**.

- 

-2. In **Metric**, select the metrics to include in your chart.

- 

-<a id="#server-metrics"></a>

-## Server metrics

-Use this table to determine which metrics are best for your monitoring scenario. Only metrics of the same unit can be shown on the same chart.

-|Metric|Metric Display Name|Unit|Aggregation Type|Description|

-||||||

-|CommandPoolJobQueueLength|Command Pool Job Queue Length|Count|Average|Number of jobs in the queue of the command thread pool.|

-|CurrentConnections|Connection: Current connections|Count|Average|Current number of client connections established.|

-|CurrentUserSessions|Current User Sessions|Count|Average|Current number of user sessions established.|

-|mashup_engine_memory_metric|M Engine Memory|Bytes|Average|Memory usage by mashup engine processes|

-|mashup_engine_qpu_metric|M Engine QPU|Count|Average|QPU usage by mashup engine processes|

-|memory_metric|Memory|Bytes|Average|Memory. Range 0-25 GB for S1, 0-50 GB for S2 and 0-100 GB for S4|

-|memory_thrashing_metric|Memory Thrashing|Percent|Average|Average memory thrashing.|

-|CleanerCurrentPrice|Memory: Cleaner Current Price|Count|Average|Current price of memory, $/byte/time, normalized to 1000.|

-|CleanerMemoryNonshrinkable|Memory: Cleaner Memory nonshrinkable|Bytes|Average|Amount of memory, in bytes, not subject to purging by the background cleaner.|

-|CleanerMemoryShrinkable|Memory: Cleaner Memory shrinkable|Bytes|Average|Amount of memory, in bytes, subject to purging by the background cleaner.|

-|MemoryLimitHard|Memory: Memory Limit Hard|Bytes|Average|Hard memory limit, from configuration file.|

-|MemoryLimitHigh|Memory: Memory Limit High|Bytes|Average|High memory limit, from configuration file.|

-|MemoryLimitLow|Memory: Memory Limit Low|Bytes|Average|Low memory limit, from configuration file.|

-|MemoryLimitVertiPaq|Memory: Memory Limit VertiPaq|Bytes|Average|In-memory limit, from configuration file.|

-|MemoryUsage|Memory: Memory Usage|Bytes|Average|Memory usage of the server process as used in calculating cleaner memory price. Equal to counter Process\PrivateBytes plus the size of memory-mapped data, ignoring any memory, which was mapped or allocated by the in-memory analytics engine (VertiPaq) in excess of the engine Memory Limit.|

-|private_bytes_metric|Private Bytes |Bytes|Average|The total amount of memory the Analysis Services engine process and Mashup container processes have allocated, not including memory shared with other processes.|

-|virtual_bytes_metric|Virtual Bytes |Bytes|Average|The current size of the virtual address space that Analysis Services engine process and Mashup container processes are using.|

-|mashup_engine_private_bytes_metric|M Engine Private Bytes |Bytes|Average|The total amount of memory Mashup container processes have allocated, not including memory shared with other processes.|

-|mashup_engine_virtual_bytes_metric|M Engine Virtual Bytes |Bytes|Average|The current size of the virtual address space Mashup container processes are using.|

-|Quota|Memory: Quota|Bytes|Average|Current memory quota, in bytes. Memory quota is also known as a memory grant or memory reservation.|

-|QuotaBlocked|Memory: Quota Blocked|Count|Average|Current number of quota requests that are blocked until other memory quotas are freed.|

-|VertiPaqNonpaged|Memory: VertiPaq Nonpaged|Bytes|Average|Bytes of memory locked in the working set for use by the in-memory engine.|

-|VertiPaqPaged|Memory: VertiPaq Paged|Bytes|Average|Bytes of paged memory in use for in-memory data.|

-|ProcessingPoolJobQueueLength|Processing Pool Job Queue Length|Count|Average|Number of non-I/O jobs in the queue of the processing thread pool.|

-|RowsConvertedPerSec|Processing: Rows converted per sec|CountPerSecond|Average|Rate of rows converted during processing.|

-|RowsReadPerSec|Processing: Rows read per sec|CountPerSecond|Average|Rate of rows read from all relational databases.|

-|RowsWrittenPerSec|Processing: Rows written per sec|CountPerSecond|Average|Rate of rows written during processing.|

-|qpu_metric|QPU|Count|Average|QPU. Range 0-100 for S1, 0-200 for S2 and 0-400 for S4|

-|QueryPoolBusyThreads|Query Pool Busy Threads|Count|Average|Number of busy threads in the query thread pool.|

-|SuccessfulConnectionsPerSec|Successful Connections Per Sec|CountPerSecond|Average|Rate of successful connection completions.|

-|CommandPoolBusyThreads|Threads: Command pool busy threads|Count|Average|Number of busy threads in the command thread pool.|

-|CommandPoolIdleThreads|Threads: Command pool idle threads|Count|Average|Number of idle threads in the command thread pool.|

-|LongParsingBusyThreads|Threads: Long parsing busy threads|Count|Average|Number of busy threads in the long parsing thread pool.|

-|LongParsingIdleThreads|Threads: Long parsing idle threads|Count|Average|Number of idle threads in the long parsing thread pool.|

-|LongParsingJobQueueLength|Threads: Long parsing job queue length|Count|Average|Number of jobs in the queue of the long parsing thread pool.|

-|ProcessingPoolIOJobQueueLength|Threads: Processing pool I/O job queue length|Count|Average|Number of I/O jobs in the queue of the processing thread pool.|

-|ProcessingPoolBusyIOJobThreads|Threads: Processing pool busy I/O job threads|Count|Average|Number of threads running I/O jobs in the processing thread pool.|

-|ProcessingPoolBusyNonIOThreads|Threads: Processing pool busy non-I/O threads|Count|Average|Number of threads running non-I/O jobs in the processing thread pool.|

-|ProcessingPoolIdleIOJobThreads|Threads: Processing pool idle I/O job threads|Count|Average|Number of idle threads for I/O jobs in the processing thread pool.|

-|ProcessingPoolIdleNonIOThreads|Threads: Processing pool idle non-I/O threads|Count|Average|Number of idle threads in the processing thread pool dedicated to non-I/O jobs.|

-|QueryPoolIdleThreads|Threads: Query pool idle threads|Count|Average|Number of idle threads for I/O jobs in the processing thread pool.|

-|QueryPoolJobQueueLength|Threads: Query pool job queue length|Count|Average|Number of jobs in the queue of the query thread pool.|

-|ShortParsingBusyThreads|Threads: Short parsing busy threads|Count|Average|Number of busy threads in the short parsing thread pool.|

-|ShortParsingIdleThreads|Threads: Short parsing idle threads|Count|Average|Number of idle threads in the short parsing thread pool.|

-|ShortParsingJobQueueLength|Threads: Short parsing job queue length|Count|Average|Number of jobs in the queue of the short parsing thread pool.|

-|TotalConnectionFailures|Total Connection Failures|Count|Average|Total failed connection attempts.|

-|TotalConnectionRequests|Total Connection Requests|Count|Average|Total connection requests. |

-## Next steps

-[Azure Monitor overview](../azure-monitor/overview.md)

-[Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md)

-[Metrics in Azure Monitor REST API](/rest/api/monitor/metrics)

-With scale-out, client queries are distributed among multiple *query replicas* in a query pool. Query replicas have synchronized copies of your tabular models. By spreading the query workload, response times during high query workloads can be reduced. Model processing operations can be separated from the query pool, ensuring client queries are not adversely affected by processing operations.

-Azure Analysis Services uses Azure Blob storage to persist storage and metadata for Analysis Services databases. Data files within Blob are encrypted using [Azure Blob Server Side Encryption (SSE)](../storage/common/storage-service-encryption.md). When using Direct Query mode, only metadata is stored. The actual data is accessed through encrypted protocol from the data source at query time.

-Tabular models at all compatibility levels support row-level security. Row-level security is configured in the model by using DAX expressions that define the rows in a table, and any rows in the many direction of a related table that a user can query. Row filters using DAX expressions are defined for the Read and Read and Process permissions.

-Analysis Services has a vibrant community of developers who create tools. [DAX Studio](https://daxstudio.org/), is a great open-source tool for DAX authoring, diagnosis, performance tuning, and analysis.

-Azure Analysis Services is integrated with Azure Monitor metrics, providing an extensive number of resource-specific metrics to help you monitor the performance and health of your servers. To learn more, see [Monitor server metrics](analysis-services-monitor.md). Record metrics with [resource platform logs](../azure-monitor/essentials/platform-logs-overview.md). Monitor and send logs to [Azure Storage](https://azure.microsoft.com/services/storage/), stream them to [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/), and export them to [Azure Monitor logs](https://azure.microsoft.com/services/log-analytics/), a service of [Azure](https://www.microsoft.com/cloud-platform/operations-management-suite). To learn more, see [Setup diagnostic logging](analysis-services-logging.md).

-With scale-out, client queries can be distributed among multiple *query replicas* in a *query pool*, reducing response times during high query workloads. You can also separate processing from the query pool, ensuring client queries are not adversely affected by processing operations. Scale-out can be configured in Azure portal or by using the Analysis Services REST API.

-Scale-out is available for servers in the Standard pricing tier. Each query replica is billed at the same rate as your server. All query replicas are created in the same region as your server. The number of query replicas you can configure are limited by the region your server is in. To learn more, see [Availability by region](analysis-services-overview.md#availability-by-region). Scale-out does not increase the amount of available memory for your server. To increase memory, you need to upgrade your plan.

-With scale-out, you can create a query pool with up to seven additional query replica resources (eight total, including your *primary* server). You can scale the number of replicas in the query pool to meet QPU demands at critical times, and you can separate a processing server from the query pool at any time.

-Regardless of the number of query replicas you have in a query pool, processing workloads are not distributed among query replicas. The primary server serves as the processing server. Query replicas serve only queries against the model databases synchronized between the primary server and each replica in the query pool.

-When scaling out, it can take up to five minutes for new query replicas to be incrementally added to the query pool. When all new query replicas are up and running, new client connections are load balanced across resources in the query pool. Existing client connections are not changed from the resource they are currently connected to. When scaling in, any existing client connections to a query pool resource that is being removed from the query pool are terminated. Clients can reconnect to a remaining query pool resource.

-When configuring scale-out the first time, model databases on your primary server are *automatically* synchronized with new replicas in a new query pool. Automatic synchronization occurs only once. During automatic synchronization, the primary server's data files (encrypted at rest in blob storage) are copied to a second location, also encrypted at rest in blob storage. Replicas in the query pool are then *hydrated* with data from the second set of files.

-While an automatic synchronization is performed only when you scale-out a server for the first time, you can also perform a manual synchronization. Synchronizing assures data on replicas in the query pool match that of the primary server. When processing (refresh) models on the primary server, a synchronization must be performed *after* processing operations are completed. This synchronization copies updated data from the primary server's files in blob storage to the second set of files. Replicas in the query pool are then hydrated with updated data from the second set of files in blob storage.

-When performing a subsequent scale-out operation, for example, increasing the number of replicas in the query pool from two to five, the new replicas are hydrated with data from the second set of files in blob storage. There is no synchronization. If you then perform a synchronization after scaling out, the new replicas in the query pool would be hydrated twice - a redundant hydration. When performing a subsequent scale-out operation, it's important to keep in mind:

-* Perform a synchronization *before the scale-out operation* to avoid redundant hydration of the added replicas. Concurrent synchronization and scale-out operations running at the same time are not allowed.

-* Synchronization is allowed even when there are no replicas in the query pool. If you are scaling out from zero to one or more replicas with new data from a processing operation on the primary server, perform the synchronization first with no replicas in the query pool, and then scale-out. Synchronizing before scaling out avoids redundant hydration of the newly added replicas.

-* When deleting a model database from the primary server, it does not automatically get deleted from replicas in the query pool. You must perform a synchronization operation by using the [Sync-AzAnalysisServicesInstance](/powershell/module/az.analysisservices/sync-AzAnalysisServicesinstance) PowerShell command that removes the file/s for that database from the replica's shared blob storage location and then deletes the model database on the replicas in the query pool. To determine if a model database exists on replicas in the query pool but not on the primary server, ensure the **Separate the processing server from querying pool** setting is to **Yes**. Then use SSMS to connect to the primary server using the `:rw` qualifier to see if the database exists. Then connect to replicas in the query pool by connecting without the `:rw` qualifier to see if the same database also exists. If the database exists on replicas in the query pool but not on the primary server, run a sync operation.

-* When renaming a database on the primary server, there's an additional step necessary to ensure the database is properly synchronized to any replicas. After renaming, perform a synchronization by using the [Sync-AzAnalysisServicesInstance](/powershell/module/az.analysisservices/sync-AzAnalysisServicesinstance) command specifying the `-Database` parameter with the old database name. This synchronization removes the database and files with the old name from any replicas. Then perform another synchronization specifying the `-Database` parameter with the new database name. The second synchronization copies the newly named database to the second set of files and hydrates any replicas. These synchronizations cannot be performed by using the Synchronize model command in the portal.

-When setting **ReplicaSyncMode=2**, depending on how much of the cache needs to be updated, additional memory may be consumed by the query replicas. To keep the database online and available for queries, depending on how much of the data has changed, the operation can require up to *double the memory* on the replica because both the old and new segments are kept in memory simultaneously. Replica nodes have the same memory allocation as the primary node, and there is normally extra memory on the primary node for refresh operations, so it may be unlikely that the replicas would run out of memory. Additionally, the common scenario is that the database is incrementally updated on the primary node, and therefore the requirement for double the memory should be uncommon. If the Sync operation does encounter an out of memory error, it will retry using the default technique (attach/detach two at a time).

-For maximum performance for both processing and query operations, you can choose to separate your processing server from the query pool. When separated, new client connections are assigned to query replicas in the query pool only. If processing operations only take up a short amount of time, you can choose to separate your processing server from the query pool only for the amount of time it takes to perform processing and synchronization operations, and then include it back into the query pool. When separating the processing server from the query pool, or adding it back into the query pool can take up to five minutes for the operation to complete.

-To determine if scale-out for your server is necessary, [monitor your server](analysis-services-monitor.md) in Azure portal by using Metrics. If your QPU regularly maxes out, it means the number of queries against your models is exceeding the QPU limit for your plan. The Query pool job queue length metric also increases when the number of queries in the query thread pool queue exceeds available QPU.

-Another good metric to watch is average QPU by ServerResourceType. This metric compares average QPU for the primary server with the query pool.

-Use Azure Monitor Logs for more detailed diagnostics of scaled out server resources. With logs, you can use Log Analytics queries to break out QPU and memory by server and replica. To learn more, see example queries in [Analysis Services diagnostics logging](analysis-services-logging.md#example-queries).

-When configuring scale-out for a server the first time, models on your primary server are automatically synchronized with replicas in the query pool. Automatic synchronization only occurs once, when you first configure scale-out to one or more replicas. Subsequent changes to the number of replicas on the same server *will not trigger another automatic synchronization*. Automatic synchronization will not occur again even if you set the server to zero replicas and then again scale-out to any number of replicas.

-You can change the pricing tier on a server with multiple replicas. The same pricing tier applies to all replicas. A scale operation will first bring down all replicas all at once then bring up all replicas on the new pricing tier.

-**Issue:** Users get error **Cannot find server '\<Name of the server>' instance in connection mode 'ReadOnly'.**

-**Solution:** When selecting the **Separate the processing server from the querying pool** option, client connections using the default connection string (without `:rw`) are redirected to query pool replicas. If replicas in the query pool are not yet online because synchronization has not yet been completed, redirected client connections can fail. To prevent failed connections, there must be at least two servers in the query pool when performing a synchronization. Each server is synchronized individually while others remain online. If you choose to not have the processing server in the query pool during processing, you can choose to remove it from the pool for processing, and then add it back into the pool after processing is complete, but prior to synchronization. Use Memory and QPU metrics to monitor synchronization status.

-[Monitor server metrics](analysis-services-monitor.md)

- - If you can't support downtime, see the [side by side migration feature](side-by-side-migrate.md) or the[migration-alternatives](migration-alternatives.md#migrate-manually).

-The access log is generated only if you've enabled it on each Application Gateway instance, as detailed in the preceding steps. The data is stored in the storage account that you specified when you enabled the logging. Each access of Application Gateway is logged in JSON format as shown below.

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

- - a namespace called `test-infra`

- - one service called `mtls-app` in the `test-infra` namespace

- - one deployment called `mtls-app` in the `test-infra` namespace

- - one config map called `mtls-app-nginx-cm` in the `test-infra` namespace

- - four secrets called `backend.com`, `frontend.com`, `gateway-client-cert`, and `ca.bundle` in the `test-infra` namespace

-Create a gateway:

-apiVersion: gateway.networking.k8s.io/v1beta1

-```bash

-RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

-RESOURCE_NAME='alb-test'

-RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

-FRONTEND_NAME='frontend'

-az network alb frontend create -g $RESOURCE_GROUP -n $FRONTEND_NAME --alb-name $AGFC_NAME

-```

-```bash

-kubectl apply -f - <<EOF

-apiVersion: gateway.networking.k8s.io/v1beta1

-kind: Gateway

-metadata:

- name: gateway-01

- namespace: test-infra

- annotations:

- alb.networking.azure.io/alb-id: $RESOURCE_ID

-spec:

- gatewayClassName: azure-alb-external

- listeners:

- - name: https-listener

- port: 443

- protocol: HTTPS

- allowedRoutes:

- namespaces:

- from: Same

- tls:

- mode: Terminate

- certificateRefs:

- - kind : Secret

- group: ""

- name: frontend.com

- addresses:

- - type: alb.networking.azure.io/alb-frontend

- value: $FRONTEND_NAME

-EOF

-```

-Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.

-Example output of successful gateway creation.

-Once the gateway has been created, create an HTTPRoute resource.

-apiVersion: gateway.networking.k8s.io/v1beta1

-Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.

-Verify the status of the Application Gateway for Containers resource has been successfully updated.

-Once the BackendTLSPolicy object has been created check the status on the object to ensure that the policy is valid.

