+> Password reset and Azure AD Multi-Factor Authentication don't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.

+>[!NOTE]

+> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.

+## MFA with Single-factor certificate-based authentication

+Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.

+>[!IMPORTANT]

+>A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)

+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)

+For steps on how to upgrade an existing agent to use a gMSA account see [group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).

+For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).

+3. If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.

+>

+> # Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity

+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]

+> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java)

+description: Learn how to enable Azure AD Multi-Factor Authentication and SSO for an Oracle E-Business Suite application via Datawiza.

+# Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS

+In this article, learn how to enable Azure Active Directory (Azure AD) Multi-Factor Authentication and single sign-on (SSO) for an Oracle E-Business Suite (Oracle EBS) application via Datawiza.

+Here are some benefits of integrating applications with Azure AD via Datawiza:

+* A [Zero Trust](https://www.microsoft.com/security/business/zero-trust) security model adapts to modern environments and embraces a hybrid workplace while it helps protect people, devices, apps, and data.

+* [Single sign-on](https://azure.microsoft.com/solutions/active-directory-sso/#overview) provides secure and seamless access for device users and apps from any location.

+* [Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md) prompts users during sign-in for forms of identification, such as a code on their device or a fingerprint scan.

+* [Conditional Access](../conditional-access/overview.md) provides policies as if/then statements. If a user wants to access a resource, then they must complete an action.

+* [Datawiza](https://www.microsoft.com/security/blog/2022/05/17/easy-authentication-and-authorization-in-azure-active-directory-with-no-code-datawiza/) provides authentication and authorization in Azure AD with no code. Use web applications such as Oracle JDE, Oracle EBS, Oracle Siebel, and home-grown apps.

+* Use the [Datawiza Cloud Management Console](https://console.datawiza.com) (DCMC) to manage access to applications in public clouds and on-premises.

+This article focuses on modern identity providers (IdPs) integrating with the legacy Oracle EBS application. The application requires a set of Oracle EBS service account credentials and an Oracle EBS database container (DBC) file.

+The solution has the following components:

+* **Azure AD**: Microsoft's cloud-based identity and access management service, which helps users sign in and access external and internal resources.

+* **Oracle EBS**: The legacy application that Azure AD will help protect.

+* **Datawiza Access Proxy (DAP)**: A lightweight container-based reverse proxy that implements OIDC/OAuth or SAML for user sign-on flow. It transparently passes identity to applications through HTTP headers.

+* **DCMC**: A centralized management console that manages DAP. The console provides UI and RESTful APIs for administrators to manage the configurations of DAP and its granular access control policies.

+## Prerequisites

+To complete the steps in this article, you need:

+* An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/).

+* An Azure AD tenant linked to the Azure subscription.

+* An account with Azure AD Application Administrator permissions. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md).

+* Docker and Docker Compose, to run DAP. For more information, see [Get Docker](https://docs.docker.com/get-docker/) and [Docker Compose Overview](https://docs.docker.com/compose/install/).

+* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory. For more information, see [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md).

+* An Oracle EBS environment.

+1. Sign in to the Oracle EBS management console as an administrator.

+2. Scroll down the navigation pane, expand **User Management**, and then select **Users**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/navigator-user-management.png#lightbox)

+3. Add a user account. Select **Create User** > **User Account**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/user-account.png#lightbox)

+8. Assign **Apps Schema Connect Role** to the user.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/assign-role.png#lightbox)

+In the Oracle EBS Linux environment, generate a new DBC file for DAP. You need the app's user credentials and the default DBC file (under `$FND_SECURE`) that the application tier uses.

+1. Configure the environment for Oracle EBS by using a command similar to `./u01/install/APPS/EBSapps.env run`.

+2. Use the AdminDesktop utility to generate the new DBC file. Specify the name of a new desktop node for this DBC file:

+ `java oracle.apps.fnd.security.AdminDesktop apps/apps CREATE NODE_NAME=\<ebs domain name> DBC=/u01/install/APPS/fs1/inst/apps/EBSDB_apps/appl/fnd/12.0.0/secure/EBSDB.dbc`

+ This action generates a file called `ebsdb_\<ebs domain name>.dbc` in the location where you ran the command.

+3. Copy the DBC file's content to a notebook. You'll use the content later.

+1. To integrate JDE with Azure AD, sign in to the [Datawiza Cloud Management Console](https://console.datawiza.com/).

+ The welcome page appears.

+1. Select the orange **Getting started** button.

+ 

+1. For **Name**, enter a name for the deployment.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/deployment-name.png#lightbox)

+1. For **Description**, enter a description of the deployment.

+1. Select **Next**.

+1. On **Add Application**, for **Platform**, select **Oracle E-Business Suite**.

+1. For **App Name**, enter the app name.

+1. For **Public Domain**, enter the external-facing URL of the application. For example, enter `https://ebs-external.example.com`. You can use localhost DNS for testing.

+1. For **Listen Port**, select the port that DAP listens on. You can use the port in **Public Domain** if you aren't deploying the DAP behind a load balancer.

+1. For **Upstream Servers**, enter the URL and port combination of the Oracle EBS implementation that you want to protect.

+1. For **EBS Service Account**, enter the username from the service account (**DWSSOUSER**).

+1. For **EBS Account Password**, enter the password for the service account.

+1. For **EBS User Mapping**, the product decides the attribute to be mapped to the Oracle EBS username for authentication.

+1. For **EBS DBC Content**, use the content that you copied.

+1. Select **Next**.

+[](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/add-application.png#lightbox)

+Use the DCMC one-click integration to help you complete Azure AD configuration. With this feature, you can reduce management costs and the likelihood of configuration errors.

+[](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/configure-idp.png#lightbox)

+Configuration on the management console is complete. You're prompted to deploy DAP with your application. Make a note of the deployment Docker Compose file. The file includes the DAP image, `PROVISIONING_KEY`, and `PROVISIONING_SECRET`. DAP uses this information to pull the latest configuration and policies from DCMC.

+

+1. For certificate configuration, select the **Advanced** tab on your application page. Then select **SSL** > **Edit**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/advanced-tab.png#lightbox)

+2. Turn on the **Enable SSL** toggle.

+3. For **Cert Type**, select a certificate type.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/cert-type.png#lightbox)

+ There's a self-signed certificate for localhost. To use that certificate for testing, select **Self Signed**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/self-signed-cert-type.png#lightbox)

+ Optionally, you can upload a certificate from a file. For **Cert Type**, select **Upload**. Then, for **Select Option**, select **File Based**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/file-based-cert-option.png#lightbox)

+4. Select **Save**.

+### Optional: Enable Multi-Factor Authentication on Azure AD

+To provide more security for sign-ins, you can enable Multi-Factor Authentication in the Azure portal:

+1. Sign in to the Azure portal as a Global Administrator.

+2. Select **Azure Active Directory** > **Manage** > **Properties**.

+3. Under **Properties**, select **Manage security defaults**.

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/manage-security-defaults.png#lightbox)

+ [](./media/datawiza-azure-ad-sso-mfa-oracle-ebs/enable-security-defaults.png#lightbox)

+5. Select **Save**.

+## Next steps

+- [Video: Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)

+- [Datawiza user guides](https://docs.datawiza.com/)

+>[!NOTE]

+>To assign/unassign Managed identities please follow below links

+- [Documentation for VM](qs-configure-portal-windows-vm.md)

+- [Documentation for VMSS](qs-configure-portal-windows-vmss.md)

+In the source tenant: Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see [Compare generally available features of Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see [MAU billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md)

+The new deployment slot has no content, even if you clone the settings from a different slot. For example, you can [publish to this slot with Git](./deploy-local-git.md). You can deploy to the slot from a different repository branch or a different repository. Get publish profile [from Azure App Service](/visualstudio/azure/how-to-get-publish-profile-from-azure-app-service) can provide required information to deploy to the slot. The profile can be imported by Visual Studio to deploy contents to the slot.

+Search for and select your app. Select **Deployment slots** > *\<slot to delete>* > **Overview**. The app type is shown as **App Service (Slot)** to remind you that you're viewing a deployment slot. Before deleting a slot, make sure to stop the slot and set the traffic in the slot to zero. Select **Delete** on the command bar.

+ Title: Language Support Policy

+description: App Service language runtime support policies

+# App Service language runtime support policy

+This document describes the App Service language runtime support policy for updating existing stacks and retiring process for upcoming end-of-life stacks. This policy is to clarify existing practices and doesn't represent a change to customer commitments.

+## Updates to existing stacks

+App Service will update existing stacks after they become available from each community. App Service will update major versions of stacks but can't guarantee any specific patch versions. Patch versions are controlled by the platform, and it is not possible for App Service to pin a specific patch version. For example, Python 3.10 will be updated by App Service, but a specific Python 3.10.x version won't be guaranteed. If you need a specific patch version, use a [custom container](quickstart-custom-container.md).

+## Retirements

+App Service follows community support timelines for the lifecycle of the runtime. Once community support for a given language reaches end-of-life, your applications will continue to run unchanged. However, App Service cannot provide security patches or related customer support for that runtime version past its end-of-life date. If your application has any issues past the end-of-life date for that version, you should move up to a supported version to receive the latest security patches and features.

+> [!IMPORTANT]

+> You're encouraged to upgrade the language version of your affected apps to a supported version. If you're running apps using an unsupported language version, you'll be required to upgrade before receiving support for your app.

+>

+## Notifications

+End-of-life dates for runtime versions are determined independently by their respective stacks and are outside the control of App Service. App Service will send reminder notifications to subscription owners for upcoming end-of-life runtime versions 12 months prior to the end-of-life date.

+Those who receive notifications include account administrators, service administrators, and co-administrators. Contributors, readers, or other roles won't directly receive notifications, unless they opt-in to receive notification emails, using [Service Health Alerts](/service-health/alerts-activity-log-service-notifications-portal.md).

+## Language runtime version support timelines

+To learn more about specific language support policy timelines, visit the following resources:

+- [ASP.NET](https://aka.ms/aspnetrelease)

+- [.NET](https://aka.ms/dotnetrelease)

+- [Node](https://aka.ms/noderelease)

+- [Java](https://aka.ms/javarelease)

+- [Python](https://aka.ms/pythonrelease)

+- [PHP](https://aka.ms/phprelease)

+- [Go](https://aka.ms/gorelease)

+## Configure language versions

+To learn more about how to update your App Service application language versions, see the following resources:

+- [.NET](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/dot_net_core.md#how-to-update-your-app-to-target-a-different-version-of-net-or-net-core)

+- [Node](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md#node-on-linux-app-service)

+- [Java](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/java_support.md#java-on-app-service)

+- [Python](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/python_support.md#how-to-update-your-app-to-target-a-different-version-of-python)

+- [PHP](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#how-to-update-your-app-to-target-a-different-version-of-php)

+# Buy an App Service domain and configure an app with it

+| [Create a configuration store with the specified parameters](scripts/powershell-create-service.md) | Creates an Azure App Configuration store with some specified parameters. |

+| [Delete a configuration store](scripts/powershell-delete-service.md) | Deletes an Azure App Configuration store. |

+# Create an Azure App Configuration store with the Azure CLI

+This sample script creates a new instance of Azure App Configuration using the Azure CLI in a new resource group.

+- This tutorial requires version 2.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+Make a note of the actual name generated for the new resource group. You'll use that resource group name when you want to delete all group resources.

+More App Configuration CLI script samples can be found in the [Azure App Configuration CLI samples](../cli-samples.md).

+# Delete an Azure App Configuration store with the Azure CLI

+This sample script deletes an instance of Azure App Configuration using the Azure CLI.

+ Title: PowerShell script sample - Create an Azure App Configuration store

+description: Create an Azure App Configuration store using a sample PowerShell script. See reference article links to commands used in the script.

+# Create an Azure App Configuration store with PowerShell

+This sample script creates a new instance of Azure App Configuration in a new resource group using PowerShell.

+To execute the sample scripts, you need a functional setup of [Azure PowerShell](/powershell/azure/).

+Open a PowerShell window with admin rights and run `Install-Module -Name Az` to install Azure PowerShell

+## Sample script

+```powershell

+# Create a resource group

+New-AzResourceGroup -Name <resource-group-name> -Location <location>

+# Create an App Configuration store

+New-AzAppConfigurationStore -Name <store-name> -ResourceGroupName <resource-group-name> -Location <location> -Sku <sku>

+# Get the App Configuration connection string

+Get-AzAppConfigurationStoreKey -Name <store-name> -ResourceGroupName <resource-group-name>

+```

+## Clean up resources

+Clean up the resources you deployed by deleting the resource group.

+```powershell

+Remove-AzResourceGroup -Name <resource-group-name>

+```

+## Script explanation

+This script uses the following commands to create a new resource group and an App Configuration store. Each command in the table links to command specific documentation.

+| Command | Notes |

+|||

+| [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) | Creates a resource group in which all resources are stored. |

+| [New-AzAppConfigurationStore](/powershell/module/az.appconfiguration/new-azappconfigurationstore) | Creates an App Configuration store resource. |

+| [Get-AzAppConfigurationStoreKey](/powershell/module/az.appconfiguration/get-azappconfigurationstorekey) | Lists access keys for an App Configuration store. |

+## Next steps

+For more information about Azure PowerShell, check out the [Azure PowerShell documentation](/powershell/azure/).

+More App Configuration script samples for PowerShell can be found in the [Azure App Configuration PowerShell samples](../powershell-samples.md).

+ Title: PowerShell script sample - Delete an Azure App Configuration store

+description: Delete an Azure App Configuration store using a sample PowerShell script. See reference article links to commands used in the script.

+# Delete an Azure App Configuration store with PowerShell

+This sample script deletes an instance of Azure App Configuration using PowerShell.

+To execute this sample script, you need a functional setup of [Azure PowerShell](/powershell/azure/).

+Open a PowerShell window with admin rights and run `Install-Module -Name Az` to install Azure PowerShell

+## Sample script

+```powershell

+# Delete an App Configuration store

+Remove-AzAppConfigurationStore -Name <store-name> -ResourceGroupName <resource-group-name>

+```

+## Script explanation

+This script uses the following command to delete an App Configuration store. Each command in the table links to command specific documentation.

+| Command | Notes |

+|||

+| [Remove-AzAppConfigurationStore](/powershell/module/az.appconfiguration/Remove-AzAppConfigurationStore) | Deletes an App Configuration store. |

+## Next steps

+For more information about Azure PowerShell, check out the [Azure PowerShell documentation](/powershell/azure/).

+More App Configuration script samples for PowerShell can be found in the [Azure App Configuration PowerShell samples](../powershell-samples.md).

+ - Kafka separate mode

+* FluxConfig CRD: Custom Resource Definition for `fluxconfigs.clusterconfig.azure.com` custom resources that define `FluxConfig` Kubernetes objects.

+Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:

+This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.

+This section describes additional networking requirements specific to deploying Azure Arc resource bridge (preview) in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere (preview) and Azure Arc-enabled System Center Virtual Machine Manager (preview).

+Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:

+Azure Arc-enabled VMware vSphere also requires:

+For more information, see [Support matrix for Azure Arc-enabled VMware vSphere (preview)](vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md).

+## Additional endpoints

+Depending on your scenario, you may need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints:

+- [Azure portal URLs](../azure-portal/azure-portal-safelist-urls.md)

+- [Azure CLI endpoints for proxy bypass](/cli/azure/azure-cli-endpoints)

+There are no limits to the number of Azure Arc-enabled servers you can register in any single resource group, subscription or tenant.

+Each Azure Arc-enabled server is associated with an Azure Active Directory object and will count against your directory quota. See [Azure AD service limits and restrictions](../../active-directory/enterprise-users/directory-service-limits-restrictions.md) for information about the maximum number of objects you can have in an Azure AD directory.

+- Private endpoints

+* ARM, Bicep, and Terraform templates:

+ * [Private HTTP Triggered Function App](https://github.com/Azure-Samples/function-app-with-private-http-endpoint)

+ * [Private Event Hubs Triggered Function App](https://github.com/Azure-Samples/function-app-with-private-eventhub)

+* ARM templates only:

+### [Azure Active Directory B2C](../active-directory-b2c/index.yml)

+Azure Active Directory B2C is **not available** in Azure Government.

+## Multi-factor authentication (MFA)

+The CJIS Security Policy v5.9.2 revised multi-factor authentication (MFA) requirements for CJI protection. MFA requires the use of two or more different factors defined as follows:

+- Something you know, for example, username/password or personal identification number (PIN)

+- Something you have, for example, a hard token such as a cryptographic key stored on or a one-time password (OTP) transmitted to a specialized hardware device

+- Something you are, for example, biometric information

+According to the CJIS Security Policy, identification and authentication of organizational users requires MFA to privileged and non-privileged accounts as part of CJI access control requirements. MFA is required at Authenticator Assurance Level 2 (AAL2), as described in the National Institute of Standards and Technology (NIST) [SP 800-63](https://pages.nist.gov/800-63-3/sp800-63-3.html) *Digital Identity Guidelines*. Authenticators and verifiers operated at AAL2 shall be validated to meet the requirements of FIPS 140 Level 1.

+The [Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md) provides an extra level of security to your Azure Active Directory (Azure AD) account. It's available on mobile phones running Android and iOS. With the Microsoft Authenticator app, you can provide secondary verification for MFA scenarios to meet your CJIS Security Policy MFA requirements. As mentioned previously, CJIS Security Policy requires that solutions for hard tokens use cryptographic modules validated at FIPS 140 Level 1. The Microsoft Authenticator app meets FIPS 140 Level 1 validation requirements for all Azure AD authentications, as explained in [Authentication methods in Azure Active Directory - Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-azure-ad-authentication). FIPS 140 compliance for Microsoft Authenticator is currently in place for iOS and in progress for Android.

+Moreover, Azure can help you meet and **exceed** your CJIS Security Policy MFA requirements by supporting the highest Authenticator Assurance Level 3 (AAL3). According to [NIST SP 800-63B Section 4.3](https://pages.nist.gov/800-63-3/sp800-63b.html#sec4), multi-factor **authenticators** used at AAL3 shall rely on hardware cryptographic modules validated at FIPS 140 Level 2 overall with at least FIPS 140 Level 3 for physical security, which exceeds the CJIS Security Policy MFA requirements. **Verifiers** at AAL3 shall be validated at FIPS 140 Level 1 or higher.

+Azure Active Directory (Azure AD) supports both authenticator and verifier NIST SP 800-63B AAL3 requirements:

+- **Authenticator requirements:** FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the underlying FIPS 140 validation requirements. Azure AD support for NIST SP 800-63B AAL3 **exceeds** the CJIS Security Policy MFA requirements.

+- **Verifier requirements:** Azure AD uses the [Windows FIPS 140 Level 1](/windows/security/threat-protection/fips-140-validation) overall validated cryptographic module for all its authentication related cryptographic operations. It is therefore a FIPS 140 compliant verifier.

+For more information, see [Azure NIST SP 800-63 documentation](/azure/compliance/offerings/offering-nist-800-63).

+This guide shows you how to prepare your Drawing Package for the [Azure Maps Conversion service] using specific CAD commands to correctly prepare your DWG files and manifest file for the Conversion service.

+If you don't have your own package to reference along with this guide, you may download the [sample drawing package].

+>For more information about drawing package requirements that aren't covered in this guide, see [Drawing Package Requirements].

+| Term | Definition |

+|:--|:|

+| Layer | An AutoCAD DWG layer from the drawing file. |

+| Entity | An AutoCAD DWG entity from the drawing file. |

+| Level | An area of a building at a set elevation. For example, the floor of a building.ΓÇ»|

+Each floor of a facility must be provided as one DWG file. If there are no external references, then nothing more needs to be done. However, if there are any external references, they must be bound to a single drawing. To bind an external reference, you may use the `XREF` command. Each external reference drawing will be added as a block reference after binding. If you need to make changes to any of these layers, remember to explode the block references by using the `XPLODE` command.

+Each floor of a facility is provided as an individual DWG file. As a result, it's possible that the floors aren't perfectly aligned when stacked on top of each other. Azure Maps Conversion service requires that all drawings be aligned with the physical space. To verify alignment, use a reference point that can span across floors, such as an elevator or column that spans multiple floors. you can view all the floors by opening a new drawing, and then use the `XATTACH` command to load all floor drawings. If you need to fix any alignment issues, you can use the reference points and the `MOVE` command to realign the floors that require it.

+For a better understanding of layers and feature classes, see [Drawing Package Requirements].

+The following image is taken from the [sample drawing package] and shows the unit label layer and unit layer in red. All other layers are turned off to help with visualization. Also, one unit is selected to help show that each unit is a closed Polyline.

+The following image is taken from the [sample drawing package] and shows a unit with a door (in red) drawn on the unit boundary.

+The wall layer is meant to represent the physical extents of a facility such as walls and columns. The Azure Maps Conversion service perceives walls as physical structures that are an obstruction to routing. With that in mind, a wall should be thought as a physical structure that one can see, but not walk through. Anything that canΓÇÖt be seen won't captured in this layer. If a wall has inner walls or columns inside, then only the exterior should be captured.

+To achieve a successful conversion, all ΓÇ£requiredΓÇ¥ properties must be defined. A sample manifest file can be found inside the [sample drawing package]. This guide doesn't cover properties supported by the manifest. For more information about manifest properties, see [Manifest File Properties].

+The following example is taken from the [sample drawing package]. The facility has three levels: basement, ground, and level 2. The filename contains the full file name and path of the file relative to the manifest file within the .zip Drawing package.

+The following image is taken from the [sample drawing package]. It displays the unit label that's associated to the unit property in the manifest.

+You should now have all the DWG drawings prepared to meet Azure Maps Conversion service requirements. A manifest file has also been created to help describe the facility. All files will need to be zipped into a single archive file, with the `.zip` extension. It's important that the manifest file is named `manifest.json` and is placed in the root directory of the zipped package. All other files can be in any directory of the zipped package if the filename includes the relative path to the manifest. For an example of a drawing package, see the [sample drawing package].

+> [Tutorial: Creating a Creator indoor map]

+[Azure Maps Conversion service]: /rest/api/maps/v2/conversion

+[sample drawing package]: https://github.com/Azure-Samples/am-creator-indoor-data-examples

+[Manifest File Properties]: drawing-requirements.md#manifest-file-requirements

+[Drawing Package Requirements]: drawing-requirements.md

+[Tutorial: Creating a Creator indoor map]: tutorial-creator-indoor-maps.md

+> [!NOTE]

+> The recommendation is to enable [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) which may take **up to 5 weeks** after a new extension version is released for it to update installed extensions to the released (latest) version across all regions. Upgrades are issued in batches, so you may see some of your virtual machines, scale-sets or Arc-enabled servers get upgraded before others. If you need to upgrade an extension immediately, you may use the manual instructions below.

+- [Performance anomalies](./smart-detection-performance.md)

+* [Smart detection - Performance Anomalies](./smart-detection-performance.md). Notifies if response time of an operation or dependency duration is slowing down, compared to historical baseline. It also notifies if we identify an anomalous pattern in response time, or page load time.

+- [Performance anomalies](./smart-detection-performance.md)

+* [Smart Detection of performance anomalies](smart-detection-performance.md) also uses machine intelligence to discover unusual patterns in your metrics, and no configuration by you is required. But unlike Smart Detection of Failure Anomalies, the purpose of Smart Detection of performance anomalies is to find segments of your usage manifold that might be badly served - for example, by specific pages on a specific type of browser. The analysis is performed daily, and if any result is found, it's likely to be much less urgent than an alert. By contrast, the analysis for Failure Anomalies is performed continuously on incoming application data, and you will be notified within minutes if server failure rates are greater than expected.

+ Title: Smart detection - performance anomalies | Microsoft Docs

+description: Smart detection analyzes your app telemetry and warns you of potential problems. This feature needs no setup.

+# Smart detection - Performance Anomalies

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-based smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information on the migration process, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+[Application Insights](../app/app-insights-overview.md) automatically analyzes the performance of your web application, and can warn you about potential problems.

+This feature requires no special setup, other than configuring your app for Application Insights for your [supported language](../app/app-insights-overview.md#supported-languages). It's active when your app generates enough telemetry.

+## When would I get a smart detection notification?

+Application Insights has detected that the performance of your application has degraded in one of these ways:

+* **Response time degradation** - Your app has started responding to requests more slowly than it used to. The change might have been rapid, for example because there was a regression in your latest deployment. Or it might have been gradual, maybe caused by a memory leak.

+* **Dependency duration degradation** - Your app makes calls to a REST API, database, or other dependency. The dependency is responding more slowly than it used to.

+* **Slow performance pattern** - Your app appears to have a performance issue that is affecting only some requests. For example, pages are loading more slowly on one type of browser than others; or requests are being served more slowly from one particular server. Currently, our algorithms look at page load times, request response times, and dependency response times.

+To establish a baseline of normal performance, smart detection requires at least eight days of sufficient telemetry volume. After your application has been running for that period, significant anomalies will result in a notification.

+## Does my app definitely have a problem?

+No, a notification doesn't mean that your app definitely has a problem. It's simply a suggestion about something you might want to look at more closely.

+## How do I fix it?

+The notifications include diagnostic information. Here's an example:

+

+1. **Triage**. The notification shows you how many users or how many operations are affected. This information can help you assign a priority to the problem.

+2. **Scope**. Is the problem affecting all traffic, or just some pages? Is it restricted to particular browsers or locations? This information can be obtained from the notification.

+3. **Diagnose**. Often, the diagnostic information in the notification will suggest the nature of the problem. For example, if response time slows down when request rate is high, it may indicate that your server or dependencies are beyond their capacity.

+ Otherwise, open the Performance pane in Application Insights. You'll find there [Profiler](../profiler/profiler.md) data. If exceptions are thrown, you can also try the [snapshot debugger](../snapshot-debugger/snapshot-debugger.md).

+## Configure Email Notifications

+Smart detection notifications are enabled by default. They are sent to users that have [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) and [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) access to the subscription in which the Application Insights resource resides. To change the default notification, either click **Configure** in the email notification, or open **Smart detection settings** in Application Insights.

+

+ 

+

+ * You can disable the default notification, and replace it with a specified list of emails.

+Emails about smart detection performance anomalies are limited to one email per day per Application Insights resource. The email will be sent only if there is at least one new issue that was detected on that day. You won't get repeats of any message.

+## Frequently asked questions

+* *So, Microsoft staff look at my data?*

+ * No. The service is entirely automatic. Only you get the notifications. Your data is [private](../app/data-retention-privacy.md).

+* *Do you analyze all the data collected by Application Insights?*

+ * Currently, we analyze request response time, dependency response time, and page load time. Analysis of other metrics is on our backlog looking forward.

+* What types of application does this detection work for?

+ * These degradations are detected in any application that generates the appropriate telemetry. If you installed Application Insights in your web app, then requests and dependencies are automatically tracked. But in backend services or other apps, if you inserted calls to [TrackRequest()](../app/api-custom-events-metrics.md#trackrequest) or [TrackDependency](../app/api-custom-events-metrics.md#trackdependency), then smart detection will work in the same way.