-Example output of valid BackendTLSPolicy object creation.

-Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN.

-Header rewrites take advantage of [filters](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPURLRewriteFilter) as defined by Kubernetes Gateway API.

-apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-# Multiple site hosting with Application Gateway for Containers - Gateway API

-1. If you follow the BYO deployment strategy, ensure you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If you follow the ALB managed deployment strategy, ensure provisioning of your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing.

- ```bash

- kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

- ```

-

- This command creates the following on your cluster:

- - a namespace called `test-infra`

- - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

- - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

-apiVersion: gateway.networking.k8s.io/v1beta1

-```bash

-RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

-RESOURCE_NAME='alb-test'

-RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

-FRONTEND_NAME='frontend'

-```

-```bash

-kubectl apply -f - <<EOF

-apiVersion: gateway.networking.k8s.io/v1beta1

-kind: Gateway

-metadata:

- name: gateway-01

- namespace: test-infra

- annotations:

- alb.networking.azure.io/alb-id: $RESOURCE_ID

-spec:

- gatewayClassName: azure-alb-external

- listeners:

- - name: http-listener

- port: 80

- protocol: HTTP

- allowedRoutes:

- namespaces:

- from: Same

- addresses:

- - type: alb.networking.azure.io/alb-frontend

- value: $FRONTEND_NAME

-EOF

-```

-apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-1. If you follow the BYO deployment strategy, ensure that you set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If you follow the ALB managed deployment strategy, ensure provisioning of your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

- Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing.

- ```bash

- kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

- ```

- This command creates the following on your cluster:

- - a namespace called `test-infra`

- - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

- - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

- apiVersion: gateway.networking.k8s.io/v1beta1

-```bash

-RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

-RESOURCE_NAME='alb-test'

-RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

-FRONTEND_NAME='frontend'

-```

-```bash

-kubectl apply -f - <<EOF

-apiVersion: gateway.networking.k8s.io/v1beta1

-kind: Gateway

-metadata:

- name: gateway-01

- namespace: test-infra

- annotations:

- alb.networking.azure.io/alb-id: $RESOURCE_ID

-spec:

- gatewayClassName: azure-alb-external

- listeners:

- - name: https-listener

- port: 443

- protocol: HTTPS

- allowedRoutes:

- namespaces:

- from: Same

- tls:

- mode: Terminate

- certificateRefs:

- - kind : Secret

- group: ""

- name: listener-tls-secret

- addresses:

- - type: alb.networking.azure.io/alb-frontend

- value: $FRONTEND_NAME

-EOF

-```

-apiVersion: gateway.networking.k8s.io/v1beta1

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-3. Deploy sample HTTP application

- ```bash

- kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

- ```

- This command creates the following on your cluster:

- - a namespace called `test-infra`

- - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

- - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

-apiVersion: gateway.networking.k8s.io/v1beta1

-```bash

-RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

-RESOURCE_NAME='alb-test'

-RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

-FRONTEND_NAME='frontend'

-```

-```bash

-kubectl apply -f - <<EOF

-apiVersion: gateway.networking.k8s.io/v1beta1

-kind: Gateway

-metadata:

- name: gateway-01

- namespace: test-infra

- annotations:

- alb.networking.azure.io/alb-id: $RESOURCE_ID

-spec:

- gatewayClassName: azure-alb-external

- listeners:

- - name: http

- port: 80

- protocol: HTTP

- allowedRoutes:

- namespaces:

- from: Same

- addresses:

- - type: alb.networking.azure.io/alb-frontend

- value: $FRONTEND_NAME

-EOF

-```

-Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.

-Once the gateway has been created, create an HTTPRoute

-apiVersion: gateway.networking.k8s.io/v1beta1

-Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.

-Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the command below to get the FQDN.

-URL redirects take advantage of the [RequestRedirect rule filter](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.HTTPRequestRedirectFilter) as defined by Kubernetes Gateway API.

- - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well.

- - `Full` redirection type matches an exact value. For example, /shop could redirect to /store, but /shop/checkout wouldn't redirect to /store.

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

- apiVersion: gateway.networking.k8s.io/v1beta1

- apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

- - `Prefix` redirection type will redirect all requests starting with a defined value. For example, a prefix of /shop would match /shop and any text after. For example, /shop, /shop/checkout, and /shop/item-a would all redirect to /shop as well.

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

-URL Rewrites take advantage of [filters](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPURLRewriteFilter) as defined by Kubernetes Gateway API.

-[  ](./media/how-to-url-rewrite-gateway-api/url-rewrite.png#lightbox)

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

- - a namespace called `test-infra`

- - one service called `echo` in the `test-infra` namespace

- - one deployment called `echo` in the `test-infra` namespace

- - one secret called `listener-tls-secret` in the `test-infra` namespace

- apiVersion: gateway.networking.k8s.io/v1beta1

- apiVersion: gateway.networking.k8s.io/v1beta1

-apiVersion: gateway.networking.k8s.io/v1beta1

-1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

-2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

-3. Deploy sample HTTP application

- - a namespace called `test-infra`

- - two services called `backend-v1` and `backend-v2` in the `test-infra` namespace

- - two deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

-## Application Gateway layer 4 proxy monitoring

-### Layer 4 metrics

-| Current Connections | The number of active connections: reading, writing, or waiting. The count of current connections established with Application Gateway. | Common | None |

-| New Connections per second | The average number of connections handled per second in last 1 minute. | Common | None |

-| Throughput | The rate of data flow (inBytes+ outBytes) in the last 1 minute. | Common | None |

-| Healthy host count | The number of healthy backend hosts. | Common | BackendSettingsPool |

-| Unhealthy host | The number of unhealthy backend hosts. | Common | BackendSettingsPool |

-| ClientRTT | Average round trip time between clients and Application Gateway. | Common | Listener |

-| Backend Connect Time | Time spent establishing a connection with a backend server. | Common | Listener, BackendServer, BackendPool, BackendSetting |

-| Backend First Byte Response Time | Time interval between start of establishing a connection to backend server and receiving the first byte of data (approximating processing time of backend server). | Common | Listener, BackendServer, BackendPool, BackendHttpSetting`*` |

-| Backend Session Duration | The total time of a backend connection. The average time duration from the start of a new connection to its termination. | L4 only | Listener, BackendServer, BackendPool, BackendHttpSetting`*` |

-| Connection Lifetime | The total time of a client connection to application gateway. The average time duration from the start of a new connection to its termination in milliseconds. | L4 only | Listener |

-### Layer 4 logs

-### Layer 4 backend health

-### REST API

-See [Application Gateways - Backend Health](/rest/api/application-gateway/application-gateways/backend-health?tabs=HTTP) for details of the API call to retrieve the backend health of an application gateway.

-Sample Request:

-``output

-POST

-https://management.azure.com/subscriptions/subid/resourceGroups/rg/providers/Microsoft.Network/

-applicationGateways/appgw/backendhealth?api-version=2021-08-01

-After

-``

-After sending this POST request, you should see an HTTP 202 Accepted response. In the response headers, find the Location header and send a new GET request using that URL.

-``output

-GET

-https://management.azure.com/subscriptions/subid/providers/Microsoft.Network/locations/region-name/operationResults/GUID?api-version=2021-08-01

-``

-## Multi-site listeners for Application Gateway layer 4 proxy

-Multi-site hosting enables you to configure more than one backend TLS or TCP-based application on the same port of application gateway. This can be achieved by using TLS listeners only. This allows you to configure a more efficient topology for your deployments by adding multiple backend applications on the same port using single application gateway. The traffic for each application can be directed to its own backend pool by providing domain names in the TLS listener.

-For example, you can create three multisite listeners each with its own domain (contoso.com, fabrikam.com, and *.adatum.com), and route them to their respective backend pools having different applications. All three domains must point to the frontend IP address of the application gateway. This feature is in preview phase for use with layer 4 proxy.

-### Feature information:

-

-> The automatic replica discovery support is available if you use version **7.1.0-preview** or later of any of the following packages.

- 1. Select an existing **Virtual network** to deploy the private endpoint to. If you don't have a virtual network, [create a virtual network](../private-link/create-private-endpoint-portal.md#create-a-virtual-network-and-bastion-host).

-1. Create a file named *mysettings.json* at the root of your project directory, and enter the following content.

- builder.Configuration.AddJsonFile("mysettings.json");

-2. Update the *deployment.yaml* file in the *Deployment* directory to use the ConfigMap `configmap-created-by-appconfig-provider` as a mounted data volume. It is important to ensure that the `volumeMounts.mountPath` matches the `WORKDIR` specified in your *Dockerfile*.

- mountPath: /app

- items:

- - key: mysettings.json

- path: mysettings.json

-For issues encountered with Arc resource bridge, collect logs for further investigation using the Azure CLI [`az arcappliance logs`](/cli/azure/arcappliance/logs) command. This command needs to be run from the same management machine that was used to run commands to deploy the Arc resource bridge. If there is a problem collecting logs, most likely the management machine is unable to reach the Appliance VM, and the network administrator needs to allow communication between the management machine to the Appliance VM.

-### Resource bridge configurations cannot be updated

-If Arc resource bridge is experiencing a network communication problem or is offline, you may see an "Appliance Network Unavailable" error when trying to perform an action that interacts with the resource bridge or an extension operating on top of the bridge. In general, any network or infrastructure connectivity issue to the appliance VM may cause this error. This error can also surface as "Error while dialing dial tcp xx.xx.xxx.xx:55000: connect: no route to host" and this is typically a network communication problem. The problem could be that communication from the host to the Arc resource bridge VM needs to be opened with the help of your network administrator. It could be that there was a temporary network issue not allowing the host to reach the Arc resource bridge VM and once the network issue is resolved, you can retry the operation. You may also need to check that the appliance VM for Arc resource bridge is not stopped. In the case of Azure Stack HCI, the host storage may be full which has caused the appliance VM to pause and the storage will need to be addressed.

-When the appliance is deployed to a host resource pool, there is no high availability if the host hardware fails. Because of this, we recommend that you don't try to deploy the appliance in a host resource pool.

-### .local not supported

-1. When there is a problem with deployment, the first step is to collect logs by Appliance VM IP (not by kubeconfig, as the kubeconfig could be empty if the deploy command didn't complete). Problems collecting logs are most likely due to the management machine being unable to reach the Appliance VM.

-description: Learn to switch to the new version of VMware vSphere and use its capabilities

-If you've onboarded to **Azure Arc-enabled VMware** before August 21, 2023, for VMs that are Azure-enabled, follow these steps to switch to the new version:

-1. In the Azure portal, select the Azure Cache for Redis instance that you want to configure Microsoft Entra token based authentication for.

-# Configure disk encryption for Azure Cache for Redis instances using customer managed keys (preview)

-|Customer managed keys (CMK) | No | Yes (preview) |

-dotnet add package Microsoft.Azure.WebJobs.Extensions.Redis --prerelease

-## Permissions considerations

-## Adding a cluster bubble layer

-Cluster bubble layers enable you to use enhanced data aggregation capabilities based on different zoom levels. Cluster bubble layers are designed to optimize the visualization and analysis of data by allowing dynamic adjustments to granularity as users zoom in or out on the map.

-Azure Maps Power BI visual offers a range of configuration options to provide flexibility when customizing the appearance of cluster bubbles. With parameters like cluster bubble size, color, text size, text color, border color, and border width, you can tailor the visual representation of clustered data to align with your reporting needs.

-| Setting | Description | Values |

-||||

-| Bubble Size  | The size of each cluster bubble. Default: 12 px | 1-50 px |

-| Cluster Color | Fill color of each cluster bubble.ΓÇ» | |

-| Text Size | The size of the number indicating the quantity of clustered bubbles. Default: 18 px.| 1-60 px|

-| Text Color | Text color of the number displayed in the cluster bubbles.| |

-| Border Color | The color of the bubbles outline. | |

-| Border Width | The width of the border in pixels. Default: 2 px | 1-20 px |

-> [Add a 3D column layer](power-bi-visual-add-3d-column-layer.md)

-> [Add a heat map layer](power-bi-visual-add-heat-map-layer.md)

-> [!div class="nextstepaction"]

-> [Show real-time traffic](power-bi-visual-show-real-time-traffic.md)

- For sample log search alert queries that query ARG or ADX, see [Log search alert query samples](./alerts-log-alert-query-samples.md)

- changedBy = tostring(properties.changeAttributes.changedBy)

- | project changeTime,targetResourceId,changedBy

-|ApplicationInsightsAgent_EXTENSION_VERSION | Main extension, which controls runtime monitoring. | `~3` |

-> Wait for new telemetry in Log Analytics before relying on it. After starting the migration, telemetry first goes to Classic Application Insights. Aim to switch to Log Analytics within 24 hours, avoiding data loss or double writing. Once done, Log Analytics solely captures new telemetry.

- $body = (ConvertTo-Json $annotation -Compress) -replace '(\\+)"', '$1$1"' -replace "`"", "`"`""

-### Combine Azure Resource Graph tables with a Log Analytics workspace

-Use the `union` command to combine cluster tables with a Log Analytics workspace.

-For example:

-```kusto

-union AzureActivity, arg("").Resources

-| take 10

-```

-```kusto

-let CL1 = arg("").Resources ;

-union AzureActivity, CL1 | take 10

-```

-When you use the [`join` operator](/azure/data-explorer/kusto/query/joinoperator) instead of union, you need to use a [`hint`](/azure/data-explorer/kusto/query/joinoperator#join-hints) to combine the data in Azure Resource Graph with data in the Log Analytics workspace. Use `Hint.remote={Direction of the Log Analytics Workspace}`. For example:

-```kusto

-Perf | where ObjectName == "Memory" and (CounterName == "Available MBytes Memory")

-| extend _ResourceId = replace_string(replace_string(replace_string(_ResourceId, 'microsoft.compute', 'Microsoft.Compute'), 'virtualmachines','virtualMachines'),"resourcegroups","resourceGroups")

-| join hint.remote=left (arg("").Resources | where type =~ 'Microsoft.Compute/virtualMachines' | project _ResourceId=id, tags) on _ResourceId | project-away _ResourceId1 | where tostring(tags.env) == "prod"

-```

-* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) do not support cross-service queries.

-* `mv-expand` is limited to 2000 records.

-* Azure Monitor Logs does not support the `external_table()` function, which lets you query external tables in Azure Data Explorer. To query an external table, define `external_table(<external-table-name>)` as a parameterless function in Azure Data Explorer. You can then call the function using the expression `adx("").<function-name>`.

-* Microsoft Sentinel does not support cross-service queries to Azure Resource Graph.

- * The query returns the first 1000 records only.

-| AzureDiagnostics | |

-> VMware HCX Mobility Optimized Networking is officially supported by VMware and Azure VMware Solutions from HCX version 4.1.0.

->VMware HCX Mobility Optimized Networking (MON) is not supported with the use of a 3rd party gateway. It may only be used with the T1 gateway directly connected to the T0 gateway with no network virtual appliance (NVA). You may be able to make this configuration function, but we do not support it.

-By default and without using MON, a VM in Azure VMware Solution on a stretched network without MON can communicate back to on-premises using the ExpressRoute preferred path. Based on customer use cases, one should evaluate how a VM on an Azure VMware Solution stretched segment enabled with MON should be traversing back to on-premises, either over the NE or the T0 gateway via the ExpressRoute while keeping traffic flows symmetric.

-If choosing the NE path for example, the MON policy routes have to specifically address the subnet on the on-premises side; otherwise, the 0.0.0.0/0 default route is used. Policy routes can be found under the NE segment, selecting advanced. By default, all RFC1918 IP addresses are included in the MON policy routes definition.

->Special consideration for using MON in Azure VMware Solution is to give the /32 routes advertised over BGP to its peers; this includes on-premises and Azure over the ExpressRoute connection. For example, a VM in Azure learns the path to an Azure VMware Solution VM on an Azure VMware Solution MON enabled segment. Once the return traffic is sent back to the T0 gateway as expected, if the return subnet is an RFC1918 match, traffic is forced over the NE instead of the T0. Then egresses over the ExpressRoute back to Azure on the on-premises side. This can cause confusion for stateful firewalls in the middle and asymmetric routing behavior. It's also a good idea to determine how VMs on NE MON segments will need to access the internet, either via the T0 in Azure VMware Solution or only through the NE back to on-premises. In general, all of the default policy routes should be removed to avoid asymmetric traffic. Only enable policy routes if the network infrastructure as been configured in such a way to account for and prevent asymmetric traffic.

-As outlined in the above diagram, the importance is to match a policy route to each required subnet. Otherwise, the traffic gets routed over the T0 and not the NE.

- You can learn more about the cost of running virtual machines from the [Plan to manage costs for virtual machines documentation](../virtual-machines/plan-to-manage-costs.md).

- - To learn more about the costs associated with virtual machines, see the [How you're charged for virtual machines section of Plan to manage costs for virtual machines](../virtual-machines/plan-to-manage-costs.md#how-youre-charged-for-virtual-machines).

-| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30000-32676`² | Allow Azure Load Balancer to probe backend pools. |

-| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30000-32676`² | Allow Azure Load Balancer to probe backend pools. |

-description: Important reference material needed when you monitor Azure Container Instances

-# Monitoring Azure Container Instances data reference

-See [Monitoring Azure Container Instances](monitor-azure-container-instances.md) for details on collecting and analyzing monitoring data for Azure Container Instances.

-## Metrics

-This section lists all the automatically collected platform metrics collected for Azure Container Instances.

-|Metric Type | Resource Provider / Type Namespace<br/> and link to individual metrics |

-|-|--|

-| Container Instances | [Microsoft.ContainerInstance/containerGroups](/azure/azure-monitor/platform/metrics-supported#microsoftcontainerinstancecontainergroups) |

-## Metric dimensions

-For more information on what metric dimensions are, see [Multi-dimensional metrics](/azure/azure-monitor/platform/data-platform-metrics#multi-dimensional-metrics).

-Azure Container Instances has the following dimension associated with its metrics.

-## Activity log

-The following table lists the operations that Azure Container Instances may record in the Activity log. This is a subset of the possible entries you might find in the activity log. You can also find this information in the [Azure role-based access control (RBAC) Resource provider operations documentation](../role-based-access-control/resource-provider-operations.md#microsoftcontainerinstance).

-| Operation | Description |

-|:|:|

-| Microsoft.ContainerInstance/register/action | Registers the subscription for the container instance resource provider and enables the creation of container groups. |

-| Microsoft.ContainerInstance/containerGroupProfiles/read | Get all container group profiles. |

-| Microsoft.ContainerInstance/containerGroupProfiles/write | Create or update a specific container group profile. |

-| Microsoft.ContainerInstance/containerGroupProfiles/delete | Delete the specific container group profile. |

-| Microsoft.ContainerInstance/containerGroups/read | Get all container groups. |

-| Microsoft.ContainerInstance/containerGroups/write | Create or update a specific container group. |

-| Microsoft.ContainerInstance/containerGroups/delete | Delete the specific container group. |

-| Microsoft.ContainerInstance/containerGroups/restart/action | Restarts a specific container group. This log only captures customer-intiated restarts, not restarts initiated by Azure Container Instances infrastructure. |

-| Microsoft.ContainerInstance/containerGroups/stop/action | Stops a specific container group. Compute resources will be deallocated and billing will stop. |

-| Microsoft.ContainerInstance/containerGroups/start/action | Starts a specific container group. |

-| Microsoft.ContainerInstance/containerGroups/containers/exec/action | Exec into a specific container. |

-| Microsoft.ContainerInstance/containerGroups/containers/attach/action | Attach to the output stream of a container. |

-| Microsoft.ContainerInstance/containerGroups/containers/buildlogs/read | Get build logs for a specific container. |

-| Microsoft.ContainerInstance/containerGroups/containers/logs/read | Get logs for a specific container. |

-| Microsoft.ContainerInstance/containerGroups/detectors/read | List Container Group Detectors |

-| Microsoft.ContainerInstance/containerGroups/operationResults/read | Get async operation result |

-| Microsoft.ContainerInstance/containerGroups/outboundNetworkDependenciesEndpoints/read | List Container Group Detectors |

-| Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for the container group. |

-| Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the container group. |

-| Microsoft.ContainerInstance/containerGroups/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for container group. |

-| Microsoft.ContainerInstance/locations/deleteVirtualNetworkOrSubnets/action | Notifies Microsoft.ContainerInstance that virtual network or subnet is being deleted. |

-| Microsoft.ContainerInstance/locations/cachedImages/read | Gets the cached images for the subscription in a region. |

-| Microsoft.ContainerInstance/locations/capabilities/read | Get the capabilities for a region. |

-| Microsoft.ContainerInstance/locations/operationResults/read | Get async operation result |

-| Microsoft.ContainerInstance/locations/operations/read | List the operations for Azure Container Instance service. |

-| Microsoft.ContainerInstance/locations/usages/read | Get the usage for a specific region. |

-| Microsoft.ContainerInstance/operations/read | List the operations for Azure Container Instance service. |

-| Microsoft.ContainerInstance/serviceassociationlinks/delete | Delete the service association link created by Azure Container Instance resource provider on a subnet. |

-See [all the possible resource provider operations in the activity log](../role-based-access-control/resource-provider-operations.md).

-For more information on the schema of Activity Log entries, see [Activity Log schema](../azure-monitor/essentials/activity-log-schema.md).

-## Schemas

-The following schemas are in use by Azure Container Instances.

-> Some of the columns listed below only exist as part of the schema, and won't have any data emitted in logs. These columns are denoted below with a description of 'Empty'.

-### ContainerInstanceLog_CL

-### ContainerEvent_CL

-## See also

-description: Start here to learn how to monitor Azure Container Instances

-# Monitoring Azure Container Instances

-When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation.

-This article describes the monitoring data generated by Azure Container Instances. Azure Container Instances includes built-in support for [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).

-## Monitoring overview page in Azure portal

-The **Overview** page in the Azure portal for each container instance includes a brief view of resource usage and telemetry.

- 

-## Monitoring data

-Azure Container Instances collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data-from-azure-resources).

-See [Monitoring *Azure Container Instances* data reference](monitor-azure-container-instances-reference.md) for detailed information on the metrics and logs metrics created by Azure Container Instances.

-## Collection and routing

-Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

-Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.

-See [Create diagnostic setting to collect platform logs and metrics in Azure](/azure/azure-monitor/platform/diagnostic-settings) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect.

-The metrics and logs you can collect are discussed in the following sections.

-## Analyzing metrics

-You can analyze metrics for *Azure Container Instances* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Analyze metrics with Azure Monitor metrics explorer](../azure-monitor/essentials/analyze-metrics.md) for details on using this tool.

-For a list of the platform metrics collected for Azure Container Instances, see [Monitoring Azure Container Instances data reference metrics](monitor-azure-container-instances-reference.md#metrics).

-All metrics for Azure Container Instances are in the namespace **Container group standard metrics**. In a container group with multiple containers, you can additionally filter on the [dimension](monitor-azure-container-instances-reference.md#metric-dimensions) **containerName** to acquire metrics from a specific container within the group.

-For reference, you can see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).

-### View operation level metrics for Azure Container Instances

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Select **Monitor** from the left-hand navigation bar, and select **Metrics**.

- 

-1. On the **Select a scope** page, choose your **subscription** and **resource group**. Under **Refine scope**, choose **Container instances** for **Resource type**. Pick one of your container instances from the list and select **Apply**.

- 

-1. Next, you can pick a metric to view from the list of available metrics. Here, we choose **CPU Usage** and use **Avg** as the aggregation value.

- 

-### Add filters to metrics

-In a scenario where you have a container group with multiple containers, you may find it useful to apply a filter on the metric dimension **containerName**. This will allow you to view metrics by container as opposed to an aggregate of the group as a whole.

- 

-## Analyzing logs

-Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.

-All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md) The schema for Azure Container Instances resource logs is found in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#schemas).

-The [Activity log](../azure-monitor/essentials/activity-log.md) is a type of Azure platform log that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics. You can see a list of the kinds of operations that will be logged in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#activity-log)

-### Sample Kusto queries

-Azure Monitor logs includes an extensive [query language][query_lang] for pulling information from potentially thousands of lines of log output.

-The basic structure of a query is the source table (in this article, `ContainerInstanceLog_CL` or `ContainerEvent_CL`) followed by a series of operators separated by the pipe character (`|`). You can chain several operators to refine the results and perform advanced functions.

-```query

-```query

-> [!IMPORTANT]

-> When you select **Logs** from the Azure Container Instances menu, Log Analytics is opened with the query scope set to the current Azure Container Instances. This means that log queries will only include data from that resource. If you want to run a query that includes data from other resources or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.

-For a list of common queries for Azure Container Instances, see the [Log Analytics queries interface](../azure-monitor/logs/queries.md).

-## Alerts

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](/azure/azure-monitor/alerts/alerts-metric-overview), [logs](/azure/azure-monitor/alerts/alerts-unified-log), and the [activity log](/azure/azure-monitor/alerts/activity-log-alerts). Different types of alerts have benefits and drawbacks.

-For Azure Container Instances, there are three categories for alerting:

-* **Activity logs** - You can set alerts for Azure Container Instances operations like create, update, and delete. See the [Monitoring Azure Container Instances data reference](monitor-azure-container-instances-reference.md#activity-log) for a list of activities you can track.

-* **Metrics** - You can set alerts for vCPU usage, memory usage, and network input and output utilization. Depending on the function of the container you deploy, you may want to monitor different metrics. For example, if you don't expect your container's memory usage to exceed a certain threshold, setting an alert for when memory usage exceeds it may be useful.

-* **Custom log search** - You can set alerts for specific outputs in logs. For example, you can use these alerts to robustly capture stdout and stderr by setting alerts for when those outputs appear in the logs.

-## Next steps

-* See the [Monitoring Azure Container Instances data reference](monitor-azure-container-instances-reference.md) for a reference of the metrics, logs, and other important values created by Azure Container Instances.

-* See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

-### Reason for error?

-### Reason for error?

-### Reason for error?

-### Reason for error?

-### Reason for error?

-### Reason for error?

-### Reason for error?

-| Feature | Azure Cosmos DB for MongoDB | Vendor-managed MongoDB Atlas |

-| Global Distribution | Yes, [globally distributed](../distribute-data-globally.md) with automatic and fast data replication across any number of Azure regions | Yes, globally distributed with manual and scheduled data replication across any number of cloud providers or regions |

-| SLA covers cloud platform | Yes | No. "Services, hardware, or software provided by a third party, such as cloud platform services on which MongoDB Atlas runs are not covered" |

-| 99.999% availability SLA | [Yes](../high-availability.md) | No |

-| Instantaneous Scaling | Yes, [database instantaneously scales](../provision-throughput-autoscale.md) with zero performance impact on your applications | No, requires 1+ hours to vertically scale up and 24+ hours to vertically scale down. Performance impact during scale up may be noticeable |

-| True active-active clusters | Yes, with [multi-primary writes](./how-to-configure-multi-region-write.md). Data for the same shard can be written to multiple regions | No |

-| Vector Search for AI applications | Yes, with [Azure Cosmos DB for MongoDB vCore Vector Search](./vcore/vector-search.md) | Yes |

-| Vector Search in Free Tier | Yes, with [Azure Cosmos DB for MongoDB vCore Vector Search](./vcore/vector-search.md) | No |

-| Free tier | [1,000 request units (RUs) and 25 GB storage forever](../try-free.md). Prevents you from exceeding limits if you want. Azure Cosmos DB for MognoDB vCore offers Free Tier with 32GB storage forever. | Yes, with 512 MB storage |

-| Azure Integrations | Native [first-party integrations](./integrations-overview.md) with Azure services such as Azure Functions, Azure Logic Apps, Azure Stream Analytics, and Power BI and more | Limited number of third party integrations |

-| Choice of instance configuration | Yes, with [Azure Cosmos DB for MongoDB vCore](./vcore/introduction.md) | Yes |

-| Expert Support | Microsoft, with 24x7 support for Azure Cosmos DB. One support team to address all of your Azure products | MongoDB, Inc. with 24x7 support for MongoDB Atlas. Need separate support teams depending on the product. Support plans costs rise significantly depending on response time chosen |

-| Support for MongoDB multi-document ACID transactions | Yes, with [Azure Cosmos DB for MongoDB vCore](./vcore/introduction.md) | Yes |

-| Support for MongoDB aggregation pipeline | Yes | Yes |

-| Replica set configuration | Yes, with [Azure Cosmos DB for MongoDB vCore](./vcore/introduction.md) | Yes |

-| Automatic sharding support | Yes | Limited, since the number of shards must be configured by the developer. Extra costs apply for additional configuration servers. |

-| Data explorer | Yes, using native Azure tooling and MongoDB tooling such as Robo3T | Yes |

-| Native data visualization without 3rd party BI tools | Yes, using Power BI | Yes |

-for all of your learning & evaluation needs. Users can provision a single free DB server per supported Azure region for a given subscription. This feature is currently available for our users in the East US, West Europe and Southeast Asia regions.

-* For a given subscription, only one free tier account is permissible in a region.

-* Free tier is currently available in East US, West Europe and Southeast Asia regions only.

-|Network security|Using an IP firewall is the first layer of protection to secure your database. Azure Cosmos DB for MongoDB vCore supports policy driven IP-based access controls for inbound firewall support. The IP-based access controls are similar to the firewall rules used by traditional database systems. However, they're expanded so that an Azure Cosmos DB for MongoDB vCore cluster is only accessible from an approved set of machines or cloud services. <br><br>Azure Cosmos DB for MongoDB vCore enables you to enable a specific IP address (168.61.48.0), an IP range (168.61.48.0/8), and combinations of IPs and ranges. <br><br>All requests originating from machines outside this allowed list are blocked by Azure Cosmos DB for MongoDB vCore. Requests from approved machines and cloud services then must complete the authentication process to be given access control to the resources.<br><br> You can use [virtual network service tags](../../../virtual-network/service-tags-overview.md) to achieve network isolation and protect your Azure Cosmos DB for MongoDB vCore resources from the general Internet. Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name (for example, AzureCosmosDB) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service.|

-In addition to organizing resources and subscriptions using the subscription hierarchy and metadata (tags), Cost Management also offers the ability to *move* or split shared costs via cost allocation rules. Cost allocation doesn't change the invoice. Cost allocation simply moves charges from one subscription, resource group, or tag to another subscription, resource group, or tag. The goal of cost allocation is to split and move shared costs to reduce overhead. And, to more accurately report on where charges are ultimately coming from (albeit indirectly), which should drive more complete accountability. For more information, see [Allocate Azure costs](./costs/allocate-costs.md).

- - If you need to move costs between subscriptions, resource groups, or add or change tags, [configure allocation rules in Cost Management](../costs/allocate-costs.md). Cost allocation is covered in detail at [Managing shared costs](capabilities-shared-cost.md).

-7. Add the `<FQDN>,<port>` of your target on-premises SQL Server. By default, port is 1433.

-# Tutorial: Connect, set up, and activate Azure Stack Edge Pro FPGA

-# Tutorial: Prepare to deploy Azure Stack Edge Pro FPGA

-## Next Steps

-[Enable the Microsoft Defender for Endpoint integration](enable-defender-for-endpoint.md).

-## Why JIT VM access is the solution

-In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMsΓÇÖ management ports and defend them from attack.

-The following diagram shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:

-When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's **Unhealthy resources** tab.

-## Next steps

- |Configure or edit a JIT policy for a VM | *Assign these actions to the role:* <ul><li>On the scope of a subscription or resource group that is associated with the VM:<br/> `Microsoft.Security/locations/jitNetworkAccessPolicies/write` </li><li> On the scope of a subscription or resource group of VM: <br/>`Microsoft.Compute/virtualMachines/write`</li></ul> |

- > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.

-> In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters.

-1. In the **Not configured** virtual machines tab, mark the VMs to protect with JIT and select **Enable JIT on VMs**.

- - 5985 - WinRM

-1. In the **Configured** virtual machines tab, right-click on a VM and select **Edit**.

-### Request access to a JIT-enabled VM from Microsoft Defender for Cloud

-1. From the [Azure portal](https://portal.azure.com), search for and select **Virtual machines**.

-1. Under **Just-in-time access**, select **Enable just-in-time**.

- 1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select **Edit**.

-

-

-

-The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.

-The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.

-

-A new insight for Azure DevOps repositories has been added to the Cloud Security Explorer to indicate whether repositories are active. This insight indicates that the code repository is not archived or disabled, meaning that write access to code, builds, and pull requests is still available for users. Archived and disabled repositories might be considered lower priority as the code is not typically used in active deployments.

-To test out the query through Cloud Security Explorer, use [this query link](https://ms.portal.azure.com#view/Microsoft_Azure_Security/SecurityGraph.ReactView/query/%7B%22type%22%3A%22securitygraphquery%22%2C%22version%22%3A2%2C%22properties%22%3A%7B%22source%22%3A%7B%22type%22%3A%22datasource%22%2C%22properties%22%3A%7B%22sources%22%3A%5B%7B%22type%22%3A%22entity%22%2C%22properties%22%3A%7B%22source%22%3A%22azuredevopsrepository%22%7D%7D%5D%2C%22conditions%22%3A%7B%22type%22%3A%22conditiongroup%22%2C%22properties%22%3A%7B%22operator%22%3A%22and%22%2C%22conditions%22%3A%5B%7B%22type%22%3A%22insights%22%2C%22properties%22%3A%7B%22name%22%3A%226b8f221b-c0ce-48e3-9fbb-16f917b1c095%22%7D%7D%5D%7D%7D%7D%7D%7D%7D)

-This article describes how to add regulatory compliance standards as security standards in an Azure subscriptions, AWS account, or GCP project.

-To invite a third party, follow the [Assign Azure roles to external guest users using the Azure portal](../../../articles/role-based-access-control/role-assignments-external-users.md#add-a-guest-user-to-your-directory) tutorial.

-1. Go to **Defender for IoT** > **Sites and sensors**, and then select **Onboard sensor** > **EIoT**.

-Seven resources have been defined in this template:

-In this quickstart, you created a virtual network and DNS private resolver. Now configure name resolution for Azure and on-premises domains

-1. Select the **Subscription** blade in the Azure portal, and then choose your subscription by selecting on it.

-1. In the Azure portal, search for and select **Virtual networks**.

-2. On the **Virtual networks** page, select **Create**.

-3. On the **Basics** tab, select the resource group you just created, enter **myvnet** for the virtual network name, and select the **Region** that is the same as your resource group.

-4. Select the **IP Addresses** tab and enter an **IPv4 address space** of 10.0.0.0/16. This address range might be entered by default.

-5. Select the **default** subnet.

-6. Enter the following values on the **Edit subnet** page:

- - Name: snet-inbound

- - IPv4 address range: 10.0.0.0/16

- - Starting address: 10.0.0.0

- - Size: /28 (16 IP addresses)

- - Select **Save**

-7. Select **Add a subnet** and enter the following values on the **Add a subnet** page:

- - Subnet purpose: Default

- - Name: snet-outbound

- - IPv4 address range: 10.0.0.0/16

- - Starting address: 10.0.1.0

- - Size: /28 (16 IP addresses)

- - Select **Add**

-8. Select the **Review + create** tab and then select **Create**.

-1. In the Azure portal, search for **DNS Private Resolvers**.

-4. Next to **Subnet**, select the inbound endpoint subnet you created (ex: snet-inbound, 10.0.0.0/28).

-5. Next to **IP address assignment**, select **Static**.

-6. Next to IP address, enter **10.0.0.4** and then select **Save**.

- > [!NOTE]

- > You can choose a static or dynamic IP address for the inbound endpoint. A dynamic IP address is used by default. Typically the first available [non-reserved](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets) IP address is assigned (example: 10.0.0.4). This dynamic IP address does not change unless the endpoint is deleted and reprovisioned (for example using a different subnet). In this example **Static** is selected and the first available IP address is entered.