+* *Can I create my own anomaly detection rules or customize existing rules?*

+ * Not yet, but you can:

+ * [Set up alerts](./alerts-log.md) that tell you when a metric crosses a threshold.

+ * [Export telemetry](../app/export-telemetry.md) to a [database](../../stream-analytics/app-insights-export-sql-stream-analytics.md) or [to Power BI](../logs/log-powerbi.md), where you can analyze it yourself.

+* *How often is the analysis done?*

+ * We run the analysis daily on the telemetry from the previous day (full day in UTC timezone).

+* *Does this replace [metric alerts](./alerts-log.md)?*

+ * No. We don't commit to detecting every behavior that you might consider abnormal.

+* *If I don't do anything in response to a notification, will I get a reminder?*

+ * No, you get a message about each issue only once. If the issue persists, it will be updated in the smart detection feed pane.

+* *I lost the email. Where can I find the notifications in the portal?*

+ * In the Application Insights overview of your app, click the **Smart detection** tile. There you'll find all notifications up to 90 days back.

+## How can I improve performance?

+Slow and failed responses are one of the biggest frustrations for web site users, as you know from your own experience. So, it's important to address the issues.

+### Triage

+First, does it matter? If a page is always slow to load, but only 1% of your site's users ever have to look at it, maybe you have more important things to think about. However, if only 1% of users open it, but it throws exceptions every time, that might be worth investigating.

+Use the impact statement, such as affected users or % of traffic, as a general guide. Be aware that it may not be telling the whole story. Gather other evidence to confirm.

+Consider the parameters of the issue. If it's geography-dependent, set up [availability tests](../app/monitor-web-app-availability.md) including that region: there might be network issues in that area.

+### Diagnose slow page loads

+Where is the problem? Is the server slow to respond, is the page too long, or does the browser need too much work to display it?

+Open the Browsers metric pane. The segmented display of browser page load time shows where the time is going.

+* If **Send Request Time** is high, either the server is responding slowly, or the request is a post with large amount of data. Look at the [performance metrics](../app/performance-counters.md) to investigate response times.

+* Set up [dependency tracking](../app/asp-net-dependencies.md) to see whether the slowness is because of external services or your database.

+* If **Receiving Response** is predominant, your page and its dependent parts - JavaScript, CSS, images, and so on (but not asynchronously loaded data) are long. Set up an [availability test](../app/monitor-web-app-availability.md), and be sure to set the option to load dependent parts. When you get some results, open the detail of a result and expand it to see the load times of different files.

+* High **Client Processing time** suggests scripts are running slowly. If the reason isn't obvious, consider adding some timing code and send the times in trackMetric calls.

+### Improve slow pages

+There's a web full of advice on improving your server responses and page load times, so we won't try to repeat it all here. Here are a few tips that you probably already know about, just to get you thinking:

+* Slow loading because of large files: Load the scripts and other parts asynchronously. Use script bundling. Break the main page into widgets that load their data separately. Don't send plain old HTML for long tables: use a script to request the data as JSON or other compact format, then fill the table in place. There are great frameworks to help with such tasks. (They also include large scripts, of course.)

+* Slow server dependencies: Consider the geographical locations of your components. For example, if you're using Azure, make sure the web server and the database are in the same region. Do queries retrieve more information than they need? Would caching or batching help?

+* Capacity issues: Look at the server metrics of response times and request counts. If response times peak disproportionately with peaks in request counts, it's likely that your servers are stretched.

+## Server Response Time Degradation

+The response time degradation notification tells you:

+* The response time compared to normal response time for this operation.

+* How many users are affected.

+* Average response time and 90th percentile response time for this operation on the day of the detection and seven days before.

+* Count of this operation requests on the day of the detection and seven days before.

+* Correlation between degradation in this operation and degradations in related dependencies.

+* Links to help you diagnose the problem.

+ * Profiler traces can help you view where operation time is spent. The link is available if Profiler trace examples exist for this operation.

+ * Performance reports in Metric Explorer, where you can slice and dice time range/filters for this operation.

+ * Search for this call to view specific call properties.

+ * Failure reports - If count > 1, it means that there were failures in this operation that might have contributed to performance degradation.

+## Dependency Duration Degradation

+Modern applications often adopt a micro services design approach, which in many cases rely heavily on external services. For example, if your application relies on some data platform, or on a critical services provider such as cognitive services.

+Example of dependency degradation notification:

+

+Notice that it tells you:

+* The duration compared to normal response time for this operation

+* How many users are affected

+* Average duration and 90th percentile duration for this dependency on the day of the detection and seven days before

+* Number of dependency calls on the day of the detection and seven days before

+* Links to help you diagnose the problem

+ * Performance reports in Metric Explorer for this dependency

+ * Search for this dependency calls to view calls properties

+ * Failure reports - If count > 1, it means that there were failed dependency calls during the detection period that might have contributed to duration degradation.

+ * Open Analytics with queries that calculate this dependency duration and count

+## Smart detection of slow performing patterns

+Application Insights finds performance issues that might only affect some portion of your users, or only affect users in some cases. For example, if a page loads slower on a specific browser type compared to others, or if a particular server handles requests more slowly than other servers. It can also discover problems that are associated with combinations of properties, such as slow page loads in one geographical area for clients using particular operating system.

+Anomalies like these are hard to detect just by inspecting the data, but are more common than you might think. Often they only surface when your customers complain. By that time, it's too late: the affected users are already switching to your competitors!

+Currently, our algorithms look at page load times, request response times at the server, and dependency response times.

+You don't have to set any thresholds or configure rules. Machine learning and data mining algorithms are used to detect abnormal patterns.

+

+* **When** shows the time the issue was detected.

+* **What** describes the problem that was detected, and th characteristics of the set of events that we found, which displayed the problem behavior.

+* The table compares the poorly performing set with the average behavior of all other events.

+Click the links to open Metric Explorer to view reports, filtered by the time and properties of the slow performing set.

+Modify the time range and filters to explore the telemetry.

+## Next steps

+These diagnostic tools help you inspect the telemetry from your app:

+* [Profiler](../profiler/profiler.md)

+* [snapshot debugger](../snapshot-debugger/snapshot-debugger.md)

+* [Analytics](../logs/log-analytics-tutorial.md)

+* [Analytics smart diagnostics](../logs/log-query-overview.md)

+Smart detection is automatic. But maybe you'd like to set up some more alerts?

+* [Manually configured metric alerts](./alerts-log.md)

+* [Availability web tests](../app/monitor-web-app-availability.md)

+- Users with 'User Access Administrator' role in the subscription of the AKS cluster can be able to enable 'Monitoring Data Reader' role directly by deploying the template.

+In this json, `full_resource_id_1` and `full_resource_id_2` were already in the Azure Managed Grafana resource JSON, and they're added here to the ARM template. If you have no existing Grafana integrations, then don't include these entries for `full_resource_id_1` and `full_resource_id_2`.

+The final `azureMonitorWorkspaceResourceId` entry is already in the template and is used to link to the Azure Monitor Workspace resource ID provided in the parameters file.

+## [Bicep](#tab/bicep)

+### Prerequisites

+- Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.

+- The Azure Monitor workspace and Azure Managed Grafana workspace must already be created.

+- The template needs to be deployed in the same resource group as the Azure Managed Grafana workspace.

+- Users with 'User Access Administrator' role in the subscription of the AKS cluster can be able to enable 'Monitoring Data Reader' role directly by deploying the template.

+### Minor Limitation while deploying through bicep

+Currently in bicep, there is no way to explicitly "scope" the Monitoring Data Reader role assignment on a string parameter "resource id" for Azure Monitor Workspace (like in ARM template). Bicep expects a value of type "resource | tenant" and currently there is no rest api [spec](https://github.com/Azure/azure-rest-api-specs) for Azure Monitor Workspace. So, as a workaround, the default scoping for Monitoring Data Reader role is on the resource group and thus the role is applied on the same Azure monitor workspace (by inheritance) which is the expected behavior. Thus, after deploying this bicep template, the Grafana resource will get read permissions in all the Azure Monitor Workspaces under the subscription.

+### Retrieve required values for Grafana resource

+From the **Overview** page for the Azure Managed Grafana instance in the Azure portal, select **JSON view**.

+If you're using an existing Azure Managed Grafana instance that already has been linked to an Azure Monitor workspace then you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, then the instance hasn't been linked with any Azure Monitor workspace.

+```json

+"properties": {

+ "grafanaIntegrations": {

+ "azureMonitorWorkspaceIntegrations": [

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_1"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_2"

+ }

+ ]

+ }

+}

+```

+### Download and edit templates and parameter file

+1. Download the main bicep template from [here](https://aka.ms/azureprometheus-enable-bicep-template) and save it as **FullAzureMonitorMetricsProfile.bicep**.

+2. Download the parameter file from [here](https://aka.ms/azureprometheus-enable-bicep-template-parameters) and save it as **FullAzureMonitorMetricsProfileParameters.json** in the same directory as the main bicep template.

+3. Download the [nested_azuremonitormetrics_dcra_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_dcra_clusterResourceId) and [nested_azuremonitormetrics_profile_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_profile_clusterResourceId) files in the same directory as the main bicep template.

+4. Edit the values in the parameter file.

+5. The main bicep template creates all the required resources and uses 2 modules for creating the dcra and monitormetrics profile resources from the other two bicep files.

+ | Parameter | Value |

+ |:|:|

+ | `azureMonitorWorkspaceResourceId` | Resource ID for the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `azureMonitorWorkspaceLocation` | Location of the Azure Monitor workspace. Retrieve from the **JSON view** on the **Overview** page for the Azure Monitor workspace. |

+ | `clusterResourceId` | Resource ID for the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `clusterLocation` | Location of the AKS cluster. Retrieve from the **JSON view** on the **Overview** page for the cluster. |

+ | `metricLabelsAllowlist` | Comma-separated list of Kubernetes labels keys that will be used in the resource's labels metric. |

+ | `metricAnnotationsAllowList` | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. |

+ | `grafanaResourceId` | Resource ID for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. |

+ | `grafanaLocation` | Location for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. |

+ | `grafanaSku` | SKU for the managed Grafana instance. Retrieve from the **JSON view** on the **Overview** page for the Grafana instance. Use the **sku.name**. |

+6. Open the template file and update the `grafanaIntegrations` property at the end of the file with the values that you retrieved from the Grafana instance. This will be similar to the following:

+ ```json

+ {

+ "type": "Microsoft.Dashboard/grafana",

+ "apiVersion": "2022-08-01",

+ "name": "[split(parameters('grafanaResourceId'),'/')[8]]",

+ "sku": {

+ "name": "[parameters('grafanaSku')]"

+ },

+ "location": "[parameters('grafanaLocation')]",

+ "properties": {

+ "grafanaIntegrations": {

+ "azureMonitorWorkspaceIntegrations": [

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_1"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "full_resource_id_2"

+ },

+ {

+ "azureMonitorWorkspaceResourceId": "[parameters('azureMonitorWorkspaceResourceId')]"

+ }

+ ]

+ }

+ }

+ ````

+In this json, `full_resource_id_1` and `full_resource_id_2` were already in the Azure Managed Grafana resource JSON, and they're added here to the ARM template. If you have no existing Grafana integrations, then don't include these entries for `full_resource_id_1` and `full_resource_id_2`.

+The final `azureMonitorWorkspaceResourceId` entry is already in the template and is used to link to the Azure Monitor Workspace resource ID provided in the parameters file.

+- Metrics addon doesn't work on AKS clusters configured with HTTP proxy.

+Currently, Azure CLI is the only option to remove the metrics addon and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus.

+If you don't already have it, install the aks-preview extension with the following command.

+You can create multiple Data Collection Rules that point to the same Data Collection Endpoint for metrics to be sent to additional Azure Monitor Workspaces from the same Kubernetes cluster. In case you have a very high volume of metrics, a new Data Collection Endpoint can be created as well. Please refer to the service limits [document](../service-limits.md) regarding ingestion limits. Currently, this is only available through onboarding through Resource Manager templates. You can follow the [regular onboarding process](prometheus-metrics-enable.md) and then edit the same Resource Manager templates to add additional DCRs and DCEs(if applicable) for your additional Azure Monitor Workspaces. You'll need to edit the template to add an additional parameters for every additional Azure Monitor workspace, add another DCR for every additional Azure Monitor workspace, add another DCE (if applicable), add the Monitor Reader Role for the new Azure Monitor Workspace and add an additional Azure Monitor workspace integration for Grafana.

+- For high metric volume, add an additional Data Collection Endpoint. You *must* replace `<dceName>`:

+ ```json

+ {

+ "type": "Microsoft.Insights/dataCollectionEndpoints",

+ "apiVersion": "2021-09-01-preview",

+ "name": "[variables('dceName')]",

+ "location": "[parameters('azureMonitorWorkspaceLocation2')]",

+ "kind": "Linux",

+ "properties": {}

+ }

+ ```

+- Add an additional DCR with the same or a different Data Collection Endpoint. You *must* replace `<dcrName>`:

+- Add an additional DCRA with the relevant Data Collection Rule. You *must* replace `<dcraName>`:

+ ```json

+ {

+ "type": "Microsoft.Resources/deployments",

+ "name": "<dcraName>",

+ "apiVersion": "2017-05-10",

+ "subscriptionId": "[variables('clusterSubscriptionId')]",

+ "resourceGroup": "[variables('clusterResourceGroup')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('dceName'))]",

+ "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"

+ ],

+ "properties": {

+ "mode": "Incremental",

+ "template": {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {},

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.ContainerService/managedClusters/providers/dataCollectionRuleAssociations",

+ "name": "[concat(variables('clusterName'),'/microsoft.insights/', variables('dcraName'))]",

+ "apiVersion": "2021-09-01-preview",

+ "location": "[parameters('clusterLocation')]",

+ "properties": {

+ "description": "Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster.",

+ "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))]"

+ }

+ }

+ ]

+ },

+ "parameters": {}

+ }

+ }

+ ```

+ - Assign `Monitoring Data Reader` role to read data from the new Azure Monitor Workspace:

+ ```json

+ {

+ "type": "Microsoft.Authorization/roleAssignments",

+ "apiVersion": "2022-04-01",

+ "name": "[parameters('roleNameGuid')]",

+ "scope": "[parameters('azureMonitorWorkspaceResourceId2')]",

+ "properties": {

+ "roleDefinitionId": "[concat('/subscriptions/', variables('clusterSubscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', 'b0d8363b-8ddd-447d-831f-62ca05bff136')]",

+ "principalId": "[reference(resourceId('Microsoft.Dashboard/grafana', split(parameters('grafanaResourceId'),'/')[8]), '2022-08-01', 'Full').identity.principalId]"

+ }

+ }

+ ```

+ > [!NOTE]

+ > Use [Connection Monitor](../../network-watcher/connection-monitor-overview.md) instead of Connection Monitor (Classic) when using VWAN with ExpressRoute.

+### Modify SMB share permissions

+You can modify SMB share permissions using Microsoft Management Console (MMC).

+>[!IMPORTANT]

+>Modifying SMB share permissions poses a risk. If the users or groups assigned to the share properties are removed from the Active Directory, or if the permissions for the share become unusable, then the entire share will become inaccessible.

+1. To open Computer Management MMC on any Windows server, in the Control Panel, select **Administrative Tools > Computer Management**.

+1. Select **Action > Connect to another computer**.

+1. In the **Select Computer** dialog box, enter the name of the Azure NetApp Files FQDN or IP address or select **Browse** to locate the storage system.

+1. Select **OK** to connect the MMC to the remote server.

+1. When the MMC connects to the remote server, in the navigation pane, select **Shared Folders > Shares**.

+1. In the display pane that lists the shares, double-click a share to display its properties. In the **Properties** dialog box, modify the properties as needed.

+You cannot set `maxfiles` limits for data protection volumes via a quota request. Azure NetApp Files automatically increases the `maxfiles` limit of a data protection volume to accommodate the number of files replicated to the volume. When a failover happens to a data protection volume, the `maxfiles` limit remains the last value before the failover. In this situation, you can submit a `maxfiles` [quota request](#request-limit-increase) for the volume.

+Both [Azure Active Directory Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md) and [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) are supported. You can use existing Active Directory domain controllers with Azure NetApp Files. Domain controllers can reside in Azure as virtual machines, or on premises via ExpressRoute or S2S VPN. Azure NetApp Files doesn't support AD join for [Azure Active Directory (Azure AD)](../active-directory/fundamentals/index.yml) at this time.

+See [Modify SMB share permissions](azure-netapp-files-create-volumes-smb.md#modify-smb-share-permissions) for more information on this procedure.

+* machines

+To get better performance, we recommend you send out no more than 150,000 data points per batch inference. *(Data points = Number of variables * Number of timestamps)*

+ Title: Service limits - Anomaly Detector service

+description: Service limits for Anomaly Detector service, including Univariate Anomaly Detection and Multivariate Anomaly Detection.

+# Anomaly Detector service quotas and limits

+This article contains both a quick reference and detailed description of Azure Anomaly Detector service quotas and limits for all pricing tiers. It also contains some best practices to help avoid request throttling.

+The quotas and limits apply to all the versions within Azure Anomaly Detector service.

+## Univariate Anomaly Detection

+|Quota¹|Free (F0)|Standard (S0)|

+|--|--|--|

+| **All APIs per second** | 10 | 500 |

+¹ All the quota and limit are defined for one Anomaly Detector resource.

+## Multivariate Anomaly Detection

+### API call per minute

+|Quota¹|Free (F0)²|Standard (S0)|

+|--|--|--|

+| **Training API per minute** | 1 | 20 |

+| **Get model API per minute** | 1 | 20 |

+| **Batch(async) inference API per minute** | 10 | 60 |

+| **Get inference results API per minute** | 10 | 60 |

+| **Last(sync) inference API per minute** | 10 | 60 |

+| **List model API per minute** | 1 | 20 |

+| **Delete model API per minute** | 1 | 20 |

+¹ All quotas and limits are defined for one Anomaly Detector resource.

+² For **Free (F0)** pricing tier see also monthly allowances at the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/anomaly-detector/)

+### Concurrent models and inference tasks

+|Quota¹|Free (F0)|Standard (S0)|

+|--|--|--|

+| **Maximum models** *(created, running, ready, failed)*| 20 | 1000 |

+| **Maximum running models** *(created, running)* | 1 | 20 |

+| **Maximum running inference** *(created, running)* | 10 | 60 |

+¹ All quotas and limits are defined for one Anomaly Detector resource. If you want to increase the limit, please contact AnomalyDetector@microsoft.com for further communication.

+## How to increase the limit for your resource?

+For the Standard pricing tier, this limit can be increased. Increasing the **concurrent request limit** doesn't directly affect your costs. Anomaly Detector service uses "Pay only for what you use" model. The limit defines how high the Service may scale before it starts throttle your requests.

+The **concurrent request limit parameter** isn't visible via Azure portal, Command-Line tools, or API requests. To verify the current value, create an Azure Support Request.

+If you would like to increase your limit, you can enable auto scaling on your resource. Follow this document to enable auto scaling on your resource [enable auto scaling](../autoscale.md). You can also submit an increase Transactions Per Second (TPS) support request.

+### Have the required information ready

+* Anomaly Detector resource ID

+* Region

+#### Retrieve resource ID and region

+* Go to [Azure portal](https://portal.azure.com/)

+* Select the Anomaly Detector Resource for which you would like to increase the transaction limit

+* Select Properties (Resource Management group)

+* Copy and save the values of the following fields:

+ * Resource ID

+ * Location (your endpoint Region)

+### Create and submit support request

+To request a limit increase for your resource submit a **Support Request**:

+1. Go to [Azure portal](https://portal.azure.com/)

+2. Select the Anomaly Detector Resource for which you would like to increase the limit

+3. Select New support request (Support + troubleshooting group)

+4. A new window will appear with auto-populated information about your Azure Subscription and Azure Resource

+5. Enter Summary (like "Increase Anomaly Detector TPS limit")

+6. In Problem type, select *"Quota or usage validation"*

+7. Select Next: Solutions

+8. Proceed further with the request creation

+9. Under the Details tab enters the following in the Description field:

+ * A note, that the request is about Anomaly Detector quota.

+ * Provide a TPS expectation you would like to scale to meet.

+ * Azure resource information you collected.

+ * Complete entering the required information and select Create button in *Review + create* tab

+ * Note the support request number in Azure portal notifications. You'll be contacted shortly for further processing.

+string aadToken = browserToken.Token;

+# Set the LanguageIdMode (Optional; Either Continuous or AtStart are accepted; Default AtStart)

+speech_config.set_property(property_id=speechsdk.PropertyId.SpeechServiceConnection_LanguageIdMode, value='Continuous')

+You should receive a response with a JSON body that includes all supported locales, voices, gender, styles, and other details. The `WordsPerMinute` property for each voice can be used to estimate the length of the output speech. This JSON example shows partial results to illustrate the structure of a response:

+> [!TIP]

+> You can try speech-to-text and text-to-speech in [Speech Studio](https://aka.ms/speechstudio/) without signing up or writing any code.

+ <mstts:audioduration value="string"/>

+- `mstts:audioduration`: This element can't contain text or any other elements.

+| `type` | Specifies where and how to add silence. The following silence types are supported:<br/><ul><li>`Leading` ΓÇô Additional silence at the beginning of the text. The value that you set is added to the natural silence before the start of text.</li><li>`Leading-exact` ΓÇô Silence at the beginning of the text. The value is an absolute silence length.</li><li>`Tailing` ΓÇô Additional silence at the end of text. The value that you set is added to the natural silence after the last word.</li><li>`Tailing-exact` ΓÇô Silence at the end of the text. The value is an absolute silence length.</li><li>`Sentenceboundary` ΓÇô Additional silence between adjacent sentences. The actual silence length for this type includes the natural silence after the last word in the previous sentence, the value you set for this type, and the natural silence before the starting word in the next sentence.</li><li>`Sentenceboundary-exact` ΓÇô Silence between adjacent sentences. The value is an absolute silence length.</li><li>`Comma-exact` ΓÇô Silence at the comma in half-width or full-width format. The value is an absolute silence length.</li><li>`Semicolon-exact` ΓÇô Silence at the semicolon in half-width or full-width format. The value is an absolute silence length.</li><li>`Enumerationcomma-exact` ΓÇô Silence at the enumeration comma in full-width format. The value is an absolute silence length.</li></ul><br/>An absolute silence type (with the `-exact` suffix) replaces any otherwise natural leading or trailing silence. Absolute silence types take precedence over the corresponding non-absolute type. For example, if you set both `Leading` and `Leading-exact` types, the `Leading-exact` type will take effect.| Required |

+In this example, `mstts:silence` is used to add 50 ms of silence at the comma, 100 ms of silence at the semicolon, and 150 ms of silence at the enumeration comma.

+```xml

+<speak version="1.0" xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="http://www.w3.org/2001/mstts" xml:lang="zh-CN">

+<voice name="zh-CN-YunxiNeural">

+<mstts:silence type="comma-exact" value="50ms"/><mstts:silence type="semicolon-exact" value="100ms"/><mstts:silence type="enumerationcomma-exact" value="150ms"/>你好呀，云希、晓晓；你好呀。

+</voice>

+</speak>

+```

+## Audio duration

+Use the `mstts:audioduration` element to set the duration of the output audio. Use this element to help synchronize the timing of audio output completion. The audio duration can be decreased or increased between 0.5 to 2 times the rate of the original audio. The original audio here is the audio without any other rate settings. The speaking rate will be slowed down or sped up accordingly based on the set value.

+The audio duration setting is applied to all input text within its enclosing `voice` element. To reset or change the audio duration setting again, you must use a new `voice` element with either the same voice or a different voice.

+Usage of the `mstts:audioduration` element's attributes are described in the following table.

+| Attribute | Description | Required or optional |

+| - | - | - |

+| `value` | The requested duration of the output audio in either seconds (such as `2s`) or milliseconds (such as `2000ms`).<br/><br/>This value should be within 0.5 to 2 times the original audio without any other rate settings. For example, if the requested duration of your audio is `30s`, then the original audio must have otherwise been between 15 and 60 seconds. If you set a value outside of these boundaries, the duration is set according to the respective minimum or maximum multiple.<br/><br/>Given your requested output audio duration, the Speech service adjusts the speaking rate accordingly. Use the [voice list](rest-text-to-speech.md#get-a-list-of-voices) API and check the `WordsPerMinute` attribute to find out the speaking rate of the neural voice that you're using. You can divide the number of words in your input text by the value of the `WordsPerMinute` attribute to get the approximate original output audio duration. The output audio will sound most natural when you set the audio duration closest to the estimated duration.| Required |

+### mstts audio duration examples

+The supported values for attributes of the `mstts:audioduration` element were [described previously](#audio-duration).

+In this example, the original audio is around 15 seconds. The `mstts:audioduration` element is used to set the audio duration to 20 seconds (`20s`).

+```xml

+<speak version="1.0" xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="http://www.w3.org/2001/mstts" xml:lang="en-US">

+<voice name="en-US-JennyNeural">

+<mstts:audioduration value="20s"/>

+If we're home schooling, the best we can do is roll with what each day brings and try to have fun along the way.

+A good place to start is by trying out the slew of educational apps that are helping children stay happy and smash their schooling at the same time.

+</voice>

+</speak>

+```

+| `{LANGUAGES_LIST}` | List of language codes separated by commas. It's mandatory to have English (en) language as part of the list.| `en`, `fr`, `it`, `zu`, `uk` |

+docker run --rm -it -p 5000:5000 \

+<!--

+ > [!div class="nextstepaction"]

+-->

+<!-- [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=set-up-your-visual-studio-project) -->

+<!-- > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=build-your-c#-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=run-your-c#-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=set-up-your-go-environment) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=build-your-go-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=run-your-go-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=set-up-your-java-environment) -->

+<!-- > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=create-a-gradle-project) -->

+<!-- > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=create-your-java-application) -->

+<!-- > [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=build-and-run-your-java-application) -->

+<!-- > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=set-up-your-nodejs-express-project) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=build-your-javascript-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=run-your-javascript-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=set-up-your-python-project) -->

+<!--

+ > [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=build-your-python-application) -->

+<!--

+ > [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=run-your-python-application) -->

+| [Computer Vision][cv-containers] | **Read OCR** ([image](https://hub.docker.com/_/microsoft-azure-cognitive-services-vision-read)) | The Read OCR container allows you to extract printed and handwritten text from images and documents with support for JPEG, PNG, BMP, PDF, and TIFF file formats. For more information, see the [Read API documentation](./computer-vision/overview-ocr.md). | Generally Available. Gated - [request access](https://aka.ms/csgate). <br>This container can also [run in disconnected environments](containers/disconnected-containers.md). |

+ Title: Triage incoming emails with Power Automate

+description: Learn how to use custom text classification to categorize and triage incoming emails with Power Automate

+# Tutorial: Triage incoming emails with power automate

+In this tutorial you will categorize and triage incoming email using custom text classification. Using this [Power Automate](/power-automate/getting-started) flow, when a new email is received, its contents will have a classification applied, and depending on the result, a message will be sent to a designated channel on [Microsoft Teams](https://www.microsoft.com/microsoft-teams).

+## Prerequisites

+* Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services)

+* <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics" title="Create a Language resource" target="_blank">A Language resource </a>

+ * A trained [custom text classification](../overview.md) model.

+ * You will need the key and endpoint from your Language resource to authenticate your Power Automate flow.

+* A successfully created and deployed [single text classification custom model](../quickstart.md)

+## Create a Power Automate flow

+1. [Sign in to power automate](https://make.powerautomate.com/)

+2. From the left side menu, select **My flows** and create a **Automated cloud flow**

+ :::image type="content" source="../media/create-flow.png" alt-text="A screenshot of the flow creation screen." lightbox="../media/create-flow.png":::

+3. Name your flow `EmailTriage`. Below **Choose your flow's triggers**, search for *email* and select **When a new email arrives**. Then click **create**

+ :::image type="content" source="../media/email-flow.png" alt-text="A screenshot of the email flow triggers." lightbox="../media/email-flow.png":::

+4. Add the right connection to your email account. This connection will be used to access the email content.

+5. To add a Language service connector, search for *Azure Language*.

+

+ :::image type="content" source="../media/language-connector.png" alt-text="A screenshot of available Azure Language service connectors." lightbox="../media/language-connector.png":::

+6. Search for *CustomSingleLabelClassification*.

+ :::image type="content" source="../media/single-classification.png" alt-text="A screenshot of Classification connector." lightbox="../media/single-classification.png":::

+7. Start by adding the right connection to your connector. This connection will be used to access the classification project.

+8. In the documents ID field, add **1**.

+9. In the documents text field, add **body** from **dynamic content**.

+10. Fill in the project name and deployment name of your deployed custom text classification model.

+ :::image type="content" source="../media/classification.png" alt-text="A screenshot project details." lightbox="../media/classification.png":::

+11. Add a condition to send a Microsoft Teams message to the right team by:

+ 1. Select **results** from **dynamic content**, and add the condition. For this tutorial, we are looking for `Computer_science` related emails. In the **Yes** condition, choose your desired option to notify a team channel. In the **No** condition, you can add additional conditions to perform alternative actions.

+ :::image type="content" source="../media/email-triage.png" alt-text="A screenshot of email flow." lightbox="../media/email-triage.png":::

+## Next steps

+* [Use the Language service with Power Automate](../../tutorials/power-automate.md)

+* [Available Language service connectors](/connectors/cognitiveservicestextanalytics)

+### Valid text formats for conversation features

+> [!NOTE]

+> This section applies to the following features:

+> * [PII detection for conversation](./personally-identifiable-information/overview.md)

+> * [Conversation summarization](./summarization/overview.md?tabs=conversation-summarization)

+If you're sending conversational text to supported features in Language Studio, be aware of the following input requirements:

+* The text you send must be a conversational dialog between two or more participants.

+* Each line must start with the name of the participant, followed by a `:`, and followed by what they say.

+* Each participant must be on a new line. If multiple participants' utterances are on the same line, it will be processed as one line of the conversation.

+See the following example for how you should structure conversational text you want to send.

+*Agent: Hello, you're chatting with Rene. How may I help you?*

+*Customer: Hi, I tried to set up wifi connection for Smart Brew 300 espresso machine, but it didn't work.*

+*Agent: IΓÇÖm sorry to hear that. LetΓÇÖs see what we can do to fix this issue.*

+Note that the names of the two participants in the conversation (*Agent* and *Customer*) begin each line, and that there is only one participant per line of dialog.

+> [!NOTE]

+> See the [Language Studio](../language-studio.md#valid-text-formats-for-conversation-features) article for information on formatting conversational text to submit using Language Studio.

+2. From the menu on the left side, select **Keys and Endpoint**. You'll need one of the keys and the endpoint to authenticate your API requests.

+* [Sentiment analysis and opinion mining overview](../overview.md)

+> [!NOTE]

+> See the [Language Studio](../../language-studio.md#valid-text-formats-for-conversation-features) article for information on formatting conversational text to submit using Language Studio.

+ Title: Use Language services in power automate

+description: Learn how to use Azure Cognitive Service for Language in power automate, without writing code.

+# Use the Language service in Power Automate

+You can use [Power Automate](/power-automate/getting-started) flows to automate repetitive tasks and bring efficiency to your organization. Using Azure Cognitive Service for Language, you can automate tasks like:

+* Send incoming emails to different departments based on their contents.

+* Analyze the sentiment of new tweets.

+* Extract entities from incoming documents.

+* Summarize meetings.

+* Remove personal data from files before saving them.

+In this tutorial, you'll create a Power Automate flow to extract entities found in text, using [Named entity recognition](../named-entity-recognition/overview.md).

+## Prerequisites

+* Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services)

+* <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics" title="Create a Language resource" target="_blank">A Language resource </a>

+ * (optional) A trained model if you're using a custom capability such as [custom NER](../custom-named-entity-recognition/overview.md), [custom text classification](../custom-text-classification/overview.md), or [conversational language understanding](../conversational-language-understanding/overview.md).

+ * You will need the key and endpoint from your Language resource to authenticate your Power Automate flow.

+## Create a Power Automate flow

+1. [Sign in to power automate](https://make.powerautomate.com/)

+2. From the left side menu, select **My flows** and create a **Automated cloud flow**

+ :::image type="content" source="../media/create-flow.png" alt-text="A screenshot of the menu for creating an automated cloud flow." lightbox="../media/create-flow.png":::

+3. Enter a name your flow. For example `Languageflow`.

+ :::image type="content" source="../media/language-flow.png" alt-text="A screenshot of automated cloud flow screen." lightbox="../media/language-flow.png":::

+4. Start by selecting **Manually trigger flow**.

+ :::image type="content" source="../media/trigger-flow.png" alt-text="A screenshot of how to manually trigger a flow." lightbox="../media/trigger-flow.png":::

+5. To add a Language service connector, search for **Azure Language**.

+ :::image type="content" source="../media/language-connector.png" alt-text="A screenshot of An Azure language connector." lightbox="../media/language-connector.png":::

+6. For this tutorial, you will create a flow that extracts named entities from text. Search for **Named entity recognition**, and select the connector.

+ :::image type="content" source="../media/entity-connector.png" alt-text="A screenshot of a named entity recognition connector." lightbox="../media/entity-connector.png":::

+7. Add endpoint and key for your Language resource, which will be used for authentication. You can find your key and endpoint by navigating to your resource in the [Azure portal](https://portal.azure.com), and selecting **Keys and endpoint** from the left navigation menu.

+ :::image type="content" source="../media/azure-portal-resource-credentials.png" alt-text="A screenshot of A language resource key and endpoint in the Azure portal." lightbox="../media/azure-portal-resource-credentials.png":::

+8. Once you have your key and endpoint, add it to the connector in Power Automate.

+

+ :::image type="content" source="../media/language-auth.png" alt-text="A screenshot of adding the language key and endpoint to the Power Automate flow." lightbox="../media/language-auth.png":::

+9. Add the data in the connector

+

+ > [!NOTE]

+ > You will need deployment name and project name if you are using custom language capability.

+

+9. From the top navigation menu, save the flow and select **Test the flow**. In the window that appears, select **Test**.

+10. After the flow runs, you will see the response in the **outputs** field.

+ :::image type="content" source="../media/response-connector.png" alt-text="A screenshot of flow response." lightbox="../media/response-connector.png":::

+## Next steps

+* [Triage incoming emails with custom text classification](../custom-text-classification/tutorials/triage-email.md)

+* [Available Language service connectors](/connectors/cognitiveservicestextanalytics)

+| Group of features | Capability | Supported |

+See [here](https://www.npmjs.com/package/@azure/communication-calling-effects) for more details on the calling commmunication effects npm package page.

+// Ensure you have initialized the Azure Communication Calling client library and have created a LocalVideoStream

+const videoEffectsFeatureApi = localVideoStream.feature(AzureCommunicationCallingSDK.Features.VideoEffects);

+| Outbound public IP | Used as the "from" IP for outbound connections that leave the virtual network. These connections aren't routed down a VPN. Using a NAT gateway or other proxy for outbound traffic from a Container App environment isn't supported. Outbound IPs aren't guaranteed and may change over time. |

+ 1. **Non-custom domains**: If you don't plan to use custom domains, create a private DNS zone that resolves the Container Apps environment's default domain to the static IP address of the Container Apps environment. You can use [Azure Private DNS](../dns/private-dns-overview.md) or your own DNS server. If you use Azure Private DNS, create a Private DNS Zone named as the Container App EnvironmentΓÇÖs default domain (`<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io`), with an `A` record. The A record contains the name `*<DNS Suffix>` and the static IP address of the Container Apps environment.

+The static IP address of the Container Apps environment can be found in the Azure portal in **Custom DNS suffix** of the container app page or using the Azure CLI `az containerapp env list` command.

+- [Work with a collection](how-to-dotnet-manage-collections.md)

+ Title: Managed Airflow pricing

+description: This article describes the pricing for Managed Airflow.

+# Managed Airflow pricing

+This article describes the pricing for Managed Airflow usage within data factory.

+## Pricing details

+Managed Airflow supports either small (D2v4) or large (D4v4) node sizing. Small can support up to 50 DAGs simultaneously, and large can support up to 1000 DAGs. The following table describes pricing for each option:

+## Next steps

+- [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md)

+- [Refresh a Power BI dataset with Managed Airflow](tutorial-refresh-power-bi-dataset-with-airflow.md)

+- [Changing password for Airflow environments](password-change-airflow.md)

+ Title: What is Managed Airflow?

+description: Learn about when to use Managed Airflow, basic concepts and supported regions.

+# What is Azure Data Factory Managed Airflow?

+> [!NOTE]

+> This feature is in public preview. For questions or feature suggestions, please send an email to mailto:ManagedAirflow@microsoft.com with the details.

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open source Apache Airflow application. Documentation and more tutorials for Airflow can be found on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) pages.

+Azure Data Factory offers serverless pipelines for data process orchestration, data movement with 100+ managed connectors, and visual transformations with the mapping data flow.

+Managed Airflow in Azure Data Factory is a managed orchestration service for [Apache Airflow](https://airflow.apache.org/) that simplifies the creation and management of Airflow environments on which you can operate end-to-end data pipelines at scale. Apache Airflow is an open-source tool used to programmatically author, schedule, and monitor sequences of processes and tasks referred to as "workflows." With Managed Airflow in Azure Data Factory, you can use Airflow and Python to create data workflows without managing the underlying infrastructure for scalability, availability, and security.

+## When to use Managed Airflow?

+Azure Data Factory offers [Pipelines](concepts-pipelines-activities.md) to visually orchestrate data processes (UI-based authoring). While Managed Airflow, offers Airflow based python DAGs (python code-centric authoring) for defining the data orchestration process. If you have the Airflow background, or are currently using Apace Airflow, you may prefer to use the Managed Airflow instead of the pipelines. On the contrary, if you wouldn't like to write/ manage python-based DAGs for data process orchestration, you may prefer to use pipelines.

+With Managed Airflow, Azure Data Factory now offers multi-orchestration capabilities spanning across visual, code-centric, OSS orchestration requirements.

+## Features

+- **Automatic Airflow setup** – Quickly set up Apache Airflow by choosing an [Apache Airflow version](concept-managed-airflow.md#supported-apache-airflow-versions) when you create a Managed Airflow environment. ADF Managed Airflow sets up Apache Airflow for you using the same Apache Airflow user interface and open-source code you can download on the Internet.

+- **Automatic scaling** – Automatically scale Apache Airflow Workers by setting the minimum and maximum number of Workers that run in your environment. ADF Managed Airflow monitors the Workers in your environment. It uses its autoscaling component to add Workers to meet demand until it reaches the maximum number of Workers you defined.

+- **Built-in authentication** – Enable Azure Active Directory (Azure AD) role-based authentication and authorization for your Airflow Web server by defining Azure AD RBAC's access control policies.

+- **Built-in security** – Metadata is also automatically encrypted by Azure-managed keys, so your environment is secure by default. Additionally, it supports double encryption with a Customer-Managed Key (CMK).

+- **Streamlined upgrades and patches** – Azure Data Factory Managed Airflow provide new versions of Apache Airflow periodically. The ADF Managed Airflow team will auto-update and patch the minor versions.

+- **Workflow monitoring** – View Airflow logs and Airflow metrics in Azure Monitor to identify Airflow task delays or workflow errors without needing additional third-party tools. Managed Airflow automatically sends environment metrics, and if enabled, Airflow logs to Azure Monitor.

+- **Azure integration** – Azure Data Factory Managed Airflow supports open-source integrations with Azure Data Factory pipelines, Azure Batch, Azure Cosmos DB, Azure Key Vault, ACI, ADLS Gen2, Azure Kusto, as well as hundreds of built-in and community-created operators and sensors.

+## Architecture

+ :::image type="content" source="media/concept-managed-airflow/architecture.png" alt-text="Screenshot shows architecture in Managed Airflow.":::

+## Region availability (public preview)

+* EastUs

+* SouthCentralUs

+* WestUs

+* UKSouth

+* NorthEurope

+* WestEurope

+* SouthEastAsia

+* EastUS2

+* WestUS2

+* GermanyWestCentral

+* AustraliaEast

+> [!NOTE]

+> By GA, all ADF regions will be supported. The Airflow environment region is defaulted to the Data Factory region and is not configurable, so ensure you use a Data Factory in the above supported region to be able to access the Managed Airflow preview.

+## Supported Apache Airflow versions

+* 1.10.14

+* 2.2.4

+## Integrations

+Apache Airflow integrates with Microsoft Azure services through microsoft.azure [provider](https://airflow.apache.org/docs/apache-airflow-providers-microsoft-azure/stable/https://docsupdatetracker.net/index.html).

+You can install any provider package by editing the airflow environment from the Azure Data Factory UI. It takes around a couple of minutes to install the package.

+ :::image type="content" source="media/concept-managed-airflow/airflow-integration.png" lightbox="media/concept-managed-airflow/airflow-integration.png" alt-text="Screenshot shows airflow integration.":::

+## Next steps

+- [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md)

+- [Refresh a Power BI dataset with Managed Airflow](tutorial-refresh-power-bi-dataset-with-airflow.md)

+- [Managed Airflow pricing](airflow-pricing.md)

+- [How to change the password for Managed Airflow environments](password-change-airflow.md)

+-

+Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked. Instead of storing the connection string in the app's code, you can store it securely in Key Vault. Your applications can securely access the information they need by using URIs. These URIs allow the applications to retrieve specific versions of a secret. There's no need to write custom code to protect any of the secret information stored in Key Vault.

+ Title: How does Managed Airflow work?

+description: This article explains how to create a Managed Airflow instance and use DAG to make it work.

+# How does Azure Data Factory Managed Airflow work?

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open source Apache Airflow application. Documentation and more tutorials for Airflow can be found on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) pages.

+Azure Data Factory Managed Airflow orchestrates your workflows using Directed Acyclic Graphs (DAGs) written in Python. You must provide your DAGs and plugins in Azure Blob Storage. Airflow requirements or library dependencies can be installed during the creation of the new Managed Airflow environment or by editing an existing Managed Airflow environment. Then run and monitor your DAGs by launching the Airflow UI from ADF using a command line interface (CLI) or a software development kit (SDK).

+## Create a Managed Airflow environment

+The following steps set up and configure your Managed Airflow environment.

+### Prerequisites

+**Azure subscription**: If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+ Create or select an existing Data Factory in the region where the managed airflow preview is supported.

+### Steps to create the environment

+1. Create new Managed Airflow environment.

+ Go to **Manage** hub -> **Airflow (Preview)** -> **+New** to create a new Airflow environment

+ :::image type="content" source="media/how-does-managed-airflow-work/create-new-airflow.png" alt-text="Screenshot that shows how to create a new Managed Apache Airflow environment.":::

+1. Provide the details (Airflow config)

+ :::image type="content" source="media/how-does-managed-airflow-work/airflow-environment-details.png" alt-text="Screenshot that shows some Managed Airflow environment details.":::

+ > [!IMPORTANT]

+ > When using **Basic** authentication, remember the username and password specified in this screen. It will be needed to login later in the Managed Airflow UI. The default option is **Azure AD** and it does not require creating username/ password for your Airflow environment, but instead uses the logged in user's credential to Azure Data Factory to login/ monitor DAGs.

+1. **Environment variables** a simple key value store within Airflow to store and retrieve arbitrary content or settings.

+1. **Requirements** can be used to pre-install python libraries. You can update these later as well.

+## Import DAGs

+The following steps describe how to import DAGs into Managed Airflow.

+### Prerequisites

+You'll need to upload a sample DAG onto an accessible Storage account.

+> [!NOTE]

+> Blob Storage behind VNet are not supported during the preview.

+[Sample Apache Airflow v2.x DAG](https://airflow.apache.org/docs/apache-airflow/stable/tutorial/fundamentals.html).

+[Sample Apache Airflow v1.10 DAG](https://airflow.apache.org/docs/apache-airflow/1.10.11/_modules/airflow/example_dags/tutorial.html).

+### Steps to import

+1. Copy-paste the content (either v2.x or v1.10 based on the Airflow environment that you have setup) into a new file called as **tutorial.py**.

+ Upload the **tutorial.py** to a blob storage. ([How to upload a file into blob](/storage/blobs/storage-quickstart-blobs-portal.md))

+ > [!NOTE]

+ > You will need to select a directory path from a blob storage account that contains folders named **dags** and **plugins** to import those into the Airflow environment. **Plugins** are not mandatory. You can also have a container named **dags** and upload all Airflow files within it.

+1. Select on **Airflow (Preview)** under **Manage** hub. Then hover over the earlier created **Airflow** environment and select on **Import files** to Import all DAGs and dependencies into the Airflow Environment.

+ :::image type="content" source="media/how-does-managed-airflow-work/import-files.png" alt-text="Screenshot shows import files in manage hub.":::

+1. Create a new Linked Service to the accessible storage account mentioned in the prerequisite (or use an existing one if you already have your own DAGs).

+ :::image type="content" source="media/how-does-managed-airflow-work/create-new-linked-service.png" alt-text="Screenshot that shows how to create a new linked service.":::

+1. Use the storage account where you uploaded the DAG (check prerequisite). Test connection, then select **Create**.

+ :::image type="content" source="media/how-does-managed-airflow-work/linked-service-details.png" alt-text="Screenshot shows some linked service details.":::

+1. Browse and select **airflow** if using the sample SAS URL or select the folder that contains **dags** folder with DAG files.

+ > [!NOTE]

+ > You can import DAGs and their dependencies through this interface. You will need to select a directory path from a blob storage account that contains folders named **dags** and **plugins** to import those into the Airflow environment. **Plugins** are not mandatory.

+ :::image type="content" source="media/how-does-managed-airflow-work/browse-storage.png" alt-text="Screenshot shows browse storage in import files.":::

+ :::image type="content" source="media/how-does-managed-airflow-work/browse.png" alt-text="Screenshot that shows browse in airflow.":::

+ :::image type="content" source="media/how-does-managed-airflow-work/import-in-import-files.png" alt-text="Screenshot shows import in import files.":::

+ :::image type="content" source="media/how-does-managed-airflow-work/import-dags.png" alt-text="Screenshot shows import dags.":::

+> [!NOTE]

+> Importing DAGs could take a couple of minutes during **Preview**. The notification center (bell icon in ADF UI) can be used to track the import status updates.

+## Troubleshooting import DAG issues

+* Problem: DAG import is taking over 5 minutes

+Mitigation: Reduce the size of the imported DAGs with a single import. One way to achieve this is by creating multiple DAG folders with lesser DAGs across multiple containers.

+* Problem: Imported DAGs don't show up when you sign in into the Airflow UI.

+Mitigation: Sign in into the Airflow UI and see if there are any DAG parsing errors. This could happen if the DAG files contain any incompatible code. You'll find the exact line numbers and the files, which have the issue through the Airflow UI.

+ :::image type="content" source="media/how-does-managed-airflow-work/import-dag-issues.png" alt-text="Screenshot shows import dag issues.":::

+## Monitor DAG runs

+To monitor the Airflow DAGs, sign in into Airflow UI with the earlier created username and password.

+1. Select on the Airflow environment created.

+ :::image type="content" source="media/how-does-managed-airflow-work/airflow-environment-monitor-dag.png" alt-text="Screenshot that shows the Airflow environment created.":::

+1. Sign in using the username-password provided during the Airflow Integration Runtime creation. ([You can reset the username or password by editing the Airflow Integration runtime]() if needed)

+ :::image type="content" source="media/how-does-managed-airflow-work/login-in-dags.png" alt-text="Screenshot that shows sign in using the username-password provided during the Airflow Integration Runtime creation.":::

+## Remove DAGs from the Airflow environment

+If you're using Airflow version 1.x, delete DAGs that are deployed on any Airflow environment (IR), you need to delete the DAGs in two different places.

+1. Delete the DAG from Airflow UI

+1. Delete the DAG in ADF UI

+> [!NOTE]

+> This is the current experience during the Public Preview, and we will be improving this experience. 

+## Next steps

+* [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md)

+* [Refresh a Power BI dataset with Managed Airflow](tutorial-refresh-power-bi-dataset-with-airflow.md)

+* [Managed Airflow pricing](airflow-pricing.md)

+* [How to change the password for Managed Airflow environments](password-change-airflow.md)

+ Title: Changing a password for a Managed Airflow environment

+description: This article describes how to change a password for a Managed Airflow environment.

+# Changing a password for a Managed Airflow environment

+This article describes how to change the password for a Managed Airflow environment in Azure Data Factory using **Basic** authentication.

+## Updating the password

+We recommend using **Azure AD** authentication in Managed Airflow environments. However, if you choose to use **Basic** authentication, you can still update the Airflow password by editing the Airflow environment configuration and updating the username/password in the integration runtime settings, as shown here:

+## Next steps

+- [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md)

+- [Refresh a Power BI dataset with Managed Airflow](tutorial-refresh-power-bi-dataset-with-airflow.md)

+- [Managed Airflow pricing](airflow-pricing.md)

+ Title: Refresh a Power BI dataset with Managed Airflow

+description: This tutorial provides step-by-step instructions for refreshing a Power BI dataset with Managed Airflow.

+# Refresh a Power BI dataset with Managed Airflow

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open source Apache Airflow application. Documentation and more tutorials for Airflow can be found on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) pages.

+This tutorial shows you how to refresh a Power BI dataset with Managed Airflow in Azure Data Factory.

+## Prerequisites

+* **Azure subscription**. If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+* **Azure storage account**. If you don't have a storage account, see [Create an Azure storage account](../storage/common/storage-account-create.md?tabs=azure-portal) for steps to create one. *Ensure the storage account allows access only from selected networks.*

+* **Setup a Service Principal**. You will need to [create a new service principal](../active-directory/develop/howto-create-service-principal-portal.md) or use an existing one and grant it permission to run the pipeline (example ΓÇô contributor role in the data factory where the existing pipelines exist), even if the Managed Airflow environment and the pipelines exist in the same data factory. You will need to get the Service PrincipalΓÇÖs Client ID and Client Secret (API Key).

+## Steps

+1. Create a new Python file **pbi-dataset-refresh.py** with the below contents:

+ ```python

+ from airflow import DAG

+ from airflow.operators.python_operator import PythonOperator

+ from datetime import datetime, timedelta

+ from powerbi.datasets import Datasets

+ # Default arguments for the DAG

+ default_args = {

+ 'owner': 'me',

+ 'start_date': datetime(2022, 1, 1),

+ 'depends_on_past': False,

+ 'retries': 1,

+ 'retry_delay': timedelta(minutes=5),

+ }

+ # Create the DAG

+ dag = DAG(

+ 'refresh_power_bi_dataset',

+ default_args=default_args,

+ schedule_interval=timedelta(hours=1),

+ )

+ # Define a function to refresh the dataset

+ def refresh_dataset(**kwargs):

+ # Create a Power BI client

+ datasets = Datasets(client_id='your_client_id',

+ client_secret='your_client_secret',

+ tenant_id='your_tenant_id')

+

+ # Refresh the dataset

+ dataset_name = 'your_dataset_name'

+ datasets.refresh(dataset_name)

+ print(f'Successfully refreshed dataset: {dataset_name}')

+ # Create a PythonOperator to run the dataset refresh

+ refresh_dataset_operator = PythonOperator(

+ task_id='refresh_dataset',

+ python_callable=refresh_dataset,

+ provide_context=True,

+ dag=dag,

+ )

+ refresh_dataset_operator

+ ```

+ You will have to fill in your **client_id**, **client_secret**, **tenant_id**, and **dataset_name** with your own values.

+ Also, you will need to install the **powerbi** python package to use the above code using Managed Airflow requirements. Edit a Managed Airflow environment and add the **powerbi** python package under **Airflow requirements**.

+1. Upload the **pbi-dataset-refresh.py** file to the blob storage within a folder named **DAG**.

+1. [Import the **DAG** folder into your Airflow environment](). If you do not have one, [create a new one]().

+ :::image type="content" source="media/tutorial-run-existing-pipeline-with-airflow/airflow-environment.png" alt-text="Screenshot showing the data factory management tab with the Airflow section selected.":::

+## Next Steps

+* [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md)

+* [Managed Airflow pricing](airflow-pricing.md)

+* [Changing password for Managed Airflow environments](password-change-airflow.md)

+ Title: Run an existing pipeline with Managed Airflow

+description: This tutorial provides step-by-step instructions for running an existing pipeline with Managed Airflow in Azure Data Factory.

+# Run an existing pipeline with Managed Airflow

+> [!NOTE]

+> Managed Airflow for Azure Data Factory relies on the open source Apache Airflow application. Documentation and more tutorials for Airflow can be found on the Apache Airflow [Documentation](https://airflow.apache.org/docs/) or [Community](https://airflow.apache.org/community/) pages.

+Data Factory pipelines provide 100+ data source connectors that provide scalable and reliable data integration/ data flows. There are scenarios where you would like to run an existing data factory pipeline from your Apache Airflow DAG. This tutorial shows you how to do just that.

+## Prerequisites

+* **Azure subscription**. If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+* **Azure storage account**. If you don't have a storage account, see [Create an Azure storage account](../storage/common/storage-account-create.md?tabs=azure-portal) for steps to create one. *Ensure the storage account allows access only from selected networks.*

+* **Azure Data Factory pipeline**. You can follow any of the tutorials and create a new data factory pipeline in case you do not already have one, or create one with one click in [Get started and try out your first data factory pipeline](quickstart-get-started.md).

+* **Setup a Service Principal**. You will need to [create a new service principal](../active-directory/develop/howto-create-service-principal-portal.md) or use an existing one and grant it permission to run the pipeline (example ΓÇô contributor role in the data factory where the existing pipelines exist), even if the Managed Airflow environment and the pipelines exist in the same data factory. You will need to get the Service PrincipalΓÇÖs Client ID and Client Secret (API Key).