- - Endpoints: Select the outbound endpoint that you created (ex: myoutboundendpoint).

- - Under **Destination** enter a desired destination IPv4 address (ex: 11.0.1.4).

- This example has only one conditional forwarding rule, but you can create many. Edit the rules to enable or disable them as needed. You can also add or edit rules and rulesets at any time after deployment.

- After selecting **Create**, the new DNS resolver begins deployment. This process might take a minute or two. The status of each component is displayed during deployment.

-5. Select the **IP Addresses** tab and edit the default IP address space. Replace the address space with a simulated on-premises address space (ex: 10.1.0.0/16).

-6. Select and edit the **default** subnet:

- - Subnet purpose: Default

- - Name: backendsubnet

- - Subnet address range: 10.1.0.0/16

- - Starting address: 10.1.0.0

- - Size: /24 (256 addresses)

-7. Select **Save**, select **Review + create**, and then select **Create**.

- 

-> [!NOTE]

-> In this procedure, a forwarding ruleset is linked to a VNet that was created earlier to simulate an on-premises environment. It is not possible to create a ruleset link to non-Azure resources. The purpose of the following procedure is only to demonstrate how ruleset links can be added or deleted. To understand how a private resolver can be used to resolve on-premises names, see [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md).

-2. Under **Settings**, select **Virtual Network Links**

- - The link **myvnet-link** is already present. This was created automatically when the ruleset was provisioned.

-3. Select **Add**, choose **myvnet2** from the **Virtual Network** drop-down list. Use the default **Link Name** of **myvnet2-link**.

-1. Search for **DNS Forwarding Rulesets** in the Azure Services list and select it.

-2. Select the ruleset you previously configured (ex: **myruleset**) and then under **Settings** select **Rules**.

-4. Under **Destination IP address** enter 10.1.0.5, and then select **Add**.

-If multiple subscriptions are present, the first subscription ID is used. To specify a different subscription ID, use the following command.

-New-AzVirtualNetwork -Name myvnet -ResourceGroupName myresourcegroup -Location westcentralus -AddressPrefix "10.0.0.0/16"

-> If the endpoint IP address is specified as dynamic, the address does not change unless the endpoint is deleted and reprovisioned. Typically the same IP address is assigned again during reprovisioning.<br>

-#### Dynamic IP address

-#### Static IP address

-$vnet2 = New-AzVirtualNetwork -Name myvnet2 -ResourceGroupName myresourcegroup -Location westcentralus -AddressPrefix "10.1.0.0/16"

-$forwardingrule = New-AzDnsForwardingRulesetForwardingRule -ResourceGroupName myresourcegroup -DnsForwardingRulesetName myruleset -Name "AzurePrivate" -DomainName "azure.contoso.com." -ForwardingRuleState "Enabled" -TargetDnsServer $targetDNS3

-Seven resources have been defined in this template:

-In this quickstart, you created a virtual network and DNS private resolver. Now configure name resolution for Azure and on-premises domains

-| **Montreal** | [Cologix MTL3](https://www.cologix.com/data-centers/montreal/mtl3/) | 1 | n/a | Supported | Bell Canada<br/>CenturyLink Cloud Connect<br/>Cologix<br/>Fibrenoire<br/>Megaport<br/>RISQ<br/>Telus<br/>Zayo |

- |Bash script URI|`https://hdiconfigactions.blob.core.windows.net/hbasesparkconnectorscript/connector-hbase.sh`|

- |Parameters|`-s SECONDARYS_STORAGE_URL`|

- * `SECONDARYS_STORAGE_URL` is the url of the Spark side default storage. Parameter Example: `-s wasb://sparkcon-2020-08-03t18-17-37-853z@sparkconhdistorage.blob.core.windows.net`

- |Bash script URI|`https://hdiconfigactions.blob.core.windows.net/hbasesparkconnectorscript/connector-spark.sh`|

- |Parameters|`-s "SPARK-CRON-SCHEDULE"` (optional) `-h "HBASE-CRON-SCHEDULE"` (optional)|

- * Since HBase cron isn't set up by default, you need to rerun this script when perform scaling to your HBase cluster. If your HBase cluster scales often, you may choose to set up HBase cron job automatically. For example: `-h "*/30 * * * *"` configures the script to perform checks every 30 minutes. This will run HBase cron schedule periodically to automate downloading of new HBase information on the common storage account to local node.

- # Container for the Dapr Pub/sub component

- - name: aio-mq-pubsub-pluggable

- image: ghcr.io/azure/iot-mq-dapr-components/pubsub:latest

- volumeMounts:

- - name: dapr-unix-domain-socket

- mountPath: /tmp/dapr-components-sockets

- - name: mqtt-client-token

- mountPath: /var/run/secrets/tokens

- - name: aio-ca-trust-bundle

- mountPath: /var/run/certs/aio-mq-ca-cert/

- # Container for the Dapr State store component

- - name: aio-mq-statestore-pluggable

- image: ghcr.io/azure/iot-mq-dapr-components/statestore:latest

- dapr-workload 4/4 Running 0 30s

- # Container for the Pub/sub component

- - name: aio-mq-pubsub-pluggable

- image: ghcr.io/azure/iot-mq-dapr-components/pubsub:latest

- volumeMounts:

- - name: dapr-unix-domain-socket

- mountPath: /tmp/dapr-components-sockets

- - name: mqtt-client-token

- mountPath: /var/run/secrets/tokens

- - name: aio-ca-trust-bundle

- mountPath: /var/run/certs/aio-mq-ca-cert/

- # Container for the State Management component

- - name: aio-mq-statestore-pluggable

- image: ghcr.io/azure/iot-mq-dapr-components/statestore:latest

-$ kubectl describe configmap client-ca

-| `brokerRef` | true | String |N/A |The associated broker |

-| `diagnosticServiceEndpoint` | true | String |N/A |An endpoint to send metrics/ traces to |

-| `enableMetrics` | false | Boolean |true |Enable or disable broker metrics |

-| `enableTracing` | false | Boolean |true |Enable or disable tracing |

-| `logLevel` | false | String | `info` |Log level. `trace`, `debug`, `info`, `warn`, or `error` |

-| `enableSelfCheck` | false | Boolean |true |Component that periodically probes the health of broker |

-| `enableSelfTracing` | false | Boolean |true |Automatically traces incoming messages at a frequency of 1 every `selfTraceFrequencySeconds` |

-| `logFormat` | false | String | `text` |Log format in `json` or `text` |

-| `selfCheckTimeoutSeconds` | false | Integer | 15 |Timeout interval for probe messages |

-| `selfTraceFrequencySeconds` | false | Integer |30 |How often to automatically trace external messages if `enableSelfTracing` is true |

-| `spanChannelCapacity` | false | Integer |1000 |Maximum number of spans that selftest can store before sending to the diagnostics service |

-$secretByte = [Convert]::FromBase64String($pfxSecret)

-$x509Cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2

-$x509Cert.Import($secretByte, $null, [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

-$pfxFileByte = $x509Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)

-[IO.File]::WriteAllBytes("KeyVaultcertificate.pfx", $pfxFileByte)

-||

-If your Azure account is a guest user, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to perform the role assignment. Learn about [role assignments for guest users](/azure/role-based-access-control/role-assignments-external-users#guest-user-cannot-browse-users-groups-or-service-principals-to-assign-roles).

-description: Create and manage workflow definitions with multi-tenant Azure Logic Apps in Visual Studio Code.

-# Quickstart: Create and manage logic app workflow definitions with multi-tenant Azure Logic Apps and Visual Studio Code

-This quickstart shows how to create and manage logic app workflows that help you automate tasks and processes that integrate apps, data, systems, and services across organizations and enterprises by using multi-tenant [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and Visual Studio Code. You can create and edit the underlying workflow definitions, which use JavaScript Object Notation (JSON), for logic apps through a code-based experience. You can also work on existing logic apps that are already deployed to Azure. For more information about multi-tenant versus single-tenant model, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).

-* If you don't have an Azure account and subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/).

- 1. If sign in takes longer than usual, Visual Studio Code prompts you to sign in through a Microsoft authentication website by providing you a device code. To sign in with the code instead, select **Use Device Code**.

-description: Create automated integration workflows with multi-tenant Azure Logic Apps and Visual Studio Code.

-# Quickstart: Create automated integration workflows with multi-tenant Azure Logic Apps and Visual Studio

-This quickstart shows how to design, develop, and deploy automated workflows that integrate apps, data, systems, and services across enterprises and organizations by using multi-tenant [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and Visual Studio. Although you can perform these tasks in the Azure portal, Visual Studio lets you add your logic apps to source control, publish different versions, and create Azure Resource Manager templates for different deployment environments. For more information about multi-tenant versus single-tenant model, review [Single-tenant versus multi-tenant and integration service environment](single-tenant-overview-compare.md).

-

-* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/). If you have an Azure Government subscription, follow these additional steps to [set up Visual Studio for Azure Government Cloud](#azure-government).

- * [Visual Studio 2019, 2017, or 2015 - Community edition](https://aka.ms/download-visual-studio), which is free. The Azure Logic Apps extension is currently unavailable for Visual Studio 2022. This quickstart uses Visual Studio Community 2017.

- > If you use Visual Studio 2019 or 2017, make sure that you select the **Azure development** workload.

- * The corresponding Azure Logic Apps Tools for the Visual Studio extension, currently unavailable for Visual Studio 2022:

- * [Visual Studio 2015](https://aka.ms/download-azure-logic-apps-tools-visual-studio-2015)

- You can either download and install Azure Logic Apps Tools directly from the Visual Studio Marketplace, or learn [how to install this extension from inside Visual Studio](/visualstudio/ide/finding-and-using-visual-studio-extensions). Make sure that you restart Visual Studio after you finish installing.

- The designer needs an internet connection to create resources in Azure and to read properties and data from connectors in your logic app.

- > If you want to use the Gmail connector, only G-Suite business accounts can use this connector without restriction in logic apps.

-### Visual Studio 2017

-You can use the [Azure Environment Selector Visual Studio extension](https://devblogs.microsoft.com/azuregov/introducing-the-azure-environment-selector-visual-studio-extension/), which you can download and install from the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=SteveMichelotti.AzureEnvironmentSelector).

- 

- 

- 

- 

-## Create blank logic app

- 

- Visual Studio prompts you for your Azure subscription and an Azure resource group for creating and deploying resources for your logic app and connections.

- | **Location** | **Same as Resource Group** | The location type and specific location for deploying your logic app. The location type is either an Azure region or an existing [integration service environment (ISE)](connect-virtual-network-vnet-isolated-environment.md). <p>For this quickstart, keep the location type set to **Region** and the location set to **Same as Resource Group**. <p>**Note**: After you create your resource group project, you can [change the location type and the location](manage-logic-apps-with-visual-studio.md#change-location), but different location type affects your logic app in various ways. |

- ||||

- 

-## Build logic app workflow

-Next, add an RSS [trigger](../logic-apps/logic-apps-overview.md#logic-app-concepts) that fires when a new feed item appears. Every logic app starts with a trigger, which fires when specific criteria is met. Each time the trigger fires, the Azure Logic Apps engine creates a logic app instance that runs your workflow.

-1. In workflow designer, under the search box, select **All**. In the search box, enter "rss". From the triggers list, select this trigger: **When a feed item is published**

- 

-1. After the trigger appears in the designer, finish building the logic app workflow by following the workflow steps in the [Azure portal quickstart](../logic-apps/quickstart-create-example-consumption-workflow.md#add-rss-trigger), then return to this article. When you're done, your logic app looks like this example:

- 

-Before you can run and test your logic app, deploy the app to Azure from Visual Studio.

- 

- 

- 

- 

- 

- After deployment finishes, your logic app is live in the Azure portal and runs on your specified schedule (every minute). If the trigger finds new feed items, the trigger fires and creates a workflow instance that runs your logic app workflow's actions. Your workflow sends email for each new item. Otherwise, if the trigger doesn't find new items, the trigger doesn't fire and "skips" instantiating the workflow. Your workflow waits until the next interval before checking.

- 

-Congratulations, you've successfully built and deployed your logic app workflow with Visual Studio. To manage your logic app workflow and review its run history, see [Manage logic apps with Visual Studio](manage-logic-apps-with-visual-studio.md).

- 

-1. In the **Add Resource** dialog box, in the search box, find `logic app`, and select **Logic App**. Name your logic app resource, and select **Add**.

- 

- 

-In this article, you built, deployed, and ran your logic app workflow with Visual Studio. To learn about managing and performing advanced deployment for logic apps with Visual Studio, see these articles:

-> [Manage logic apps with Visual Studio](../logic-apps/manage-logic-apps-with-visual-studio.md)

-The *causal inference* component of the [Responsible AI dashboard](concept-responsible-ai-dashboard.md) addresses these questions by estimating the effect of a feature on an outcome of interest on average, across a population or a cohort, and on an individual level. It also helps construct promising interventions by simulating feature responses to various interventions and creating rules to determine which population cohorts would benefit from an intervention. Collectively, these functionalities allow decision-makers to apply new policies and effect real-world change.

-The `azureml-fe` can reach 5K requests per second (QPS) with good latency, having an overhead not exceeding 3ms on average and 15ms at 99% percentile.

-For Kubenet networking, the network is created and configured properly for Azure Machine Learning service. For the CNI networking, you need to understand the connectivity requirements and ensure DNS resolution and outbound connectivity for AKS inferencing. For example, you may be using a firewall to block network traffic.

-A new v2 project can reuse existing resources like workspaces and compute and existing assets like models and environments created using v1.

-## Should I upgrade existing code to v2

-You can reuse your existing assets in your v2 workflows. For instance a model created in v1 can be used to perform Managed Inferencing in v2.

-Optionally, if you want to upgrade specific parts of your existing code to v2, please refer to the comparison links provided in the details of each resource or asset in the rest of this document.

-## Can I use v1 and v2 together?

-v1 and v2 can co-exist in a workspace. You can reuse your existing assets in your v2 workflows. For instance a model created in v1 can be used to perform Managed Inferencing in v2. Resources like workspace, compute, and datastore work across v1 and v2, with exceptions. A user can call the v1 Python SDK to change a workspace's description, then using the v2 CLI extension change it again. Jobs (experiments/runs/pipelines in v1) can be submitted to the same workspace from the v1 or v2 Python SDK. A workspace can have both v1 and v2 model deployment endpoints.

-### Using v1 and v2 code together

-We do not recommend using the v1 and v2 SDKs together in the same code. It is technically possible to use v1 and v2 in the same code because they use different Azure namespaces. However, there are many classes with the same name across these namespaces (like Workspace, Model) which can cause confusion and make code readability and debuggability challenging.

-> [!IMPORTANT]

-> If your workspace uses a private endpoint, it will automatically have the `v1_legacy_mode` flag enabled, preventing usage of v2 APIs. See [how to configure network isolation with v2](how-to-configure-network-isolation-with-v2.md?view=azureml-api-2&preserve-view=true) for details.

-### Compute

-Compute of type `AmlCompute` and `ComputeInstance` are fully available for use in v2.

-For a comparison of SDK v1 and v2 code, see [Compute management in SDK v1 and SDK v2](migrate-to-v2-resource-compute.md).

-### Endpoint and deployment (endpoint and web service in v1)

-With SDK/CLI v1, you can deploy models on ACI or AKS as web services. Your existing v1 model deployments and web services will continue to function as they are, but Using SDK/CLI v1 to deploy models on ACI or AKS as web services is now considered as **legacy**. For new model deployments, we recommend upgrading to v2. In v2, we offer [managed endpoints or Kubernetes endpoints](./concept-endpoints.md?view=azureml-api-2&preserve-view=true). The following table guides our recommendation:

-|Endpoint type in v2|Upgrade from|Notes|

-|-|-|-|

-|Local|ACI|Quick test of model deployment locally; not for production.|

-|Managed online endpoint|ACI, AKS|Enterprise-grade managed model deployment infrastructure with near real-time responses and massive scaling for production.|

-|Managed batch endpoint|ParallelRunStep in a pipeline for batch scoring|Enterprise-grade managed model deployment infrastructure with massively parallel batch processing for production.|

-|Azure Kubernetes Service (AKS)|ACI, AKS|Manage your own AKS cluster(s) for model deployment, giving flexibility and granular control at the cost of IT overhead.|

-|Azure Arc Kubernetes|N/A|Manage your own Kubernetes cluster(s) in other clouds or on-premises, giving flexibility and granular control at the cost of IT overhead.|

-For a comparison of SDK v1 and v2 code, see [Upgrade deployment endpoints to SDK v2](migrate-to-v2-deploy-endpoints.md).

-For migration steps from your existing ACI web services to managed online endpoints, see our [upgrade guide article](migrate-to-v2-managed-online-endpoints.md) and [blog](https://aka.ms/acimoemigration).

-### Data (datasets in v1)

-Datasets are renamed to data assets. *Backwards compatibility* is provided, which means you can use V1 Datasets in V2. When you consume a V1 Dataset in a V2 job you will notice they are automatically mapped into V2 types as follows:

-* V1 FileDataset = V2 Folder (`uri_folder`)

-* V1 TabularDataset = V2 Table (`mltable`)

-It should be noted that *forwards compatibility* is **not** provided, which means you **cannot** use V2 data assets in V1.

-This article talks more about handling data in v2 - [Read and write data in a job](how-to-read-write-data-v2.md?view=azureml-api-2&preserve-view=true)

-For a comparison of SDK v1 and v2 code, see [Data assets in SDK v1 and v2](migrate-to-v2-assets-data.md).

-### Model

-Models created from v1 can be used in v2.

-For a comparison of SDK v1 and v2 code, see [Model management in SDK v1 and SDK v2](migrate-to-v2-assets-model.md)

-This example shows how you can deploy an MLflow model to a batch endpoint to perform batch predictions. This example uses an MLflow model based on the [UCI Heart Disease Data Set](https://archive.ics.uci.edu/ml/datasets/Heart+Disease). The database contains 76 attributes, but we are using a subset of 14 of them. The model tries to predict the presence of heart disease in a patient. It is integer valued from 0 (no presence) to 1 (presence).