+## Steps

+1. Create a new Python file **adf.py** with the below contents:

+ ```python

+ from airflow import DAG

+ from airflow.operators.python_operator import PythonOperator

+ from azure.common.credentials import ServicePrincipalCredentials

+ from azure.mgmt.datafactory import DataFactoryManagementClient

+ from datetime import datetime, timedelta

+

+ # Default arguments for the DAG

+ default_args = {

+ 'owner': 'me',

+ 'start_date': datetime(2022, 1, 1),

+ 'depends_on_past': False,

+ 'retries': 1,

+ 'retry_delay': timedelta(minutes=5),

+ }

+ # Create the DAG

+ dag = DAG(

+ 'run_azure_data_factory_pipeline',

+ default_args=default_args,

+ schedule_interval=timedelta(hours=1),

+ )

+ # Define a function to run the pipeline

+

+ def run_pipeline(**kwargs):

+ # Create the client

+ credentials = ServicePrincipalCredentials(

+ client_id='your_client_id',

+ secret='your_client_secret',

+ tenant='your_tenant_id',

+ )

+ client = DataFactoryManagementClient(credentials, 'your_subscription_id')

+ # Run the pipeline

+ pipeline_name = 'your_pipeline_name'

+ run_response = client.pipelines.create_run(

+ 'your_resource_group_name',

+ 'your_data_factory_name',

+ pipeline_name,

+ )

+ run_id = run_response.run_id

+ # Print the run ID

+ print(f'Pipeline run ID: {run_id}')

+ # Create a PythonOperator to run the pipeline

+ run_pipeline_operator = PythonOperator(

+ task_id='run_pipeline',

+ python_callable=run_pipeline,

+ provide_context=True,

+ dag=dag,

+ )

+ # Set the dependencies

+ run_pipeline_operator

+ ```

+ You will have to fill in your **client_id**, **client_secret**, **tenant_id**, **subscription_id**, **resource_group_name**, **data_factory_name**, and **pipeline_name**.

+1. Upload the **adf.py** file to your blob storage within a folder called **DAG**.

+1. [Import the **DAG** folder into your Managed Airflow environment](./how-does-managed-airflow-work.md#import-dags). If you do not have one, [create a new one](./how-does-managed-airflow-work.md#create-a-managed-airflow-environment)

+ :::image type="content" source="media/tutorial-run-existing-pipeline-with-airflow/airflow-environment.png" alt-text="Screenshot showing the data factory management tab with the Airflow section selected.":::

+## Next steps

+* [Refresh a Power BI dataset with Managed Airflow](tutorial-refresh-power-bi-dataset-with-airflow.md)

+* [Managed Airflow pricing](airflow-pricing.md)

+* [Changing password for Managed Airflow environments](password-change-airflow.md)

+## Verify AKS is enabled

+To verify that AKS is enabled, go to your Azure Stack Edge resource in the Azure portal. In the **Overview** pane, select the **Azure Kubernetes Service** tile.

+ [](./media/azure-stack-edge-deploy-aks-on-azure-stack-edge/azure-stack-edge-azure-kubernetes-service-tile.png#lightbox)

+### Alert status synchronizations

+Alert status changes are synchronized from Microsoft Sentinel to Defender for IoT only, and not from Defender for IoT to Microsoft Sentinel.

+If you integrate Defender for IoT with Microsoft Sentinel, we recommend that you manage your alert statuses together with the related incidents in Microsoft Sentinel.

+After youΓÇÖve [configured your Defender for IoT data to trigger new incidents in Microsoft Sentinel](#detect-threats-out-of-the-box-with-defender-for-iot-data), start investigating those incidents in Microsoft Sentinel [as you would other incidents](/sentinel/investigate-cases).

+When investigating an incident in Microsoft Sentinel, in an incident details pane, select an IoT device entity from the **Entities** list to open its [device entity page]](/azure/sentinel/entity-pages).

+You can identify an IoT device by the IoT device icon: :::image type="icon" source="media/iot-solution/iot-device-icon.png" border="false":::

+### Investigate the alert in Defender for IoT

+To open an alert in Defender for IoT for further investigation, go to your incident details page and select **Investigate in Microsoft Defender for IoT**. For example:

+The Defender for IoT alert details page opens for the related alert. For more information, see [Investigate and respond to an OT network alert](respond-ot-alert.md).

+[Playbooks](/azure/sentinel/tutorial-respond-threats-playbook) are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

+Start by enabling the [Defender for IoT data connector](/azure/sentinel/data-connectors-reference.md#microsoft-defender-for-iot) to stream all your Defender for IoT events into Microsoft Sentinel.

+## Next steps

+The [Microsoft Defender for IoT](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview) solution is a set of bundled, out-of-the-box content that's configured specifically for Defender for IoT data, and includes analytics rules, workbooks, and playbooks.

+> [!div class="nextstepaction"]

+> [Install the **Microsoft Defender for IoT** solution](iot-advanced-threat-monitoring.md)

+ Title: Respond to an alert in the Azure portal - Microsoft Defender for IoT

+description: Learn about how to fully respond to OT network alerts in Microsoft Defender for IoT.

+# Investigate and respond to an OT network alert

+This article describes how to investigate and respond to an OT network alert in Microsoft Defender for IoT.

+You might be a security operations center (SOC) engineer using Microsoft Sentinel, who's seen a new incident in your Microsoft Sentinel workspace and is continuing in Defender for IoT for further details about related devices and recommended remediation steps.

+Alternately, you might be an OT engineer watching for operational alerts directly in Defender for IoT. Operational alerts might not be malicious but can indicate operational activity that can aid in security investigations.

+## Prerequisites

+Before you start, make sure that you have:

+- An Azure subscription. If you need to, [sign up for a free account](https://azure.microsoft.com/free/).

+- A cloud-connected [OT network sensor](onboard-sensors.md) onboarded to Defender for IoT, with alerts streaming into the Azure portal.

+- To investigate an alert from a Microsoft Sentinel incident, make sure that you've completed the following tutorials:

+ - [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](iot-solution.md)

+ - [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md)

+- An alert details page open, accessed either from the Defender for IoT **Alerts** page in the [Azure portal](how-to-manage-cloud-alerts.md), a Defender for IoT [device details page](how-to-manage-device-inventory-for-organizations.md#view-the-device-inventory), or a Microsoft Sentinel [incident](/azure/sentinel/investigate-incidents).

+## Investigate an alert from the Azure portal

+On an alert details page in the Azure portal, start by changing the alert status to **Active**, indicating that it's currently under investigation.

+For example:

+> [!IMPORTANT]

+> If you're integrating with Microsoft Sentinel, make sure to manage your alert status only from the [incident](/azure/sentinel/investigate-incidents) in Microsoft Sentinel. Alerts statuses are not synchronized from Defender for IoT to Microsoft Sentinel.

+After updating the status, check the alert details page for the following details to aid in your investigation:

+- **Source and destination device details**. Source and destination devices are listed in **Alert details** tab, and also in the **Entities** area below, as Microsoft Sentinel *entities*, with their own [entity pages](iot-advanced-threat-monitoring.md#investigate-further-with-iot-device-entities). In the **Entities** area, you'll use the links in the **Name** column to open the relevant device details pages for [further investigation](#investigate-related-alerts-on-the-azure-portal).

+- **Site and/or zone**. These values help you understand the geographic and network location of the alert and if there are areas of the network that are now more vulnerable to attack.

+- **MITRE ATT&CK** tactics and techniques. Scroll down in the left pane to view all MITRE ATT&CK details. In addition to descriptions of the tactics and techniques, select the links to the MITRE ATT&CK site to learn more about each one.

+- **Download PCAP**. At the top of the page, select **Download PCAP** to [download the raw traffic files](how-to-manage-cloud-alerts.md#access-alert-pcap-data) for the selected alert.

+## Investigate related alerts on the Azure portal

+Look for other alerts triggered by the same source or destination device. Correlations between multiple alerts may indicate that the device is at risk and can be exploited.

+For example, a device that attempted to connect to a malicious IP, together with another alert about unauthorized PLC programming changes on the device, might indicate that an attacker has already gained control of the device.

+**To find related alerts in Defender for IoT**:

+1. On the **Alerts** page, select an alert to view details on the right.

+1. Locate the device links in the **Entities** area, either in the details pane on the right or in the alert details page. Select an entity link to open the related device details page, for both a source and destination device. <!--no links for some alerts?-->

+1. On the device details page, select the **Alerts** tab to view all alerts for that device. For example:

+ :::image type="content" source="media/iot-solution/device-details-alerts.png" alt-text="Screenshot of the Alerts tab on a device details page.":::

+## Investigate alert details on the OT sensor

+The OT sensor that triggered the alert will have more details to help your investigation.

+**To continue your investigation on the OT sensor**:

+1. Sign into your OT sensor as a **Viewer** or **Security Analyst** user.

+1. Select the **Alerts** page and find then alert you're investigating. Select **View more details to open the OT sensor's alert details page. For example:

+ :::image type="content" source="media/iot-solution/alert-on-sensor.png" alt-text="Screenshot of the alert on the sensor console.":::

+On the sensor's alert details page:

+- Select the **Map view** tab to view the alert inside the OT sensor's [device map](how-to-work-with-the-sensor-device-map.md), including any connected devices.

+- Select the **Event timeline** tab to view the alert's [full event timeline](how-to-track-sensor-activity.md), including other related activity also detected by the OT sensor.

+- Select **Export PDF** to download a PDF summary of the alert details.

+## Take remediation action

+The timing for when you take remediation actions may depend on the severity of the alert. For example, for high severity alerts, you might want to take action even before investigating, such as if you need to immediately quarantine an area of your network.

+For lower severity alerts, or for operational alerts, you might want to fully investigate before taking action.

+**To remediate an alert**, use the following Defender for IoT resources:

+- **On an alert details page** on either the Azure portal or the OT sensor, select the **Take action** tab to view details about recommended steps to mitigate the risk.

+- **On a device details page** in the Azure portal, for both the [source and destination devices](#investigate-an-alert-from-the-azure-portal):

+ - Select the **Vulnerabilities** tab and check for detected vulnerabilities on each device.

+ - Select the **Recommendations** tab and check for current security [recommendations](recommendations.md) for each device.

+Defender for IoT vulnerability data and security recommendations can provide simple actions you can take to mitigate the risks, such as updating firmware or applying a patch. Other actions may take more planning.

+When you've finished with mitigation activities and are ready to close the alert, make sure to update the alert status to **Closed** or notify your SOC team for further incident management.

+> [!NOTE]

+> If you integrate Defender for IoT with Microsoft Sentinel, alert status changes you make in Defender for IoT are *not* updated in Microsoft Sentinel. Make sure to manage your alerts in Microsoft Sentinel together with the related incident.

+## Triage alerts regularly

+Triage alerts on a regular basis to prevent alert fatigue in your network and ensure that you're able to see and handle important alerts in a timely manner.

+**To triage alerts**:

+1. In Defender for IoT in the Azure portal, go to the **Alerts** page. By default, alerts are sorted by the **Last detection** column, from most recent to oldest alert, so that you can first see the latest alerts in your network.

+1. Use other filters, such as **Sensor** or **Severity** to find specific alerts.

+1. Check the alert details and investigate as needed before you take any alert action. When you're ready, take action on an alert details page for a specific alert, or on the **Alerts** page for bulk actions.

+ For example, update alert status or severity, or [learn](how-to-manage-the-alert-event.md#learn-and-unlearn-alert-traffic) an alert to authorize the detected traffic. *Learned* alerts are not triggered again if the same exact traffic is detected again.

+ :::image type="content" source="media/iot-solution/learn-alert.png" alt-text="Screenshot of a Learn button on the alert details page.":::

+For high severity alerts, you may want to take action immediately.

+## Next steps

+> [!div class="nextstepaction"]

+> [Enhance security posture with security recommendations](recommendations.md)

+## February 2023

+|Service area |Updates |

+|||

+|**Cloud features** | [Alerts GA in the Azure portal](#alerts-ga-in-the-azure-portal) |

+### Alerts GA in the Azure portal

+The **Alerts** page in the Azure portal is now out for General Availability. Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events detected in your network. Alerts are triggered when OT or Enterprise IoT network sensors, or the [Defender for IoT micro agent](/azure/defender-for-iot/device-builders/), detect changes or suspicious activity in network traffic that need your attention.

+Specific alerts triggered by the Enterprise IoT sensor currently remain in public preview.

+For more information, see:

+- [View and manage alerts from the Azure portal](how-to-manage-cloud-alerts.md)

+- [Investigate and respond to an OT network alert](respond-ot-alert.md)

+- [OT monitoring alert types and descriptions](alert-engine-messages.md)

+1. Modify the `-LocalFilePath` parameter of the Add-AZVHD cmdlet to point to the location of the VHD file you want to upload.

+1. At a PowerShell command prompt, run the Add-AZVHD cmdlet with the modified `-LocalFilePath` parameter.

+The plugin works by calling the [Azure Digital Twins Query API](/rest/api/digital-twins/dataplane/query), and the [query language structure](concepts-query-language.md) is the same as when using the API, with two exceptions:

+When you run a query using the [Azure Digital Twins Query API](/rest/api/digital-twins/dataplane/query), you can examine the response header to track the number of QUs that the query consumed. Look for "query-charge" in the response sent back from Azure Digital Twins.

+The following code snippet demonstrates how you can extract the query charges incurred when calling the Query API. It iterates over the response pages first to access the query-charge header, and then iterates over the digital twin results within each page.

+Similarly, you can use private access endpoints for your Azure Digital Twins instance to allow clients located in your virtual network to have secure REST API access to the instance over Private Link. Configuring a private access endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure. Additionally, it helps avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).

+The private access endpoint uses an IP address from your Azure VNet address space. Network traffic between a client on your private network and the Azure Digital Twins instance traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure to the public internet. Here's a visual representation of this system:

+Configuring a private access endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure, as well as avoid data exfiltration from your VNet.

+For instructions on how to set up Private Link for Azure Digital Twins, see [Enable private access with Private Link](how-to-enable-private-link.md).

+>[!NOTE]

+> Private network access with Azure Private Link applies to accessing Azure Digital Twins through its rest APIs. This feature does not apply to egress scenarios using Azure Digital Twins's [event routing](concepts-route-events.md) feature.

+You can configure your Azure Digital Twins instance to deny all public connections and allow only connections through private access endpoints to enhance the network security. This action is done with a *public network access flag*.

+To retrieve multiple twins using a single API call, see the Query API examples in [Query the twin graph](how-to-query-graph.md).

+Once you're done writing your models, see how to upload them (and do other management operations) with the Azure Digital Twins Models APIs:

+The article contains sample queries that illustrate the query language structure and common query operations for digital twins. It also describes how to run your queries after you've written them, using the [Azure Digital Twins Query API](/rest/api/digital-twins/dataplane/query) or an [SDK](concepts-apis-sdks.md#data-plane-apis).

+Next, edit the collection you've created to configure some access details. Highlight the collection you've created and select the **View more actions** icon to display action options. Select **Edit**.

+1. Set the Type to **OAuth 2.0** and paste your access token into the Access Token box. You must use the correct token for the type of API you're using, as there are different tokens for data plane APIs versus control plane APIs. Select **Save**.

+ > You can choose to turn on token sharing if you want to store the token with the request on Postman cloud, and potentially share your token with others.

+To proceed with an example query, this article will use the [Azure Digital Twins Query API](/rest/api/digital-twins/dataplane/query/querytwins) to query for all the digital twins in an instance.

+Azure Digital Twins provides a powerful [query APIΓÇï](/rest/api/digital-twins/dataplane/query) to help you extract insights from the live execution environment. The API can query with extensive search conditions, including property values, relationships, relationship properties, model information, and more. You can also combine queries, gathering a broad range of insights about your environment and answering custom questions that are important to you. For more details about the language used to craft these queries, see [Query language](concepts-query-language.md).

+| **Chennai** | Tata Communications | 2 | South India | Supported | BSNL, DE-CIX, Global CloudXchange (GCX), Lightstorm, SIFY, Tata Communications, VodafoneIdea |

+| **Chicago** | [Equinix CH1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/chicago-data-centers/ch1/) | 1 | North Central US | Supported | Aryaka Networks, AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Cologix, Colt, Comcast, Coresite, Equinix, InterCloud, Internet2, Level 3 Communications, Megaport, PacketFabric, PCCW Global Limited, Sprint, Tata Communications, Telia Carrier, Verizon, Zayo |

+| **Chicago2** | [CoreSite CH1](https://www.coresite.com/data-center/ch1-chicago-il) | 1 | North Central US | Supported | CoreSite, DE-CIX |

+| **Doha** | [MEEZA MV2](https://www.meeza.net/services/data-centre-services/) | 3 | Qatar Central | Supported | Ooredoo Cloud Connect |

+| **Doha2** | [Ooredoo](https://www.ooredoo.qa/portal/OoredooQatar/b2b-data-centre) | 3 | Qatar Central | Supported | Ooredoo Cloud Connect |

+| **Frankfurt2** | [Equinix FR7](https://www.equinix.com/locations/europe-colocation/germany-colocation/frankfurt-data-centers/fr7/) | 1 | Germany West Central | Supported | DE-CIX, Deutsche Telekom AG, Equinix, InterCloud |

+| **Hong Kong2** | [iAdvantage MEGA-i](https://www.iadvantage.net/index.php/locations/mega-i) | 2 | East Asia | Supported | China Mobile International, China Telecom Global, Deutsche Telekom AG, Equinix, iAdvantage, Megaport, PCCW Global Limited, SingTel |

+| **Kuala Lumpur** | [TIME dotCom Menara AIMS](https://www.time.com.my/enterprise/connectivity/direct-cloud) | 2 | n/a | n/a | DE-CIX, TIME dotCom |

+| **London** | [Equinix LD5](https://www.equinix.com/locations/europe-colocation/united-kingdom-colocation/london-data-centers/ld5/) | 1 | UK South | Supported | AT&T NetBond, Bezeq International, British Telecom, CenturyLink, Colt, Equinix, euNetworks, Intelsat, InterCloud, Internet Solutions - Cloud Connect, Interxion, Jisc, Level 3 Communications, Megaport, MTN, NTT Communications, Orange, PCCW Global Limited, Tata Communications, Telehouse - KDDI, Telenor, Telia Carrier, Verizon, Vodafone, Zayo |

+| **London2** | [Telehouse North Two](https://www.telehouse.net/data-centres/emea/uk-data-centres/london-data-centres/north-two) | 1 | UK South | Supported | BICS, British Telecom, CenturyLink Cloud Connect, Colt, Equinix, GTT, Interxion, IX Reach, JISC, Megaport, NTT Global DataCenters EMEA, Ooredoo Cloud Connect, Orange, SES, Sohonet, Telehouse - KDDI, Zayo |

+| **Los Angeles** | [CoreSite LA1](https://www.coresite.com/data-centers/locations/los-angeles/one-wilshire) | 1 | n/a | Supported | CoreSite, Cloudflare, Equinix*, Megaport, Neutrona Networks, NTT, Zayo</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* |

+| **Los Angeles2** | [Equinix LA1](https://www.equinix.com/locations/americas-colocation/united-states-colocation/los-angeles-data-centers/la1/) | 1 | n/a | Supported | Equinix, PacketFabric |

+| **New York** | [Equinix NY5](https://www.equinix.com/locations/americas-colocation/united-states-colocation/new-york-data-centers/ny5/) | 1 | n/a | Supported | CenturyLink Cloud Connect, Coresite, Crown Castle, DE-CIX, Equinix, InterCloud, Lightpath, Megaport, NTT Communications, Packet, Zayo |

+| **Perth** | [NextDC P1](https://www.nextdc.com/data-centres/p1-perth-data-centre) | 2 | n/a | Supported | Equinix, Megaport, NextDC |

+| **Phoenix** | [EdgeConneX PHX01](https://www.edgeconnex.com/locations/north-america/phoenix-az/) | 1 | West US 3 | Supported | Cox Business Cloud Port, CenturyLink Cloud Connect, DE-CIX, Megaport, Zayo |

+| **Pune** | [STT GDC Pune DC1](https://www.sttelemediagdc.in/our-data-centres-in-india) | 2 | Central India| Supported | Lightstorm, Tata Communications |

+| **Singapore** | [Equinix SG1](https://www.equinix.com/data-centers/asia-pacific-colocation/singapore-colocation/singapore-data-center/sg1) | 2 | Southeast Asia | Supported | Aryaka Networks, AT&T NetBond, British Telecom, China Mobile International, Epsilon Global Communications, Equinix, InterCloud, Level 3 Communications, Megaport, NTT Communications, Orange, PCCW Global Limited, SingTel, Tata Communications, Telstra Corporation, Verizon, Vodafone |

+| **Stavanger** | [Green Mountain DC1](https://greenmountain.no/dc1-stavanger/) | 1 | Norway West | Supported |GlobalConnect, Megaport, Telenor |

+| **Tokyo3** | [NEC](https://www.nec.com/en/global/solutions/cloud/inzai_datacenter.html) | 2 | Japan East | Supported | NEC, SCSK |

+| **Washington DC** | [Equinix DC2](https://www.equinix.com/locations/americas-colocation/united-states-colocation/washington-dc-data-centers/dc2/), [Equinix DC6](https://www.equinix.com/data-centers/americas-colocation/united-states-colocation/washington-dc-data-centers/dc6) | 1 | East US, East US 2 | Supported | Aryaka Networks, AT&T NetBond, British Telecom, CenturyLink Cloud Connect, Cologix, Colt, Comcast, Coresite, Cox Business Cloud Port, Equinix, Internet2, InterCloud, Iron Mountain, IX Reach, Level 3 Communications, Lightpath, Megaport, Neutrona Networks, NTT Communications, Orange, PacketFabric, SES, Sprint, Tata Communications, Telia Carrier, Verizon, Zayo |

+| **[Bezeq International](https://selfservice.bezeqint.net/english)** | Supported | Supported | London |

+| **Cloudflare** |Supported |Supported | Los Angeles |

+| **Crown Castle** |Supported |Supported | New York |

+| **[DE-CIX](https://www.de-cix.net/en/de-cix-service-world/cloud-exchange/find-a-cloud-service/detail/microsoft-azure)** | Supported |Supported | Amsterdam2, Chennai, Chicago2, Dallas, Dubai2, Frankfurt, Frankfurt2, Kuala Lumpur, Madrid, Marseille, Mumbai, Munich, New York, Phoenix, Singapore2 |

+| **[Deutsche Telekom AG](https://www.t-systems.com/de/en/cloud-services/managed-platform-services/azure-managed-services/cloudconnect-for-azure)** | Supported |Supported | Frankfurt2, Hong Kong2 |

+| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Supported | Amsterdam, Amsterdam2, Atlanta, Berlin, Bogota, Canberra2, Chicago, Dallas, Dubai2, Dublin, Frankfurt, Frankfurt2, Geneva, Hong Kong SAR, Hong Kong2, London, London2, Los Angeles*, Los Angeles2, Melbourne, Miami, Milan, New York, Osaka, Paris, Paris2, Perth, Quebec City, Rio de Janeiro, Sao Paulo, Seattle, Seoul, Silicon Valley, Singapore, Singapore2, Stockholm, Sydney, Tokyo, Tokyo2, Toronto, Washington DC, Zurich</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* |

+| **[InterCloud](https://www.intercloud.com/)** |Supported |Supported | Amsterdam, Chicago, Dallas, Frankfurt, Frankfurt2, Geneva, Hong Kong, London, New York, Paris, Sao Paulo, Silicon Valley, Singapore, Tokyo, Washington DC, Zurich |

+| **[Interxion](https://www.interxion.com/why-interxion/colocate-with-the-clouds/Microsoft-Azure/)** |Supported |Supported | Amsterdam, Amsterdam2, Copenhagen, Dublin, Dublin2, Frankfurt, London, London2, Madrid, Marseille, Paris, Stockholm, Zurich |

+| **KDDI** | Supported |Supported | Osaka, Tokyo, Tokyo2 |

+| **Lightpath** |Supported |Supported | New York, Washington DC |

+| **Lightstorm** |Supported |Supported | Pune, Chennai |

+| **NEC** |Supported |Supported | Tokyo3 |

+| **[NETSG](https://www.netsg.co/dc-cloud/cloud-and-dc-interconnect/)** |Supported |Supported | Melbourne, Sydney2 |

+| **[NTT Communications](https://www.ntt.com/en/services/network/virtual-private-network.html)** |Supported |Supported | Amsterdam, Hong Kong SAR, London, Los Angeles, New York, Osaka, Singapore, Sydney, Tokyo, Washington DC |

+| **[Ooredoo Cloud Connect](https://www.ooredoo.com.kw/portal/en/b2bOffConnAzureExpressRoute)** |Supported |Supported | Doha, Doha2, London2, Marseille |

+| **[PacketFabric](https://www.packetfabric.com/cloud-connectivity/microsoft-azure)** |Supported |Supported | Amsterdam, Chicago, Dallas, Denver, Las Vegas, London, Los Angeles2, Miami, New York, Silicon Valley, Toronto, Washington DC |

+| **[PCCW Global Limited](https://consoleconnect.com/clouds/#azureRegions)** |Supported |Supported | Chicago, Hong Kong, Hong Kong2, London, Singapore, Singapore2, Tokyo2 |

+| **[Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/)** |Supported |Supported | Amsterdam, Chennai, Chicago, Hong Kong SAR, London, Mumbai, Pune, Sao Paulo, Silicon Valley, Singapore, Washington DC |

+| **Telenor** |Supported |Supported | Amsterdam, London, Oslo, Stavanger |

+Organizations can use Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 100 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.

+In this step, you'll create the Azure Front Door profile that your two App services will use as your origin.

+In this step, you'll create two web app instances that run in different Azure regions for this tutorial. Both the web application instances run in Active/Active mode, so either one can service traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover.

+Once the app service plans have been created, run [az webapp create](/cli/azure/webapp#az-webapp-create) to create a web app in each of the app service plans in the previous step. Web app names have to be globally unique.

+In this step, you'll create an endpoint in your Front Door profile. In Front Door Standard/Premium, an *endpoint* is a logical grouping of one or more routes that are associated with domain names. Each endpoint is assigned a domain name by Front Door, and you can associate endpoints with custom domains by using routes. Front Door profiles can also contain multiple endpoints.

+Run [az afd endpoint create](/cli/azure/afd/endpoint#az-afd-endpoint-create) to create an endpoint in your profile.

+For more information about endpoints in Front Door, please read [Endpoints in Azure Front Door](/azure/frontdoor/endpoint).

+You'll now create an origin group that will define the traffic and expected responses for your app instances. Origin groups also define how origins should be evaluated by health probes, which you'll also define in this step.

+You'll now add both of your app instances created earlier as origins to your new origin group. Origins in Front Door refers to applications that Front Door will retrieve contents from when caching isn't enabled or when a cache gets missed.

+Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to add your first app instance as an origin to your origin group.

+Repeat this step and add your second app instances as an origin to your origin group.

+For more information about origins, origin groups and health probes, please read [Origins and origin groups in Azure Front Door](/azure/frontdoor/origin)

+You'll now add a route to map the endpoint that you created earlier to the origin group. This route forwards requests from the endpoint to your origin group.