-1. Batch Endpoint can only deploy registered models. In this case, we already have a local copy of the model in the repository, so we only need to publish the model to the registry in the workspace. You can skip this step if the model you are trying to deploy is already registered.

-1. Before moving any forward, we need to make sure the batch deployments we are about to create can run on some infrastructure (compute). Batch deployments can run on any Azure Machine Learning compute that already exists in the workspace. That means that multiple batch deployments can share the same compute infrastructure. In this example, we are going to work on an Azure Machine Learning compute cluster called `cpu-cluster`. Let's verify the compute exists on the workspace or create it otherwise.

-7. Although you can invoke a specific deployment inside of an endpoint, you will usually want to invoke the endpoint itself and let the endpoint decide which deployment to use. Such deployment is named the "default" deployment. This gives you the possibility of changing the default deployment and hence changing the model serving the deployment without changing the contract with the user invoking the endpoint. Use the following instruction to update the default deployment:

-For testing our endpoint, we are going to use a sample of unlabeled data located in this repository and that can be used with the model. Batch endpoints can only process data that is located in the cloud and that is accessible from the Azure Machine Learning workspace. In this example, we are going to upload it to an Azure Machine Learning data store. Particularly, we are going to create a data asset that can be used to invoke the endpoint for scoring. However, notice that batch endpoints accept data that can be placed in various locations.

- > Notice how we are not indicating the deployment name in the invoke operation. That's because the endpoint automatically routes the job to the default deployment. Since our endpoint only has one deployment, then that one is the default one. You can target an specific deployment by indicating the argument/parameter `deployment_name`.

-* There is one row per each data point that was sent to the model. For tabular data, this means that one row is generated for each row in the input files and hence the number of rows in the generated file (`predictions.csv`) equals the sum of all the rows in all the processed files. For other data types, there is one row per each processed file.

-* Two columns are indicated:

- * The file name where the data was read from. In tabular data, use this field to know which prediction belongs to which input data. For any given file, predictions are returned in the same order they appear in the input file so you can rely on the row number to match the corresponding prediction.

- * The prediction associated with the input data. This value is returned "as-is" it was provided by the model's `predict().` function.

-> [!WARNING]

-> The file `predictions.csv` may not be a regular CSV file and can't be read correctly using `pandas.read_csv()` method.

-| file | prediction |

-| -- | -- |

-| heart-unlabeled-0.csv | 0 |

-| heart-unlabeled-0.csv | 1 |

-| ... | 1 |

-| heart-unlabeled-3.csv | 0 |

-> Nested folder structures are not explored during inference. If you are partitioning your data using folders, make sure to flatten the structure beforehand.

-> Be advised that any unsupported file that may be present in the input data will make the job to fail. You will see an error entry as follows: *"ERROR:azureml:Error processing input file: '/mnt/batch/tasks/.../a-given-file.avro'. File type 'avro' is not supported."*.

-You will typically select this workflow when:

-> If you choose to indicate a scoring script for an MLflow model deployment, you will also have to specify the environment where the deployment will run.

- c. Select the model you are trying to deploy and click on the tab __Artifacts__.

-1. Let's create an environment where the scoring script can be executed. Since our model is MLflow, the conda requirements are also specified in the model package (for more details about MLflow models and the files included on it see [The MLmodel format](concept-mlflow-models.md#the-mlmodel-format)). We are going then to build the environment using the conda dependencies from the file. However, __we need also to include__ the package `azureml-core` which is required for Batch Deployments.

-Datastores securely connect to your storage service on Azure without putting your authentication credentials and the integrity of your original data source at risk. They store connection information, like your subscription ID and token authorization in your [Key Vault](https://azure.microsoft.com/services/key-vault/) that's associated with the workspace, so you can securely access your storage without having to hard code them in your scripts. You can create datastores that connect to [these Azure storage solutions](#supported-data-storage-service-types).

-To understand where datastores fit in Azure Machine Learning's overall data access workflow, see the [Securely access data](concept-data.md#data-workflow) article.

-For a low code experience, see how to use the [Azure Machine Learning studio to create and register datastores](how-to-connect-data-ui.md#create-datastores).

-> This article assumes you want to connect to your storage service with credential-based authentication credentials, like a service principal or a shared access signature (SAS) token. Keep in mind, if credentials are registered with datastores, all users with workspace *Reader* role are able to retrieve these credentials. [Learn more about workspace *Reader* role.](../how-to-assign-roles.md#default-roles).

-> If this is a concern, learn how to [Connect to storage services with identity based access](../how-to-identity-based-data-access.md).

- Either [create an Azure Machine Learning workspace](../quickstart-create-resources.md) or use an existing one via the Python SDK.

- Import the `Workspace` and `Datastore` class, and load your subscription information from the file `config.json` using the function `from_config()`. This looks for the JSON file in the current directory by default, but you can also specify a path parameter to point to the file using `from_config(path="your/file/path")`.

- When you create a workspace, an Azure blob container and an Azure file share are automatically registered as datastores to the workspace. They're named `workspaceblobstore` and `workspacefilestore`, respectively. The `workspaceblobstore` is used to store workspace artifacts and your machine learning experiment logs. It's also set as the **default datastore** and can't be deleted from the workspace. The `workspacefilestore` is used to store notebooks and R scripts authorized via [compute instance](../concept-compute-instance.md#accessing-files).

-

- > [!NOTE]

- > Azure Machine Learning designer will create a datastore named **azureml_globaldatasets** automatically when you open a sample in the designer homepage. This datastore only contains sample datasets. Please **do not** use this datastore for any confidential data access.

-Datastores currently support storing connection information to the storage services listed in the following matrix.

-> **For unsupported storage solutions** (those not listed in the table below), you may run into issues connecting and working with your data. We suggest you [move your data](#move-data-to-supported-azure-storage-solutions) to a supported Azure storage solution. Doing this may also help with additional scenarios, like saving data egress cost during ML experiments.

-We recommend creating a datastore for an [Azure Blob container](../../storage/blobs/storage-blobs-introduction.md). Both standard and premium storage are available for blobs. Although premium storage is more expensive, its faster throughput speeds might improve the speed of your training runs, particularly if you train against a large dataset. For information about the cost of storage accounts, see the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=machine-learning-service).

-[Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-introduction.md) is built on top of Azure Blob storage and designed for enterprise big data analytics. A fundamental part of Data Lake Storage Gen2 is the addition of a [hierarchical namespace](../../storage/blobs/data-lake-storage-namespace.md) to Blob storage. The hierarchical namespace organizes objects/files into a hierarchy of directories for efficient data access.

-To ensure you securely connect to your Azure storage service, Azure Machine Learning requires that you have permission to access the corresponding data storage container. This access depends on the authentication credentials used to register the datastore.

-> This guidance also applies to [datastores created with identity-based data access](../how-to-identity-based-data-access.md).

-### Virtual network

-Azure Machine Learning requires extra configuration steps to communicate with a storage account that is behind a firewall or within a virtual network. If your storage account is behind a firewall, you can [add your client's IP address to an allowlist](../../storage/common/storage-network-security.md#managing-ip-network-rules) via the Azure portal.

-Azure Machine Learning can receive requests from clients outside of the virtual network. To ensure that the entity requesting data from the service is safe and to enable data being displayed in your workspace, [use a private endpoint with your workspace](../how-to-configure-private-link.md).

-**For Python SDK users**, to access your data via your training script on a compute target, the compute target needs to be inside the same virtual network and subnet of the storage. You can [use a compute instance/cluster in the same virtual network](how-to-secure-training-vnet.md).

-**For Azure Machine Learning studio users**, several features rely on the ability to read data from a dataset, such as dataset previews, profiles, and automated machine learning. For these features to work with storage behind virtual networks, use a [workspace managed identity in the studio](../how-to-enable-studio-virtual-network.md) to allow Azure Machine Learning to access the storage account from outside the virtual network.

-> If your data storage is an Azure SQL Database behind a virtual network, be sure to set *Deny public access* to **No** via the [Azure portal](https://portal.azure.com/) to allow Azure Machine Learning to access the storage account.

-> Cross tenant access to storage accounts is not supported. If cross tenant access is needed for your scenario, please reach out to the Azure Machine Learning Data Support team alias at amldatasupport@microsoft.com for assistance with a custom code solution.

-**As part of the initial datastore creation and registration process**, Azure Machine Learning automatically validates that the underlying storage service exists and the user provided principal (username, service principal, or SAS token) has access to the specified storage.

-**After datastore creation**, this validation is only performed for methods that require access to the underlying storage container, **not** each time datastore objects are retrieved. For example, validation happens if you want to download files from your datastore; but if you just want to change your default datastore, then validation doesn't happen.

-You can find account key, SAS token, and service principal information on your [Azure portal](https://portal.azure.com).

-* If you plan to use an account key or SAS token for authentication, select **Storage Accounts** on the left pane, and choose the storage account that you want to register.

- * The **Overview** page provides information such as the account name, container, and file share name.

- * For account keys, go to **Access keys** on the **Settings** pane.

- * For SAS tokens, go to **Shared access signatures** on the **Settings** pane.

-* If you plan to use a service principal for authentication, go to your **App registrations** and select which app you want to use.

- * Its corresponding **Overview** page will contain required information like tenant ID and client ID.

-> If you need to change your access keys for an Azure Storage account (account key or SAS token), be sure to sync the new credentials with your workspace and the datastores connected to it. Learn how to [sync your updated credentials](../how-to-change-storage-access-key.md).

-For Azure blob container and Azure Data Lake Gen 2 storage, make sure your authentication credentials have **Storage Blob Data Reader** access. Learn more about [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader). An account SAS token defaults to no permissions.

-* For data **read access**, your authentication credentials must have a minimum of list and read permissions for containers and objects.

-* For data **write access**, write and add permissions also are required.

-When you register an Azure storage solution as a datastore, you automatically create and register that datastore to a specific workspace. Review the [storage access & permissions](#storage-access-and-permissions) section for guidance on virtual network scenarios, and where to find required authentication credentials.

-Within this section are examples for how to create and register a datastore via the Python SDK for the following storage types. The parameters provided in these examples are the **required parameters** to create and register a datastore.

- To create datastores for other supported storage services, see the [reference documentation for the applicable `register_azure_*` methods](/python/api/azureml-core/azureml.core.datastore.datastore#methods).

-If you prefer a low code experience, see [Connect to data with Azure Machine Learning studio](how-to-connect-data-ui.md).

->[!IMPORTANT]

-> If you unregister and re-register a datastore with the same name, and it fails, the Azure Key Vault for your workspace may not have soft-delete enabled. By default, soft-delete is enabled for the key vault instance created by your workspace, but it may not be enabled if you used an existing key vault or have a workspace created prior to October 2020. For information on how to enable soft-delete, see [Turn on Soft Delete for an existing key vault](../../key-vault/general/soft-delete-change.md#turn-on-soft-delete-for-an-existing-key-vault).

-> Datastore name should only consist of lowercase letters, digits and underscores.

-To register an Azure blob container as a datastore, use [`register_azure_blob_container()`](/python/api/azureml-core/azureml.core.datastore%28class%29#register-azure-blob-container-workspace--datastore-name--container-name--account-name--sas-token-none--account-key-none--protocol-none--endpoint-none--overwrite-false--create-if-not-exists-false--skip-validation-false--blob-cache-timeout-none--grant-workspace-access-false--subscription-id-none--resource-group-none-).

-The following code creates and registers the `blob_datastore_name` datastore to the `ws` workspace. This datastore accesses the `my-container-name` blob container on the `my-account-name` storage account, by using the provided account access key. Review the [storage access & permissions](#storage-access-and-permissions) section for guidance on virtual network scenarios, and where to find required authentication credentials.

-To register an Azure file share as a datastore, use [`register_azure_file_share()`](/python/api/azureml-core/azureml.core.datastore%28class%29#register-azure-file-share-workspace--datastore-name--file-share-name--account-name--sas-token-none--account-key-none--protocol-none--endpoint-none--overwrite-false--create-if-not-exists-false--skip-validation-false-).

-The following code creates and registers the `file_datastore_name` datastore to the `ws` workspace. This datastore accesses the `my-fileshare-name` file share on the `my-account-name` storage account, by using the provided account access key. Review the [storage access & permissions](#storage-access-and-permissions) section for guidance on virtual network scenarios, and where to find required authentication credentials.

-For an Azure Data Lake Storage Generation 2 (ADLS Gen 2) datastore, use [register_azure_data_lake_gen2()](/python/api/azureml-core/azureml.core.datastore.datastore#register-azure-data-lake-gen2-workspace--datastore-name--filesystem--account-name--tenant-id--client-id--client-secret--resource-url-none--authority-url-none--protocol-none--endpoint-none--overwrite-false-) to register a credential datastore connected to an Azure DataLake Gen 2 storage with [service principal permissions](../../active-directory/develop/howto-create-service-principal-portal.md).

-In order to utilize your service principal, you need to [register your application](../../active-directory/develop/app-objects-and-service-principals.md) and grant the service principal data access via either Azure role-based access control (Azure RBAC) or access control lists (ACL). Learn more about [access control set up for ADLS Gen 2](../../storage/blobs/data-lake-storage-access-control-model.md).

-The following code creates and registers the `adlsgen2_datastore_name` datastore to the `ws` workspace. This datastore accesses the file system `test` in the `account_name` storage account, by using the provided service principal credentials.

-Review the [storage access & permissions](#storage-access-and-permissions) section for guidance on virtual network scenarios, and where to find required authentication credentials.

-In addition to creating datastores with the Python SDK and the studio, you can also use Azure Resource Manager templates or the Azure Machine Learning VS Code extension.

-There are several templates at [https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices) that can be used to create datastores.

-For information on using these templates, see [Use an Azure Resource Manager template to create a workspace for Azure Machine Learning](../how-to-create-workspace-template.md).

-If you prefer to create and manage datastores using the Azure Machine Learning VS Code extension, visit the [VS Code resource management how-to guide](../how-to-manage-resources-vscode.md#datastores) to learn more.

-After you create a datastore, [create an Azure Machine Learning dataset](how-to-create-register-datasets.md) to interact with your data. Datasets package your data into a lazily evaluated consumable object for machine learning tasks, like training.

-With datasets, you can [download or mount](how-to-train-with-datasets.md#mount-vs-download) files of any format from Azure storage services for model training on a compute target. [Learn more about how to train ML models with datasets](how-to-train-with-datasets.md).

-To get the list of datastores registered with a given workspace, you can use the [`datastores`](/python/api/azureml-core/azureml.core.workspace%28class%29#datastores) property on a workspace object:

-To get the workspace's default datastore, use this line:

-You can also change the default datastore with the following code. This ability is only supported via the SDK.

-Azure Machine Learning provides several ways to use your models for scoring. Some of these methods don't provide access to datastores. Use the following table to understand which methods allow you to access datastores during scoring:

-For situations where the SDK doesn't provide access to datastores, you might be able to create custom code by using the relevant Azure SDK to access the data. For example, the [Azure Storage SDK for Python](https://github.com/Azure/azure-storage-python) is a client library that you can use to access data stored in blobs or files.

-Azure Machine Learning supports accessing data from Azure Blob storage, Azure Files, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure SQL Database, and Azure Database for PostgreSQL. If you're using unsupported storage, we recommend that you move your data to supported Azure storage solutions by using [Azure Data Factory and these steps](../../data-factory/quickstart-hello-world-copy-data-tool.md). Moving data to supported storage can help you save data egress costs during machine learning experiments.

-Azure Data Factory provides efficient and resilient data transfer with more than 80 prebuilt connectors at no extra cost. These connectors include Azure data services, on-premises data sources, Amazon S3 and Redshift, and Google BigQuery.

-* [Create an Azure machine learning dataset](how-to-create-register-datasets.md)

-> When private access (preview) is enabled, pinging charts using the [*Pin to Grafana*](../azure-monitor/visualize/grafana-plugin.md#pin-charts-from-the-azure-portal-to-azure-managed-grafana) feature will no longer work as the Azure portal canΓÇÖt access an Azure Managed Grafana workspace on a private IP address.

- 1. Select an existing **Virtual network** to deploy the private endpoint to. If you don't have a virtual network, [create a virtual network](../private-link/create-private-endpoint-portal.md#create-a-virtual-network-and-bastion-host).

-description: Azure Operator Insights is an Azure service for monitoring and analyzing data from multiple sources

-Your VM requires at least one cloud services network. You need the egress endpoints that you want to add to the proxy for your VM to access. This list should include any domains needed to pull images or access data, such as `.azurecr.io` or `.docker.io`.

-Once you have created your VM or Kubernetes cluster with this cloud services network, you can use the proxy to reach outside of the virtual machine. Proxy is useful if you need to access resources outside of the virtual machine, such as pulling images or accessing data.

-export HTTP_PROXY=http://169.254.0.11:3128

-export http_proxy=http://169.254.0.11:3128

-Once you have set the environment variables, your virtual machine should be able to reach outside of the virtual network using the proxy.

-In order to reach the desired endpoints, you need to add the required egress endpoints to the cloud services network. Egress endpoints can be added using the `--additional-egress-endpoints` parameter when creating the network. Be sure to include any domains needed to pull images or access data, such as `.azurecr.io` or `.docker.io`.

-If you don't specify a zone when you're creating a Nexus Kubernetes cluster, the Azure Operator Nexus platform automatically implements a default anti-affinity rule. This rule aims to prevent scheduling the cluster VM on a node that already has a VM from the same cluster, but it's a best-effort approach and can't make guarantees.

-|[pg_stat_statements](https://www.postgresql.org/docs/13/pgstatstatements.html) |Track execution statistics of all SQL statements executed |1.1 |1.8 |1.8 |1.8 |1.7 |1.6 |

-| Australia Central | 20.36.105.32 | 20.36.105.32/29 |

-| Australia Central2 | 20.36.113.32 | 20.36.113.32/29 |

-| Australia East | 13.70.112.32 | 13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29 |

-| Australia South East |13.77.49.33 |13.77.49.32/29 |

-| Brazil South | 191.233.201.8, 191.233.200.16 | 191.233.200.32/29, 191.234.144.32/29|

-| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29|

-| Canada East |40.69.105.32 | 40.69.105.32/29 |

-| Central US | 52.182.136.37, 52.182.136.38 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29

-| China East | 52.130.112.139 | 52.130.112.136/29|

-| China East 2 | 40.73.82.1, 52.130.120.89 | 52.130.120.88/29|

-| China North | 52.130.128.89| 52.130.128.88/29 |

-| China North 2 |40.73.50.0 | 52.130.40.64/29|

-| East Asia |13.75.33.20, 13.75.33.21 | 13.75.32.192/29, 13.75.33.192/29|

-| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29|

-| East US 2 |52.167.105.38, 40.70.144.38|104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29|

-| France Central |40.79.129.1 | 40.79.136.32/29, 40.79.144.32/29 |

-| France South |40.79.176.40 | 40.79.176.40/29, 40.79.177.32/29|

-| Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29|

-| India Central |20.192.96.33 | 104.211.86.32/29, 20.192.96.32/29|

-| India South | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29|

-| India West | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29 |

-| Japan East | 40.79.184.8, 40.79.192.23|13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29 |

-| Japan West |40.74.96.6| 40.74.96.32/29 |

-| Korea Central | 52.231.17.13 | 20.194.64.32/29,20.44.24.32/29, 52.231.16.32/29 |

-| Korea South |52.231.145.3| 52.231.145.0/29 |

-| North Central US | 52.162.104.35, 52.162.104.36 | 52.162.105.192/29|

-| North Europe |52.138.224.6, 52.138.224.7 |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29 |

-| South Africa North | 102.133.152.0 | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29 |

-| South Africa West |102.133.24.0 | 102.133.25.32/29|

-| South Central US | 20.45.120.0 |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29|

-| South East Asia | 23.98.80.12, 40.78.233.2| 13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29 |

-| Switzerland West | 51.107.152.0| 51.107.153.32/29|

-| UAE Central | 20.37.72.64| 20.37.72.96/29, 20.37.73.96/29 |

-| UAE North |65.52.248.0 |40.120.72.32/29, 65.52.248.32/29 |

-| UK South | 51.105.64.0|51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29|

-| UK West |51.140.208.98 |51.140.208.96/29, 51.140.209.32/29 |

-| West Central US |13.71.193.34 | 13.71.193.32/29 |

-| West Europe | 13.69.105.208,104.40.169.187|104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29|

-| West US |13.86.216.212, 13.86.217.212 |13.86.217.224/29|

-| West US 2 | 13.66.136.192 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29|

-| West US 3 |20.150.184.2 | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29 |

-### What you need to know about this planned maintenance?

-description: Get information about conversions

-When the conversion service converts an asset, it writes a summary of any issues into a "result file".

-For example, if a file `buggy.gltf` is converted, the output container will contain a file called `buggy.result.json`.

-There will be at most one error (either `error` or `internal error`) and there will always be one `result`.

-The arrAsset file produced by the conversion service is solely intended for consumption by the rendering service. There may be times, however, when you want to access information about a model without starting a rendering session. To support this workflow, the conversion service places a JSON file beside the arrAsset file in the output container. For example, if a file `buggy.gltf` is converted, the output container will contain a file called `buggy.info.json` beside the converted asset `buggy.arrAsset`. It contains information about the source model, the converted model, and about the conversion itself.

-* `output`: The name of the output file, when the user has specified a non-default name.

-* `numFaces`: The total number of triangles/points in the whole model. This number contributes to the primitive limit in the [standard rendering server size](../../reference/vm-sizes.md#how-the-renderer-evaluates-the-number-of-primitives).

-This section records information calculated from the converted asset.

-Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see [Remove a guest user from your directory](./role-assignments-external-users.md#remove-a-guest-user-from-your-directory).

-If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Microsoft Entra roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md). For more information about granting access for guest users, see [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).

-# Assign Azure roles to external guest users using the Azure portal

-[Azure role-based access control (Azure RBAC)](overview.md) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in [Microsoft Entra B2B](../active-directory/external-identities/what-is-b2b.md) to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment.

-## When would you invite guest users?

-Here are a couple example scenarios when you might invite guest users to your organization and grant permissions:

-Native members of a directory (member users) have different permissions than users invited from another directory as a B2B collaboration guest (guest users). For example, members user can read almost all directory information while guest users have restricted directory permissions. For more information about member users and guest users, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).

-## Add a guest user to your directory

-Follow these steps to add a guest user to your directory using the Microsoft Entra ID page.

-1. Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. For more information, see [Configure external collaboration settings](../active-directory/external-identities/external-collaboration-settings-configure.md).

-1. Click **Microsoft Entra ID** > **Users** > **New guest user**.

- 

-1. Follow the steps to add a new guest user. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory).

-After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the accept invitation link in the invitation email.

-

-For the guest user to be able to access your directory, they must complete the invitation process.

-

-## Assign a role to a guest user

-In Azure RBAC, to grant access, you assign a role. To assign a role to a guest user, you follow [same steps](role-assignments-portal.md) as you would for a member user, group, service principal, or managed identity. Follow these steps assign a role to a guest user at different scopes.

-1. Click the specific resource for that scope.

-1. Click **Access control (IAM)**.

- 

-1. Click the **Role assignments** tab to view the role assignments at this scope.

-1. Click **Add** > **Add role assignment**.

- If you don't have permissions to assign roles, the Add role assignment option will be disabled.

- 

- The Add role assignment page opens.

- 

- 

-1. Click **Select members**.

-1. Find and select the guest user. If you don't see the user in the list, you can type in the **Select** box to search the directory for display name or email address.

- 

-1. Click **Select** to add the guest user to the Members list.

-1. On the **Review + assign** tab, click **Review + assign**.

- After a few moments, the guest user is assigned the role at the selected scope.

- 

-## Assign a role to a guest user not yet in your directory

-To assign a role to a guest user, you follow [same steps](role-assignments-portal.md) as you would for a member user, group, service principal, or managed identity.

-If the guest user is not yet in your directory, you can invite the user directly from the Select members pane.

-1. Click the specific resource for that scope.

-1. Click **Access control (IAM)**.

-1. Click **Add** > **Add role assignment**.

- If you don't have permissions to assign roles, the Add role assignment option will be disabled.

- 

- The Add role assignment page opens.

- 

-1. Click **Select members**.

- 

-1. Click **Select** to add the guest user to the Members list.

-1. On the **Review + assign** tab, click **Review + assign** to add the guest user to your directory, assign the role, and send an invite.

- 

-1. To manually invite the guest user, right-click and copy the invitation link in the notification. Don't click the invitation link because it starts the invitation process.

-1. Send the invitation link to the guest user to complete the invitation process.

-## Remove a guest user from your directory

-Before you remove a guest user from a directory, you should first remove any role assignments for that guest user. Follow these steps to remove a guest user from a directory.

-1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where the guest user has a role assignment.

-1. Click the **Role assignments** tab to view all the role assignments.

-1. In the list of role assignments, add a check mark next to the guest user with the role assignment you want to remove.

- 

-1. Click **Remove**.

- 

-1. In the remove role assignment message that appears, click **Yes**.

-1. Click the **Classic administrators** tab.

-1. If the guest user has a Co-Administrator assignment, add a check mark next to the guest user and click **Remove**.

-1. In the left navigation bar, click **Microsoft Entra ID** > **Users**.

-1. Click the guest user you want to remove.

-1. Click **Delete**.

- 

-1. In the delete message that appears, click **Yes**.

-### Guest user cannot browse the directory

-Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).

-

-If a guest user needs additional privileges in the directory, you can assign a Microsoft Entra role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).

-

-### Guest user cannot browse users, groups, or service principals to assign roles

-Guest users have restricted directory permissions. Even if a guest user is an [Owner](built-in-roles.md#owner) at a scope, if they try to assign a role to grant someone else access, they cannot browse the list of users, groups, or service principals.

-

-If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).

-### Guest user cannot register applications or create service principals

-Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).

-

-### Guest user does not see the new directory

-If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their **Directories** page, make sure the guest user has completed the invitation process. For more information about the invitation process, see [Microsoft Entra B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).

-### Guest user does not see resources

-If a guest user has been granted access to a directory, but they do not see the resources they have been granted access to in the Azure portal, make sure the guest user has selected the correct directory. A guest user might have access to multiple directories. To switch directories, in the upper left, click **Settings** > **Directories**, and then click the appropriate directory.

-

-Check that the guest user is assigned a role with least privileged permissions to the resource at the selected scope. For more information, [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).

-Sending emails from your SAP backend is a standard feature widely distributed for use cases such as alerting for batch jobs, SAP workflow state changes or invoice distribution. Many customers established the setup using [Exchange Server On-Premises](/exchange/exchange-server). With a shift to [Microsoft 365](https://www.microsoft.com/microsoft-365) and [Exchange Online](/exchange/exchange-online) comes a set of cloud-native approaches impacting that setup.

-> Microsoft disabled Basic Authentication for Exchange online as of 2020 for newly created Microsoft 365 tenants. In addition to that, the feature gets disabled for existing tenants with no prior usage of Basic Authentication starting October 2020. See our developer [blog](https://devblogs.microsoft.com/microsoft365dev/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/) for reference.

-> [!IMPORTANT]

-> SMTP Auth was exempted from the Basic Auth feature sunset

-process. However, this is a security risk for your estate, so we advise

-against it. See the latest [post](https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210)

-by our Exchange Team on the matter.

-> [!IMPORTANT]

-> Current OAuth support for SMTP is described on our [Exchange Server documentation for legacy protocols](/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth).

- :::image type="content" source="media/exchange-online-integration/scot-smicm-sec-1-3.png" alt-text="Screenshot of ICM setting":::

- Coming back to the previous screen: Click on "Set" button and check "Internet" under "Supported Address Types". Using the wildcard "\*" option will allow to send emails to all domains without restriction.

-In this section, you create a Java console project, and add code to send messages to the queue that you created earlier.

- import java.util.concurrent.CountDownLatch;

- import java.util.concurrent.CountDownLatch;

- CountDownLatch countdownLatch = new CountDownLatch(1);

- .processMessage(QueueTest::processMessage)

- .processError(context -> processError(context, countdownLatch))

- CountDownLatch countdownLatch = new CountDownLatch(1);

- .processError(context -> processError(context, countdownLatch))

- private static void processError(ServiceBusErrorContext context, CountDownLatch countdownLatch) {

- countdownLatch.countDown();

-1. If you are signed into the machine using a user account that's different from the user account added to the **Azure Service Bus Data Owner** role, follow these steps. Otherwise, skip this step and move on to run the Jar file in the next step.

-On the **Overview** page for the Service Bus namespace in the Azure portal, you can see **incoming** and **outgoing** message count. You may need to wait for a minute or so and then refresh the page to see the latest values.

- import java.util.concurrent.CountDownLatch;

- import java.util.concurrent.CountDownLatch;

- CountDownLatch countdownLatch = new CountDownLatch(1);

- .processMessage(ServiceBusTopicTest::processMessage)

- .processError(context -> processError(context, countdownLatch))

- CountDownLatch countdownLatch = new CountDownLatch(1);

- .processMessage(ServiceBusTopicTest::processMessage)

- .processError(context -> processError(context, countdownLatch))

- private static void processError(ServiceBusErrorContext context, CountDownLatch countdownLatch) {

- countdownLatch.countDown();

-1. If you are signed into the machine using a user account that's different from the user account added to the **Azure Service Bus Data Owner** role, follow these steps. Otherwise, skip this step and move on to run the Jar file in the next step.

-On the **Overview** page for the Service Bus namespace in the Azure portal, you can see **incoming** and **outgoing** message count. You may need to wait for a minute or so and then refresh the page to see the latest values.

- export INSTRUMENTATION_KEY=$(az monitor app-insights component show \

- --value ${INSTRUMENTATION_KEY}

- --properties sampling-rate=100 connection_string=${INSTRUMENTATION_KEY}

-This article provides the release notes for Azure File Sync. It is important to note that major releases of Azure File Sync include service and agent improvements (for example, 15.0.0.0). Minor releases of Azure File Sync are typically for agent improvements (for example, 15.2.0.0).

-Before deploying Azure File Sync, you should evaluate whether it is compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

-Before deploying Azure File Sync, you should evaluate whether it is compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

-Before deploying Azure File Sync, you should evaluate whether it is compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

-Before deploying Azure File Sync, you should evaluate whether it is compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

-description: This article describes blob storage and Azure Data Lake Gen 2 as output for Azure Stream Analytics.

-| Container | A logical grouping for blobs stored in the Azure Blob service. When you upload a blob to the Blob service, you must specify a container for that blob. <br /><br /> Dynamic container name is optional. It supports one and only one dynamic {field} in the container name. The field must exist in the output data, and follow the [container name policy](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).<br /><br />The field data type must be `string`. To use multiple dynamic fields, or combine static text along with dynamic field, you can define it in the query with built-in string functions, like CONCAT, LTRIM, etc. |

-As a prerequisite, you may need to read the following articles:

-1. Author your query to be embarrassingly parallel by using **PARTITION BY** keyword. See more details in the Embarrassingly parallel jobs section [on this page](stream-analytics-parallelization.md).

-2. Depending on output types used in your query, some output may either be not parallelizable, or need further configuration to be embarrassingly parallel. For example, Power BI output isn't parallelizable. Outputs are always merged before sending to the output sink. Blobs, Tables, ADLS, Service Bus, and Azure Function are automatically parallelized. SQL and Azure Synapse Analytics outputs have an option for parallelization. Event Hubs need to have the PartitionKey configuration set to match with the **PARTITION BY** field (usually PartitionId). For Event Hubs, also pay extra attention to match the number of partitions for all inputs and all outputs to avoid cross-over between partitions.

-3. Run your query with **1 SU V2** (which is the full capacity of a single computing node) to measure maximum achievable throughput, and if you're using **GROUP BY**, measure how many groups (cardinality) the job can handle. General symptoms of the job hitting system resource limits are the following.

- - SU % utilization metric is over 80%. This indicates memory usage is high. The factors contributing to the increase of this metric are described [here](stream-analytics-streaming-unit-consumption.md).

- - Output timestamp is falling behind with respect to wall clock time. Depending on your query logic, the output timestamp may have a logic offset from the wall clock time. However, they should progress at roughly the same rate. If the output timestamp is falling further and further behind, itΓÇÖs an indicator that the system is overworking. It can be a result of downstream output sink throttling, or high CPU utilization. We donΓÇÖt provide CPU utilization metric at this time, so it can be difficult to differentiate the two.

- - If the issue is due to sink throttling, you may need to increase the number of output partitions (and also input partitions to keep the job fully parallelizable), or increase the amount of resources of the sink (for example number of Request Units for Cosmos DB).

- - In job diagram, there's a per partition backlog event metric for each input. If the backlog event metric keeps increasing, itΓÇÖs also an indicator that the system resource is constrained (either because of output sink throttling, or high CPU).

-4. Once you have determined the limits of what a 1 SU V2 job can reach, you can extrapolate linearly the processing capacity of the job as you add more SUs, assuming you donΓÇÖt have any data skew that makes certain partition "hot."

-> Choose the right number of Streaming Units:

-If your query isn't embarrassingly parallel, you can follow the following steps.

-1. Start with a query with no **PARTITION BY** first to avoid partitioning complexity, and run your query with 1 SU V2 to measure maximum load as in [Case 1](#case-1--your-query-is-inherently-fully-parallelizable-across-input-partitions).

-2. If you can achieve your anticipated load in term of throughput, you're done. Alternatively, you may choose to measure the same job running with fractional nodes at 2/3 SU V2 and 1/3 SU V2, to find out the minimum number of streaming units that works for your scenario.

-3. If you canΓÇÖt achieve the desired throughput, try to break your query into multiple steps if possible if it doesnΓÇÖt have multiple steps already, and allocate up to 1 SU V2 for each step in the query. For example if you have 3 steps, allocate 3 SU V2s in the "Scale" option.

-4. When running such a job, Stream Analytics puts each step on its own node with dedicated 1 SU V2 resource.

-5. If you still havenΓÇÖt achieved your load target, you can attempt to use **PARTITION BY** starting from steps closer to the input. For **GROUP BY** operator that may not be naturally partitionable, you can use the local/global aggregate pattern to perform a partitioned **GROUP BY** followed by a non-partitioned **GROUP BY**. For example, if you want to count how many cars going through each toll booth every 3 minutes, and the volume of the data is beyond what can be handled by 1 SU V2.

-In the query above, you're counting cars per toll booth per partition, and then adding the count from all partitions together.

-Once partitioned, for each partition of the step, allocate 1 SU V2 so each partition can be placed on its own processing node.

-> If your query cannot be partitioned, adding additional SU in a multi-steps query may not always improve throughput. One way to gain performance is to reduce volume on the initial steps using local/global aggregate pattern, as described above in step 5.

-For certain ISV use cases, where itΓÇÖs more cost-efficient to process data from multiple tenants in a single job, using separate inputs and outputs for each tenant, you may end up running quite a few (for example 20) independent queries in a single job. The assumption is each such subqueryΓÇÖs load is relatively small.

-In this case, you can follow the following steps.

-1. In this case, don't use **PARTITION BY** in the query

-2. Reduce the input partition count to the lowest possible value of 2 if you're using Event Hubs.

-3. Run the query with 1 SU V2. With expected load for each subquery, add as many such subqueries as possible, until the job is hitting system resource limits. Refer to [Case 1](#case-1--your-query-is-inherently-fully-parallelizable-across-input-partitions) for the symptoms when this happens.

-4. Once you're hitting the subquery limit measured above, start adding the subquery to a new job. The number of jobs to run as a function of the number of independent queries should be fairly linear, assuming you donΓÇÖt have any load skew. You can then forecast how many 1 SU V2 jobs you need to run as a function of the number of tenants you would like to serve.

-5. When using reference data join with such queries, union the inputs together before joining with the same reference data. Then, split out the events if necessary. Otherwise, each reference data join keeps a copy of reference data in memory, likely blowing up the memory usage unnecessarily.