+Run [az afd route create](/cli/azure/afd/route#az-afd-route-create) to map your endpoint to the origin group.

+To learn more about routes in Azure Front Door, please read [Traffic routing methods to origin](/azure/frontdoor/routing-methods).

+Azure Web Application Firewall (WAF) on Front Door provides centralized protection for your web applications, defending them against common exploits and vulnerabilities.

+In this tutorial, you'll create a WAF policy that adds two managed rules. You can also create WAF policies with custom rules

+To learn more about WAF policy settings for Front Door, please read [Policy settings for Web Application Firewall on Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings).

+Azure-managed rule sets provide an easy way to protect your application against common security threats.

+To learn more about managed rules in Front Door, please read [Web Application Firewall DRS rule groups and rules](/azure/web-application-firewall/afds/waf-front-door-drs).

+You'll now apply these two WAF polcies to your Front Door by creating a security policy. This will apply the Azure-managed rules to the endpoint that you defined earlier.

+In this quickstart, you'll learn how to create an Azure Front Door profile using the Azure portal. You can create an Azure Front Door profile through *Quick create* with basic configurations or through the *Custom create* which allows a more advanced configuration.

+With *Custom create*, you deploy two App services. Then, you create the Azure Front Door profile using the two App services as your origin. Lastly, you'll verify connectivity to your App services using the Azure Front Door frontend hostname.

+In the previous tutorial, you created an Azure Front Door profile through *Quick create*, which created your profile with basic configurations.

+You'll now create an Azure Front Door profile using *Custom create* and deploy two App services that your Azure Front Door profile will use as your origin.

+In this example, we create two Web App instances that are deployed in two different Azure regions. Both web application instances will run in *Active/Active* mode, so either one can service incoming traffic. This configuration differs from an *Active/Stand-By* configuration, where one acts as a failover.

+1. After you create the first Web App, create a second Web App. Use the same settings as above, except for the following settings:

+Configure Azure Front Door to direct user traffic based on lowest latency between the two Web Apps origins. You'll also secure your Azure Front Door with a Web Application Firewall (WAF) policy.

+ > [!WARNING]

+ > Deleting the new profile will delete the production configuration once the **Migrate** step is initiated, which is an irreversible change.

+description: Set up TLS encryption for communication between Kafka clients and Kafka brokers, Set up SSL authentication of clients.

+1. On each of the worker nodes, execute the following steps using the code snippet.

+ > [!Note]

+ > FQDN_WORKER_NODE is Fully Qualified Domain Name of worker node machine.You can get that details from /etc/hosts file in head node

+

+ For example,

+ ```

+ wn0-espkaf.securehadooprc.onmicrosoft.com

+ wn0-kafka2.zbxwnwsmpcsuvbjqbmespcm1zg.bx.internal.cloudapp.net

+ ```

+ :::image type="content" source="./media/apache-kafka-ssl-encryption-authentication/etc-hosts.png" alt-text="Screenshot showing etc hosts output." border="true":::

+

+1. On the CA machine, run the following command to create ca-cert and ca-key files:

+1. Under **Custom kafka-broker** set the **ssl.client.auth** property to `required`.

+

+ > [!Note]

+ > Note: This step is only required if you are setting up authentication and encryption.

+

+1. Here's the screenshot that shows Ambari configuration UI with these changes.

+ For HDI version 4.0 or 5.0

+1. Start the admin client with producer and consumer options to verify that both producers and consumers are working on port 9093. Refer to [Verification](apache-kafka-ssl-encryption-authentication.md#verification) section for steps needed to verify the setup using console producer/consumer.

+The details of each step are given.

+* **FHIR SMART User**: Role allows to read and write FHIR data according to the SMART IG V1.0.0 specifications.

+ Title: How to use IotJsonPathContentTemplate mappings in the MedTech service device mappings - Azure Health Data Services

+description: This article describes how to use IotJsonPathContentTemplate mappings with the MedTech service device mappings.

+This article describes how to use IoTJsonPathContentTemplate mappings with the MedTech service [device mappings](how-to-configure-device-mappings.md).

+The assumption, when using this template, is the device messages being evaluated were sent using the [Azure IoT Hub Device SDKs](../../iot-hub/iot-hub-devguide-sdks.md#azure-iot-hub-device-sdks) or [Export Data (legacy)](../../iot-central/core/howto-export-data-legacy.md) feature of [Azure IoT Central](../../iot-central/core/overview-iot-central.md).

+ * A valid device message.

+ * An example of what the device message will look like after being received and processed by the IoT hub.

+ * Conforming and valid MedTech service device mappings for normalizing the device message after IoT hub processing.

+**A valid device message to send to your IoT hub.**

+**An example of what the device message will look like after being received and processed by the IoT hub.**

+**Conforming and valid MedTech service device mappings for normalizing device message data after IoT Hub processing.**

+**A valid IoT device message to send to your IoT hub.**

+**An example of what the device message will look like after being received and processed by the IoT hub.**

+> The IoT hyub enriches the device message before sending it to the MedTech service device event hub with all properties starting with `iothub`. For example: `iothub-creation-time-utc`.

+**Conforming and valid MedTech service device mappings for normalizing the device message after IoT hub processing.**

+> The IotJsonPathContentTemplate device mapping examples provided in this article may be combined into a single MedTech service device mappings as shown.

+> Additionally, the IotJasonPathContentTemplate can also be combined with with other template types such as [JsonPathContentTemplate mappings](how-to-use-jsonpath-content-mappings.md) to further expand your MedTech service device mapping.

+**Combined heart rate and blood pressure MedTech service device mappings example.**

+The IoT extension for the Azure CLI provides the [`compute-device-key`](/cli/azure/iot/dps/enrollment-group#az-iot-dps-enrollment-group-compute-device-key) command for generating derived device keys. This command can be used from Windows-based or Linux systems, in PowerShell or a Bash shell.

+az iot dps enrollment-group compute-device-key --key 8isrFI1sGsIlvvFSSFRiMfCNzv21fjbE/+ah/lSh3lF8e2YG1Te7w1KpZhJFFXJrqYKi9yegxkqIChbqOS9Egw== --registration-id sn-007-888-abc-mac-a1-b2-c3-d4-e5-f6

+| runtime.settings.registryCredentials.{registryId}.username | The username of the container registry. For Azure Container Registry, the username is usually the registry name.<br><br>Registry credentials are necessary for any private module images. | No |

+| runtime.settings.registryCredentials.{registryId}.password | The password for the container registry. | No |

+| runtime.settings.registryCredentials.{registryId}.address | The address of the container registry. For Azure Container Registry, the address is usually *{registry name}.azurecr.io*. | No |

+| systemModules.edgeAgent.startupOrder | An integer value for which spot a module has in the startup order. 0 is first and max integer (4294967295) is last. If a value isn't provided, the default is max integer. | No |

+| systemModules.edgeAgent.settings.createOptions | A stringified JSON containing the options for the creation of the IoT Edge agent container. [Docker create options](https://docs.docker.com/engine/api/v1.32/#operation/ContainerCreate) | No |

+| systemModules.edgeHub.settings.createOptions | A stringified JSON containing the options for the creation of the IoT Edge hub container. [Docker create options](https://docs.docker.com/engine/api/v1.32/#operation/ContainerCreate) | No |

+| systemModules.edgeAgent.exitCode | The exit code reported by the IoT Edge agent container if the container exits |

+| systemModules.edgeAgent.lastStartTimeUtc | Time when IoT Edge agent was last started |

+| systemModules.edgeAgent.lastExitTimeUtc | Time when IoT Edge agent last exited |

+| systemModules.edgeHub.lastStartTimeUtc | Time when IoT Edge hub was last started |

+| modules.{moduleId}.lastStartTimeUtc | Time when the module was last started |

+This article shows you how to use the [Azure IoT Tools for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) to create an Azure IoT hub. You can create one without an existing IoT project or create one from an existing IoT project.

+- [Azure IoT Tools](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) installed for Visual Studio Code

+* [See the Azure IoT Hub for VS Code wiki page](https://github.com/microsoft/vscode-azure-iot-toolkit/wiki).

+* [Azure IoT Tools for VS Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) or copy and paste this URL into a browser window: `vscode:extension/vsciot-vscode.azure-iot-toolkit`

+1. In a terminal window on your development machine, navigate to the root folder of the sample Node.js project that you downloaded. Then navigate to the **iot-hub\Tutorials\ConnectivityTests** folder.

+1. In the terminal window, run the following commands to install the required libraries and run the simulated device application. Use the device connection string you made a note of when you registered the device.

+ ```cmd/sh

+ npm install

+ node SimulatedDevice-1.js "{your_device_connection_string}"

+ ```

+ The terminal window displays a success message once it connects to your hub:

+ :::image type="content" source="media/tutorial-connectivity/sim-1-connected.png" alt-text="Screenshot that shows the simulated device connecting.":::

+1. To reset the primary device key for your device, run the [az iot hub device-identity update](/cli/azure/iot/hub/device-identity#az-iot-hub-device-identity-update) command:

+ ```azurecli-interactive

+ # Generate a new Base64 encoded key using the current date

+ read key < <(date +%s | sha256sum | base64 | head -c 32)

+ # Reset the primary device key for test device

+ az iot hub device-identity update --device-id {your_device_id} --set authentication.symmetricKey.primaryKey=$key --hub-name {your_iot_hub_name}

+ ```

+1. In the terminal window on your development machine, run the simulated device application again:

+ ```cmd/sh

+ npm install

+ node SimulatedDevice-1.js "{your_device_connection_string}"

+ ```

+ This time you see an authentication error when the application tries to connect:

+ :::image type="content" source="media/tutorial-connectivity/sim-1-fail.png" alt-text="Screenshot that shows the connection failing after the key reset.":::

+### Generate a shared access signature (SAS) token

+1. Run the [az iot hub genereate-sas-token](/cli/azure/iot/hub#az-iot-hub-generate-sas-token) command to generate a known-good SAS token using the CLI:

+ ```azurecli-interactive

+ az iot hub generate-sas-token --device-id {your_device_id} --hub-name {your_iot_hub_name}

+ ```

+1. Copy the full text of the generated SAS token. A SAS token looks like the following example: `SharedAccessSignature sr=tutorials-iot-hub.azure-devices.net%2Fdevices%2FmyDevice&sig=xxxxxx&se=111111`

+1. In a terminal window on your development machine, navigate to the root folder of the sample Node.js project you downloaded. Then navigate to the **iot-hub\Tutorials\ConnectivityTests** folder.

+1. In the terminal window, run the following commands to install the required libraries and run the simulated device application:

+ ```cmd/sh

+ npm install

+ node SimulatedDevice-2.js "{Your SAS token}"

+ ```

+ The terminal window displays a success message once it connects to your hub using the SAS token:

+ :::image type="content" source="media/tutorial-connectivity/sim-2-connected.png" alt-text="Screenshot that shows a successful connection using a SAS token.":::

+### Send device-to-cloud messages

+1. Since we reset the connection string for your device in the previous section, use the [az iot hub device-identity connection-string show](/cli/azure/iot/hub/device-identity/connection-string#az-iot-hub-device-identity-connection-string-show) command to retrieve the updated connection string:

+ ```azurecli-interactive

+ az iot hub device-identity connection-string show --device-id {your_device_id} --output table --hub-name {your_iot_hub_name}

+ ```

+1. To run a simulated device that sends messages, navigate to the **iot-hub\Tutorials\ConnectivityTests** folder in the code you downloaded.

+1. In the terminal window, run the following commands to install the required libraries and run the simulated device application:

+ ```cmd/sh

+ npm install

+ node SimulatedDevice-3.js "{your_device_connection_string}"

+ ```

+ The terminal window displays information as it sends telemetry to your hub:

+ :::image type="content" source="media/tutorial-connectivity/sim-3-sending.png" alt-text="Screenshot that shows the simulated device sending messages.":::

+### Monitor incoming messages

+You can use **Metrics** in the portal to verify that the telemetry messages are reaching your IoT hub.

+1. In the [Azure portal](https://portal.azure.com), select your IoT hub in the **Resource** drop-down.

+1. Select **Metrics** from the **Monitoring** section of the navigation menu.

+1. Select **Telemetry messages sent** as the metric, and set the time range to **Past hour**. The chart shows the aggregate count of messages sent by the simulated device:

+ :::image type="content" source="media/tutorial-connectivity/metrics-portal.png" alt-text="Screenshot showing left pane metrics." border="true":::

+1. In a terminal window, use the following command to run the simulated device application:

+ ```cmd/sh

+ node SimulatedDevice-3.js "{your_device_connection_string}"

+ ```

+1. In a separate window, use the [az iot hub invoke-device-method](/cli/azure/iot/hub#az-iot-hub-invoke-device-method) command to call a direct method on the device:

+ ```azurecli-interactive

+ az iot hub invoke-device-method --device-id {your_device_id} --method-name TestMethod --timeout 10 --method-payload '{"key":"value"}' --hub-name {your_iot_hub_name}

+ ```

+ The simulated device prints a message to the console when it receives a direct method call:

+ :::image type="content" source="media/tutorial-connectivity/receive-method-call.png" alt-text="Screenshot that shows the device confirming that the direct method was received.":::

+ When the simulated device successfully receives the direct method call, it sends an acknowledgment back to the hub:

+ :::image type="content" source="media/tutorial-connectivity/method-acknowledgement.png" alt-text="Screenshot showing that the device returns a direct method acknowledgment.":::

+1. In a terminal window, use the following command to run the simulated device application:

+ ```cmd/sh

+ node SimulatedDevice-3.js "{your_device_connection_string}"

+ ```

+1. In a separate window, run the [az iot hub device-twin show](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-show) command to verify that the hub received the reported properties from the device:

+ ```azurecli-interactive

+ az iot hub device-twin show --device-id {your_device_id} --hub-name {your_iot_hub_name}

+ ```

+ In the output from the command, you can see the **devicelaststarted** property in the reported properties section. This property shows the date and time you last started the simulated device.

+ :::image type="content" source="media/tutorial-connectivity/reported-properties.png" alt-text="Screenshot showing the reported properties of a device.":::

+1. To verify that the hub can send desired property values to the device, use the [az iot hub device-twin update](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-update) command:

+ ```azurecli-interactive

+ az iot hub device-twin update --set properties.desired='{"mydesiredproperty":"propertyvalue"}' --device-id {your_device_id} --hub-name {your_iot_hub_name}

+ ```

+ The simulated device prints a message when it receives a desired property update from the hub:

+ :::image type="content" source="media/tutorial-connectivity/desired-properties.png" alt-text="Screenshot that shows the device confirming that the desired properties update was received.":::

+- [Azure Key Vault certificate renewal frequently asked questions](faq.yml)

+ A Business Rules Engine policy is another kind of artifact that you can share across BizTalk Server applications deployed within the same [BizTalk group](/biztalk/core/biztalk-groups). If you have common Business Rules Engine rules, for example, related to message routing, you can manage these rules in one location and share them widely across installed BizTalk applications. The Business Rules Engine caches these rules, so if you make any updates to these rules, you must restart the Business Rules Engine Update Service. Otherwise, the changes are picked up in the next [Cache Timeout](/biztalk/core/rule-engine-configuration-and-tuning-parameters).

+1. To create a project, select **Add project**. Give the project an appropriate name. The project name can't be reused, even if the project is deleted in future.

+* How to label the object if there's no clear boundary of the object?

+* How to label the object that isn't the object class of interest but visually similar to an interested object type?

+The **ML-assisted labeling** page lets you trigger automatic machine learning models to accelerate labeling tasks. Medical images (".dcm") aren't included in assisted labeling.

+The exact number of labeled data necessary to start assisted labeling isn't a fixed number. This number can vary significantly from one labeling project to another. For some projects, is sometimes possible to see prelabel or cluster tasks after 300 items have been manually labeled. ML Assisted Labeling uses a technique called *Transfer Learning*, which uses a pre-trained model to jump-start the training process. If your dataset's classes are similar to those in the pre-trained model, pre-labels may be available after only a few hundred manually labeled items. If your dataset is significantly different from the data used to pre-train the model, it may take much longer.

+After some labels are submitted, the machine learning model for classification starts to group together similar items. These similar images are presented to the labelers on the same screen to speed up manual tagging. Clustering is especially useful when the labeler is viewing a grid of 4, 6, or 9 images.

+Once a machine learning model has been trained on your manually labeled data, the model is truncated to its last fully connected layer. Unlabeled images are then passed through the truncated model in a process commonly known as "embedding" or "featurization." This process embeds each image in a high-dimensional space defined by this model layer. Images that are nearest neighbors in the space are used for clustering tasks.

+The clustering phase doesn't appear for object detection models, or for text classification.

+The progress chart shows how many items have been labeled, skipped, in need of review, or not yet done. Hover over the chart to see the number of items in each section.

+The middle section shows the queue of tasks yet to be assigned. When ML assisted labeling is off, this section shows the number of manual tasks to be assigned. When ML assisted labeling is on, this section will also show:

+1. Under **Labeled datapoints**, select **Consensus labels in need of review**. This shows only those images where a consensus wasn't achieved among the labelers.

+* Change settings for ML assisted labeling, and kick off a labeling task

+## Start an ML assisted labeling task

+ * [COCO format](http://cocodataset.org/#format-data). The COCO file is created in the default blob store of the Azure Machine Learning workspace in a folder within *Labeling/export/coco*.

+Once you've exported your labeled data to an Azure Machine Learning dataset, you can use AutoML to build computer vision models trained on your labeled data. Learn more at [Set up AutoML to train computer vision models with Python](how-to-auto-train-image-models.md)

+For training the text DNN model used by ML-assist, the input text per training example will be limited to approximately the first 128 words in the document. For tabular input, all text columns are first concatenated before applying this limit. This is a practical limit imposed to allow for the model training to complete in a timely manner. The actual text in a document (for file input) or set of text columns (for tabular input) can exceed 128 words. The limit only pertains to what is internally used by the model during the training process.

+1. Under **Labeled datapoints**, select **Consensus labels in need of review**. This shows only those images where a consensus wasn't achieved among the labelers.

+* Change settings for ML assisted labeling, and kick off a labeling task

+## Start an ML assisted labeling task

+Additionally, you will need to:

+# [Azure CLI](#tab/cli)

+- Install the Azure CLI and the ml extension to the Azure CLI. For more information, see [Install, set up, and use the CLI (v2)](how-to-configure-cli.md).

+# [Python SDK](#tab/python)

+- Install the Azure Machine Learning SDK for Python

+

+ ```bash

+ pip install azure-ai-ml

+ ```

+### Connect to your workspace

+First, let's connect to Azure Machine Learning workspace where we are going to work on.

+# [Azure CLI](#tab/cli)

+```azurecli

+az account set --subscription <subscription>

+az configure --defaults workspace=<workspace> group=<resource-group> location=<location>

+```

+# [Python SDK](#tab/python)

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we'll connect to the workspace in which you'll perform deployment tasks.

+1. Import the required libraries:

+ ```python

+ from azure.ai.ml import MLClient, Input

+ from azure.ai.ml.entities import Model

+ from azure.ai.ml.constants import AssetTypes

+ from azure.identity import DefaultAzureCredential