-With Azure Stream Analytics, you can quickly stand up real-time dashboards and alerts. A simple solution ingests events from Event Hubs or IoT Hub, and [feeds the Power BI dashboard with a streaming data set](/power-bi/service-real-time-streaming). For more information, see the detailed tutorial [Analyze fraudulent call data with Stream Analytics and visualize results in Power BI dashboard](stream-analytics-real-time-fraud-detection.md).

-

-This solution can be built in just a few minutes from Azure portal. There is no extensive coding involved, and SQL language is used to express the business logic.

-The Power BI dashboard offers low latency, but it cannot be used to produce full fledged Power BI reports. A common reporting pattern is to output your data to SQL Database first. Then use Power BI's SQL connector to query SQL for the latest data.

-

-Using SQL Database gives you more flexibility but at the expense of a slightly higher latency. This solution is optimal for jobs with latency requirements greater than one second. With this method, you can maximize Power BI capabilities to further slice and dice the data for reports, and much more visualization options. You also gain the flexibility of using other dashboard solutions, such as Tableau.

-SQL is not a high throughput data store. The maximum throughput to SQL Database from Azure Stream Analytics is currently around 24 MB/s. If the event sources in your solution produce data at a higher rate, you need to use processing logic in Stream Analytics to reduce the output rate to SQL. Techniques such as filtering, windowed aggregates, pattern matching with temporal joins, and analytic functions can be used. The output rate to SQL can be further optimized using techniques described in [Azure Stream Analytics output to Azure SQL Database](stream-analytics-sql-output-perf.md).

-The second most popular use of Stream Analytics is to generate real-time alerts. In this solution pattern, business logic in Stream Analytics can be used to detect [temporal and spatial patterns](stream-analytics-geospatial-functions.md) or [anomalies](stream-analytics-machine-learning-anomaly-detection.md), then produce alerting signals. However, unlike the dashboard solution where Stream Analytics uses Power BI as a preferred endpoint, a number of intermediate data sinks can be used. These sinks include Event Hubs, Service Bus, and Azure Functions. You, as the application builder, need to decide which data sink works best for your scenario.

-Downstream event consumer logic must be implemented to generate alerts in your existing business workflow. Because you can implement custom logic in Azure Functions, Azure Functions is the fastest way you can perform this integration. A tutorial for using Azure Function as the output for a Stream Analytics job can be found in [Run Azure Functions from Azure Stream Analytics jobs](stream-analytics-with-azure-functions.md). Azure Functions also supports various types of notifications including text and email. Logic App may also be used for such integration, with Event Hubs between Stream Analytics and Logic App.

-

-Event Hubs, on the other hand, offers the most flexible integration point. Many other services, like Azure Data Explorer and Time Series Insights can consume events from Event Hubs. Services can be connected directly to the Event Hubs sink from Azure Stream Analytics to complete the solution. Event Hubs is also the highest throughput messaging broker available on Azure for such integration scenarios.

-You can create custom real-time visualizations, such as dashboard or map visualization, using Azure Stream Analytics and Azure SignalR Service. Using SignalR, web clients can be updated and show dynamic content in real-time.

-

-

-In real applications where processing logic is complex and there is the need to upgrade certain parts of the logic independently, multiple Stream Analytics jobs can be composed together with Event Hubs as the intermediary event broker.

-

-This pattern improves the resiliency and manageability of the system. However, even though Stream Analytics guarantees exactly once processing, there is a small chance that duplicate events may land in the intermediary Event Hubs. It's important for the downstream Stream Analytics job to dedupe events using logic keys in a lookback window. For more information on event delivery, see [Event Delivery Guarantees](/stream-analytics-query/event-delivery-guarantees-azure-stream-analytics) reference.

-

-

-Another common pattern is real-time data warehousing, also called streaming data warehouse. In addition to events arriving at Event Hubs and IoT Hub from your application, [Azure Stream Analytics running on IoT Edge](stream-analytics-edge.md) can be used to fulfill data cleansing, data reduction, and data store and forward needs. Stream Analytics running on IoT Edge can gracefully handle bandwidth limitation and connectivity issues in the system. Stream Analytics can support throughput rates of upto 200MB/sec while writing to Azure Synapse Analytics.

-

-Most data science and analytics activities still happen offline. Data can be archived by Azure Stream Analytics through Azure Data Lake Store Gen2 output and Parquet output formats. This capability removes the friction to feed data directly into Azure Data Lake Analytics, Azure Databricks, and Azure HDInsight. Azure Stream Analytics is used as a near real-time ETL engine in this solution. You can explore archived data in Data Lake using various compute engines.

-> [!div class="mx-imgBorder"]

-> 

-

-

-An Azure Stream Analytics job can be run 24/7 to process incoming events continuously in real time. Its uptime guarantee is crucial to the health of the overall application. While Stream Analytics is the only streaming analytics service in the industry that offers a [99.9% availability guarantee](https://azure.microsoft.com/support/legal/sl).

-

- First and foremost, you need to make sure the job is running. Without the job in the running state, no new metrics or logs are generated. Jobs can change to a failed state for various reasons, including having a high SU utilization level (i.e., running out of resources).

-For alerting applications, the most important thing is to detect the next alert. You may choose to restart the job from the current time when recovering, ignoring past alerts. The job start time semantics are by the first output time, not the first input time. The input is rewound backwards an appropriate amount of time to guarantee the first output at the specified time is complete and correct. You won't get partial aggregates and trigger alerts unexpectedly as a result.

-You may also choose to start output from some amount of time in the past. Both Event Hubs and IoT Hub's retention policies hold a reasonable amount of data to allow processing from the past. The tradeoff is how fast you can catch up to the current time and start to generate timely new alerts. Data loses its value rapidly over time, so it's important to catch up to the current time quickly. There are two ways to catch up quickly:

-In the extreme scenario that incoming events are all delayed, [it's possible all the delayed events are dropped](stream-analytics-time-handling.md) if you have applied a late arriving window to your job. The dropping of the events may appear to be a mysterious behavior at the beginning; however, considering Stream Analytics is a real-time processing engine, it expects incoming events to be close to the wall clock time. It has to drop events that violate these constraints.

-The backfill process has to be done with an offline batch processing system, which most likely has a different programming model than Azure Stream Analytics. This means you have to re-implement the entire processing logic.

-It's not hard to imagine that all the solution patterns mentioned above can be combined together in a complex end-to-end system. The combined system can include dashboards, alerting, event sourcing application, data warehousing, and offline analytics capabilities.

-You now have seen a variety of solution patterns using Azure Stream Analytics. Next, you can dive deep and create your first Stream Analytics job:

-> - GPU-accelerated pools are only available with the Apache Spark 3.1 and 3.2 runtime.

-Within Azure Synapse Analytics, users can quickly get started with Horovod using the default Apache Spark 3 runtime.For Spark ML pipeline applications using PyTorch, users can use the horovod.spark estimator API. This notebook uses an Apache Spark dataframe to perform distributed training of a distributed neural network (DNN) model on MNIST dataset. This tutorial leverages PyTorch and the Horovod Estimator to run the training process.

-At the start of the session, we will need to configure a few Apache Spark settings. In most cases, we only needs to set the numExecutors and spark.rapids.memory.gpu.reserve. For very large models, users may also need to configure the ```spark.kryoserializer.buffer.max``` setting. For Tensorflow models, users will need to set the ```spark.executorEnv.TF_FORCE_GPU_ALLOW_GROWTH``` to be true.

-In the example below, you can see how the Spark configurations can be passed with the ```%%configure``` command. The detailed meaning of each parameter is explained in the [Apache Spark configuration documentation](https://spark.apache.org/docs/latest/configuration.html). The values provided below are the suggested, best practice values for Azure Synapse GPU-large pools.

-In this tutorial, we will leverage PySpark to read and process the dataset. We will then use PyTorch and Horovod to build the distributed neural network (DNN) model and run the training process. To get started, we will need to import the following dependencies:

-We will need the Azure Data Lake Storage (ADLS) account for storing intermediate and model data. If you are using an alternative storage account, be sure to set up the [linked service](../../data-factory/concepts-linked-services.md) to automatically authenticate and read from the account. In addition, you will need to modify the following properties below: ```remote_url```, ```account_name```, and ```linked_service_name```.

-Once we have finished processing our dataset, we can now define our PyTorch model. The same code could also be used to train a single-node PyTorch model.

-Once the training process has finished, we can then evaluate the model on the test dataset.

-Within Azure Synapse Analytics, users can quickly get started with Horovod using the default Apache Spark 3 runtime.For Spark ML pipeline applications using TensorFlow, users can use ```HorovodRunner```. This notebook uses an Apache Spark dataframe to perform distributed training of a distributed neural network (DNN) model on MNIST dataset. This tutorial leverages TensorFlow and the ```HorovodRunner``` to run the training process.

-At the start of the session, we will need to configure a few Apache Spark settings. In most cases, we only needs to set the ```numExecutors``` and ```spark.rapids.memory.gpu.reserve```. For very large models, users may also need to configure the ```spark.kryoserializer.buffer.max``` setting. For TensorFlow models, users will need to set the ```spark.executorEnv.TF_FORCE_GPU_ALLOW_GROWTH``` to be true.

-In the example below, you can see how the Spark configurations can be passed with the ```%%configure``` command. The detailed meaning of each parameter is explained in the [Apache Spark configuration documentation](https://spark.apache.org/docs/latest/configuration.html). The values provided below are the suggested, best practice values for Azure Synapse GPU-large pools.

-For this tutorial, we will use the following configurations:

-We will need the Azure Data Lake Storage (ADLS) account for storing intermediate and model data. If you are using an alternative storage account, be sure to set up the [linked service](../../data-factory/concepts-linked-services.md) to automatically authenticate and read from the account.

-In this example, we will read from the primary Azure Synapse Analytics storage account. To do this, you will need to modify the following properties below: ```remote_url```.

-Next, we will prepare the dataset for training. In this tutorial, we will use the MNIST dataset from [Azure Open Datasets](../../open-datasets/dataset-mnist.md?tabs=azureml-opendatasets).

-Once we have finished processing our dataset, we can now define our TensorFlow model. The same code could also be used to train a single-node TensorFlow model.

-First, we will train our TensorFlow model on the driver node of the Apache Spark pool. Once we have finished the training process, we will evaluate the model and print the loss and accuracy scores.

-To do this, we will first define a training function for ```HorovodRunner```.

-Once we have defined the model, we will run the training process.

-The code below shows how to save the checkpoints to the Azure Data Lake Storage (ADLS) account.

-Once we have finished training our model, we can then take a look at the loss and accuracy for the final model.

-Petastorm is an open source data access library which enables single-node or distributed training of deep learning models. This library enables training directly from datasets in Apache Parquet format and datasets that have already been loaded as an Apache Spark DataFrame. Petastorm supports popular training frameworks such as Tensorflow and PyTorch.

-At the start of the session, we will need to configure a few Apache Spark settings. In most cases, we only needs to set the ```numExecutors``` and ```spark.rapids.memory.gpu.reserve```. In the example below, you can see how the Spark configurations can be passed with the ```%%configure``` command. The detailed meaning of each parameter is explained in the [Apache Spark configuration documentation](https://spark.apache.org/docs/latest/configuration.html).

-In the sample below, we create a dataset using PySpark. We write the dataset to an Azure Data Lake Storage Gen2 account.

-In the example below, you can see how you can pass an ```abfs``` URL protocol.

-If you are using an alternative storage account, be sure to set up the [linked service](../../data-factory/concepts-linked-services.md) to automatically authenticate and read from the account. In addition, you will need to modify the following properties below: ```remote_url```, ```account_name```, and ```linked_service_name```.

-In the example below, you can see how you can pass an ```abfs``` URL protocol to read data in batches. This example uses the ```make_batch_reader``` class.

-To read a Petastorm dataset from PyTorch, you can use the adapter ```petastorm.pytorch.DataLoader``` class. This allows for custom PyTorch collating functions and transforms to be supplied.

- | **Node size family** | Hardware Accelerated | Choose Hardware Accelerated from the drop down menu |

-description: An article that teaches you to configure connectivity settings in Azure Synapse Analytics

-This article will explain connectivity settings in Azure Synapse Analytics and how to configure them where applicable.

-## Public network access

-Selecting the **Disable** option will not apply any firewall rules that you may configure. Additionally, your firewall rules will appear greyed out in the Network setting in Synapse portal. Your firewall configurations will be reapplied when you enable public network access again.

-1. Select the **Networking** tab when you create your workspace in [Azure portal](https://aka.ms/azureportal).

-2. Under Managed virtual network, select **Enable** to associate your workspace with managed virtual network and permit public network access.

- :::image type="content" source="./media/connectivity-settings/create-synapse-workspace-managed-virtual-network-1.png" alt-text="Create Synapse workspace, networking tab, Managed virtual network setting" lightbox="media/connectivity-settings/create-synapse-workspace-managed-virtual-network-1.png":::

-3. Under **Public network access**, select **Disable** to deny public access to your workspace. Select **Enable** if you want to allow public access to your workspace.

- :::image type="content" source="./media/connectivity-settings/create-synapse-workspace-public-network-access-2.png" alt-text="Create Synapse workspace, networking tab, public network access setting" lightbox="media/connectivity-settings/create-synapse-workspace-public-network-access-2.png":::

-4. Complete the rest of the workspace creation flow.

-1. Select your Synapse workspace in [Azure portal](https://aka.ms/azureportal).

-2. Select **Networking** from the left navigation.

-3. Select **Disabled** to deny public access to your workspace. Select **Enabled** if you want to allow public access to your workspace.

- :::image type="content" source="./media/connectivity-settings/synapse-workspace-networking-public-network-access-3.png" alt-text="In an existing Synapse workspace, networking tab, public network access setting is enabled" lightbox="media/connectivity-settings/synapse-workspace-networking-public-network-access-3.png":::

-4. When disabled, the **Firewall rules** gray out to indicate that firewall rules are not in effect. Firewall rule configurations will be retained.

- :::image type="content" source="./media/connectivity-settings/synapse-workspace-networking-firewall-rules-4.png" alt-text="In an existing Synapse workspace, networking tab, public network access setting is disabled, attention to the firewall rules" lightbox="media/connectivity-settings/synapse-workspace-networking-firewall-rules-4.png":::

-

-5. Select **Save** to save the change. A notification will confirm that the network setting was successfully saved.

-The connection policy for Synapse SQL in Azure Synapse Analytics is set to *Default*. You cannot change this in Azure Synapse Analytics. You can learn more about how that affects connections to Synapse SQL in Azure Synapse Analytics [here](/azure/azure-sql/database/connectivity-architecture#connection-policy).

-Starting in December 2021, a requirement for TLS 1.2 has been implemented for workspace-managed dedicated SQL pools in new Synapse workspaces. Login attempts from connections using a TLS version lower than 1.2 will fail. Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces, so users who need to use a lower client version in the workspaces can connect. Customers can also raise the minimum TLS version to meet their security needs. Learn more by reading [minimal TLS REST API](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update).

-## Next steps

-With built-in support for NVIDIAΓÇÖs [RAPIDS Accelerator for Apache Spark](https://nvidia.github.io/spark-rapids/), GPU-accelerated Spark pools in Azure Synapse can provide significant performance improvements compared to standard analytical benchmarks without requiring any code changes. Built on top of NVIDIA CUDA and UCX, NVIDIA RAPIDS enables GPU-accelerated SQL, DataFrame operations, and Spark shuffles. Since there are no code changes required to leverage these accelerations, users can also accelerate their data pipelines that rely on Linux FoundationΓÇÖs Delta Lake or MicrosoftΓÇÖs Hyperspace indexing.

-Many organizations rely on large batch scoring jobs to frequently execute during narrow windows of time. To achieve improved batch scoring jobs, you can also use GPU-accelerated Spark pools with MicrosoftΓÇÖs [Hummingbird library](https://github.com/Microsoft/hummingbird). With Hummingbird, users can take their traditional, tree-based ML models and compile them into tensor computations. Hummingbird allows users to then seamlessly leverage native hardware acceleration and neural network frameworks to accelerate their ML model scoring without needing to rewrite their models.

-# Apache Spark GPU-accelerated pools in Azure Synapse Analytics

-description: How to customize feed for Azure Virtual Desktop users with PowerShell cmdlets.

-This article assumes you've already downloaded and installed the Azure Virtual Desktop PowerShell module. If you haven't, follow the instructions in [Set up the PowerShell module](powershell-module.md).

-## Customize the display name for a session host

-You can change the display name for a remote desktop for your users by setting its session host friendly name. By default, the session host friendly name is empty, so users only see the app name. You can set the session host friendly name using REST API.

->[!NOTE]

->The following instructions only apply to personal desktops, not pooled desktops. Also, personal host pools only allow and support desktop application groups.

-## Customize the display name for a RemoteApp

-You can change the display name for a published RemoteApp by setting the friendly name. By default, the friendly name is the same as the name of the RemoteApp program.

-To retrieve a list of published applications for an application group, run the following PowerShell cmdlet:

-```powershell

-Get-AzWvdApplication -ResourceGroupName <resourcegroupname> -ApplicationGroupName <appgroupname>

-```

-To assign a friendly name to a RemoteApp, run the following cmdlet with the required parameters:

-```powershell

-Update-AzWvdApplication -ResourceGroupName <resourcegroupname> -ApplicationGroupName <appgroupname> -Name <applicationname> -FriendlyName <newfriendlyname>

-```

-For example, let's say you retrieved the current applications with the following example cmdlet:

-```powershell

-Get-AzWvdApplication -ResourceGroupName 0301RG -ApplicationGroupName 0301RAG | format-list

-```

-The output would look like this:

-```powershell

-CommandLineArgument :

-CommandLineSetting : DoNotAllow

-Description :

-FilePath : C:\Program Files\Windows NT\Accessories\wordpad.exe

-FriendlyName : Microsoft Word

-IconContent : {0, 0, 1, 0…}

-IconHash : --iom0PS6XLu-EMMlHWVW3F7LLsNt63Zz2K10RE0_64

-IconIndex : 0

-IconPath : C:\Program Files\Windows NT\Accessories\wordpad.exe

-Id : /subscriptions/<subid>/resourcegroups/0301RG/providers/Microsoft.DesktopVirtualization/applicationgroups/0301RAG/applications/Microsoft Word

-Name : 0301RAG/Microsoft Word

-ShowInPortal : False

-Type : Microsoft.DesktopVirtualization/applicationgroups/applications

-```

-To update the friendly name, run this cmdlet:

-```powershell

-Update-AzWvdApplication -GroupName 0301RAG -Name "Microsoft Word" -FriendlyName "WordUpdate" -ResourceGroupName 0301RG -IconIndex 0 -IconPath "C:\Program Files\Windows NT\Accessories\wordpad.exe" -ShowInPortal:$true -CommandLineSetting DoNotallow -FilePath "C:\Program Files\Windows NT\Accessories\wordpad.exe"

-```

-To confirm you've successfully updated the friendly name, run this cmdlet:

-```powershell

-Get-AzWvdApplication -ResourceGroupName 0301RG -ApplicationGroupName 0301RAG | format-list FriendlyName

-```

-The cmdlet should give you the following output:

-```powershell

-FriendlyName : WordUpdate

-```

-## Customize the display name for a Remote Desktop

-You can change the display name for a published remote desktop by setting a friendly name. If you manually created a host pool and desktop application group through PowerShell, the default friendly name is "Session Desktop." If you created a host pool and desktop application group through the GitHub Azure Resource Manager template or the Azure Marketplace offering, the default friendly name is the same as the host pool name.

-To retrieve the remote desktop resource, run the following PowerShell cmdlet:

-```powershell

-Get-AzWvdDesktop -ResourceGroupName <resourcegroupname> -ApplicationGroupName <appgroupname> -Name <applicationname>

-```

-To assign a friendly name to the remote desktop resource, run the following PowerShell cmdlet:

-```powershell

-Update-AzWvdDesktop -ResourceGroupName <resourcegroupname> -ApplicationGroupName <appgroupname> -Name <applicationname> -FriendlyName <newfriendlyname>

-```

-## Customize a display name in the Azure portal

-You can change the display name for a published remote desktop by setting a friendly name using the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Search for **Azure Virtual Desktop**.

-3. Under Services, select **Azure Virtual Desktop**.

-4. On the Azure Virtual Desktop page, select **Application groups** on the left side of the screen, then select the name of the application group you want to edit. (For example, if you want to edit the display name of the desktop application group, select the application group named **Desktop**.)

-5. Select **Applications** in the menu on the left side of the screen.

-6. Select the application you want to update, then enter a new **Display name**.

-7. Select **Save**. The application you edited should now display the updated name.

-## Next steps

-Now that you've customized the feed for users, you can sign in to an Azure Virtual Desktop client to test it out. To do so, continue to the Connect to Azure Virtual Desktop How-tos:

- * [Connect with Windows](./users/connect-windows.md)

- * [Connect with the web client](./users/connect-web.md)

- * [Connect with the Android client](./users/connect-android-chrome-os.md)

- * [Connect with the iOS client](./users/connect-ios-ipados.md)

- * [Connect with the macOS client](./users/connect-macos.md)

-Cost information isn't presented during the virtual machine creation process for Terraform like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-Cost information isn't presented during the virtual machine creation process for Bicep like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-Cost information isn't presented during the virtual machine creation process for CLI like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

- If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-Cost information isn't presented during the virtual machine creation process for PowerShell like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-Cost information isn't presented during the virtual machine creation process for ARM templates like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-Cost information isn't presented during the virtual machine creation process for Terraform like it is for the [Azure portal](quick-create-portal.md). If you want to learn more about how cost works for virtual machines, see the [Cost optimization Overview page](../plan-to-manage-costs.md).

-This quickstart shows you how to create a virtual network with two virtual machines (VMs), and then deploy Azure Bastion on the virtual network, by using Bicep templates. You then securely connect to the VMs from the internet by using Azure Bastion, and communicate privately between the VMs.

- 1. [Install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. You need Azure CLI version 2.0.28 or later. Run [az version](/cli/azure/reference-index?#az-version) to find your installed version and dependent libraries, and run [az upgrade](/cli/azure/reference-index?#az-upgrade) to upgrade.

-This quickstart uses the [Two VMs in VNET](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.compute/2-vms-internal-load-balancer/main.bicep) Bicep template from [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates) to create the virtual network, resource subnet, and VMs. The Bicep template defines the following Azure resources:

-1. Deploy the Bicep file by using either Azure CLI or Azure PowerShell.

-Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see [Azure Bastion](~/articles/bastion/bastion-overview.md).

->[!NOTE]

->[!INCLUDE [Pricing](../../includes/bastion-pricing.md)]

-Use the [Azure Bastion as a service](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/azure-bastion/main.bicep) Bicep template from [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates) to deploy and configure Azure Bastion in your virtual network. This Bicep template defines the following Azure resources:

-

- The first 18 lines of your Bicep file should now look like this:

-

-1. Deploy the Bicep file by using either Azure CLI or Azure PowerShell.

->[!NOTE]

->VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see [Dissociate a public IP address from an Azure VM](ip-services/remove-public-ip-address-vm.md).

-Use Azure CLI, Azure PowerShell, or the Azure portal to review the deployed resources.

-1. In the [Azure portal](https://portal.azure.com), search for and select *resource groups*, and on the **Resource groups** page, select **TestRG** from the list of resource groups.

-1. On the **Overview** page for **TestRG**, review all the resources that you created, including the virtual network, the two VMs, and the Azure Bastion host.

-1. Select the **VNet** virtual network, and on the **Overview** page for **VNet**, note the defined address space of **10.0.0.0/16**.

-1. Select **Subnets** from the left menu, and on the **Subnets** page, note the deployed subnets of **backendSubnet** and **AzureBastionSubnet** with the assigned values from the Bicep files.

- :::image type="content" source="./media/quick-create-bicep/connect-to-virtual-machine.png" alt-text="Screenshot of connecting to VM1 with Azure Bastion." border="true":::

-1. On the **Bastion** page, enter the username and password you created for the VM, and then select **Connect**.

-1. From the desktop of BackendVM1, open PowerShell.

- The ping fails because it uses the Internet Control Message Protocol (ICMP). By default, ICMP isn't allowed through Windows firewall.

-1. To allow ICMP to inbound through Windows firewall on this VM, enter the following command:

-1. Close the Bastion connection to BackendVM1.

-1. Repeat the steps in [Connect to a VM](#connect-to-a-vm) to connect to BackendVM0.

-1. From PowerShell on BackendVM0, enter `ping BackendVM1`.

- This time you get a success reply similar to the following message, because you allowed ICMP through the firewall on VM1.

-1. Close the Bastion connection to BackendVM0.

-When you're done with the virtual network, use Azure CLI, Azure PowerShell, or the Azure portal to delete the resource group and all its resources.

-1. On the **Delete a resource group** page, under **Enter resource group name to confirm deletion**, enter *TestRG*, and then select **Delete**.

-In this quickstart, you created a virtual network with two subnets, one containing two VMs and the other for Azure Bastion. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see [Create, change, or delete a virtual network](manage-virtual-network.md).

-Private communication between VMs is unrestricted in a virtual network. Continue to the next article to learn more about configuring different types of VM network communications.

-description: Learn how to use Azure CLI to create and connect through an Azure virtual network and virtual machines.

-#Customer intent: I want to use Azure CLI to create a virtual network so that virtual machines can communicate privately with each other and with the internet.

-# Quickstart: Use Azure CLI to create a virtual network

-This quickstart shows you how to create a virtual network by using Azure CLI, the Azure command-line interface. You then create two virtual machines (VMs) in the network, securely connect to the VMs from the internet, and communicate privately between the VMs.

-1. Use [az group create](/cli/azure/group#az-group-create) to create a resource group to host the virtual network. Use the following code to create a resource group named **test-rg** in the **eastus2** Azure region.

- ```azurecli-interactive

- az group create \

- --name test-rg \

- --location eastus2

- ```

-1. Use [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) to create a virtual network named **vnet-1** with a subnet named **subnet-1** in the **test-rg** resource group.

- ```azurecli-interactive

- az network vnet create \

- --name vnet-1 \

- --resource-group test-rg \

- --address-prefix 10.0.0.0/16 \

- --subnet-name subnet-1 \

- --subnet-prefixes 10.0.0.0/24

- ```

-Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration.

-1. Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create an Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources and must be named **AzureBastionSubnet**.

-1. Create a public IP address for Azure Bastion. This IP address is used to connect to the Bastion host from the internet. Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a public IP address named **public-ip** in the **test-rg** resource group.

-1. Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create an Azure Bastion host in the AzureBastionSubnet of your virtual network.

-It takes about 10 minutes for the Bastion resources to deploy. You can create VMs in the next section while Bastion deploys to your virtual network.

-Use [az vm create](/cli/azure/vm#az-vm-create) to create two VMs named **VM1** and **VM2** in the **subnet-1** subnet of the virtual network. When you're prompted for credentials, enter user names and passwords for the VMs.

->[!TIP]

->You can also use the `--no-wait` option to create a VM in the background while you continue with other tasks.

-The VMs take a few minutes to create. After Azure creates each VM, Azure CLI returns output similar to the following message:

->[!NOTE]

->VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see [Dissociate a public IP address from an Azure VM](ip-services/remove-public-ip-address-vm.md).

-1. In the **Overview** of **vm-1**, select **Connect**.

-1. In the **Connect to virtual machine** page, select the **Bastion** tab.

-1. Enter the username and password you created when you created the VM, and then select **Connect**.

-## Communicate between VMs

-1. Close the Bastion connection to VM1.

-1. Repeat the steps in [Connect to a virtual machine](#connect-to-a-virtual-machine) to connect to VM2.

-1. Close the Bastion connection to VM2.

-When you're done with the virtual network and the VMs, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all its resources.

-In this quickstart, you created a virtual network with a default subnet that contains two VMs. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see [Create, change, or delete a virtual network](manage-virtual-network.md).

-Private communication between VMs in a virtual network is unrestricted by default. Continue to the next article to learn more about configuring different types of VM network communications.

-#Customer intent: I want to use the Azure portal to create a virtual network so that virtual machines can communicate privately with each other and with the internet.

-This quickstart shows you how to create a virtual network by using the Azure portal. You then create two virtual machines (VMs) in the network, deploy Azure Bastion to securely connect to the VMs from the internet, and communicate privately between the VMs.

-1. In the **Overview** of **vm-1**, select **Connect**.

-1. In the **Connect to virtual machine** page, select the **Bastion** tab.

-1. Enter the username and password you created when you created the VM, and then select **Connect**.

-## Communicate between VMs

-1. Close the Bastion connection to VM1.

-1. Repeat the steps in [Connect to a virtual machine](#connect-to-a-virtual-machine) to connect to VM2.

-1. Close the Bastion connection to VM2.

-In this quickstart, you created a virtual network with two subnets, one containing two VMs and the other for Azure Bastion. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see [Create, change, or delete a virtual network](manage-virtual-network.md).

-Private communication between VMs is unrestricted in a virtual network. Continue to the next article to learn more about configuring different types of VM network communications.

-#Customer intent: I want to use PowerShell to create a virtual network so that virtual machines can communicate privately with each other and with the internet.

-This quickstart shows you how to create a virtual network by using Azure PowerShell. You then create two virtual machines (VMs) in the network, securely connect to the VMs from the internet, and communicate privately between the VMs.

- The steps in this quickstart run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

-1. Use [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup) to create a resource group to host the virtual network. Run the following code to create a resource group named **test-rg** in the **eastus2** Azure region.

- ```azurepowershell-interactive

- $rg = @{

- Name = 'test-rg'

- Location = 'eastus2'

- }

- New-AzResourceGroup @rg

- ```

-

-1. Use [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork) to create a virtual network named **vnet-1** with IP address prefix **10.0.0.0/16** in the **test-rg** resource group and **eastus2** location.

-1. Azure deploys resources to a subnet within a virtual network. Use [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/add-azvirtualnetworksubnetconfig) to create a subnet configuration named **subnet-1** with address prefix **10.0.0.0/24**.

-1. Then associate the subnet configuration to the virtual network with [Set-AzVirtualNetwork](/powershell/module/az.network/Set-azVirtualNetwork).

-Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see [Azure Bastion](/azure/bastion/bastion-overview).

-1. Configure an Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources and must be named **AzureBastionSubnet**.

-1. Set the configuration.

-1. Create a public IP address for Azure Bastion. The bastion host uses the public IP to access secure shell (SSH) and remote desktop protocol (RDP) over port 443.

-1. Use the [New-AzBastion](/powershell/module/az.network/new-azbastion) command to create a new Standard SKU Azure Bastion host in the AzureBastionSubnet.

-It takes about 10 minutes for the Bastion resources to deploy. You can create VMs in the next section while Bastion deploys to your virtual network.

-Use [New-AzVM](/powershell/module/az.compute/new-azvm) to create two VMs named **vm-1** and **vm-2** in the **subnet-1** subnet of the virtual network. When you're prompted for credentials, enter user names and passwords for the VMs.

- # Set the administrator and password for the VMs. ##

- ## Create network interface for virtual machine. ##

- ## Create a virtual machine configuration for VMs ##

- ## Create the virtual machine for VMs ##

- # Set the administrator and password for the VMs. ##

- ## Create network interface for virtual machine. ##

- ## Create a virtual machine configuration for VMs ##

- ## Create the virtual machine for VMs ##

-

->[!TIP]

->You can use the `-AsJob` option to create a VM in the background while you continue with other tasks. For example, run `New-AzVM @vm1 -AsJob`. When Azure starts creating the VM in the background, you get something like the following output:

->```powershell

->Id Name PSJobTypeName State HasMoreData Location Command

->-- - - -- -- -- -

->1 Long Running... AzureLongRun... Running True localhost New-AzVM

->```

->[!NOTE]

->VMs in a virtual network with a Bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in Bastion-hosted virtual networks. For more information, see [Dissociate a public IP address from an Azure VM](ip-services/remove-public-ip-address-vm.md).

-1. In the **Overview** of **vm-1**, select **Connect**.

-1. In the **Connect to virtual machine** page, select the **Bastion** tab.

-1. Enter the username and password you created when you created the VM, and then select **Connect**.

-## Communicate between VMs

-1. Close the Bastion connection to VM1.

-1. Repeat the steps in [Connect to a virtual machine](#connect-to-a-virtual-machine) to connect to VM2.

-1. Close the Bastion connection to VM2.

-When you're done with the virtual network and the VMs, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all its resources.

-In this quickstart, you created a virtual network with a default subnet that contains two VMs. You deployed Azure Bastion and used it to connect to the VMs, and securely communicated between the VMs. To learn more about virtual network settings, see [Create, change, or delete a virtual network](manage-virtual-network.md).

-Private communication between VMs in a virtual network is unrestricted. Continue to the next article to learn more about configuring different types of VM network communications.

-description: Learn how to use a Resource Manager template to create an Azure virtual network.

-# Quickstart: Create a virtual network - Resource Manager template

-In this quickstart, you learn how to create a virtual network with two subnets using the Azure Resource Manager template. A virtual network is the fundamental building block for your private network in Azure. It enables Azure resources, like VMs, to securely communicate with each other and with the internet.

-You can also complete this quickstart using the [Azure portal](quick-create-portal.md), [Azure PowerShell](quick-create-powershell.md), or [Azure CLI](quick-create-cli.md).

-The template used in this quickstart is from [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/vnet-two-subnets/azuredeploy.json)

-The following Azure resources have been defined in the template:

-Deploy Resource Manager template to Azure:

-2. In the portal, on the **Create a Virtual Network with two Subnets** page, type or select the following values:

- - **Resource group**: Select **Create new**, type **CreateVNetQS-rg** for the resource group name, and select **OK**.

- - **Virtual Network Name**: Type a name for the new virtual network.

-3. Select **Review + create**, and then select **Create**.

-1. When deployment completes, select on **Go to resource** button to review the resources deployed.

-Explore the resources that were created with the virtual network by browsing the settings blades for **VNet1**.

-1. On the **Overview** tab, you'll see the defined address space of **10.0.0.0/16**.

-2. On the **Subnets** tab, you'll see the deployed subnets of **Subnet1** and **Subnet2** with the appropriate values from the template.

-When you no longer need the resources that you created with the virtual network, delete the resource group. This removes the virtual network and all the related resources.

-In this quickstart, you deployed an Azure virtual network with two subnets. To learn more about Azure virtual networks, continue to the tutorial for virtual networks.

-description: In this quickstart, you create an Azure Virtual Network and Subnets using Terraform. You use Azure CLI to verify the resources.

-# Customer intent: As a Network Administrator, I want to create a virtual network and subnets using Terraform.

-# Quickstart: Create an Azure Virtual Network and subnets using Terraform

-In this quickstart, you learn about a Terraform script that creates an Azure resource group and a virtual network with two subnets. The names of the resource group and the virtual network are generated using a random pet name with a prefix. The script also outputs the names of the created resources.

-The script uses the Azure Resource Manager (azurerm) and Random (random) providers. The azurerm provider is used to interact with Azure resources, while the random provider is used to generate random pet names for the resources.

-> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-virtual-network-create-two-subnets). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-virtual-network-create-two-subnets/TestRecord.md).

->

-> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)

-1. Create a directory in which to test and run the sample Terraform code and make it the current directory.

-1. Create a file named `main.tf` and insert the following code:

-1. Create a file named `outputs.tf` and insert the following code:

-1. Create a file named `providers.tf` and insert the following code:

-1. Create a file named `variables.tf` and insert the following code:

-1. Get the Azure resource group name.

-1. Get the virtual network name.

-1. Use [`az network vnet show`](/cli/azure/network/vnet#az-network-vnet-show) to display the details of your newly created virtual network.

- For more information about troubleshooting Terraform, see [Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot).

-> [!div class="nextstepaction"]

-> [Learn more about using Terraform in Azure](/azure/terraform)