+ ```

+2. Configure workspace details and get a handle to the workspace:

+ ```python

+ subscription_id = "<SUBSCRIPTION_ID>"

+ resource_group = "<RESOURCE_GROUP>"

+ workspace = "<AML_WORKSPACE_NAME>"

+

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+ ```

+> The compute cluster used to build Docker images needs to be able to access the package repositories that are used to train and deploy your models. You may need to add network security rules that allow access to public repos, [use private Python packages](how-to-use-private-python-packages.md), or use [custom Docker images](v1/how-to-train-with-custom-image.md) that already include the packages.

+Azure Machine Learning allows you to integrate with [Azure DevOps pipeline](/azure/devops/pipelines/) to automate the machine learning lifecycle. Some of the operations you can automate are:

+In this article, you learn about using Azure Machine Learning to set up an end-to-end MLOps pipeline that runs a linear regression to predict taxi fares in NYC. The pipeline is made up of components, each serving different functions, which can be registered with the workspace, versioned, and reused with various inputs and outputs. you're going to be using the [recommended Azure architecture for MLOps](/azure/architecture/data-guide/technology-choices/machine-learning-operations-v2) and [Azure MLOps (v2) solution accelerator](https://github.com/Azure/mlops-v2) to quickly setup an MLOps project in AzureML.

+- The [Terraform extension for Azure DevOps](https://marketplace.visualstudio.com/items?itemName=ms-devlabs.custom-terraform-tasks) if you're using Azure DevOps + Terraform to spin up infrastructure

+1. Copy the following bash commands to your computer and update the **projectName**, **subscriptionId**, and **environment** variables with the values for your project. If you're creating both a Dev and Prod environment, you'll need to run this script once for each environment, creating a service principal for each. This command will also grant the **Contributor** role to the service principal in the subscription provided. This is required for Azure DevOps to properly use resources in that subscription.

+1. Repeat **Step 3.** if you're creating service principals for Dev and Prod environments. For this demo, we'll be creating only one environment, which is Prod.

+6. Name the service connection **Azure-ARM-Prod**.

+7. Select **Grant access permission to all pipelines**, then select **Verify and Save**.

+ 

+1. Enter https://github.com/Azure/mlops-v2-ado-demo into the Clone URL field. Select import at the bottom of the page

+ 

+1. Under the Repos section, select **Repositories**. Select the repository you created in **Step 6.** Select the **Security** tab

+ 

+1. Open the **Pipelines** section in the left hand navigation pane and select on the 3 vertical dots next to the **Create Pipelines** button. Select **Manage Security**

+1. Go to your repository, `mlops-v2-ado-demo`, and select the **config-infra-prod.yml** file.

+ > [!IMPORTANT]

+ > Make sure you've selected the **main** branch of the repo.

+1. Select Commit and push code to get these values into the pipeline.

+ 

+1. Select the `main` branch and choose `mlops/devops-pipelines/cli-ado-deploy-infra.yml`, then select **Continue**.

+ 

+1. Select `main` as a branch and choose Managed Online Endpoint `/mlops/devops-pipelines/deploy-online-endpoint-pipeline.yml` then select **Continue**.

+1. Online endpoint names need to be unique, so change `taxi-online-$(namespace)$(postfix)$(environment)` to another unique name and then select **Run**. No need to change the default if it doesn't fail.

+ 

+See [this resource](./apache-spark-azure-ml-concepts.md) for more information about **Apache Spark in Azure Machine Learning** concepts.

+ Title: "Run batch endpoints from Azure Data Factory"

+# Run batch endpoints from Azure Data Factory

+| `endpoint_input_type` | The type of the input data you are providing. Currently batch endpoints support folders (`UriFolder`) and File (`UriFile`). Defaults to `UriFolder`. | `UriFolder` |

+| `endpoint_input_type` | The type of the input data you are providing. Currently batch endpoints support folders (`UriFolder`) and File (`UriFile`). Defaults to `UriFolder`. | `UriFolder` |

+To create this pipeline in your existing Azure Data Factory and invoke batch endpoints, follow these steps:

+1. Ensure the compute where the batch endpoint is running has permissions to mount the data Azure Data Factory is providing as input. Notice that access is still granted by the identity that invokes the endpoint (in this case Azure Data Factory). However, the compute where the batch endpoint runs needs to have permission to mount the storage account your Azure Data Factory provide. See [Accessing storage services](how-to-identity-based-service-authentication.md#accessing-storage-services) for details.

+### Data inputs

+* Only Azure Machine Learning data stores or Azure Storage Accounts (Azure Blob Storage, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2) are supported as inputs. If your input data is in another source, use the Azure Data Factory Copy activity before the execution of the batch job to sink the data to a compatible store.

+### Data outputs

+

+* Only registered Azure Machine Learning data stores are supported by the moment. We recommend you to register the storage account your Azure Data Factory is using as a Data Store in Azure Machine Learning. In that way, you will be able to write back to the same storage account from where you are reading.

+* Only Azure Blob Storage Accounts are supported for outputs. For instance, Azure Data Lake Storage Gen2 isn't supported as output in batch deployment jobs. If you need to output the data to a different location/sink, use the Azure Data Factory Copy activity after the execution of the batch job.

+## Next steps

+* [Use low priority VMs in batch deployments](how-to-use-low-priority-batch.md)

+* [Authorization on batch endpoints](how-to-authenticate-batch-endpoint.md)

+* [Network isolation in batch endpoints](how-to-secure-batch-endpoint.md)

+* [Train models with Azure Machine Learning](concept-train-machine-learning-model.md)

+> * [Visualize runs with TensorBoard](v1/how-to-monitor-tensorboard.md)

+See [this resource](./apache-spark-azure-ml-concepts.md) for more information about **Apache Spark in Azure Machine Learning** concepts.

+ * [Visualize runs with TensorBoard](how-to-monitor-tensorboard.md)

+* [Train with a custom Docker image](how-to-train-with-custom-image.md)

+ Title: Visualize experiments with TensorBoard

+description: Launch TensorBoard to visualize experiment job histories and identify potential areas for hyperparameter tuning and retraining.

+[//]: # (needs PM review; Do URL Links names change if it includes 'Run')

+# Visualize experiment jobs and metrics with TensorBoard and Azure Machine Learning

+In this article, you learn how to view your experiment jobs and metrics in TensorBoard using [the `tensorboard` package](/python/api/azureml-tensorboard/) in the main Azure Machine Learning SDK. Once you've inspected your experiment jobs, you can better tune and retrain your machine learning models.

+[TensorBoard](/python/api/azureml-tensorboard/azureml.tensorboard.tensorboard) is a suite of web applications for inspecting and understanding your experiment structure and performance.

+How you launch TensorBoard with Azure Machine Learning experiments depends on the type of experiment:

+> [!TIP]

+> The information in this document is primarily for data scientists and developers who want to monitor the model training process. If you are an administrator interested in monitoring resource usage and events from Azure Machine learning, such as quotas, completed training jobs, or completed model deployments, see [Monitoring Azure Machine Learning](../monitor-azure-machine-learning.md).

+## Prerequisites

+* To launch TensorBoard and view your experiment job histories, your experiments need to have previously enabled logging to track its metrics and performance.

+* The code in this document can be run in either of the following environments:

+ * Azure Machine Learning compute instance - no downloads or installation necessary

+ * Complete the [Quickstart: Get started with Azure Machine Learning](../quickstart-create-resources.md) to create a dedicated notebook server pre-loaded with the SDK and the sample repository.

+ * In the samples folder on the notebook server, find two completed and expanded notebooks by navigating to these directories:

+ * **SDK v1 > how-to-use-azureml > track-and-monitor-experiments > tensorboard > export-run-history-to-tensorboard > export-run-history-to-tensorboard.ipynb**

+ * **SDK v1 > how-to-use-azureml > track-and-monitor-experiments > tensorboard > tensorboard > tensorboard.ipynb**

+ * Your own Juptyer notebook server

+ * [Install the Azure Machine Learning SDK](/python/api/overview/azure/ml/install) with the `tensorboard` extra

+ * [Create an Azure Machine Learning workspace](../quickstart-create-resources.md).

+ * [Create a workspace configuration file](how-to-configure-environment-v1.md).

+## Option 1: Directly view job history in TensorBoard

+This option works for experiments that natively outputs log files consumable by TensorBoard, such as PyTorch, Chainer, and TensorFlow experiments. If that is not the case of your experiment, use [the `export_to_tensorboard()` method](#option-2-export-history-as-log-to-view-in-tensorboard) instead.

+The following example code uses the [MNIST demo experiment](https://raw.githubusercontent.com/tensorflow/tensorflow/r1.8/tensorflow/examples/tutorials/mnist/mnist_with_summaries.py) from TensorFlow's repository in a remote compute target, Azure Machine Learning Compute. Next, we will configure and start a job for training the TensorFlow model, and then

+start TensorBoard against this TensorFlow experiment.

+### Set experiment name and create project folder

+Here we name the experiment and create its folder.

+

+```python

+from os import path, makedirs

+experiment_name = 'tensorboard-demo'

+# experiment folder

+exp_dir = './sample_projects/' + experiment_name

+if not path.exists(exp_dir):

+ makedirs(exp_dir)

+```

+### Download TensorFlow demo experiment code

+TensorFlow's repository has an MNIST demo with extensive TensorBoard instrumentation. We do not, nor need to, alter any of this demo's code for it to work with Azure Machine Learning. In the following code, we download the MNIST code and save it in our newly created experiment folder.

+```python

+import requests

+import os

+tf_code = requests.get("https://raw.githubusercontent.com/tensorflow/tensorflow/r1.8/tensorflow/examples/tutorials/mnist/mnist_with_summaries.py")

+with open(os.path.join(exp_dir, "mnist_with_summaries.py"), "w") as file:

+ file.write(tf_code.text)

+```

+Throughout the MNIST code file, mnist_with_summaries.py, notice that there are lines that call `tf.summary.scalar()`, `tf.summary.histogram()`, `tf.summary.FileWriter()` etc. These methods group, log, and tag key metrics of your experiments into job history. The `tf.summary.FileWriter()` is especially important as it serializes the data from your logged experiment metrics, which allows for TensorBoard to generate visualizations off of them.

+ ### Configure experiment

+In the following, we configure our experiment and set up directories for logs and data. These logs will be uploaded to the job history, which TensorBoard accesses later.

+> [!Note]

+> For this TensorFlow example, you will need to install TensorFlow on your local machine. Further, the TensorBoard module (that is, the one included with TensorFlow) must be accessible to this notebook's kernel, as the local machine is what runs TensorBoard.

+```Python

+import azureml.core

+from azureml.core import Workspace

+from azureml.core import Experiment

+ws = Workspace.from_config()

+# create directories for experiment logs and dataset

+logs_dir = os.path.join(os.curdir, "logs")

+data_dir = os.path.abspath(os.path.join(os.curdir, "mnist_data"))

+if not path.exists(data_dir):

+ makedirs(data_dir)

+os.environ["TEST_TMPDIR"] = data_dir

+# Writing logs to ./logs results in their being uploaded to the job history,

+# and thus, made accessible to our TensorBoard instance.

+args = ["--log_dir", logs_dir]

+# Create an experiment

+exp = Experiment(ws, experiment_name)

+```

+### Create a cluster for your experiment

+We create an AmlCompute cluster for this experiment, however your experiments can be created in any environment and you are still able to launch TensorBoard against the experiment job history.

+```Python

+from azureml.core.compute import ComputeTarget, AmlCompute

+cluster_name = "cpu-cluster"

+cts = ws.compute_targets

+found = False

+if cluster_name in cts and cts[cluster_name].type == 'AmlCompute':

+ found = True

+ print('Found existing compute target.')

+ compute_target = cts[cluster_name]

+if not found:

+ print('Creating a new compute target...')

+ compute_config = AmlCompute.provisioning_configuration(vm_size='STANDARD_D2_V2',

+ max_nodes=4)

+ # create the cluster

+ compute_target = ComputeTarget.create(ws, cluster_name, compute_config)

+compute_target.wait_for_completion(show_output=True, min_node_count=None)

+# use get_status() to get a detailed status for the current cluster.

+# print(compute_target.get_status().serialize())

+```

+### Configure and submit training job

+Configure a training job by creating a ScriptRunConfig object.

+```Python

+from azureml.core import ScriptRunConfig

+from azureml.core import Environment

+# Here we will use the TensorFlow 2.2 curated environment

+tf_env = Environment.get(ws, 'AzureML-TensorFlow-2.2-GPU')

+src = ScriptRunConfig(source_directory=exp_dir,

+ script='mnist_with_summaries.py',

+ arguments=args,

+ compute_target=compute_target,

+ environment=tf_env)

+run = exp.submit(src)

+```

+### Launch TensorBoard

+You can launch TensorBoard during your run or after it completes. In the following, we create a TensorBoard object instance, `tb`, that takes the experiment job history loaded in the `job`, and then launches TensorBoard with the `start()` method.

+

+The [TensorBoard constructor](/python/api/azureml-tensorboard/azureml.tensorboard.tensorboard) takes an array of jobs, so be sure and pass it in as a single-element array.

+```python

+from azureml.tensorboard import Tensorboard

+tb = Tensorboard([job])

+# If successful, start() returns a string with the URI of the instance.

+tb.start()

+# After your job completes, be sure to stop() the streaming otherwise it will continue to run.

+tb.stop()

+```

+> [!Note]

+> While this example used TensorFlow, TensorBoard can be used as easily with PyTorch or Chainer. TensorFlow must be available on the machine running TensorBoard, but is not necessary on the machine doing PyTorch or Chainer computations.

+## Option 2: Export history as log to view in TensorBoard

+The following code sets up a sample experiment, begins the logging process using the Azure Machine Learning job history APIs, and exports the experiment job history into logs consumable by TensorBoard for visualization.

+### Set up experiment

+The following code sets up a new experiment and names the job directory `root_run`.

+```python

+from azureml.core import Workspace, Experiment

+import azureml.core

+# set experiment name and job name

+ws = Workspace.from_config()

+experiment_name = 'export-to-tensorboard'

+exp = Experiment(ws, experiment_name)

+root_run = exp.start_logging()

+```

+Here we load the diabetes dataset-- a built-in small dataset that comes with scikit-learn, and split it into test and training sets.

+```Python

+from sklearn.datasets import load_diabetes

+from sklearn.linear_model import Ridge

+from sklearn.metrics import mean_squared_error

+from sklearn.model_selection import train_test_split

+X, y = load_diabetes(return_X_y=True)

+columns = ['age', 'gender', 'bmi', 'bp', 's1', 's2', 's3', 's4', 's5', 's6']

+x_train, x_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=0)

+data = {

+ "train":{"x":x_train, "y":y_train},

+ "test":{"x":x_test, "y":y_test}

+}

+```

+### Run experiment and log metrics

+For this code, we train a linear regression model and log key metrics, the alpha coefficient, `alpha`, and mean squared error, `mse`, in run history.

+```Python

+from tqdm import tqdm

+alphas = [.1, .2, .3, .4, .5, .6 , .7]

+# try a bunch of alpha values in a Linear Regression (aka Ridge regression) mode

+for alpha in tqdm(alphas):

+ # create child runs and fit lines for the resulting models

+ with root_run.child_run("alpha" + str(alpha)) as run:

+

+ reg = Ridge(alpha=alpha)

+ reg.fit(data["train"]["x"], data["train"]["y"])

+

+ preds = reg.predict(data["test"]["x"])

+ mse = mean_squared_error(preds, data["test"]["y"])

+ # End train and eval

+# log alpha, mean_squared_error and feature names in run history

+ root_run.log("alpha", alpha)

+ root_run.log("mse", mse)

+```

+### Export jobs to TensorBoard

+With the SDK's [export_to_tensorboard()](/python/api/azureml-tensorboard/azureml.tensorboard.export) method, we can export the job history of our Azure machine learning experiment into TensorBoard logs, so we can view them via TensorBoard.

+In the following code, we create the folder `logdir` in our current working directory. This folder is where we will export our experiment job history and logs from `root_run` and then mark that job as completed.

+```Python

+from azureml.tensorboard.export import export_to_tensorboard

+import os

+logdir = 'exportedTBlogs'

+log_path = os.path.join(os.getcwd(), logdir)

+try:

+ os.stat(log_path)

+except os.error:

+ os.mkdir(log_path)

+print(logdir)

+# export job history for the project

+export_to_tensorboard(root_run, logdir)

+root_run.complete()

+```

+> [!Note]

+> You can also export a particular run to TensorBoard by specifying the name of the run `export_to_tensorboard(run_name, logdir)`

+### Start and stop TensorBoard

+Once our job history for this experiment is exported, we can launch TensorBoard with the [start()](/python/api/azureml-tensorboard/azureml.tensorboard.tensorboard#start-start-browser-false-) method.

+```Python

+from azureml.tensorboard import Tensorboard

+# The TensorBoard constructor takes an array of jobs, so be sure and pass it in as a single-element array here

+tb = Tensorboard([], local_root=logdir, port=6006)

+# If successful, start() returns a string with the URI of the instance.

+tb.start()

+```

+When you're done, make sure to call the [stop()](/python/api/azureml-tensorboard/azureml.tensorboard.tensorboard#stop--) method of the TensorBoard object. Otherwise, TensorBoard will continue to run until you shut down the notebook kernel.

+```python

+tb.stop()

+```

+## Next steps

+In this how-to you, created two experiments and learned how to launch TensorBoard against their job histories to identify areas for potential tuning and retraining.

+* If you are satisfied with your model, head over to our [How to deploy a model](how-to-deploy-and-where.md) article.

+* Learn more about [hyperparameter tuning](../how-to-tune-hyperparameters.md).

+> The compute cluster used to build Docker images needs to be able to access the package repositories that are used to train and deploy your models. You may need to add network security rules that allow access to public repos, [use private Python packages](how-to-use-private-python-packages.md), or use [custom Docker images](how-to-train-with-custom-image.md) that already include the packages.

+> Optionally, you can just capture all your dependencies directly in a custom Docker image or Dockerfile, and create your environment from that. For more information, see [Train with custom image](how-to-train-with-custom-image.md).

+> Optionally, you can just capture all your dependencies directly in a custom Docker image or Dockerfile, and create your environment from that. For more information, see [Train with custom image](how-to-train-with-custom-image.md).

+ Title: Train a model by using a custom Docker image

+description: Learn how to use your own Docker images, or curated ones from Microsoft, to train models in Azure Machine Learning.

+# Train a model by using a custom Docker image

+In this article, learn how to use a custom Docker image when you're training models with Azure Machine Learning. You'll use the example scripts in this article to classify pet images by creating a convolutional neural network.

+Azure Machine Learning provides a default Docker base image. You can also use Azure Machine Learning environments to specify a different base image, such as one of the maintained [Azure Machine Learning base images](https://github.com/Azure/AzureML-Containers) or your own [custom image](../how-to-deploy-custom-container.md). Custom base images allow you to closely manage your dependencies and maintain tighter control over component versions when running training jobs.

+## Prerequisites

+Run the code on either of these environments:

+* Azure Machine Learning compute instance (no downloads or installation necessary):

+ * Complete the [Quickstart: Get started with Azure Machine Learning](../quickstart-create-resources.md) tutorial to create a dedicated notebook server preloaded with the SDK and the sample repository.

+* Your own Jupyter Notebook server:

+ * Create a [workspace configuration file](../how-to-configure-environment.md#local-and-dsvm-only-create-a-workspace-configuration-file).

+ * Install the [Azure Machine Learning SDK](/python/api/overview/azure/ml/install).

+ * Create an [Azure container registry](../../container-registry/index.yml) or other Docker registry that's available on the internet.

+## Set up a training experiment

+In this section, you set up your training experiment by initializing a workspace, defining your environment, and configuring a compute target.

+### Initialize a workspace

+The [Azure Machine Learning workspace](../concept-workspace.md) is the top-level resource for the service. It gives you a centralized place to work with all the artifacts that you create. In the Python SDK, you can access the workspace artifacts by creating a [`Workspace`](/python/api/azureml-core/azureml.core.workspace.workspace) object.

+Create a `Workspace` object from the config.json file that you created as a [prerequisite](#prerequisites).

+```Python

+from azureml.core import Workspace

+ws = Workspace.from_config()

+```

+### Define your environment

+Create an `Environment` object.

+```python

+from azureml.core import Environment

+fastai_env = Environment("fastai2")

+```

+The specified base image in the following code supports the fast.ai library, which allows for distributed deep-learning capabilities. For more information, see the [fast.ai Docker Hub repository](https://hub.docker.com/u/fastdotai).

+When you're using your custom Docker image, you might already have your Python environment properly set up. In that case, set the `user_managed_dependencies` flag to `True` to use your custom image's built-in Python environment. By default, Azure Machine Learning builds a Conda environment with dependencies that you specified. The service runs the script in that environment instead of using any Python libraries that you installed on the base image.

+```python

+fastai_env.docker.base_image = "fastdotai/fastai2:latest"

+fastai_env.python.user_managed_dependencies = True

+```

+#### Use a private container registry (optional)

+To use an image from a private container registry that isn't in your workspace, use `docker.base_image_registry` to specify the address of the repository and a username and password:

+```python

+# Set the container registry information.

+fastai_env.docker.base_image_registry.address = "myregistry.azurecr.io"

+fastai_env.docker.base_image_registry.username = "username"

+fastai_env.docker.base_image_registry.password = "password"

+```

+#### Use a custom Dockerfile (optional)

+It's also possible to use a custom Dockerfile. Use this approach if you need to install non-Python packages as dependencies. Remember to set the base image to `None`.

+```python

+# Specify Docker steps as a string.

+dockerfile = r"""

+FROM mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210615.v1

+RUN echo "Hello from custom container!"

+"""

+# Set the base image to None, because the image is defined by Dockerfile.

+fastai_env.docker.base_image = None

+fastai_env.docker.base_dockerfile = dockerfile

+# Alternatively, load the string from a file.

+fastai_env.docker.base_image = None

+fastai_env.docker.base_dockerfile = "./Dockerfile"

+```

+>[!IMPORTANT]

+> Azure Machine Learning only supports Docker images that provide the following software:

+> * Ubuntu 18.04 or greater.

+> * Conda 4.7.# or greater.

+> * Python 3.7+.

+> * A POSIX compliant shell available at /bin/sh is required in any container image used for training.

+For more information about creating and managing Azure Machine Learning environments, see [Create and use software environments](../how-to-use-environments.md).

+### Create or attach a compute target

+You need to create a [compute target](concept-azure-machine-learning-architecture.md#compute-targets) for training your model. In this tutorial, you create `AmlCompute` as your training compute resource.

+Creation of `AmlCompute` takes a few minutes. If the `AmlCompute` resource is already in your workspace, this code skips the creation process.

+As with other Azure services, there are limits on certain resources (for example, `AmlCompute`) associated with the Azure Machine Learning service. For more information, see [Default limits and how to request a higher quota](../how-to-manage-quotas.md).

+```python

+from azureml.core.compute import ComputeTarget, AmlCompute

+from azureml.core.compute_target import ComputeTargetException

+# Choose a name for your cluster.

+cluster_name = "gpu-cluster"

+try:

+ compute_target = ComputeTarget(workspace=ws, name=cluster_name)

+ print('Found existing compute target.')

+except ComputeTargetException:

+ print('Creating a new compute target...')

+ compute_config = AmlCompute.provisioning_configuration(vm_size='STANDARD_NC6',

+ max_nodes=4)

+ # Create the cluster.

+ compute_target = ComputeTarget.create(ws, cluster_name, compute_config)

+ compute_target.wait_for_completion(show_output=True)

+# Use get_status() to get a detailed status for the current AmlCompute.

+print(compute_target.get_status().serialize())

+```

+>[!IMPORTANT]

+>Use CPU SKUs for any image build on compute.

+## Configure your training job

+For this tutorial, use the training script *train.py* on [GitHub](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/workflows/train/fastai/pets/src/train.py). In practice, you can take any custom training script and run it, as is, with Azure Machine Learning.

+Create a `ScriptRunConfig` resource to configure your job for running on the desired [compute target](how-to-set-up-training-targets.md).

+```python

+from azureml.core import ScriptRunConfig

+src = ScriptRunConfig(source_directory='fastai-example',

+ script='train.py',

+ compute_target=compute_target,

+ environment=fastai_env)

+```

+## Submit your training job

+When you submit a training run by using a `ScriptRunConfig` object, the `submit` method returns an object of type `ScriptRun`. The returned `ScriptRun` object gives you programmatic access to information about the training run.

+```python

+from azureml.core import Experiment

+run = Experiment(ws,'Tutorial-fastai').submit(src)

+run.wait_for_completion(show_output=True)

+```

+> [!WARNING]

+> Azure Machine Learning runs training scripts by copying the entire source directory. If you have sensitive data that you don't want to upload, use an [.ignore file](../concept-train-machine-learning-model.md#understand-what-happens-when-you-submit-a-training-job) or don't include it in the source directory. Instead, access your data by using a [datastore](/python/api/azureml-core/azureml.data).

+## Next steps

+In this article, you trained a model by using a custom Docker image. See these other articles to learn more about Azure Machine Learning:

+* [Track run metrics](../how-to-log-view-metrics.md) during training.

+* [Deploy a model](../how-to-deploy-custom-container.md) by using a custom Docker image.

+> This article uses the [`azureml.contrib.train.rl`](/python/api/azureml-contrib-reinforcementlearning/azureml.contrib.train.rl) package, which will no longer be supported after June 2022. We recommend customers instead use the [Ray on Azure Machine Learning library](https://github.com/microsoft/ray-on-aml) for reinforcement learning experiments with Azure Machine Learning. For an example, see the notebook [Reinforcement Learning in Azure Machine Learning - Pong problem](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/reinforcement-learning/atari-on-distributed-compute/pong_rllib.ipynb).

+ Title: Find help or open a support ticket for Azure Managed Grafana

+description: Learn how to find help or open a support ticket for Azure Managed Grafana

+# Find help or open a support ticket for Azure Managed Grafana

+In the page below, find out how you can get technical information about Azure Managed Grafana, look up answers to your questions or open a support ticket.

+## Find help without opening a support ticket

+Before creating a support ticket, check out the following resources for answers and information.

+* [Technical documentation for Azure Managed Grafana](/index.yml): find content such as how-to guides, tutorials and the [troubleshooting guide](troubleshoot-managed-grafana.md) for Azure Managed Grafana.

+* [Microsoft Q&A](/answers/tags/249/azure-managed-grafana): browse existing questions and answers, and ask your questions around Azure Managed Grafana.

+* [Microsoft Technical Community](https://techcommunity.microsoft.com/) is the place for IT professionals and customers to collaborate, share, and learn. The website contains [Grafana-related content](https://techcommunity.microsoft.com/t5/forums/searchpage/tab/message?q=grafana).

+## Open a support ticket

+If you're unable to find answers using the above self-help resources, open an online support ticket.

+### How to open a support ticket for Azure Managed Grafana in the Azure portal

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Open an Azure Managed Grafana instance.

+1. In the left menu, under **Support + troubleshooting**, select **New Support Request**.

+ :::image type="content" source="media/support/open-ticket.png" alt-text="Screenshot of how to find help and submit support ticket part 1.":::

+1. In the **1. Problem description** tab:

+ 1. For **Summary**, describe your issue.

+ 1. For **Issue type**, select **Technical**.

+ 1. For **Subscription**, select your Azure subscription.

+ 1. For **Service**, select **Azure Managed Grafana**.

+ 1. For **Resource**, select your resource.

+ 1. For **Problem type**, select a type of issue and then a subtype.

+ 1. Select **Next**.

+1. In the **2. Recommended solution** tab, read the recommended solution. If it doesn't resolve your problem, select the back arrow or close the solution with **X**, and then select **Next**.

+1. In the **3. Additional details** tab, fill out the required details. For example:

+ 1. Share the time and date when the problem occurred.

+ 1. Add more details to describe the problem.

+ 1. Optionally, add a screenshot or another file type under **File upload**

+ 1. Under **Advanced diagnostic information**, select **Yes (Recommended)** to allow Microsoft support to access your Azure resources for faster problem resolution.

+ 1. Select a **[Severity](https://azure.microsoft.com/support/plans/response)**, and your preferred contact method.

+ 1. Select your preferred **Support language**.

+ 1. Enter your **contact information**

+1. Select **Next**.

+1. Under **4. Review + create**, check that the summary of your support ticket is accurate and then select **Create** to open a support ticket, or select **Previous** to amend your submission.

+1. If the details of your support ticket are accurate, select **Create** to submit the support ticket. Otherwise, select **Previous** to make corrections.

+## Next steps

+> [!div class="nextstepaction"]

+> [Microsoft Q&A](/answers/tags/249/azure-managed-grafana)

+> [!div class="nextstepaction"]

+> [Troubleshooting](troubleshoot-managed-grafana.md)

+> [Support](./find-help-open-support-ticket.md)

+ - If either the _Per_ *vCPU* _size_ or _Per market and_ vCPU _size_ price input options are used, under **Pricing**, verify the price and make any necessary adjustments for the new vCPU sizes that have been added.

+ - If your price input option is set to _Free_, _Flat rate_, or _Per_ *vCPU*, go to step 7.

+Select **Select only Microsoft Tax** Remitted to select only countries/regions in which Microsoft remits sales and uses tax on your behalf. Publishing to China is limited to plans that are either *Free* or *Bring-your-own-license* (BYOL).

+For **Per** vCPU **size** and **Per market and** **vCPU** **size**, enter a **Price per** vCPU, and then select **Generate prices**. The tables of price/hour calculations are populated for you. You can then adjust the price per vCPU if you choose. If using the *Per market and* vCPU *size* pricing option, you can additionally customize the price/hour calculation tables for each market thatΓÇÖs selected for this plan.

+With data encryption with customer-managed keys for Azure Database for MySQL - Flexible Server, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and ultimately controls the key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys.

+- [Data encryption with Azure CLI](how-to-data-encryption-cli.md)

+- [Data encryption with Azure portal](how-to-data-encryption-portal.md)

+- [Active Directory authentication](concepts-azure-ad-authentication.md)

+> [!NOTE]

+> You must download this [SSL certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) for your servers in Azure Government cloud.

+This tutorial shows you how to set up and manage data encryption for your Azure Database for MySQL - Flexible Server using Azure CLI.

+- [Customer managed keys data encryption](concepts-customer-managed-key.md)

+- [Data encryption with Azure portal](how-to-data-encryption-portal.md)

+- [Customer managed keys data encryption](concepts-customer-managed-key.md)

+- [Data encryption with Azure CLI](how-to-data-encryption-cli.md)

+|[Netfosys](https://www.netfosys.com/azurewan)|||[Netfosys Managed Services for Azure vWAN](https://azuremarketplace.microsoft.com/en-ca/marketplace/apps/netfosys1637934664103.azure-vwan?tab=Overview)|||

+[Amdocs](https://www.amdocs.com/); [Cirrus Core Networks](https://cirruscorenetworks.com/); [Cognizant](https://www.cognizant.com/us/en/glossary/cloud-enablement); [InterCloud](https://intercloud.com/what-we-do/partners/microsoft-azure); [KINX](https://www.kinx.net/service/cloud/?lang=en); [OmniClouds](https://omniclouds.com/); [Sejong Telecom](https://www.sejongtelecom.net/en/pages/service/cloud_ms); [SES](https://www.ses.com/networks/cloud/ses-and-azure-expressroute);

+Sign up for the [Preview](https://go.microsoft.com/fwlink/?linkid=2223706).

+## Overview

+The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process customer data for our major commercial enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where customer data will continue to be transferred outside the EU Data Boundary. Notification Hubs meets the EU Data Boundary commitment to store and process customer data. For more information about how to configure services for use in the EU Data Boundary, [see the Azure EU Data Boundary documentation](/privacy/eudb/eu-data-boundary-learn).

+> [!IMPORTANT]

+> For complete details about Microsoft's EU Data Boundary commitment, [see the Azure EU Data Boundary documentation](/privacy/eudb/eu-data-boundary-learn).

+- **Dynatrace environment** - The Dynatrace environment on Dynatrace _Software as a Service_ (SaaS). When you create a new environment, the environment on Dynatrace SaaS is automatically created, in addition to the Dynatrace resource in Azure.

+ :::image type="content" source="media/dynatrace-create/dynatrace-search-marketplace.png" alt-text="Screenshot showing a search for Marketplace in the Azure portal.":::

+ :::image type="content" source="media/dynatrace-create/dynatrace-marketplace.png" alt-text="Screenshot showing the Azure Native Dynatrace Service offering.":::

+ :::image type="content" source="media/dynatrace-create/dynatrace-subscribe.png" alt-text="Screenshot showing Dynatrace in the working pane to create a subscription.":::

+1. When creating a Dynatrace resource, you see two options: one to create a new Dynatrace environment, and another to link Azure subscription to an existing Dynatrace environment. If you want to create a new Dynatrace environment, select **Create** action under the **Create a new Dynatrace environment** option.

+ :::image type="content" source="media/dynatrace-create/dynatrace-create-new-link-existing.png" alt-text="Screenshot showing two options: new Dynatrace or existing Dynatrace.":::

+ :::image type="content" source="media/dynatrace-create/dynatrace-basic-properties.png" alt-text="Screenshot of basic properties needed for new Dynatrace instance.":::

+ Provide the following values:

+ | **Subscription** | Select the Azure subscription you want to use for creating the Dynatrace resource. You must have owner or contributor access.|

+ | **Resource group** | Specify whether you want to create a new resource group or use an existing one. A [resource group](../../azure-resource-manager/management/overview.md) is a container that holds related resources for an Azure solution. |

+ | **Resource name** | Specify a name for the Dynatrace resource. This name will be the friendly name of the new Dynatrace environment.|

+ | **Location** | Select the region. Select the region where the Dynatrace resource in Azure and the Dynatrace environment is created.|

+ | **Pricing plan** | Select from the list of available plans. |

+1. Select **Next: Metrics and Logs**.

+1. Your next step is to configure metrics and logs for your resources. Azure Native Dynatrace Service supports the metrics for both compute and non-compute resources. Compute resources include VMs, app services and more. If you have an _owner role_ in the subscription, you see the option to enable metrics collection.

+

+ - **Metrics for compute resources** ΓÇô Users can send metrics for the compute resources, virtual machines and app services, by installing the Dynatrace OneAgent extension on the compute resources after the Dynatrace resource has been created.

+ - **Metrics for non-compute resources** ΓÇô These metrics can be collected by configuring the Dynatrace resource to automatically query Azure monitor for metrics. To enable metrics collection, select the checkbox. If you have an **owner access** in your subscription, you can enable and disable the metrics collection using the checkbox. Proceed to the configuring logs. However, if you have contributor access, use the information in the following step.

+

+1. If you have a _contributor role_ in the subscription, you don't see the option to enable metrics collection because in Azure a contributor can't assign a _monitoring reader_ role to a resource that is required by the metrics crawler to collect metrics.

+ :::image type="content" source="media/dynatrace-create/dynatrace-metrics-and-logs.png" alt-text="Screenshot showing options for metrics and logs.":::

+

+ Complete the resource provisioning excluding the metrics configuration and ask an owner to assign an appropriate role manually to your resource. If you have an _owner role_ in the subscription, you can take the following steps to grant a monitoring reader identity to a contributor user:

+ 1. Go to the resource created by a contributor.

+

+ 1. Go to **Access control** in the resource menu on the left and select **Add** then **Add role assignment**.

+ :::image type="content" source="media/dynatrace-create/dynatrace-contributor-guide-1.png" alt-text="Screenshot showing the access control page.":::

+ 1. In the list, scroll down and select on **Monitoring reader**. Then, select **Next**.

+ :::image type="content" source="media/dynatrace-create/dynatrace-contributor-guide-2.png" alt-text="Screenshot showing the process for selecting Monitoring reader role.":::

+ 1. In **Assign access to**, select **Managed identity**. Then, **Select members**.

+ :::image type="content" source="media/dynatrace-create/dynatrace-contributor-guide-3.png" alt-text="Screenshot showing the process to assign a role to a managed identity.":::

+ 1. Select the **Subscription**. In **Managed identity**, select **Dynatrace** and the Dynatrace resource created by the contributor. After you select the resource, use **Select** to continue.

+ :::image type="content" source="media/dynatrace-create/dynatrace-contributor-select.png" alt-text="Screenshot showing the Dynatrace resource with a new contributor selected.":::

+ 1. When you have completed the selection, select **Review + assign**

+ :::image type="content" source="media/dynatrace-create/dynatrace-review-and-assign.png" alt-text="Screenshot showing Add role assignment working pane with Review and assign with a red box around it.":::

+1. When creating the Dynatrace resource, you can set up automatic log forwarding for three types of logs:

+ - **Subscription activity logs** - These logs provide insight into the operations on your resources at the [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). Updates on service-health events are also included. Use the activity log to determine the what, who, and when for any write operations (PUT, POST, DELETE). There's a single activity log for each Azure subscription.

+ - **Azure resource logs** - These logs provide insight into operations that were taken on an Azure resource at the [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). For example, getting a secret from a Key Vault is a data plane operation. Or, making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

+

+ - **Azure Active Directory logs** ΓÇô The global administrator or security administrator for your Azure Active Directory (Azure AD) tenant can enable Azure AD logs so that you can route the audit, sign-in, and provisioning logs to Dynatrace. The details are listed in [Azure AD activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md).

+1. To send Azure resource logs to Dynatrace, select **Send Azure resource logs for all defined resources**. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](/azure/azure-monitor/essentials/resource-logs-categories).

+## Reconfigure rules for metrics and logs

+To see the list of resources emitting logs to Dynatrace, select **Monitored Resources** in the left pane.

+| Column | Description |

+| **Name** | Virtual machine name. |

+| **Status** | Indicates whether the virtual machine is stopped or running. Dynatrace OneAgent can only be installed on virtual machines that are running. If the virtual machine is stopped, installing the Dynatrace OneAgent will be disabled. |

+| **OneAgent status** | Whether the Dynatrace OneAgent is running on the virtual machine. |

+| **OneAgent version** | The Dynatrace OneAgent version number. |

+| **Auto-update** | Whether auto-update has been enabled for the OneAgent. |

+| **Log monitoring** | Whether log monitoring option was selected when OneAgent was installed. |

+| **Monitoring mode** | Whether the Dynatrace OneAgent is monitoring hosts in [full-stack monitoring mode or infrastructure monitoring mode](https://www.dynatrace.com/support/help/how-to-use-dynatrace/hosts/basic-concepts/get-started-with-infrastructure-monitoring). |

+You can install Dynatrace OneAgent on an App Service as an extension. Select an App Service in the Resource menu. In the working pane, you see a list of any App Service in the subscription.

+For each App Service, the following information is displayed:

+| Column | Description |

+| **Name** | App Service name. |

+| **Status** | Indicates whether the App Service is running or stopped. Dynatrace OneAgent can only be installed on an App Service that is running. |

+| **App Service plan** | The plan configured for the App Service. |

+| **OneAgent version** | The Dynatrace OneAgent version. |

+| **OneAgent status** | status of the agent. |

+To install the Dynatrace OneAgent, select the App Service and select **Install Extension.** The application settings for the selected App Service are updated and the App Service is restarted to complete the configuration of the Dynatrace OneAgent.

+### Metrics checkbox disabled

+- To collect metrics you must have owner permission on the subscription. If you are a contributor, refer to the contributor guide mentioned in [Configure metrics and logs](dynatrace-create.md#configure-metrics-and-logs).

+> pg_cron extension is preloaded in shared_preload_libraries for every Azure Database for PostgreSQL -Flexible Server inside postgres database to provide you with ability to schedule jobs to run in other databases within your PostgreSQL DB instance without compromising security. However, for security reasons, you still have to [allow list](#how-to-use-postgresql-extensions) pg_cron extension and install it using [CREATE EXTENSION](https://www.postgresql.org/docs/current/sql-createextension.html) command.

+>[!NOTE]

+> cron_schedule_in_database function allows for user name as optional parameter. Setting the username to a non-null value requires PostgreSQL superuser privilege and is not supported in Azure Database for PostgreSQL - Flexible Server. Above examples show running this function with optional user name parameter ommitted or set to null, which runs the job in context of user scheduling the job, which should have azure_pg_admin role priviledges.

+| Brazil South | :heavy_check_mark: (v3 only) | :x: $ | :heavy_check_mark: | :x: |

+| UAE North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have permission to manage applications in Azure AD. [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) that have the required permissions include, for example, Application administrator, Application developer, and Cloud application administrator.

+## Disable network policy

+Before a private link service can be created in the virtual network, the setting `privateLinkServiceNetworkPolicies` must be disabled.

+* Disable the network policy with [Set-AzVirtualNetwork](/powershell/module/az.network/Set-AzVirtualNetwork).

+```azurepowershell-interactive

+## Place the subnet name into a variable. ##

+$subnet = 'mySubnet'

+## Place the virtual network configuration into a variable. ##

+$net = @{

+ Name = 'myVNet'

+ ResourceGroupName = 'CreatePrivLinkService-rg'

+}

+$vnet = Get-AzVirtualNetwork @net

+## Set the policy as disabled on the virtual network. ##

+($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq $subnet}).privateLinkServiceNetworkPolicies = "Disabled"

+## Save the configuration changes to the virtual network. ##

+$vnet | Set-AzVirtualNetwork

+```

+```azurepowershell-interactive

+When using the portal to create a Private Link service, this setting is automatically disabled as part of the create process. Deployments using any Azure client (PowerShell, CLI or templates), require an extra step to change this property.

+You can use the following to enable or disable the setting:

+* Azure PowerShell

+* Azure CLI

+* Azure Resource Manager templates

+The following examples describe how to enable and disable `privateLinkServiceNetworkPolicies` for a virtual network named **myVNet** with a **default** subnet of **10.1.0.0/24** hosted in a resource group named **myResourceGroup**.

+# [**PowerShell**](#tab/private-link-network-policy-powershell)

+This section describes how to disable subnet private endpoint policies using Azure PowerShell. In the following code, replace "default" with the name of your virtual subnet.

+```azurepowershell

+$subnet = 'default'

+$net = @{

+ Name = 'myVNet'

+ ResourceGroupName = 'myResourceGroup'

+}

+$vnet = Get-AzVirtualNetwork @net

+($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq $subnet}).privateLinkServiceNetworkPolicies = "Disabled"

+$vnet | Set-AzVirtualNetwork

+# [**CLI**](#tab/private-link-network-policy-cli)

+ --name default \

+ --resource-group myResourceGroup \

+ --vnet-name myVNet \

+ --disable-private-link-service-network-policies true

+# [**JSON**](#tab/private-link-network-policy-json)

+ "name": "myVNet",

+ "10.1.0.0/16"

+ "addressPrefix": "10.1.0.0/24",

+When adding assets, you can select the container(s) that you would like to share.

+1. Finds documents where the price is at least $60 and less than $300.

+[4]: ./media/search-lucene-query-architecture/azSearch-queryparsing-spacious2.png

+| [Microsoft Defender for Containers](../../defender-for-cloud/defender-for-containers-introduction.md) | A cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. |

+> The Microsoft 365 Defender connector is now generally available!

+- To make any changes to the connector settings, your user must be a member of the same Azure Active Directory tenant with which your Microsoft Sentinel workspace is associated.

+In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender** from the gallery and select **Open connector page**.

+## Connector data

+### Incidents

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| -- | - | -- |

+| **Incidents** | Generally available | Generally available |

+### Alerts

+#### From Microsoft 365 Defender

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| -- | - | -- |

+| **Microsoft 365 Defender alerts: *SecurityAlert*** | Generally available | Public preview |

+#### From standalone component connectors

+| Data type | Commercial | GCC | GCC-High / DoD |

+| -- | - | | - |

+| **Microsoft Defender for Endpoint: *SecurityAlert (MDATP)*** | Generally available | Generally available | Generally available |

+| **Microsoft Defender for Office 365: *SecurityAlert (OATP)*** | Public preview | Public preview | Public preview |

+| **Microsoft Defender for Identity: *SecurityAlert (AATP)*** | Generally available | Unsupported | Unsupported |

+| **Microsoft Defender for Cloud Apps: *SecurityAlert (MCAS)*** | Generally available | Generally available | Unsupported |

+| **Microsoft Defender for Cloud Apps: *McasShadowItReporting*** | Generally available | Generally available | Unsupported |

+## Raw event data

+### Microsoft Defender for Endpoint

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| | - | -- |

+| **DeviceInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceNetworkInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceProcessEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceNetworkEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceFileEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceRegistryEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceLogonEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceImageLoadEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceEvents** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+| **DeviceFileCertificateInfo** | Generally available | Microsoft 365 Defender: Generally available<br>Microsoft Sentinel: Public preview |

+### Microsoft Defender for Identity

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| | - | -- |

+| **IdentityDirectoryEvents** | Generally available | Unsupported |

+| **IdentityLogonEvents** | Generally available | Unsupported |

+| **IdentityQueryEvents** | Generally available | Unsupported |

+### Microsoft Defender for Cloud Apps

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| | - | -- |

+| **CloudAppEvents** | Generally available | Unsupported |

+### Microsoft Defender for Office 365

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| | - | -- |

+| **EmailEvents** | Generally available | Public preview |

+| **EmailAttachmentInfo** | Generally available | Public preview |

+| **EmailUrlInfo** | Generally available | Public preview |

+| **EmailPostDeliveryEvents** | Generally available | Public preview |

+| **UrlClickEvents** | Generally available | Public preview |

+### Alerts

+| Data type | Commercial / GCC<br>(Azure Commercial) | GCC-High / DoD<br>(Azure Government) |

+| -- | - | -- |

+| **AlertInfo** | Generally available | Public preview |

+| **AlertEvidence** | Generally available | Public preview |

+- Learn about [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md).

+- Learn how to [get visibility into your data and potential threats](get-visibility.md).

+- **Microsoft Defender for Endpoint (MDE)**

+- **Microsoft Defender for Identity (MDI)**

+- **Microsoft Defender for Office 365 (MDO)**

+- **Microsoft Defender for Cloud Apps (MDA)**

+> The Microsoft 365 Defender connector is now generally available!

+- Check [availability of different Microsoft 365 Defender data types](microsoft-365-defender-cloud-support.md) in the different Microsoft 365 and Azure clouds.

+- Create [custom alerts](detect-threats-custom.md) and [investigate incidents](investigate-incidents.md).

+- [Microsoft 365 Defender data connector is now generally available](#microsoft-365-defender-data-connector-is-now-generally-available)

+### Microsoft 365 Defender data connector is now generally available

+Microsoft 365 Defender incidents, alerts, and raw event data can be ingested into Microsoft Sentinel using this connector. It also enables the bi-directional synchronization of incidents between Microsoft 365 Defender and Microsoft Sentinel. This integration allows you to manage all of your incidents in Microsoft Sentinel, while taking advantage of Microsoft 365 Defender's specialized tools and capabilities to investigate those incidents that originated in Microsoft 365.

+- Learn more about [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md).

+- Learn how to [connect Microsoft 365 Defender to Microsoft Sentinel](connect-microsoft-365-defender.md).

+You'll learn the following:

+In this tutorial, you'll build and run the multi-tier application in an Azure cloud service. The front end is an ASP.NET MVC web role and the back end is a worker-role that uses a Service Bus queue. You can create the same multi-tier application with the front end as a web project that is deployed to an Azure website instead of a cloud service. You can also try out the [.NET on-premises/cloud hybrid application](../azure-relay/service-bus-dotnet-hybrid-app-using-service-bus-relay.md) tutorial.

+the web tier doesn't connect to the middle tier directly; instead it

+* **Temporal decoupling.** When you use the asynchronous messaging pattern, producers and consumers don't need to be online at the same time. Service Bus reliably stores messages until the consuming party is ready to receive them. This enables the components of the distributed application to be disconnected, either voluntarily, for example, for maintenance, or due to a component crash, without impacting the system as a whole. Furthermore, the consuming application might only need to come online during certain times of the day.

+ worker machines differ in terms of processing power, as they'll

+ Studio: right-click the **Visual Studio** program icon, and then select **Run as administrator**. The Azure Compute Emulator,

+ In Visual Studio, on the **File** menu, select **New**, and then

+ select **Project**.

+4. Hover over **WebRole1** under **Azure Cloud Service solution**, select

+ the pencil icon, and rename the web role to **FrontendWebRole**. Then select **OK**. (Make sure you enter "Frontend" with a lower-case 'e,' not "FrontEnd".)

+8. In **Solution Explorer**, in the **FrontendWebRole** project, right-click **References**, then select

+9. Select the **Browse** tab, then search for **Azure.Messaging.ServiceBus**. Select the **Azure.Messaging.ServiceBus** package, select **Install**, and accept the terms of use.

+10. In **Solution Explorer**, expand **FronendWebRole**, right-click **Models** and select **Add**,

+ then select **Class**. In the **Name** box, type the name

+ **OnlineOrder.cs**. Then select **Add**.

+4. From the **Build** menu, select **Build Solution** to test the accuracy of your work so far.

+ the `ViewBag.MessageCount` is empty. You'll populate it later.

+1. In **Solution Explorer**, right-click **FrontendWebRole** (right-click the project, not the role). Select **Add**, and then select **Class**.

+2. Name the class **QueueConnector.cs**. Select **Add** to create the class.

+You'll now create the worker role that processes the order

+3. Select **Add**, and then select **New Worker Role Project**. The **Add New Role Project** dialog box appears.

+5. In the **Name** box, name the project **OrderProcessingRole**. Then select **Add**.

+1. Create an **OnlineOrder** class to represent the orders as you process them from the queue. You can reuse a class you have already created. In **Solution Explorer**, right-click the **OrderProcessingRole** class (right-click the class icon, not the role). Select **Add**, then select **Existing Item**.

+14. You've completed the application. You can test the full

+ selecting **Set as Startup Project**, and then pressing F5. The

+ message count doesn't increment, because the worker role processes items

+ :::image type="content" source="./media/service-bus-dotnet-multi-tier-app-using-service-bus-queues/getting-started-multi-tier-38.png" alt-text="Screenshot of what appears when you select the emulator icon. Show Compute Emulator UI is in the list of options.":::

+After the namespace and topic/subscriptions are provisioned, and you have the connection string to the namespace, you're ready to create filter rules on the subscriptions, then send and receive messages. You can examine the code in [this GitHub sample folder](https://github.com/Azure/azure-service-bus/tree/master/samples/Java/azure-servicebus/TopicFilters).

+3. Obtain the connection string you copied to Notepad earlier in this tutorial. You also need the name of the topic you created in the previous section.

+ Title: Deprecation of Azure Site Recovery data encryption feature

+description: Get details about the Azure Site Recovery data encryption feature.

+# Deprecation of the Site Recovery data encryption feature

+This article describes the deprecation details and the remediation action that you need to take if you're using the Azure Site Recovery data encryption feature while configuring disaster recovery of Hyper-V virtual machines (VMs) to Azure.

+The Site Recovery data encryption feature was available for customers who wanted to protect replicated data for Hyper-V VMs against security threats. This feature was deprecated on *April 30, 2022*. It was replaced by the [encryption at rest](https://azure.microsoft.com/blog/azure-site-recovery-encryption-at-rest/) feature, which uses [service-side encryption](../storage/common/storage-service-encryption.md) (SSE).

+With SSE, data is encrypted before persisting to storage and decrypted on retrieval. Upon failover to Azure, your VMs will run from the encrypted storage accounts to help improve recovery time objective (RTO).

+If you're an existing customer who's using this feature, you should have received communications with the deprecation details and remediation steps.

+As of *April 30, 2022*, any VMs that still use the retired encryption feature can't perform failover.

+To continue successful failover operations and replications, follow these steps for each VM:

+1. [Disable replication](./site-recovery-manage-registration-and-protection.md#disable-protection-for-a-hyper-v-virtual-machine-replicating-to-azure-using-the-system-center-vmm-to-azure-scenario).

+2. [Create a new replication policy](./hyper-v-azure-tutorial.md#replication-policy).

+3. [Enable replication](./hyper-v-vmm-azure-tutorial.md#enable-replication) and select a storage account with SSE enabled.

+After you complete the initial replication to storage accounts with SSE enabled, your VMs will use encryption at rest with Azure Site Recovery.

+Plan for performing the remediation steps, and execute them as soon as possible. If you have any questions about this deprecation, contact Microsoft Support. To read more about the scenario of Hyper-V replication to Azure, see [this article](hyper-v-vmm-architecture.md).

+ Title: Upgrade Windows Server and System Center VMM 2012 R2 to 2016

+description: Learn how to upgrade Windows Server 2012 R2 hosts and System Center Virtual Machine Manager 2012 R2 configured with Azure Site Recovery to Windows Server 2016 and Virtual Machine Manager 2016.

+# Upgrade Windows Server and System Center VMM 2012 R2 to 2016

+This article shows you how to upgrade Windows Server 2012 R2 hosts and System Center Virtual Machine Manager (VMM) 2012 R2 configured with Azure Site Recovery to Windows Server 2016 and VMM 2016.

+Site Recovery contributes to your business continuity and disaster recovery (BCDR) strategy. The service ensures that your virtual machine (VM) workloads remain available when expected and unexpected outages occur.

+> When you upgrade Windows Server 2012 R2 hosts that are already configured for replication with Azure Site Recovery, you must follow the steps mentioned in this article. Any alternative path chosen for upgrade can result in unsupported states and can affect replication or the ability to perform failover.

+> * Windows Server 2012 R2 hosts that VMM doesn't manage

+> * Windows Server 2012 R2 hosts that a standalone VMM 2012 R2 server manages

+> * Windows Server 2012 R2 hosts that a highly available VMM 2012 R2 server manages

+## Prerequisites and factors to consider

+Before you upgrade, note the following:

+- If you have Windows Server 2012 R2 hosts that VMM doesn't manage, and it's a standalone environment setup, there will be a break in replication if you try to perform the upgrade.

+- If you selected **Do not store my keys in Active Directory under Distributed Key Management** while installing VMM 2012 R2, the upgrades won't finish successfully.

+- If you're using VMM 2012 R2:

+ - Check the database information on VMM. You can find it by going to the VMM console and selecting **Settings** > **General** > **Database connection**.

+ - Check the service accounts that you're using for the System Center Virtual Machine Manager Agent service.

+ - Make sure that you have a backup of the VMM database.

+ - Note down the database names of the VMM servers involved. You can find them by going to the VMM console and selecting **Settings** > **General** > **Database connection**.

+ - Note down the VMM IDs of the 2012 R2 primary and recovery VMM servers. You can find the VMM IDs in the registry: *HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Setup*.

+ - Ensure that the new VMM instances that you add to the cluster have the same names as before.

+- If you're replicating between two sites managed by VMM on both sides, ensure that you upgrade the recovery side before you upgrade the primary side.

+ > When you're upgrading VMM 2012 R2, under **Distributed Key Management**, select **Store encryption keys in Active Directory**. Choose the settings for the service account and distributed key management carefully. Based on your selections, encrypted data such as passwords in templates might not be available after the upgrade and can potentially affect replication with Azure Site Recovery.

+For more information, see the detailed VMM [documentation of prerequisites](/system-center/vmm/upgrade-vmm?view=sc-vmm-2016&preserve-view=true#requirements-and-limitations).

+## Windows Server 2012 R2 hosts that VMM doesn't manage

+The following steps apply to the user configuration from [Hyper-V hosts to Azure](./hyper-v-azure-architecture.md). You can complete this configuration by following [this tutorial](./hyper-v-prepare-on-premises-tutorial.md).

+> As mentioned in the prerequisites, these steps apply only to a clustered environment scenario and not in a standalone Hyper-V host configuration.

+1. Follow the [steps to perform the rolling cluster upgrade](/windows-server/failover-clustering/cluster-operating-system-rolling-upgrade#cluster-os-rolling-upgrade-process).

+2. With every new Windows Server 2016 host that's introduced in the cluster, remove the reference of a Windows Server 2012 R2 host from Azure Site Recovery by [following these steps](/azure/site-recovery/site-recovery-manage-registration-and-protection). This should be the host that you chose to drain and evict from the cluster.

+3. Run the `Update-VMVersion` command for all virtual machines to complete the upgrades.

+4. [Use these steps](./hyper-v-azure-tutorial.md#source-settings) to register the new Windows Server 2016 host to Azure Site Recovery. Note that the Hyper-V site is already active and you just need to register the new host in the cluster.

+5. Go to the Azure portal and verify the replicated health status inside the Recovery Services vault.

+## Upgrade Windows Server 2012 R2 hosts that a standalone VMM 2012 R2 server manages

+Before you upgrade your Windows Server 2012 R2 hosts, you need to upgrade VMM 2012 R2 to VMM 2016. Use the following steps.

+### Upgrade standalone VMM 2012 R2 to VMM 2016

+1. Uninstall the Azure Site Recovery provider. Go to **Control Panel** > **Programs** > **Programs and Features** > **Microsoft Azure Site Recovery**, and then select **Uninstall**.

+2. [Retain the VMM database and upgrade the operating system](/system-center/vmm/upgrade-vmm?view=sc-vmm-2016&preserve-view=true#back-up-and-upgrade-the-operating-system):

+ a. In **Add or remove programs**, select **VMM** > **Uninstall**.

+ b. Select **Remove Features**, and then select **VMM management Server and VMM Console**.

+ c. In **Database Options**, select **Retain database**.

+ d. Review the summary and select **Uninstall**.

+4. [Install VMM 2016](/system-center/vmm/upgrade-vmm?view=sc-vmm-2016&preserve-view=true#install-vmm-2016).

+5. Open VMM and check the status of each host under the **Fabrics** tab. Select **Refresh** to get the most recent status. You should see a status of **Needs Attention**.

+6. [Install the latest Azure Site Recovery provider (direct download)](https://aka.ms/downloaddra) on VMM.

+7. Install the latest [Microsoft Azure Recovery Services (MARS) agent (direct download)](https://aka.ms/azurebackup_agent) on each host of the cluster. Refresh to ensure that VMM can successfully query the hosts.

+## Upgrade Windows Server 2012 R2 hosts to Windows Server 2016

+1. Follow [these steps](/windows-server/failover-clustering/cluster-operating-system-rolling-upgrade#cluster-os-rolling-upgrade-process) to perform the rolling cluster upgrade.

+2. After you add the new host to the cluster, refresh the host from the VMM console to install the VMM agent on this updated host.

+3. Run `Update-VMVersion` to update the versions of the virtual machines.

+4. Go to the Azure portal and verify the replicated health status of the virtual machines inside the Recovery Services vault.

+## Upgrade Windows Server 2012 R2 hosts that a highly available VMM 2012 R2 server manages

+Before you upgrade your Windows Server 2012 R2 hosts, you need to upgrade VMM 2012 R2 to VMM 2016. The following modes of upgrade are supported while you're upgrading VMM 2012 R2 servers configured with Site Recovery mixed mode (either with or without additional VMM servers).

+### Upgrade VMM 2012 R2 to VMM 2016

+1. Uninstall the Azure Site Recovery provider. Go to **Control Panel** > **Programs** > **Programs and Features** > **Microsoft Azure Site Recovery**, and then select **Uninstall**.

+2. Follow [these steps](/system-center/vmm/upgrade-vmm?view=sc-vmm-2016&preserve-view=true#upgrade-a-standalone-vmm-server) based on the mode of upgrade that you want to execute.

+3. Open the VMM console and check the status of each host under the **Fabrics** tab. Select **Refresh** to get the most recent status. You should see a status of **Needs Attention**.

+4. [Install the latest Azure Site Recovery provider (direct download)](https://aka.ms/downloaddra) on VMM.

+5. Update the latest [MARS agent (direct download)](https://aka.ms/azurebackup_agent) on each host of the cluster. Refresh to ensure that VMM can successfully query the hosts.

+### Upgrade Windows Server 2012 R2 hosts to Windows Server 2016

+1. Follow [these steps](/windows-server/failover-clustering/cluster-operating-system-rolling-upgrade#cluster-os-rolling-upgrade-process) to perform the rolling cluster upgrade.

+2. After you add the new host to the cluster, refresh the host from the VMM console to install the VMM agent on this updated host.

+3. Run `Update-VMVersion` to update the VM versions of the virtual machines.

+4. Go to the Azure portal and verify the replicated health status of the virtual machines inside the Recovery Services vault.

+After you upgrade the hosts, you can perform a [test failover](tutorial-dr-drill-azure.md) to test the health of your replication and disaster recovery status.

+ Title: Configure the Azure Static Web Apps CLI

+description: Configure the Azure Static Web Apps CLI

+# Configure the Azure Static Web Apps CLI

+The Azure Static Web Apps (SWA) CLI gets configuration information for your static web app in one of two ways:

+- CLI options (passed in at runtime)

+- A CLI configuration file named *swa-cli.config.json*

+> [!NOTE]

+> By default, the SWA CLI looks for a configuration file named *swa-cli.config.json* in the current directory.

+The configuration file can contain multiple configurations, each identified by a unique configuration name.

+- If only a single configuration is present in the *swa-cli.config.json* file, `swa start` uses it by default.

+- If options are loaded from a config file, then command line options are ignored. For example, if you run `swa start app --ssl`, the `ssl=true` option is not be picked up by the CLI.

+## Configuration file example

+```json

+{

+ "configurations": {

+ "app": {

+ "appDevserverUrl": "http://localhost:3000",

+ "apiLocation": "api",

+ "run": "npm run start",

+ "swaConfigLocation": "./my-app-source"

+ }

+ }

+}

+```

+## Initialize a configuration file

+Use `swa init` to kickstart the workflow to create a configuration file for a new or existing project. If the project exists, `swa init` tries to guess the configuration settings for you.

+By default, the process creates these settings in a *swa-cli.config.json* in the current working directory of your project. This directory is the default file name and location used by `swa` when searching for project configuration values.

+```azstatic-cli

+swa --config <PATH>

+```

+If the file contains only one named configuration, then it is used by default. If multiple configurations are defined, you need to specify the one to use as an option.

+```azstatic-cli

+swa --config-name

+```

+When the configuration file option is used, the settings are stored in JSON format. Once created, you can manually edit the file to update settings or use `swa init` to make updates.

+## View configuration

+The Static Webs CLI provides a `--print-config` option so you can determine resolved options for your current setup.

+Here is an example of what that output looks like when run on a new project with default settings.

+```azstatic-cli

+swa --print-config

+Options:

+ - port: 4280

+ - host: localhost

+ - apiPort: 7071

+ - appLocation: .

+ - apiLocation: <undefined>

+ - outputLocation: .

+ - swaConfigLocation: <undefined>

+ - ssl: false

+ - sslCert: <undefined>

+ - sslKey: <undefined>

+ - appBuildCommand: <undefined>

+ - apiBuildCommand: <undefined>

+ - run: <undefined>

+ - verbose: log

+ - serverTimeout: 60

+ - open: false

+ - githubActionWorkflowLocation: <undefined>

+ - env: preview

+ - appName: <undefined>

+ - dryRun: false

+ - subscriptionId: <undefined>

+ - resourceGroupName: <undefined>

+ - tenantId: <undefined>

+ - clientId: <undefined>

+ - clientSecret: <undefined>

+ - useKeychain: true

+ - clearCredentials: false

+ - config: swa-cli.config.json

+ - printConfig: true

+```

+Running `swa --print-config` provide's the current configuration defaults.

+> [!NOTE]

+> If the project has not yet defined a configuration file, this automatically triggers the `swa init` workflow to help you create one.

+## Validate configuration

+The swa-cli.config.json file can be validated against the following schema: https://aka.ms/azure/static-web-apps-cli/schema

+ Title: Deploy a static web app with Azure Static Web Apps CLI

+description: Deploy a static web app with Azure Static Web Apps CLI

+# Deploy a static web app with Azure Static Web Apps CLI

+The `deploy` command deploys the current project to Azure Static Web Apps.

+Some common use cases include:

+- Deploy a front-end app without an API

+- Deploy a front-end app with an API

+- Deploy a Blazor app

+## Deployment token

+The SWA CLI supports deploying using a deployment token. This is usually useful when deploying from a CI/CD environment. You can get a deployment token either from:

+- The [Azure portal](https://portal.azure.com/): **Home → Static Web App → Your Instance → Overview → Manage deployment token**

+- If you are using the [Azure CLI](https://aka.ms/azcli), you can get the deployment token of your project using the following command:

+```azstatic-cli

+az staticwebapp secrets list --name <APPLICATION_NAME> --query "properties.apiKey"

+```

+- If you are using the Azure Static Web Apps CLI, you can use the following command:

+```azstatic-cli

+swa deploy --print-token

+```

+You can then use that value with the `--deployment-token <token>` or you can create an environment variable called `SWA_CLI_DEPLOYMENT_TOKEN` and set it to the deployment token.

+> [!IMPORTANT]

+> Don't store deployment tokens in a public repository.

+## Deploy a front-end app without an API

+You can deploy a front-end application without an API to Azure Static Web Apps by running the following steps:

+If your front-end application requires a build step, run `swa build` or refer to your application build instructions.

+* **Option 1:** From build folder you would like to deploy, run the deploy command:

+ ```azstatic-cli

+ cd build/

+ swa deploy

+ ```

+ > [!NOTE]

+ > The *build* folder must contain the static content of your app to be deployed.

+* **Option 2:** You can also deploy a specific folder:

+ 1. If your front-end application requires a build step, run `swa build` or refer to your application build instructions.

+ 2. Deploy your app:

+ ```azstatic-cli

+ swa deploy ./my-dist

+ ```

+## Deploy a front-end app with an API

+To deploy both the front-end app and an API to Azure Static Web Apps, use the following steps.

+1. If your front-end application requires a build step, run `swa build` or refer to your application build instructions.

+2. Make sure the API language runtime version in the *staticwebapp.config.json* file is set correctly, for example:

+```json

+{

+ "platform": {

+ "apiRuntime": "node:16"

+ }

+}

+```

+> [!NOTE]

+> If your project doesn't have the *staticwebapp.config.json* file, add one under your `outputLocation` folder.

+3. Deploy your app:

+```azstatic-cli

+swa deploy ./my-dist --api-location ./api

+```

+### Deploy a Blazor app

+To deploy a Blazor app with an API to Azure Static Web Apps, use the following steps:

+1. Build your Blazor app in **Release** mode:

+```azstatic-cli

+dotnet publish -c Release -o bin/publish

+```

+2. From the root of your project, run the deploy command:

+```azstatic-cli

+swa deploy ./bin/publish/wwwroot --api-location ./Api

+```

+## Deploy using the `swa-cli.config.json`

+> [!NOTE]

+> The path for `outputLocation` must be relative to the `appLocation`.

+If you are using a [`swa-cli.config.json`](./static-web-apps-cli-configuration.md) configuration file in your project and have a single configuration entry, for example:

+```json

+{

+ "configurations": {

+ "my-app": {

+ "appLocation": "./",

+ "apiLocation": "api",

+ "outputLocation": "frontend",

+ "start": {

+ "outputLocation": "frontend"

+ },

+ "deploy": {

+ "outputLocation": "frontend"

+ }

+ }

+ }

+}

+```

+Then you can deploy your application by running the following steps:

+1. If your front-end application requires a build step, run `swa build` or refer to your application build instructions.

+2. Deploy your app:

+```azstatic-cli

+swa deploy

+```

+If you have multiple configuration entries, you can provide the entry ID to specify which one to use:

+```azstatic-cli

+swa deploy my-otherapp

+```

+## Options

+Here are the options you can use with `swa deploy`:

+- `-a, --app-location <path>`: the folder containing the source code of the front-end application (default: "`.`")

+- `-i, --api-location <path>`: the folder containing the source code of the API application

+- `-O, --output-location <path>`: the folder containing the built source of the front-end application. The path is relative to `--app-location` (default: "`.`")

+- `-w, --swa-config-location <swaConfigLocation>`: the directory where the staticwebapp.config.json file is located

+- `-d, --deployment-token <secret>`: the secret token used to authenticate with the Static Web Apps

+- `-dr, --dry-run`: simulate a deploy process without actually running it (default: `false`)

+- `-pt, --print-token`: print the deployment token (default: `false`)

+- `--env [environment]`: the type of deployment environment where to deploy the project (default: "`preview`")

+- `-S, --subscription-id <subscriptionId>`: Azure subscription ID used by this project (default: `process.env.AZURE_SUBSCRIPTION_ID`)

+- `-R, --resource-group <resourceGroupName>`: Azure resource group used by this project

+- `-T, --tenant-id <tenantId>`: Azure tenant ID (default: `process.env.AZURE_TENANT_ID`)

+- `-C, --client-id <clientId>`: Azure client ID

+- `-CS, --client-secret <clientSecret>`: Azure client secret

+- `-n, --app-name <appName>`: Azure Static Web App application name

+- `-cc, --clear-credentials`: clear persisted credentials before login (default: `false`)

+- `-u, --use-keychain`: enable using the operating system native keychain for persistent credentials (default: `true`)

+- `-nu, --no-use-keychain`: disable using the operating system native keychain

+- `-h, --help`: display help for command

+## Usage

+Deploy using a deployment token.

+```azstatic-cli

+swa deploy ./dist/ --api-location ./api/ --deployment-token <TOKEN>

+```

+Deploy using a deployment token from the environment variables.

+```azstatic-cli

+SWA_CLI_DEPLOYMENT_TOKEN=123 swa deploy ./dist/ --api-location ./api/

+```

+Deploy using `swa-cli.config.json` file

+```azstatic-cli

+swa deploy

+swa deploy myconfig

+```

+Print the deployment token.

+```azstatic-cli

+swa deploy --print-token

+```

+Deploy to a specific environment.

+```azstatic-cli

+swa deploy --env production

+```

+- An Azure Databricks workspace. See [Create an Azure Databricks workspace](/azure/databricks/getting-started/#--create-an-azure-databricks-workspace).

+- An Azure Databricks cluster. See [Create a cluster](/azure/databricks/getting-started/quick-start#step-1-create-a-cluster).

+## Download the flight data

+2. In the sidebar, select **Workspace**.

+3. In the Workspace folder, select **Create > Notebook**.

+ > [!div class="mx-imgBorder"]

+ > 

+4. In the **Create Notebook** dialog, enter a name and then select **Python** in the **Default Language** drop-down list. This selection determines the default language of the notebook.

+5. In the **Cluster** drop-down list, make sure that the cluster you created earlier is selected.

+6. Click **Create**. The notebook opens with an empty cell at the top.

+7. Copy and paste the following code block into the first cell, but don't run this code yet.

+Inspect the minimum value in the file by using Spark, and check that some dates are less than 0001-01-03. If you stored the files by using the Spark 2.4 version or with the higher Spark version that still uses legacy datetime storage format, the datetime values before are written by using the Julian calendar that isn't aligned with the proleptic Gregorian calendar used in serverless SQL pools.

+Consider [migrating to Spark 3.1 or higher](https://spark.apache.org/docs/latest/sql-migration-guide.html) and switching to the proleptic Gregorian calendar. The latest Spark versions use by default a proleptic Gregorian calendar that's aligned with the calendar in serverless SQL pool. Reload your legacy data with the higher version of Spark, and use the following setting to correct the dates:

+- [Troubleshoot a slow query on a dedicated SQL Pool](/troubleshoot/azure/synapse-analytics/dedicated-sql/troubleshoot-dsql-perf-slow-query)

+Update management center (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. In addition, you can use the Update management center (preview) to make real-time updates or schedule them within a defined maintenance window.

+ The extension agent installation and configuration are managed by the update management center (preview). There's no manual intervention required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The update management center (preview) extension runs code locally on the machine to interact with the operating system, and it includes:

+You need the following permissions to create and manage update deployments. The following table shows the permissions needed when using the update management center (preview).

+- [Manage multiple machines using update management center](manage-multiple-machines.md)

+|Give and take control |Yes|Yes|

+|Noise suppression|Yes|Yes|

+|Give and take control |1.2.2924 and later|10.7.10 and later|1.0.2006.11001 and later (Windows), 1.31.2211.15001 and later (macOS)|Updates within 90 days of the current version|

+|Noise suppression|1.2.3316 and later|10.8.1 and later|1.0.2006.11001 and later|Updates within 90 days of the current version|

+<#

+ .SYNOPSIS

+ This script will scan all VMs in the provided subscription and upgrade any out of date AzureNetworkWatcherExtensions

+ .DESCRIPTION

+ This script should be no-op if AzureNetworkWatcherExtensions are up to date

+ Requires Azure PowerShell 4.2 or higher to be installed (e.g. Install-Module AzureRM).

+ .EXAMPLE

+ .\UpdateVMAgentsInSub.ps1 -SubID F4BC4873-5DAB-491E-B713-1358EF4992F2 -NoUpdate

+

+[CmdletBinding()]

+param(

+ [Parameter(Mandatory=$true)]

+ [string] $SubID,

+ [Parameter(Mandatory=$false)]

+ [Switch] $NoUpdate = $false,

+ [Parameter(Mandatory=$false)]

+ [string] $MinVersion = "1.4.2423.1"

+)

+function NeedsUpdate($version)

+{

+ if ([Version]$version -lt [Version]$MinVersion)

+ {

+ $lessThan = $true

+ }else{

+ $lessThan = $false

+ }

+ return $lessThan

+}

+Write-Host "Scanning all VMs in the subscription: $($SubID)"

+Set-AzContext -SubscriptionId $SubID

+$vms = Get-AzVM

+$foundVMs = $false

+Write-Host "Starting VM search, this may take a while"

+foreach ($vmName in $vms)

+{

+ # Get Detailed VM info

+ $vm = Get-AzVM -ResourceGroupName $vmName.ResourceGroupName -Name $vmName.name -Status

+ $isitWindows = $vm.OsName -like "*Windows*"

+

+ foreach ($extension in $vm.Extensions)

+ {

+ if ($extension.Name -eq "AzureNetworkWatcherExtension")

+ {

+ if (NeedsUpdate($extension.TypeHandlerVersion))

+ {

+ $foundVMs = $true

+ if (-not ($NoUpdate))

+ {

+ Write-Host "Found VM that needs to be updated: subscriptions/$($SubID)/resourceGroups/$($vm.ResourceGroupName)/providers/Microsoft.Compute/virtualMachines/$($vm.Name) -> Updating " -NoNewline

+ Remove-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name "AzureNetworkWatcherExtension" -Force

+ Write-Host "... " -NoNewline

+ $type = if ($isitWindows) { "NetworkWatcherAgentWindows" } else { "NetworkWatcherAgentLinux" }

+ Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -Location $vmName.Location -VMName $vm.Name -Name "AzureNetworkWatcherExtension" -Publisher "Microsoft.Azure.NetworkWatcher" -Type $type -typeHandlerVersion $MinVersion

+ Write-Host "Done"

+ }

+ else

+ {

+ Write-Host "Found $(if ($isitWindows) {"Windows"} else {"Linux"}) VM that needs to be updated: subscriptions/$($SubID)/resourceGroups/$($vm.ResourceGroupName)/providers/Microsoft.Compute/virtualMachines/$($vm.Name)"

+ }

+ }

+ }

+ }

+

+if ($foundVMs)

+{

+ Write-Host "Finished $(if ($NoUpdate) {"searching"} else {"updating"}) out of date AzureNetworkWatcherExtension on VMs"

+}

+else

+{

+ Write-Host "All AzureNetworkWatcherExtensions up to date"

+| RedHat | RHEL 8.7 | 8.7 | RedHat:RHEL:8_7:latest | OS and data disk (see note below) |

+| RedHat | RHEL 8.7 Gen 2 | 8.7 | RedHat:RHEL:87-gen2:latest | OS and data disk (see note below) |

+| RedHat | RHEL 8.6 Gen 2 | 8.6 | RedHat:RHEL:86-gen2:latest | OS and data disk (see note below) |

+Get-AzVMRunCommand -ResourceGroupName "myRG" -VMName "myVM" -RunCommandName "RunCommandName" -Expand InstanceView

+Configuring high availability for SAP Central Services protects resources and processes from local incidents. To achieve DR for SAP Central Services, you can use Azure Site Recovery. Azure Site Recovery replicates VMs and the attached managed disks, but there are additional considerations for the DR strategy. Check the section below for more information, based on the operating system used for SAP central services.

+#### [Windows](#tab/windows)

+For SAP system, the redundancy of SPOF component in the primary region is achieved by configuring high availability. To achieve similar high availability setup in the disaster recovery region after failover, you need to consider additional points like cluster reconfiguration, SAP shared directories availability, alongside of replicating VMs and attached managed disk to DR site using Azure Site Recovery. On Windows, the high availability of SAP application can be achieved using Windows Server Failover Cluster (WSFC). The diagram below shows the different components involved in configuring high availability of SAP central services with WSFC. Each component must be evaluated to achieve similar high availability set up in the DR site. If you have configured SAP Web Dispatcher using WSFC, similar consideration would apply as well.

+

+##### SAP system configured with File share

+If you've configured your SAP system using file share on primary region, you need to make sure all components and the data in the file share (SMB on Azure Files, SMB on ANF) are replicated to the disaster recovery region if there is failover. You can use Azure Site Recovery to replicate the cluster VMs and other application server VMs to the disaster recovery region. There are some additional considerations that are outlined below.

+###### Load balancer

+Azure Site Recovery replicates VMs to the DR site, but it doesnΓÇÖt replicate Azure load balancer. You'll need to create a separate internal load balancer on DR site beforehand or after failover. If you create internal load balancer beforehand, create an empty backend pool and add VMs after the failover event.

+###### Quorum (cloud witness)

+If you have configured cluster with cloud witness at its quorum mechanism, then you would need to create a separate storage account on DR region. On the event of failover, quorum setting must be updated with the new storage account name and access keys.

+###### Windows server failover cluster

+If there is failover, SAP ASCS/ERS VMs configured with WSFC wonΓÇÖt work out-of-the-box. Additional reconfiguration is required to start SAP system on the DR region.

+Read [SAP NetWeaver HA deployment with File Share running on Windows failover to DR Region using ASR](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-netweaver-ha-deployment-with-file-share-running-on-windows/ba-p/3727034) blog to learn more about the additional steps that are required in the DR region.

+###### File share directories

+The high availability setup of SAP NetWeaver or ABAP platform uses enqueue replication server for achieving application level redundancy for the enqueue service of SAP system with WSFC configuration. The high availability setup of SAP central services (ASCS and ERS) with file share uses SMB shares. You will need to make sure that the SAP binaries and data on these SMB shares are replicated to the DR site. Azure Site Recovery replicates VMs and local managed disk attached, but it doesn't replicate the file shares. Choose the replication method, based on the type of file share storage you've configured for the setup. The cross regional replication methodology for each storage is presented at abstract level. You need to confirm exact steps to replicate storage and perform testing.

+| SAP file share directories | Cross region replication mechanism |

+| -- | |

+| SMB on Azure Files | [Robocopy](../../../storage/files/storage-files-migration-robocopy.md) |

+| SMB on Azure NetApp Files | [Cross Region Replication](../../../azure-netapp-files/cross-region-replication-introduction.md) |

+In the primary region, the redundancy of the SAP application servers is achieved by installing instances in multiple VMs. To have DR for SAP application servers, [Azure Site Recovery](../../../site-recovery/azure-to-azure-tutorial-enable-replication.md) can be set up for each application server VM. For shared storages (transport filesystem, interface data filesystem) that is attached to the application servers, follow the appropriate DR practice based on the type of [shared storage](disaster-recovery-overview-guide.md#storage).

+- February 02, 2023: Add new HA provider susChkSrv for [SAP HANA Scale-out HA on SUSE](sap-hana-high-availability-scale-out-hsr-suse.md) and change from SAPHanaSR to SAPHanaSrMultiTarget provider, enabling HANA multi-target replication

+In the example configurations, installation commands, and so on, the HANA instance is **03** and the HANA system ID is **HN1**.

+* **[A]**: Applicable to all nodes, including majority maker

+* **[M]**: Applicable to the majority maker node only

+ > [!NOTE]

+ > SAPHanaSR-ScaleOut version 0.181 or higher must be installed.

+1. **[AH]** Prepare the OS for running SAP HANA on NetApp Systems with NFS, as described in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346). Create configuration file */etc/sysctl.d/91-NetApp-HANA.conf* for the NetApp configuration settings.

+2. **[AH]** Adjust the sunrpc settings, as recommended in SAP note [3024346 - Linux Kernel Settings for NetApp NFS](https://launchpad.support.sap.com/#/notes/3024346).

+## Implement HANA HA hooks SAPHanaSrMultiTarget and susChkSrv

+This important step is to optimize the integration with the cluster and detection when a cluster failover is possible. It is highly recommended to configure SAPHanaSrMultiTarget Python hook. For HANA 2.0 SP5 and higher, implementing both SAPHanaSrMultiTarget and susChkSrv hooks is recommended.

+> [!NOTE]

+> SAPHanaSrMultiTarget HA provider replaces SAPHanaSR for HANA scale-out. SAPHanaSR was described in earlier version of this document.

+> See [SUSE blog post](https://www.suse.com/c/sap-hana-scale-out-multi-target-upgrade/) about changes with the new HANA HA hook.

+Provided steps for SAPHanaSrMultiTarget hook are for a new installation. Upgrading an existing environment from SAPHanaSR to SAPHanaSrMultiTarget provider requires several changes and are _NOT_ described in this document. If the existing environment uses no third site for disaster recovery and [HANA multi-target system replication](https://help.sap.com/docs/SAP_HANA_PLATFORM/4e9b18c116aa42fc84c7dbfd02111aba/ba457510958241889a459e606bbcf3d3.html) is not used, SAPHanaSR HA provider can remain in use.

+SusChkSrv extends the functionality of the main SAPHanaSrMultiTarget HA provider. It acts in the situation when HANA process hdbindexserver crashes. If a single process crashes typically HANA tries to restart it. Restarting the indexserver process can take a long time, during which the HANA database isn't responsive. With susChkSrv implemented, an immediate and configurable action is executed, instead of waiting on hdbindexserver process to restart on the same node. In HANA scale-out susChkSrv acts for every HANA VM independently. The configured action will kill HANA or fence the affected VM, which triggers a failover in the configured timeout period.

+SUSE SLES 15 SP1 or higher is required for operation of both HANA HA hooks. Following table shows other dependencies.

+|SAP HANA HA hook | HANA version required | SAPHanaSR-ScaleOut required |

+|-| -- | |

+| SAPHanaSrMultiTarget | HANA 2.0 SPS4 or higher | 0.180 or higher |

+| susChkSrv | HANA 2.0 SPS5 or higher | 0.184.1 or higher |

+Steps to implement both hooks:

+2. **[1,2]** Adjust `global.ini` on each cluster site. If the prerequisites for susChkSrv hook aren't met, entire block `[ha_dr_provider_suschksrv]` shouldn't be configured.

+You can adjust the behavior of susChkSrv with parameter action_on_lost. Valid values are `[ ignore | stop | kill | fence ]`.

+ # add to global.ini on both sites. Do not copy global.ini between sites.

+ [ha_dr_provider_saphanasrmultitarget]

+ provider = SAPHanaSrMultiTarget

+ ha_dr_saphanasrmultitarget = info

+ Default location of the HA hooks as deliveredy SUSE is /usr/share/SAPHanaSR-ScaleOut. Using the standard location brings a benefit, that the python hook code is automatically updated through OS or package updates and gets used by HANA at next restart. With an optional own path, such as /hana/shared/myHooks you can decouple OS updates from the used hook version.

+3. **[AH]** The cluster requires sudoers configuration on the cluster nodes for <sid\>adm. In this example that is achieved by creating a new file. Execute the commands as `root` adapt the values of hn1 with correct lowercase SID.

+ # SAPHanaSR-ScaleOut needs for HA/DR hook scripts

+ so1adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana_hn1_site_srHook_*

+ so1adm ALL=(ALL) NOPASSWD: /usr/sbin/crm_attribute -n hana_hn1_gsh *

+ so1adm ALL=(ALL) NOPASSWD: /usr/sbin/SAPHanaSR-hookHelper --sid=hn1 *

+5. **[A]** Verify the hook installation is active on all cluster nodes. Execute as <sid\>adm.

+ grep HADR.*load.*SAPHanaSrMultiTarget nameserver_*.trc | tail -3

+ # nameserver_hana-s1-db1.31001.000.trc:[14162]{-1}[-1/-1] 2023-01-26 12:53:55.728027 i ha_dr_provider HADRProviderManager.cpp(00083) : loading HA/DR Provider 'SAPHanaSrMultiTarget' from /usr/share/SAPHanaSR-ScaleOut/

+ grep SAPHanaSr.*init nameserver_*.trc | tail -3

+ # Example output

+ # nameserver_hana-s1-db1.31001.000.trc:[17636]{-1}[-1/-1] 2023-01-26 16:30:19.256705 i ha_dr_SAPHanaSrM SAPHanaSrMultiTarget.py(00080) : SAPHanaSrMultiTarget.init() CALLING CRM: <sudo /usr/sbin/crm_attribute -n hana_hn1_gsh -v 2.2 -l reboot> rc=0

+ # nameserver_hana-s1-db1.31001.000.trc:[17636]{-1}[-1/-1] 2023-01-26 16:30:19.256739 i ha_dr_SAPHanaSrM SAPHanaSrMultiTarget.py(00081) : SAPHanaSrMultiTarget.init() Running srHookGeneration 2.2, see attribute hana_hn1_gsh too

+ Verify the susChkSrv hook installation. Execute as <sid\>adm.

+3. **[1]** Place the cluster out of maintenance mode. Make sure that the cluster status is ok and that all of the resources are started.

+4. **[1]** Verify the communication between the HANA HA hook and the cluster, showing status SOK for SID and both replication sites with status P(rimary) or S(econdary).

+ ```bash

+ sudo /usr/sbin/SAPHanaSR-showAttr

+ # Expected result

+ # Global cib-time maintenance prim sec sync_state upd

+ #

+ # HN1 Fri Jan 27 10:38:46 2023 false HANA_S1 - SOK ok

+ #

+ # Sites lpt lss mns srHook srr

+ # --

+ # HANA_S1 1674815869 4 hana-s1-db1 PRIM P

+ # HANA_S2 30 4 hana-s2-db1 SWAIT S

+ ```

+* NAT gateway will send a TCP Rest (RST) packet to the connection endpoint that attempts to communicate on a connection flow that does not exist. This connection flow may no longer exist if the NAT gateway idle timeout was reached or the connection was closed earlier. When the NAT gateway TCP RST packet is received by the connection endpoint, this signifies that the connection is no longer usable.

+* To learn more about architecture options for Azure Virtual Network NAT, see [Azure Well-Architected Framework review of an Azure NAT gateway](/azure/architecture/networking/guide/well-architected-network-address-translation-gateway).

+ Get-AzVirtualHubVnetConnection -ResourceGroupName "[Resource group name]" -VirtualHubName "[virtual hub name]" -Name "[Virtual hub connection name]"

+* For more information about Virtual WAN, see the [Virtual WAN FAQ](virtual-wan-faq.md).

+In this example, we'll NAT site1 to 172.30.0.0.0/24. The Virtual WAN spoke virtual networks and branches other will automatically learn this post-NAT address space.

+ In this example, the **Ingress NAT Rule** will need to translate 10.30.0.132 to 172.30.0.132. In order to do that, click 'Edit VPN site' to configure VPN site Link A BGP address to reflect this translated BGP peer address (172.30.0.132).

+ For instance, if the on-premises BGP IP address is 10.30.0.133 and there is an **Ingress NAT Rule** that translates 10.30.0.0/24 to 172.30.0.0/24, the VPN site's **Link Connection BGP Address** must be configured to be the translated address (172.30.0.133).

+ >* [Scenario: BGP peering with a virtual hub](scenario-bgp-peering-hub.md)

+ >* [How to create BGP peering with virtual hub - Azure portal](create-bgp-peering-hub-portal.md)

+* **Virtual WAN:** The *virtualWAN* resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.

+1. **Locate the virtual hub**. In the Azure portal, go to your Virtual WAN resource and locate the virtual hub that your VPN site is connected to.

+Network throughput is per service in a virtual WAN hub. In each hub, the VPN aggregate throughput is up to 20 Gbps, the ExpressRoute aggregate throughput is up to 20 Gbps, and the User VPN/point-to-site VPN aggregate throughput is up to 200 Gbps. The router in virtual hub supports up to 50 Gbps for VNet-to-VNet traffic flows and assumes a total of 2000 VM workload across all VNets connected to a single virtual hub.

+When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Additionally, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future additional configurations. While you can create a gateway subnet as small as /29 (applicable to Basic SKU only), we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.). This will accommodate most configurations.