Updates from: 02/09/2024 02:34:53
Service Microsoft Docs article Related commit history on GitHub Change details
advisor Advisor Reference Reliability Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-reliability-recommendations.md
In active-active configuration, both instances of the VPN gateway establish S2S
Learn more about [Virtual network gateway - VNetGatewayActiveActive (Enable Active-Active gateways for redundancy)](https://aka.ms/aa_vpnha_learnmore).
+<!--
### Use HEAD health probes For health probes, itΓÇÖs a good practice to use the HEAD method, which reduces the amount of traffic load on your origins. Learn more about [Front Door - Use HEAD health probes](https://aka.ms/afd-use-health-probes).-
+-->
### Use managed TLS certificates Front Door management of your TLS certificates reduces your operational costs and helps you to avoid costly outages caused by forgetting to renew a certificate.
If you only have a single origin, Front Door always routes traffic to that origi
Learn more about [Health probe best practices](https://aka.ms/afd-disable-health-probes).
+### Use the same domain name on Azure Front Door and your origin
+
+We recommend that you preserve the original HTTP host name when you use a reverse proxy in front of a web application. Having a different host name at the reverse proxy than the one that's provided to the back-end application server can lead to cookies or redirect URLs that don't work properly. For example, session state can get lost, authentication can fail, or back-end URLs can inadvertently be exposed to end users. You can avoid these problems by preserving the host name of the initial request so that the application server sees the same domain as the web browser.
+
+Learn more about [Use the same domain name on Azure Front Door and your origin](https://aka.ms/afd-same-domain-origin).
+ ## SAP for Azure ### Enable the 'concurrent-fencing' parameter in Pacemaker cofiguration in ASCS HA setup in SAP workloads
ai-services Use Native Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/native-document-support/use-native-documents.md
A native document refers to the file format used to create the original document
* [Document summarization](../summarization/overview.md). Document summarization uses natural language processing to generate extractive (salient sentence extraction) or abstractive (contextual word extraction) summaries for documents. Both `AbstractiveSummarization` and `ExtractiveSummarization` APIs support native document processing.
-## Development options
-
-Native document support can be integrated into your applications using the [Azure AI Language REST API](/rest/api/language/). The REST API is a language agnostic interface that enables you to create HTTP requests for text-based data analysis.
-
-|Service|Description|API Reference (Latest GA version)|API Reference (Latest Preview version)|
-|--|--|--|--|
-| Text analysis - runtime | &bullet; Runtime prediction calls to extract **Personally Identifiable Information (PII)**.</br>&bullet; Custom redaction for native documents is supported in the latest **2023-04-14-preview**.|[`2023-04-01`](/rest/api/language/2023-04-01/text-analysis-runtime)|[`2023-04-15-preview`.](/rest/api/language/2023-04-15-preview/text-analysis-runtime)|
-| Summarization for documents - runtime|Runtime prediction calls to **query summarization for documents models**.|[`2023-04-01`](/rest/api/language/2023-04-01/text-analysis-runtime/submit-job)|[`2023-04-15-preview`](/rest/api/language/2023-04-15-preview/text-analysis-runtime)|
- ## Supported document formats Applications use native file formats to create, save, or open native documents. Currently **PII** and **Document summarization** capabilities supports the following native document formats:
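Review bot: Removing the whole "Development options" section drops the API reference links from this article, while the samples further down now call a preview `api-version`. Keep at least a one-line pointer to the [Azure AI Language REST API](/rest/api/language/) reference so readers can find the request schema for the version the samples use.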
Before you run the **POST** request, replace `{your-language-resource-endpoint}`
***PowerShell*** ```powershell
- cmd /c curl "{your-language-resource-endpoint}/language/analyze-text/jobs?api-version=2023-04-01" -i -X POST --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
+ cmd /c curl "{your-language-resource-endpoint}/language/analyze-documents/jobs?api-version=2023-11-15-preview" -i -X POST --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
``` ***command prompt / terminal*** ```bash
- curl -v -X POST "{your-language-resource-endpoint}/language/analyze-text/jobs?api-version=2023-04-01" --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
+ curl -v -X POST "{your-language-resource-endpoint}/language/analyze-documents/jobs?api-version=2023-11-15-preview" --header "Content-Type: application/json" --header "Ocp-Apim-Subscription-Key: {your-key}" --data "@document-summarization.json"
``` Here's a sample response:
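Review bot: The bash sample keeps `curl -v`, which prints the outgoing request headers, including `Ocp-Apim-Subscription-Key`, to the terminal, while the PowerShell sample uses `-i`. Use `-i` in both so the key doesn't end up in copied output or logs. Since both samples now pin `2023-11-15-preview`, the surrounding text should also say that the endpoint is a preview version.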
ai-services Gpt With Vision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/gpt-with-vision.md
Enhancements let you incorporate other Azure AI services (such as Azure AI Visio
**Object grounding**: Azure AI Vision complements GPT-4 Turbo with VisionΓÇÖs text response by identifying and locating salient objects in the input images. This lets the chat model give more accurate and detailed responses about the contents of the image. > [!IMPORTANT]
-> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
+> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S1) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.
:::image type="content" source="../media/concepts/gpt-v/object-grounding.png" alt-text="Screenshot of an image with object grounding applied. Objects have bounding boxes with labels.":::
Base Pricing for GPT-4 Turbo with Vision is:
See the [Tokens section of the overview](/azure/ai-services/openai/overview#tokens) for information on how text and images translate to tokens.
-Additionally, if you use video prompt integration with the Video Retrieval add-on, it accrues other costs:
-- Ingestion: $0.05 per minute of video-- Transactions: $0.25 per 1000 queries of the Video Retrieval index
+If you turn on Enhancements, additional usage applies for using GPT-4 Turbo with Vision with Azure AI Vision functionality.
+
+| Model | Price |
+|--|--|
+| + Enhanced add-on features for OCR | $1.5 per 1000 transactions |
+| + Enhanced add-on features for Object Detection | $1.5 per 1000 transactions |
+| + Enhanced add-on feature for ΓÇ£Add your ImageΓÇ¥ Image Embeddings | $1.5 per 1000 transactions |
+| + Enhanced add-on feature for ΓÇ£Video RetrievalΓÇ¥ integration **<sup>1</sup>** | Ingestion: $0.05 per minute of video <br>Transactions: $0.25 per 1000 queries of the Video Retrieval index |
+
+**<sup>1</sup>** Processing videos involves the use of extra tokens to identify key frames for analysis. The number of these additional tokens will be roughly equivalent to the sum of the tokens in the text input, plus 700 tokens.
+
+### Example image price calculation
+> [!IMPORTANT]
+> The following content is an example only, and prices are subject to change in the future.
+
+For a typical use case, take an image with both visible objects and text and a 100-token prompt input. When the service processes the prompt, it generates 100 tokens of output. In the image, both text and objects can be detected. The price of this transaction would be:
+
+| Item | Detail | Total Cost |
+|--|--|--|
+| GPT-4 Turbo with Vision input tokens | 100 text tokens | $0.001 |
+| Enhanced add-on features for OCR | $1.50 / 1000 transactions | $0.0015 |
+| Enhanced add-on features for Object Grounding | $1.50 / 1000 transactions | $0.0015 |
+| Output Tokens | 100 tokens (assumed) | $0.003 |
+| **Total Cost** | | $0.007 |
-Processing videos involves the use of extra tokens to identify key frames for analysis. The number of these additional tokens will be roughly equivalent to the sum of the tokens in the text input, plus 700 tokens.
-### Example price calculation
+### Example video price calculation
> [!IMPORTANT] > The following content is an example only, and prices are subject to change in the future.
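Review bot: The image example bills only "100 text tokens" of input although the scenario is an image plus a prompt, and the unchanged line above the pricing table points to the Tokens section for how images translate to tokens. Either add a row for the image input tokens or state that the example excludes them; the listed rows do add up to $0.007. Two smaller points in the same hunk: the add-on is called "Object Detection" in the price table and "Object Grounding" in the example, and the quotation marks around "Add your Image" and "Video Retrieval" in the added rows are typographic quotes that don't survive encoding, so use straight quotes.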
ai-studio Configure Managed Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/configure-managed-network.md
You need to configure following network isolation configurations.
- Choose network isolation mode. You have two options: allow internet outbound mode or allow only approved outbound mode. - Create private endpoint outbound rules to your private Azure resources. Note that private Azure AI Services and Azure AI Search are not supported yet. -- If you use Visual Studio Code integration with allow only approved outbound mode, create FQDN outbound rules described [here](#scenario-use-visual-studio-code).-- If you use HuggingFace models in Models with allow only approved outbound mode, create FQDN outbound rules described [here](#scenario-use-huggingface-models).
+- If you use Visual Studio Code integration with allow only approved outbound mode, create FQDN outbound rules described in the [use Visual Studio Code](#scenario-use-visual-studio-code) section.
+- If you use HuggingFace models in Models with allow only approved outbound mode, create FQDN outbound rules described in the [use HuggingFace models](#scenario-use-huggingface-models) section.
## Network isolation architecture and isolation modes
There are three different configuration modes for outbound traffic from the mana
* Always use private endpoints to access Azure resources. * You must add rules for each outbound connection you need to allow.
-* Adding FQDN outbound rules increase your costs as this rule type uses Azure Firewall.
+* Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall.
* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add might increase your risk. The managed VNet is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your Azure AI, Azure AI's default storage, container registry and key vault __if they're configured as private__ or __the Azure AI isolation mode is set to allow only approved outbound__. After choosing the isolation mode, you only need to consider other outbound requirements you might need to add.
If you plan to use __Visual Studio Code__ with Azure AI, add outbound _FQDN_ rul
* `update.code.visualstudio.com` * `*.vo.msecnd.net` * `marketplace.visualstudio.com`
-* `ghcr.io`
* `pkg-containers.githubusercontent.com` * `github.com`
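Review bot: Dropping `ghcr.io` from the Visual Studio Code FQDN list is a change to the documented allowlist, but nothing in the hunk tells readers who already created that rule what to do. The unchanged text above says any outbound rule you add might increase data exfiltration risk, so add a sentence that the rule is no longer required and can be removed from existing managed VNets.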
The Azure AI managed VNet feature is free. However, you're charged for the follo
* Managed VNet uses private endpoint connection to access your private resources. You can't have a private endpoint and a service endpoint at the same time for your Azure resources, such as a storage account. We recommend using private endpoints in all scenarios. * The managed VNet is deleted when the Azure AI is deleted. * Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations.
+* Using FQDN outbound rules increases the cost of the managed VNet because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
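Review bot: This added bullet repeats the bullet emphasized earlier in the same article ("Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall"). Keep one statement and link it to [Pricing](#pricing); in the earlier bullet the verb should also be "increases" to agree with "Adding".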
ai-studio Deploy Chat Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-chat-web-app.md
- ignite-2023 Previously updated : 11/15/2023 Last updated : 2/8/2024
Follow these steps to deploy a chat model and test it without your data.
1. Sign in to [Azure AI Studio](https://ai.azure.com). 1. Go to your project or [create a new project](../how-to/create-projects.md) in Azure AI Studio.
-1. Select **Build** from the top menu and then select **Deployments** > **Create**.
+1. Select **Build** from the top menu and then select **Deployments** > **Create** > **Real-time endpoint**.
:::image type="content" source="../media/tutorials/chat-web-app/deploy-create.png" alt-text="Screenshot of the deployments page without deployments." lightbox="../media/tutorials/chat-web-app/deploy-create.png":::
Follow these steps to add your data to the playground to help the assistant answ
:::image type="content" source="../media/tutorials/chat-web-app/chat-with-data.png" alt-text="Screenshot of the assistant's reply with grounding data." lightbox="../media/tutorials/chat-web-app/chat-with-data.png":::
-### Remarks about adding your data
-
-Although it's beyond the scope of this tutorial, to understand more about how the model uses your data, you can export the playground setup to prompt flow.
--
-Following through from there you can see the graphical representation of how the model uses your data to construct the response. For more information about prompt flow, see [prompt flow](../how-to/prompt-flow.md).
- ## Deploy your web app Once you're satisfied with the experience in Azure AI Studio, you can deploy the model as a standalone web application.
To deploy the web app:
- **Resource group**: Select a resource group in which to deploy the web app. You can use the same resource group as the Azure AI hub resource. - **Location**: Select a location in which to deploy the web app. You can use the same location as the Azure AI hub resource. - **Pricing plan**: Choose a pricing plan for the web app.
- - **Enable chat history in the web app**: For the tutorial, make sure this box isn't selected.
+ - **Enable chat history in the web app**: For the tutorial, the chat history box isn't selected. If you enable the feature, your users will have access to their individual previous queries and responses. For more information, see [chat history remarks](#chat-history).
- **I acknowledge that web apps will incur usage to my account**: Selected 1. Wait for the app to be deployed, which might take a few minutes.
You're almost there! Now you can test the web app.
To avoid incurring unnecessary Azure costs, you should delete the resources you created in this quickstart if they're no longer needed. To manage resources, you can use the [Azure portal](https://portal.azure.com?azure-portal=true).
+## Remarks
+
+### Remarks about adding your data
+
+Although it's beyond the scope of this tutorial, to understand more about how the model uses your data, you can export the playground setup to prompt flow.
++
+Following through from there you can see the graphical representation of how the model uses your data to construct the response. For more information about prompt flow, see [prompt flow](../how-to/prompt-flow.md).
+
+### Chat history
+
+With the chat history feature, your users will have access to their individual previous queries and responses.
+
+You can enable chat history when you [deploy the web app](#deploy-the-web-app). Select the **Enable chat history in the web app** checkbox.
++
+> [!IMPORTANT]
+> Enabling chat history will create a [Cosmos DB instance](/azure/cosmos-db/introduction) in your resource group, and incur [additional charges](https://azure.microsoft.com/pricing/details/cosmos-db/autoscale-provisioned/) for the storage used.
+> Deleting your web app does not delete your Cosmos DB instance automatically. To delete your Cosmos DB instance, along with all stored chats, you need to navigate to the associated resource in the Azure portal and delete it.
+
+Once you've enabled chat history, your users will be able to show and hide it in the top right corner of the app. When the history is shown, they can rename, or delete conversations. As they're logged into the app, conversations will be automatically ordered from newest to oldest, and named based on the first query in the conversation.
+
+If you delete the Cosmos DB resource but keep the chat history option enabled on the studio, your users will be notified of a connection error, but can continue to use the web app without access to the chat history.
+ ## Next steps - [Create a project in Azure AI Studio](../how-to/create-projects.md).
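Review bot: The link `[deploy the web app](#deploy-the-web-app)` in the new "Chat history" section doesn't match the heading it targets, which reads "## Deploy your web app", so the anchor should be `#deploy-your-web-app`. The IMPORTANT callout says stored chats survive deletion of the web app; because these are end-user queries and responses, it would help to state that up front in the first sentence of the section rather than only in the callout. The stray `+` lines after the first paragraph of each subsection look like leftover blank-line markers and should be removed.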
ai-studio Deploy Copilot Ai Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/tutorials/deploy-copilot-ai-studio.md
description: Use this article to build and deploy a question and answer copilot
Previously updated : 11/15/2023 Last updated : 2/8/2024
Once a project is created, you can access the **Tools**, **Components**, and **S
Follow these steps to deploy an Azure OpenAI chat model for your copilot. 1. Sign in to [Azure AI Studio](https://ai.azure.com) with credentials that have access to your Azure OpenAI resource. During or after the sign-in workflow, select the appropriate directory, Azure subscription, and Azure OpenAI resource. You should be on the Azure AI Studio **Home** page.
-1. Select **Build** from the top menu and then select **Deployments** > **Create**.
+1. Select **Build** from the top menu and then select **Deployments** > **Create** > **Real-time endpoint**.
:::image type="content" source="../media/tutorials/copilot-deploy-flow/deploy-create.png" alt-text="Screenshot of the deployments page with a button to create a new project." lightbox="../media/tutorials/copilot-deploy-flow/deploy-create.png":::
ai-studio Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/whats-new.md
+
+ Title: What's new in Azure AI Studio?
+
+description: This article provides you with information about new releases and features.
+
+keywords: Release notes
++ Last updated : 2/7/2024+++++
+# What's new in Azure AI Studio?
++
+Azure AI Studio is updated on an ongoing basis. To stay up-to-date with recent developments, this article provides you with information about new releases and features.
+
+## February 2024
+
+### Azure AI hub
+
+Azure AI resource is renamed Azure AI hub resource. For additional information about the Azure AI hub resource, check out [the Azure AI hub resource documentation](./concepts/ai-resources.md).
+
+## January 2024
+
+### Benchmarks
+
+New models, datasets, and metrics are released for benchmarks. For additional information about the benchmarks experience, check out [the model catalog documentation](./how-to/model-catalog.md).
+
+Added models:
+- `microsoft-phi-2`
+- `mistralai-mistral-7b-instruct-v01`
+- `mistralai-mistral-7b-v01`
+- `codellama-13b-hf`
+- `codellama-13b-instruct-hf`
+- `codellama-13b-python-hf`
+- `codellama-34b-hf`
+- `codellama-34b-instruct-hf`
+- `codellama-34b-python-hf`
+- `codellama-7b-hf`
+- `codellama-7b-instruct-hf`
+- `codellama-7b-python-hf`
+
+Added datasets:
+- `truthfulqa_generation`
+- `truthfulqa_mc1`
+
+Added metrics:
+- `Coherence`
+- `Fluency`
+- `GPTSimilarity`
+
+## November 2023
+
+### Benchmarks
+
+Benchmarks are released as public preview in Azure AI Studio. For additional information about the Benchmarks experience, check out [the model catalog documentation](./how-to/model-catalog.md).
+
+Added models:
+- `gpt-35-turbo-0301`
+- `gpt-4-0314`
+- `gpt-4-32k-0314`
+- `llama-2-13b-chat`
+- `llama-2-13b`
+- `llama-2-70b-chat`
+- `llama-2-70b`
+- `llama-2-7b-chat`
+- `llama-2-7b`
+
+Added datasets:
+- `boolq`
+- `gsm8k`
+- `hellaswag`
+- `human_eval`
+- `mmlu_humanities`
+- `mmlu_other`
+- `mmlu_social_sciences`
+- `mmlu_stem`
+- `openbookqa`
+- `piqa`
+- `social_iqa`
+- `winogrande`
+
+Added tasks:
+- `Question Answering`
+- `Text Generation`
+
+Added metrics:
+- `Accuracy`
+
+## Related content
+
+- Learn more about the [Azure AI Studio](./what-is-ai-studio.md).
+- Learn about [what's new in Azure OpenAI Service](../ai-services/openai/whats-new.md).
aks Auto Upgrade Node Os Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-node-os-image.md
It's best to use both cluster-level [auto-upgrades][Autoupgrade] and the node OS
## Channels for node OS image upgrades
-The selected channel determines the timing of upgrades. When making changes to node OS auto-upgrade channels, allow up to 24 hours for the changes to take effect.
+The selected channel determines the timing of upgrades. When making changes to node OS auto-upgrade channels, allow up to 24 hours for the changes to take effect. Once you change from one channel to another channel, a reimage will be triggered leading to rolling nodes.
> [!NOTE] > Node OS image auto-upgrade won't affect the cluster's Kubernetes version. It only works for a cluster in a [supported version][supported].
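Review bot: The added sentence "a reimage will be triggered leading to rolling nodes" describes a disruptive side effect but is appended to a paragraph about timing, where it's easy to miss. Move it into its own NOTE or IMPORTANT callout and reword "leading to rolling nodes" to say plainly that the nodes are reimaged one after another, and whether that happens immediately or within the 24 hours mentioned in the previous sentence.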
aks Enable Authentication Microsoft Entra Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/enable-authentication-microsoft-entra-id.md
Title: Enable managed identity authentication on Azure Kubernetes Service description: Learn how to enable Microsoft Entra ID on Azure Kubernetes Service with kubelogin and authenticate Azure users with credentials or managed roles. Previously updated : 11/22/2023 Last updated : 02/08/2024 # Enable Azure managed identity authentication for Kubernetes clusters with kubelogin
-The AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you.
+The AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to assign [Directory Readers][directory-readers-rbac-role] role permissions. Now, the AKS resource provider manages the client and server apps for you.
Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect]. Learn more about the Microsoft Entra integration flow in the [Microsoft Entra documentation](concepts-identity.md#azure-ad-integration).
+This article provides details on how to enable and use managed identities for Azure resources with your AKS cluster.
+ ## Limitations The following are constraints integrating Azure managed identity authentication on AKS.
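Review bot: The added sentence "This article provides details on how to enable and use managed identities for Azure resources with your AKS cluster" doesn't match the rest of the introduction, which is about Microsoft Entra authentication for cluster users through OpenID Connect and kubelogin. It reads as if it was copied from the managed identity article; reword it to describe enabling Microsoft Entra authentication on the cluster so readers don't confuse user sign-in with the cluster's own identity.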
If you lack administrative access to a valid Microsoft Entra group, you can foll
* Learn about [Microsoft Entra integration with Kubernetes RBAC][azure-ad-rbac]. * Learn more about [AKS and Kubernetes identity concepts][aks-concepts-identity].
+* Learn how to [use kubelogin][kubelogin-authentication] for all supported Microsoft Entra authentication methods in AKS.
* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Microsoft Entra ID enabled clusters.- <!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters [kubelogin]: https://github.com/Azure/kubelogin [azure-kubelogin-known-issues]: https://azure.github.io/kubelogin/known-issues.html <!-- LINKS - Internal -->
+[directory-readers-rbac-role]: /entra/identity/role-based-access-control/permissions-reference#directory-readers
[aks-concepts-identity]: concepts-identity.md [azure-ad-rbac]: azure-ad-rbac.md [az-aks-create]: /cli/azure/aks#az_aks_create
If you lack administrative access to a valid Microsoft Entra group, you can foll
[az-group-create]: /cli/azure/group#az_group_create [open-id-connect]:../active-directory/develop/v2-protocols-oidc.md [az-aks-update]: /cli/azure/aks#az_aks_update
+[kubelogin-authentication]: kubelogin-authentication.md
aks Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-cluster.md
Title: Upgrade options for Azure Kubernetes Service (AKS) clusters description: Learn the different ways to upgrade an Azure Kubernetes Service (AKS) cluster. Previously updated : 01/26/2024 Last updated : 02/08/2024 # Upgrade options for Azure Kubernetes Service (AKS) clusters
-This article shares different upgrade options for AKS clusters. To perform a basic Kubernetes version upgrade, see [Upgrade an AKS cluster](./upgrade-aks-cluster.md).
+This article covers the different upgrade options for AKS clusters. To perform a basic Kubernetes version upgrade, see [Upgrade an AKS cluster](./upgrade-aks-cluster.md).
For AKS clusters that use multiple node pools or Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade]. To upgrade a specific node pool without performing a Kubernetes cluster upgrade, see [Upgrade a specific node pool][specific-nodepool].
To configure automatic upgrades, see the following articles:
## Special considerations for node pools that span multiple availability zones
-AKS uses best-effort zone balancing in node groups. During an upgrade surge, the zones for the surge nodes in Virtual Machine Scale Sets are unknown ahead of time, which can temporarily cause an unbalanced zone configuration during an upgrade. However, AKS deletes surge nodes once the upgrade completes and preserves the original zone balance. If you want to keep your zones balanced during upgrades, you can increase the surge to a multiple of *three nodes*, and Virtual Machine Scale Sets balances your nodes across availability zones with best-effort zone balancing.
+AKS uses best-effort zone balancing in node groups. During an upgrade surge, the zones for the surge nodes in Virtual Machine Scale Sets are unknown ahead of time, which can temporarily cause an unbalanced zone configuration during an upgrade. However, AKS deletes surge nodes once the upgrade completes and preserves the original zone balance. If you want to keep your zones balanced during upgrades, you can increase the surge to a multiple of *three nodes*, and Virtual Machine Scale Sets balances your nodes across availability zones with best-effort zone balancing. With best-effort zone balance, the scale set attempts to scale in and out while maintaining balance. However, if for some reason this is not possible (for example, if one zone goes down, the scale set cannot create a new VM in that zone), the scale set allows temporary imbalance to successfully scale in or out.
Persistent volume claims (PVCs) backed by Azure locally redundant storage (LRS) Disks are bound to a particular zone and might fail to recover immediately if the surge node doesn't match the zone of the PVC. If the zones don't match, it can cause downtime on your application when the upgrade operation continues to drain nodes but the PVs are bound to a zone. To handle this case and maintain high availability, configure a [Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) on your application to allow Kubernetes to respect your availability requirements during the drain operation.
The combination of [Planned Maintenance Window][planned-maintenance], [Max Surge
* [Node drain timeout][drain-timeout] on the node pool allows you to configure the wait duration for eviction of pods and graceful termination per node during an upgrade. This option is useful when dealing with long running workloads. When the node drain timeout is specified (in minutes), AKS respects waiting on pod disruption budgets. If not specified, the default timeout is 30 minutes. * [Node soak time][soak-time] (preview) helps stagger node upgrades in a controlled manner and can minimize application downtime during an upgrade. You can specify a wait time, preferably as reasonably close to 0 minutes as possible, to check application readiness between node upgrades. If not specified, the default value is 0 minutes. Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver the right outcomes in terms of upgrade speed and application availability.
- > [!NOTE]
- > To use node soak duration (preview), you must have the aks-preview Azure CLI extension version 0.5.173 or later installed.
+ > [!NOTE]
+ > To use node soak duration (preview), you must have the `aks-preview` Azure CLI extension version 0.5.173 or later installed.
## Next steps
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md
- devx-track-azurecli - ignite-2023 Previously updated : 01/25/2024 Last updated : 02/08/2024 # Use a managed identity in Azure Kubernetes Service (AKS)
-Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources][managed-identity-resources-overview].
+Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. The identity can be a *managed identity* or a *service principal*.
-AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*. AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.
+This article provides details on how to enable the following managed identity types on a new or existing AKS cluster:
+
+* System-assigned managed identity
+* Bring your own user-assigned managed identity
+* Pre-created Kubelet managed identity
+
+## Overview
+
+When you deploy an AKS cluster, a system-assigned managed identity is automatically created, and it's managed by the Azure platform, so it doesn't require you to provision or rotate any secrets. For more information, see [managed identities for Azure resources][managed-identity-resources-overview].
+
+AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*.
+
+AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.
> [!IMPORTANT] > The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024.
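Review bot: In the new Overview, "Clusters that use a service principal eventually expire" was carried over unchanged and still says the cluster expires, when the next clause makes clear that it's the service principal that must be renewed. Reword it to say the service principal's credentials expire. The split also leaves "AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable" as a standalone paragraph, so it's worth saying what "immutable" means for an operator here.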
AKS uses several managed identities for built-in services and add-ons.
| Add-on | Ingress application gateway | Manages required network resources. | Contributor role for node resource group | No | Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No | Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI). | Contributor role for node resource group | No
-| Add-on | Cost analysis | Used to gather cost allocation data | |
+| Add-on | Cost analysis | Used to gather cost allocation data | |
| OSS project | Microsoft Entra ID-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. | N/A | Steps to grant permission at [Microsoft Entra Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md). ## Enable managed identities on a new AKS cluster
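Review bot: The Cost analysis row is changed for whitespace only and still has an empty fourth cell and no fifth cell, while the neighbouring add-on rows fill both (for example `Contributor role for node resource group | No`). Since the line is being edited anyway, fill in the permission and the final column, or state explicitly that none applies, so that the row matches the rest of the table.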
Now you can create your AKS cluster with your existing identities. Make sure to
## Next steps
-Use [Azure Resource Manager templates][aks-arm-template] to create a managed identity-enabled cluster.
+* Use [Azure Resource Manager templates][aks-arm-template] to create a managed identity-enabled cluster.
+* Learn how to [use kubelogin][kubelogin-authentication] for all supported Microsoft Entra authentication methods in AKS.
<!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters
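Review bot: The new Next steps bullet uses the reference-style link `[kubelogin-authentication]`, but the only link definition visible in this change is `[aks-arm-template]`. Confirm that a definition for `[kubelogin-authentication]` is added in the LINKS block (and likewise for `[managed-identity-resources-overview]` used in the new Overview), otherwise both will render as literal bracketed text.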
api-center Enable Api Center Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/enable-api-center-portal.md
First configure an app registration in your Microsoft Entra ID tenant. The app r
1. On the **Overview** page, copy the **Application (client) ID**. You use this value when you configure the identity provider for the portal in your API center. 1. On the **API permissions** page, select **+ Add a permission**.
- 1. On the **Request API permissions** page, select the **APIs my organization uses** tab. Search for and select **Azure API Center**.
+ 1. On the **Request API permissions** page, select the **APIs my organization uses** tab. Search for and select **Azure API Center**. You can also search for and select application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`.
1. On the **Request permissions** page, select **user_impersonation**. 1. Select **Add permissions**.
If the user is assigned the role, there might be a problem with the registration
az provider register --namespace Microsoft.ApiCenter ```
-For more information and steps to register the resource provider using other tools, see [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
+### Unable to select Azure API Center permissions in Microsoft Entra app registration
+
+If you're unable to request API permissions to Azure API Center in your Microsoft Entra app registration for the API Center portal, check that you are searching for **Azure API Center** (or application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`).
+
+If the app isn't present, there might be a problem with the registration of the **Microsoft.ApiCenter** resource provider in your subscription. You might need to re-register the resource provider. To do this, run the following command in the Azure CLI:
+
+```azurecli
+az provider register --namespace Microsoft.ApiCenter
+```
+
+After re-registering the resource provider, try again to request API permissions.
## Related content
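Review bot: The new troubleshooting section repeats the `az provider register --namespace Microsoft.ApiCenter` block that the preceding section already ends with; consider pointing back to that command instead of keeping two copies that can drift apart. The application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573` is now also written out in two places (the Request API permissions step and this section), so a single source for the value would be easier to maintain. Minor style point: "check that you are searching" breaks with the contractions used in the surrounding sentences ("If you're unable").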
For more information and steps to register the resource provider using other too
* [Azure CLI reference for API Center](/cli/azure/apic) * [What is Azure role-based access control (RBAC)?](../role-based-access-control/overview.md) * [Best practices for Azure RBAC](../role-based-access-control/best-practices.md)
+* [Register a resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider)
api-management Api Management Debug Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-debug-policies.md
Title: Debug Azure API Management policies in Visual Studio Code | Microsoft Docs
-description: Learn how to debug Azure API Management Policies using the Azure API Management Visual Studio Code extension
+description: Learn how to debug Azure API Management Policies using the Azure API Management Visual Studio Code extension
- Last updated 09/22/2020
If there is an error during policy execution, you will see the details of the er
+ Learn more about the [API Management extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-apimanagement). + Report issues in the [GitHub repository](https://github.com/Microsoft/vscode-apimanagement)-
api-management Api Management Error Handling Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-error-handling-policies.md
ms.assetid: 3c777964-02b2-4f55-8731-8c3bd3c0ae27 - Last updated 01/10/2020
api-management Api Management Howto Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-cache.md
ms.assetid: 740f6a27-8323-474d-ade2-828ae0c75e7a - Last updated 11/13/2020 - # Add caching to improve performance in Azure API Management
api-management Api Management Howto Create Or Invite Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-or-invite-developers.md
- Last updated 02/13/2018 - # How to manage user accounts in Azure API Management
api-management Api Management Howto Create Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-subscriptions.md
- Last updated 08/03/2022
Get more information on API Management:
+ Learn other [concepts](api-management-terminology.md) in API Management. + Follow our [tutorials](import-and-publish.md) to learn more about API Management.
-+ Check our [FAQ page](api-management-faq.yml) for common questions.
++ Check our [FAQ page](api-management-faq.yml) for common questions.
api-management Api Management Howto Provision Self Hosted Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-provision-self-hosted-gateway.md
- Last updated 03/31/2020 - # Provision a self-hosted gateway in Azure API Management
api-management Api Management Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-kubernetes.md
- Last updated 12/14/2019
api-management Api Management Log To Eventhub Sample https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-log-to-eventhub-sample.md
ms.assetid: c528cf6f-5f16-4a06-beea-fa1207541a47 - ms.devlang: csharp
api-management Api Management Terminology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-terminology.md
- Last updated 05/09/2022
api-management Api Management Troubleshoot Cannot Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md
- Last updated 07/19/2019
api-management Automation Manage Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/automation-manage-api-management.md
ms.assetid: 2e53c9af-f738-47f8-b1b6-593050a7c51b - Last updated 02/13/2018 - # Managing Azure API Management using Azure Automation This guide introduces you to the Azure Automation service, and how it can be used to simplify management of Azure API Management.
Here are some examples of using API Management with PowerShell:
## Next Steps Now that you've learned the basics of Azure Automation and how it can be used to manage Azure API Management, follow these links to learn more.
-* See the Azure Automation [getting started tutorial](../automation/learn/powershell-runbook-managed-identity.md).
+* See the Azure Automation [getting started tutorial](../automation/learn/powershell-runbook-managed-identity.md).
api-management Edit Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/edit-api.md
description: Learn how to use API Management to edit an API. Add, delete, or ren
- Last updated 01/19/2022 - # Edit an API
api-management How To Configure Cloud Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-cloud-metrics-logs.md
- Last updated 04/30/2020 - # Configure cloud metrics and logs for Azure API Management self-hosted gateway
If a gateway is deployed in [Azure Kubernetes Service](https://azure.microsoft.c
* To learn more about the [observability capabilities of the Azure API Management gateways](observability.md). * To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md)
-* Learn about [configuring and persisting logs locally](how-to-configure-local-metrics-logs.md)
+* Learn about [configuring and persisting logs locally](how-to-configure-local-metrics-logs.md)
api-management How To Configure Local Metrics Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-configure-local-metrics-logs.md
- Last updated 05/11/2021 - # Configure local metrics and logs for Azure API Management self-hosted gateway
api-management How To Deploy Self Hosted Gateway Kubernetes Opentelemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md
description: Learn how to deploy a self-hosted gateway component of Azure API Ma
- Last updated 12/17/2021
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
description: Learn how to deploy a self-hosted gateway component of Azure API Ma
- Last updated 05/22/2023
api-management How To Self Hosted Gateway On Kubernetes In Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
description: Learn about guidance to run an API Management self-hosted gateway o
- Last updated 01/17/2023
api-management Import Function App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-function-app-as-api.md
- Last updated 04/16/2021 - # Import an Azure Function App as an API in Azure API Management
api-management Import Logic App As Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/import-logic-app-as-api.md
- Last updated 04/16/2021
api-management Observability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/observability.md
- Last updated 06/01/2020 - # Observability in Azure API Management
api-management Vscode Create Service Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/vscode-create-service-instance.md
Title: Quickstart - Create Azure API Management instance - VS Code description: Use this quickstart to create an Azure API Management instance with the API Management extension for Visual Studio Code. -
app-service Overview App Gateway Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-app-gateway-integration.md
ms.assetid: 073eb49c-efa1-4760-9f0c-1fecd5c251cc - Last updated 09/29/2023
app-service Overview Nat Gateway Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-nat-gateway-integration.md
ms.assetid: 0a84734e-b5c1-4264-8d1f-77e781b28426 - Last updated 04/08/2022
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-java.md
keywords: azure, app service, web app, windows, linux, java, maven, quickstart
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a ms.devlang: java Previously updated : 08/31/2023 Last updated : 02/10/2024 zone_pivot_groups: app-service-java-hosting adobe-target: true
::: zone-end ::: zone-end
app-service Samples Resource Manager Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/samples-resource-manager-templates.md
To learn about the JSON syntax and properties for App Services resources, see [M
|-|-| | [App Service plan and basic Linux app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-linux) | Deploys an App Service app that is configured for Linux. | | [App Service plan and basic Windows app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-windows) | Deploys an App Service app that is configured for Windows. |
+| [App Service plan and basic Windows container app](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/app-service-docs-windows-container) | Deploys an App Service app that is configured for a Windows container. |
| [App linked to a GitHub repository](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-github-deploy)| Deploys an App Service app that pulls code from GitHub. | | [App with custom deployment slots](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-custom-deployment-slots)| Deploys an App Service app with custom deployment slots/environments. | | [App with Private Endpoint](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/private-endpoint-webapp)| Deploys an App Service app with a Private Endpoint. |
app-service Samples Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/samples-terraform.md
Last updated 11/18/2022
- # Terraform samples for Azure App Service
app-service Scenario Secure App Access Microsoft Graph As App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md
- Last updated 04/05/2023
app-service Scenario Secure App Access Microsoft Graph As User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-user.md
- Last updated 09/15/2023
app-service Scenario Secure App Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-storage.md
- Last updated 07/31/2023
app-service Scenario Secure App Authentication App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-authentication-app-service.md
- Last updated 06/25/2023
-#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.
+#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.
# Tutorial: Add app authentication to your web app running on Azure App Service
app-service Scenario Secure App Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-overview.md
Title: Tutorial - Build a secure web app on Azure App Service | Azure
-description: In this tutorial, you learn how to build a web app by using Azure App Service, enable authentication, call Azure Storage, and call Microsoft Graph.
+description: In this tutorial, you learn how to build a web app by using Azure App Service, enable authentication, call Azure Storage, and call Microsoft Graph.
- Last updated 12/10/2021
-#Customer intent: As an application developer, I want to learn how to secure access to a web app running on Azure App Service.
+#Customer intent: As an application developer, I want to learn how to secure access to a web app running on Azure App Service.
# Tutorial: Enable authentication in App Service and access storage and Microsoft Graph
app-service Powershell Deploy Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/powershell-deploy-private-endpoint.md
Last updated 12/06/2022 -
app-service Template Deploy Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/template-deploy-private-endpoint.md
Last updated 07/08/2020 -
app-service Terraform Secure Backend Frontend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/terraform-secure-backend-frontend.md
Last updated 12/06/2022 -
app-service Tutorial Connect App Access Microsoft Graph As App Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-microsoft-graph-as-app-javascript.md
- Last updated 03/14/2023
app-service Tutorial Connect App Access Microsoft Graph As User Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-microsoft-graph-as-user-javascript.md
- Last updated 03/08/2022
app-service Tutorial Connect App Access Sql Database As User Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-sql-database-as-user-dotnet.md
description: Secure database connectivity with Microsoft Entra authentication fr
- ms.devlang: csharp
app-service Tutorial Connect App Access Storage Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-storage-javascript.md
- Last updated 07/31/2023
application-gateway Create Gateway Internal Load Balancer App Service Environment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/create-gateway-internal-load-balancer-app-service-environment.md
-
+ Title: Troubleshoot an Application Gateway in Azure ΓÇô ILB ASE | Microsoft Docs description: Learn how to troubleshoot an application gateway by using an Internal Load Balancer with an App Service Environment in Azure
- Last updated 06/10/2022
application-gateway Ipv6 Application Gateway Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ipv6-application-gateway-portal.md
description: Learn how to configure Application Gateway with a frontend public I
Previously updated : 11/06/2023 Last updated : 02/08/2024
The IPv6 Application Gateway preview is available to all public cloud regions wh
* IPv6 private Link is currently not supported * IPv6-only Application Gateway is currently not supported. Application Gateway must be dual stack (IPv6 and IPv4) * Deletion of frontend IP addresses aren't supported
+* Application Gateway Ingress Controller (AGIC) does not support IPv6 configuration
* Existing IPv4 Application Gateways cannot be upgraded to dual stack Application Gateways > [!NOTE]
To opt out of the public preview for the enhanced Application Gateway network co
## Next steps -- [What is Azure Application Gateway v2?](overview-v2.md)
+- [What is Azure Application Gateway v2?](overview-v2.md)
application-gateway Ipv6 Application Gateway Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ipv6-application-gateway-powershell.md
Previously updated : 08/17/2023 Last updated : 02/08/2024
The IPv6 Application Gateway preview is available to all public cloud regions wh
* IPv6 private Link is currently not supported * IPv6-only Application Gateway is currently not supported. Application Gateway must be dual stack (IPv6 and IPv4) * Deletion of frontend IP addresses aren't supported
+* Application Gateway Ingress Controller (AGIC) does not support IPv6 configuration
* Existing IPv4 Application Gateways cannot be upgraded to dual stack Application Gateways > [!NOTE]
application-gateway Create Vmss Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-cli.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-powershell.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Waf Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-waf-cli.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
application-gateway Create Vmss Waf Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/scripts/create-vmss-waf-powershell.md
tags: azure-resource-manager
vm-windows- Last updated 01/29/2018
automanage Arm Deploy Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/arm-deploy-arc.md
Title: Onboard an Azure Arc-enabled server to Azure Automanage with an ARM template description: Learn how to onboard an Azure Arc-enabled server to Azure Automanage with an Azure Resource Manager template. - Last updated 02/25/2022
automanage Arm Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/arm-deploy.md
Title: Onboard a machine to Azure Automanage with an ARM template description: Learn how to onboard a machine to Azure Automanage with an Azure Resource Manager template. - Last updated 12/10/2021
automanage Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-account.md
Title: Azure Automanage Account description: Learn how an Automanage Account works and how to create one. - Last updated 12/10/2021
az deployment sub create --location <location> --template-file azuredeploy2.json
``` ## Next steps
-* Learn about Automanage services for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
+* Learn about Automanage services for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)
automanage Automanage Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-arc.md
Title: Azure Automanage for Azure Arc-enabled servers
description: Learn about Azure Automanage for Azure Arc-enabled servers - Last updated 05/12/2022
automanage Automanage Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-linux.md
description: Learn about Azure Automanage for virtual machines best practices fo
- Last updated 12/10/2021
automanage Automanage Smb Over Quic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-smb-over-quic.md
Title: SMB over QUIC with Azure Automanage machine best practices
-description: Overview of managing SMB over QUIC with Azure Automanage machine best practices
+description: Overview of managing SMB over QUIC with Azure Automanage machine best practices
- Last updated 11/1/2021-+ # SMB over QUIC with Automanage machine best practices
It may take a couple of hours for machine best practices to be configured and th
## Next steps > [!div class="nextstepaction"]
-> [Learn more about SMB over QUIC](/windows-server/storage/file-server/smb-over-quic)
+> [Learn more about SMB over QUIC](/windows-server/storage/file-server/smb-over-quic)
automanage Automanage Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-upgrade.md
Title: Upgrade your Azure Automanage machines to the latest Automanage version
description: Learn how to upgrade your machines to the latest Azure Automanage version - Last updated 9/1/2022
automanage Automanage Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-windows-server.md
Title: Azure Automanage for Windows Server
description: Learn about Azure Automanage for virtual machines best practices for services that are automatically onboarded and configured for Windows Server machines. - Last updated 03/22/2022
automanage Common Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/common-errors.md
Title: Troubleshoot common Azure Automanage onboarding errors description: Common Automanage onboarding errors and how to troubleshoot them - Last updated 12/10/2021
If you don't see any failed deployments in the resource group or subscription co
* [Learn more about Azure Automanage](./overview-about.md) > [!div class="nextstepaction"]
-> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage How To Disable Automanage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/how-to-disable-automanage.md
Title: Disable Azure Automanage for virtual machines
description: Learn how to disable Azure Automanage for Automanaged virtual machines. - Last updated 09/07/2022
First and foremost, we will not off-board the virtual machine from any of the se
Get the most frequently asked questions answered in our FAQ. > [!div class="nextstepaction"]
-> [Frequently Asked Questions](faq.yml)
+> [Frequently Asked Questions](faq.yml)
automanage Move Automanaged Configuration Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/move-automanaged-configuration-profile.md
Title: Move an Azure Automanage configuration profile across regions description: Learn how to move an Automanage Configuration Profile across regions - Last updated 05/01/2022
automanage Move Automanaged Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/move-automanaged-vms.md
Title: Move an Azure Automanage virtual machine across regions description: Learn how to move an Automanaged virtual machine across regions - Last updated 12/10/2021
Once you have moved your VMs across regions, you may re-enable Automanage on the
## Next steps * [Learn more about Azure Automanage](./overview-about.md)
-* [View frequently asked questions about Azure Automanage](./faq.yml)
+* [View frequently asked questions about Azure Automanage](./faq.yml)
automanage Overview About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-about.md
Title: About Azure Automanage Machine Best Practices
description: Learn about Azure Automanage machine best practices. - Last updated 9/07/2022
automanage Overview Azure Disk Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-azure-disk-encryption.md
Title: Azure disk encryption
description: Learn about Azure disk encryption on Azure Automanaged enabled virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Overview Configuration Profiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-configuration-profiles.md
Title: Automanage Configuration profiles
description: Learn about Azure Automanage configuration profiles for virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Overview Vm Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/overview-vm-status.md
Title: Check an Automanaged VM status
description: Learn about Azure Automanage configuration profile statuses for virtual machines. - Last updated 9/07/2022
In this article, you learned that Automanage for machines provides a means for w
Try enabling Automanage for Azure virtual machines or Arc-enabled servers in the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Quick Create Virtual Machines Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-create-virtual-machines-portal.md
Last updated 12/10/2021 -
automanage Quick Go Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-go-sdk.md
Title: Azure Quickstart SDK for Go
description: Create configuration profile assignments using the GO SDK for Automanage. - Last updated 08/24/2022
automanage Quick Java Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-java-sdk.md
Title: Azure Quickstart SDK for Java
description: Create configuration profile assignments using the Java SDK for Automanage. - Last updated 08/24/2022
automanage Quick Javascript Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-javascript-sdk.md
Title: Azure Quickstart SDK for JavaScript
description: Create configuration profile assignments using the JavaScript SDK for Automanage. - Last updated 08/24/2022
automanage Quick Python Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/quick-python-sdk.md
Title: Azure Quickstart SDK for Python
description: Create configuration profile assignments using the Python SDK for Automanage. - Last updated 08/24/2022
automanage Reference Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/reference-sdk.md
Title: SDK Overview
description: Get started with the Automanage SDKs. - Last updated 11/17/2022
automanage Repair Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/repair-automanage-account.md
Title: Repair a broken Azure Automanage Account
-description: If you've recently moved a subscription that contains an Automanage Account to a new tenant, you need to reconfigure it. In this article, you'll learn how.
+description: If you've recently moved a subscription that contains an Automanage Account to a new tenant, you need to reconfigure it. In this article, you'll learn how.
- Last updated 11/05/2020
automanage Tutorial Create Assignment Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/tutorial-create-assignment-python.md
Title: Tutorial - python
description: Create a virtual machine and assign an automanage best practices configuration profile to it. - Last updated 08/25/2022
automanage Virtual Machines Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-best-practices.md
Title: Azure Automanage Machine Best Practices
description: Learn about the Azure Automanage machine best practices for services that are automatically onboarded and configured for you. - Last updated 12/10/2021
automanage Virtual Machines Custom Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-custom-profile.md
Title: Create a custom profile in Azure Automanage for VMs
description: Learn how to create a custom profile in Azure Automanage and select your services and settings. - Last updated 07/01/2023
automanage Virtual Machines Policy Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/virtual-machines-policy-enable.md
Title: Enable Automanage for virtual machines through Azure Policy
description: Learn how to enable Azure Automanage for VMs through a built-in Azure Policy in the Azure portal. - Last updated 12/10/2021
Sign in to the [Azure portal](https://portal.azure.com/).
Learn another way to enable Azure Automanage for virtual machines through the Azure portal. > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
automation Guidance Migration Log Analytics Monitoring Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/guidance-migration-log-analytics-monitoring-agent.md
Previously updated : 11/03/2023 Last updated : 02/07/2024 + # Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version
Using the Azure portal, you can migrate from Change Tracking & Inventory with LA
#### Prerequisites -- Ensure to have the Windows PowerShell console installed. We recommend that you use PowerShell version 7.2 or higher. Follow the steps to [Install PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).
+- Ensure you have PowerShell installed. The latest version of PowerShell 7 or higher is recommended. Follow the steps to [Install PowerShell on Windows, Linux, and macOS](/powershell/scripting/install/installing-powershell).
- Obtain Read access for the specified workspace resources.-- Ensure that you have `Az.Accounts` and `Az.OperationalInsights` modules installed. The `Az.PowerShell` module is used to pull workspace agent configuration information.-- Ensure to have the Azure credentials to run `Connect-AzAccount` and `Select Az-Context` that set the context for the script to run.
+- [Install the latest version of the Az PowerShell module](/powershell/azure/install-azure-powershell). The **Az.Accounts** and **Az.OperationalInsights** modules are required to pull workspace agent configuration information.
+- Ensure you have Azure credentials to run `Connect-AzAccount` and `Select-AzContext` which set the script's context.
Follow these steps to migrate using scripts. #### Migration guidance 1. Install the script and run it to conduct migrations.
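Review bot: The rewritten PowerShell prerequisite no longer gives a minimum version to check against. The old bullet said "PowerShell version 7.2 or higher", while the new one says "The latest version of PowerShell 7 or higher is recommended", which can be read either as "the latest 7.x" or as "any 7.x". If 7.2 is still the tested minimum for the migration script, state it explicitly, for example "PowerShell 7.2 or higher (latest release recommended)".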
-1. Ensure that the new workspace resource ID is different to the one with which it's associated to in the Change Tracking and Inventory using the LA version.
+1. Ensure the new workspace resource ID is different from the one associated with the Change Tracking and Inventory using the LA version.
1. Migrate settings for the following data types: - Windows Services - Linux Files - Windows Files - Windows Registry - Linux Daemons
-1. Generate and associates a new DCR to transfer the settings to the Change Tracking and Inventory using AMA.
+1. Generate and associate a new DCR to transfer the settings to the Change Tracking and Inventory using AMA.
#### Onboard at scale
-Use the [script](https://github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/DCR%20Config%20Generator/CTDcrGenerator/CTWorkSpaceSettingstoDCR.ps1) to migrate Change tracking workspace settings to data collection rule.
+Use the [script](https://github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/DCR%20Config%20Generator/CTDcrGenerator/CTWorkSpaceSettingstoDCR.ps1) to migrate Change tracking workspace settings to a data collection rule.
#### Parameters **Parameter** | **Required** | **Description** | | | |
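Review bot: The "Onboard at scale" line being edited still sends readers to `github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/...`, a file on the moving `master` branch under the `mayguptMSFT` account. The steps above have them run it after `Connect-AzAccount`, with workspace access in context. Since the sentence is being touched anyway, link to a pinned commit or tagged release and add a line asking readers to review the script before running it, so that what they execute cannot change underneath the article.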
-`InputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Log Analytics. |
-`OutputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Azure Monitoring Agent. |
+`InputWorkspaceResourceId`| Yes | Resource ID of the workspace associated with Change Tracking & Inventory with Log Analytics. |
+`OutputWorkspaceResourceId`| Yes | Resource ID of the workspace associated with Change Tracking & Inventory with Azure Monitoring Agent. |
`OutputDCRName`| Yes | Custom name of the new DCR created. | `OutputDCRLocation`| Yes | Azure location of the output workspace ID. | `OutputDCRTemplateFolderPath`| Yes | Folder path where DCR templates are created. |
To obtain the Log Analytics Workspace resource ID, follow these steps:
### [Using PowerShell script](#tab/limit-policy)
-1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking.md#track-file-contents).
-1. Any VM with > 100 file/registry settings for migration via portal isn't supported now.
+1. For File Content changes-based settings, you must migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking.md#track-file-contents).
+1. Any VM with > 100 file/registry settings for migration via Azure Portal isn't supported.
1. Alerts that you configure using the Log Analytics Workspace must be [manually configured](configure-alerts.md).
automation Quickstart Create Automation Account Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/quickstart-create-automation-account-template.md
description: This article shows how to create an Automation account by using the
Last updated 04/12/2023 -
azure-arc Managed Instance Disaster Recovery Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/managed-instance-disaster-recovery-cli.md
Follow the steps below if Azure Arc data services are deployed in `indirectly` c
2. Switch context to the secondary cluster by running ```kubectl config use-context <secondarycluster>``` and provision the managed instance in the secondary site that will be the disaster recovery instance. At this point, the system databases are not part of the contained availability group. > [!NOTE]
- > It is important to specify `--license-type DisasterRecovery` **during** the Azure Arc-enabled SQL MI creation. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.
+ > It is important to specify `--license-type DisasterRecovery` **during** the managed instance. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.
```azurecli az sql mi-arc create --name <secondaryinstance> --tier bc --replicas 3 --license-type DisasterRecovery --k8s-namespace <namespace> --use-k8s ```
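Review bot: The replacement NOTE line now reads "**during** the managed instance.", so the sentence lost its noun when "Azure Arc-enabled SQL MI creation" was shortened. Restore it as "during the managed instance creation" or "when you create the managed instance". The closing sentence ("Updating this property post deployment will not have the same effect") only makes sense if the reader knows creation time is meant.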
-3. Mirroring certificates - The binary data inside the Mirroring Certificate property of the Azure Arc-enabled SQL MI is needed for the Instance Failover Group CR (Custom Resource) creation.
+3. Mirroring certificates - The binary data inside the Mirroring Certificate property of the managed instance is needed for the Instance Failover Group CR (Custom Resource) creation.
This can be achieved in a few ways: (a) If using `az` CLI, generate the mirroring certificate file first, and then point to that file while configuring the Instance Failover Group so the binary data is read from the file and copied over into the CR. The cert files are not needed after failover group creation.
- (b) If using `kubectl`, directly copy and paste the binary data from the Azure Arc-enabled SQL MI CR into the yaml file that will be used to create the Instance Failover Group.
+ (b) If using `kubectl`, directly copy and paste the binary data from the managed instance CR into the yaml file that will be used to create the Instance Failover Group.
Using (a) above:
Use `az sql instance-failover-group-arc update ...` command group to initiate a
Run the following command to initiate a manual failover, in `direct` connected mode using ARM APIs: ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <primary Azure Arc-enabled SQL MI> --role secondary --resource-group <resource group>
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <primary instance> --role secondary --resource-group <resource group>
``` Example:
On the geo-secondary DR instance, run the following command to promote it to pri
### Directly connected mode ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <secondary Azure Arc-enabled SQL MI> --role force-primary-allow-data-loss --resource-group <resource group> --partner-sync-mode async
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <instance> --role force-primary-allow-data-loss --resource-group <resource group> --partner-sync-mode async
``` Example:
az sql instance-failover-group-arc update --name myfog --mi sqlmi2 --role force-
az sql instance-failover-group-arc update --k8s-namespace my-namespace --name secondarycr --use-k8s --role force-primary-allow-data-loss --partner-sync-mode async ```
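Review bot: In the forced-failover command, the `--mi` placeholder was reduced from `<secondary Azure Arc-enabled SQL MI>` to a bare `<instance>`, while the other two commands changed in this article kept their qualifier (`<primary instance>`, `<old primary instance>`). This is the command that carries `--role force-primary-allow-data-loss`, so the placeholder should still say which instance is meant. `<secondary instance>` would keep it consistent with the others.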
-When the geo-primary Azure Arc-enabled SQL MI instance becomes available, run the below command to bring it into the failover group and synchronize the data:
+When the geo-primary instance becomes available, run the below command to bring it into the failover group and synchronize the data:
### Directly connected mode ```azurecli
-az sql instance-failover-group-arc update --name <shared name of failover group> --mi <old primary Azure Arc-enabled SQL MI> --role force-secondary --resource-group <resource group>
+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <old primary instance> --role force-secondary --resource-group <resource group>
``` ### Indirectly connected mode
azure-arc Deployment Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/deployment-options.md
The following table highlights each method so that you can determine which works
| Interactively | Manually install the agent on a single or small number of machines by [connecting machines using a deployment script](onboard-portal.md).<br> From the Azure portal, you can generate a script and execute it on the machine to automate the install and configuration steps of the agent.| | Interactively | [Connect machines from Windows Admin Center](onboard-windows-admin-center.md) | | Interactively or at scale | [Connect machines using PowerShell](onboard-powershell.md) |
-| Interactively or at scale | [Connect machines using Windows PowerShell Desired State Configuration (DSC)](onboard-dsc.md) |
| At scale | [Connect machines using a service principal](onboard-service-principal.md) to install the agent at scale non-interactively.| | At scale | [Connect machines by running PowerShell scripts with Configuration Manager](onboard-configuration-manager-powershell.md) | At scale | [Connect machines with a Configuration Manager custom task sequence](onboard-configuration-manager-custom-task.md)
azure-arc Manage Automatic Vm Extension Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-automatic-vm-extension-upgrade.md
Automatic extension upgrade supports the following extensions:
- Key Vault Extension - Linux only - Azure Update Manager - Linux and Windows - Azure Automation Hybrid Runbook Worker - Linux and Windows-- Azure Arc-enabled SQL Server agent - Linux and Windows
+- Azure extension for SQL Server - Linux and Windows
More extensions will be added over time. Extensions that do not support automatic extension upgrade today are still configured to enable automatic upgrades by default. This setting will have no effect until the extension publisher chooses to support automatic upgrades.
azure-arc Onboard Dsc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-dsc.md
- Title: Install Connected Machine agent using Windows PowerShell DSC
-description: In this article, you learn how to connect machines to Azure using Azure Arc-enabled servers using Windows PowerShell DSC.
Previously updated : 08/17/2021---
-# How to install the Connected Machine agent using Windows PowerShell DSC
-
-Using [Windows PowerShell Desired State Configuration](/powershell/dsc/getting-started/winGettingStarted) (DSC), you can automate software installation and configuration for a Windows computer. This article describes how to use DSC to install the Azure Connected Machine agent on hybrid Windows machines.
-
->[!NOTE]
-> The PowerShell module described in this article is not currently supported by Microsoft. Any changes or improvements are only handled as a best-effort by the community.
->
-
-## Requirements
--- Windows PowerShell version 4.0 or higher--- The AzureConnectedMachineDsc module--- A service principal to connect the machines to Azure Arc-enabled servers non-interactively. Follow the steps under the section [Create a Service Principal for onboarding at scale](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) if you have not created a service principal for Azure Arc-enabled servers already.-
-## Install the ConnectedMachine DSC module
-
-1. To manually install the module, download the source code from GitHub. Save the content to the
-`$env:ProgramFiles\WindowsPowerShell\Modules folder`.
-
- ```powershell
- git clone https://github.com/azure/AzureConnectedMachineDsc
- ```
-
-2. To confirm installation, run the following command and ensure you see the Azure Connected Machine DSC resources available.
-
- ```powershell
- Get-DscResource -Module AzureConnectedMachineDsc
- ```
-
- In the output, you should see something similar to the following:
-
- ![Confirmation of Connected Machine DSC module installation example](./media/onboard-dsc/confirm-module-installation.png)
-
-## Install the agent and connect to Azure
-
-The resources in this module are designed to manage the Azure Connected Machine agent configuration. Also included is a PowerShell script `AzureConnectedMachineAgent.ps1`, found in the `AzureConnectedMachineDsc\examples` folder. It uses community resources to automate the download and installation, and establish a connection with Azure Arc. This script performs similar steps described in the [Connect hybrid machines to Azure from the Azure portal](onboard-portal.md) article.
-
-If the machine needs to communicate through a proxy server to the service, after you install the agent you need to run a command that's described [here](manage-agent.md#update-or-remove-proxy-settings). This sets the proxy server system environment variable `https_proxy`. Instead of running the command manually, you can perform this step with DSC by using the [ComputeManagementDsc](https://www.powershellgallery.com/packages/ComputerManagementDsc) module. Using this configuration, the agent communicates through the proxy server using the HTTP protocol.
-
->[!NOTE]
->To allow DSC to run, Windows needs to be configured to receive PowerShell remote commands even when you're running a localhost configuration. To easily configure your environment correctly, just run `Set-WsManQuickConfig -Force` in an elevated PowerShell Terminal.
->
-
-Configuration documents (MOF files) can be applied to the machine using the `Start-DscConfiguration` cmdlet.
-
-The following are the parameters you pass to the PowerShell script to use.
--- `TenantId`: The unique identifier (GUID) that represents your dedicated instance of Microsoft Entra ID.--- `SubscriptionId`: The subscription ID (GUID) of your Azure subscription that you want the machines in.--- `ResourceGroup`: The resource group name where you want your connected machines to belong to.--- `Location`: See [supported Azure regions](overview.md#supported-regions). This location can be the same or different, as the resource group's location.--- `Tags`: String array of tags that should be applied to the connected machine resource.--- `Credential`: A PowerShell credential object with the **ApplicationId** and **password** used to register machines at scale using a [service principal](onboard-service-principal.md).-
-1. In a PowerShell console, navigate to the folder where you saved the `.ps1` file.
-
-2. Run the following PowerShell commands to compile the MOF document (for information about compiling DSC configurations, see [DSC Configurations](/powershell/dsc/configurations/configurations):
-
- ```powershell
- .\`AzureConnectedMachineAgent.ps1 -TenantId <TenantId GUID> -SubscriptionId <SubscriptionId GUID> -ResourceGroup '<ResourceGroupName>' -Location '<LocationName>' -Tags '<Tag>' -Credential <psCredential>
- ```
-
-3. This will create a `localhost.mof file` in a new folder named `C:\dsc`.
-
-After you install the agent and configure it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the server has been successfully connected. View your machines in the [Azure portal](https://aka.ms/hybridmachineportal).
-
-## Adding to existing configurations
-
-This resource can be added to existing DSC configurations to represent an end-to-end configuration for a machine. For example, you might wish to add this resource to a configuration that sets secure operating system settings.
-
-The [CompositeResource](https://www.powershellgallery.com/packages/compositeresource) module from the PowerShell Gallery can be used to create a [composite resource](/powershell/dsc/resources/authoringResourceComposite) of the example configuration, to further simplify combining configurations.
-
-## Next steps
-
-* Troubleshooting information can be found in the [Troubleshoot Connected Machine agent guide](troubleshoot-agent-onboard.md).
-
-* Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.
-
-* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
azure-arc Run Command https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/run-command.md
Title: How to remotely and securely configure servers using Run command (Preview) description: Learn how to remotely and securely configure servers using Run Command. Previously updated : 12/22/2023 Last updated : 02/07/2024
Run Command on Azure Arc-enabled servers (Public Preview) uses the Connected Mac
- **Configuration:** Run Command doesn't require more configuration or the deployment of any extensions. The Connected Machine agent version must be 1.33 or higher. +
+## Limiting access to Run Command using RBAC
+
+Listing the run commands or showing details of a command requires the `Microsoft.HybridCompute/machines/runCommands/read` permission. The built-in [Reader](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+Running a command requires the `Microsoft.HybridCompute/machines/runCommands/write` permission. The [Azure Connected Machine Resource Administrator](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+You can use one of the [built-in roles](/azure/role-based-access-control/built-in-roles) or create a [custom role](/azure/role-based-access-control/custom-roles) to use Run Command.
+
+## Blocking run commands locally
+
+The Connected Machine agent supports local configurations that allow you to set an allowlist or a blocklist. See [Extension allowlists and blocklists](security-overview.md#extension-allowlists-and-blocklists) to learn more.
+
+For Windows:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerwindows"`
+
+For Linux:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerlinux"`
++
+## Azure CLI
+
+The following examples use [az connectedmachine run-command](/cli/azure/connectedmachine/run-command) to run a shell script on an Azure Windows machine.
+
+### Execute a script with the machine
+
+This command delivers the script to the machine, executes it, and returns the captured output.
+
+```azurecli
+az connectedmachine run-command create ΓÇô-name "myRunCommand" --machine-name "myMachine" --resource-group "myRG" --script "Write-Host Hello World!"
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed run commands along with their properties.
+
+```azurecli
+az connectedmachine run-command list --machine-name "myMachine" --resource-group "myRG"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```azurecli
+az connectedmachine run-command show --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
+> [!NOTE]
+> Output and error fields in `instanceView` is limited to the last 4KB. To access the full output and error, you can forward the output and error data to storage append blobs using `-outputBlobUri` and `-errorBlobUri` parameters while executing Run Command.
+>
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```azurecli
+az connectedmachine run-command delete --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
+## PowerShell
+
+### Execute a script with the machine
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -Location "EastUS" -RunCommandName "RunCommandName" ΓÇôSourceScript "echo Hello World!"
+```
+
+### Execute a script on the machine using SourceScriptUri parameter
+
+`OutputBlobUri` and `ErrorBlobUri` are optional parameters.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName -MachineName -RunCommandName -SourceScriptUri ΓÇ£< SAS URI of a storage blob with read access or public URI>ΓÇ¥ -OutputBlobUri ΓÇ£< SAS URI of a storage append blob with read, add, create, write access>ΓÇ¥ -ErrorBlobUri ΓÇ£< SAS URI of a storage append blob with read, add, create, write access>ΓÇ¥
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed Run Commands along with their properties.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" - MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+
+### Create or update Run Command on a machine using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine using a SAS URL of a storage blob that contains a PowerShell script. `SourceScriptUri` can be a storage blobΓÇÖs full SAS URL or public URL.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiration time of 24 hours is suggested for SAS URL. SAS URLs can be generated on the Azure portal using blob options, or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, your SAS URL = "base blob URL" + "?" + "SAS token from `New-AzStorageBlobSASToken`"
+>
+
+### Get a Run Command Instance View for a machine after creating or updating Run Command
+
+Get a Run Command for machine with Instance View. Instance View contains the execution state of run command (Succeeded, Failed, etc.), exit code, standard output, and standard error generated by executing the script using Run Command. A non-zero ExitCode indicates an unsuccessful execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName MyRG -MachineName MyMachine -RunCommandName MyRunCommand
+```
+
+`InstanceViewExecutionState`: Status of user's Run Command script. Refer to this state to know whether your script was successful or not.
+
+`ProvisioningState`: Status of general extension provisioning end to end (whether extension platform was able to trigger Run Command script or not).
+
+### Create or update Run Command on a machine using SourceScript (script text)
+
+Create or update Run Command on a machine passing the script content directly to `-SourceScript` parameter. Use `;` to separate multiple commands.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand2 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"
+```
+
+### Create or update Run Command on a machine using OutputBlobUri, ErrorBlobUri to stream standard output and standard error messages to output and error Append blobs
+
+Create or update Run Command on a machine and stream standard output and standard error messages to output and error Append blobs.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 - MachineName MyMachine -RunCommandName MyRunCommand3 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"-OutputBlobUri <OutPutBlobUrI> -ErrorBlobUri <ErrorBlobUri>
+```
+
+> [!NOTE]
+> Output and error blobs must be the AppendBlob type and their SAS URLs must provide read, append, create, write access to the blob. An expiration time of 24 hours is suggested for SAS URL. If output or error blob does not exist, a blob of type AppendBlob will be created. SAS URLs can be generated on Azure portal using blob's options, or SAS token from using `New-AzStorageBlobSASToken`.
+>
+
+### Create or update Run Command on a machine as a different user using RunAsUser and RunAsPassword parameters
+
+Create or update Run Command on a machine as a different user using `RunAsUser` and `RunAsPassword` parameters. For RunAs to work properly, contact the administrator the of machine and make sure user is added on the machine, user has access to resources accessed by the Run Command (directories, files, network etc.), and in case of Windows machine, 'Secondary Logon' service is running on the machine.
+
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScript "id; echo HelloWorld" -RunAsUser myusername -RunAsPassword mypassword
+```
+
+### Create or update Run Command on a machine resource using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine resource using a SAS URL of a storage blob that contains a PowerShell script.
++
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiry time of 24 hours is suggested for SAS URL. SAS URLs can be generated on Azure portal using blob options or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, the SAS URL format is: base blob URL + "?" + the SAS token from `New-AzStorageBlobSASToken`.
+>
+
+### Create or update Run Command on a machine instance using Parameter and ProtectedParameter parameters (Public and Protected Parameters to script)
+
+Use ProtectedParameter to pass any sensitive inputs to script such as passwords, keys etc.
+
+- Windows: Parameters and ProtectedParameters are passed to script as arguments are passed to script and run like this: `myscript.ps1 -publicParam1 publicParam1value -publicParam2 publicParam2value -secret1 secret1value -secret2 secret2value`
+
+- Linux: Named Parameters and its values are set to environment config, which should be accessible within the .sh script. For Nameless arguments, pass an empty string to name input. Nameless arguments are passed to script and run like this: `myscript.sh publicParam1value publicParam2value secret1value secret2value`
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```powershell
+Remove-AzConnetedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+ ## Run Command operations Run Command on Azure Arc-enabled servers supports the following operations:
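Review bot: Several of the added Azure CLI and PowerShell examples will not run if copied as written, and they should be fixed before this section ships. In the first `az connectedmachine run-command create` example the `name` flag is preceded by a non-ASCII dash (`ΓÇô-name`), and the first PowerShell example has the same problem in `ΓÇôSourceScript`. The `SourceScriptUri` example passes `-ResourceGroupName -MachineName -RunCommandName` with no values and wraps the URIs in curly quotes. Two examples have `- MachineName` with a space after the dash, and the append-blob example is missing a space in `"id; echo HelloWorld"-OutputBlobUri`. The RunAs and "machine resource" examples call `New-AzMachineRunCommand` where every other example uses `New-AzConnectedMachineRunCommand`, and the delete example misspells the cmdlet as `Remove-AzConnetedMachineRunCommand`. Two further points matter for anyone relying on this section as a control. In "Blocking run commands locally", both `azcmagent config set extensions.blocklist` values begin with a space inside the quotes (`" microsoft.cplat.core/runcommandhandlerwindows"`); confirm that is intended or remove it, since a reader cannot tell whether the padded string still matches. In the RunAs example, `-RunAsPassword mypassword` shows a literal password on the command line; use a placeholder and point readers to the ProtectedParameter section, which currently has no command example of its own. The Azure CLI note also names the blob options as `-outputBlobUri` and `-errorBlobUri` with a single dash, which does not match the double-dash flag style used in the CLI examples around it.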
azure-boost Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-boost/overview.md
description: Learn more about how Azure Boost can Learn more about how Azure Boo
- - ignite-2023 Last updated 11/07/2023
azure-cache-for-redis Cache How To Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-monitor.md
In contrast, for clustered caches, we recommend using the metrics with the suffi
- If the geo-replication link is unhealthy for over an hour, [file a support request](../azure-portal/supportability/how-to-create-azure-support-request.md). - Gets
- - The number of get operations from the cache during the specified reporting interval. This value is the sum of the following values from the Redis INFO all command: `cmdstat_get`, `cmdstat_hget`, `cmdstat_hgetall`, `cmdstat_hmget`, `cmdstat_mget`, `cmdstat_getbit`, and `cmdstat_getrange`, and is equivalent to the sum of cache hits and misses during the reporting interval.
+ - Sum of the number of get commands run on the cache during the specified reporting interval. This is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _get_ family, including `GET`, `HGET` , `MGET`, and others. This value can differ from the total number of hits and misses because some individual commands access multiple keys. For example: `MGET key1 key2 key3` only increments the number of gets by one but increments the combined number of hits and misses by three.
- Operations per Second - The total number of commands processed per second by the cache server during the specified reporting interval. This value maps to "instantaneous_ops_per_sec" from the Redis INFO command. - Server Load
In contrast, for clustered caches, we recommend using the metrics with the suffi
> The _Server Load_ metric can present incorrect data for Enterprise and Enterprise Flash tier caches. Sometimes _Server Load_ is represented as being over 100. We are investigating this issue. We recommend using the CPU metric instead in the meantime. - Sets
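Review bot: The new Gets description replaces the explicit list of `cmdstat_*` fields with "all commands in the _get_ family, including `GET`, `HGET` , `MGET`, and others", which leaves the membership of that family undefined. Someone reconciling this metric against Redis INFO all output can no longer tell which counters are summed. Keep the explanation of why the value differs from hits plus misses, but either retain the full list or link to where the family is defined, and drop the stray space before the comma after `HGET`.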
- - The number of set operations to the cache during the specified reporting interval. This value is the sum of the following values from the Redis INFO all command: `cmdstat_set`, `cmdstat_hset`, `cmdstat_hmset`, `cmdstat_hsetnx`, `cmdstat_lset`, `cmdstat_mset`, `cmdstat_msetnx`, `cmdstat_setbit`, `cmdstat_setex`, `cmdstat_setrange`, and `cmdstat_setnx`.
+ - Sum of the number of set commands run on the cache during the specified reporting interval. This is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _set_ family, including `SET`, `HSET` , `MSET`, and others.
- Total Keys - The maximum number of keys in the cache during the past reporting time period. This number maps to `keyspace` from the Redis INFO command. Because of a limitation in the underlying metrics system for caches with clustering enabled, Total Keys return the maximum number of keys of the shard that had the maximum number of keys during the reporting interval. - Total Operations
In contrast, for clustered caches, we recommend using the metrics with the suffi
- The amount of cache memory in MB that is used for key/value pairs in the cache during the specified reporting interval. This value maps to `used_memory` from the Redis INFO command. This value doesn't include metadata or fragmentation. - On the Enterprise and Enterprise Flash tier, the Used Memory value includes the memory in both the primary and replica nodes. This can make the metric appear twice as large as expected. - Used Memory Percentage
- - The percent of total memory that is being used during the specified reporting interval. This value references the `used_memory` value from the Redis INFO command to calculate the percentage. This value doesn't include fragmentation.
+ - The percent of total memory that is being used during the specified reporting interval. This value references the `used_memory` value from the Redis INFO command to calculate the percentage. This value doesn't include fragmentation.
- Used Memory RSS - The amount of cache memory used in MB during the specified reporting interval, including fragmentation. This value maps to `used_memory_rss` from the Redis INFO command. This metric isn't available in Enterprise or Enterprise Flash tier caches.
azure-government Documentation Accelerate Compliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/documentation-accelerate-compliance.md
- Last updated 05/30/2023
azure-government Documentation Government Cognitiveservices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-cognitiveservices.md
cloud: gov
- Last updated 08/30/2021
azure-government Documentation Government Connect Ssms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-connect-ssms.md
description: Manage your subscription in Azure Government by connecting with SQL
- Last updated 10/01/2021
azure-government Documentation Government Connect Vs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-connect-vs.md
cloud: gov - Last updated 03/09/2021
azure-government Documentation Government Csp Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-csp-application.md
cloud: gov
- Last updated 05/30/2023
azure-government Documentation Government Developer Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-developer-guide.md
Title: Azure Government developer guide
description: Provides guidance on developing applications for Azure Government - recommendations: false
azure-government Documentation Government Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-extension.md
cloud: gov
- Previously updated : 08/31/2021 Last updated : 08/31/2021 # Azure Government virtual machine extensions
azure-government Documentation Government Get Started Connect With Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-get-started-connect-with-cli.md
cloud: gov - Last updated 03/09/2021 #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government using CLI so I can start developing against Azure Government's secure isolated datacenters.
azure-government Documentation Government Get Started Connect With Ps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-get-started-connect-with-ps.md
Title: Connect to Azure Government with PowerShell
description: Information on connecting to your subscription in Azure Government with PowerShell. - Last updated 01/18/2023
azure-government Documentation Government How To Access Enterprise Agreement Billing Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-how-to-access-enterprise-agreement-billing-account.md
- Last updated 11/08/2023
azure-government Documentation Government Howto Deploy Webandmobile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-howto-deploy-webandmobile.md
cloud: gov
- Last updated 08/10/2018- #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government and deploy an Azure App Services app in the Azure Government cloud because i want to be sure that my agency meets government security and compliance requirements.
This tutorial showed you how to deploy an Azure App Services app to Azure Govern
> [!div class="nextstepaction"] > [Microsoft Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/).-
azure-government Documentation Government Image Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-image-gallery.md
cloud: gov
- Previously updated : 08/31/2021 Last updated : 08/31/2021 # Azure Government Marketplace images
azure-government Documentation Government Manage Marketplace Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-manage-marketplace-partners.md
cloud: gov
- Last updated 08/31/2021
Make sure that any virtual machine extensions your solution template relies on a
- Subscribe to the [Azure Government blog](https://blogs.msdn.microsoft.com/azuregov/) - Get help on Stack Overflow by using the [azure-gov](https://stackoverflow.com/questions/tagged/azure-gov) tag--
azure-government Documentation Government Manage Oms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-manage-oms.md
cloud: gov
- Last updated 12/05/2016
This is just one example of an out-of-box Azure Monitor logs solution that can b
Azure Monitor continues to update its machine learning to fight the latest threats automatically for you, and we continue to roll out new solutions to the Azure marketplace as well.
-For more information about Azure Monitor logs, see [our documentation page](./documentation-government-overview.md).
+For more information about Azure Monitor logs, see [our documentation page](./documentation-government-overview.md).
azure-government Documentation Government Plan Compliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-plan-compliance.md
Title: Azure Government compliance
description: Provides an overview of the available compliance assurances for Azure Government -
azure-government Documentation Government Quickstarts Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-quickstarts-vm.md
cloud: gov
- Last updated 08/10/2018- #Customer intent: As a developer working for a federal government agency "x", I want to connect to Azure Government and provision a VM in the Azure Government cloud because i want to be sure that my agency meets government security and compliance requirements.
This tutorial showed you how to create Virtual Machines in Azure Government. To
> [!div class="nextstepaction"] > [Microsoft Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/).-
azure-government Documentation Government Welcome https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-welcome.md
Title: Azure Government Overview
description: Overview of Azure Government capabilities -
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
View [supported operating systems for Azure Arc Connected Machine agent](../../a
| Windows Server 2016 Core | Γ£ô | | Γ£ô | | Windows Server 2012 R2 | Γ£ô | Γ£ô | Γ£ô | | Windows Server 2012 | Γ£ô | Γ£ô | Γ£ô |
-| Windows Server 2008 R2 SP1 | Γ£ô | Γ£ô | Γ£ô |
-| Windows Server 2008 R2 | | | Γ£ô |
-| Windows Server 2008 SP2 | | Γ£ô | |
| Windows 11 Client and Pro | Γ£ô<sup>2</sup>, <sup>3</sup> | | | | Windows 11 Enterprise<br>(including multi-session) | Γ£ô | | | | Windows 10 1803 (RS4) and higher | Γ£ô<sup>2</sup> | | |
azure-monitor Azure Monitor Agent Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-manage.md
The following prerequisites must be met prior to installing Azure Monitor Agent.
- `<virtual-machine-region-name>`.handler.control.monitor.azure.com (example: westus.handler.control.monitor.azure.com) - `<log-analytics-workspace-id>`.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com) (If you use private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint)).
+- **Disk Space**: Required disk space can vary greatly depending upon how an agent is utilized or if the agent is unable to communicate with the destinations where it is instructed to send monitoring data. The following provides guidance for capacity planning:
+
+| Purpose | Environment | Path | Suggested Space |
+|:|:|:|:|
+| Download and install packages | Linux | /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{Version}/ | 500 MB |
+| Download and install packages | Windows | C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 500 MB|
+| Extension Logs | Linux (Azure VM) | /var/log/azure/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent/ | 100 MB |
+| Extension Logs | Linux (Azure Arc) | /var/lib/GuestConfig/extension_logs/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-{version}/ | 100 MB |
+| Extension Logs | Windows (Azure VM) | C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 100 MB |
+| Extension Logs | Windows (Azure Arc) | C:\ProgramData\GuestConfig\extension_logs\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent | 100 MB |
+| Agent Cache | Linux | /etc/opt/microsoft/azuremonitoragent, /var/opt/microsoft/azuremonitoragent | 500 MB |
+| Agent Cache | Windows (Azure VM) | C:\WindowsAzure\Resources\AMADataStore.{DataStoreName} | 10.5 GB |
+| Agent Cache | Windows (Azure Arc) | C:\Resources\Directory\AMADataStore. {DataStoreName} | 10.5 GB |
+| Event Cache | Linux | /var/opt/microsoft/azuremonitoragent/events | 10 GB |
> [!NOTE] > This article only pertains to agent installation or management. After you install the agent, you must review the next article to [configure data collection rules and associate them with the machines](./data-collection-rule-azure-monitor-agent.md) with agents installed. *Azure Monitor Agents can't function without being associated with data collection rules.*
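Review bot: The paths in the new Disk Space table are inconsistent, and readers will copy them into capacity checks and monitoring exclusions. The Windows (Azure Arc) Agent Cache row reads `AMADataStore. {DataStoreName}` with a space after the dot, while the Azure VM row above it has `AMADataStore.{DataStoreName}`. The Linux rows also mix `{Version}` and `{version}` for the same placeholder. Pick one form for each. As shown here the delimiter row `|:|:|:|:|` has no hyphens, so confirm the table renders in the published article.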
azure-monitor Api Custom Events Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/api-custom-events-metrics.md
The recommended way to send request telemetry is where the request acts as an <a
You can correlate telemetry items together by associating them with operation context. The standard request-tracking module does this for exceptions and other events that are sent while an HTTP request is being processed. In [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) and [Analytics](../logs/log-query-overview.md), you can easily find any events associated with the request by using its operation ID.
-For more information on correlation, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+For more information on correlation, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
When you track telemetry manually, the easiest way to ensure telemetry correlation is by using this pattern:
azure-monitor App Map https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-map.md
To provide feedback, use the feedback option.
## Next steps
-* To learn more about how correlation works in Application Insights, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md).
+* To learn more about how correlation works in Application Insights, see [Telemetry correlation](distributed-trace-data.md).
* The [end-to-end transaction diagnostic experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) correlates server-side telemetry from across all your Application Insights-monitored components into a single view. * For advanced correlation scenarios in ASP.NET Core and ASP.NET, see [Track custom operations](custom-operations-tracking.md).
azure-monitor Custom Operations Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-operations-tracking.md
This article provides guidance on how to track custom operations with the Applic
## Overview
-An operation is a logical piece of work run by an application. It has a name, start time, duration, result, and a context of execution like user name, properties, and result. If operation A was initiated by operation B, then operation B is set as a parent for A. An operation can have only one parent, but it can have many child operations. For more information on operations and telemetry correlation, see [Application Insights telemetry correlation](distributed-tracing-telemetry-correlation.md).
+An operation is a logical piece of work run by an application. It has a name, start time, duration, result, and a context of execution like user name, properties, and result. If operation A was initiated by operation B, then operation B is set as a parent for A. An operation can have only one parent, but it can have many child operations. For more information on operations and telemetry correlation, see [Application Insights telemetry correlation](distributed-trace-data.md).
In the Application Insights .NET SDK, the operation is described by the abstract class [OperationTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/Extensibility/Implementation/OperationTelemetry.cs) and its descendants [RequestTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/DataContracts/RequestTelemetry.cs) and [DependencyTelemetry](https://github.com/microsoft/ApplicationInsights-dotnet/blob/7633ae849edc826a8547745b6bf9f3174715d4bd/BASE/src/Microsoft.ApplicationInsights/DataContracts/DependencyTelemetry.cs).
Each Application Insights operation (request or dependency) involves `Activity`.
## Next steps -- Learn the basics of [telemetry correlation](distributed-tracing-telemetry-correlation.md) in Application Insights.
+- Learn the basics of [telemetry correlation](distributed-trace-data.md) in Application Insights.
- Check out how correlated data powers [transaction diagnostics experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) and [Application Map](./app-map.md). - See the [data model](./data-model-complete.md) for Application Insights types and data model. - Report custom [events and metrics](./api-custom-events-metrics.md) to Application Insights.
azure-monitor Data Model Complete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/data-model-complete.md
The following types of telemetry are used to monitor the execution of your app.
* [Request](#request): Generated to log a request received by your app. For example, the Application Insights web SDK automatically generates a Request telemetry item for each HTTP request that your web app receives.
- An *operation* is made up of the threads of execution that process a request. You can also [write code](./api-custom-events-metrics.md#trackrequest) to monitor other types of operation, such as a "wake up" in a web job or function that periodically processes data. Each operation has an ID. The ID can be used to [group](distributed-tracing-telemetry-correlation.md) all telemetry generated while your app is processing the request. Each operation either succeeds or fails and has a duration of time.
+ An *operation* is made up of the threads of execution that process a request. You can also [write code](./api-custom-events-metrics.md#trackrequest) to monitor other types of operation, such as a "wake up" in a web job or function that periodically processes data. Each operation has an ID. The ID can be used to [group](distributed-trace-data.md) all telemetry generated while your app is processing the request. Each operation either succeeds or fails and has a duration of time.
* [Exception](#exception): Typically represents an exception that causes an operation to fail. * [Dependency](#dependency): Represents a call from your app to an external service or storage, such as a REST API or SQL. In ASP.NET, dependency calls to SQL are defined by `System.Data`. Calls to HTTP endpoints are defined by `System.Net`.
Every telemetry item can define the [context information](#context) like applica
You can use session ID to calculate an outage or an issue impact on users. Calculating the distinct count of session ID values for a specific failed dependency, error trace, or critical exception gives you a good understanding of an impact.
-The Application Insights telemetry model defines a way to [correlate](distributed-tracing-telemetry-correlation.md) telemetry to the operation of which it's a part. For example, a request can make a SQL Database call and record diagnostics information. You can set the correlation context for those telemetry items that tie it back to the request telemetry.
+The Application Insights telemetry model defines a way to [correlate](distributed-trace-data.md) telemetry to the operation of which it's a part. For example, a request can make a SQL Database call and record diagnostics information. You can set the correlation context for those telemetry items that tie it back to the request telemetry.
## Schema improvements
The Application Insights web SDK sends a request name "as is" about letter case.
### ID
-ID is the identifier of a request call instance. It's used for correlation between the request and other telemetry items. The ID should be globally unique. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+ID is the identifier of a request call instance. It's used for correlation between the request and other telemetry items. The ID should be globally unique. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
**Maximum length:** 128 characters
URL is the request URL with all query string parameters.
### Source
-Source is the source of the request. Examples are the instrumentation key of the caller or the IP address of the caller. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+Source is the source of the request. Examples are the instrumentation key of the caller or the IP address of the caller. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
**Maximum length:** 1,024 characters
This field is the name of the command initiated with this dependency call. It ha
### ID
-ID is the identifier of a dependency call instance. It's used for correlation with the request telemetry item that corresponds to this dependency call. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+ID is the identifier of a dependency call instance. It's used for correlation with the request telemetry item that corresponds to this dependency call. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
### Data
This field is the dependency type name. It has a low cardinality value for logic
### Target
-This field is the target site of a dependency call. Examples are server name and host address. For more information, see [Telemetry correlation in Application Insights](distributed-tracing-telemetry-correlation.md).
+This field is the target site of a dependency call. Examples are server name and host address. For more information, see [Telemetry correlation in Application Insights](distributed-trace-data.md).
### Duration
Originally, this field was used to indicate the type of the device the user of t
### Operation ID
-This field is the unique identifier of the root operation. This identifier allows grouping telemetry across multiple components. For more information, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md). Either a request or a page view creates the operation ID. All other telemetry sets this field to the value for the containing request or page view.
+This field is the unique identifier of the root operation. This identifier allows grouping telemetry across multiple components. For more information, see [Telemetry correlation](distributed-trace-data.md). Either a request or a page view creates the operation ID. All other telemetry sets this field to the value for the containing request or page view.
**Maximum length:** 128 ### Parent operation ID
-This field is the unique identifier of the telemetry item's immediate parent. For more information, see [Telemetry correlation](distributed-tracing-telemetry-correlation.md).
+This field is the unique identifier of the telemetry item's immediate parent. For more information, see [Telemetry correlation](distributed-trace-data.md).
**Maximum length:** 128
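Review bot: In the Parent operation ID hunk, as in the other link swaps in this file, only the target changes from `distributed-tracing-telemetry-correlation.md` to `distributed-trace-data.md`, while the link text still reads "Telemetry correlation". Confirm the new article still covers correlation under that name, or update the link text to match its title. Also check that the old file name redirects, so existing inbound links do not break.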
azure-monitor Kubernetes Codeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/kubernetes-codeless.md
Title: Monitor applications on AKS with Application Insights - Azure Monitor | M
description: Azure Monitor integrates seamlessly with your application running on Azure Kubernetes Service and allows you to spot the problems with your apps quickly. Previously updated : 11/15/2022 Last updated : 02/29/2024
Troubleshoot the following issue.
## Next steps * Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md).
-* Get an overview of [distributed tracing](distributed-tracing-telemetry-correlation.md) and see what [Application Map](./app-map.md?tabs=net) can do for your business.
+* Get an overview of [distributed tracing](distributed-trace-data.md) and see what [Application Map](./app-map.md?tabs=net) can do for your business.
azure-monitor Monitor Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/monitor-functions.md
To collect custom telemetry from services such as Redis, Memcached, and MongoDB,
## Next steps * Read more instructions and information about [monitoring Azure Functions](../../azure-functions/functions-monitoring.md).
-* Get an overview of [distributed tracing](distributed-tracing-telemetry-correlation.md).
+* Get an overview of [distributed tracing](distributed-trace-data.md).
* See what [Application Map](./app-map.md?tabs=net) can do for your business. * Read about [requests and dependencies for Java apps](./java-in-process-agent.md). * Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md).
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
The distros automatically collect data by bundling OpenTelemetry instrumentation
Requests - [ASP.NET
- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ┬╣
+ Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ┬╣┬▓
Dependencies-- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ┬╣
+- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ┬╣┬▓
- [SqlClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.SqlClient/README.md) ┬╣ Logging - `ILogger`
-
+ For more information about `ILogger`, see [Logging in C# and .NET](/dotnet/core/extensions/logging) and [code examples](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/logs). #### [.NET](#tab/net)
Instrumentations can be configured using AzureMonitorOpenTelemetryOptions
``` - #### [Python](#tab/python) Requests
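Review bot: The ASP.NET Core and HttpClient entries gain a second footnote marker, but no footnote text for it appears in the changed lines. Confirm the matching footnote definition exists in the article and applies to both entries. Otherwise the marker points nowhere.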
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
This article covers configuration settings for the Azure Monitor OpenTelemetry distro. - ## Connection string A connection string in Application Insights defines the target location for sending telemetry data, ensuring it reaches the appropriate resource for monitoring and analysis.
A connection string in Application Insights defines the target location for send
Use one of the following three ways to configure the connection string: -- Add `UseAzureMonitor()` to your application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.
+- Add `UseAzureMonitor()` to your application startup. This is in your `program.cs` class.
+ ```csharp // Create a new ASP.NET Core web application builder. var builder = WebApplication.CreateBuilder(args);
Use one of the following three ways to configure the connection string:
// Start the ASP.NET Core web application. app.Run(); ```+ - Set an environment variable:+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```+ - Add the following section to your `appsettings.json` config file:+ ```json { "AzureMonitor": {
Use one of the following three ways to configure the connection string:
Use one of the following two ways to configure the connection string: - Add the Azure Monitor Exporter to each OpenTelemetry signal in application startup.+ ```csharp // Create a new OpenTelemetry tracer provider. // It is important to keep the TracerProvider instance active throughout the process lifetime.
Use one of the following two ways to configure the connection string:
}); }); ```+ - Set an environment variable: ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String>
To set the connection string, see [Connection string](java-standalone-config.md#
Use one of the following two ways to configure the connection string: - Set an environment variable:
-
+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```
Use one of the following two ways to configure the connection string:
Use one of the following two ways to configure the connection string: - Set an environment variable:
-
+ ```console APPLICATIONINSIGHTS_CONNECTION_STRING=<Your Connection String> ```
useAzureMonitor(options);
Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [OpenTelemetry Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md). Set Resource attributes using the `OTEL_RESOURCE_ATTRIBUTES` and/or `OTEL_SERVICE_NAME` environment variables. `OTEL_RESOURCE_ATTRIBUTES` takes series of comma-separated key-value pairs. For example, to set the Cloud Role Name to `my-namespace.my-helloworld-service` and set Cloud Role Instance to `my-instance`, you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:+ ``` export OTEL_RESOURCE_ATTRIBUTES="service.namespace=my-namespace,service.instance.id=my-instance" export OTEL_SERVICE_NAME="my-helloworld-service" ``` If you don't set the `service.namespace` Resource attribute, you can alternatively set the Cloud Role Name with only the OTEL_SERVICE_NAME environment variable or the `service.name` Resource attribute. For example, to set the Cloud Role Name to `my-helloworld-service` and set Cloud Role Instance to `my-instance`, you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:+ ``` export OTEL_RESOURCE_ATTRIBUTES="service.instance.id=my-instance" export OTEL_SERVICE_NAME="my-helloworld-service"
export OTEL_SERVICE_NAME="my-helloworld-service"
You might want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a sampling ratio, which Application Insights converts to `ItemCount`. The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary).
-> [!NOTE]
+> [!NOTE]
> Metrics and Logs are unaffected by sampling. #### [ASP.NET Core](#tab/aspnetcore)
We support the credential classes provided by [Azure Identity](https://github.co
- Provide the tenant ID, client ID, and client secret to the constructor. 1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:+ ```dotnetcli dotnet add package Azure.Identity ```
-
+ 1. Provide the desired credential class:+ ```csharp // Create a new ASP.NET Core web application builder. var builder = WebApplication.CreateBuilder(args);
We support the credential classes provided by [Azure Identity](https://github.co
- Provide the tenant ID, client ID, and client secret to the constructor. 1. Install the latest [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package:+ ```dotnetcli dotnet add package Azure.Identity ```
-1. Provide the desired credential class:
+1. Provide the desired credential class:
+ ```csharp // Create a DefaultAzureCredential. var credential = new DefaultAzureCredential();
We support the credential classes provided by [Azure Identity](https://github.co
}); }); ```
-
+ #### [Java](#tab/java) For more information about Java, see the [Java supplemental documentation](java-standalone-config.md).
useAzureMonitor(options);
``` #### [Python](#tab/python)
-
+ ```python # Import the `ManagedIdentityCredential` class from the `azure.identity` package. from azure.identity import ManagedIdentityCredential
configure_azure_monitor(
- ## Offline Storage and Automatic Retries To improve reliability and resiliency, Azure Monitor OpenTelemetry-based offerings write to offline/local storage by default when an application loses its connection with Application Insights. It saves the application telemetry to disk and periodically tries to send it again for up to 48 hours. In high-load applications, telemetry is occasionally dropped for two reasons. First, when the allowable time is exceeded, and second, when the maximum file size is exceeded or the SDK doesn't have an opportunity to clear out the file. If we need to choose, the product saves more recent events over old ones. [Learn More](/previous-versions/azure/azure-monitor/app/data-retention-privacy#does-the-sdk-create-temporary-local-storage)
You might want to enable the OpenTelemetry Protocol (OTLP) Exporter alongside th
``` 1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/examples/Console/TestOtlpExporter.cs).
-
+ ```csharp // Create a new OpenTelemetry tracer provider and add the Azure Monitor trace exporter and the OTLP trace exporter. // It is important to keep the TracerProvider instance active throughout the process lifetime.
For more information about Java, see the [Java supplemental documentation](java-
1. Install the [opentelemetry-exporter-otlp](https://pypi.org/project/opentelemetry-exporter-otlp/) package. 1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see this [README](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/monitor/azure-monitor-opentelemetry-exporter/samples/traces#collector).
-
+ ```python # Import the `configure_azure_monitor()`, `trace`, `OTLPSpanExporter`, and `BatchSpanProcessor` classes from the appropriate packages. from azure.monitor.opentelemetry import configure_azure_monitor
For more information about Java, see the [Java supplemental documentation](java-
## OpenTelemetry configurations The following OpenTelemetry configurations can be accessed through environment variables while using the Azure Monitor OpenTelemetry Distros.+ ### [ASP.NET Core](#tab/aspnetcore) | Environment variable | Description |
The following OpenTelemetry configurations can be accessed through environment v
| `OTEL_RESOURCE_ATTRIBUTES` | Key-value pairs to be used as resource attributes. For more information about resource attributes, see the [Resource SDK specification](https://github.com/open-telemetry/opentelemetry-specification/blob/v1.5.0/specification/resource/sdk.md#specifying-resource-information-via-an-environment-variable). | | `OTEL_SERVICE_NAME` | Sets the value of the `service.name` resource attribute. If `service.name` is also provided in `OTEL_RESOURCE_ATTRIBUTES`, then `OTEL_SERVICE_NAME` takes precedence. | - ### [.NET](#tab/net) | Environment variable | Description |
azure-monitor Opentelemetry Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md
Follow the steps in this section to instrument your application with OpenTelemet
### [ASP.NET Core](#tab/aspnetcore) -- [ASP.NET Core Application](/aspnet/core/introduction-to-aspnet-core) using an officially supported version of [.NET Core](https://dotnet.microsoft.com/download/dotnet)
+- [ASP.NET Core Application](/aspnet/core/introduction-to-aspnet-core) using an officially supported version of [.NET](https://dotnet.microsoft.com/download/dotnet)
### [.NET](#tab/net)
pip install azure-monitor-opentelemetry
### Enable Azure Monitor Application Insights+ To enable Azure Monitor Application Insights, you make a minor modification to your application and set your "Connection String." The Connection String tells your application where to send the telemetry the Distro collects, and it's unique to you. #### Modify your Application ##### [ASP.NET Core](#tab/aspnetcore)
-Add `UseAzureMonitor()` to your application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.
+Add `UseAzureMonitor()` to your application startup. This is in your `program.cs` class.
```csharp // Import the Azure.Monitor.OpenTelemetry.AspNetCore namespace.
using Azure.Monitor.OpenTelemetry.AspNetCore;
// Create a new WebApplicationBuilder instance. var builder = WebApplication.CreateBuilder(args);
-// Add the OpenTelemetry NuGet package to the application's services and configure OpenTelemetry to use Azure Monitor.
+// Add OpenTelemetry and configure it to use Azure Monitor.
builder.Services.AddOpenTelemetry().UseAzureMonitor(); // Build the application.
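Review bot: In the ASP.NET Core tab, the new sentence "This is in your `program.cs` class." calls a file a class and opens with a pronoun that has no clear antecedent. Suggest "Add `UseAzureMonitor()` to your application startup, located in your `Program.cs` file." The removed wording also covered `startup.cs`; if projects that still keep a `Startup` class are in scope for this tab, say where the call goes for them, otherwise state the assumption that the app uses the minimal hosting model. The shortened code comment "Add OpenTelemetry and configure it to use Azure Monitor." is fine as written.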
app.Run();
##### [.NET](#tab/net) Add the Azure Monitor Exporter to each OpenTelemetry signal in application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.+ ```csharp // Create a new tracer provider builder and add an Azure Monitor trace exporter to the tracer provider builder. // It is important to keep the TracerProvider instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/trace#tracerprovider-management
var tracerProvider = Sdk.CreateTracerProviderBuilder() .AddAzureMonitorTraceExporter(); // Add an Azure Monitor metric exporter to the metrics provider builder. // It is important to keep the MetricsProvider instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/metrics#meterprovider-management
var metricsProvider = Sdk.CreateMeterProviderBuilder() .AddAzureMonitorMetricExporter(); // Create a new logger factory. // It is important to keep the LoggerFactory instance active throughout the process lifetime.
+// See https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/logs#logger-management
var loggerFactory = LoggerFactory.Create(builder => { builder.AddOpenTelemetry(options =>
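Review bot: The link added under the metrics comment targets `#meterprovider-management` and the code calls `Sdk.CreateMeterProviderBuilder()`, but the comment it is attached to still says "metrics provider builder" and "MetricsProvider instance", and the variable is `metricsProvider`. Align the comment with the API name (MeterProvider) so the reader can match the sample to the linked section. All three added links point at `tree/main` in the opentelemetry-dotnet repository, so they will break silently if those docs folders move; consider linking to a tagged release or to a stable docs page instead.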
input()
#### Copy the Connection String from your Application Insights Resource+ > [!TIP] > If you don't already have one, now is a great time to [Create an Application Insights Resource](create-workspace-resource.md#create-a-workspace-based-resource). Here's when we recommend you [create a new Application Insights Resource versus use an existing one](create-workspace-resource.md#when-to-use-a-single-application-insights-resource).
To paste your Connection String, select from the following options:
B. Set via Configuration File - Java Only (Recommended) Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.19.jar` with the following content:
-
+ ```json { "connectionString": "<Your Connection String>" } ```+ Replace `<Your Connection String>` in the preceding JSON with *your* unique connection string. C. Set via Code - ASP.NET Core, Node.js, and Python Only (Not recommended)
To paste your Connection String, select from the following options:
See [Connection String Configuration](opentelemetry-configuration.md#connection-string) for an example of setting Connection String via code. > [!NOTE]
- > If you set the connection string in more than one place, we adhere to the following precendence:
+ > If you set the connection string in more than one place, we adhere to the following precedence:
+ >
> 1. Code > 2. Environment Variable > 3. Configuration File
azure-monitor Sampling Classic Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling-classic-api.md
In [`ApplicationInsights.config`](./configuration-with-applicationinsights-confi
* `<MaxTelemetryItemsPerSecond>5</MaxTelemetryItemsPerSecond>`
- The target rate of [logical operations](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that the adaptive algorithm aims to collect **on each server host**. If your web app runs on many hosts, reduce this value so as to remain within your target rate of traffic at the Application Insights portal.
+ The target rate of [logical operations](distributed-trace-data.md#data-model-for-telemetry-correlation) that the adaptive algorithm aims to collect **on each server host**. If your web app runs on many hosts, reduce this value so as to remain within your target rate of traffic at the Application Insights portal.
* `<EvaluationInterval>00:00:15</EvaluationInterval>`
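Review bot: The retargeted link in the `MaxTelemetryItemsPerSecond` description keeps the fragment `#data-model-for-telemetry-correlation` while the file name changes to `distributed-trace-data.md`; nothing in this change shows that the heading still exists under that name in the new file. Confirm the anchor resolves after the rename, and check that a redirect is in place for `distributed-tracing-telemetry-correlation.md`, since the same substitution is repeated across several other articles in this update and external links to the old path will otherwise break.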
azure-monitor Transaction Search And Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/transaction-search-and-diagnostics.md
This behavior is by design. All the related items, across all components, are al
### Is there a way to see fewer events per transaction when I use the Application Insights JavaScript SDK?
-The transaction diagnostics experience shows all telemetry in a [single operation](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event is generated and a single Operation ID is used for all telemetry generated. As a result, many events might be correlated to the same operation.
+The transaction diagnostics experience shows all telemetry in a [single operation](distributed-trace-data.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event is generated and a single Operation ID is used for all telemetry generated. As a result, many events might be correlated to the same operation.
In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your SPA. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so that a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, call `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event also resets the Operation ID.
azure-monitor Worker Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/worker-service.md
Run your application. The workers from all the preceding examples make an HTTP c
Application Insights collects these ILogger logs, with a severity of Warning or above by default, and dependencies. They're correlated to `RequestTelemetry` with a parent-child relationship. Correlation also works across process/network boundaries. For example, if the call was made to another monitored component, it's correlated to this parent as well.
-This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical web application. It isn't necessary to use an operation, but it fits best with the [Application Insights correlation data model](distributed-tracing-telemetry-correlation.md). `RequestTelemetry` acts as the parent operation and every telemetry generated inside the worker iteration is treated as logically belonging to the same operation.
+This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical web application. It isn't necessary to use an operation, but it fits best with the [Application Insights correlation data model](distributed-trace-data.md). `RequestTelemetry` acts as the parent operation and every telemetry generated inside the worker iteration is treated as logically belonging to the same operation.
This approach also ensures all the telemetry generated, both automatic and manual, will have the same `operation_id`. Because sampling is based on `operation_id`, the sampling algorithm either keeps or drops all the telemetry from a single iteration.
azure-monitor Azure Monitor Operations Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/azure-monitor-operations-manager.md
If your monitoring of a business application is limited to functionality provide
- Collect detailed application usage and performance data such as response time, failure rates, and request rates. - Collect browser data such as page views and load performance. - Detect exceptions and drill into stack trace and related requests.-- Perform advanced analysis using features such as [distributed tracing](app/distributed-tracing-telemetry-correlation.md) and [smart detection](alerts/proactive-diagnostics.md).
+- Perform advanced analysis using features such as [distributed tracing](app/distributed-trace-data.md) and [smart detection](alerts/proactive-diagnostics.md).
- Use [metrics explorer](essentials/metrics-getting-started.md) to interactively analyze performance data. - Use [log queries](logs/log-query-overview.md) to interactively analyze collected telemetry together with data collected for Azure services and VM insights.
azure-monitor Monitor Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/monitor-kubernetes.md
Following are common scenarios for monitoring your application.
- Use the **Performance** view in Application insights to view the performance of different operations in your application. - Use [Profiler](../profiler/profiler-overview.md) to capture and view performance traces for your application. - Use [Application Map](../app/app-map.md) to view the dependencies between your application components and identify any bottlenecks.-- Enable [distributed tracing](../app/distributed-tracing-telemetry-correlation.md), which provides a performance profiler that works like call stacks for cloud and microservices architectures, to gain better observability into the interaction between services.
+- Enable [distributed tracing](../app/distributed-trace-data.md), which provides a performance profiler that works like call stacks for cloud and microservices architectures, to gain better observability into the interaction between services.
**Application failures**<br> - Use the **Failures** tab of Application insights to view the number of failed requests and the most common exceptions.
azure-monitor Data Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-platform.md
Title: Azure Monitor data platform
description: Overview of the Azure Monitor data platform and collection of observability data. - Last updated 08/09/2023
Read more about Azure Monitor logs including their sources of data in [Logs in A
Traces are series of related events that follow a user request through a distributed system. They can be used to determine the behavior of application code and the performance of different transactions. While logs will often be created by individual components of a distributed system, a trace measures the operation and performance of your application across the entire set of components.
-Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-tracing-telemetry-correlation.md). Trace data is stored with other application log data collected by Application Insights. This way it's available to the same analysis tools as other log data including log queries, dashboards, and alerts.
+Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-trace-data.md). Trace data is stored with other application log data collected by Application Insights. This way it's available to the same analysis tools as other log data including log queries, dashboards, and alerts.
-Read more about distributed tracing at [What is distributed tracing?](app/distributed-tracing-telemetry-correlation.md).
+Read more about distributed tracing at [What is distributed tracing?](app/distributed-trace-data.md).
### Changes
azure-monitor Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-sources.md
When you enable Application Insights for an application by installing an instrum
| Destination | Description | Reference | |:|:|:| | Azure Monitor Logs | Operational data about your application including page views, application requests, exceptions, and traces. | [Analyze log data in Azure Monitor](logs/log-query-overview.md) |
-| | Dependency information between application components to support Application Map and telemetry correlation. | [Telemetry correlation in Application Insights](app/distributed-tracing-telemetry-correlation.md) <br> [Application Map](app/app-map.md) |
+| | Dependency information between application components to support Application Map and telemetry correlation. | [Telemetry correlation in Application Insights](app/distributed-trace-data.md) <br> [Application Map](app/app-map.md) |
| | Results of availability tests that test the availability and responsiveness of your application from different locations on the public Internet. | [Monitor availability and responsiveness of any web site](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability) | | Azure Monitor Metrics | Application Insights collects metrics describing the performance and operation of the application in addition to custom metrics that you define in your application into the Azure Monitor metrics database. | [Log-based and pre-aggregated metrics in Application Insights](app/pre-aggregated-metrics-log-metrics.md)<br>[Application Insights API for custom events and metrics](app/api-custom-events-metrics.md) | | Azure Monitor Change Analysis | Change Analysis detects and provides insights on various types of changes in your application. | [Use Change Analysis in Azure Monitor](./change/change-analysis.md) |
azure-monitor Data Platform Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/data-platform-metrics.md
description: Learn about metrics in Azure Monitor, which are lightweight monitor
- Last updated 04/25/2023
azure-monitor Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/availability-zones.md
Azure Monitor creates Log Analytics workspaces in a shared cluster, unless you [
### Shared clusters (default) All shared clusters in the following regions use availability zones. If your workspace is in one of these regions, Azure Monitor replicates your logs across the region-specific zones, as of January 2024.
-* Canada Central
-* France Central
-* North Europe
-* South Central US
-* Southeast Asia
-* UK South
-* West US 3
+| Americas | Europe | Middle East | Asia Pacific |
+| | | | |
+| Canada Central | France Central | UAE North | Australia East |
+| South Central US | North Europe | | Central India |
+| West US 3 | Norway East | | Southeast Asia |
+| | UK South | | |
+| | Sweden Central | | |
+ ### Dedicated clusters Azure Monitor currently supports data resilience for availability-zone-enabled dedicated clusters in these regions:
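Review bot: In the new shared-clusters table, the Europe column lists "UK South" before "Sweden Central", which breaks the alphabetical order used in every other column. The change also grows the list from seven regions to twelve while the unchanged lead-in still reads "as of January 2024"; confirm that date still applies to the added regions (UAE North, Australia East, Central India, Norway East, Sweden Central) or update it. A ragged four-column table with empty cells is harder to scan and to read with assistive technology than the bullet list it replaces; a two-column table (geography, regions) would keep the grouping without blank cells.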
azure-monitor Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/whats-new.md
Title: "What's new in Azure Monitor documentation"
description: "What's new in Azure Monitor documentation" Previously updated : 10/11/2023 Last updated : 02/08/2024
This article lists significant changes to Azure Monitor documentation.
> > :::image type="content" source="./media//whats-new/rss.png" alt-text="An rss icon."::: https://aka.ms/azmon/rss +
+## [2024](#tab/2024)
+
+## January 2024
+
+|Subservice | Article | Description |
+||||
+Agents|[MMA Discovery and Removal Utility](agents/azure-monitor-agent-mma-removal-tool.md)|Added a PowerShell script that discovers and removes the Log Analytics agent from machines as part of the migration to Azure Monitor Agent.|
+Agents|[Send data to Event Hubs and Storage (Preview)](agents/azure-monitor-agent-send-data-to-event-hubs-and-storage.md)|Update azure-monitor-agent-send-data-to-event-hubs-and-storage.md|
+Alerts|[Resource Manager template samples for metric alert rules in Azure Monitor](alerts/resource-manager-alerts-metric.md)|We've added a clarification about the parameters used when creating metric alert rules programatically.|
+Alerts|[Manage your alert instances](alerts/alerts-manage-alert-instances.md)|We've added documentation about the new alerts timeline view.|
+Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|Added limitations to log search alert queries.|
+Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|We've added samples of log search alert rule queries that use Azure Data Explorer and Azure Resource Graph.|
+Application-Insights|[Data Collection Basics of Azure Monitor Application Insights](app/opentelemetry-overview.md)|We've provided information on how to get a list of Application Insights SDK versions and their names.|
+Application-Insights|[Application Insights logging with .NET](app/ilogger.md)|We've clarified steps to view ILogger telemetry.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|The script to discover classic resources has been updated.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|Extra details are now available on migrating from Continuous Export to Diagnostic Settings.|
+Application-Insights|[Telemetry processors (preview) - Azure Monitor Application Insights for Java](app/java-standalone-telemetry-processors.md)|Sample metrics filters have been added.|
+Application-Insights|[Log-based and preaggregated metrics in Application Insights](app/pre-aggregated-metrics-log-metrics.md)|We've clarified how custom metrics work.|
+Containers|[Default Prometheus metrics configuration in Azure Monitor](containers/prometheus-metrics-scrape-default.md)|Added default targets for Control Plane to minimal ingestion profile|
+Containers|[Azure Monitor features for Kubernetes monitoring](containers/container-insights-overview.md)|Rewritten to focus on role of log collection and added agent details.|
+Containers|[Configure data collection in Container insights using ConfigMap](containers/container-insights-data-collection-configmap.md)|New article to consolidate ConfigMap configuration of all cluster configurations.|
+Containers|[Configure data collection in Container insights using data collection rule](containers/container-insights-data-collection-dcr.md)|New article to consolidate DCR configuration of all cluster configurations.|
+Containers|[Container insights log schema](containers/container-insights-logs-schema.md)|Combine Prometheus and Container insights|
+Containers|[Enable monitoring for Kubernetes clusters](containers/container-insights-enable-aks.md)|New article to consolidate onboarding process for all container configurations and for both Prometheus and Container insights.|
+Containers|[Customize scraping of Prometheus metrics in Azure Monitor managed service for Prometheus](containers/prometheus-metrics-scrape-configuration.md)|[Azure Monitor Managed Prometheus] Docs for pod annotation scraping through configmap|
+Essentials|[Custom metrics in Azure Monitor (preview)](essentials/metrics-custom-overview.md)|Article refreshed an updated|
+General|[Disable monitoring of your Kubernetes cluster](containers/kubernetes-monitoring-disable.md)|New article to consolidate process for all container configurations and for both Prometheus and Container insights.|
+Logs|[ Best practices for Azure Monitor Logs](best-practices-logs.md)|Dedicated clusters are now available in all commitment tiers, with a minimum daily ingestion of 100 GB.|
+Logs|[Enhance data and service resilience in Azure Monitor Logs with availability zones](logs/availability-zones.md)|Availability zones are now supported in the Israel Central, Poland Central, and Italy North regions.|
+Virtual-Machines|[Dependency Agent](vm/vminsights-dependency-agent-maintenance.md)|VM Insights Dependency Agent now supports RHEL 8.6 Linux.|
+Visualizations|[Composite bar renderer](visualize/workbooks-composite-bar.md)|We've edited the Workbooks content to make some features and functionality easier to find based on customer feedback. We've also removed legacy content.|
++++ ## [2023](#tab/2023) ## December 2023
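Review bot: Several rows in the added January 2024 table need a copy edit before merge. The description for "Send data to Event Hubs and Storage (Preview)" is "Update azure-monitor-agent-send-data-to-event-hubs-and-storage.md", which is a commit title rather than a summary of what changed for the reader. "programatically" in the Resource Manager template row should be "programmatically", and "Article refreshed an updated" in the Essentials row should be "Article refreshed and updated". The Logs row link text has a leading space inside the brackets ("[ Best practices for Azure Monitor Logs]"). The "Disable monitoring of your Kubernetes cluster" row is filed under General although its path is `containers/kubernetes-monitoring-disable.md`; move it to Containers for consistency with the neighbouring rows. Descriptions also mix sentence styles (some end with a period, some do not, one starts with a bracketed tag); pick one form.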
Alerts|[Create or edit an activity log, service health, or resource health alert
Alerts|[Create or edit a metric alert rule](alerts/alerts-create-new-alert-rule.md)|Added limitations for use of custom properties in alert rules. Added list of query plugins not supported by log alert rule queries.| Application-Insights|[Add, modify, and filter OpenTelemetry](app/opentelemetry-add-modify.md)|Custom events code samples and instructions have been added to .NET Core / .NET tabs.| Application-Insights|[Migrate availability tests](app/availability-test-migration.md)|We've clarified the URL ping tests retirement statement. Migrate your URL ping tests as soon as possible using the PowerShell scripts provided in this article.|
-Application-Insights|[Enable Azure Monitor Application Insights Real User Monitoring](app/javascript-sdk.md)|Additional guidance has been added on when to use the npm package.|
-Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|We confirmed that migrating from classic to workspace-based resources doesn't introduce application downtime or restarts, and it does not change your existing instrumentation key or connection string.|
+Application-Insights|[Enable Azure Monitor Application Insights Real User Monitoring](app/javascript-sdk.md)|More guidance has been added on when to use the npm package.|
+Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|We confirmed that migrating from classic to workspace-based resources doesn't introduce application downtime or restarts, and it doesn't change your existing instrumentation key or connection string.|
Logs|[Correlate data in Azure Data Explorer and Azure Resource Graph with data in a Log Analytics workspace](logs/azure-monitor-data-explorer-proxy.md)|Explained how to query Azure Data Explorer external tables using the `adx("")` expression. | Logs|[Logs Ingestion API in Azure Monitor](logs/logs-ingestion-api-overview.md)|Updated Log Ingestion API version.| Profiler|[Profile production applications in Azure with Application Insights Profiler](profiler/profiler-overview.md)|Add support for Java profiler and link to docs from .NET profiler overview.|
Alerts|[Create and manage action groups in the Azure portal](alerts/action-group
Alerts|[Create and manage action groups in the Azure portal](alerts/action-groups.md)|Added list of countries/regions supported by voice notifications.| Alerts|[Connect ServiceNow to Azure Monitor](alerts/itsmc-secure-webhook-connections-servicenow.md)|Added Tokyo to list of supported ServiceNow webhook integrations.| Application-Insights|[Application Insights SDK support guidance](app/sdk-support-guidance.md)|Release notes are now available for each SDK.|
-Application-Insights|[What is distributed tracing and telemetry correlation?](app/distributed-tracing-telemetry-correlation.md)|Merged our documents related to distributed tracing and telemetry correlation.|
+Application-Insights|[What is distributed tracing and telemetry correlation?](app/distributed-trace-data.md)|Merged our documents related to distributed tracing and telemetry correlation.|
Application-Insights|[Application Insights availability tests](app/availability-overview.md)|Separated and called out the two Classic Tests, which are older versions of availability tests.| Application-Insights|[Microsoft Azure Monitor Application Insights JavaScript SDK configuration](app/javascript-sdk-configuration.md)|JavaScript SDK configuration now includes npm setup, cookie configuration and management, source map un-minify support, and tree shaking optimized code.| Application-Insights|[Microsoft Azure Monitor Application Insights JavaScript SDK](app/javascript-sdk.md)|Our introductory article to the JavaScript SDK now provides only the fast and easy code-snippet method of getting started.|
azure-netapp-files Access Smb Volume From Windows Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/access-smb-volume-from-windows-client.md
Title: Access SMB volumes from Microsoft Entra joined Windows virtual machines description: Learn how to access Azure NetApp Files SMB volumes from an on-premises environment using Microsoft Entra ID. -
azure-netapp-files Application Volume Group Add Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-add-hosts.md
description: Describes how to add additional HANA hosts after you have created t
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Add Volume Secondary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-add-volume-secondary.md
description: Describes using application volume group to add volumes for an SAP
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-considerations.md
Title: Requirements and considerations for Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files application volume group for SAP HANA.
+description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files application volume group for SAP HANA.
- Last updated 11/08/2023
azure-netapp-files Application Volume Group Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-delete.md
description: Describes how to delete an application volume group.
- Last updated 11/19/2021
azure-netapp-files Application Volume Group Deploy First Host https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-deploy-first-host.md
Title: Deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes how to deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA.
+description: Describes how to deploy the first SAP HANA host using Azure NetApp Files application volume group for SAP HANA.
- Last updated 10/13/2022
azure-netapp-files Application Volume Group Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-disaster-recovery.md
description: Describes using an application volume group to add volumes for an S
- Last updated 08/22/2022
azure-netapp-files Application Volume Group Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-introduction.md
Title: Understand Azure NetApp Files application volume group for SAP HANA | Microsoft Docs
-description: Describes the use cases and key features of Azure NetApp Files application volume group for SAP HANA.
+description: Describes the use cases and key features of Azure NetApp Files application volume group for SAP HANA.
- Last updated 02/24/2023
azure-netapp-files Application Volume Group Manage Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/application-volume-group-manage-volumes.md
Title: Manage volumes in Azure NetApp Files application volume group | Microsoft Docs
-description: Describes how to manage a volume from its application volume group, including resizing, deleting, or changing throughput for the volume.
+description: Describes how to manage a volume from its application volume group, including resizing, deleting, or changing throughput for the volume.
- Last updated 11/19/2021
azure-netapp-files Auxiliary Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/auxiliary-groups.md
Title: Understand auxiliary/supplemental groups with NFS in Azure NetApp Files
-description: Learn about auxiliary/supplemental groups with NFS in Azure NetApp Files.
+description: Learn about auxiliary/supplemental groups with NFS in Azure NetApp Files.
- Last updated 11/13/2023
For more information about the option, including how it behaves with different v
## Next steps * [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md)
-* [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md)
+* [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md)
azure-netapp-files Azacsnap Cmd Ref Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-backup.md
Title: Back up using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the backup command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the backup command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 07/29/2022
azure-netapp-files Azacsnap Cmd Ref Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-configure.md
Title: Configure the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn how to run the configure command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn how to run the configure command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Cmd Ref Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-delete.md
Title: Delete using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the delete command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the delete command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 01/18/2023
azure-netapp-files Azacsnap Cmd Ref Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-details.md
Title: Obtain details using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the details command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the details command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 04/21/2021
azure-netapp-files Azacsnap Cmd Ref Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-restore.md
Title: Restore using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for running the restore command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for running the restore command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 05/04/2023
azure-netapp-files Azacsnap Cmd Ref Runbefore Runafter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-runbefore-runafter.md
Title: RunBefore and RunAfter using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for using the runbefore and runafter options of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for using the runbefore and runafter options of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 07/29/2022
PORTAL_GENERATED_SAS="https://<targetstorageaccount>.blob.core.windows.net/<blob
## Next steps - [Take a backup](azacsnap-cmd-ref-backup.md)-- [Get snapshot details](azacsnap-cmd-ref-details.md)
+- [Get snapshot details](azacsnap-cmd-ref-details.md)
azure-netapp-files Azacsnap Cmd Ref Test https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-cmd-ref-test.md
Title: Test Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Explains how to run the test command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Explains how to run the test command of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/04/2021
azure-netapp-files Azacsnap Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-disaster-recovery.md
Title: Disaster recovery using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Explains how to perform disaster recovery when using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Explains how to perform disaster recovery when using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 04/21/2021
azure-netapp-files Azacsnap Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-get-started.md
Title: Get started with Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides a guide for installing the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides a guide for installing the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 03/03/2022
The following guidance is provided to illustrate the usage of the snapshot tools
## Next steps - [Install Azure Application Consistent Snapshot tool](azacsnap-installation.md)-
azure-netapp-files Azacsnap Installation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-installation.md
Title: Install the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn how to install the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn how to install the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
No special database configuration is required for Db2 because you're using the i
## Next steps - [Configure the Azure Application Consistent Snapshot tool](azacsnap-cmd-ref-configure.md)-
azure-netapp-files Azacsnap Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-introduction.md
Title: What is the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Get basic information about the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Get basic information about the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Preview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-preview.md
Title: Preview features for the Azure Application Consistent Snapshot tool for Azure NetApp Files
-description: Learn about the preview features of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Learn about the preview features of the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
azure-netapp-files Azacsnap Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-release-notes.md
Title: Release Notes for Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides release notes for the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides release notes for the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 08/21/2023
AzAcSnap v5.0 Preview (Build: 20210318.30771) has been released with the followi
- [Get started with Azure Application Consistent Snapshot tool](azacsnap-get-started.md) - [Download the latest release of the installer](https://aka.ms/azacsnapinstaller)--
azure-netapp-files Azacsnap Tips https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-tips.md
Title: Tips and tricks for using Azure Application Consistent Snapshot tool for Azure NetApp Files | Microsoft Docs
-description: Provides tips and tricks for using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
+description: Provides tips and tricks for using the Azure Application Consistent Snapshot tool that you can use with Azure NetApp Files.
- Last updated 09/20/2023
azure-netapp-files Azacsnap Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azacsnap-troubleshoot.md
description: Troubleshoot communication issues, test failures, and other SAP HAN
- Last updated 01/16/2023
In the preceding example, adding the `DATABASE BACKUP ADMIN` privilege to the SY
- [Tips and tricks for using AzAcSnap](azacsnap-tips.md) - [AzAcSnap command reference](azacsnap-cmd-ref-configure.md)--
azure-netapp-files Azure Government https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-government.md
description: Learn how to connect to Azure Government to use Azure NetApp Files
- Last updated 11/02/2023
azure-netapp-files Azure Netapp Files Configure Export Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-configure-export-policy.md
- Last updated 07/28/2021
azure-netapp-files Azure Netapp Files Configure Nfsv41 Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-configure-nfsv41-domain.md
Title: Configure NFSv4.1 ID domain for Azure NetApp Files | Microsoft Docs
description: Learn how to configure NFSv4.1 ID domain for using NFSv4.1 with Azure NetApp Files. - Last updated 07/12/2023
azure-netapp-files Azure Netapp Files Cost Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-cost-model.md
description: Describes the cost model for Azure NetApp Files for managing expens
- Last updated 11/08/2021
azure-netapp-files Azure Netapp Files Create Netapp Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-netapp-account.md
description: Learn how to access Azure NetApp Files and create a NetApp account
- Last updated 10/04/2021
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
description: This article shows you how to create an SMB3 volume in Azure NetApp
- Last updated 05/31/2023
azure-netapp-files Azure Netapp Files Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes.md
description: This article shows you how to create an NFS volume in Azure NetApp
- Last updated 05/28/2023
azure-netapp-files Azure Netapp Files Delegate Subnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-delegate-subnet.md
description: Learn how to delegate a subnet to Azure NetApp Files. Specify the d
- Last updated 09/28/2023
azure-netapp-files Azure Netapp Files Develop With Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-develop-with-rest-api.md
description: The REST API for the Azure NetApp Files service defines HTTP operat
- Last updated 09/30/2022
azure-netapp-files Azure Netapp Files Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-introduction.md
description: Learn about Azure NetApp Files, an Azure native, first-party, enter
- Last updated 01/11/2024
azure-netapp-files Azure Netapp Files Manage Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-manage-snapshots.md
Title: Create an on-demand snapshot using Azure NetApp Files | Microsoft Docs
-description: Describes how to create on-demand snapshots with Azure NetApp Files.
+description: Describes how to create on-demand snapshots with Azure NetApp Files.
- Last updated 10/25/2021
azure-netapp-files Azure Netapp Files Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-metrics.md
description: Azure NetApp Files provides metrics on allocated storage, actual st
- Last updated 07/19/2023
azure-netapp-files Azure Netapp Files Mount Unmount Volumes For Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md
description: Learn how to mount an NFS volume for Windows or Linux virtual machi
- Last updated 09/07/2022
azure-netapp-files Azure Netapp Files Network Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-network-topologies.md
description: Describes guidelines that can help you design an effective network
- Last updated 08/10/2023
azure-netapp-files Azure Netapp Files Performance Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-performance-considerations.md
description: Learn about performance for Azure NetApp Files, including the relat
- Last updated 08/31/2023
azure-netapp-files Azure Netapp Files Performance Metrics Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-performance-metrics-volumes.md
description: Learn about benchmark testing recommendations for volume performanc
- Last updated 05/08/2023
azure-netapp-files Azure Netapp Files Quickstart Set Up Account Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-quickstart-set-up-account-create-volumes.md
description: Quickstart - Describes how to quickly set up Azure NetApp Files and
- Last updated 02/21/2023
azure-netapp-files Azure Netapp Files Register https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-register.md
description: Learn how to register the NetApp Resource Provider for Azure NetApp
- Last updated 01/21/2022
azure-netapp-files Azure Netapp Files Resize Capacity Pools Or Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resize-capacity-pools-or-volumes.md
description: Learn how to change the size of a capacity pool or a volume. Resizi
- Last updated 02/21/2023
azure-netapp-files Azure Netapp Files Resource Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-resource-limits.md
description: Describes limits for Azure NetApp Files resources and how to reques
- Last updated 09/29/2023
azure-netapp-files Azure Netapp Files Sdk Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-sdk-cli.md
description: "Learn about supported SDKs for Azure NetApp Files and their publis
- Last updated 09/30/2022
azure-netapp-files Azure Netapp Files Service Levels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-service-levels.md
description: Describes throughput performance for the service levels of Azure Ne
- Last updated 08/02/2022
azure-netapp-files Azure Netapp Files Set Up Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md
Title: Create a capacity pool for Azure NetApp Files | Microsoft Docs
-description: Describes how to create a capacity pool so that you can create volumes within it.
+description: Describes how to create a capacity pool so that you can create volumes within it.
- Last updated 10/23/2023
azure-netapp-files Azure Netapp Files Smb Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-smb-performance.md
description: Helps you understand SMB performance and best practices for Azure N
- Last updated 02/07/2022
azure-netapp-files Azure Netapp Files Solution Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
description: Provides references to best practices for solution architectures us
- Last updated 09/18/2023
azure-netapp-files Azure Netapp Files Troubleshoot Resource Provider Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-troubleshoot-resource-provider-errors.md
description: Describes causes, solutions, and workarounds for common Azure NetAp
- Last updated 02/09/2022
azure-netapp-files Azure Netapp Files Understand Storage Hierarchy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-understand-storage-hierarchy.md
description: Describes the storage hierarchy, including Azure NetApp Files accou
- Last updated 07/27/2023
azure-netapp-files Azure Netapp Files Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-videos.md
Title: Azure NetApp Files videos | Microsoft Docs
-description: Provides references to videos that contain discussions about using Azure NetApp Files.
+description: Provides references to videos that contain discussions about using Azure NetApp Files.
- Last updated 12/07/2023
azure-netapp-files Azure Policy Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-policy-definitions.md
Title: Azure Policy definitions for Azure NetApp Files | Microsoft Docs
-description: Describes the Azure Policy custom definitions and built-in definitions that you can use with Azure NetApp Files.
+description: Describes the Azure Policy custom definitions and built-in definitions that you can use with Azure NetApp Files.
- Last updated 06/02/2022
azure-netapp-files Backup Configure Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-configure-manual.md
Title: Configure manual backups for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure manual backups for Azure NetApp Files volumes.
+description: Describes how to configure manual backups for Azure NetApp Files volumes.
- Last updated 06/13/2023
If you haven't done so, enable the backup functionality for the volume before
* [Delete backups of a volume](backup-delete.md) * [Volume backup metrics](azure-netapp-files-metrics.md#volume-backup-metrics) * [Azure NetApp Files backup FAQs](faq-backup.md)--
azure-netapp-files Backup Configure Policy Based https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-configure-policy-based.md
Title: Configure policy-based backups for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure policy-based (scheduled) backups for Azure NetApp Files volumes.
+description: Describes how to configure policy-based (scheduled) backups for Azure NetApp Files volumes.
- Last updated 10/25/2023
azure-netapp-files Backup Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-delete.md
description: Describes how to delete individual backups that you no longer need
- Last updated 10/27/2022
azure-netapp-files Backup Disable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-disable.md
Title: Disable backup functionality for an Azure NetApp Files volume | Microsoft Docs
-description: Describes how to disable the backup functionality for a volume that no longer needs backup protection.
+description: Describes how to disable the backup functionality for a volume that no longer needs backup protection.
- Last updated 10/27/2022
azure-netapp-files Backup Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-introduction.md
Title: Understand Azure NetApp Files backup | Microsoft Docs
-description: Describes what Azure NetApp Files backup does, supported regions, and the cost model.
+description: Describes what Azure NetApp Files backup does, supported regions, and the cost model.
- Last updated 09/29/2023
If you choose to restore a backup of, for example, 600 GiB to a new volume, you'
* [Volume backup metrics](azure-netapp-files-metrics.md#volume-backup-metrics) * [Azure NetApp Files backup FAQs](faq-backup.md) * [How Azure NetApp Files snapshots work](snapshots-introduction.md)--
azure-netapp-files Backup Manage Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-manage-policies.md
Title: Manage backup policies for Azure NetApp Files | Microsoft Docs
-description: Describes how to modify or suspend a backup policy for Azure NetApp Files volumes.
+description: Describes how to modify or suspend a backup policy for Azure NetApp Files volumes.
- Last updated 07/31/2023
azure-netapp-files Backup Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-requirements-considerations.md
Title: Requirements and considerations for Azure NetApp Files backup | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files backup.
+description: Describes the requirements and considerations you need to be aware of before using Azure NetApp Files backup.
- Last updated 08/15/2023
azure-netapp-files Backup Restore New Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-restore-new-volume.md
Title: Restore a backup to a new Azure NetApp Files volume | Microsoft Docs
-description: Describes how to restore a backup to a new volume.
+description: Describes how to restore a backup to a new volume.
- Last updated 10/17/2023
azure-netapp-files Backup Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-search.md
Title: Search backups of Azure NetApp Files volumes | Microsoft Docs
-description: Describes how to display and search backups of Azure NetApp Files volumes at the volume level and the NetApp account level.
+description: Describes how to display and search backups of Azure NetApp Files volumes at the volume level and the NetApp account level.
- Last updated 09/27/2021
azure-netapp-files Backup Vault Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/backup-vault-manage.md
Title: Manage backup vaults for Azure NetApp Files | Microsoft Docs
-description: Describes how to use backup vaults to manage backups in Azure NetApp Files.
+description: Describes how to use backup vaults to manage backups in Azure NetApp Files.
- Last updated 10/27/2022
azure-netapp-files Configure Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-access-control-lists.md
Title: Configure access control lists with Azure NetApp Files | Microsoft Docs
description: This article shows you how to configure access control lists (ACLs) on NFSv4.1 with Azure NetApp Files. - Last updated 12/20/2022
azure-netapp-files Configure Application Volume Group Sap Hana Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-application-volume-group-sap-hana-api.md
Title: Configure application volume groups for SAP HANA using REST API
-description: Setting up your application volume groups for the SAP HANA API requires special configurations.
+ Title: Configure application volume groups for SAP HANA using REST API
+description: Setting up your application volume groups for the SAP HANA API requires special configurations.
- Last updated 04/09/2023
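Review bot: the added `Title:` line in this hunk repeats the unchanged Title line directly above it, while only the description shows up as a removal, so as rendered the file would carry two title entries. The neighbouring files in this batch change just the description line; if the same cleanup was intended here, the old Title line should appear as a removal as well. Worth confirming that the article's metadata still has a single title key and that the leading space before `Title:` on the added line is intentional.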
azure-netapp-files Configure Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-customer-managed-keys.md
description: Describes how to configure customer-managed keys for Azure NetApp F
- Last updated 10/02/2023
azure-netapp-files Configure Kerberos Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-kerberos-encryption.md
description: Describes how to configure NFSv4.1 Kerberos encryption for Azure Ne
- Last updated 01/10/2022
azure-netapp-files Configure Ldap Extended Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-ldap-extended-groups.md
Title: Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes | Microsoft Docs
-description: Describes the considerations and steps for enabling LDAP with extended groups when you create an NFS volume by using Azure NetApp Files.
+description: Describes the considerations and steps for enabling LDAP with extended groups when you create an NFS volume by using Azure NetApp Files.
- Last updated 03/17/2023
azure-netapp-files Configure Ldap Over Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-ldap-over-tls.md
Title: Configure AD DS LDAP over TLS for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure AD DS LDAP over TLS for Azure NetApp Files, including root CA certificate management.
+description: Describes how to configure AD DS LDAP over TLS for Azure NetApp Files, including root CA certificate management.
- Last updated 02/23/2023
azure-netapp-files Configure Network Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-network-features.md
Title: Configure network features for an Azure NetApp Files volume | Microsoft Docs
-description: Describes the options for network features and how to configure the Network Features option for a volume.
+description: Describes the options for network features and how to configure the Network Features option for a volume.
- Last updated 11/07/2023
azure-netapp-files Configure Nfs Clients https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-nfs-clients.md
Title: Configure an NFS client for Azure NetApp Files | Microsoft Docs
-description: Describes how to configure NFS clients to use with Azure NetApp Files.
+description: Describes how to configure NFS clients to use with Azure NetApp Files.
- Last updated 05/27/2022
azure-netapp-files Configure Unix Permissions Change Ownership Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-unix-permissions-change-ownership-mode.md
Title: Configure Unix permissions and change ownership mode for Azure NetApp Files NFS and dual-protocol volumes | Microsoft Docs
-description: Describes how to set the Unix permissions and the change ownership mode options for Azure NetApp Files NFS and dual-protocol volumes.
+description: Describes how to set the Unix permissions and the change ownership mode options for Azure NetApp Files NFS and dual-protocol volumes.
- Last updated 02/28/2023
azure-netapp-files Convert Nfsv3 Nfsv41 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/convert-nfsv3-nfsv41.md
Title: Convert an NFS volume between NFSv3 and NFSv4.1 with Azure NetApp Files | Microsoft Docs
-description: Describes how to convert an NFS volume between NFSv3 and NFSv4.1.
+description: Describes how to convert an NFS volume between NFSv3 and NFSv4.1.
- Last updated 11/08/2022
azure-netapp-files Cool Access Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cool-access-introduction.md
description: Explains how to use standard storage with cool access to configure
- Last updated 11/01/2023
azure-netapp-files Create Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md
description: This article shows you how to create and manage Active Directory co
- Last updated 11/07/2023
azure-netapp-files Create Cross Zone Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-cross-zone-replication.md
description: This article shows you how to create and manage cross-zone replicat
- Last updated 01/04/2023
azure-netapp-files Create Volumes Dual Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-volumes-dual-protocol.md
description: Describes how to create a volume that uses the dual protocol (NFSv3
- Last updated 06/22/2023
azure-netapp-files Cross Region Replication Create Peering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-create-peering.md
description: Describes how to create volume replication peering for Azure NetApp
- Last updated 02/23/2023
azure-netapp-files Cross Region Replication Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-delete.md
Title: Delete volume replications or volumes for Azure NetApp Files cross-region replication | Microsoft Docs
-description: Describes how to delete a replication connection that is no longer needed between the source and the destination volumes.
+description: Describes how to delete a replication connection that is no longer needed between the source and the destination volumes.
- Last updated 03/22/2023
azure-netapp-files Cross Region Replication Display Health Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-display-health-status.md
description: Describes how to view replication status on the source volume or th
- Last updated 05/16/2022
Create [alert rules in Azure Monitor](../azure-monitor/alerts/alerts-overview.md
* [Volume replication metrics](azure-netapp-files-metrics.md#replication) * [Delete volume replications or volumes](cross-region-replication-delete.md) * [Troubleshoot cross-region replication](troubleshoot-cross-region-replication.md)-
azure-netapp-files Cross Region Replication Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-introduction.md
Title: Cross-region replication of Azure NetApp Files volumes | Microsoft Docs
-description: Describes what Azure NetApp Files cross-region replication does, supported region pairs, service-level objectives, data durability, and cost model.
+description: Describes what Azure NetApp Files cross-region replication does, supported region pairs, service-level objectives, data durability, and cost model.
- Last updated 05/08/2023
azure-netapp-files Cross Region Replication Manage Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-manage-disaster-recovery.md
description: Describes how to manage disaster recovery by using Azure NetApp Fil
- Last updated 11/09/2022
After the resync operation from destination to source is complete, you need to b
* [Volume replication metrics](azure-netapp-files-metrics.md#replication) * [Delete volume replications or volumes](cross-region-replication-delete.md) * [Troubleshoot cross-region replication](troubleshoot-cross-region-replication.md)-
azure-netapp-files Cross Region Replication Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-region-replication-requirements-considerations.md
Title: Requirements and considerations for Azure NetApp Files cross-region replication | Microsoft Docs
-description: Describes the requirements and considerations for using the volume cross-region replication functionality of Azure NetApp Files.
+description: Describes the requirements and considerations for using the volume cross-region replication functionality of Azure NetApp Files.
- Last updated 02/28/2023
azure-netapp-files Cross Zone Replication Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-zone-replication-introduction.md
description: Describes what Azure NetApp Files cross-zone replication does.
- Last updated 02/17/2023
Replicated volumes are hosted on a [capacity pool](azure-netapp-files-understand
* [Requirements and considerations for using cross-zone replication](cross-zone-replication-requirements-considerations.md) * [Create cross-zone replication](create-cross-zone-replication.md)-
azure-netapp-files Cross Zone Replication Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cross-zone-replication-requirements-considerations.md
description: Describes the requirements and considerations for using the volume
- Last updated 08/18/2023
azure-netapp-files Data Protection Disaster Recovery Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/data-protection-disaster-recovery-options.md
description: Learn about data protection and disaster recovery options available
- Last updated 07/11/2023
azure-netapp-files Default Individual User Group Quotas Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/default-individual-user-group-quotas-introduction.md
description: Helps you understand the use cases of managing default and individu
- Last updated 02/23/2023
In the following scenario, users `user4` and `user5` are members of `group2`. Th
* [Manage default and individual user and group quotas for a volume](manage-default-individual-user-group-quotas.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
-* [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
+* [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
azure-netapp-files Develop Rest Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/develop-rest-api-powershell.md
description: Describes how to get started with the Azure NetApp Files REST API u
- Last updated 09/30/2022
azure-netapp-files Disable Showmount https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/disable-showmount.md
description: Showmount on NFS clients has historically been how users can see ex
- Last updated 03/16/2023
The disable showmount capability is currently in preview. If you're using this f
```azurepowershell-interactive Unregister-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFDisableShowmount
- ```
+ ```
azure-netapp-files Double Encryption At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/double-encryption-at-rest.md
Title: Azure NetApp Files double encryption at rest | Microsoft Docs
-description: Explains Azure NetApp Files double encryption at rest to help you use this feature.
+description: Explains Azure NetApp Files double encryption at rest to help you use this feature.
- Last updated 08/28/2023
azure-netapp-files Dual Protocol Permission Behaviors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/dual-protocol-permission-behaviors.md
Title: Understand dual-protocol security style and permission behaviors in Azure NetApp Files | Microsoft Docs
-description: This article helps you understand dual-protocol security style and permission when you use Azure NetApp Files.
+description: This article helps you understand dual-protocol security style and permission when you use Azure NetApp Files.
- Last updated 08/02/2023
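Review bot: the description on the added line reads "dual-protocol security style and permission when you use Azure NetApp Files", which drops the noun that the title above carries ("permission behaviors"). The removed and added lines are otherwise identical as shown, so this edit is a chance to fix the wording: suggest "security style and permission behaviors when you use Azure NetApp Files" so the description matches the title.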
The following figure shows an example of that kind of configuration.
* [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md) * [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md) * [Azure NetApp Files NFS FAQ](faq-nfs.md)
-* [Azure NetApp Files SMB FAQ](faq-smb.md)
+* [Azure NetApp Files SMB FAQ](faq-smb.md)
azure-netapp-files Dynamic Change Volume Service Level https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/dynamic-change-volume-service-level.md
description: Describes how to dynamically change the service level of a volume.
- Last updated 05/11/2023
The capacity pool that you want to move the volume to must already exist. The ca
* [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md) * [Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md) * [Metrics for Azure NetApp Files](azure-netapp-files-metrics.md)
-* [Troubleshoot issues for changing the capacity pool of a volume](troubleshoot-capacity-pools.md#issues-when-changing-the-capacity-pool-of-a-volume)
+* [Troubleshoot issues for changing the capacity pool of a volume](troubleshoot-capacity-pools.md#issues-when-changing-the-capacity-pool-of-a-volume)
azure-netapp-files Enable Continuous Availability Existing SMB https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/enable-continuous-availability-existing-SMB.md
Title: Enable Continuous Availability on existing Azure NetApp Files SMB volumes | Microsoft Docs
-description: Describes how to enable SMB Continuous Availability on existing Azure NetApp Files SMB volume.
+description: Describes how to enable SMB Continuous Availability on existing Azure NetApp Files SMB volume.
- Last updated 05/31/2023
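Review bot: the added description ends with "on existing Azure NetApp Files SMB volume", singular and without an article, while the title directly above says "SMB volumes". Suggest "on existing Azure NetApp Files SMB volumes" so the two lines agree.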
azure-netapp-files Faq Application Resilience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-application-resilience.md
Title: Application resilience FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files application resilience. -
azure-netapp-files Faq Application Volume Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-application-volume-group.md
Title: FAQs About Azure NetApp Files application volume group | Microsoft Docs description: answers frequently asked questions (FAQs) about Azure NetApp Files application volume group. -
azure-netapp-files Faq Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-backup.md
Title: Azure NetApp Files backup FAQs | Microsoft Docs description: Answers frequently asked questions (FAQs) about using the Azure NetApp Files backup feature. -
azure-netapp-files Faq Capacity Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-capacity-management.md
Title: FAQs About Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files capacity management. -
azure-netapp-files Faq Data Migration Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-data-migration-protection.md
Title: Data migration and protection FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files data migration and protection. -
azure-netapp-files Faq Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-integration.md
Title: Integration FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about using other products or services with Azure NetApp Files. -
azure-netapp-files Faq Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-networking.md
Title: Networking FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files networking. -
azure-netapp-files Faq Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-nfs.md
Title: NFS FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about the NFS protocol of Azure NetApp Files. -
azure-netapp-files Faq Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-performance.md
Title: Performance FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files Performance. -
Jumbo frames are not supported with Azure virtual machines.
- [Data migration and protection FAQs](faq-data-migration-protection.md) - [Azure NetApp Files backup FAQs](faq-backup.md) - [Application resilience FAQs](faq-application-resilience.md)-- [Integration FAQs](faq-integration.md)
+- [Integration FAQs](faq-integration.md)
azure-netapp-files Faq Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-security.md
Title: Security FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about Azure NetApp Files security. -
The AD Connector credentials are stored in the Azure NetApp Files control plane
- [Data migration and protection FAQs](faq-data-migration-protection.md) - [Azure NetApp Files backup FAQs](faq-backup.md) - [Application resilience FAQs](faq-application-resilience.md)-- [Integration FAQs](faq-integration.md)
+- [Integration FAQs](faq-integration.md)
azure-netapp-files Faq Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-smb.md
Title: SMB FAQs for Azure NetApp Files | Microsoft Docs description: Answers frequently asked questions (FAQs) about the SMB protocol of Azure NetApp Files. -
azure-netapp-files Join Active Directory Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/join-active-directory-domain.md
description: Describes how to join a Linux VM to a Microsoft Entra Domain
- Last updated 12/20/2022
azure-netapp-files Large Volumes Requirements Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/large-volumes-requirements-considerations.md
Title: Requirements and considerations for large volumes | Microsoft Docs
-description: Describes the requirements and considerations you need to be aware of before using large volumes.
+description: Describes the requirements and considerations you need to be aware of before using large volumes.
- Last updated 11/02/2023
azure-netapp-files Lightweight Directory Access Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/lightweight-directory-access-protocol.md
Title: Understand the use of LDAP with Azure NetApp Files | Microsoft Learn
-description: This article helps you understand how Azure NetApp Files uses lightweight directory access protocol (LDAP).
+description: This article helps you understand how Azure NetApp Files uses lightweight directory access protocol (LDAP).
- Last updated 08/05/2023
azure-netapp-files Manage Availability Zone Volume Placement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-availability-zone-volume-placement.md
description: Describes how to create a volume with an availability zone by using
- Last updated 01/13/2023
azure-netapp-files Manage Billing Tags https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-billing-tags.md
description: Describes how to manage Azure NetApp Files billing by using tags.
- Last updated 05/06/2021
Billing tags are assigned at the capacity pool level, not volume level.
## Next steps
-[Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md)
+[Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md)
azure-netapp-files Manage Cool Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-cool-access.md
Title: Manage Azure NetApp Files standard storage with cool access
+ Title: Manage Azure NetApp Files standard storage with cool access
description: Learn how to free up storage by configuring inactive data to move from Azure NetApp Files Standard service-level storage (the hot tier) to an Azure storage account (the cool tier). - Last updated 01/16/2023
azure-netapp-files Manage Default Individual User Group Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-default-individual-user-group-quotas.md
Title: Manage default and individual user and group quotas for Azure NetApp Files volumes | Microsoft Docs
+ Title: Manage default and individual user and group quotas for Azure NetApp Files volumes | Microsoft Docs
description: Describes the considerations and steps for managing user and group quotas for Azure NetApp Files volumes. - Last updated 06/14/2023
azure-netapp-files Manage Manual Qos Capacity Pool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-manual-qos-capacity-pool.md
description: Describes how to manage a capacity pool that uses the manual QoS ty
- Last updated 06/14/2021
azure-netapp-files Manage Smb Share Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/manage-smb-share-access-control-lists.md
- Last updated 11/03/2023
azure-netapp-files Modify Active Directory Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/modify-active-directory-connections.md
Title: Modify an Active Directory Connection for Azure NetApp Files | Microsoft
description: This article shows you how to modify Active Directory connections for Azure NetApp Files. - Last updated 02/21/2023
azure-netapp-files Monitor Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/monitor-azure-netapp-files.md
description: Describes ways to monitor Azure NetApp Files, including the Activit
- Last updated 01/24/2022
azure-netapp-files Monitor Volume Capacity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/monitor-volume-capacity.md
Title: Monitor the capacity of an Azure NetApp Files volume | Microsoft Docs
-description: Describes ways to monitor the capacity utilization of an Azure NetApp Files volume.
+description: Describes ways to monitor the capacity utilization of an Azure NetApp Files volume.
- Last updated 09/30/2022
azure-netapp-files Mount Volumes Vms Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/mount-volumes-vms-smb.md
description: Learn how to mount SMB volumes for Windows virtual machines.
- Last updated 08/18/2022
You can mount an SMB file for Windows virtual machines (VMs).
* [Mount NFS volumes for Windows or Linux VMs](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md) * [SMB FAQs](faq-smb.md)
-* [Network File System overview](/windows-server/storage/nfs/nfs-overview)
+* [Network File System overview](/windows-server/storage/nfs/nfs-overview)
azure-netapp-files Network Attached File Permissions Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions-nfs.md
Title: Understand NFS file permissions in Azure NetApp Files
-description: Learn about mode bits in NFS workloads on Azure NetApp Files.
+description: Learn about mode bits in NFS workloads on Azure NetApp Files.
- Last updated 11/13/2023
drwxr-xr-x. 2 root root 4096 Apr 23 14:39 umask_dir
## Next steps * [Understand auxiliary/supplemental groups with NFS](auxiliary-groups.md)
-* [Understand NFSv4.x access control lists](nfs-access-control-lists.md)
+* [Understand NFSv4.x access control lists](nfs-access-control-lists.md)
azure-netapp-files Network Attached File Permissions Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions-smb.md
Title: Understand SMB file permissions in Azure NetApp Files
-description: Learn about SMB file permissions options in Azure NetApp Files.
+description: Learn about SMB file permissions options in Azure NetApp Files.
- Last updated 11/13/2023
For a complete overview of NTFS-style ACLs, see [Microsoft Access Control overvi
## Next steps
-* [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)
+* [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)
azure-netapp-files Network Attached File Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-file-permissions.md
Title: Understand NAS file permissions in Azure NetApp Files
-description: Learn about NAS file permissions options in Azure NetApp Files.
+description: Learn about NAS file permissions options in Azure NetApp Files.
- Last updated 11/13/2023
Folders can be assigned inheritance flags, which means that parent folder permis
* [Understand NFS file permissions](network-attached-file-permissions-nfs.md) * [Understand SMB file permissions](network-attached-file-permissions-smb.md)
-* [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md)
+* [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md)
azure-netapp-files Network Attached Storage Concept https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-concept.md
Title: Understand NAS concepts in Azure NetApp Files | Microsoft Docs
-description: This article covers important information about NAS volumes when using Azure NetApp Files.
+description: This article covers important information about NAS volumes when using Azure NetApp Files.
- Last updated 06/26/2023
azure-netapp-files Network Attached Storage Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-permissions.md
Title: Understand NAS share permissions in Azure NetApp Files
-description: Learn about NAS share permissions options in Azure NetApp Files.
+description: Learn about NAS share permissions options in Azure NetApp Files.
- Last updated 11/13/2023
azure-netapp-files Network Attached Storage Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-protocols.md
Title: Understand NAS protocols in Azure NetApp Files | Microsoft Learn
-description: Learn how SMB, NFS, and dual protocols operate in Azure NetApp Files.
+description: Learn how SMB, NFS, and dual protocols operate in Azure NetApp Files.
- Last updated 08/02/2023
azure-netapp-files Network File System Group Memberships https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-file-system-group-memberships.md
Title: Understand NFS group memberships and supplemental groups for Azure NetApp Files | Microsoft Learn
-description: This article helps you understand NFS group memberships and supplemental groups as they apply to Azure NetApp Files.
+description: This article helps you understand NFS group memberships and supplemental groups as they apply to Azure NetApp Files.
- Last updated 08/02/2023
azure-netapp-files Nfs Access Control Lists https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/nfs-access-control-lists.md
Title: Understand NFSv4.x access control lists in Azure NetApp Files
-description: Learn about using NFSv4.x access control lists in Azure NetApp Files.
+description: Learn about using NFSv4.x access control lists in Azure NetApp Files.
- Last updated 11/13/2023
Alternatively, in dual-protocol environments, NTFS ACLs can be used to granularl
## Next steps * [Configure NFS clients](configure-nfs-clients.md)
-* [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md)
+* [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md)
azure-netapp-files Performance Azure Vmware Solution Datastore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-azure-vmware-solution-datastore.md
description: Describes considerations for Azure VMware Solution (AVS) datastore
- Last updated 11/12/2023
azure-netapp-files Performance Benchmarks Azure Vmware Solution https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-benchmarks-azure-vmware-solution.md
description: Describes performance benchmarks that Azure NetApp Files datastores
- Last updated 03/15/2023
azure-netapp-files Performance Benchmarks Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-benchmarks-linux.md
Title: Azure NetApp Files performance benchmarks for Linux | Microsoft Docs
-description: Describes performance benchmarks Azure NetApp Files delivers for Linux.
+description: Describes performance benchmarks Azure NetApp Files delivers for Linux.
- Last updated 09/29/2021
azure-netapp-files Performance Impact Kerberos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-impact-kerberos.md
Title: Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes | Microsoft Docs
-description: Describes the available security options, the tested performance vectors, and the expected performance impact of kerberos on Azure NetApp Files NFSv4.1 volumes.
+description: Describes the available security options, the tested performance vectors, and the expected performance impact of kerberos on Azure NetApp Files NFSv4.1 volumes.
- Last updated 08/22/2022
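Review bot: "kerberos" is lowercase in the added description line but capitalized in the title directly above it. Suggest "the expected performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes" so the protocol name is spelled consistently in the page metadata.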
azure-netapp-files Performance Linux Concurrency Session Slots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-concurrency-session-slots.md
Title: Linux concurrency best practices for Azure NetApp Files - Session slots and slot table entries | Microsoft Docs
-description: Describes best practices about session slots and slot table entries for Azure NetApp Files NFS protocol.
+description: Describes best practices about session slots and slot table entries for Azure NetApp Files NFS protocol.
- Last updated 08/02/2021
azure-netapp-files Performance Linux Direct Io https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-direct-io.md
Title: Linux direct I/O best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Linux direct I/O and the best practices to follow for Azure NetApp Files.
+description: Describes Linux direct I/O and the best practices to follow for Azure NetApp Files.
- Last updated 07/02/2021
azure-netapp-files Performance Linux Filesystem Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-filesystem-cache.md
Title: Linux filesystem cache best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Linux filesystem cache best practices to follow for Azure NetApp Files.
+description: Describes Linux filesystem cache best practices to follow for Azure NetApp Files.
- Last updated 07/02/2021
azure-netapp-files Performance Linux Mount Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-mount-options.md
Title: Linux NFS mount options best practices for Azure NetApp Files | Microsoft Docs
-description: Describes mount options and the best practices about using them with Azure NetApp Files.
+description: Describes mount options and the best practices about using them with Azure NetApp Files.
- Last updated 12/07/2022
azure-netapp-files Performance Linux Nfs Read Ahead https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-linux-nfs-read-ahead.md
description: Describes filesystem cache and Linux NFS read-ahead best practices
- Last updated 09/29/2022
azure-netapp-files Performance Oracle Multiple Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-oracle-multiple-volumes.md
description: Migrating highly performant Exadata grade databases to the cloud is
- Last updated 05/04/2023
azure-netapp-files Performance Oracle Single Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-oracle-single-volumes.md
Title: Oracle database performance on Azure NetApp Files single volume | Microsoft Docs
-description: Describes performance test results of a Azure NetApp Files single volume on Oracle database.
+description: Describes performance test results of a Azure NetApp Files single volume on Oracle database.
- Last updated 08/04/2022
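Review bot: the added description line still reads "performance test results of a Azure NetApp Files single volume"; the article should be "an" before "Azure". The removed and added lines are identical as shown, so the grammar fix can go into this same change.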
In summary, Azure NetApp Files helps you take your Oracle databases to the cloud
## Next steps - [Performance benchmark test recommendations for Azure NetApp Files](azure-netapp-files-performance-metrics-volumes.md)-- [Performance benchmarks for Linux](performance-benchmarks-linux.md)
+- [Performance benchmarks for Linux](performance-benchmarks-linux.md)
azure-netapp-files Performance Virtual Machine Sku https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/performance-virtual-machine-sku.md
Title: Azure virtual machine SKUs best practices for Azure NetApp Files | Microsoft Docs
-description: Describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.
+description: Describes Azure NetApp Files best practices about Azure virtual machine SKUs, including differences within and between SKUs.
- Last updated 07/02/2021
azure-netapp-files Reestablish Deleted Volume Relationships https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/reestablish-deleted-volume-relationships.md
Title: Re-establish deleted volume replication relationships in Azure NetApp Files
-description: You can re-establish the replication relationship between volumes.
+description: You can re-establish the replication relationship between volumes.
- Last updated 02/21/2023
azure-netapp-files Regional Capacity Quota https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/regional-capacity-quota.md
description: Explains regional capacity quota of Azure NetApp Files.
- Last updated 10/11/2021
azure-netapp-files Request Region Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/request-region-access.md
description: Describes how to request access to a region for using Azure NetApp
- Last updated 11/15/2021
azure-netapp-files Snapshots Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-delete.md
Title: Delete snapshots using Azure NetApp Files | Microsoft Docs
-description: Describes how to delete snapshots by using Azure NetApp Files.
+description: Describes how to delete snapshots by using Azure NetApp Files.
- Last updated 09/16/2021
azure-netapp-files Snapshots Edit Hide Path https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-edit-hide-path.md
Title: Edit the Hide Snapshot Path option of Azure NetApp Files | Microsoft Docs
-description: Describes how to control the visibility of a snapshot volume with Azure NetApp Files.
+description: Describes how to control the visibility of a snapshot volume with Azure NetApp Files.
- Last updated 09/16/2021
The Hide Snapshot Path option controls whether the snapshot path of a volume is
## Next steps
-* [Learn more about snapshots](snapshots-introduction.md)
+* [Learn more about snapshots](snapshots-introduction.md)
azure-netapp-files Snapshots Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-introduction.md
Title: How Azure NetApp Files snapshots work | Microsoft Docs
-description: Explains how Azure NetApp Files snapshots work, including ways to create snapshots, ways to restore snapshots, how to use snapshots in cross-region replication settings.
+description: Explains how Azure NetApp Files snapshots work, including ways to create snapshots, ways to restore snapshots, how to use snapshots in cross-region replication settings.
- Last updated 11/22/2022
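Review bot: the list in the added description has no conjunction before its last item ("ways to create snapshots, ways to restore snapshots, how to use snapshots in cross-region replication settings"). Suggest "ways to restore snapshots, and how to use snapshots in cross-region replication settings".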
azure-netapp-files Snapshots Manage Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-manage-policy.md
Title: Manage snapshot policies in Azure NetApp Files | Microsoft Docs
-description: Describes how to create, manage, modify, and delete snapshot policies by using Azure NetApp Files.
+description: Describes how to create, manage, modify, and delete snapshot policies by using Azure NetApp Files.
- Last updated 05/18/2023
azure-netapp-files Snapshots Restore File Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-file-client.md
Title: Restore a file from a snapshot using a client with Azure NetApp Files | Microsoft Docs
-description: Describes how to restore a file from a snapshot using a client with the volume mounted using Azure NetApp Files.
+description: Describes how to restore a file from a snapshot using a client with the volume mounted using Azure NetApp Files.
- Last updated 09/16/2021
NFSv4.1 does not show the `.snapshot` directory (`ls -la`). However, when the Hi
* [Learn more about snapshots](snapshots-introduction.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md) * [Azure NetApp Files Snapshots 101 video](https://www.youtube.com/watch?v=uxbTXhtXCkw)
-* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
+* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
azure-netapp-files Snapshots Restore File Single https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-file-single.md
Title: Restore individual files in Azure NetApp Files using single-file snapshot restore | Microsoft Docs
-description: Describes how to recover individual files directly within a volume from a snapshot.
+description: Describes how to recover individual files directly within a volume from a snapshot.
- Last updated 05/04/2023
From the Azure portal:
* [Learn more about snapshots](snapshots-introduction.md) * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
-* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
+* [Azure NetApp Files Snapshot Overview](https://anfcommunity.com/2021/01/31/azure-netapp-files-snapshot-overview/)
azure-netapp-files Snapshots Restore New Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-restore-new-volume.md
description: Describes how to create a new volume from a snapshot by using Azure
- Last updated 02/22/2023
azure-netapp-files Snapshots Revert Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/snapshots-revert-volume.md
Title: Revert a volume using snapshot revert with Azure NetApp Files | Microsoft Docs
-description: Describes how to revert a volume to an earlier state using Azure NetApp Files.
+description: Describes how to revert a volume to an earlier state using Azure NetApp Files.
- Last updated 02/28/2023
azure-netapp-files Solutions Benefits Azure Netapp Files Electronic Design Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-electronic-design-automation.md
Title: Benefits of using Azure NetApp Files for electronic design automation | Microsoft Docs
-description: Explains the solution Azure NetApp Files provides for meeting the needs of the semiconductor and chip design industry. Presents test scenarios running a standard industry benchmark for electronic design automation (EDA) using Azure NetApp Files.
+description: Explains the solution Azure NetApp Files provides for meeting the needs of the semiconductor and chip design industry. Presents test scenarios running a standard industry benchmark for electronic design automation (EDA) using Azure NetApp Files.
- Last updated 04/24/2020
azure-netapp-files Solutions Benefits Azure Netapp Files Oracle Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-oracle-database.md
Title: Benefits of using Azure NetApp Files with Oracle Database | Microsoft Docs
-description: Describes the technology and provides a performance comparison between Oracle Direct NFS (dNFS) and the traditional NFS client. Shows the advantages of using dNFS with Azure NetApp Files.
+description: Describes the technology and provides a performance comparison between Oracle Direct NFS (dNFS) and the traditional NFS client. Shows the advantages of using dNFS with Azure NetApp Files.
- Last updated 08/04/2022
You can enhance the performance of Oracle dNFS with the Azure NetApp Files servi
## Next steps - [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)-- [Overview of Oracle Applications and solutions on Azure](../virtual-machines/workloads/oracle/oracle-overview.md)
+- [Overview of Oracle Applications and solutions on Azure](../virtual-machines/workloads/oracle/oracle-overview.md)
azure-netapp-files Solutions Benefits Azure Netapp Files Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-benefits-azure-netapp-files-sql-server.md
Title: Benefits of using Azure NetApp Files for SQL Server deployment | Microsoft Docs
-description: Shows a detailed cost analysis performance benefits about using Azure NetApp Files for SQL Server deployment.
+description: Shows a detailed cost analysis performance benefits about using Azure NetApp Files for SQL Server deployment.
- Last updated 05/19/2021
With Azure NetApp Files, you can increase SQL server performance while reducing
* [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) * [Solution architectures using Azure NetApp Files ΓÇô SQL Server](azure-netapp-files-solution-architectures.md#sql-server) -
azure-netapp-files Solutions Windows Virtual Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/solutions-windows-virtual-desktop.md
description: Provides best practice guidance and sample blueprints on deploying
- Last updated 08/13/2020
When building a POD based architecture like this, assigning users to the correct
## Next steps -- [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
+- [Solution architectures using Azure NetApp Files](azure-netapp-files-solution-architectures.md)
azure-netapp-files Storage Service Add Ons https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/storage-service-add-ons.md
description: Describes the services provided through the storage service add-ons
- Last updated 06/15/2021
azure-netapp-files Terraform Manage Volume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/terraform-manage-volume.md
Title: Update Terraform-managed Azure resource
-description: Learn how to safely update Terraform-managed Azure resources to ensure the safety of your data.
+ Title: Update Terraform-managed Azure resource
+description: Learn how to safely update Terraform-managed Azure resources to ensure the safety of your data.
- Last updated 12/20/2023
azure-netapp-files Test Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/test-disaster-recovery.md
Title: Test disaster recovery for Azure NetApp Files | Microsoft Docs
-description: Enhance your disaster recovery preparedness with this test plan for cross-region replication.
+description: Enhance your disaster recovery preparedness with this test plan for cross-region replication.
- Last updated 09/26/2023
azure-netapp-files Tools Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/tools-reference.md
Title: Azure NetApp Files tools
-description: Learn about the tools available to you to maximize your experience and savings with Azure NetApp Files.
+ Title: Azure NetApp Files tools
+description: Learn about the tools available to you to maximize your experience and savings with Azure NetApp Files.
- Last updated 01/12/2023
azure-netapp-files Troubleshoot Application Volume Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-application-volume-groups.md
Title: Troubleshoot application volume group errors for Azure NetApp Files | Microsoft Docs
-description: Describes error or warning conditions and their resolutions for application volume groups for Azure NetApp Files.
+description: Describes error or warning conditions and their resolutions for application volume groups for Azure NetApp Files.
- Last updated 11/19/2021
azure-netapp-files Troubleshoot Capacity Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-capacity-pools.md
Title: Troubleshoot capacity pool errors for Azure NetApp Files | Microsoft Docs
-description: Describes potential issues you might have when managing capacity pools and provides solutions for the issues.
+description: Describes potential issues you might have when managing capacity pools and provides solutions for the issues.
- Last updated 04/18/2022
azure-netapp-files Troubleshoot Cross Region Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-cross-region-replication.md
Title: Troubleshoot cross-region replication errors for Azure NetApp Files | Microsoft Docs
-description: Describes error messages and resolutions that can help you troubleshoot cross-region replication issues for Azure NetApp Files.
+description: Describes error messages and resolutions that can help you troubleshoot cross-region replication issues for Azure NetApp Files.
- Last updated 08/02/2022
azure-netapp-files Troubleshoot Diagnose Solve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-diagnose-solve-problems.md
Title: Troubleshoot Azure NetApp Files using diagnose and solve problems tool
-description: Describes how to use the Azure diagnose and solve problems tool to troubleshoot issues of Azure NetApp Files.
+ Title: Troubleshoot Azure NetApp Files using diagnose and solve problems tool
+description: Describes how to use the Azure diagnose and solve problems tool to troubleshoot issues of Azure NetApp Files.
- Last updated 10/15/2023
For more information about using this tool, see [Diagnostics and solve tool - Az
* [Troubleshoot cross-region replication errors](troubleshoot-cross-region-replication.md) * [Troubleshoot Resource Provider errors](azure-netapp-files-troubleshoot-resource-provider-errors.md) * [Troubleshoot user access on LDAP volumes](troubleshoot-user-access-ldap.md)
-* [Troubleshoot file locks](troubleshoot-file-locks.md)
+* [Troubleshoot file locks](troubleshoot-file-locks.md)
azure-netapp-files Troubleshoot File Locks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-file-locks.md
Title: Troubleshoot file locks for an Azure NetApp Files volume | Microsoft Docs
-description: This article explains how to break file locks in an Azure NetApp Files volume.
+description: This article explains how to break file locks in an Azure NetApp Files volume.
- Last updated 05/03/2023
You can break file locks for all files in a volume or break all file locks initi
## Next steps * [NFS FAQs for Azure NetApp Files](faq-nfs.md)
-* [SMB FAQs for Azure NetApp Files](faq-smb.md)
+* [SMB FAQs for Azure NetApp Files](faq-smb.md)
azure-netapp-files Troubleshoot Snapshot Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-snapshot-policies.md
Title: Troubleshoot snapshot policy errors for Azure NetApp Files | Microsoft Docs
-description: Describes error messages and resolutions that can help you troubleshoot snapshot policy management issues for Azure NetApp Files.
+description: Describes error messages and resolutions that can help you troubleshoot snapshot policy management issues for Azure NetApp Files.
- Last updated 09/23/2020
azure-netapp-files Troubleshoot User Access Ldap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-user-access-ldap.md
Title: Troubleshoot user access on LDAP volumes | Microsoft Docs
-description: Describes the steps for troubleshooting user access on LDAP-enabled volumes.
+description: Describes the steps for troubleshooting user access on LDAP-enabled volumes.
- Last updated 09/06/2023
azure-netapp-files Troubleshoot Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-volumes.md
description: Describes error messages and resolutions that can help you troubles
- Last updated 02/21/2023
azure-netapp-files Understand Data Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-data-encryption.md
+
+ Title: Understand data encryption in Azure NetApp Files
+description: Learn about data encryption at-rest and in-transit in Azure NetApp Files.
++++ Last updated : 02/02/2024++
+# Understand data encryption in Azure NetApp Files
+
+Azure NetApp Files encrypts data through two different methods:
+
+* **Encryption at-rest**: Data is encrypted in-place using FIPS 140-2 compliant standards.
+* **Encryption in-transit**: Data is encrypted in transit--or over the wire--as it's transferred between client and server.
+
+## Understand encryption at-rest
+
+Data at-rest in Azure NetApp Files can be encrypted in two ways:
+* Single encryption uses software-based encryption for Azure NetApp Files volumes.
+* [Double encryption](double-encryption-at-rest.md) adds hardware-level encryption at the physical storage device layer.
+
+Azure NetApp Files uses standard CryptoMod to generate AES-256 encryption keys. [CryptoMod](https://public.cyber.mil/pki-pke/cryptographic-modernization/) is listed on the CMVP FIPS 140-2 validated modules list; for more information, seeΓÇ»[FIPS 140-2 Cert #4144](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4144). Encryption keys are associated with the volumes and can be Microsoft [platform-managed keys](faq-security.md#how-are-encryption-keys-managed) or [customer-managed keys](configure-customer-managed-keys.md).
+
+## Understand data in-transit encryption
+
+In addition to securing data at-rest, Azure NetApp Files can secure data when it's in-transit between endpoints. The encryption method used depends on the protocol or feature. DNS isn't encrypted in-transit in Azure NetApp files. Continue reading to learn about SMB and NFS encryption, LDAP, and data replication in Azure NetApp Files.
+
+### SMB encryption
+
+Windows SMB clients using the SMB3.x protocol version natively support [SMB encryption](/windows-server/storage/file-server/smb-security). [SMB encryption is conducted end-to-end](network-attached-storage-permissions.md) and encrypts the entirety of the SMB conversation using AES-256-GCM/AES-128-GCM and AES-256-CCM/AES-128-CCM cryptographic suites.
+
+SMB encryption isn't required for Azure NetApp Files volumes, but can be used for extra security. SMB encryption does add a performance overhead. To learn more about performance considerations with SMB encryption, see [SMB performance best practices for Azure NetApp Files](azure-netapp-files-smb-performance.md).
+
+#### Requiring encryption for SMB connections
+
+Azure NetApp Files provides an option to [enforce encryption on all SMB connections](create-active-directory-connections.md). Enforcing encryption disallows unencrypted SMB communication and uses SMB3 and later for SMB connections. Encryption is performed using AES encryption and encrypts all SMB packets. For this feature to work properly, SMB clients must support SMB encryption. If the SMB client doesn't support encryption and SMB3, then SMB connections are disallowed. If this option is enabled, all shares that have the same IP address require encryption, thus overriding the SMB share property setting for encryption.
+
+#### SMB share-level encryption
+
+Alternatively, encryption can be set at the level of [individual share of an Azure NetApp Files volume](azure-netapp-files-create-volumes-smb.md#smb3-encryption).
+
+#### UNC hardening
+
+In 2015, Microsoft introduced UNC hardening ([MS15-011](https://technet.microsoft.com/library/security/ms15-011) and [MS15-014](https://technet.microsoft.com/library/security/ms15-014)) to address remote network path vulnerabilities that could allow remote code execution across SMB shares. For more information, see [MS15-011 & MS15-014: Hardening Group Policy](https://msrc.microsoft.com/blog/2015/02/ms15-011-ms15-014-hardening-group-policy/).
+
+UNC hardening provides three options for securing UNC paths:
+
+* `RequireMutualAuthentication` ΓÇô Identity authentication required/not required to block spoofing attacks.
+* `RequireIntegrity` ΓÇô Integrity checking required/not required to block tampering attacks.
+* `RequirePrivacy` ΓÇô Privacy (total encryption of SMB packets) enabled/disabled to prevent traffic sniffing.
+
+Azure NetApp Files supports all three forms of UNC hardening.
+
+### NFS Kerberos
+
+Azure NetApp Files also provides [the ability to encrypt NFSv4.1 conversations via Kerberos authentication](configure-kerberos-encryption.md) using AES-256-GCM/AES-128-GCM and AES-256-CCM/AES-128-CCM cryptographic suites.
+
+With NFS Kerberos, Azure NetApp Files supports three different security flavors:
+
+* Kerberos 5 (`krb5`) ΓÇô Initial authentication only; requires a Kerberos ticket exchange/user sign-in to access the NFS export. NFS packets are not encrypted.
+* Kerberos 5i (`krb5i`) ΓÇô Initial authentication and integrity checking; requires a Kerberos ticket exchange/user sign-in to access the NFS export and adds integrity checks to each NFS packet to prevent man-in-the-middle attacks (MITM).
+* Kerberos 5p (`krb5p`) ΓÇô Initial authentication, integrity checking and privacy; requires a Kerberos ticket exchange/user sign-in to access the NFS export, performs integrity checks and applies a GSS wrapper to each NFS packet to encrypt its contents.
+
+Each Kerberos encryption level has an effect on performance. As the encryption types and security flavors incorporate more secure methods, the performance effect increases. For instance, `krb5` performs better than `krb5i`, krb5i performs better than `krb5p`, AES-128 perform better than AES-256, and so on. For more information about the performance effect of NFS Kerberos in Azure NetApp Files, see [Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes](performance-impact-kerberos.md).
+
+>[!NOTE]
+>NFS Kerberos is only supported with NFSv4.1 in Azure NetApp Files.
+
+In the following image, Kerberos 5 (`krb5`) is used; only the initial authentication request (the sign in/ticket acquisition) is encrypted. All other NFS traffic arrives in plain text.
++
+When using Kerberos 5i (`krb5i`; integrity checking), a trace show that the NFS packets aren't encrypted, but there's a GSS/Kerberos wrapper added to the packet that requires the client and server ensure the integrity of the data transferred using a checksum.
++
+Kerberos 5p (privacy; `krb5p`) provides end-to-end encryption of all NFS traffic as shown in the trace image using a GSS/Kerberos wrapper. This method creates the most performance overhead due to the need to process every NFS packetΓÇÖs encryption.
++
+## Data replication
+
+In Azure NetApp Files, you can replicate entire volumes [across zones or regions in Azure to provide data protection](data-protection-disaster-recovery-options.md). Since the replication traffic resides in the Azure cloud, the transfers take place in the secure Azure network infrastructure, which is limited in access to prevent packet sniffing and man-in-the-middle attacks (eavesdropping or impersonating in-between communication endpoints). In addition, the replication traffic is encrypted using FIPS 140-2 compliant TLS 1.2 standards. For details, see [Security FAQs](faq-security.md#is-azure-netapp-files-cross-region-and-cross-zone-replication-traffic-encrypted).
+
+## LDAP encryption
+
+Normally, LDAP search and bind traffic passes over the wire in plain text, meaning anyone with access to sniff network packets can gain information from the LDAP server such as usernames, numeric IDs, group memberships, etc. This information can then be used to spoof users, send emails for phishing attacks, etc.
+
+To protect LDAP communications from being intercepted and read, LDAP traffic can leverage over-the-wire encryption leveraging AES and TLS 1.2 via LDAP signing and LDAP over TLS, respectively. For details on configuring these options, see [Create and manage Active Directory connections](create-active-directory-connections.md#ldap-signing).
+
+### LDAP signing
+
+LDAP signing is specific to connections on Microsoft Active Directory servers that are hosting UNIX identities for users and groups. This functionality enables integrity verification for Simple Authentication and Security Layer (SASL) LDAP binds to AD servers hosting LDAP connections. Signing does not require configuration of security certificates because it uses GSS-API communication with Active DirectoryΓÇÖs Kerberos Key Distribution Center (KDC) services. LDAP signing only checks the integrity of an LDAP packet; it does not encrypt the payload of the packet.
++
+LDAP signing can also be [configured from the Windows server side](/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server) via Group Policy to either be [opportunistic with LDAP signing (none ΓÇô support if requested by client) or to enforce LDAP signing (require)](/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements). LDAP signing can add some performance overhead to LDAP traffic that usually isn't noticeable to end users.
+
+Windows Active Directory also enables you to use LDAP signing and sealing (end-to-end encryption of LDAP packets). Azure NetApp Files doesn't support this feature.
+
+### LDAP channel binding
+
+Because of a security vulnerability discovered in Windows Active Directory domain controllers, a default setting was changed for Windows servers. For details, see [Microsoft Security Advisory ADV190023](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV190023).
+
+Essentially, Microsoft recommends that administrators enable LDAP signing along with channel binding. If the LDAP client supports channel binding tokens and LDAP signing, channel binding and signing are required, and registry options are set by the new Microsoft patch.
+
+Azure NetApp Files, by default, supports LDAP channel binding opportunistically, meaning LDAP channel binding is used when the client supports it. If it doesn't support/send channel binding, communication is still allowed, and channel binding isn't enforced.
+
+### LDAP over SSL (port 636)
+
+LDAP traffic in Azure NetApp Files passes over port 389 in all cases. This port cannot be modified. LDAP over SSL (LDAPS) isn't supported and is considered legacy by most LDAP server vendors ([RFC 1777](https://www.ietf.org/rfc/rfc1777.txt) was published in 1995). If you want to use LDAP encryption with Azure NetApp Files, use LDAP over TLS.
+
+### LDAP over StartTLS
+
+LDAP over StartTLS was introduced with [RFC 2830](https://www.ietf.org/rfc/rfc2830.txt) in 2000 and was combined into the LDAPv3 standard with [RFC 4511](https://www.ietf.org/rfc/rfc2830.txt) in 2006. After StartTLS was made a standard, LDAP vendors began to refer to LDAPS as deprecated.
+
+LDAP over StartTLS uses port 389 for the LDAP connection. After the initial LDAP connection has been made, a StartTLS OID is exchanged and certificates are compared; then all LDAP traffic is encrypted by using TLS. The packet capture shown below shows the LDAP bind, StartTLS handshake and subsequent TLS-encrypted LDAP traffic.
++
+There are two main differences between LDAPS and StartTLS:
+
+* StartTLS is part of the LDAP standard; LDAPS isn't. As a result, LDAP library support on the LDAP servers or clients can vary, and functionality might or might not work in all cases.
+* If encryption fails, StartTLS allows the configuration to fall back to regular LDAP. LDAPS does not. As a result, StartTLS offers some flexibility and resiliency, but it also presents security risks if it's misconfigured.
+
+#### Security considerations with LDAP over StartTLS
+
+StartTLS enables administrators to fall back to regular LDAP traffic if they want. For security purposes, most LDAP administrators don't allow it. The following recommendations for StartTLS can help secure LDAP communication:
+
+* Ensure that StartTLS is enabled and that certificates are configured.
+* For internal environments, you can use self-signed certificates, but for external LDAP, use a certificate authority. For more information about certificates, see the [Difference Between Self Signed SSL & Certificate Authority](https://social.technet.microsoft.com/wiki/contents/articles/15189.difference-between-self-signed-ssl-certificate-authority.aspx).
+* Prevent LDAP queries and binds that do not use StartTLS. By default, Active Directory disables anonymous binds.
+
+## Active Directory security connection
+
+Active Directory connections with Azure NetApp Files volumes can be configured to try the strongest available Kerberos encryption type first: AES-256. When AES encryption is enabled, domain controller communications (such as scheduled SMB server password resets) use the highest available encryption type supported on the domain controllers. Azure NetApp Files supports the following encryption types for domain controller communications, in order of attempted authentication: AES-256, AES-128, RC4-HMAC, DES
+
+>[!NOTE]
+>It's not possible to disable weaker authentication types in Azure NetApp Files (such as RC4-HMAC and DES). Instead, if desired, these should be disabled from the domain controller so that authentication requests do not attempt to use them. If RC4-HMAC is disabled on the domain controllers, then AES encryption must be enabled in Azure NetApp Files for proper functionality.
+
+## Next steps
+* [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md)
+* [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md)
+* [Understand data protection and disaster recovery options in Azure NetApp Files](data-protection-disaster-recovery-options.md)
+* [Create and manage Active Directory connections](create-active-directory-connections.md)
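Review bot: In the "LDAP over StartTLS" section, the `[RFC 4511]` link points at `https://www.ietf.org/rfc/rfc2830.txt`, the same target as the RFC 2830 link earlier in that sentence; it should point at the RFC 4511 text. In "LDAP over SSL (port 636)", RFC 1777 is cited as though it dates LDAPS, but RFC 1777 is the 1995 LDAP specification itself and does not describe LDAP over SSL, so drop the parenthesis or say what it is meant to show. The "LDAP encryption" intro promises "over-the-wire encryption leveraging AES and TLS 1.2 via LDAP signing and LDAP over TLS", while the "LDAP signing" section says signing "does not encrypt the payload of the packet"; reword the intro so that signing is described as integrity protection only. The "NFS Kerberos" sentence repeats the "AES-256-GCM/AES-128-GCM and AES-256-CCM/AES-128-CCM" list from the SMB encryption section word for word; please confirm it applies to Kerberos and was not carried over from the SMB text. On structure, the in-transit intro announces SMB, NFS, LDAP and data replication, but "Data replication" and "LDAP encryption" are `##` headings while "SMB encryption" and "NFS Kerberos" are `###`, so the first two fall outside the in-transit section. Last, under "Security considerations with LDAP over StartTLS", the sentence "By default, Active Directory disables anonymous binds" does not tell the reader how to prevent binds that skip StartTLS; link the setting that enforces it or remove the sentence.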
azure-netapp-files Understand File Locks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-file-locks.md
description: Understand the concept of file locking and the different types of N
- Last updated 06/12/2023
Manually locking files allows you to test file open and edit interactions and te
* [SMB FAQs for Azure NetApp Files](faq-smb.md) * [Troubleshoot file locks on an Azure NetApp Files volume](troubleshoot-file-locks.md) * [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)-
azure-netapp-files Understand Guidelines Active Directory Domain Service Site https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md
description: Proper Active Directory Domain Services (AD DS) design and planning
- Last updated 02/21/2023
azure-netapp-files Use Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/use-availability-zones.md
description: Azure availability zones are highly available, fault tolerant, and
- Last updated 11/17/2022
azure-netapp-files Use Dfs N And Dfs Root Consolidation With Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/use-dfs-n-and-dfs-root-consolidation-with-azure-netapp-files.md
description: Learn how to configure DFS-N and DFS Root Consolidation with Azure
- Last updated 06/30/2022
azure-netapp-files Volume Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-delete.md
Title: Delete an Azure NetApp Files volume | Microsoft Docs
-description: Describes how to delete an Azure NetApp Files volume.
+description: Describes how to delete an Azure NetApp Files volume.
- Last updated 06/22/2023
azure-netapp-files Volume Hard Quota Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-hard-quota-guidelines.md
Title: What changing to volume hard quota means for your Azure NetApp Files service | Microsoft Docs
-description: Describes the change to using volume hard quota, how to plan for the change, and how to monitor and manage capacities.
+description: Describes the change to using volume hard quota, how to plan for the change, and how to monitor and manage capacities.
- Last updated 09/30/2022
azure-netapp-files Volume Quota Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/volume-quota-introduction.md
Title: Understand volume quota for Azure NetApp Files | Microsoft Docs
-description: Provides an overview about volume quota. Also provides references about monitoring and managing volume and pool capacity.
+description: Provides an overview about volume quota. Also provides references about monitoring and managing volume and pool capacity.
- Last updated 04/30/2021
This article provides an overview about volume quota for Azure NetApp Files. It
* [Cost model for Azure NetApp Files](azure-netapp-files-cost-model.md) * [Monitor the capacity of a volume](monitor-volume-capacity.md) * [Resize the capacity pool or a volume](azure-netapp-files-resize-capacity-pools-or-volumes.md)
-* [Capacity management FAQs](faq-capacity-management.md)
+* [Capacity management FAQs](faq-capacity-management.md)
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
description: Provides a summary about the latest new features and enhancements o
- Last updated 11/27/2023
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> | | | | | > | factories | global | 3-63 | Alphanumerics and hyphens.<br><br>Start and end with alphanumeric. | > | factories / dataflows | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
-> | factories / datasets | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
+> | factories / datasets | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/-` or control characters<br><br>Start with alphanumeric. |
> | factories / integrationRuntimes | factory | 3-63 | Alphanumerics and hyphens.<br><br>Start and end with alphanumeric. | > | factories / linkedservices | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. | > | factories / pipelines | factory | 1-260 | Can't use:<br>`<>*#.%&:\\+?/` or control characters<br><br>Start with alphanumeric. |
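Review bot: Only the `factories / datasets` row gains `-` in its forbidden-character list (`<>*#.%&:\\+?/-`), while the `dataflows`, `linkedservices` and `pipelines` rows in the surrounding context keep `<>*#.%&:\\+?/`. These rows were identical before this change, so please confirm that the hyphen restriction really is specific to datasets and was not meant for the sibling rows as well. If it is specific, a short remark in the row would stop readers from treating the difference as a typo.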
backup Backup Azure Database Postgresql Flex Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-flex-support-matrix.md
You can use [Azure Backup](./backup-overview.md) to protect Azure Database for P
## Supported regions
-Azure Database for PostgreSQL server backup (preview) currently supports East US, Central India, and West Europe regions.
+Azure Database for PostgreSQL server backup (preview) is now available in all public regions.
## Support scenarios
backup Backup Azure Security Feature Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-security-feature-cloud.md
Title: Soft delete for Azure Backup description: Learn how to use security features in Azure Backup to make backups more secure. Previously updated : 01/04/2024 Last updated : 02/08/2024
Follow these steps:
1. Identify the items that are in soft-deleted state. ```powershell-
- Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $myVaultID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}
+ $vault = Get-AzRecoveryServicesVault -ResourceGroupName "yourResourceGroupName" -Name "yourVaultName"
+ Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultID $vault.ID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}
Name ContainerType ContainerUniqueName WorkloadType ProtectionStatus HealthStatus DeleteState - - - - --
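Review bot: The added `Get-AzRecoveryServicesBackupItem` line spells the parameter `-VaultID`, while the line it replaces used `-VaultId`. PowerShell binds either spelling, but keeping `-VaultId` matches the removed line and avoids a needless difference for readers who compare this step with other samples. The `"yourResourceGroupName"` and `"yourVaultName"` strings are placeholders; a one-line sentence above the block telling the reader to substitute them would make that explicit.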
backup Backup Vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-vault-overview.md
Title: Overview of the Backup vaults description: An overview of Backup vaults. Previously updated : 02/01/2024 Last updated : 02/08/2024
This section discusses the options available for encrypting your backup data sto
### Encryption of backup data using platform-managed keys
-By default, all your data is encrypted using platform-managed keys. You don't need to take any explicit action from your end to enable this encryption. It applies to all workloads being backed up to your Backup vault.
+Azure Backup provides you two options (**Microsoft managed keys** and **Customer Managed keys**) to manage the backup data encryption for your Backup vault. By default, all your data is encrypted using Microsoft managed keys. Azure Backup uses the Backup Management Service app to access Azure Key Vault, but not the managed identity of the Backup vault.
+
+You can fetch your own keys to encrypt the backup data by using the **Customer Managed Keys** option under **Encryption settings** on the *Backup vault*.
## Cross Region Restore support for PostgreSQL using Azure Backup
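Review bot: The heading in the context line still reads "Encryption of backup data using platform-managed keys", but the added paragraph now covers both options and calls the default "Microsoft managed keys", so heading and body use different names for the same thing; pick one term and rename or split the heading. The casing also varies between "Customer Managed keys" and "Customer Managed Keys". The sentence about the Backup Management Service app accessing Azure Key Vault follows directly after the statement about the Microsoft managed default, which leaves it unclear which option it applies to; move it next to the customer-managed sentence and state what access that app needs on the key vault, since readers will use it to set permissions. "You can fetch your own keys" would read better as "You can use your own keys".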
cdn Cdn Billing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-billing.md
- Last updated 02/27/2023 - # Understanding Azure CDN billing
cdn Cdn Create Endpoint How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-create-endpoint-how-to.md
- Last updated 02/27/2023
cdn Cdn Http Debug Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-http-debug-headers.md
- Last updated 04/12/2018 - # X-EC-Debug HTTP headers for Azure CDN rules engine The debug cache request header, `X-EC-Debug`, provides additional information about the cache policy that is applied to the requested asset. These headers are specific to **Azure CDN Premium from Edgio** products.
cdn Cdn Manage Expiration Of Blob Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-manage-expiration-of-blob-content.md
Title: Manage expiration of Azure Blob storage description: Learn about the options for controlling time-to-live for blobs in Azure CDN caching.-+ ms.assetid: ad4801e9-d09a-49bf-b35c-efdc4e6034e8 - ms.devlang: csharp Last updated 02/27/2023
cdn Cdn Manage Expiration Of Cloud Service Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-manage-expiration-of-cloud-service-content.md
ms.assetid: bef53fcc-bb13-4002-9324-9edee9da8288 - ms.devlang: csharp Last updated 02/27/2023 - # Manage expiration of web content in Azure CDN > [!div class="op_single_selector"]
cdn Cdn Msft Http Debug Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-msft-http-debug-headers.md
- Last updated 02/27/2023 - # Debug HTTP header for Azure CDN from Microsoft
cdn Cdn Pop Abbreviations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-pop-abbreviations.md
- Last updated 02/27/2023 - # Azure CDN POP locations by abbreviation
cdn Cdn Pop Locations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-pop-locations.md
ms.assetid: 669ef140-a6dd-4b62-9b9d-3f375a14215e - Last updated 05/30/2023 - # Azure CDN Coverage by Metro > [!div class="op_single_selector"]
cdn Cdn Resource Health https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-resource-health.md
ms.assetid: bf23bd89-35b2-4aca-ac7f-68ee02953f31 - Last updated 02/27/2023 - # Monitor the health of Azure CDN resources
We're sorry, we're experiencing issues with some of our CDN providers | Check ba
- [Read an overview of Azure resource health](../service-health/resource-health-overview.md) - [Troubleshoot issues with CDN compression](./cdn-troubleshoot-compression.md)-- [Troubleshoot issues with 404 errors](./cdn-troubleshoot-endpoint.md)
+- [Troubleshoot issues with 404 errors](./cdn-troubleshoot-endpoint.md)
cdn Cdn Token Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-token-auth.md
ms.assetid: 837018e3-03e6-4f9c-a23e-4b63d5707a64 - Last updated 02/27/2023
cdn Cdn Verizon Http Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-verizon-http-headers.md
- Last updated 02/27/2023 - # Edgio-specific HTTP headers for Azure CDN rules engine
cloud-services Mitigate Se https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/mitigate-se.md
tags: azure-resource-manager keywords: spectre,meltdown,specter - vm-windows Last updated 02/21/2023
confidential-computing Attestation Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/attestation-solutions.md
description: Learn what attestation is and how to use it at Microsoft
- Last updated 05/02/2023
confidential-computing Attestation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/attestation.md
- Last updated 12/20/2021
confidential-computing Concept Skr Attestation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/concept-skr-attestation.md
description: Concept guide on what SKR is and its usage with Azure Confidential
- Last updated 8/22/2023
confidential-computing Confidential Ai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-ai.md
- Last updated 05/17/2023
Use a partner that has built Confidential AI solutions on top of the Azure confi
- [Mithril Security](https://www.mithrilsecurity.io/) provides tooling to help SaaS vendors serve AI models inside secure enclaves, and providing an on-premises level of security and control to data owners. Data owners can use their SaaS AI solutions while remaining compliant and in control of their data. -- [Opaque](https://opaque.co/) provides a confidential computing platform for collaborative analytics and AI, giving the ability to perform analytics while protecting data end-to-end and enabling organizations to comply with legal and regulatory mandates.
+- [Opaque](https://opaque.co/) provides a confidential computing platform for collaborative analytics and AI, giving the ability to perform analytics while protecting data end-to-end and enabling organizations to comply with legal and regulatory mandates.
confidential-computing Confidential Computing Deployment Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-deployment-models.md
description: Choose Between Deployment Models
- Last updated 11/04/2021
confidential-computing Confidential Computing Enclaves https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-enclaves.md
description: Learn about Intel SGX hardware to enable your confidential computin
- Last updated 11/01/2021
confidential-computing Confidential Computing Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-computing-solutions.md
description: Learn how to build solutions on Azure confidential computing
- Last updated 11/01/2021
confidential-computing Confidential Nodes Aks Addon https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/confidential-nodes-aks-addon.md
description: How to use the Intel SGX device plugin and Intel SGX quote helper d
- Last updated 11/01/2021
confidential-computing Create Confidential Vm From Compute Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/create-confidential-vm-from-compute-gallery.md
- Last updated 07/14/2022
confidential-computing Enclave Development Oss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/enclave-development-oss.md
description: Learn how to use tools to develop Intel SGX applications for Azure
- Last updated 11/01/2021
confidential-computing Harden A Linux Image To Remove Azure Guest Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/harden-a-linux-image-to-remove-azure-guest-agent.md
m - Last updated 8/03/2023
confidential-computing Harden The Linux Image To Remove Sudo Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/harden-the-linux-image-to-remove-sudo-users.md
m - Last updated 7/21/2023
confidential-computing How To Create Custom Image Confidential Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-create-custom-image-confidential-vm.md
m - Last updated 6/09/2023
confidential-computing How To Fortanix Confidential Computing Manager Node Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-fortanix-confidential-computing-manager-node-agent.md
- Last updated 03/24/2021
confidential-computing How To Fortanix Confidential Computing Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-fortanix-confidential-computing-manager.md
description: Learn how to deploy Fortanix Confidential Computing Manager (CCM) i
- Last updated 02/03/2021
confidential-computing How To Leverage Virtual Tpms In Azure Confidential Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-leverage-virtual-tpms-in-azure-confidential-vms.md
m - Last updated 08/02/2023
confidential-computing Multi Party Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/multi-party-data.md
-- Last updated 04/20/2023 - # Cleanroom and Multi-party Data Analytics
confidential-computing Overview Azure Products https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/overview-azure-products.md
description: Learn about all the confidential computing services that Azure prov
- Last updated 06/09/2023
confidential-computing Anjuna https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/anjuna.md
- Last updated 03/29/2023
confidential-computing Beekeeperai https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/beekeeperai.md
- Last updated 03/29/2023
confidential-computing Decentriq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/decentriq.md
- Last updated 03/29/2023
confidential-computing Edgeless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/edgeless.md
- Last updated 03/29/2023
You can learn more and get started with these [Azure Marketplace solutions, here
- Learn more about [Edgeless Systems](https://www.edgeless.systems/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Enclaive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/enclaive.md
- Last updated 03/29/2023
confidential-computing Fortanix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/fortanix.md
- Last updated 03/29/2023
You can learn more and get started with these [Azure Marketplace solutions, here
- Learn more about [Fortanix](https://www.fortanix.com/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Habu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/habu.md
- Last updated 03/29/2023
confidential-computing Mithril https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/mithril.md
- Last updated 03/29/2023
confidential-computing Opaque https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/opaque.md
- Last updated 03/29/2023
confidential-computing Partner Pages Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/partner-pages-index.md
description: Learn about how Azure confidential computing partners build on the
- Last updated 03/29/2023
Azure confidential computing enables an ecosystem of partners that build on our
- [Opaque Systems](../partner-pages/opaque.md) is a confidential computing and data clean room platform that enables secure data sharing, multi-party analytics and machine learning on encrypted data. -- [Scone](../partner-pages/scone.md) confidential computing platform facilitates always encrypted execution: one can run services and applications such that neither the data nor the code is ever accessible as plain text - not even for root users.
+- [Scone](../partner-pages/scone.md) confidential computing platform facilitates always encrypted execution: one can run services and applications such that neither the data nor the code is ever accessible as plain text - not even for root users.
confidential-computing Scone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/partner-pages/scone.md
- Last updated 03/29/2023
This is the easiest way to get started with SCONE, now available on [Azure Mark
- Learn more about [Scontain](https://scontain.com/). - Check out the [Azure confidential computing webinar series](https://vshow.on24.com/vshow/Azure_Confidential/exhibits/Home) for more such partners.-
confidential-computing Quick Create Confidential Vm Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-arm.md
description: Learn how to quickly create and deploy an Azure confidential virtua
- Last updated 12/01/2023
confidential-computing Quick Create Confidential Vm Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-azure-cli.md
m - Last updated 12/01/2023
confidential-computing Quick Create Confidential Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-confidential-vm-portal.md
description: Learn how to quickly create a confidential virtual machine (confide
- Last updated 12/01/2023
confidential-computing Quick Create Marketplace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-marketplace.md
description: Get started with your deployments by learning how to quickly create
- Last updated 11/01/2021
confidential-computing Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/quick-create-portal.md
description: Get started with your deployments by learning how to quickly create
- Last updated 11/1/2021
confidential-computing Skr Flow Confidential Containers Azure Container Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-containers-azure-container-instance.md
description: Learn how to build an application that securely gets the key from A
- Last updated 3/9/2023
confidential-computing Skr Flow Confidential Vm Sev Snp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md
description: Learn how to build an application that securely gets the key from A
- Last updated 2/2/2023
confidential-computing Skr Policy Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-policy-examples.md
description: Examples of AKV SKR policies across offered Azure Confidential Comp
- Last updated 3/5/2023
Follow the policy [grammar](../key-vault/keys/policy-grammar.md) for more exampl
[Microsoft Azure Attestation (MAA)](../attestation/overview.md)
-[Secure Key Release Concept and Basic Steps](concept-skr-attestation.md)
+[Secure Key Release Concept and Basic Steps](concept-skr-attestation.md)
confidential-computing Virtual Machine Solutions Sgx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions-sgx.md
description: Learn about using Intel SGX virtual machines (VMs) in Azure confide
- Last updated 9/12/2023
confidential-computing Virtual Machine Solutions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-machine-solutions.md
- Last updated 11/15/2023
confidential-computing Vmss Deployment From Hardened Linux Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/vmss-deployment-from-hardened-linux-image.md
m - Last updated 9/12/2023
connectors Connectors Azure Monitor Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-azure-monitor-logs.md
ms.suite: integration Previously updated : 01/10/2024 Last updated : 02/08/2024 tags: connectors # Customer intent: As a developer, I want to get log data from my Log Analytics workspace or telemetry from my Application Insights resource to use with my workflow in Azure Logic Apps.
This how-to guide describes how to build a [Consumption logic app workflow](../l
For technical information about this connector's operations, see the [connector's reference documentation](/connectors/azuremonitorlogs/).
-> [!NOTE]
->
-> Both of the following actions can run a log query against a Log Analytics workspace or
-> Application Insights resource. The difference exists in the way that data is returned.
->
-> | Action | Description |
-> |--|-|
-> | [Run query and list results](/connectors/azuremonitorlogs/#run-query-and-list-results) | Returns each row as its own object. Use this action when you want to work with each row separately in the rest of the workflow. The action is typically followed by a [For each action](../logic-apps/logic-apps-control-flow-loops.md). |
-> | [Run query and visualize results](/connectors/azuremonitorlogs/#run-query-and-visualize-results) | Returns a JPG file that depicts the query result set. This action lets you use the result set in the rest of the workflow by sending the results in an email, for example. The action only returns a JPG file if the query returns results. |
+Both of the following actions can run a log query against a Log Analytics workspace or Application Insights resource. The difference exists in the way that data is returned.
+
+| Action | Description |
+|--|-|
+| [Run query and list results](/connectors/azuremonitorlogs/#run-query-and-list-results) | Returns each row as its own object. Use this action when you want to work with each row separately in the rest of the workflow. The action is typically followed by a [For each action](../logic-apps/logic-apps-control-flow-loops.md). |
+| [Run query and visualize results](/connectors/azuremonitorlogs/#run-query-and-visualize-results) | Returns a JPG file that depicts the query result set. This action lets you use the result set in the rest of the workflow by sending the results in an email, for example. The action only returns a JPG file if the query returns results. |
## Limitations
For technical information about this connector's operations, see the [connector'
- The [Consumption logic app workflow](../logic-apps/logic-apps-overview.md#resource-environment-differences) from where you want to access your Log Analytics workspace or Application Insights resource. To use an Azure Monitor Logs action, start your workflow with any trigger. This guide uses the [**Recurrence** trigger](connectors-native-recurrence.md).
- > [!NOTE]
- >
- > Although you can turn on the Log Analytics setting in a logic app resource to collect information about runtime data
- > and events as described in the how-to guide [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md), this setting isn't required
- > for you to use the Azure Monitor Logs connector.
- - An Office 365 Outlook account to complete the example in this guide. Otherwise, you can use any email provider that has an available connector in Azure Logic Apps. ## Add an Azure Monitor Logs action
-1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.
-
-1. In your workflow where you want to add the Azure Monitor Logs action, follow one of these steps:
-
- - To add an action under the last step, select **New step**.
-
- - To add an action between steps, move your pointer use over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.
-
- For more information about adding an action, see [Build a workflow by adding a trigger or action](../logic-apps/create-workflow-with-trigger-or-action.md).
+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and workflow in the designer.
-1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **Azure Monitor Logs**.
-
-1. From the actions list, select the action that you want.
+1. In your workflow where you want to add the Azure Monitor Logs action, follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).
This example continues with the action named **Run query and visualize results**.
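Review bot: The added step 2 contains a broken Markdown link: "follow these general steps to add an Azure Monitor Logs action](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action)" has the closing bracket and the target but no opening "[", so it will render as literal text. Add the "[" before "follow these general steps", and drop the second "Azure Monitor Logs action" in that sentence, which repeats the phrase from its first clause.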
For technical information about this connector's operations, see the [connector'
1. In the **Query** box, enter the following Kusto query to retrieve the specified log data from the following sources:
+ > [!NOTE]
+ >
+ > When you create your own queries, make sure they work correctly in Log Analytics before you add them to your Azure Monitor Logs action.
+ * Log Analytics workspace The following example query selects errors that occurred within the last day, reports their total number, and sorts them in ascending order.
For technical information about this connector's operations, see the [connector'
| evaluate autocluster() ```
- > [!NOTE]
- >
- > When you create your own queries, make sure they work correctly in Log Analytics before you add them to your Azure Monitor Logs action.
- 1. For **Time Range**, select **Set in query**.
+ The following table describes the options for **Time Range**:
+
+ | Time Range | Description |
+ ||-|
+ | **Exact** | Dynamically provide the start time and end time. |
+ | **Relative** | Set the relative value such as the last hour, last 12 hours, and so on. |
+ | **Set in query** | Applies when the **TimeGenerated** filter is included in query. |
+ 1. For **Chart Type**, select **Html Table**. 1. Save your workflow. On the designer toolbar, select **Save**.
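Review bot: The separator row of the added Time Range table is "||-|", which leaves the first column with no dashes, unlike the "|--|-|" row used by the actions table earlier in this file; confirm that the table renders. In the "Set in query" row, "included in query" is missing an article, and `TimeGenerated` is a column name rather than a UI label, so code formatting fits better than bold.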
container-apps Firewall Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/firewall-integration.md
The following tables describe how to configure a collection of NSG allow rules.
| Protocol | Source | Source ports | Destination | Destination ports | Description | |--|--|--|--|--|--|
-| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `80`, `31080` | Allow your Client IPs to access Azure Container Apps when using HTTP. |
-| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `443`, `31443` | Allow your Client IPs to access Azure Container Apps when using HTTPS. |
+| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `80`, `31080` | Allow your Client IPs to access Azure Container Apps when using HTTP. `31080` is the port on which the Container Apps Environment Edge Proxy responds to the HTTP traffic. It is behind the internal load balancer. |
+| TCP | Your client IPs | \* | Your container app's subnet<sup>1</sup> | `443`, `31443` | Allow your Client IPs to access Azure Container Apps when using HTTPS. `31443` is the port on which the Container Apps Environment Edge Proxy responds to the HTTPS traffic. It is behind the internal load balancer. |
| TCP | AzureLoadBalancer | \* | Your container app's subnet | `30000-32676`<sup>2</sup> | Allow Azure Load Balancer to probe backend pools. | # [Consumption only environment](#tab/consumption-only)
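Review bot: In both added descriptions, "It is behind the internal load balancer" has no clear referent: it could be the port or the Container Apps Environment Edge Proxy. Write it as "The edge proxy sits behind the internal load balancer", and state whether clients ever reach `31080` and `31443` directly. Each rule opens both ports to client IPs, so a reader sizing the NSG needs to know whether both ports in a row are required.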
container-registry Container Registry Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-private-link.md
az acr update --name $REGISTRY_NAME --public-network-enabled false
## Execute the `az acr build` with private endpoint and private registry
-Consider the following options to execute the `az acr build` successfully.
> [!NOTE] > Once you disable public network [access here](#disable-public-access), then `az acr build` commands will no longer work.
+> Unless you are utilizing dedicated agent pools, it's typically require the public IP's. Tasks reserve a set of public IPs in each region for outbound requests. If needed, we have the option to add these IPs to our firewall's allowed list for seamless communication.`az acr build` command uses the same set of IPs as the tasks.
+
+Consider the following options to execute the `az acr build` successfully.
-1. Assign a [dedicated agent pool.](./tasks-agent-pools.md)
-2. If agent pool is not available in the region, add the regional [Azure Container Registry Service Tag IPv4](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) to the [firewall access rules.](./container-registry-firewall-access-rules.md#allow-access-by-ip-address-range)
-3. Create an ACR task with a managed identity, and enable trusted services to [access network restricted ACR.](./allow-access-trusted-services.md#example-acr-tasks)
+* Assign a [dedicated agent pool.](./tasks-agent-pools.md)
+* If agent pool is not available in the region, add the regional [Azure Container Registry Service Tag IPv4](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) to the [firewall access rules.](./container-registry-firewall-access-rules.md#allow-access-by-ip-address-range). Tasks reserve a set of public IPs in each region (a.k.a. AzureContainerRegistry Service Tag) for outbound requests. You can choose to add the IPs in the firewall allowed list.
+* Create an ACR task with a managed identity, and enable trusted services to [access network restricted ACR.](./allow-access-trusted-services.md#example-acr-tasks)
## Disable access to a container registry using a service endpoint
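Review bot: The first sentence added to the note, "Unless you are utilizing dedicated agent pools, it's typically require the public IP's", is ungrammatical and never says what requires the public IPs; name the subject (for example `az acr build` or ACR Tasks) and use "public IPs". A space is missing before "`az acr build` command uses", and "we have the option to add these IPs to our firewall's allowed list" switches to first person in a page that otherwise addresses the reader. The Tasks and public-IP explanation now appears both in the note and in the second bullet, which also ends with a doubled period after the firewall access rules link; keep it in one place.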
cosmos-db Access System Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/gremlin/access-system-properties.md
Title: Access system document properties vian Azure Cosmos DB Graph
-description: Learn how read and write Azure Cosmos DB system document properties via API for Gremlin
+ Title: Access system document properties
+
+description: Learn how to read and write system document properties using Azure Cosmos DB for Apache Gremlin.
+++ Previously updated : 09/16/2021-- Last updated : 02/08/2024
-# System document properties
+# Access system document properties using Azure Cosmos DB for Apache Gremlin
+ [!INCLUDE[Gremlin](../includes/appliesto-gremlin.md)]
-Azure Cosmos DB has [system properties](/rest/api/cosmos-db/databases) such as ```_ts```, ```_self```, ```_attachments```, ```_rid```, and ```_etag``` on every document. Additionally, Gremlin engine adds ```inVPartition``` and ```outVPartition``` properties on edges. By default, these properties are available for traversal. However, it's possible to include specific properties, or all of them, in Gremlin traversal.
+Azure Cosmos DB for Gremlin has [system properties](/rest/api/cosmos-db/databases) such as `_ts`, `_self`, `_attachments`, `_rid`, and `_etag` on every item. Additionally, Gremlin engine adds `inVPartition` and `outVPartition` properties on edges. By default, these properties are available for traversal. However, it's possible to include specific properties, or all of them, in Gremlin traversal.
-```console
+```gremlin
g.withStrategies(ProjectionStrategy.build().IncludeSystemProperties('_ts').create()) ``` ## E-Tag
-This property is used for optimistic concurrency control. If application needs to break operation into a few separate traversals, it can use eTag property to avoid data loss in concurrent writes.
+This property is used for optimistic concurrency control. If an application needs to break an operation into separate traversals, use the eTag property to avoid data loss in concurrent writes.
-```console
+```gremlin
g.withStrategies(ProjectionStrategy.build().IncludeSystemProperties('_etag').create()).V('1').has('_etag', '"00000100-0000-0800-0000-5d03edac0000"').property('test', '1') ``` ## Time-to-live (TTL)
-If collection has document expiration enabled and documents have `ttl` property set on them, then this property will be available in Gremlin traversal as a regular vertex or edge property. `ProjectionStrategy` isn't necessary to enable time-to-live property exposure.
+If a graph has document expiration enabled and documents have `ttl` property set on them, then this property is available in Gremlin traversal as a regular vertex or edge property. `ProjectionStrategy` isn't necessary to enable time-to-live property exposure.
+
+- Use the following command to set time-to-live on a new vertex:
-* Use the following command to set time-to-live on a new vertex:
+ ```gremlin
+ g.addV(<ID>).property('ttl', <expirationTime>)
+ ```
- ```console
- g.addV(<ID>).property('ttl', <expirationTime>)
- ```
+ For example, a vertex created with the following traversal is automatically deleted after *123 seconds*:
- For example, a vertex created with the following traversal is automatically deleted after *123 seconds*:
+ ```gremlin
+ g.addV('vertex-one').property('ttl', 123)
+ ```
- ```console
- g.addV('vertex-one').property('ttl', 123)
- ```
+- Use the following command to set time-to-live on an existing vertex:
-* Use the following command to set time-to-live on an existing vertex:
+ ```gremlin
+ g.V().hasId(<ID>).has('pk', <pk>).property('ttl', <expirationTime>)
+ ```
- ```console
- g.V().hasId(<ID>).has('pk', <pk>).property('ttl', <expirationTime>)
- ```
+- Applying the time-to-live property on vertices doesn't automatically apply it to associated edges. This behavior occurs because edges are independent records in the database store. Use the following command to set time-to-live on vertices and all the incoming and outgoing edges of the vertex:
-* Applying time-to-live property on vertices does not automatically apply it to edges. Because edges are independent records in the database store. Use the following command to set time-to-live on vertices and all the incoming and outgoing edges of the vertex:
+ ```gremlin
+ g.V().hasId(<ID>).has('pk', <pk>).as('v').bothE().hasNot('ttl').property('ttl', <expirationTime>)
+ ```
- ```console
- g.V().hasId(<ID>).has('pk', <pk>).as('v').bothE().hasNot('ttl').property('ttl', <expirationTime>)
- ```
+> [!NOTE]
+> You can set time to Live (TTL) on the container to `-1` or to **On (no default)** from the Azure portal. Then, the TTL is infinite for any item unless the item has a TTL value explicitly set.
-You can set TTL on the container to -1 or set it to **On (no default)** from Azure portal, then the TTL is infinite for any item unless the item has TTL value explicitly set.
+## Next step
-## Next steps
-* [Azure Cosmos DB Optimistic Concurrency](../faq.yml#how-does-the-api-for-nosql-provide-concurrency-)
-* [Time to Live (TTL)](../time-to-live.md) in Azure Cosmos DB
+> [!div class="nextstepaction"]
+> [Time to Live (TTL) in Azure Cosmos DB](../time-to-live.md)
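Review bot: The new "Next step" block drops the "Azure Cosmos DB Optimistic Concurrency" link, yet the E-Tag section still tells readers to use the eTag property for optimistic concurrency control, so that guidance now has no pointer to how the check behaves. Keep the link, inline in the E-Tag section if the single next-step format has to stay. The product name is also inconsistent across the added lines: the heading and description say "Azure Cosmos DB for Apache Gremlin" while the rewritten intro says "Azure Cosmos DB for Gremlin". The added note writes "time to Live (TTL)" with mixed capitalization, and the TTL paragraph says "a graph" but keeps "documents" where the intro now says "item".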
cosmos-db High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/high-availability.md
Service-managed failover allows Azure Cosmos DB to fail over the write region of
> [!IMPORTANT] > If you have chosen single-region write configuration with multiple read regions, we strongly recommend that you configure the Azure Cosmos DB accounts used for production workloads to *enable service-managed failover*. This configuration enables Azure Cosmos DB to fail over the account databases to available regions. > In the absence of this configuration, the account will experience loss of write availability for the whole duration of the write region outage. Manual failover won't succeed because of a lack of region connectivity.
->
+
+> [!WARNING]
+> Even with service-managed failover enabled, partial outage may require manual intervention for the Azure Cosmos DB service team. In these scenarios, it may take up to 1 hour (or more) for failover to take effect. For better write availability during partial outages, we recommend enabling availability zones in addition to service-managed failover.
+ ### Multiple write regions
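Review bot: In the added warning, "manual intervention for the Azure Cosmos DB service team" should read "by the Azure Cosmos DB service team", and "up to 1 hour (or more)" states an upper bound and withdraws it in the same phrase. Say "1 hour or more", or give a typical figure, because readers will use this number to set recovery-time expectations for write availability. "Partial outage" also needs an article or a plural.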
The following table summarizes the high-availability capabilities of various acc
* Review the expected [behavior of the Azure Cosmos DB SDKs](troubleshoot-sdk-availability.md) during events and which configurations affect it.
-* To ensure high write and read availability, configure your Azure Cosmos DB account to span at least two regions (or three, if you're using strong consistency). Remember that the best configuration to achieve high availability for a region outage is a single write region with service-managed failover. To learn more, see [Tutorial: Set up Azure Cosmos DB global distribution using the API for NoSQL](nosql/tutorial-global-distribution.md).
+* To ensure high write and read availability, configure your Azure Cosmos DB account to span at least two regions (or three, if you're using strong consistency). To learn more, see [Tutorial: Set up Azure Cosmos DB global distribution using the API for NoSQL](nosql/tutorial-global-distribution.md).
* For multiple-region Azure Cosmos DB accounts that are configured with a single write region, [enable service-managed failover by using the Azure CLI or the Azure portal](how-to-manage-database-account.md#automatic-failover). After you enable service-managed failover, whenever there's a regional disaster, Azure Cosmos DB will fail over your account without any user input.
cosmos-db Concepts Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/concepts-authentication.md
Previously updated : 11/07/2023 Last updated : 02/06/2024 # Microsoft Entra ID and PostgreSQL authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)]
-> [!IMPORTANT]
-> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended
-> for production workloads. Certain features might not be supported or might have constrained
-> capabilities.
->
-> You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview).
- Azure Cosmos DB for PostgreSQL supports PostgreSQL authentication and integration with Microsoft Entra ID. Each Azure Cosmos DB for PostgreSQL cluster is created with native PostgreSQL authentication enabled and one built-in PostgreSQL role named `citus`. You can add more native PostgreSQL roles after cluster provisioning is completed. You can also enable Microsoft Entra ID (formerly Azure Active Directory) authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart.
Notably, the `citus` role has some restrictions:
`citus` role can't be deleted but would be disabled if 'Microsoft Entra ID authentication only' authentication method is selected on cluster. <a name='azure-active-directory-authentication-preview'></a>
+<a name='microsoft-entra-id-authentication-preview'></a>
-## Microsoft Entra ID authentication (preview)
+## Microsoft Entra ID authentication
[Microsoft Entra ID](/entra/fundamentals/whatis) (formerly Azure Active Directory) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra ID authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
Benefits of using Microsoft Entra ID include:
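Review bot: The heading drops "(preview)" but the anchor added for it is named `microsoft-entra-id-authentication-preview`, so every link to the now generally available section, including the February 2024 entry in product-updates.md, carries "preview" in its URL. Suggest adding a plain `microsoft-entra-id-authentication` anchor for new links and keeping the two `-preview` names only as legacy targets so existing links do not break.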
### Manage PostgreSQL access for Microsoft Entra ID principals
-When Microsoft Entra ID authentication is enabled and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra ID administrator sign-in can be a Microsoft Entra ID user, Service Principal or Managed Identity. Multiple Microsoft Entra ID administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
+When Microsoft Entra ID authentication is enabled and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra ID administrator sign-in can be a Microsoft Entra ID user, Service Principal, or Managed Identity. Multiple Microsoft Entra ID administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
-Additionally, any number of non-admin Microsoft Entra ID roles can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Database permissions for non-admin Microsoft Entra ID roles are managed similar to regular roles.
+Additionally, any number of nonadmin Microsoft Entra ID roles can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Database permissions for nonadmin Microsoft Entra ID roles are managed similar to regular roles.
<a name='connect-using-azure-ad-identities'></a>
Once you've authenticated against the Microsoft Entra ID, you then retrieve a to
## Next steps -- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication)
+- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#microsoft-entra-id-authentication)
- [Learn how to configure authentication for Azure Cosmos DB for PostgreSQL clusters](./how-to-configure-authentication.md) - Set up private network access to the cluster nodes, see [Manage private access](./howto-private-access.md) - Set up public network access to the cluster nodes, see [Manage public access](./howto-manage-firewall-using-portal.md)
cosmos-db How To Configure Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/how-to-configure-authentication.md
Previously updated : 11/06/2023 Last updated : 02/06/2024 # Use Microsoft Entra ID and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)]
-> [!IMPORTANT]
-> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
-> This preview version is provided without a service level agreement, and it's not recommended
-> for production workloads. Certain features might not be supported or might have constrained
-> capabilities.
->
-> You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview).
- In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. You manage Microsoft Entra ID admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use a Microsoft Entra ID token with Azure Cosmos DB for PostgreSQL. An Azure Cosmos DB for PostgreSQL cluster is created with one built-in native PostgreSQL role named 'citus'. You can add more native PostgreSQL roles after cluster provisioning is completed.
You need to use Azure portal to configure authentication methods on an Azure Cos
Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Microsoft Entra ID authentication and native PostgreSQL authentication. 1. On the cluster page, under the **Cluster management** heading, choose **Authentication** to open authentication management options.
-1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra ID authentication (preview)**, or **PostgreSQL and Microsoft Entra ID authentication (preview)** as the authentication method based on your requirements.
+1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra ID authentication**, or **PostgreSQL and Microsoft Entra ID authentication** as the authentication method based on your requirements.
-Once done proceed with [configuring Microsoft Entra ID authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page.
+Once done proceed with [configuring Microsoft Entra ID authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on the same **Authentication** page.
<a name='configure-azure-active-directory-authentication'></a>
Users need to be allowed to sign in to Azure Cosmos DB for PostgreSQL in the Mic
1. Open 'Microsoft Entra ID' service. 1. On the **Overview** page of Microsoft Entra ID service in the **Overview** section, search for 'b4fa09d8-5da5-4352-83d9-05c2a44cf431' application ID. 1. Choose 'Azure Cosmos DB for PostgreSQL AAD Authentication' enterprise application in the search results.
-1. In the Azure Cosmos DB for PostgreSQL AAD Authentication enterprise application, choose **Properties** page.
+1. In the **Azure Cosmos DB for PostgreSQL AAD Authentication** enterprise application, choose **Properties** page.
1. Set **Enabled for users to sign-in?** to **Yes** and save the change. # [Azure CLI](#tab/cli)
az ad sp update --id b4fa09d8-5da5-4352-83d9-05c2a44cf431 --set accountEnabled=t
```
+> [!NOTE]
+> Editing enterprise application's properties such as 'Enabled for users to sign-in' requires permissions granted to the Global Administrator, Cloud Application Administrator, or Application Administrator roles. See [the list of built-in Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference).
+ ### Add Microsoft Entra ID admins to Azure Cosmos DB for PostgreSQL cluster To add or remove Microsoft Entra ID roles on cluster, follow these steps on **Authentication** page:
-1. In **Microsoft Entra ID authentication (preview)** section, select **Add Microsoft Entra ID admins**.
+1. In **Microsoft Entra ID authentication** section, select **Add Microsoft Entra ID admins**.
1. In **Select Microsoft Entra ID Admins** panel, select one or more valid Microsoft Entra ID user or enterprise application in the current AD tenant to be a Microsoft Entra ID administrator on your Azure Cosmos DB for PostgreSQL cluster. 1. Use **Select** to confirm your choice. 1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding native PostgreSQL roles.
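Review bot: The added [!NOTE] lists Global Administrator first among the roles that can change 'Enabled for users to sign-in'. The note itself says Cloud Application Administrator and Application Administrator carry the permission too, so suggest leading with those and naming Global Administrator last, to avoid steering readers toward the most privileged role for a single enterprise-application property.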
az login
The command opens a browser window to the Microsoft Entra ID authentication page. It requires you to give your Microsoft Entra ID user name and password.
+The user account name you use to authenticate (for example, user@tenant.onmicrosoft.com) is the one the access token will be generated for in the next step.
+ <a name='retrieve-the-azure-ad-access-token'></a> ### Retrieve the Microsoft Entra ID access token
The command opens a browser window to the Microsoft Entra ID authentication page
Use the Azure CLI to acquire an access token for the Microsoft Entra ID authenticated user to access Azure Cosmos for PostgreSQL. Here's an example: ```azurecli-interactive
-az account get-access-token --resource https://postgres.cosmos.azure.com
+az account get-access-token --resource https://token.postgres.cosmos.azure.com
``` After authentication is successful, Microsoft Entra ID returns an access token for current Azure subscription:
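Review bot: The token resource changes to `https://token.postgres.cosmos.azure.com` here, but the psql section further down still requests the token with `--resource-type oss-rdbms`. Please confirm both forms return a token the cluster accepts, or use one form in both places, because a reader who copies the later command after reading this one cannot tell which audience is the supported one.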
After authentication is successful, Microsoft Entra ID returns an access token f
} ```
-The TOKEN is a Base64 string. It encodes all the information about the authenticated user and is targeted to the Azure Cosmos DB for PostgreSQL service. The token is valid for at least 5 minutes with the maximum of 90 minutes. The expiresOn defines actual token expiration time.
+The TOKEN is a Base64 string. It encodes all the information about the authenticated user and is associated with the Azure Cosmos DB for PostgreSQL service. The token is valid for at least 5 minutes with the maximum of 90 minutes. The **expiresOn** defines actual token expiration time.
### Use a token as a password for signing in with client psql
export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --quer
> or clear the PGPASSWORD variable value to enter the password interactively. > Authentication would fail with the wrong value in PGPASSWORD.
-Now you can initiate a connection with Azure Cosmos DB for PostgreSQL as you usually would (without 'password' parameter in the command line):
+Now you can initiate a connection with Azure Cosmos DB for PostgreSQL using the Microsoft Entra ID user account that the access token was generated for. You would do it as you usually would with the user account as the user and without 'password' parameter in the command line:
```sql psql "host=mycluster.[uniqueID].postgres.cosmos.azure.com user=user@tenant.onmicrosoft.com dbname=[db_name] sslmode=require"
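Review bot: The rewritten sentence "You would do it as you usually would with the user account as the user" is hard to parse; suggest "Connect as usual, passing that account as `user` and omitting the `password` parameter". The example that follows is a psql command line but is fenced as sql, so it should be tagged as a shell block. Since this section places the token in PGPASSWORD, one sentence telling readers to handle the token as a credential until **expiresOn** passes would also fit here.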
cosmos-db Product Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/product-updates.md
Previously updated : 01/21/2024 Last updated : 02/06/2024 # Product updates for Azure Cosmos DB for PostgreSQL
Updates that donΓÇÖt directly affect the internals of a cluster are rolled out g
Updates that change cluster internals, such as installing a [new minor PostgreSQL version](https://www.postgresql.org/developer/roadmap/), are delivered to existing clusters as part of the next [scheduled maintenance](concepts-maintenance.md) event. Such updates are available immediately to newly created clusters.
+### February 2024
+* General availability: [Microsoft Entra authentication](./concepts-authentication.md#microsoft-entra-id-authentication-preview) is now supported in addition to Postgres roles in [all supported regions](./resources-regions.md).
+ ### January 2024 * General availability: [32 TiB storage per node for multi-node configurations](./resources-compute.md#multi-node-cluster) in all supported regions. * See [how to get the most out of storage](./resources-compute.md#maximum-iops-for-your-compute--storage-configuration)
Updates that change cluster internals, such as installing a [new minor PostgreSQ
* General availability: Citus 12 is now available in [all supported regions](./resources-regions.md) with PostgreSQL 14 and PostgreSQL 15. * Check [what's new in Citus 12](https://www.citusdata.com/updates/v12-0/). * See [Postgres and Citus version in-place upgrade](./concepts-upgrade.md).
-* Preview: [Microsoft Entra authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) is now supported in addition to Postgres roles.
+* Preview: [Microsoft Entra authentication](./concepts-authentication.md#microsoft-entra-id-authentication-preview) is now supported in addition to Postgres roles.
* Preview: Azure CLI is now supported for all Azure Cosmos DB for PostgreSQL management operations. * See [details](/cli/azure/cosmosdb/postgres).
might have capabilities with limitations. For more information, see
[Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
-* [Microsoft Entra ID authentication](./concepts-authentication.md#azure-active-directory-authentication-preview)
+* There are no features in preview at this time.
## Contact us
cosmos-db How To Use Php https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/how-to-use-php.md
- Title: Use Azure Storage Table service or Azure Cosmos DB for Table from PHP
-description: Store structured data in the cloud using Azure Table storage or the Azure Cosmos DB for Table from PHP.
----- Previously updated : 07/23/2020-
-# How to use Azure Storage Table service or the Azure Cosmos DB for Table from PHP
--
-> [!WARNING]
-> This project is in the [community support](https://azure.github.io/azure-sdk/policies_support.html#package-lifecycle) stage of it's lifecycle. Eventually, all associated client libraries will be retired permanently. For more details on the retirement and alternatives to using this project, see [Retirement notice: Azure Storage PHP client libraries](https://azure.microsoft.com/updates/retirement-notice-the-azure-storage-php-client-libraries-will-be-retired-on-17-march-2024/).
--
-This article shows you how to create tables, store your data, and perform CRUD operations on the data. Choose either the Azure Table service or the Azure Cosmos DB for Table. The samples are written in PHP and use the [Azure Storage Table PHP Client Library][download]. The scenarios covered include **creating and deleting a table**, and **inserting, deleting, and querying entities in a table**. For more information on the Azure Table service, see the [Next steps](#next-steps) section.
-
-## Create an Azure service account
--
-**Create an Azure storage account**
--
-**Create an Azure Cosmos DB for Table account**
--
-## Create a PHP application
-
-The only requirement to create a PHP application to access the Storage Table service or Azure Cosmos DB for Table is to reference classes in the azure-storage-table SDK for PHP from within your code. You can use any development tools to create your application, including Notepad.
-
-In this guide, you use Storage Table service or Azure Cosmos DB features that can be called from within a PHP application locally, or in code running within an Azure web role, worker role, or website.
-
-## Get the client library
-
-1. Create a file named composer.json in the root of your project and add the following code to it:
- ```json
- {
- "require": {
- "microsoft/azure-storage-table": "*"
- }
- }
- ```
-2. Download [composer.phar](https://getcomposer.org/composer.phar) in your root.
-3. Open a command prompt and execute the following command in your project root:
- ```
- php composer.phar install
- ```
- Alternatively, go to the [Azure Storage Table PHP Client Library](https://github.com/Azure/azure-storage-php/tree/master/azure-storage-table) on GitHub to clone the source code.
-
-## Add required references
-
-To use the Storage Table service or Azure Cosmos DB APIs, you must:
-
-* Reference the autoloader file using the [require_once][require_once] statement, and
-* Reference any classes you use.
-
-The following example shows how to include the autoloader file and reference the **TableRestProxy** class.
-
-```php
-require_once 'vendor/autoload.php';
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-```
-
-In the examples below, the `require_once` statement is always shown, but only the classes necessary for the example to execute are referenced.
-
-## Add your connection string
-
-You can either connect to the Azure storage account or the Azure Cosmos DB for Table account. Get the connection string based on the type of account you are using.
-
-### Add a Storage Table service connection
-
-To instantiate a Storage Table service client, you must first have a valid connection string. The format for the Storage Table service connection string is:
-
-```php
-$connectionString = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]"
-```
-
-### Add a Storage Emulator connection
-
-To access the emulator storage:
-
-```php
-UseDevelopmentStorage = true
-```
-
-### Add an Azure Cosmos DB connection
-
-To instantiate an Azure Cosmos DB Table client, you must first have a valid connection string. The format for the Azure Cosmos DB connection string is:
-
-```php
-$connectionString = "DefaultEndpointsProtocol=[https];AccountName=[myaccount];AccountKey=[myaccountkey];TableEndpoint=[https://myendpoint/]";
-```
-
-To create an Azure Table service client or Azure Cosmos DB client, you need to use the **TableRestProxy** class. You can:
-
-* Pass the connection string directly to it or
-* Use the **CloudConfigurationManager (CCM)** to check multiple external sources for the connection string:
- * By default, it comes with support for one external source - environmental variables.
- * You can add new sources by extending the `ConnectionStringSource` class.
-
-For the examples outlined here, the connection string is passed directly.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-
-$tableClient = TableRestProxy::createTableService($connectionString);
-```
-
-## Create a table
-
-A **TableRestProxy** object lets you create a table with the **createTable** method. When creating a table, you can set the Table service timeout. (For more information about the Table service timeout, see [Setting Timeouts for Table Service Operations][table-service-timeouts].)
-
-```php
-require_once 'vendor\autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create Table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Create table.
- $tableClient->createTable("mytable");
-}
-catch(ServiceException $e){
- $code = $e->getCode();
- $error_message = $e->getMessage();
- // Handle exception based on error codes and messages.
- // Error codes and messages can be found here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
-}
-```
-
-For information about restrictions on table names, see [Understanding the Table Service Data Model][table-data-model].
-
-## Add an entity to a table
-
-To add an entity to a table, create a new **Entity** object and pass it to **TableRestProxy->insertEntity**. Note that when you create an entity, you must specify a `PartitionKey` and `RowKey`. These are the unique identifiers for an entity and are values that can be queried much faster than other entity properties. The system uses `PartitionKey` to automatically distribute the table's entities over many Storage nodes. Entities with the same `PartitionKey` are stored on the same node. (Operations on multiple entities stored on the same node perform better than on entities stored across different nodes.) The `RowKey` is the unique ID of an entity within a partition.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$entity = new Entity();
-$entity->setPartitionKey("tasksSeattle");
-$entity->setRowKey("1");
-$entity->addProperty("Description", null, "Take out the trash.");
-$entity->addProperty("DueDate",
- EdmType::DATETIME,
- new DateTime("2012-11-05T08:15:00-08:00"));
-$entity->addProperty("Location", EdmType::STRING, "Home");
-
-try{
- $tableClient->insertEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
-}
-```
-
-For information about Table properties and types, see [Understanding the Table Service Data Model][table-data-model].
-
-The **TableRestProxy** class offers two alternative methods for inserting entities: **insertOrMergeEntity** and **insertOrReplaceEntity**. To use these methods, create a new **Entity** and pass it as a parameter to either method. Each method will insert the entity if it does not exist. If the entity already exists, **insertOrMergeEntity** updates property values if the properties already exist and adds new properties if they do not exist, while **insertOrReplaceEntity** completely replaces an existing entity. The following example shows how to use **insertOrMergeEntity**. If the entity with `PartitionKey` "tasksSeattle" and `RowKey` "1" does not already exist, it will be inserted. However, if it has previously been inserted (as shown in the example above), the `DueDate` property is updated, and the `Status` property is added. The `Description` and `Location` properties are also updated, but with values that effectively leave them unchanged. If these latter two properties were not added as shown in the example, but existed on the target entity, their existing values would remain unchanged.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-//Create new entity.
-$entity = new Entity();
-
-// PartitionKey and RowKey are required.
-$entity->setPartitionKey("tasksSeattle");
-$entity->setRowKey("1");
-
-// If entity exists, existing properties are updated with new values and
-// new properties are added. Missing properties are unchanged.
-$entity->addProperty("Description", null, "Take out the trash.");
-$entity->addProperty("DueDate", EdmType::DATETIME, new DateTime()); // Modified the DueDate field.
-$entity->addProperty("Location", EdmType::STRING, "Home");
-$entity->addProperty("Status", EdmType::STRING, "Complete"); // Added Status field.
-
-try {
- // Calling insertOrReplaceEntity, instead of insertOrMergeEntity as shown,
- // would simply replace the entity with PartitionKey "tasksSeattle" and RowKey "1".
- $tableClient->insertOrMergeEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Retrieve a single entity
-
-The **TableRestProxy->getEntity** method allows you to retrieve a single entity by querying for its `PartitionKey` and `RowKey`. In the example below, the partition key `tasksSeattle` and row key `1` are passed to the **getEntity** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- $result = $tableClient->getEntity("mytable", "tasksSeattle", 1);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entity = $result->getEntity();
-
-echo $entity->getPartitionKey().":".$entity->getRowKey();
-```
-
-## Retrieve all entities in a partition
-
-Entity queries are constructed using filters (for more information, see [Querying Tables and Entities][filters]). To retrieve all entities in partition, use the filter "PartitionKey eq *partition_name*". The following example shows how to retrieve all entities in the `tasksSeattle` partition by passing a filter to the **queryEntities** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$filter = "PartitionKey eq 'tasksSeattle'";
-
-try {
- $result = $tableClient->queryEntities("mytable", $filter);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- echo $entity->getPartitionKey().":".$entity->getRowKey()."<br />";
-}
-```
-
-## Retrieve a subset of entities in a partition
-
-The same pattern used in the previous example can be used to retrieve any subset of entities in a partition. The subset of entities you retrieve are determined by the filter you use (for more information, see [Querying Tables and Entities][filters]).The following example shows how to use a filter to retrieve all entities with a specific `Location` and a `DueDate` less than a specified date.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$filter = "Location eq 'Office' and DueDate lt '2012-11-5'";
-
-try {
- $result = $tableClient->queryEntities("mytable", $filter);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- echo $entity->getPartitionKey().":".$entity->getRowKey()."<br />";
-}
-```
-
-## Retrieve a subset of entity properties
-
-A query can retrieve a subset of entity properties. This technique, called *projection*, reduces bandwidth and can improve query performance, especially for large entities. To specify a property to retrieve, pass the name of the property to the **Query->addSelectField** method. You can call this method multiple times to add more properties. After executing **TableRestProxy->queryEntities**, the returned entities will only have the selected properties. (If you want to return a subset of Table entities, use a filter as shown in the queries above.)
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\QueryEntitiesOptions;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$options = new QueryEntitiesOptions();
-$options->addSelectField("Description");
-
-try {
- $result = $tableClient->queryEntities("mytable", $options);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-
-// All entities in the table are returned, regardless of whether
-// they have the Description field.
-// To limit the results returned, use a filter.
-$entities = $result->getEntities();
-
-foreach($entities as $entity){
- $description = $entity->getProperty("Description")->getValue();
- echo $description."<br />";
-}
-```
-
-## Update an entity
-
-You can update an existing entity by using the **Entity->setProperty** and **Entity->addProperty** methods on the entity, and then calling **TableRestProxy->updateEntity**. The following example retrieves an entity, modifies one property, removes another property, and adds a new property. Note that you can remove a property by setting its value to **null**.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-$result = $tableClient->getEntity("mytable", "tasksSeattle", 1);
-
-$entity = $result->getEntity();
-$entity->setPropertyValue("DueDate", new DateTime()); //Modified DueDate.
-$entity->setPropertyValue("Location", null); //Removed Location.
-$entity->addProperty("Status", EdmType::STRING, "In progress"); //Added Status.
-
-try {
- $tableClient->updateEntity("mytable", $entity);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Delete an entity
-
-To delete an entity, pass the table name, and the entity's `PartitionKey` and `RowKey` to the **TableRestProxy->deleteEntity** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Delete entity.
- $tableClient->deleteEntity("mytable", "tasksSeattle", "2");
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-For concurrency checks, you can set the Etag for an entity to be deleted by using the **DeleteEntityOptions->setEtag** method and passing the **DeleteEntityOptions** object to **deleteEntity** as a fourth parameter.
-
-## Batch table operations
-
-The **TableRestProxy->batch** method allows you to execute multiple operations in a single request. The pattern here involves adding operations to **BatchRequest** object and then passing the **BatchRequest** object to the **TableRestProxy->batch** method. To add an operation to a **BatchRequest** object, you can call any of the following methods multiple times:
-
-* **addInsertEntity** (adds an insertEntity operation)
-* **addUpdateEntity** (adds an updateEntity operation)
-* **addMergeEntity** (adds a mergeEntity operation)
-* **addInsertOrReplaceEntity** (adds an insertOrReplaceEntity operation)
-* **addInsertOrMergeEntity** (adds an insertOrMergeEntity operation)
-* **addDeleteEntity** (adds a deleteEntity operation)
-
-The following example shows how to execute **insertEntity** and **deleteEntity** operations in a single request.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-use MicrosoftAzure\Storage\Table\Models\Entity;
-use MicrosoftAzure\Storage\Table\Models\EdmType;
-use MicrosoftAzure\Storage\Table\Models\BatchOperations;
-
-// Configure a connection string for Storage Table service.
-$connectionString = "DefaultEndpointsProtocol=[http|https];AccountName=[yourAccount];AccountKey=[yourKey]"
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-// Create list of batch operation.
-$operations = new BatchOperations();
-
-$entity1 = new Entity();
-$entity1->setPartitionKey("tasksSeattle");
-$entity1->setRowKey("2");
-$entity1->addProperty("Description", null, "Clean roof gutters.");
-$entity1->addProperty("DueDate",
- EdmType::DATETIME,
- new DateTime("2012-11-05T08:15:00-08:00"));
-$entity1->addProperty("Location", EdmType::STRING, "Home");
-
-// Add operation to list of batch operations.
-$operations->addInsertEntity("mytable", $entity1);
-
-// Add operation to list of batch operations.
-$operations->addDeleteEntity("mytable", "tasksSeattle", "1");
-
-try {
- $tableClient->batch($operations);
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-For more information about batching Table operations, see [Performing Entity Group Transactions][entity-group-transactions].
-
-## Delete a table
-
-Finally, to delete a table, pass the table name to the **TableRestProxy->deleteTable** method.
-
-```php
-require_once 'vendor/autoload.php';
-
-use MicrosoftAzure\Storage\Table\TableRestProxy;
-use MicrosoftAzure\Storage\Common\Exceptions\ServiceException;
-
-// Create table REST proxy.
-$tableClient = TableRestProxy::createTableService($connectionString);
-
-try {
- // Delete table.
- $tableClient->deleteTable("mytable");
-}
-catch(ServiceException $e){
- // Handle exception based on error codes and messages.
- // Error codes and messages are here:
- // https://learn.microsoft.com/rest/api/storageservices/Table-Service-Error-Codes
- $code = $e->getCode();
- $error_message = $e->getMessage();
- echo $code.": ".$error_message."<br />";
-}
-```
-
-## Next steps
-
-Now that you've learned the basics of the Azure Table service and Azure Cosmos DB, follow these links to learn more.
-
-* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux.
-
-* [PHP Developer Center](https://azure.microsoft.com/develop/php/).
-
-[download]: https://packagist.org/packages/microsoft/azure-storage-table
-[require_once]: https://php.net/require_once
-[table-service-timeouts]: /rest/api/storageservices/setting-timeouts-for-table-service-operations
-
-[table-data-model]: /rest/api/storageservices/Understanding-the-Table-Service-Data-Model
-[filters]: /rest/api/storageservices/Querying-Tables-and-Entities
-[entity-group-transactions]: /rest/api/storageservices/Performing-Entity-Group-Transactions
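Review bot: If any of these removed PHP samples is carried into a replacement article, the batch sample needs a fix first: the `$connectionString = "DefaultEndpointsProtocol=[http|https];..."` assignment has no terminating semicolon, so the block does not parse as written. The template should also offer `https` only rather than `[http|https]`, since the string carries the account key. Separately, the "Update an entity" text names **Entity->setProperty** while the sample calls `setPropertyValue`, and `getEntity("mytable", "tasksSeattle", 1)` passes an integer RowKey where the other samples pass strings.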
cosmos-db How To Use Ruby https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/table/how-to-use-ruby.md
- Title: Use Azure Cosmos DB for Table and Azure Table Storage with Ruby
-description: Store structured data in the cloud using Azure Table storage or the Azure Cosmos DB for Table.
--- Previously updated : 07/23/2020----
-# How to use Azure Table Storage and the Azure Cosmos DB for Table with Ruby
--
-> [!WARNING]
-> This project is in the [community support](https://azure.github.io/azure-sdk/policies_support.html#package-lifecycle) stage of it's lifecycle. Eventually, all associated client libraries will be retired permanently. For more details on the retirement and alternatives to using this project, see [Retirement notice: Azure Storage PHP client libraries](https://azure.microsoft.com/updates/retirement-notice-the-azure-storage-ruby-client-libraries-will-be-retired-on-13-september-2024/).
--
-This article shows you how to create tables, store your data, and perform CRUD operations on the data. Choose either the Azure Table service or the Azure Cosmos DB for Table. The samples described in this article are written in Ruby and uses the [Azure Storage Table Client Library for Ruby](https://github.com/azure/azure-storage-ruby/tree/master/table). The scenarios covered include create a table, delete a table, insert entities, and query entities from the table.
-
-## Create an Azure service account
--
-**Create an Azure storage account**
--
-**Create an Azure Cosmos DB account**
--
-## Add access to Azure storage or Azure Cosmos DB
-
-To use Azure Storage or Azure Cosmos DB, you must download and use the Ruby Azure package that includes a set of convenience libraries that communicate with the Table REST services.
-
-### Use RubyGems to obtain the package
-
-1. Use a command-line interface such as **PowerShell** (Windows), **Terminal** (Mac), or **Bash** (Unix).
-2. Type **gem install azure-storage-table** in the command window to install the gem and dependencies.
-
-### Import the package
-
-Use your favorite text editor, add the following to the top of the Ruby file where you intend to use Storage:
-
-```ruby
-require "azure/storage/table"
-```
-
-## Add your connection string
-
-You can either connect to the Azure storage account or the Azure Cosmos DB for Table account. Get the connection string based on the type of account you are using.
-
-### Add an Azure Storage connection
-
-The Azure Storage module reads the environment variables **AZURE_STORAGE_ACCOUNT** and **AZURE_STORAGE_ACCESS_KEY** for information required to connect to your Azure Storage account. If these environment variables are not set, you must specify the account information before using **Azure::Storage::Table::TableService** with the following code:
-
-```ruby
-Azure.config.storage_account_name = "<your Azure Storage account>"
-Azure.config.storage_access_key = "<your Azure Storage access key>"
-```
-
-To obtain these values from a classic or Resource Manager storage account in the Azure portal:
-
-1. Log in to the [Azure portal](https://portal.azure.com).
-2. Navigate to the Storage account you want to use.
-3. In the Settings blade on the right, click **Access Keys**.
-4. In the Access keys blade that appears, you'll see the access key 1 and access key 2. You can use either of these.
-5. Click the copy icon to copy the key to the clipboard.
-
-### Add an Azure Cosmos DB connection
-
-To connect to Azure Cosmos DB, copy your primary connection string from the Azure portal, and create a **Client** object using your copied connection string. You can pass the **Client** object when you create a **TableService** object:
-
-```ruby
-common_client = Azure::Storage::Common::Client.create(storage_account_name:'myaccount', storage_access_key:'mykey', storage_table_host:'mycosmosdb_endpoint')
-table_client = Azure::Storage::Table::TableService.new(client: common_client)
-```
-
-## Create a table
-
-The **Azure::Storage::Table::TableService** object lets you work with tables and entities. To create a table, use the **create_table()** method. The following example creates a table or prints the error if there is any.
-
-```ruby
-azure_table_service = Azure::Storage::Table::TableService.new
-begin
- azure_table_service.create_table("testtable")
-rescue
- puts $!
-end
-```
-
-## Add an entity to a table
-
-To add an entity, first create a hash object that defines your entity properties. Note that for every entity you must specify a **PartitionKey** and **RowKey**. These are the unique identifiers of your entities, and are values that can be queried much faster than your other properties. Azure Storage uses **PartitionKey** to automatically distribute the table's entities over many storage nodes. Entities with the same **PartitionKey** are stored on the same node. The **RowKey** is the unique ID of the entity within the partition it belongs to.
-
-```ruby
-entity = { "content" => "test entity",
- :PartitionKey => "test-partition-key", :RowKey => "1" }
-azure_table_service.insert_entity("testtable", entity)
-```
-
-## Update an entity
-
-There are multiple methods available to update an existing entity:
-
-* **update_entity():** Update an existing entity by replacing it.
-* **merge_entity():** Updates an existing entity by merging new property values into the existing entity.
-* **insert_or_merge_entity():** Updates an existing entity by replacing it. If no entity exists, a new one will be inserted:
-* **insert_or_replace_entity():** Updates an existing entity by merging new property values into the existing entity. If no entity exists, a new one will be inserted.
-
-The following example demonstrates updating an entity using **update_entity()**:
-
-```ruby
-entity = { "content" => "test entity with updated content",
- :PartitionKey => "test-partition-key", :RowKey => "1" }
-azure_table_service.update_entity("testtable", entity)
-```
-
-With **update_entity()** and **merge_entity()**, if the entity that you are updating doesn't exist then the update operation will fail. Therefore, if you want to store an entity regardless of whether it already exists, you should instead use **insert_or_replace_entity()** or **insert_or_merge_entity()**.
-
-## Work with groups of entities
-
-Sometimes it makes sense to submit multiple operations together in a batch to ensure atomic processing by the server. To accomplish that, you first create a **Batch** object and then use the **execute_batch()** method on **TableService**. The following example demonstrates submitting two entities with RowKey 2 and 3 in a batch. Notice that it only works for entities with the same PartitionKey.
-
-```ruby
-azure_table_service = Azure::TableService.new
-batch = Azure::Storage::Table::Batch.new("testtable",
- "test-partition-key") do
- insert "2", { "content" => "new content 2" }
- insert "3", { "content" => "new content 3" }
-end
-results = azure_table_service.execute_batch(batch)
-```
-
-## Query for an entity
-
-To query an entity in a table, use the **get_entity()** method, by passing the table name, **PartitionKey** and **RowKey**.
-
-```ruby
-result = azure_table_service.get_entity("testtable", "test-partition-key",
- "1")
-```
-
-## Query a set of entities
-
-To query a set of entities in a table, create a query hash object and use the **query_entities()** method. The following example demonstrates getting all the entities with the same **PartitionKey**:
-
-```ruby
-query = { :filter => "PartitionKey eq 'test-partition-key'" }
-result, token = azure_table_service.query_entities("testtable", query)
-```
-
-> [!NOTE]
-> If the result set is too large for a single query to return, a continuation token is returned that you can use to retrieve subsequent pages.
--
-## Query a subset of entity properties
-
-A query to a table can retrieve just a few properties from an entity. This technique, called "projection," reduces bandwidth and can improve query performance, especially for large entities. Use the select clause and pass the names of the properties you would like to bring over to the client.
-
-```ruby
-query = { :filter => "PartitionKey eq 'test-partition-key'",
- :select => ["content"] }
-result, token = azure_table_service.query_entities("testtable", query)
-```
-
-## Delete an entity
-
-To delete an entity, use the **delete_entity()** method. Pass in the name of the table that contains the entity, the PartitionKey, and the RowKey of the entity.
-
-```ruby
-azure_table_service.delete_entity("testtable", "test-partition-key", "1")
-```
-
-## Delete a table
-
-To delete a table, use the **delete_table()** method and pass in the name of the table you want to delete.
-
-```ruby
-azure_table_service.delete_table("testtable")
-```
-
-## Next steps
-
-* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux.
-* [Ruby Developer Center](https://azure.microsoft.com/develop/ruby/)
-* [Microsoft Azure Storage Table Client Library for Ruby](https://github.com/azure/azure-storage-ruby/tree/master/table)
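Review bot: The removed "Update an entity" list has the descriptions of **insert_or_merge_entity()** and **insert_or_replace_entity()** swapped (the merge variant is described as "replacing it" and the replace variant as "merging new property values"), so if this text is reused anywhere, correct that before it lands again. Two smaller inconsistencies in the same removed content: the WARNING links with the text "Retirement notice: Azure Storage PHP client libraries" to a URL about the Ruby client libraries, and the batch sample constructs `Azure::TableService.new` while every other sample uses `Azure::Storage::Table::TableService.new`.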
cost-management-billing Reservation Utilization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/reservation-utilization.md
To view reservation utilization, you must have Azure RBAC access to the reservat
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Go to [Reservations](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/ReservationsBrowseBlade).
-1. The list shows all the reservations where you have the Owner or Reader role. Each reservation shows the last known utilization percentage.
+1. The list shows all the reservations where you have the Owner or Reader role. You can also view all reservations in your Microsoft Entra tenant (directory) if you have Reservation administrator or reader role. Each reservation shows the last known utilization percentage.
1. Select the utilization percentage to see the utilization history and details. The following video shows an example. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4sYwk]
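Review bot: In the added sentence, "if you have Reservation administrator or reader role" leaves it unclear whether "reader" means a reservation-specific reader role or the generic Reader role named in the previous sentence. Because this sentence describes tenant-wide visibility, spell out both role names in full, add the missing article ("the ... role"), and say at which scope the role must be assigned.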
data-factory Configure Bcdr Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/configure-bcdr-azure-ssis-integration-runtime.md
Title: Configure Azure-SSIS integration runtime for business continuity and disa
description: This article describes how to configure Azure-SSIS integration runtime in Azure Data Factory with Azure SQL Database/Managed Instance failover group for business continuity and disaster recovery (BCDR). - ms.devlang: powershell
data-factory Connector Google Adwords https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-google-adwords.md
Previously updated : 12/22/2023 Last updated : 01/18/2024 # Copy data from Google Ads using Azure Data Factory or Synapse Analytics
Last updated 12/22/2023
This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Google Ads. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity. > [!Important]
-> It is highly recommended to [upgrade your Google Ads driver version](#upgrade-the-google-ads-driver-version).
+> Please kindly [upgrade your Google Ads driver version](#upgrade-the-google-ads-driver-version) before **February 18, 2024**. If not, connection will start to fail with an [error](connector-troubleshoot-google-ads.md#error-code-deprecatedgoogleadslegacydriverversion) because of the deprecation of the legacy driver.
## Supported capabilities
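Review bot: The added Important note opens with "Please kindly" and continues "If not, connection will start to fail", which reads as a request rather than a deadline. Suggest a direct form such as "Upgrade your Google Ads driver version before **February 18, 2024**. After that date, connections that use the legacy driver fail with an error", keeping the existing link on "error". The hard-coded date also needs a follow-up edit once it has passed.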
The following properties are supported for Google Ads linked service:
| Property | Description | Required | |: |: |: | | type | The type property must be set to: **GoogleAdWords** | Yes |
-| googleAdsApiVersion | The Google Ads API version that you use. You can refer this [article](https://developers.google.com/google-ads/api/docs/release-notes) for API version information.| Yes |
+| googleAdsApiVersion | The Google Ads API version that you use when you select the recommended driver version. You can refer this [article](https://developers.google.com/google-ads/api/docs/release-notes) for API version information.| Yes |
| clientCustomerID | The Client customer ID of the Ads account that you want to fetch report data for. | Yes | | loginCustomerID | The customer ID of the Google Ads manager account through which you want to fetch report data of specific customer.| No | | developerToken | The developer token associated with the manager account that you use to grant access to the Ads API. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | Yes |
-| authenticationType | The OAuth 2.0 authentication mechanism used for authentication. ServiceAuthentication can only be used on self-hosted IR. <br/>Allowed values are: **ServiceAuthentication**, **UserAuthentication** | Yes |
+| authenticationType | The OAuth 2.0 authentication mechanism used for authentication. <br/>Allowed values are: **ServiceAuthentication**, **UserAuthentication**. <br/>ServiceAuthentication can only be used on self-hosted IR. | Yes |
+|*For **UserAuthentication***:|||
| refreshToken | The refresh token obtained from Google for authorizing access to Ads for UserAuthentication. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | clientId | The client ID of the Google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No | | clientSecret | The client secret of the google application used to acquire the refresh token. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md). | No |
+|*For **ServiceAuthentication***:|||
| email | The service account email ID that is used for ServiceAuthentication and can only be used on self-hosted IR. | No | | privateKey | The service private key that is used for ServiceAuthentication for recommended driver version and can only be used on self-hosted IR. You can choose to mark this field as a SecureString to store it securely, or store password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from [Store credentials in Key Vault](store-credentials-in-key-vault.md).| No |
-| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address and can only be used on self-hosted IR. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
-| trustedCertPath | The full path of the .pem file containing trusted CA certificates for verifying the server when connecting over TLS. This property can only be set when using TLS on self-hosted IR. The default value is the cacerts.pem file installed with the IR. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
-| useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified PEM file. The default value is false. Specify this property when you use ServiceAuthentication for the legacy driver version. | No |
+|*For **ServiceAuthentication** using the legacy driver version*:|||
+| email | The service account email ID that is used for ServiceAuthentication and can only be used on self-hosted IR. | No |
+| keyFilePath | The full path to the `.p12` or `.json` key file that is used to authenticate the service account email address and can only be used on self-hosted IR. | No |
+| trustedCertPath | The full path of the .pem file containing trusted CA certificates for verifying the server when connecting over TLS. This property can only be set when using TLS on self-hosted IR. The default value is the cacerts.pem file installed with the IR. | No |
+| useSystemTrustStore | Specifies whether to use a CA certificate from the system trust store or from a specified PEM file. The default value is false. | No |
+ **Example:**
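Review bot: After this regrouping the properties table contains two `email` rows with identical descriptions, one under "For **ServiceAuthentication**" and one under "For **ServiceAuthentication** using the legacy driver version". The first group header does not say it applies to the recommended driver version, so a reader cannot tell which group to follow without reading the `privateKey` description. Suggest naming the first group "For **ServiceAuthentication** using the recommended driver version" and then dropping "for recommended driver version" from the `privateKey` row. Since `trustedCertPath` and `useSystemTrustStore` now appear only in the legacy group, it would help to state how the recommended driver verifies the server certificate.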
To upgrade your Google Ads driver version, you need update your linked service a
### Update the linked service configuration
-Create a new Google Ads linked service and configure it by referring to [Linked service properties](#linked-service-properties).
+In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](#linked-service-properties).
### Migrate from SQL to GAQL
Here are the concrete examples of the field name conversion:
| Segments | `DayOfWeek` | `segments.day_of_week` | | Metrics | `VideoViews` | `metrics.video_views` | +
+## Upgrade Google AdWords connector to Google Ads connector
+
+Upgrade your Google AdWords linked service to the latest Google Ads linked service following the steps below:
+
+1. Select **Recommended** as driver version to create a new Google Ads linked service and configure it by referring to [Linked service properties](connector-google-adwords.md#linked-service-properties).
+1. Update your pipelines that refer to the legacy Google AdWords linked service. Considering that the Google Ads linked service only supports using query to copy data, so:
+ 1. If your pipeline is directly retrieving data from the report of Google AdWords, find the corresponding resource name of Google Ads in the table below and use this [tool](https://developers.google.com/google-ads/api/fields/v15/overview_query_builder) to build the query.
+
+ | Google AdWords report| Google Ads resource |
+ || --|
+ | ACCOUNT_PERFORMANCE_REPORT | customer |
+ | AD_PERFORMANCE_REPORT | ad_group_ad |
+ | ADGROUP_PERFORMANCE_REPORT | ad_group |
+ | AGE_RANGE_PERFORMANCE_REPORT | age_range_view |
+ | AUDIENCE_PERFORMANCE_REPORT | campaign_audience_view,ad_group_audience_view |
+ | AUTOMATIC_PLACEMENTS_PERFORMANCE_REPORT | group_placement_view |
+ | BID_GOAL_PERFORMANCE_REPORT | bidding_strategy |
+ | BUDGET_PERFORMANCE_REPORT | campaign_budget |
+ | CALL_METRICS_CALL_DETAILS_REPORT | call_view |
+ | CAMPAIGN_AD_SCHEDULE_TARGET_REPORT | ad_schedule_view |
+ | CAMPAIGN_CRITERIA_REPORT | campaign_criterion |
+ | CAMPAIGN_PERFORMANCE_REPORT | campaign |
+ | CAMPAIGN_SHARED_SET_REPORT | campaign_shared_set |
+ | CAMPAIGN_LOCATION_TARGET_REPORT | location_view |
+ | CLICK_PERFORMANCE_REPORT | click_view |
+ | DISPLAY_KEYWORD_PERFORMANCE_REPORT | display_keyword_view |
+ | DISPLAY_TOPICS_PERFORMANCE_REPORT | topic_view |
+ | GENDER_PERFORMANCE_REPORT | gender_view |
+ | GEO_PERFORMANCE_REPORT | geographic_view,user_location_view |
+ | KEYWORDLESS_QUERY_REPORT | dynamic_search_ads_search_term_view |
+ | KEYWORDS_PERFORMANCE_REPORT | keyword_view |
+ | LABEL_REPORT | label |
+ | LANDING_PAGE_REPORT | landing_page_view,expanded_landing_page_view |
+ | PAID_ORGANIC_QUERY_REPORT | paid_organic_search_term_view |
+ | PARENTAL_STATUS_PERFORMANCE_REPORT | parental_status_view |
+ | PLACEHOLDER_FEED_ITEM_REPORT | feed_item,feed_item_target |
+ | PLACEHOLDER_REPORT | feed_placeholder_view |
+ | PLACEMENT_PERFORMANCE_REPORT | managed_placement_view |
+ | PRODUCT_PARTITION_REPORT | product_group_view |
+ | SEARCH_QUERY_PERFORMANCE_REPORT | search_term_view |
+ | SHARED_SET_CRITERIA_REPORT | shared_criterion |
+ | SHARED_SET_REPORT | shared_set |
+ | SHOPPING_PERFORMANCE_REPORT | shopping_performance_view |
+ | TOP_CONTENT_PERFORMANCE_REPORT | No longer available in the Google Ads API. |
+ | URL_PERFORMANCE_REPORT | detail_placement_view |
+ | USER_AD_DISTANCE_REPORT | distance_view |
+ | VIDEO_PERFORMANCE_REPORT | video |
+
+ 1. If the pipeline is using query to retrieve data from Google AdWords, use [Query Migration tool](https://developers.google.com/google-ads/scripts/docs/reference/query-migration-tool) to translate the AWQL (AdWords Query Language) into GAQL (Google Ads Query Language).
+
+1. Be aware that there are certain limitations with this upgrade:
+ 1. Not all report types from AWQL are supported in GAQL.
+ 1. Not all AWQL queries are cleanly translated to GAQL queries.
+ ## Related content For a list of data stores supported as sources and sinks by the copy activity, see [supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).
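Review bot: The query builder link in step 2.1 is pinned to `/fields/v15/`, while the linked service lets the user choose `googleAdsApiVersion`, so the link will point at the wrong field reference as soon as a different API version is selected or v15 is retired. Link to a version-neutral page or tell the reader to pick the matching version. The lead-in "Considering that the Google Ads linked service only supports using query to copy data, so:" is a fragment; "The Google Ads linked service only supports copying data by query, so:" reads cleanly. The TOP_CONTENT_PERFORMANCE_REPORT row is the only one with a sentence instead of a resource name and is the concrete case behind limitation 3.1, so reference it there.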
data-factory Connector Mariadb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-mariadb.md
Previously updated : 01/18/2024 Last updated : 02/07/2024
To learn details about the properties, check [Lookup activity](control-flow-look
Here are steps that help you upgrade your MariaDB driver version:
-1. Create a new MariaDB linked service and configure it by referring to [Linked service properties](connector-mariadb.md#linked-service-properties).
+1. In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](connector-mariadb.md#linked-service-properties).
1. The data type mapping for the latest MariaDB linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MariaDB](connector-mariadb.md#data-type-mapping-for-mariadb).
-1. More MariaDB versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mariadb.md#supported-capabilities).
+1. The latest driver version v2 supports more MariaDB versions. For more information, see [Supported capabilities](connector-mariadb.md#supported-capabilities).
## Related content
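Review bot: Step 3 now says "The latest driver version v2", but step 1 in the same list calls the option **Recommended**, and "v2" is not introduced anywhere in the visible text. Use one name throughout, or define it once, for example "the recommended driver version (v2)". Step 1 also needs an article: "In the **Edit linked service** page".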
data-factory Connector Mysql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-mysql.md
Previously updated : 01/16/2024 Last updated : 02/07/2024
To learn details about the properties, check [Lookup activity](control-flow-look
Here are steps that help you upgrade your MySQL driver version:
-1. Create a new MySQL linked service and configure it by referring toΓÇ»[Linked service properties](connector-mysql.md#linked-service-properties).
+1. In **Edit linked service** page, select **Recommended** under **Driver version** and configure the linked service by referring to [Linked service properties](connector-mysql.md#linked-service-properties).
1. The data type mapping for the latest MySQL linked service is different from that for the legacy version. To learn the latest data type mapping, see [Data type mapping for MySQL](connector-mysql.md#data-type-mapping-for-mysql).
-1. More MySQL versions are supported for the latest driver version. For more information, see [Supported capabilities](connector-mysql.md#supported-capabilities).
+1. The latest driver version v2 supports more MySQL versions. For more information, see [Supported capabilities](connector-mysql.md#supported-capabilities).
## Related content
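Review bot: Step 1 changes from creating a new linked service to switching the driver version on the existing one, yet step 2 still only says afterwards that the data type mapping differs from the legacy version. With an in-place edit, the reader has already changed the driver by the time they learn about the mapping change. Move the data type mapping step first, or add a sentence to step 1 telling the reader to review the mapping before selecting **Recommended**. The same ordering applies to the MariaDB hunk.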
data-factory Connector Salesforce Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-legacy.md
Previously updated : 01/08/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce using Azure Data Factory or Azure Synapse Analytics (legacy)
Last updated 01/08/2024
This article outlines how to use Copy Activity in Azure Data Factory and Azure Synapse pipelines to copy data from and to Salesforce. It builds on the [Copy Activity overview](copy-activity-overview.md) article that presents a general overview of the copy activity. >[!IMPORTANT]
->The service has released a new Salesforce connector which provides better native Salesforce support comparing to this ODBC-based implementation, refer to [Salesforce connector](connector-salesforce.md) article on details. This legacy Salesforce connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
+>The service has released a new Salesforce connector which provides better native Salesforce support, refer to [Salesforce connector](connector-salesforce.md) article on details. This legacy Salesforce connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
## Supported capabilities
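Review bot: With "comparing to this ODBC-based implementation" removed, "provides better native Salesforce support" no longer says better than what, and the sentence is now a comma splice ("...support, refer to..."). Suggest "The service has released a new Salesforce connector that provides better native Salesforce support than this legacy connector. For details, see the [Salesforce connector](connector-salesforce.md) article." The same wording recurs in the Salesforce Service Cloud (legacy) hunk.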
data-factory Connector Salesforce Service Cloud Legacy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-service-cloud-legacy.md
Previously updated : 01/15/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce Service Cloud using Azure Data Factory or Synapse Analytics (legacy)
Last updated 01/15/2024
This article outlines how to use Copy Activity in Azure Data Factory and Synapse Analytics pipelines to copy data from and to Salesforce Service Cloud. It builds on the [Copy Activity overview](copy-activity-overview.md) article that presents a general overview of the copy activity. >[!IMPORTANT]
->The service has released a new Salesforce Service Cloud connector which provides better native Salesforce Service Cloud support comparing to this ODBC-based implementation, refer to [Salesforce Service Cloud connector](connector-salesforce-service-cloud.md) article on details. This legacy Salesforce Service Cloud connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
+>The service has released a new Salesforce Service Cloud connector which provides better native Salesforce Service Cloud support, refer to [Salesforce Service Cloud connector](connector-salesforce-service-cloud.md) article on details. This legacy Salesforce Service Cloud connector is kept supported as-is for backward compatibility, while for any new workload, please use the new connector.
## Supported capabilities
data-factory Connector Salesforce Service Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce-service-cloud.md
Previously updated : 01/15/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce Service Cloud using Azure Data Factory or Azure Synapse Analytics
For a list of data stores that are supported as sources or sinks, see the [Suppo
Specifically, this Salesforce Service Cloud connector supports: - Salesforce Developer, Professional, Enterprise, or Unlimited editions.-- Copying data from and to custom domain.
+- Copying data from and to custom domain (Custom domain can be configured in both production and sanbox environments).
You can explicitly set the API version used to read/write data via [`apiVersion` property](#linked-service-properties) in linked service. When copying data to Salesforce Service Cloud, the connector uses BULK API 2.0.
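Review bot: The added bullet misspells "sandbox" as "sanbox" in "(Custom domain can be configured in both production and sanbox environments)". Fix the spelling, and consider moving the parenthetical into its own sentence with a lowercase "custom domain" so the bullet matches the one above it.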
You can explicitly set the API version used to read/write data via [`apiVersion`
> - The execution user must have the API Only permission. > - Access Token expire time could be changed through session policies instead of the refresh token.
-## Salesforce request limits
+## Salesforce Bulk API 2.0 Limits
-Salesforce has limits for both total API requests and concurrent API requests. Note the following points:
+We use Salesforce Bulk API 2.0 to query and ingest data. In Bulk API 2.0, batches are created for you automatically. You can submit up to **15,000** batches per rolling 24-hour period. If batches exceed the limit, you will see failures.
-- If the number of concurrent requests exceeds the limit, throttling occurs and you see random failures.-- If the total number of requests exceeds the limit, the Salesforce Service Cloud account is blocked for 24 hours.
+In Bulk API 2.0, only ingest jobs consume batches. Query jobs don't. For details, see [How Requests Are Processed in the Bulk API 2.0 Developer Guide](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/how_requests_are_processed.htm).
-You might also receive the "REQUEST_LIMIT_EXCEEDED" error message in both scenarios. For more information, see the "API request limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.218.0.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm).
+For more information, see the "General Limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_bulkapi.htm).
## Get started
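Review bot: The replacement paragraph says only "If batches exceed the limit, you will see failures", while the removed text named the error ("REQUEST_LIMIT_EXCEEDED") and covered the concurrent-request throttling case. State which error or message a pipeline run reports when the 15,000-batch limit is reached, and say whether the total and concurrent API request limits still apply to this connector, so operators can alert on the failure and triage it.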
The following properties are supported for the Salesforce Service Cloud linked s
|: |: |: | | type |The type property must be set to **SalesforceServiceCloudV2**. |Yes | | environmentUrl | Specify the URL of the Salesforce Service Cloud instance. <br>For example, specify `"https://<domainName>.my.salesforce.com"` to copy data from the custom domain. Learn how to configure or view your custom domain referring to this [article](https://help.salesforce.com/s/articleView?id=sf.domain_name_setting_login_policy.htm&type=5). |Yes |
+| authenticationType | Type of authentication used to connect to the Salesforce Service Cloud. <br/>The allowed value is **OAuth2ClientCredentials**. | Yes |
| clientId |Specify the client ID of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes | | clientSecret |Specify the client secret of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes |
-| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only support API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
+| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only supports API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. If not specified, it uses the default Azure Integration Runtime. | No | **Example: Store credentials**
The following properties are supported for the Salesforce Service Cloud linked s
"type": "SalesforceServiceCloudV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "SecureString",
The following properties are supported for the Salesforce Service Cloud linked s
"type": "SalesforceServiceCloudV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "AzureKeyVaultSecret",
data-factory Connector Salesforce https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-salesforce.md
Previously updated : 01/08/2024 Last updated : 01/26/2024 # Copy data from and to Salesforce using Azure Data Factory or Azure Synapse Analytics
For a list of data stores that are supported as sources or sinks, see the [Suppo
Specifically, this Salesforce connector supports: - Salesforce Developer, Professional, Enterprise, or Unlimited editions.-- Copying data from and to custom domain.
+- Copying data from and to custom domain (Custom domain can be configured in both production and sanbox environments).
You can explicitly set the API version used to read/write data via [`apiVersion` property](#linked-service-properties) in linked service. When copying data to Salesforce, the connector uses BULK API 2.0.
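Review bot: "sanbox" in the added custom-domain bullet should be "sandbox"; the same typo appears in the matching bullet of connector-salesforce-service-cloud.md, so fix both together.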
You can explicitly set the API version used to read/write data via [`apiVersion`
> - The execution user must have the API Only permission. > - Access Token expire time could be changed through session policies instead of the refresh token.
-## Salesforce request limits
+## Salesforce Bulk API 2.0 Limits
-Salesforce has limits for both total API requests and concurrent API requests. Note the following points:
+We use Salesforce Bulk API 2.0 to query and ingest data. In Bulk API 2.0, batches are created for you automatically. You can submit up to **15,000** batches per rolling 24-hour period. If batches exceed the limit, you will see failures.
-- If the number of concurrent requests exceeds the limit, throttling occurs and you see random failures.-- If the total number of requests exceeds the limit, the Salesforce account is blocked for 24 hours.
+In Bulk API 2.0, only ingest jobs consume batches. Query jobs don't. For details, see [How Requests Are Processed in the Bulk API 2.0 Developer Guide](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/how_requests_are_processed.htm).
-You might also receive the "REQUEST_LIMIT_EXCEEDED" error message in both scenarios. For more information, see the "API request limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.218.0.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm).
+For more information, see the "General Limits" section in [Salesforce developer limits](https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_bulkapi.htm).
## Get started
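Review bot: The new heading "## Salesforce Bulk API 2.0 Limits" uses title case, while the neighbouring headings visible here ("## Get started") and the heading it replaces ("## Salesforce request limits") use sentence case. Change it to "## Salesforce Bulk API 2.0 limits" to stay consistent within the article.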
The following properties are supported for the Salesforce linked service.
|: |: |: | | type |The type property must be set to **SalesforceV2**. |Yes | | environmentUrl | Specify the URL of the Salesforce instance. <br>For example, specify `"https://<domainName>.my.salesforce.com"` to copy data from the custom domain. Learn how to configure or view your custom domain referring to this [article](https://help.salesforce.com/s/articleView?id=sf.domain_name_setting_login_policy.htm&type=5). |Yes |
+| authenticationType | Type of authentication used to connect to the Salesforce. <br/>The allowed value is **OAuth2ClientCredentials**. | Yes |
| clientId |Specify the client ID of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes | | clientSecret |Specify the client secret of the Salesforce OAuth 2.0 Connected App. For more information, go to this [article](https://help.salesforce.com/s/articleView?id=sf.connected_app_client_credentials_setup.htm&type=5) |Yes |
-| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only support API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
+| apiVersion | Specify the Salesforce Bulk API 2.0 version to use, e.g. `52.0`. The Bulk API 2.0 only supports API version >= 47.0. To learn about Bulk API 2.0 version, see [article](https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_common_diff_two_versions.htm). If you use a lower API version, it will result in a failure. | Yes |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. If not specified, it uses the default Azure Integration Runtime. | No | **Example: Store credentials**
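Review bot: The new authenticationType row reads "Type of authentication used to connect to the Salesforce", which has a stray article; "used to connect to Salesforce" reads correctly. Because the row lists a single allowed value, it would also help to say here that clientId and clientSecret are the credentials this authentication type consumes, since the table otherwise leaves that link implicit.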
The following properties are supported for the Salesforce linked service.
"type": "SalesforceV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "SecureString",
The following properties are supported for the Salesforce linked service.
"type": "SalesforceV2", "typeProperties": { "environmentUrl": "<environment URL>",
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": "<client ID>", "clientSecret": { "type": "AzureKeyVaultSecret",
Note that by doing so, you will no longer be able to use the UI to edit settings
"type": "LinkedServiceReference" }, },
+ "authenticationType": "OAuth2ClientCredentials",
"clientId": { "type": "AzureKeyVaultSecret", "secretName": "<secret name of client ID in AKV>",
data-factory Connector Troubleshoot Google Ads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-troubleshoot-google-ads.md
+
+ Title: Troubleshoot the Google Ads connector
+
+description: Learn how to troubleshoot issues with the Google Ads connector in Azure Data Factory and Azure Synapse Analytics.
++++ Last updated : 01/19/2024++++
+# Troubleshoot the Google Ads connector in Azure Data Factory and Azure Synapse
++
+This article provides suggestions to troubleshoot common problems with the Google Ads connector in Azure Data Factory and Azure Synapse.
+
+## Error code: DeprecatedGoogleAdsLegacyDriverVersion
+
+- **Message**: `The Google Ads connectorΓÇÖs legacy driver has been deprecated. To ensure your pipeline works, please upgrade the driver version of Google Ads linked service. Detailed instructions can be found in this documentation: https://learn.microsoft.com/azure/data-factory/connector-google-adwords?tabs=data-factory#upgrade-the-google-ads-driver-version`
+
+- **Cause**: Your pipeline is still running on a legacy Google Ads connector's driver.
+
+- **Resolution**: Upgrade your Google Ads linked service's driver version to the Recommended version. Refer to this [article](connector-google-adwords.md#upgrade-the-google-ads-driver-version).
+
+
+## Error code: DeprecatedGoogleAdWordsOdbcConnector
+
+- **Message**: `The Google AdWords connector has been deprecated. To ensure your pipeline works, please create a new Google Ads linked service. Detailed instructions can be found in this documentation: https://learn.microsoft.com/azure/data-factory/connector-google-adwords#upgrade-google-adwords-connector-to-google-ads-connector`
+
+- **Cause**: Your pipeline is still running on a deprecated Google AdWords connector.
+
+- **Resolution**: Create a new Google Ads linked service. Refer to this [article](connector-google-adwords.md#upgrade-google-adwords-connector-to-google-ads-connector).
+
+## Related content
+
+For more troubleshooting help, try these resources:
+
+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)
+- [Data Factory blog](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/bg-p/AzureDataFactoryBlog)
+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)
+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)
+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)
+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
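Review bot: In the Related content list, "Data Factory feature requests" and "Microsoft Q&A page" both link to /answers/topics/azure-data-factory.html, so one of the two entries is redundant or has the wrong target. Point the feature-requests entry at the actual feedback page or drop it. The first Message string also shows a mis-encoded apostrophe in "connectorΓÇÖs"; if that is in the source file rather than this rendering, replace it with a plain apostrophe so the quoted error text can be matched by search.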
data-factory Copy Activity Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/copy-activity-performance.md
- Last updated 10/20/2023
data-factory Data Flow Sink https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-flow-sink.md
Mapping data flow follows an extract, load, and transform (ELT) approach and wor
| [Dataverse](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô | | [Dynamics 365](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô | | [Dynamics CRM](connector-dynamics-crm-office-365.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |
+| [Fabric Lakehouse](connector-microsoft-fabric-lakehouse.md#mapping-data-flow-properties) | | Γ£ô/Γ£ô |
| [SFTP](connector-sftp.md#mapping-data-flow-properties) | [Avro](format-avro.md#mapping-data-flow-properties) <br>[Delimited text](format-delimited-text.md#mapping-data-flow-properties) <br>[JSON](format-json.md#mapping-data-flow-properties) <br/>[ORC](format-orc.md#mapping-data-flow-properties)<br>[Parquet](format-parquet.md#mapping-data-flow-properties) | Γ£ô/Γ£ô <br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô <br>Γ£ô/Γ£ô<br>Γ£ô/Γ£ô| | [Snowflake](connector-snowflake.md) | | Γ£ô/Γ£ô | | [SQL Server](connector-sql-server.md) | | Γ£ô/Γ£ô |
data-factory Format Delta https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/format-delta.md
The below table lists the properties supported by a delta sink. You can edit the
| Format | Format must be `delta` | yes | `delta` | format | | File system | The container/file system of the delta lake | yes | String | fileSystem | | Folder path | The directory of the delta lake | yes | String | folderPath |
-| Compression type | The compression type of the delta table | no | `bzip2`<br>`gzip`<br>`deflate`<br>`ZipDeflate`<br>`snappy`<br>`lz4` | compressionType |
+| Compression type | The compression type of the delta table | no | `bzip2`<br>`gzip`<br>`deflate`<br>`ZipDeflate`<br>`snappy`<br>`lz4`<br>`TarGZip`<br>`tar` | compressionType |
| Compression level | Choose whether the compression completes as quickly as possible or if the resulting file should be optimally compressed. | required if `compressedType` is specified. | `Optimal` or `Fastest` | compressionLevel | | Vacuum | Deletes files older than the specified duration that is no longer relevant to the current table version. When a value of 0 or less is specified, the vacuum operation isn't performed. | yes | Integer | vacuum | | Table action | Tells ADF what to do with the target Delta table in your sink. You can leave it as-is and append new rows, overwrite the existing table definition and data with new metadata and data, or keep the existing table structure but first truncate all rows, then insert the new rows. | no | None, Truncate, Overwrite | deltaTruncate, overwrite |
data-factory Iterative Development Debugging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/iterative-development-debugging.md
-
data-factory Solution Template Extract Data From Pdf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/solution-template-extract-data-from-pdf.md
This article describes a solution template that you can use to extract data from
## About this solution template
-This template analyzes data from a PDF URL source using two Azure AI Document Intelligence calls. Then, it transforms the output to readable tables in a dataflow and outputs the data to a storage sink.
+This template analyzes data from a PDF URL source using two Azure AI Document Intelligence calls. Then, it transforms the output to readable tables in a dataflow and outputs the data to a storage sink.
This template contains two activities: -- **Web Activity** to call Azure AI Document Intelligence's layout model API
+- **Web Activity** to call Azure AI Document Intelligence's prebuilt read model API
- **Data flow** to transform extracted data from PDF
-This template defines 4 parameters:
-- *FormRecognizerURL* is the Azure AI Document Intelligence URL ("https://{endpoint}/formrecognizer/v2.1/layout/analyze"). Replace {endpoint} with the endpoint that you obtained with your Azure AI Document Intelligence subscription. You need to replace the default value with your own URL.-- *FormRecognizerKey* is the Azure AI Document Intelligence subscription key. You need to replace the default value with your own subscription key.-- *PDF_SourceURL* is the URL of your PDF source. You need to replace the default value with your own URL. -- *outputFolder* is the name of the folder path where you want your files to be in your destination store. You need to replace the default value with your own folder path.
+This template defines five parameters:
+- *CognitiveServicesURL* is the Azure AI Document Intelligence URL ("https://{endpoint}/formrecognizer/v2.1/layout/analyze"). Replace {endpoint} with the endpoint that you obtained with your Azure AI Document Intelligence subscription. You need to replace the default value with your own URL.
+- *CognitiveServicesKey* is the Azure AI Document Intelligence subscription key. You need to replace the default value with your own subscription key.
+- *PDF_SourceURL* is the URL of your PDF source. You need to replace the default value with your own URL.
+- *OutputContainer* is the name of the container path where you want your files to be in your destination store. You need to replace the default value with your own container.
+- *OutputFolder* is the name of the folder path where you want your files to be in your destination store. You need to replace the default value with your own folder path.
## Prerequisites
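Review bot: The Web Activity bullet now says the template calls the prebuilt read model API, but the CognitiveServicesURL description still gives the example URL "https://{endpoint}/formrecognizer/v2.1/layout/analyze", which is the layout path carried over from the old FormRecognizerURL text. Update the example URL to the endpoint the template actually calls, or revert the bullet to the layout model, so readers do not configure a URL that disagrees with the activity.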
This template defines 4 parameters:
1. Go to template **Extract data from PDF**. Create a **New** connection to your Azure AI Document Intelligence resource or choose an existing connection.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-1.png" alt-text="Screenshot of how to create a new connection or select an existing connection from a drop down menu to Azure AI Document Intelligence in template set up.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-1.png" alt-text="Screenshot of how to create a new connection or select an existing connection from a drop-down menu to an Azure AI Document Intelligence connection in template set-up.":::
- In your connection to Azure AI Document Intelligence, make sure to add a **Linked service Parameter**. You will need to use this parameter as your dynamic **Base URL**.
+ In your connection to Azure AI Document Intelligence, make sure to add a **Linked service Parameter**. You'll need to use this **url** parameter as your dynamic **Base URL**.
+ You will also need to add a new **Auth header** under **Auth headers**. The name should be **Ocp-Apim-Subscription-Key** and the value should be the key value you find from your Azure Resource.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-9.png" alt-text="Screenshot of where to add your Azure AI Document Intelligence linked service parameter.":::
-
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-8.png" alt-text="Screenshot of the linked service base URL that references the linked service parameter.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-3.png" alt-text="Screenshot of the linked service base URL that references the linked service parameter and Auth headers to add.":::
-2. Create a **New** connection to your destination storage store or choose an existing connection.
+3. Create a **New** connection to your destination storage store or choose an existing connection. The chosen destination is where the extracted PDF data is stored.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-2.png" alt-text="Screenshot of how to create a new connection or select existing connection from a drop down menu to your sink in template set up.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-4.png" alt-text="Screenshot of how to create a new connection or select existing connection from a drop-down menu to your sink in template set-up.":::
-3. Select **Use this template**.
+4. Select **Use this template**.
+
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-5.png" alt-text="Screenshot of how to complete the template by clicking use this template at the bottom of the screen.":::
+
+5. You should see the following pipeline.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-3.png" alt-text="Screenshot of how to complete the template by clicking use this template at the bottom of the screen.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-6.png" alt-text="Screenshot of pipeline view with web activity linking to a dataflow activity.":::
-4. You should see the following pipeline:
+6. Navigate to the **Data flow** activity and find **Settings**. Here you need to add dynamic content for your linked service **url** parameter. After clicking **Add dynamic content**, the Pipeline expression builder will open. Select **Cognitive Services - POST activity output**. Then, type or copy and paste ".output.ADFWebActivityResponseHeaders['Operation-Location']." You should see the following expression in your expression builder.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-4.png" alt-text="Screenshot of pipeline view with web activity linking to a dataflow activity.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of pipeline view of the dataflow activity settings.":::
-5. Select **Debug**.
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of the Pipeline expression builder with the dataflow dynamic content displayed.":::
+
+8. Click **OK** to return back to the pipeline.
+
+9. Next, select **Debug**.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-5.png" alt-text="Screenshot of how to Debug pipeline using the debug button on the top banner of the screen.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-9.png" alt-text="Screenshot of how to Debug pipeline using the debug button on the top banner of the screen.":::
-6. Enter parameter values, review results, and publish.
+10. Enter parameter values, review results, and publish.
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-6.png" alt-text="Screesnhot of where to enter pipeline debug parameters on a panel to the right.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-10.png" alt-text="Screesnhot of where to enter pipeline debug parameters on a panel to the right.":::
- :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-7.png" alt-text="Screenshot of the results that return when the pipeline is triggered.":::
+ :::image type="content" source="media/solution-template-extract-data-from-pdf/extract-data-from-pdf-11.png" alt-text="Screenshot of the results that return when the pipeline is triggered.":::
## Related content - [What's New in Azure Data Factory](whats-new.md)
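Review bot: The renumbered procedure skips steps 2 and 7 (the list runs 1, 3, 4, 5, 6, 8, 9, 10), and step 6 references extract-data-from-pdf-7.png twice with two different alt texts, one for the dataflow activity settings and one for the expression builder. Renumber the steps sequentially and point the second image at its own file (the unused -8.png looks like the intended one). The alt text on the -10.png line also still carries the "Screesnhot" typo from the line it replaces, and "return back" in step 8 can be just "return".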
data-factory Tutorial Bulk Copy Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-bulk-copy-portal.md
- Last updated 08/10/2023
data-factory Tutorial Control Flow Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-control-flow-portal.md
Title: Branching and chaining activities in a pipeline using Azure portal
+ Title: Copy data and send email notifications on success and failure
description: Learn how to control flow of data in Azure Data Factory pipeline by using the Azure portal.
Last updated 10/20/2023
-# Branching and chaining activities in an Azure Data Factory pipeline using the Azure portal
+# Copy data and send email notifications on success and failure
[!INCLUDE[appliesto-adf-xxx-md](includes/appliesto-adf-xxx-md.md)]
ddos-protection Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/alerts.md
- Last updated 08/07/2023
ddos-protection Ddos Configure Log Analytics Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-configure-log-analytics-workspace.md
- Last updated 08/07/2023
ddos-protection Ddos Diagnostic Alert Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-diagnostic-alert-templates.md
- Last updated 08/07/2023
ddos-protection Ddos Disaster Recovery Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-disaster-recovery-guidance.md
description: Learn what to do in the event of an Azure service disruption impact
- Last updated 11/06/2023
ddos-protection Ddos Pricing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-pricing-guide.md
- Last updated 07/19/2023
ddos-protection Ddos Protection Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-features.md
- Last updated 11/06/2023
ddos-protection Ddos Protection Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-overview.md
- Last updated 11/08/2023
ddos-protection Ddos Protection Reference Architectures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-protection-reference-architectures.md
- Last updated 06/15/2023
ddos-protection Ddos Rapid Response https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-rapid-response.md
- Last updated 11/06/2023
ddos-protection Ddos Response Strategy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-response-strategy.md
- Last updated 06/01/2023
ddos-protection Ddos View Alerts Defender For Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-alerts-defender-for-cloud.md
- Last updated 08/08/2023
In this tutorial you learned how to view DDoS protection alerts in Microsoft Def
> [!div class="nextstepaction"] > [Engage with Azure DDoS Rapid Response](ddos-rapid-response.md)
-> [components of a DDoS Rapid Response Strategy](ddos-response-strategy.md)
+> [components of a DDoS Rapid Response Strategy](ddos-response-strategy.md)
ddos-protection Ddos View Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/ddos-view-diagnostic-logs.md
- Last updated 08/08/2023
ddos-protection Diagnostic Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/diagnostic-logging.md
- Last updated 08/07/2023
ddos-protection Fundamental Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/fundamental-best-practices.md
- Last updated 10/06/2023
ddos-protection Inline Protection Glb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/inline-protection-glb.md
- Last updated 11/06/2023
ddos-protection Manage Ddos Ip Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-cli.md
description: Learn how to create Azure DDoS IP Protection using Azure CLI
-+ Last updated 04/04/2023-
ddos-protection Manage Ddos Ip Protection Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-portal.md
Title: 'Quickstart: Create and configure Azure DDoS IP Protection - Azure portal'
-description: Learn how to use Azure DDoS IP Protection to mitigate an attack.
+description: Learn how to use Azure DDoS IP Protection to mitigate an attack.
-+ Last updated 06/22/2023--
-# Customer intent As an IT admin, I want to learn how to enable DDoS IP Protection on my public IP address.
+ # Quickstart: Create and configure Azure DDoS IP Protection using Azure portal
ddos-protection Manage Ddos Ip Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-ip-protection-template.md
- Last updated 03/08/2023
ddos-protection Manage Ddos Protection Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-bicep.md
- Last updated 10/12/2022
ddos-protection Manage Ddos Protection Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-cli.md
- Last updated 05/23/2023
ddos-protection Manage Ddos Protection Powershell Ip https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell-ip.md
Last updated 04/04/2023-
ddos-protection Manage Ddos Protection Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-powershell.md
- Last updated 05/23/2023
ddos-protection Manage Ddos Protection Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-template.md
- Last updated 11/06/2023
ddos-protection Manage Ddos Protection Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection-terraform.md
description: In this article, you create and configure Azure DDoS Network Protec
- Last updated 4/14/2023
ddos-protection Manage Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-permissions.md
- Last updated 11/06/2023
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
description: Lists Azure Policy built-in policy definitions for Azure DDoS Prote
- Last updated 02/06/2024
ddos-protection Telemetry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/telemetry.md
- Last updated 11/06/2023
ddos-protection Test Through Simulations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/test-through-simulations.md
- Last updated 11/07/2023
ddos-protection Types Of Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/types-of-attacks.md
- Last updated 12/07/2023
dedicated-hsm Deployment Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/deployment-architecture.md
- Last updated 06/03/2022
dedicated-hsm High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/high-availability.md
- Last updated 03/25/2021
dedicated-hsm Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/monitoring.md
- Last updated 11/14/2022
dedicated-hsm Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/networking.md
- Last updated 03/25/2021
dedicated-hsm Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/overview.md
tags: azure-resource-manager - Last updated 03/25/2021
dedicated-hsm Physical Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/physical-security.md
- Last updated 03/25/2021
dedicated-hsm Supportability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/supportability.md
- Last updated 03/25/2021
dedicated-hsm Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dedicated-hsm/troubleshoot.md
tags: azure-resource-manager - Last updated 05/12/2022
defender-for-cloud Connect Azure Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/connect-azure-subscription.md
Title: Connect your Azure subscriptions description: Learn how to connect your Azure subscriptions to Microsoft Defender for Cloud Previously updated : 01/03/2024 Last updated : 02/08/2024
Microsoft Defender for Cloud is a cloud-native application protection platform (
- A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches - A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads
-Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) for free. You can add additional paid plans to secure all aspects of your cloud resources. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) for free. You can add additional paid plans to secure all aspects of your cloud resources. You can try Defender for Cloud for free for the first 30 days. After 30 days charges begin in accordance with the plans enabled in your environment. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
Defender for Cloud helps you find and fix security vulnerabilities. Defender for Cloud also applies access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
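Review bot: The added sentence "You can try Defender for Cloud for free for the first 30 days" follows directly after the statement that Foundational CSPM and Defender XDR access are free, so it is unclear whether the trial covers the paid plans, the free tier, or both. State explicitly that the 30-day trial applies to the paid plans, and mention the malware scanning exception in the same paragraph rather than only in the callout that follows, so a reader who skips the callout does not assume every plan is free for 30 days. Two small wording fixes: add a comma in "After 30 days, charges begin", and hyphenate "30-day trial" in the callout.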
defender-for-cloud Defender For Storage Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-introduction.md
Title: Microsoft Defender for Storage - the benefits and features description: Learn about the benefits and features of Microsoft Defender for Storage. Previously updated : 08/21/2023 Last updated : 02/08/2024
Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure
By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning will cease for the remaining blobs, with a 20-GB confidence interval. For configuration details, refer to [configure Defender for Storage](../storage/common/azure-defender-storage-configure.md).
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+ ### Enablement at scale with granular controls Microsoft Defender for Storage enables you to secure your data at scale with granular controls. You can apply consistent security policies across all your storage accounts within a subscription or customize them for specific accounts to suit your business needs. You can also control your costs by choosing the level of protection you need for each resource. To get started, visit [enable Defender for Storage](../storage/common/azure-defender-storage-configure.md).
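Review bot: The [!IMPORTANT] callout added after the capping paragraph is word for word the same text this update adds to connect-azure-subscription.md and defender-for-storage-malware-scan.md. Consider moving it to a shared include so the billing wording cannot drift between the three articles. In this article it also sits between the statement of the 5,000 GB default cap and the "Enablement at scale" heading; placing it before the cap paragraph would let readers see that scanning is billed from day one before they read how to limit it.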
defender-for-cloud Defender For Storage Malware Scan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-malware-scan.md
Title: Malware scanning in Microsoft Defender for Storage description: Learn about the benefits and features of malware scanning in Microsoft Defender for Storage. Previously updated : 09/10/2023 Last updated : 02/08/2024
Learn more about [setting up logging for malware scanning](advanced-configuratio
Malware scanning is billed per GB scanned. To provide cost predictability, Malware Scanning supports setting a cap on the amount of GB scanned in a single month per storage account.
+> [!IMPORTANT]
+> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+ The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective cost control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to a 20-GB deviation), and files wouldn't be scanned for malware. Updating the cap typically takes up to an hour to take effect. By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is defined.
By default, a limit of 5 TB (5,000 GB) is established if no specific capping mec
Follow [these steps](tutorial-enable-storage-plan.md#set-up-and-configure-microsoft-defender-for-storage) to configure the capping mechanism.
+## Additional costs of malware scanning
+
+Malware scanning uses other Azure services as its foundation. This means that when you enable Malware scanning, you will also be charged for the Azure services that it requires. These services include Azure Storage read operations, Azure Storage blob indexing and Azure Event Grid notifications.
+ ## Handling possible false positives and false negatives If you have a file that you suspect might be malware but isn't being detected (false negative) or is being incorrectly detected (false positive), you can submit it to us for analysis through the [sample submission portal](/microsoft-365/security/intelligence/submission-guide). Select ΓÇ£Microsoft Defender for StorageΓÇ¥ as the source.
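Review bot: The new "Additional costs of malware scanning" section does not say whether the monthly cap described just above limits these charges. The cap is defined in GB scanned, so as written a reader could assume that reaching the cap also bounds the Azure Storage read operations, blob indexing and Event Grid costs. Add one sentence stating whether those dependent-service charges fall under the cap, and link to the pricing pages for the three services so the cost can be estimated before enabling the feature.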
defender-for-cloud Prepare Deprecation Log Analytics Mma Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent.md
+
+ Title: Prepare for retirement of the Log Analytics agent
+description: Learn how to prepare for the deprecation of the Log Analytics (MMA) agent in Microsoft Defender for Cloud
+++ Last updated : 02/08/2024++
+# Prepare for retirement of the Log Analytics agent
+
+The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), [will retire in August 2024](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341). As a result, the Defender for Servers and Defender for SQL on machines plans in Microsoft Defender for Cloud will be updated, and features that rely on the Log Analytics agent will be redesigned.
+
+This article summarizes plans for agent retirement.
+
+## Preparing Defender for Servers
+
+The Defender for Servers plan uses the Log Analytics agent in general availability (GA) and in AMA for [some features](plan-defender-for-servers-agents.md) (in preview). Here's what's happening with these features going forward:
+
+To simplify onboarding, all Defender for Servers security features and capabilities will be provided with a single agent ([Microsoft Defender for Endpoint (MDE))](integration-defender-for-endpoint.md), complemented by [agentless machine scanning](concept-agentless-data-collection.md), without any dependency on Log Analytics agent or AMA. Note that: 
+
+- Defender for Servers features, which are based on AMA, are currently in preview and wonΓÇÖt be released in GA.ΓÇ»
+- Features in preview that rely on AMA will remain supported until an alternative version of the feature is provided, based on Defender for Endpoint integration or agentless machine scanning.
+- By enabling Defender for Endpoint integration and agentless machine scanning early, your Defender for Servers deployment stays up to date and supported.
+
+### Feature functionality
+
+The following table summarizes how Defender for Servers features will be provided. Most features are already generally available using Defender for Endpoint integration or agentless machine scanning. The rest of the features will either be available in GA by the time the MMA is retired, or will be deprecated.
+
+| Feature | Current support | New support | New experience status |
+|-|-|-|-|
+| Microsoft Defender for Endpoint (MDE) integration for down-level Windows machines (Windows Server 2016/2012 R2) | Legacy Defender for Endpoint sensor, based on the Log Analytics agent | [Unified agent integration](/microsoft-365/security/defender-endpoint/configure-server-endpoints) | - Functionality with the unified agent is GA.<br/>- Functionality with the legacy Defender for Endpoint sensor using the Log Analytics agent will be deprecated in August 2024. |
+| OS-level threat detection | Log Analytics agent | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent is GA. |
+| Adaptive application controls | Log Analytics agent (GA), AMA (Preview) | | The adaptive application control feature will be deprecated in August 2024. |
+| Endpoint protection discovery recommendations | Recommendations available in foundational CSPM and Defender for Servers, using the Log Analytics agent (GA), AMA (Preview)ΓÇ»| Agentless machine scanning | - Functionality with agentless machine scanning will be released to preview in February 2024 as part of Defender for Servers Plan 2 and the Defender CSPM plan.<br/>- Azure VMs, GCP instances, and AWS instances will be supported. On-premises machines wonΓÇÖt be supported. |
+| Missing OS update recommendation | Recommendations available in foundational CSPM and Defender for Servers using the Log Analytics agent. | Integration with Update Manager, Microsoft | New recommendations based on Azure Update Manager integration [are GA](release-notes-archive.md#two-recommendations-related-to-missing-operating-system-os-updates-were-released-to-ga), with no agent dependencies. |
+| OS misconfigurations (Microsoft Cloud Security Benchmark) | Recommendations available in foundational CSPM and Defender for Servers using the Log Analytics agent, Guest Configuration agent (Preview). | Microsoft Defender Vulnerability Management premium, as part of Defender for Servers Plan 2. | - Functionality based on integration with Microsoft Defender Vulnerability Management premium will be available in preview around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024<br/>- Functionality with Guest Configuration agent (Preview) will deprecate when the Microsoft Defender Vulnerability Management is available.<br/>- Support of this feature for Docker-hub and VMMS will be deprecated in Aug 2024. |
+| File integrity monitoring | Log Analytics agent, AMA (Preview) | Defender for Endpoint agent integration | Functionality with the Defender for Endpoint agent will be available around April 2024.<br/>- Functionality with the Log Analytics agent will be deprecated in August 2024.<br/>- Functionality with AMA will deprecate when the Defender for Endpoint integration is released. |
+
+The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers Plan 2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it.
+Learn more about how to [deploy AMA](/azure/azure-monitor/vm/monitor-virtual-machine-agent#agent-deployment-options).
+
+For SQL servers on machines, we recommend to [migrate to SQL server-targeted Azure Monitoring Agent's (AMA) autoprovisioning process](defender-for-sql-autoprovisioning.md).
+
+### Endpoint protection recommendations experience
+
+Endpoint discovery and recommendations are currently provided by Defender for Cloud foundational CSPM and the Defender for Servers plan using the Log Analytics agent in GA, or in preview via the AMA. This experience will be replaced by security recommendations that are gathered using agentless machine scanning.ΓÇ»
+
+Endpoint protection recommendations are constructed in two stages. The first stage is [EDR discovery](#edr-discovery) of an endpoint detection and response (EDR) solution. The second isΓÇ»[assessment](#edr-configuration-assessment) of the solutionΓÇÖs configuration. The following tables provide details of the current and new experiences for each stage.
+
+#### EDR discovery
+
+| Area | Current experience (based on AMA/MMA)| New experience (based on agentless machine scanning) |
+|-|-|-|
+|**What's needed to classify a resource as healthy?** | An anti-virus is in place. | An endpoint detection and response solution is in place. |
+| **What's needed to get the recommendation?** | Log Analytics agent | Agentless machine scanning |
+| **What plans are supported?** | - Foundational CSPM (free)<br/>- Defender for Servers Plan 1 and Plan 2 |- Defender CSPM<br/>- Defender for Servers Plan 2 |
+|**What fix is available?** | Install Microsoft anti-malware. | Install Defender for Endpoint on selected machines/subscriptions. |
+
+#### EDR configuration assessment
+
+| Area | Current experience (based on AMA/MMA)| New experience (based on agentless machine scanning) |
+|-|-|-|
+| Resources are classified as unhealthy if one or more of the security checks arenΓÇÖt healthy. | Three security checks:<br/>- Real time protection is off<br/>- Signatures are out of date.<br/>- Both quick scan and full scan haven't run for seven days. | Three security checks:<br/>- Anti-virus is off or partially configured<br/>- Signatures are out of date<br/>- Both quick scan and full scan haven't run for seven days. |
+| Prerequisites to get the recommendation | An anti-malware solution in place | An endpoint detection and response (EDR) solution in place. |
+
+#### Which recommendations are being deprecated?
+
+The following table summarizes the timetable for recommendations being deprecated and replaced.
+
+| Recommendation | Agent | Supported resources | Deprecation date | Replacement recommendation |
+|-|-|-|-|-|
+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MM#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health failures on virtual machine scale sets should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/e71020c2-860c-3235-cd39-04f3f8c936d2) | MMA | VMSS | August 2024 | No replacement |
+| [Endpoint protection solution should be installed on virtual machine scale sets](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/21300918-b2e3-0346-785f-c77ff57d243b) | MMA | VMSS | August 2024 | No replacement |
+| [Endpoint protection solution should be on machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/383cf3bc-fdf9-4a02-120a-3e7e36c6bfee) | MMA | Non-Azure resources (Windows)| August 2024 | No replacement |
+| [Install endpoint protection solution on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/83f577bd-a1b6-b7e1-0891-12ca19d1e6df) | MMA | Azure and non-Azure (Windows) | August 2024 | [New agentless recommendation](upcoming-changes.md#changes-in-endpoint-protection-recommendations) |
+| [Endpoint protection health issues on machines should be resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a) | MMA | Azure and non-Azure (Windows and Linux) | August 2024 | [New agentless recommendation](upcoming-changes.md#changes-in-endpoint-protection-recommendations). |
+
+The [new recommendations](upcoming-changes.md#changes-in-endpoint-protection-recommendations) experience based on agentless machine scanning will support both Windows and Linux OS across multicloud machines.
+
+#### How will the replacement work?
+
+- Current recommendations provided by the Log Analytics Agent or the AMA will be deprecated over time.
+- Some of these existing recommendations will be replaced by new recommendations based on agentless machine scanning.
+- Recommendations currently in GA will remain in place until the Log Analytics agent retires.
+- Recommendations that are currently in preview will be replaced when the new recommendation is available in preview.
+
+#### What's happening with secure score?
+
+- Recommendations that are currently in GA will continue to impact secure score.ΓÇ»
+- Current and upcoming new recommendations are located under the same Microsoft Cloud Security Benchmark control. This ensures that thereΓÇÖs no duplicate impact on secure score.
+
+#### How do I prepare for the new recommendations?
+
+- Ensure that [agentless machine scanning is enabled](enable-agentless-scanning-vms.md) as part of Defender for Servers Plan 2 or Defender CSPM.
+- If suitable for your environment, for best experience we recommend that you remove deprecated recommendations when the replacement GA recommendation becomes available. To do that, disable the recommendation in the [built-in Defender for Cloud initiative in Azure Policy](policy-reference.md).
+
+## Preparing Defender for SQL on Machines
+
+You can learn more about the [Defender for SQL Server on machines Log Analytics agent's deprecation plan](upcoming-changes.md#defender-for-sql-server-on-machines).
+
+If you're using the current Log Analytics agent/Azure Monitor agent autoprovisioning process, you should migrate to the new Azure Monitoring Agent for SQL Server on machines autoprovisioning process. The migration process is seamless and provides continuous protection for all machines.
+
+### Migrate to the SQL server-targeted AMA autoprovisioning process
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select **Microsoft Defender for Cloud**.
+1. In the Defender for Cloud menu, select **Environment settings**.
+1. Select the relevant subscription.
+1. Under the Databases plan, select **Action required**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/select-action-required.png" alt-text="Screenshot that shows where to select Action required." lightbox="media/prepare-deprecation-log-analytics-mma-agent/select-action-required.png":::
+
+1. In the pop-up window, select **Enable**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/select-enable-sql.png" alt-text="Screenshot that shows selecting enable from popup window." lightbox="media/prepare-deprecation-log-analytics-mma-agent/select-enable-sql.png":::
+
+1. Select **Save**.
+
+Once the SQL server-targeted AMA autoprovisioning process has been enabled, you should disable the Log Analytics agent/Azure Monitor agent autoprovisioning process and uninstall the MMA on all SQL servers:
+
+To disable the Log Analytics agent:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select **Microsoft Defender for Cloud**.
+1. In the Defender for Cloud menu, select **Environment settings**.
+1. Select the relevant subscription.
+1. Under the Database plan, select **Settings**.
+1. Toggle the Log Analytics agent to **Off**.
+
+ :::image type="content" source="media/prepare-deprecation-log-analytics-mma-agent/toggle-log-analytics-off.png" alt-text="Screenshot that shows toggling Log Analytics to Off." lightbox="media/prepare-deprecation-log-analytics-mma-agent/toggle-log-analytics-off.png":::
+
+1. Select **Continue**.
+1. Select **Save**.
+
+## Migration planning
+
+We recommend you plan agent migration in accordance with your business requirements. The table summarizes our guidance.
+
+| **Are you using Defender for Servers?** | **Are these Defender for Servers features required in GA: file integrity monitoring, endpoint protection recommendations, security baseline recommendations?** | **Are you using Defender for SQL servers on machines or AMA log collection?** | **Migration plan** |
+|-|-|-|-|
+| Yes | Yes | No | 1. Enable [Defender for Endpoint (MDE) integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. Wait for GA of all features with the alternative's platform (you can use preview version earlier).<br/>3. Once features are GA, disable the [Log Analytics agent](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent).
+| No | | No | You can remove the Log Analytics agent now. |
+| No | | Yes | 1. You can [migrate to SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) now.<br/>2. [Disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) Log Analytics/Azure Monitor Agent. |
+| Yes | Yes | Yes | 1. Enable [Defender for Endpoint integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. You can use the Log Analytics agent and AMA side-by-side to get all features in GA. [Learn more](auto-deploy-azure-monitoring-agent.md#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) about running agents side-by-side.<br>3. Migrate to [SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) in Defender for SQL on machines. Alternatively, start the migration from Log Analytics agent to AMA in April 2024.<br/>4. Once the migration is finished, [disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) the Log Analytics agent. |
+| Yes | No | Yes | 1. Enable [Defender for Endpoint (MDE) integration](enable-defender-for-endpoint.md) and [agentless machine scanning](enable-agentless-scanning-vms.md).<br/>2. You can migrate to [SQL autoprovisioning for AMA](defender-for-sql-autoprovisioning.md) in Defender for SQL on machines now.<br/>3. [Disable](defender-for-sql-autoprovisioning.md#disable-the-log-analytics-agentazure-monitor-agent) the Log Analytics agent. |
+
+## Next steps
+
+See the [upcoming changes for the Defender for Cloud plan and strategy for the Log Analytics agent deprecation](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).
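Review bot: The migration planning table has no row for a subscription that uses Defender for Servers, does not need the listed features in GA, and does not use Defender for SQL servers on machines or AMA log collection (Yes / No / No), so readers in that case get no guidance on when the Log Analytics agent can be removed. Add that row, and close the first row, which is missing its trailing pipe. Other points in the new article: the link `([Microsoft Defender for Endpoint (MDE))](integration-defender-for-endpoint.md)` has its closing parenthesis inside the link text; the first two rows of the deprecated-recommendations table break off after "MM" and carry two cells instead of five; "VMMS" in the OS misconfigurations row looks like a typo for the "VMSS" used in the later table; the Adaptive application controls row leaves "New support" empty without saying that there is no replacement; the text alternates between "Azure Monitoring Agent" and "Azure Monitor agent", and between "Databases plan" and "Database plan"; and the SQL section tells readers to disable autoprovisioning and uninstall the MMA on all SQL servers but gives steps only for disabling.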
defender-for-cloud Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md
Title: Release notes description: This page is updated frequently with the latest updates in Defender for Cloud. Previously updated : 01/25/2024 Last updated : 02/07/2024 # What's new in Microsoft Defender for Cloud?
To learn about *planned* changes that are coming soon to Defender for Cloud, see
If you're looking for items older than six months, you can find them in the [Archive for What's new in Microsoft Defender for Cloud](release-notes-archive.md).
+## February 2024
+
+|Date | Update |
+|-|-|
+| February 8 | [Recommendations released for preview: four recommendations for Azure Stack HCI resource type](#recommendations-released-for-preview-four-recommendations-for-azure-stack-hci-resource-type) |
+
+### Recommendations released for preview: four recommendations for Azure Stack HCI resource type
+
+February 8, 2024
+
+We have added four new recommendations for Azure Stack HCI as a new resource type that can be managed through Microsoft Defender for Cloud. These new recommendations are currently in public preview.
+
+| Recommendation | Description | Severity |
+|-|-|-|
+| [(Preview) Azure Stack HCI servers should meet Secured-core requirements](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f56c47221-b8b7-446e-9ab7-c7c9dc07f0ad)| Ensure that all Azure Stack HCI servers meet the Secured-core requirements. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
+| [(Preview) Azure Stack HCI servers should have consistently enforced application control policies](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f7384fde3-11b0-4047-acbd-b3cf3cc8ce07) | At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | High |
+| [(Preview) Azure Stack HCI systems should have encrypted volumes](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fae95f12a-b6fd-42e0-805c-6b94b86c9830) | Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | High |
+| [(Preview) Host and VM networking should be protected on Azure Stack HCI systems](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2faee306e7-80b0-46f3-814c-d3d3083ed034) | Protect data on the Azure Stack HCI hostΓÇÖs network and on virtual machine network connections. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
+
+See the [list of security recommendations](recommendations-reference.md).
+ ## January 2024 |Date | Update |
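Review bot: In the new recommendations table, all four rows now carry the same "Related policy: Guest Configuration extension should be installed on machines" link, and that link points to a GenericRecommendationDetailsBlade assessmentKey URL (a recommendation), not to a policy definition. The version removed from upcoming-changes.md had this reference on the first row only. Confirm that the same prerequisite applies to all four recommendations, and either relabel it as a related recommendation or link to the policy definition itself, as the recommendation titles in the first column do.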
defender-for-cloud Upcoming Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md
If you're looking for the latest release notes, you can find them in the [What's
| [Enforcement of Defender CSPM for Premium DevOps Security Capabilities](#enforcement-of-defender-cspm-for-premium-devops-security-value) | January 29, 2024 | March 2024 | | [Update to agentless VM scanning built-in Azure role](#update-to-agentless-vm-scanning-built-in-azure-role) |January 14, 2024 | February 2024 | | [Deprecation of two recommendations related to PCI](#deprecation-of-two-recommendations-related-to-pci) |January 14, 2024 | February 2024 |
-| [Four new recommendations for Azure Stack HCI resource type](#four-new-recommendations-for-azure-stack-hci-resource-type) | January 11, 2024 | February 2024 |
| [Defender for Servers built-in vulnerability assessment (Qualys) retirement path](#defender-for-servers-built-in-vulnerability-assessment-qualys-retirement-path) | January 9, 2024 | May 2024 | | [Retirement of the Defender for Cloud Containers Vulnerability Assessment powered by Qualys](#retirement-of-the-defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys) | January 9, 2023 | March 2024 | | [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | January 4, 2024 | February 2024 |
These public preview recommendations will be deprecated.
| Recommendation | Agent | Deprecation date | Replacement recommendation | |--|--|--|--|
-| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MMA/AMA | February 2024 | New agentless recommendations. |
-| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MMA/AMA | February 2024 | New agentless recommendations. |
+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MMA/AMA | March 2024 | New agentless recommendations. |
+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MMA/AMA | March 2024 | New agentless recommendations. |
The current generally available recommendations will remain supported until August 2024.
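Review bot: The deprecation date for the two preview recommendations moves from February 2024 to March 2024 here, but the agentless EDR recommendations listed further down the same section still carry February 2024. Confirm that the replacement dates are still current after this slip, and state whether the old and new recommendations will overlap, because the migration article added in this update says preview recommendations are replaced when the new recommendation is available in preview.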
As part of that deprecation, weΓÇÖll be introducing new agentless endpoint prote
| Endpoint Detection and Response (EDR) configuration issues should be resolved on EC2s | February 2024 | | Endpoint Detection and Response (EDR) configuration issues should be resolved on GCP virtual machines | February 2024 |
+Learn more about the [migration to the updated Endpoint protection recommendations experience](prepare-deprecation-log-analytics-mma-agent.md#endpoint-protection-recommendations-experience).
+ ## Change in pricing for multicloud container threat detection **Announcement date: January 30, 2024**
The following two recommendations related to PCI (Permission Creep Index) are se
- `Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)` - `Over-Provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)`
-## Four new recommendations for Azure Stack HCI resource type
-
-**Announcement date: January 11, 2024**
-
-**Estimated date for change: February 2024**
-
-Azure Stack HCI is set to be a new resource type that can be managed through Microsoft Defender for Cloud. We're adding four recommendations that are specific to the HCI resource type:
-
-| Recommendation | Description | Severity |
-|-|-|-|
-| Azure Stack HCI servers should meet Secured-core requirements | Ensure that all Azure Stack HCI servers meet the Secured-core requirements. (Related policy: [Guest Configuration extension should be installed on machines - Microsoft Azure](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6c99f570-2ce7-46bc-8175-cde013df43bc)) | Low |
-| Azure Stack HCI servers should have consistently enforced application control policies | At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. | High |
-| Azure Stack HCI systems should have encrypted volumes | Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems | High |
-| Host and VM networking should be protected on Azure Stack HCI systems | Protect data on the Azure Stack HCI hostΓÇÖs network and on virtual machine network connections. | Low |
- ## Defender for Servers built-in vulnerability assessment (Qualys) retirement path **Announcement date: January 9, 2024**
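Review bot: The whole "Four new recommendations for Azure Stack HCI resource type" section is deleted, including its estimated date of February 2024, and nothing in this hunk replaces it. If the four recommendations shipped, the release notes should carry them; if the plan was postponed or dropped, say so here, because readers who planned around the announced application control and volume encryption recommendations (both rated High) otherwise lose track of them on this page.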
defender-for-iot Tutorial Onboarding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-onboarding.md
Before you can start using your Defender for IoT sensor, you need to onboard you
1. In the **Add outbound allow rules** box, select the **Download endpoint details** link to download a JSON list of the endpoints you must configure as secure endpoints from your sensor.
- Save the downloaded file locally. Use the endpoints listed in the downloaded file to [later in this tutorial](#provision-for-cloud-management) to ensure that your new sensor can successfully connect to Azure.
+ Save the downloaded file locally. Use the endpoints listed in the downloaded file [later in this tutorial](#provision-for-cloud-management) to ensure that your new sensor can successfully connect to Azure.
> [!TIP] > You can also access the list of required endpoints from the **Sites and sensors** page. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).
dns Dns Alerts Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-alerts-metrics.md
- Last updated 11/30/2023
dns Dns For Azure Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-for-azure-services.md
ms.assetid: e9b5eb94-7984-4640-9930-564bb9e82b78
- Last updated 11/30/2023
dns Dns Operations Dnszones Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones-cli.md
ms.devlang: azurecli - Last updated 11/30/2023-+
dns Dns Operations Dnszones Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones-portal.md
- Last updated 11/30/2023
dns Dns Operations Dnszones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-dnszones.md
- Last updated 11/30/2023-+
Learn how to [manage record sets and records](dns-operations-recordsets.md) in y
<br> Learn how to [delegate your domain to Azure DNS](dns-domain-delegation.md). <br>
-Review the [Azure DNS PowerShell reference documentation](/powershell/module/Az.dns).
+Review the [Azure DNS PowerShell reference documentation](/powershell/module/Az.dns).
dns Dns Operations Recordsets Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-recordsets-cli.md
ms.devlang: azurecli - Last updated 11/30/2023
dns Dns Operations Recordsets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-operations-recordsets.md
- Last updated 11/30/2023
dns Dns Private Records https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-private-records.md
description: Overview of support for DNS records in Azure Private DNS.
- Last updated 02/07/2024
dns Dns Reverse Dns For Azure Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-for-azure-services.md
- Last updated 01/10/2024-+
dns Dns Reverse Dns Hosting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-hosting.md
description: Learn how to use Azure DNS to host the reverse DNS lookup zones for
- Last updated 04/27/2023
dns Dns Reverse Dns Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-reverse-dns-overview.md
- Last updated 04/27/2023
dns Dns Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-sdk.md
ms.assetid: eed99b87-f4d4-4fbf-a926-263f7e30b884
ms.devlang: csharp - Last updated 11/30/2023
dns Dns Zones Records https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-zones-records.md
ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897
- Last updated 11/21/2023
dns Tutorial Public Dns Zones Child https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/tutorial-public-dns-zones-child.md
ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897 - Last updated 11/30/2023
event-grid Ensure Tags Exists On New Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/ensure-tags-exists-on-new-virtual-machines.md
- Last updated 07/07/2020
expressroute Expressroute Locations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-locations.md
- Last updated 01/26/2024
expressroute Using Expressroute For Microsoft Pstn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/using-expressroute-for-microsoft-pstn.md
description: ExpressRoute circuits can be used for Microsoft PSTN services, inc
- Last updated 09/06/2023 - # Using ExpressRoute for routing traffic to Microsoft PSTN services
All Microsoft PSTN services supported for Microsoft Peering use the 52.120.0.0/1
[ExR-Intro]: ./expressroute-introduction.md [CreatePeering]: ./expressroute-howto-routing-portal-resource-manager.md [MGN]: https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/
-[ExRRF]: ./how-to-routefilter-portal.md
+[ExRRF]: ./how-to-routefilter-portal.md
expressroute Using Expressroute For Microsoft365 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/using-expressroute-for-microsoft365.md
- Last updated 6/30/2023 - # Using ExpressRoute for routing Microsoft 365 traffic
When you're using ExpressRoute, you can apply a route filter to Microsoft peerin
[ExRRF]: ./how-to-routefilter-portal.md [Teams]: /microsoftteams/microsoft-teams-online-call-flows [Microsoft 365-Test]: https://connectivity.office.com/
-[Microsoft 365perf]: /microsoft-365/enterprise/performance-tuning-using-baselines-and-history
+[Microsoft 365perf]: /microsoft-365/enterprise/performance-tuning-using-baselines-and-history
firewall-manager Quick Firewall Policy Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/quick-firewall-policy-terraform.md
Last updated 09/05/2023 - content_well_notifications: - AI-Contribution
firewall-manager Quick Secure Virtual Hub Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/quick-secure-virtual-hub-terraform.md
Last updated 09/05/2023 - content_well_notifications: - AI-Contribution
frontdoor Apex Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/apex-domain.md
- Last updated 02/07/2023
frontdoor Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/best-practices.md
- Last updated 02/23/2023
frontdoor Billing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/billing.md
- Last updated 12/28/2023
frontdoor Classic Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/classic-overview.md
- Last updated 08/09/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
+# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
# What is Azure Front Door (classic)?
Subscribe to the RSS feed and view the latest Azure Front Door feature updates o
## Next steps - Learn how to [create a Front Door (classic)](quickstart-create-front-door.md).-- Learn about [how Front Door (classic) works](front-door-routing-architecture.md?pivots=front-door-classic).
+- Learn about [how Front Door (classic) works](front-door-routing-architecture.md?pivots=front-door-classic).
frontdoor Create Front Door Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-bicep.md
Last updated 12/29/2023 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Create Front Door Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-portal.md
- Last updated 10/02/2023
frontdoor Create Front Door Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-powershell.md
Last updated 06/28/2022 -
frontdoor Create Front Door Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-template.md
Last updated 07/12/2022 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Create Front Door Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/create-front-door-terraform.md
Last updated 8/11/2023 - content_well_notification: - AI-contribution
frontdoor Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/domain.md
- Last updated 10/31/2023
frontdoor Edge Locations By Abbreviation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/edge-locations-by-abbreviation.md
- Last updated 06/01/2023
frontdoor Edge Locations By Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/edge-locations-by-region.md
- Last updated 05/30/2023
frontdoor End To End Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/end-to-end-tls.md
- Last updated 02/07/2023 zone_pivot_groups: front-door-tiers
frontdoor Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/endpoint.md
- Last updated 08/09/2023
frontdoor Front Door Caching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-caching.md
- Last updated 11/08/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Cdn Comparison https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-cdn-comparison.md
- Last updated 10/13/2023
frontdoor Front Door Custom Domain Https https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-custom-domain-https.md
description: In this tutorial, you learn how to enable and disable HTTPS on your
- Last updated 08/09/2023
frontdoor Front Door Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-custom-domain.md
description: In this article, you learn how to onboard a custom domain to Azure
- Last updated 04/04/2023
frontdoor Front Door Ddos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-ddos.md
- Last updated 10/23/2023
frontdoor Front Door Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-diagnostics.md
- Last updated 12/19/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Http Headers Protocol https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-http-headers-protocol.md
- Last updated 01/16/2023
frontdoor Front Door Http2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-http2.md
- Last updated 09/28/2020
frontdoor Front Door Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-overview.md
- Last updated 10/12/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
+# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.
# What is Azure Front Door?
frontdoor Front Door Quickstart Template Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-quickstart-template-samples.md
- Last updated 07/25/2023
frontdoor Front Door Route Matching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-route-matching.md
- Last updated 12/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Routing Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-routing-architecture.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
Finally, the request is forwarded to the backend.
- Learn how to [create a Front Door profile](quickstart-create-front-door.md).
frontdoor Front Door Routing Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-routing-limits.md
- Last updated 12/28/2023
frontdoor Front Door Rules Engine Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-rules-engine-actions.md
- Last updated 06/01/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Rules Engine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-rules-engine.md
Title: What is a rule set?
-description: This article provides an overview of the Azure Front Door Rule sets feature.
+description: This article provides an overview of the Azure Front Door Rule sets feature.
- Last updated 05/15/2023
frontdoor Front Door Security Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-security-headers.md
Title: 'Tutorial: Add security headers with Rules Engine - Azure Front Door'
-description: This tutorial teaches you how to configure a security header via Rules Engine on Azure Front Door
+description: This tutorial teaches you how to configure a security header via Rules Engine on Azure Front Door
- Last updated 10/05/2023
-# Customer intent: As an IT admin, I want to learn about Front Door and how to configure a security header via Rules Engine.
+# Customer intent: As an IT admin, I want to learn about Front Door and how to configure a security header via Rules Engine.
# Tutorial: Add Security headers with Rules Engine
frontdoor Front Door Traffic Acceleration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-traffic-acceleration.md
- Last updated 08/31/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Tutorial Rules Engine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-tutorial-rules-engine.md
- Last updated 06/06/2023-+ # Customer intent: As an IT admin, I want to learn about Front Door and how to configure Rules Engine feature via the Azure portal or Azure CLI.
frontdoor Front Door Url Redirect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-url-redirect.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Url Rewrite https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-url-rewrite.md
- Last updated 06/01/2023 zone_pivot_groups: front-door-tiers
frontdoor Front Door Waf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-waf.md
Title: 'Tutorial: Scale and protect a web app by using Azure Front Door and Azure Web Application Firewall (WAF)'
+ Title: 'Tutorial: Scale and protect a web app by using Azure Front Door and Azure Web Application Firewall (WAF)'
description: This tutorial shows you how to use Azure Web Application Firewall with the Azure Front Door service. - Last updated 12/28/2023
frontdoor Front Door Wildcard Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-wildcard-domain.md
Title: Support for wildcard domains
+ Title: Support for wildcard domains
description: This article helps you understand how Azure Front Door supports mapping and managing wildcard domains in the list of custom domains. - Last updated 02/07/2023 zone_pivot_groups: front-door-tiers
frontdoor Health Probes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/health-probes.md
- Last updated 05/15/2023
frontdoor Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/manager.md
- Last updated 08/09/2023
frontdoor Origin Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/origin-security.md
- Last updated 10/02/2023 zone_pivot_groups: front-door-tiers
frontdoor Origin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/origin.md
- Last updated 04/04/2023 zone_pivot_groups: front-door-tiers
frontdoor Quickstart Create Front Door Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-bicep.md
Last updated 03/30/2022 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-cli.md
- Last updated 3/28/2023 -+ ms.devlang: azurecli #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-powershell.md
Last updated 04/19/2021 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-template.md
Last updated 09/14/2020 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
frontdoor Quickstart Create Front Door Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door-terraform.md
Last updated 8/11/2023 - content_well_notification: - AI-contribution
frontdoor Quickstart Create Front Door https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/quickstart-create-front-door.md
Last updated 10/02/2023 - #Customer intent: As an IT admin, I want to manage user traffic to ensure high availability of web applications.
frontdoor Scenario Storage Blobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/scenario-storage-blobs.md
- Last updated 12/28/2023
frontdoor Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/scenarios.md
- Last updated 02/13/2023
frontdoor How To Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-add-custom-domain.md
- Last updated 09/07/2023 #Customer intent: As a website owner, I want to add a custom domain to my Front Door configuration so that my users can use my custom domain to access my content.
frontdoor How To Cache Purge Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-cache-purge-cli.md
- Last updated 09/20/2022
frontdoor How To Cache Purge Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-cache-purge-powershell.md
- Last updated 09/20/2022
frontdoor How To Configure Https Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md
- Last updated 10/31/2023
frontdoor How To Enable Private Link Internal Load Balancer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-enable-private-link-internal-load-balancer.md
In this section, you map the Private Link service to a private endpoint created
1. Select **+ Add an origin** to add new origin. Select or enter the following settings to configure the internal load balancer origin. > [!NOTE]
- > The hostname must be a valid domain name, IPv4 or IPv6. The hostname can be the private IP of the internal load balancer or a domain name. If you are using a domain name, you must have a DNS record that resolves to the private IP of the internal load balancer.
+ > The hostname must be a valid domain name, IPv4 or IPv6. The hostname can be the private IP of the internal load balancer or a domain name.
:::image type="content" source="../media/how-to-enable-private-link-internal-load-balancer/private-endpoint-internal-load-balancer-ip.png" alt-text="Screenshot of enabling private link to an internal load balancer using an IP address.":::
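Review bot: The note on the origin hostname drops the sentence "If you are using a domain name, you must have a DNS record that resolves to the private IP of the internal load balancer", yet still says the hostname can be a domain name. If the requirement no longer applies, state how a domain name is expected to resolve for a Private Link origin; if it still applies, keep the sentence, since the reader is otherwise left without guidance on the DNS record.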
frontdoor Terraform Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/terraform-samples.md
- Last updated 11/22/2022
frontdoor Troubleshoot Performance Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/troubleshoot-performance-issues.md
- Last updated 08/30/2023 #Customer intent: As a <type of user>, I want <some goal> so that <some reason>.
genomics Troubleshooting Guide Genomics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/genomics/troubleshooting-guide-genomics.md
- Last updated 10/29/2018- # Troubleshooting guide
governance Migrating From Azure Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/machine-configuration/whats-new/migrating-from-azure-automation.md
Before removing a machine from Azure Automation State Configuration, onboard eac
Azure Policy can manage the machine. The machine can be onboarded to Azure Arc at any time, but you can use Azure Automation State Configuration to automate the process.
-You can register a machine to Azure Arc-enabled servers by using PowerShell DSC. For details, view
-the page [How to install the Connected Machine agent using Windows PowerShell DSC][15]. Remember
-however, that Azure Automation State Configuration can manage only one configuration per machine,
-per Automation Account. You can export, test, and prepare your content for machine configuration,
-and then switch the node configuration in Azure Automation to onboard to Azure Arc. As the last
-step, remove the node registration from Azure Automation State Configuration and move forward only
-managing the machine state through machine configuration.
- ## Troubleshooting issues when exporting content Details about known issues are provided in this section.
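Review bot: The removed paragraph was the only text in this hunk that said how to onboard through PowerShell DSC and that Azure Automation State Configuration can manage only one configuration per machine, per Automation Account. The sentence kept above it still says "you can use Azure Automation State Configuration to automate the process", which now has no instructions or link behind it. Either drop that clause as well or keep a pointer and the one-configuration caveat.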
When using PowerShell on macOS and Linux, you may have issues dealing with the f
`Export-AzAutomationDSCConfiguration`. As a workaround, a module has been published to the PowerShell Gallery named
-[AADSCConfigContent][16]. The module has only one command, which exports the content of a
+[AADSCConfigContent][15]. The module has only one command, which exports the content of a
configuration stored in Azure Automation by making a REST request to the service. ## Next steps -- [Develop a custom machine configuration package][17].-- Use the **GuestConfiguration** module to [create an Azure Policy definition][19] for at-scale
+- [Develop a custom machine configuration package][16].
+- Use the **GuestConfiguration** module to [create an Azure Policy definition][18] for at-scale
management of your environment. - [Assign your custom policy definition][20] using Azure portal. - Learn how to view [compliance details for machine configuration][21] policy assignments.
configuration stored in Azure Automation by making a REST request to the service
[12]: ../../policy/assign-policy-portal.md [13]: /azure/automation/automation-dsc-onboarding#enable-physicalvirtual-linux-machines [14]: /azure/azure-arc/servers/overview
-[15]: /azure/azure-arc/servers/onboard-dsc
-[16]: https://www.powershellgallery.com/packages/AADSCConfigContent/
-[17]: ../how-to/develop-custom-package/overview.md
-[19]: ../how-to/create-policy-definition.md
-[20]: ../../policy/assign-policy-portal.md
-[21]: ../../policy/how-to/determine-non-compliance.md
+[15]: https://www.powershellgallery.com/packages/AADSCConfigContent/
+[16]: ../how-to/develop-custom-package/overview.md
+[17]: ../how-to/create-policy-definition.md
+[18]: ../../policy/assign-policy-portal.md
+[19]: ../../policy/how-to/determine-non-compliance.md
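Review bot: The reference renumbering does not line up with the link text. "create an Azure Policy definition" now cites [18], but [18] is defined here as `../../policy/assign-policy-portal.md`; the create-policy-definition target is [17]. The unchanged bullets in the previous hunk still cite [20] and [21], whose definitions are removed here, so "Assign your custom policy definition" and "compliance details for machine configuration" become dangling references. Suggest [17] for the policy definition bullet, [18] for assignment and [19] for compliance details.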
governance Scope https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/scope.md
the definition location to target for assignment. The [resources covered by Azur
If the definition location is a: -- **Subscription** - Only resources within that subscription can be assigned the policy definition.-- **Management group** - Only resources within child management groups and child subscriptions can
+- **Subscription** - The subscription where policy is defined and resources within that subscription can be assigned the policy definition.
+- **Management group** - The management group where the policy is defined and resources within child management groups and child subscriptions can
be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.
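Review bot: Dropping "Only" from both bullets turns a restriction into a description, so the text no longer says that resources outside the definition location cannot be assigned the definition; if that limit still holds, keep it explicit. The subscription bullet also reads "where policy is defined" while the management group bullet reads "where the policy is defined"; use the article in both.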
governance Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/index.md
Azure:
- [Microsoft cloud security benchmark](./azure-security-benchmark.md) - [Microsoft Cloud for Sovereignty Confidential](./mcfs-baseline-confidential.md) - [Microsoft Cloud for Sovereignty Global](./mcfs-baseline-global.md)-- [New Zealand ISM Restricted](./new-zealand-ism.md)-- [New Zealand ISM Restricted 3.5](./nz-ism-restricted-3-5.md) - [NIST SP 800-53 Rev. 4](./nist-sp-800-53-r4.md) - [NIST SP 800-53 Rev. 5](./nist-sp-800-53-r5.md) - [NIST SP 800-171 R2](./nist-sp-800-171-r2.md)
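Review bot: Both New Zealand entries are removed from the index, `./new-zealand-ism.md` and `./nz-ism-restricted-3-5.md`. Make sure each article is actually deleted or redirected in the same change: an entry removed for an article that stays published leaves it unreachable from this list, and a deleted article without a redirect breaks inbound links.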
governance New Zealand Ism https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/new-zealand-ism.md
- Title: Regulatory Compliance details for New Zealand ISM Restricted
-description: Details of the New Zealand ISM Restricted Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 01/22/2024---
-# Details of the New Zealand ISM Restricted Regulatory Compliance built-in initiative
-
-The following article details how the Azure Policy Regulatory Compliance built-in initiative
-definition maps to **compliance domains** and **controls** in New Zealand ISM Restricted.
-For more information about this compliance standard, see
-[New Zealand ISM Restricted](https://www.nzism.gcsb.govt.nz/ism-document). To understand
-_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
-[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
-
-The following mappings are to the **New Zealand ISM Restricted** controls. Many of the controls
-are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
-initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **New Zealand ISM Restricted** Regulatory Compliance built-in
-initiative definition.
-
-> [!IMPORTANT]
-> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
-> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
-> control; however, there often is not a one-to-one or complete match between a control and one or
-> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
-> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
-> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
-> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
-> overall compliance status. The associations between compliance domains, controls, and Azure Policy
-> definitions for this compliance standard may change over time. To view the change history, see the
-> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/nz_ism.json).
-
-## Information security monitoring
-
-### 6.2.5 Conducting vulnerability assessments
-
-**ID**: NZISM Security Benchmark ISM-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
-
-### 6.2.6 Resolving vulnerabilities
-
-**ID**: NZISM Security Benchmark ISM-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
-|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
-|[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) |
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-
-### 6.4.5 Availability requirements
-
-**ID**: NZISM Security Benchmark ISM-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
-
-## Physical Security
-
-### 8.3.5 Network infrastructure in unsecure areas
-
-**ID**: NZISM Security Benchmark PS-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
-|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
-
-## Infrastructure
-
-### 10.8.35 Security Architecture
-
-**ID**: NZISM Security Benchmark INF-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
-|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
-|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) |
-|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |
-|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) |
-|[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit_v2.json) |
-|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
-|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
-|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint connections on Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F009a0c92-f5b4-4776-9b66-4ed2b4775563) |Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at [https://docs.microsoft.com/azure/batch/private-connectivity](../../../batch/private-connectivity.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json) |
-|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
-|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
-|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
-|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](../../../virtual-machines/linux/image-builder-networking.md#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
-
-## Product Security
-
-### 12.4.4 Patching vulnerabilities in products
-
-**ID**: NZISM Security Benchmark PRS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
-|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
-
-## Software security
-
-### 14.1.8 Developing hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
-|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
-|[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
-
-### 14.1.9 Maintaining hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |
-|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
-|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
-|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
-|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
-|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
-|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
-|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
-|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
-|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) |
-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
-
-### 14.2.4 Application Whitelisting
-
-**ID**: NZISM Security Benchmark SS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
-|[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) |
-
-### 14.5.8 Web applications
-
-**ID**: NZISM Security Benchmark SS-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
-
-## Access Control and Passwords
-
-### 16.1.32 System User Identitfication
-
-**ID**: NZISM Security Benchmark AC-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
-|[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
-|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
-
-### 16.1.35 Methods for system user identification and authentication
-
-**ID**: NZISM Security Benchmark AC-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with read permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithReadPermissions_Audit.json) |
-
-### 16.1.40 Password selection policy
-
-**ID**: NZISM Security Benchmark AC-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
-|[Windows machines should meet requirements for 'Security Settings - Account Policies'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff2143251-70de-4e81-87a8-36cee5a2f29d) |Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecuritySettingsAccountPolicies_AINE.json) |
-
-### 16.1.46 Suspension of access
-
-**ID**: NZISM Security Benchmark AC-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
-|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-
-### 16.3.5 Use of Privileged Accounts
-
-**ID**: NZISM Security Benchmark AC-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-
-### 16.4.30 Privileged Access Management
-
-**ID**: NZISM Security Benchmark AC-11
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |
-|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |
-|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
-|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |
-|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |
-|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
-
-### 16.5.10 Authentication
-
-**ID**: NZISM Security Benchmark AC-13
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-
-### 16.6.9 Events to be logged
-
-**ID**: NZISM Security Benchmark AC-17
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have resource logs enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
-|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) |
-|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
-
-## Cryptography
-
-### 17.1.45 Data Recovery
-
-**ID**: NZISM Security Benchmark CR-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |
-|[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
-
-### 17.1.46 Reducing storage and physical transfer requirements
-
-**ID**: NZISM Security Benchmark CR-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
-|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |
-|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
-|[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncrypted_Deny.json) |
-|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) |
-|[Storage accounts should use customer-managed key for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) |
-|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
-
-### 17.4.16 Using TLS
-
-**ID**: NZISM Security Benchmark CR-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
-|[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. |AuditIfNotExists, Disabled |[4.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
-
-### 17.5.7 Authentication mechanisms
-
-**ID**: NZISM Security Benchmark CR-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
-
-### 17.9.25 Contents of KMPs
-
-**ID**: NZISM Security Benchmark CR-14
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-
-## Network security
-
-### 18.3.19 Content of a Denial of Service (DoS) response plan
-
-**ID**: NZISM Security Benchmark NS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure DDoS Protection should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
-
-### 18.4.8 IDS/IPSs on gateways
-
-**ID**: NZISM Security Benchmark NS-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12430be1-6cc8-4527-a9a8-e3d38f250096) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F425bea59-a659-4cbb-8d31-34499bd030b8) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) |
-
-## Gateway security
-
-### 19.1.11 Using Gateways
-
-**ID**: NZISM Security Benchmark GS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1817ec0-a368-432a-8057-8371e17ac6ee) |Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditNamespaceAccessRules_Audit.json) |
-|[Azure Key Vault Managed HSM should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc39ba22d-4428-4149-b981-70acb31fc383) |Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) |
-|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
-|[Public network access on Azure SQL Database should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
-|[Storage account keys should not be expired](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F044985bb-afe1-42cd-8a36-9d5d42424537) |Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json) |
-
-### 19.1.12 Configuration of Gateways
-
-**ID**: NZISM Security Benchmark GS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
-|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
-|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
-|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
-
-### 19.1.23 Testing of Gateways
-
-**ID**: NZISM Security Benchmark GS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-
-## Data management
-
-### 20.4.4 Database files
-
-**ID**: NZISM Security Benchmark DM-6
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-
-## Next steps
-
-Additional articles about Azure Policy:
--- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview.-- See the [initiative definition structure](../concepts/initiative-definition-structure.md).-- Review other examples at [Azure Policy samples](./index.md).-- Review [Understanding policy effects](../concepts/effects.md).-- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
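Review bot: every line shown in this hunk is a removal, from the customer-managed key rows down to the Next steps list, so the control-to-policy mappings for sections such as 17.4.16 Using TLS, 19.1.11 Using Gateways and 20.4.4 Database files disappear with nothing added in their place here. If the article is being retired, add a redirect to whatever replaces it and update pages that link to these section anchors. If the tables are regenerated elsewhere, fix the two links whose URL includes a trailing comma (`https://aka.ms/disksse,` in the virtual machine disk encryption row and `https://aka.ms/acr/privatelink,` in the container registry network access row), and put each Next steps bullet on its own line rather than running them together with `.--`.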
governance Nz Ism Restricted 3 5 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nz-ism-restricted-3-5.md
- Title: Regulatory Compliance details for NZ ISM Restricted v3.5
-description: Details of the NZ ISM Restricted v3.5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 01/22/2024---
-# Details of the NZ ISM Restricted v3.5 Regulatory Compliance built-in initiative
-
-The following article details how the Azure Policy Regulatory Compliance built-in initiative
-definition maps to **compliance domains** and **controls** in NZ ISM Restricted v3.5.
-For more information about this compliance standard, see
-[NZ ISM Restricted v3.5](https://www.nzism.gcsb.govt.nz/ism-document). To understand
-_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
-[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
-
-The following mappings are to the **NZ ISM Restricted v3.5** controls. Many of the controls
-are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
-initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **New Zealand ISM Restricted v3.5** Regulatory Compliance built-in
-initiative definition.
-
-> [!IMPORTANT]
-> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
-> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
-> control; however, there often is not a one-to-one or complete match between a control and one or
-> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
-> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
-> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
-> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
-> overall compliance status. The associations between compliance domains, controls, and Azure Policy
-> definitions for this compliance standard may change over time. To view the change history, see the
-> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NZ_ISM_Restricted_v3_5.json).
-
-## Access Control and Passwords
-
-### 16.4.30 Privileged Access Management
-
-**ID**: NZISM Security Benchmark AC-11
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |
-|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |
-|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |
-|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |
-|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |
-|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
-
-### 16.5.10 Authentication
-
-**ID**: NZISM Security Benchmark AC-13
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-
-### 16.6.8 Logging Requirements
-
-**ID**: NZISM Security Benchmark AC-17
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) |
-
-### 16.6.9 Events to be logged
-
-**ID**: NZISM Security Benchmark AC-18
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have resource logs enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) |
-|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Disconnections should be logged for PostgreSQL database servers.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e446) |This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogDisconnections_Audit.json) |
-|[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) |
-|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) |
-|[Log connections should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb6f77b9-bd53-4e35-a23d-7f65d5f0e442) |This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableLogConnections_Audit.json) |
-|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Kubernetes Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F245fc9df-fa96-4414-9a0b-3738c2f7341c) |Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Kubernetes_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
-|[Resource logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
-|[SQL servers with auditing to storage account destination should be configured with 90 days retention or higher](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F89099bee-89e0-4b26-a5f4-165451757743) |For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json) |
-
-### 16.6.12 Event log protection
-
-**ID**: NZISM Security Benchmark AC-19
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Storage account containing the container with activity logs must be encrypted with BYOK](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffbb99e8e-e444-4da0-9ff1-75c92f5a85b2) |This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here [https://aka.ms/azurestoragebyok](https://aka.ms/azurestoragebyok). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_StorageAccountBYOK_Audit.json) |
-
-### 16.1.32 System User Identitfication
-
-**ID**: NZISM Security Benchmark AC-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
-|[Function apps should use managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
-|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
-
-### 16.1.35 Methods for system user identification and authentication
-
-**ID**: NZISM Security Benchmark AC-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Accounts with read permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithReadPermissions_Audit.json) |
-
-### 16.1.46 Suspension of access
-
-**ID**: NZISM Security Benchmark AC-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |
-|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |
-
-### 16.3.5 Use of Privileged Accounts
-
-**ID**: NZISM Security Benchmark AC-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-
-## Cryptography
-
-### 17.5.7 Authentication mechanisms
-
-**ID**: NZISM Security Benchmark CR-10
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
-
-### 17.9.25 Contents of KMPs
-
-**ID**: NZISM Security Benchmark CR-15
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
-|[Key Vault keys should have an expiration date](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0) |Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ExpirationSet.json) |
-|[Key Vault secrets should have an expiration date](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98728c90-32c7-4049-8429-847dc0f4fe37) |Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ExpirationSet.json) |
-|[PostgreSQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
-
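Review bot: in the removed table under 17.9.25 Contents of KMPs (CR-15), the first row maps "IP Forwarding on your virtual machine should be disabled" to a key management plan control, while the other three rows (Key Vault key expiration, Key Vault secret expiration, PostgreSQL customer-managed keys) are about key lifecycle. If this mapping is being regenerated or moved rather than dropped, check that row against the NZ_ISM_Restricted_v3_5.json initiative definition before carrying it over. The commit message should also say where the NZISM Restricted v3.5 control list now lives, so readers who relied on it can find the replacement.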
-### 17.1.52 Data Recovery
-
-**ID**: NZISM Security Benchmark CR-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Key vaults should have deletion protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |
-|[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
-
-### 17.1.53 Reducing storage and physical transfer requirements
-
-**ID**: NZISM Security Benchmark CR-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
-|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
-|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |
-|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
-|[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
-|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
-|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncrypted_Deny.json) |
-|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) |
-|[Storage accounts should use customer-managed key for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) |
-|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
-
-### 17.2.24 Using RSA
-
-**ID**: NZISM Security Benchmark CR-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Certificates using RSA cryptography should have the specified minimum key size](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcee51871-e572-4576-855c-047c820360f0) |Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |audit, Audit, deny, Deny, disabled, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json) |
-
-### 17.4.16 Using TLS
-
-**ID**: NZISM Security Benchmark CR-8
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
-|[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. |AuditIfNotExists, Disabled |[4.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
-
-## Gateway security
-
-### 19.1.11 Using Gateways
-
-**ID**: NZISM Security Benchmark GS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1817ec0-a368-432a-8057-8371e17ac6ee) |Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditNamespaceAccessRules_Audit.json) |
-|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
-|[Azure Key Vault Managed HSM should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc39ba22d-4428-4149-b981-70acb31fc383) |Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_Recoverable_Audit.json) |
-|[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
-|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
-|[Non-internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb91dfba-c30d-4263-9add-9c2384e659a6) |Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) |
-|[Public network access on Azure SQL Database should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) |
-|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
-|[Storage account keys should not be expired](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F044985bb-afe1-42cd-8a36-9d5d42424537) |Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountKeysExpired_Restrict.json) |
-
-### 19.1.12 Configuration of Gateways
-
-**ID**: NZISM Security Benchmark GS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
-|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
-|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/privatelink,](https://aka.ms/acr/privatelink,) [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) |
-|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
-|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
-
-### 19.1.23 Testing of Gateways
-
-**ID**: NZISM Security Benchmark GS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-
-## Infrastructure
-
-### 10.8.35 Security Architecture
-
-**ID**: NZISM Security Benchmark INF-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
-|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
-|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) |
-|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |
-|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) |
-|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) |
-|[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) |
-|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
-|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
-|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint connections on Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F009a0c92-f5b4-4776-9b66-4ed2b4775563) |Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at [https://docs.microsoft.com/azure/batch/private-connectivity](../../../batch/private-connectivity.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_PrivateEndpoints_AuditIfNotExists.json) |
-|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
-|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
-|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
-|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](../../../virtual-machines/linux/image-builder-networking.md#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
-
-## Information Security Incidents
-
-### 7.1.7 Preventing and detecting information security incidents
-
-**ID**: NZISM Security Benchmark ISI-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
-|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
-|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
-|[Azure Defender for open-source relational databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a9fbe0d-c5c4-4da8-87d8-f4fd77338835) |Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at [https://aka.ms/AzDforOpenSourceDBsDocu](https://aka.ms/AzDforOpenSourceDBsDocu). Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnOpenSourceRelationalDatabases_Audit.json) |
-|[Azure Defender for Resource Manager should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3d20c29-b36d-48fe-808b-99a87530ad99) |Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at [https://aka.ms/defender-for-resource-manager](https://aka.ms/defender-for-resource-manager) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnResourceManager_Audit.json) |
-|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
-|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
-|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) |
-|[Microsoft Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F640d2586-54d2-465f-877f-9ffc1d2109f4) |Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_Microsoft_Defender_For_Storage_Full_Audit.json) |
-
-## Information security monitoring
-
-### 6.2.5 Conducting vulnerability assessments
-
-**ID**: NZISM Security Benchmark ISM-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
-
-### 6.2.6 Resolving vulnerabilities
-
-**ID**: NZISM Security Benchmark ISM-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
-|[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) |
-|[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) |
-|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) |
-|[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
-|[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) |
-|[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) |
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-
-### 6.4.5 Availability requirements
-
-**ID**: NZISM Security Benchmark ISM-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) |Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) |
-
-## Network security
-
-### 18.3.19 Content of a Denial of Service (DoS) response plan
-
-**ID**: NZISM Security Benchmark NS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure DDoS Protection should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
-
-### 18.4.7 Intrusion Detection and Prevention strategy (IDS/IPS)
-
-**ID**: NZISM Security Benchmark NS-7
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Connection throttling should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5345bb39-67dc-4960-a1bf-427e16b9a0bd) |This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_ConnectionThrottling_Enabled_Audit.json) |
-
-### 18.4.8 IDS/IPSs on gateways
-
-**ID**: NZISM Security Benchmark NS-8
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |
-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12430be1-6cc8-4527-a9a8-e3d38f250096) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayMode_Audit.json) |
-|[Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F425bea59-a659-4cbb-8d31-34499bd030b8) |Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Mode_Audit.json) |
-
-## Product Security
-
-### 12.4.4 Patching vulnerabilities in products
-
-**ID**: NZISM Security Benchmark PRS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
-|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
-
-## Physical Security
-
-### 8.3.5 Network infrastructure in unsecure areas
-
-**ID**: NZISM Security Benchmark PS-4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
-|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
-
-## Software security
-
-### 14.1.8 Developing hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
-|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
-|[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
-
-### 14.1.9 Maintaining hardened SOEs
-
-**ID**: NZISM Security Benchmark SS-3
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Azure API for FHIR should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1ee56206-5dd1-42ab-b02d-8aae8b1634ce) |Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: [https://aka.ms/fhir-privatelink](https://aka.ms/fhir-privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_PrivateLink_Audit.json) |
-|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](../../../security-center/security-center-services.md#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](../../../security-center/security-center-endpoint-protection.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssues_Audit.json) |
-|[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) |
-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
-|[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) |
-|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
-|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
-|[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) |
-|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
-|[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) |
-|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[7.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |
-|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |
-|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) |
-|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
-|[Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd26f7642-7545-4e18-9b75-8c9bbdee3a9a) |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol) |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) |
-|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
-
-### 14.2.4 Application Whitelisting
-
-**ID**: NZISM Security Benchmark SS-5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
-|[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) |
-
-### 14.5.8 Web applications
-
-**ID**: NZISM Security Benchmark SS-9
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[\[Deprecated\]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. |Audit, Disabled |[3.1.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) |
-|[App Service apps should have authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95bccee9-a7f8-4bec-9ee9-62c3473701fc) |Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json) |
-|[App Service apps should have Client Certificates (Incoming client certificates) enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F19dd1db6-f442-49cf-a838-b0786b4401ef) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ClientCert_Webapp_Audit.json) |
-|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c122334-9d20-4eb8-89ea-ac9a705b74ae) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) |
-|[Function apps should have authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc75248c1-ea1d-4a9c-8fc9-29a6aabd5da8) |Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json) |
-|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
-|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) |
-
-## Next steps
-
-Additional articles about Azure Policy:
--- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview.-- See the [initiative definition structure](../concepts/initiative-definition-structure.md).-- Review other examples at [Azure Policy samples](./index.md).-- Review [Understanding policy effects](../concepts/effects.md).-- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
guides Azure Operations Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/guides/operations/azure-operations-guide.md
tags: azure-resource-manager
- Last updated 12/03/2023
iot-central Overview Iot Central https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/overview-iot-central.md
The web UI lets you quickly connect devices, monitor device conditions, create r
This article provides an overview of the features of Azure IoT Central.
+## Pricing
+
+Applications you create using the *standard* plan are billed on a per device basis, you can choose either **Standard 0**, **Standard 1**, or **Standard 2** pricing plan with the first two devices being free. Learn more about [IoT Central pricing](https://azure.microsoft.com/pricing/details/iot-central/).
+ ## Create an IoT Central application You can quickly deploy a new IoT Central application and then customize it to your specific requirements. Application templates in Azure IoT Central are a tool to help you kickstart your IoT solution development. You can use application templates for everything from getting a feel for what is possible, to fully customizing your application to fit your scenario.
Build IoT solutions such as:
IoT Central applications are fully hosted by Microsoft, which reduces the administration overhead of managing your applications. Administrators manage access to your application with [user roles and permissions](howto-administer.md) and track activity by using [audit logs](howto-use-audit-logs.md).
-## Pricing
-
-Applications you create using the *standard* plan are billed on a per device basis, you can choose either **Standard 0**, **Standard 1**, or **Standard 2** pricing plan with the first two devices being free. Learn more about [IoT Central pricing](https://azure.microsoft.com/pricing/details/iot-central/).
- ## User roles The IoT Central documentation refers to four user roles that interact with an IoT Central application:
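Review bot: The relocated Pricing paragraph carries its comma splice with it: "billed on a per device basis, you can choose either ..." should be two sentences, with "per-device" hyphenated. The trailing clause "with the first two devices being free" also leaves it unclear whether the free devices apply to each of Standard 0, Standard 1 and Standard 2. Since the section now sits directly under the overview introduction, ahead of "Create an IoT Central application", it is worth fixing the wording as part of the move rather than moving it verbatim.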
iot-develop Quickstart Devkit Microchip Atsame54 Xpro https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-microchip-atsame54-xpro.md
In this quickstart, you built a custom image that contains Azure RTOS sample cod
As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
-> [!div class="nextstepaction"]
-> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
> [!div class="nextstepaction"] > [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
iot-develop Quickstart Devkit Mxchip Az3166 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-mxchip-az3166.md
As a next step, explore the following articles to learn more about using the IoT
> [!div class="nextstepaction"] > [Connect an MXCHIP AZ3166 devkit to IoT Hub](quickstart-devkit-mxchip-az3166-iot-hub.md) > [!div class="nextstepaction"]
-> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
-> [!div class="nextstepaction"]
> [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md) > [!IMPORTANT]
iot-develop Quickstart Devkit Nxp Mimxrt1060 Evk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-nxp-mimxrt1060-evk.md
In this quickstart, you built a custom image that contains Azure RTOS sample cod
As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
-> [!div class="nextstepaction"]
-> [Connect a device to IoT Central](quickstart-send-telemetry-central.md)
> [!div class="nextstepaction"] > [Connect a device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
iot-develop Quickstart Devkit Renesas Rx65n Cloud Kit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-renesas-rx65n-cloud-kit.md
In this quickstart, you built a custom image that contains Azure RTOS sample cod
As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
-> [!div class="nextstepaction"]
-> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
> [!div class="nextstepaction"] > [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
iot-develop Quickstart Devkit Stm B L475e https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-stm-b-l475e.md
In this quickstart, you built a custom image that contains Azure RTOS sample cod
As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
-> [!div class="nextstepaction"]
-> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
> [!div class="nextstepaction"] > [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
iot-develop Quickstart Devkit Stm B L4s5i https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-devkit-stm-b-l4s5i.md
In this quickstart, you built a custom image that contains Azure RTOS sample cod
As a next step, explore the following articles to learn more about using the IoT device SDKs to connect devices to Azure IoT.
-> [!div class="nextstepaction"]
-> [Connect a simulated device to IoT Central](quickstart-send-telemetry-central.md)
> [!div class="nextstepaction"] > [Connect a simulated device to IoT Hub](quickstart-send-telemetry-iot-hub.md)
iot-develop Quickstart Send Telemetry Central https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-develop/quickstart-send-telemetry-central.md
- Title: Quickstart - connect a device and send telemetry to Azure IoT Central
-description: "This quickstart shows device developers how to connect a device securely to Azure IoT Central. You use an Azure IoT device SDK for C, C#, Python, Node.js, or Java, to build a device client for Windows, Linux, or Raspberry Pi (Raspbian). Then you connect and send telemetry."
---- Previously updated : 1/23/2024-
-zone_pivot_groups: iot-develop-set1
-
-#Customer intent: As a device application developer, I want to learn the basic workflow of using an Azure IoT device SDK to build a client app on a device, connect the device securely to Azure IoT Central, and send telemetry.
--
-# Quickstart: Send telemetry from a device to Azure IoT Central
-
-**Applies to**: [General device developers](about-iot-develop.md#general-device-development)
----------------
-## View telemetry
-After the device connects to IoT Central, it begins sending telemetry. You can view the telemetry and other details about connected devices in IoT Central.
-
-In IoT Central, select **Devices**, select your device name, then select the **Overview** tab. This view displays a graph of the temperatures from the two thermostat devices.
--
-Select the **Raw data** tab. This view displays the telemetry each time a thermostat reading is sent.
--
-Your device is now securely connected and sending telemetry to Azure IoT.
-
-## Clean up resources
-If you no longer need the IoT Central resources created in this quickstart, you can delete them. Optionally, if you plan to continue following the documentation in this guide, you can keep the application you created and reuse it for other samples.
-
-To remove the Azure IoT Central sample application and all its devices and resources:
-1. Select **Administration** > **Your application**.
-1. Select **Delete**.
-
-## Next steps
-
-In this quickstart, you learned a basic Azure IoT application workflow for securely connecting a device to the cloud and sending device-to-cloud telemetry. You used Azure IoT Central to create an application and a device instance. Then you used an Azure IoT device SDK to create a temperature controller, connect to IoT Central, and send telemetry. You also used IoT Central to monitor the telemetry.
-
-As a next step, explore the following articles to learn more about building device solutions with Azure IoT.
-
-> [!div class="nextstepaction"]
-> [Send telemetry to Azure IoT hub](./quickstart-send-telemetry-iot-hub.md)
-> [!div class="nextstepaction"]
-> [Create an IoT Central application](../iot-central/core/quick-deploy-iot-central.md)
iot-dps Concepts Deploy At Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/concepts-deploy-at-scale.md
Previously updated : 06/27/2022 Last updated : 01/26/2024 # Best practices for large-scale IoT device deployments
-Scaling an IoT solution to millions of devices can be challenging. Large-scale solutions often need to be designed in accordance with service and subscription limits. When customers use Azure IoT Device Provisioning Service, they use it in combination with other Azure IoT platform services and components, such as IoT Hub and Azure IoT device SDKs. This article describes best practices, patterns, and sample code you can incorporate in your design to take advantage of these services and allow your deployments to scale out. By following these simple patterns and practices right from the design phase of the project, you can maximize the performance of your IoT devices.
+Scaling an IoT solution to millions of devices can be challenging. Large-scale solutions often need to be designed in accordance with service and subscription limits. When customers use Azure IoT Device Provisioning Service, they use it in combination with other Azure IoT platform services and components, such as IoT Hub and Azure IoT device SDKs. This article describes best practices, patterns, and sample code you can incorporate in your design to take advantage of these services and allow your deployments to scale out. By following these patterns and practices starting from the design phase of the project, you can maximize the performance of your IoT devices.
-## First-time device provisioning
+## Provision new devices
First-time provisioning is the process of onboarding a device for the first time as a part of an IoT solution. When working with large-scale deployments, it's important to schedule the provisioning process to avoid overload situations caused by all the devices attempting to connect at the same time.
-### Device deployment using a staggered provisioning schedule
+### Use a staggered provisioning schedule
-For deployment of devices in the scale of millions, registering all the devices at once may result in the DPS instance being overwhelmed due to throttling (HTTP response code `429, Too Many Requests`) and a failure to register your devices. To prevent such throttling, you should use a staggered registration schedule for the devices. The recommended batch size should be in accordance with DPS [quotas and limits](about-iot-dps.md#quotas-and-limits). For instance, if the registration rate is 200 devices per minute, the batch size for onboarding would be 200 devices per batch.
+For deployment of devices in the scale of millions, registering all the devices at once may result in the DPS instance being overwhelmed due to throttling (HTTP response code `429, Too Many Requests`) and a failure to register your devices. To prevent such throttling, use a staggered registration schedule for the devices. Configure your device registration batch sizes in accordance with DPS [quotas and limits](about-iot-dps.md#quotas-and-limits). For instance, if the registration rate is 200 devices per minute, the batch size for onboarding would be 200 devices per batch.
-### Timing logic when retrying operations
+### Retry operations
-If transient faults occur due to a service being busy, a retry logic enables devices to successfully connect to the IoT cloud. However, a large number of retries could further degrade a busy service that's running close to or at its capacity. As with any Azure service, you should implement an intelligent retry mechanism with exponential backoff. More information on different retry patterns can be found in [the Retry design pattern](/azure/architecture/patterns/retry) and [transient fault handling](/azure/architecture/best-practices/transient-faults).
+If transient faults occur due to a service being busy, retry logic enables devices to successfully connect to the IoT cloud. However, a large number of retries could further degrade a busy service that's running close to or at its capacity. As with any Azure service, you should implement an intelligent retry mechanism with exponential backoff. More information on different retry patterns can be found in [the retry design pattern](/azure/architecture/patterns/retry) and [transient fault handling](/azure/architecture/best-practices/transient-faults).
-Rather than immediately retrying a deployment when throttled, you should wait until the time specified in the `retry-after` header. If there's no retry header available from the service, this algorithm can help achieve a smoother device onboarding experience:
+Rather than immediately retrying a deployment when throttled, wait until the time specified in the `retry-after` header. If there's no retry header available from the service, this algorithm can help achieve a smoother device onboarding experience:
```console min_retry_delay_msec = 1000
max_retry_delay_msec = (1.0 / <load>) * <T> * 1000
max_random_jitter_msec = max_retry_delay_msec ```
-Where `<load>` is a configurable factor with values > 0 (indicates that the load will perform at an average of load time multiplied by the number of connections per second) and `<T>` is the absolute minimum time to cold boot the devices (calculated as `T = N / cps` where `N` is the total number of devices and `cps` is the service limit for number of connections per second). In this case, devices should delay reconnecting for a random amount of time, between `min_retry_delay_msec` and `max_retry_delay_msec`.
+With this logic, devices delay reconnecting for a random amount of time, between `min_retry_delay_msec` and `max_retry_delay_msec`. The maximum retry delay is calculated with the following variables:
+
+* `<load>` is a configurable factor with values > 0, which indicates that the load will perform at an average of load time multiplied by the number of connections per second
+* `<T>` is the absolute minimum time to cold boot the devices (calculated as `T = N / cps` where `N` is the total number of devices and `cps` is the service limit for number of connections per second).
For more information on the timing of retry operations, see [Retry timing](https://github.com/Azure/azure-sdk-for-c/blob/main/sdk/docs/iot/mqtt_state_machine.md#retry-timing).
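Review bot: The new `<load>` bullet keeps the old wording "indicates that the load will perform at an average of load time multiplied by the number of connections per second", which still doesn't tell the reader how to choose a value. Suggest rewording it in terms of the formula, for example that a larger `<load>` shortens `max_retry_delay_msec`. The same bullet is missing the closing period that the `<T>` bullet has, and the rewritten lead sentence covers `min_retry_delay_msec` and `max_retry_delay_msec` but never says how `max_random_jitter_msec` from the console block is used.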
-## Reprovisioning devices
+## Reprovision devices
-Reprovisioning is the process where the device needs to be provisioned to an IoT Hub after having been successfully connected previously. There can be many reasons that result in a need for device to reconnect to an IoT Hub, such as:
+Reprovisioning is the process where a device needs to be provisioned to an IoT Hub after having been successfully connected previously. There can be many reasons that result in a need for a device to reconnect to an IoT Hub, such as:
-- A device could reboot due to power outage, loss in network connectivity, geo-relocation, firmware updates, factory reset, or certificate key rotation.-- The IoT Hub instance could be unavailable due to an unplanned IoT Hub outage.
+* A device could reboot due to power outage, loss in network connectivity, geo-relocation, firmware updates, factory reset, or certificate key rotation.
+* The IoT Hub instance could be unavailable due to an unplanned IoT Hub outage.
-You shouldn't need to provision every time the device reboots. Most devices that are reprovisioned end up connected to the same IoT hub in most scenarios. Instead, the device should attempt to directly connect to its IoT hub using the information that was cached from a previous successful connection.
+You shouldn't need to go through the provisioning process every time a device reboots. Most devices that are reprovisioned end up connected to the same IoT hub. Instead, a device should attempt to connect to its IoT hub directly using the information that was cached from a previous successful connection.
### Devices that can store a connection string
-If the devices have the ability to store the connection string to the previously provisioned and connected IoT Hub, use the same string to skip the entire reprovisioning process and directly connect to the IoT Hub. This reduces the latency in successfully connecting to the appropriate IoT Hub. There are two possible cases here:
+Devices that have the ability to store their connection string after initial provisioning should do so and attempt to reconnect directly to IoT Hub after reboot. This pattern reduces the latency in successfully connecting to the appropriate IoT Hub. There are two possible cases here:
-- The IoT Hub to connect upon device reboot is the same as the previously connected IoT Hub.
+* The IoT Hub to connect upon device reboot is the same as the previously connected IoT Hub.
- The connection string retrieved from the cache should work fine and the device must attempt to reconnect to the same endpoint. No need for a fresh start for the provisioning process.
+ The connection string retrieved from the cache should work fine and the device can reconnect to the same endpoint. No need for a fresh start for the provisioning process.
-- The IoT Hub to connect upon device reboot is different from the previously connected IoT Hub.
+* The IoT Hub to connect upon device reboot is different from the previously connected IoT Hub.
The connection string stored in memory is inaccurate. Attempting to connect to the same endpoint won't be successful and so the retry mechanism for the IoT Hub connection is triggered. Once the threshold for the IoT Hub connection failure is reached, the retry mechanism automatically triggers a fresh start to the provisioning process. ### Devices that can't store a connection string
-In certain scenarios, devices don't have a large enough footprint or memory to accommodate caching of the connection string from a past successful IoT Hub connection. You can use the [Device Registration Status Lookup API](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup) to retrieve the connection string from the previous time the device was provisioned and then attempt a connection to that IoT Hub. At every device reboot, that API needs to be invoked to get the device registration status. If data related to a previously connected IoT Hub was returned by the API call, you can connect to the same IoT Hub. If the API returns a null payload, then there's no previous connection available and the reprovisioning process through DPS is automatically triggered.
+Some devices don't have a large enough footprint or memory to accommodate caching of the connection string from a past successful IoT Hub connection. These devices need to reprovision through DPS after rebooting. Use the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device) to re-register. Keep in mind that the number of re-registrations per minute is limited based on the DPS [device registration limit](about-iot-dps.md#quotas-and-limits).
### Reprovisioning sample
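Review bot: The rewritten "Devices that can't store a connection string" paragraph says these devices "need to reprovision through DPS after rebooting", which reads as contradicting the sentence added a few lines earlier, "You shouldn't need to go through the provisioning process every time a device reboots". Suggest stating explicitly that devices without a cache are the exception, and tying the registration-limit reminder to the staggered schedule and retry guidance earlier in the article, since many such devices re-registering at once after a reboot is the overload case those sections describe.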
-These code examples show a class for reading to and writing from the device cache, followed by code that attempts to reconnect a device to the IoT Hub if a connection string is found and reprovisioning through DPS if it isn't.
+The code examples in this section show a class for reading to and writing from the device cache, followed by code that attempts to reconnect a device to the IoT Hub if a connection string is found and reprovision through DPS if it isn't.
```csharp using Newtonsoft.Json;
if (provisioningDetails != null)
## IoT Hub connectivity considerations -- Any single IoT hub is limited to 1 million devices plus modules. If you plan to have more than a million devices, cap the number of devices to 1 million per hub and add hubs as needed when increasing the scale of your deployment. For more information, see [IoT Hub quotas](../iot-hub/iot-hub-devguide-quotas-throttling.md).-- If you have plans for more than a million devices and you need to support them in a specific region (such as in an EU region for data residency requirements), you can [contact us](../iot/iot-support-help.md) to ensure that the region you're deploying to has the capacity to support your current and future scale.
+Any single IoT hub is limited to 1 million devices plus modules. If you plan to have more than a million devices, cap the number of devices to 1 million per hub and add hubs as needed when increasing the scale of your deployment. For more information, see [IoT Hub quotas](../iot-hub/iot-hub-devguide-quotas-throttling.md). If you have plans for more than a million devices and you need to support them in a specific region (such as in an EU region for data residency requirements), you can [contact us](../iot/iot-support-help.md) to ensure that the region you're deploying to has the capacity to support your current and future scale.
+
+When connecting to IoT Hub via DPS, devices should use the following logic in response to error codes when connecting:
+
+* When receiving any of the 500-series of server error responses, retry the connection using either cached credentials or the results of a Device Registration Status Lookup API call.
+* When receiving `401, Unauthorized` or `403, Forbidden` or `404, Not Found`, perform a full re-registration by calling the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device).
-Recommended device logic when connecting to IoT Hub via DPS:
+At any time, devices should be capable of responding to a user-initiated reprovisioning command.
-- On first boot, devices should go use the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device) to register.-- On subsequent boots, devices should:
- - If possible, cache their provisioning details and connect using this information from this cache.
- - If they can't cache IoT hub connection information, use the [Device Registration Status Lookup API](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup) to return connection information once registration has been done. This API call is a much lighter weight operation for DPS than a full device registration operation.
- - For devices in either case described above, devices should use the following logic in response to error codes when connecting:
- - When receiving any of the 500-series of server error responses, retry the connection using either cached credentials or the results of a Device Registration Status Lookup API call.
- - When receiving `401, Unauthorized` or `403, Forbidden` or `404, Not Found`, perform a full re-registration by calling the [DPS registration API](/rest/api/iot-dps/device/runtime-registration/register-device).
-- At any time, devices should be capable of responding to a user-initiated reprovisioning command.-- If devices get disconnected from IoT Hub, devices should try to reconnect directly to the same IoT Hub for at least 15 minutes (If scenario permits 30 minutes or more), before attempting to go back to DPS.
+If devices get disconnected from IoT Hub, devices should try to reconnect directly to the same IoT Hub for 15-30 minutes before attempting to go back to DPS.
Other IoT Hub scenarios when using DPS: -- IoT Hub failover: Devices should continue to work as connection information shouldn't change and logic is in place to retry the connection once the hub is available again.-- Change of IoT Hub: Assigning devices to a different IoT Hub should be done by using a [custom allocation policy](tutorial-custom-allocation-policies.md).-- Retry IoT Hub connection: You shouldn't use an aggressive retry strategy, instead allowing a gap of at least a minute before a retry.-- IoT Hub partitions: If your device strategy leans heavily on telemetry, the number of device-to-cloud partitions should be increased.
+* IoT Hub failover: Devices should continue to work as connection information shouldn't change and logic is in place to retry the connection once the hub is available again.
+* Change of IoT Hub: Assigning devices to a different IoT Hub should be done by using a [custom allocation policy](tutorial-custom-allocation-policies.md).
+* Retry IoT Hub connection: You shouldn't use an aggressive retry strategy. Instead, allow a gap of at least a minute before a retry.
+* IoT Hub partitions: If your device strategy leans heavily on telemetry, the number of device-to-cloud partitions should be increased.
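Review bot: The added 500-series bullet still tells devices to retry with "the results of a Device Registration Status Lookup API call", but this change deletes every line that linked or explained that API (the old "can't store a connection string" paragraph and the "On subsequent boots" bullets), so the reference is now dangling. Either restore the link in this bullet or drop the clause so it matches the new re-registration guidance. Also, "for 15-30 minutes" replaces "for at least 15 minutes (If scenario permits 30 minutes or more)", which turns a minimum into a bounded range; please confirm that is intended.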
-## Monitoring devices
+## Monitor devices
An important part of the overall deployment is monitoring the solution end-to-end to make sure that the system is performing appropriately. There are several ways to monitor the health of a service for large-scale deployment of IoT devices. The following patterns have proven effective in monitoring the service: -- Create an application to query each enrollment group on a DPS instance, get the total devices registered to that group, and then aggregate the numbers from across various enrollment groups. This number provides an exact count of the devices that are currently registered via DPS and can be used to monitor the state of the service.-- Monitor device registrations over a specific period. For instance, monitor registration rates for a DPS instance over the prior five days. Note that this approach only provides an approximate figure and is also capped to a time period.
+* Create an application to query each enrollment group on a DPS instance, get the total devices registered to that group, and then aggregate the numbers from across various enrollment groups. This number provides an exact count of the devices that are currently registered via DPS and can be used to monitor the state of the service.
+* Monitor device registrations over a specific period. For instance, monitor registration rates for a DPS instance over the prior five days. Note that this approach only provides an approximate figure and is also capped to a time period.
## Next steps -- [Provision devices across IoT Hubs](how-to-use-allocation-policies.md)-- [Retry timing](https://github.com/Azure/azure-sdk-for-c/blob/main/sdk/docs/iot/mqtt_state_machine.md#retry-timing) when retrying operations
+* [Provision devices across IoT Hubs](how-to-use-allocation-policies.md)
+* [Retry timing](https://github.com/Azure/azure-sdk-for-c/blob/main/sdk/docs/iot/mqtt_state_machine.md#retry-timing) when retrying operations
key-vault Multi Region Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/multi-region-replication.md
Previously updated : 05/23/2023 Last updated : 02/07/2024
The following regions are supported as primary regions (Regions where you can re
- Europe North - France Central - Japan West-- US South
+- US South Central
- Poland Central - Switzerland West
key-vault Tls Offload Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/tls-offload-library.md
description: Azure Managed HSM TLS Offload Library
- Last updated 02/25/2023
lab-services Class Type Jupyter Notebook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/class-type-jupyter-notebook.md
This lab uses one of the Data Science Virtual Machine Azure Marketplace images a
| Lab settings | Value | | | |
- | Virtual machine size | Select **Small** or **Medium** for a basic setup accessing Jupyter Notebooks. Select **Small GPU (Compute)** for compute-intensive and network-intensive applications used in Artificial Intelligence and Deep Learning classes. |
+ | Virtual machine size | Select **Small** or **Medium** for a basic setup accessing Jupyter Notebooks. Select **Alternative Small GPU (Compute)** for compute-intensive and network-intensive applications used in Artificial Intelligence and Deep Learning classes. |
| Virtual machine image | Choose **[Data Science Virtual Machine ΓÇô Windows Server 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019)** or **[Data Science Virtual Machine ΓÇô Ubuntu](https://azuremarketplace.microsoft.com/marketplace/apps?search=Data%20science%20Virtual%20machine&page=1&filters=microsoft%3Blinux)** depending on your OS needs. | | Template virtual machine settings | Select **Use virtual machine without customization.**.
-1. When you create a lab with the **Small GPU (Compute)** size, follow these steps to [install GPU drivers](./how-to-setup-lab-gpu.md#ensure-that-the-appropriate-gpu-drivers-are-installed).
+1. When you create a lab with the **Alternative Small GPU (Compute)** size, follow these steps to [install GPU drivers](./how-to-setup-lab-gpu.md#ensure-that-the-appropriate-gpu-drivers-are-installed).
These process installs recent NVIDIA drivers and the Compute Unified Device Architecture (CUDA) toolkit, which you need to enable high-performance computing with the GPU. For more information, see [Set up a lab with GPU virtual machines](./how-to-setup-lab-gpu.md).
The **Data Science Virtual Machine ΓÇô Ubuntu** image is already provisioned wit
### Enabling tools to use GPUs
-If you're using the **Small GPU (Compute)** size, we recommend that you verify that the Data Science frameworks and libraries are properly set up to use GPUs. You might need to install a different version of the NVIDIA drivers and CUDA toolkit. To configure the GPUs, you should consult the framework's or library's documentation.
+If you're using the **Alternative Small GPU (Compute)** size, we recommend that you verify that the Data Science frameworks and libraries are properly set up to use GPUs. You might need to install a different version of the NVIDIA drivers and CUDA toolkit. To configure the GPUs, you should consult the framework's or library's documentation.
For example, to validate that TensorFlow uses the GPU, connect to the template VM and run the following Python-TensorFlow code in Jupyter Notebooks:
Follow these steps to configure an SSH tunnel between a user's local machine and
## Cost estimate
-This section provides a cost estimate for running this class for 25 lab users. There are 20 hours of scheduled class time. Also, each user gets 10 hours quota for homework or assignments outside scheduled class time. The VM size we chose was small GPU (compute), which is 139 lab units. If you want to use the Small (20 lab units) or Medium size (42 lab units), you can replace the lab unit part in the equation below with the correct number.
+This section provides a cost estimate for running this class for 25 lab users. There are 20 hours of scheduled class time. Also, each user gets 10 hours quota for homework or assignments outside scheduled class time. The VM size we chose was alternative small GPU (compute), which is 139 lab units. If you want to use the Small (20 lab units) or Medium size (42 lab units), you can replace the lab unit part in the equation below with the correct number.
Here's an example of a possible cost estimate for this class: 25 lab users \* (20 scheduled hours + 10 quota hours) \* 139 lab units \* 0.01 USD per hour = 1042.5 USD
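Review bot: In the cost estimate paragraph the renamed size is written "alternative small GPU (compute)" in lower case, while every other changed line uses "**Alternative Small GPU (Compute)**"; use the same capitalization so readers can match it to the size named in the lab settings table. The rename keeps "which is 139 lab units", and the worked figure of 1042.5 USD depends on it, so please confirm that the lab unit value applies to the Alternative size.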
lab-services Troubleshoot Connect Lab Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/troubleshoot-connect-lab-vm.md
+
+ Title: Troubleshoot connectivity issues with Azure Lab Services
+
+description: Learn how to troubleshoot common connectivity issues with Azure Lab Services.
+++++ Last updated : 02/07/2024
+#customer intent: As an Azure Lab Services user, I want to troubleshoot connectivity issues so that I can access my virtual machines.
++
+# Troubleshoot connectivity issues with Azure Lab Services
+
+This article provides guidance on how to troubleshoot common connectivity issues with Azure Lab Services.
+
+> [!IMPORTANT]
+> Azure Lab Services is a managed offering where some of the backing resources for a Lab are not directly accessible. This impacts the ability to utilize other Azure VM troubleshooting guides like [Troubleshoot RDP connections on an Azure Virtual Machine](/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection).
+
+## Slow connection speed
+
+#### Symptoms
+
+- Slow Remote Desktop Protocol (RDP) connection
+
+#### Causes
+
+- Specific lab VM
+- Use of VPN
+- Firewall on the network
+- Specific Internet Service Provider (ISP)
+
+#### Resolution
+
+- Quantify the RDP connection speed
+
+ The utility PsPing can be used to measure the response time to the machine. Steps are included in the blog [How to ensure the best RDP experience for lab users](https://techcommunity.microsoft.com/t5/azure-lab-services-blog/how-to-ensure-the-best-rdp-experience-for-lab-users/ba-p/2813369)
+
+- Determine the scope of the problem:
+
+ - Is it a specific machine
+ - Is there a VPN being used
+ - Is it slow on a specific network
+ - Is there a firewall on the network
+ - Is it slow with a specific ISP
+
+##### Specific machine
+Adjust the [settings in the client experience](/windows-server/administration/performance-tuning/role/remote-desktop/session-hosts#client-experience-settings) to reduce the volume of data being transmitted.
+
+##### Use of VPN
+A good troubleshooting step is to turn off the VPN to see if that improves the connection speed. If it's the VPN and it's required, then review the VPN settings and configuration to possibly allow RDP or SSH connections to be 'passed through' connections arenΓÇÖt routed to distant regions or routed incorrectly.
+
+##### Specific network or firewall
+A network can affect the connectivity to Azure Lab Services, from an enterprise level network to a student's home router/Wi-Fi combination. For example, a studentsΓÇÖ home router might have built-in firewalls that block or limit the RDP/SSH connections. Check if there's a firewall enabled on the network and if it's configured to limit the RDP/SSH connections.
+
+##### Specific internet service provider (ISP)
+It isn't common to have multiple ISPs to connect to. If the slowdown is on a specific network and other options were explored, then you might want to contact your ISP to see if they have any limiters on RDP/SSH connections.
+
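Review bot: In the "Use of VPN" paragraph, the sentence ending "to be 'passed through' connections aren't routed to distant regions or routed incorrectly" is missing a connecting phrase before "connections" and doesn't parse; something like "passed through, so that connections aren't routed to distant regions or routed incorrectly" would fix it. The curly apostrophes in that sentence and in "a students' home router" come through mis-encoded, so plain ASCII apostrophes would be safer, and the latter should be the singular possessive "a student's". The link sentence under "Quantify the RDP connection speed" also lacks a closing period.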
+## Can't connect to the remote computer
+
+#### Symptoms
+
+- Students receive the message, "Remote Desktop can't connect to the remote computer … Make sure the remote computer is turned on and connected to the network, and that remote access is enabled"
+
+ :::image type="content" source="./media/troubleshoot-connect-lab-vm/rdp-error-cannot-connect-remote.png" alt-text="Modal for Remote Desktop Connection that shows an error stating that 'Remote Desktop can't connect to the remote computer … Make sure the remote computer is turned on and connected to the network, and that remote access is enabled'":::
+
+#### Causes
+
+- The virtual machine that the students are trying to connect to isn't running
+- The lab VM might still be starting
+- Idle settings can affect lab VM connections
+
+#### Resolution
+
+Open the [Lab portal](https://labs.azure.com) and check that the virtual machine shows as running. If it's not running, the student can start the virtual machine from their lab portal. It might take between 2 to 5 minutes to get the machine fully running.
+
+Adjusting the [lab automatic shutdown settings](/azure/lab-services/how-to-enable-shutdown-disconnect) might improve the student connection experience. Since turning on and off the virtual machine takes time, adjusting the settings can decrease the chances of the student trying to connect while the machine is changing state. The automatic shutdown settings are part of a cost savings strategy, though they might need to be adjusted to improve the student experience.
+
+- Shut down idle virtual machines: If the duration is too short, there might not be enough time from when the student starts the machine and then connects, or if the student isn't active (in-classroom learning for example), the virtual machine might be shut down.
+- Shut down virtual machines when users disconnect: If there's too small a time delay, you can run into issues where an accidental disconnect starts a shutdown. Students would need to start the virtual machine again to connect.
+- Shutdown virtual machines when users don't connect: If students don't connect to the virtual machine after some time and if the duration is too short, the virtual machine will be shutdown. The timing can affect students starting the virtual machine themselves, or if schedules are used in the lab. Changing the idle setting to a longer duration is an option but has potential cost implications. If schedules are being used, the virtual machines can be started closer to when the class time starts.
++
+## Outbound connection is restricted
+
+#### Symptoms
+
+- The network can be a point of interference when firewalls, switches, routers, or other network appliances block or limit RDP/SSH (3389/22) ports
+
+#### Causes
+
+- Local firewall from a school, university, enterprise, or home network restricting outbound RDP/SSH connections
+- Modern routers, especially WiFi 6, have default behavior to block or restrict the RDP/SSH connections
+- Operating system restricting outbound RDP/SSH connectivity
+
+#### Resolution
+
+Consider removing the RDP/SSH restriction or add an exemption for the [lab public IP address](/azure/lab-services/how-to-configure-firewall-settings#find-public-ip-for-a-lab), which can be added to the allowlist for the firewall or router.
+
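Review bot: The Resolution leads with "Consider removing the RDP/SSH restriction", which asks admins to open outbound 3389/22 broadly. Lead instead with the narrower option the sentence already offers, an allowlist entry for the lab public IP address, and present removing the restriction as the fallback. The single Symptoms bullet also describes a cause (network appliances blocking ports) rather than what the student sees, and the Resolution sentence mixes verb forms ("removing ... or add").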
+## Lab connection issue after admin changes
+
+#### Symptoms
+
+- Students are administrators on their lab VM, where they can make system changes including the network configuration
+
+#### Causes
+
+- Updating the IP Address to a static IP instead of specified as a dynamic IP
+- Disabling DCHP (preventing automatically getting an IP address)
+- Specifying DNS servers
+- Updating local user groups and permissions
+
+#### Resolution
+
+A lab template can be set up with a [script to autoreset the networking](https://techcommunity.microsoft.com/t5/azure-lab-services-blog/running-a-powershell-shutdown-script-on-windows-lab-services/ba-p/3273163) on machine shutdown. Otherwise, students or teachers would need to [reimage the lab VM](/azure/lab-services/how-to-reset-and-redeploy-vm#reimage-a-lab-vm), which get them back to a good state.
+
+If custom DNS is needed, use [Advanced Networking](/azure/lab-services/how-to-connect-vnet-injection) and specify custom DNS servers on the virtual network.
+
+## Lab VM unable to connect via outgoing VPN
+
+#### Symptoms
+
+- Students try to use a VPN connection from a student VM and the VPN fails to connect
+
+#### Causes
+
+- The VPN having issues with the Azure Lab Services network configuration
+
+#### Resolution
++
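Review bot: The "Lab VM unable to connect via outgoing VPN" section ends with an empty "#### Resolution" heading; add the resolution text or hold the section back until it is written. In the preceding section, "DCHP" in the Causes list should be "DHCP", and "which get them back to a good state" should be "which gets them back".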
+## Unable to connect to lab VM after deployment
+
+#### Symptoms
+
+- If the lab has a failure the machine connections might not work properly
+
+#### Causes
+
+- The Azure activity log is the most comprehensive list of events and results
+
+#### Resolution
+
+The [activity log](/azure/azure-monitor/essentials/activity-log?tabs=powershell) can be filtered on the resource group that the lab is located in. The events can take a few minutes to be available in the log. These event logs contain more detailed information that can be used for troubleshooting and should be included if a support ticket needs to be created.
+
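Review bot: Under "Unable to connect to lab VM after deployment", the Causes bullet "The Azure activity log is the most comprehensive list of events and results" is not a cause, and the Symptoms bullet is a conditional statement rather than something the user observes. Move the activity log sentence into Resolution and list the actual symptom and likely causes, as the other sections do.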
+## Unable to login with username and password
+
+#### Symptoms
+
+- Unable to connect to lab VM with username and password
+- Receive error message 'Your credentials did not work"
+
+#### Causes
+
+- Student using wrong credentials
+- Student forgot their password
+- Password associated with Azure Compute Gallery image
+- Machine was compromised
+
+#### Resolution
+
+##### Student using wrong credentials
+Confirm the student is using the correct username and password for their lab VM. If the lab was created with "Use same password for all virtual machines" enabled, then the username and password should be the same for each student.
+##### Student forgot their password
+If they have a custom password and forgot it, then the student can [reset the password on the machine from the lab](/azure/lab-services/how-to-set-virtual-machine-passwords). Additionally, the student can [reimage the machine](/azure/lab-services/how-to-reset-and-redeploy-vm#reimage-a-lab-vm), but any user data are deleted and not be retrievable.
+##### Password associated with Azure Compute Gallery image
+If other students canΓÇÖt login using the common lab username and password and the lab was created using an existing custom image this can be caused by a known [limitation](/azure/lab-services/troubleshoot-access-lab-vm#unable-to-login-with-the-credentials-you-used-for-creating-the-lab). The workaround is to use the username and password when the image was created or reset the password.
+##### Machine was compromised
+There are situations where a student password is fraudulently changed by a bad actor. The student can reset their password to regain access to the machine, but here are some suggestions to reduce the likelihood of this happening:
+- Don't use common passwords and uncheck the use same password option when creating the lab. Having individual specific passwords reduces the scope if the password is compromised
+- [Use strong passwords](https://support.microsoft.com/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb) and secure them
+- [Restrict access to the lab](/azure/lab-services/how-to-manage-lab-users?tabs=manual), so that only those students that are in the class can access the machines. By default, the lab is restricted
+##### Remote Desktop Gateway
+While uncommon, the remote desktop client the students are using can have a Remote Desktop Gateway configured. If so, they would need to enter their gateway credentials first (to authenticate to the gateway) before connecting to their student VM.
+
+## Troubleshooting with Advanced Networking
+Some troubleshooting scenarios only apply to labs with [advanced networking](/azure/lab-services/concept-lab-services-supported-networking-scenarios).
+
+#### Missing a Network Security Group
+For a lab plan configured with advanced networking, one of the first checks is to confirm that the lab services network subnet has a network security group connected to it. This lets the RDP/SSH connections be allowed through. Without a network security group, all connections are blocked to the virtual machines (template VM and student VMs).
+
+#### Using Azure Virtual Machine RDP Troubleshooting
+There are unique troubleshooting techniques with labs that are configured with advanced networking. Advanced networking enables more troubleshooting by creating an Azure Virtual Machine connected directly to the virtual network that the lab plan is connected to. Using this Azure VM (outside of Azure Lab Services), you can use the Azure Virtual Machine RDP Troubleshooting guide, including the in-Azure connection troubleshooter, to determine if the network is configured correctly.
+
+#### NSG Rules are blocking RDP/SSH connections
+Using the Azure VM that is connected directly to the virtual network (from the previous section), you can diagnose virtual machine network connectivity directly in the Azure portal. The blocking or limiting of the RDP/SSH connections via security rules can be done at the subnet with a Network Security Group or by using Azure Virtual Network Manager. The easiest way to see the full list of rules is via the Azure Virtual Machine network effective security rules.
+
+#### Default User Defined Route (Route table problem)
+Advanced networking allows the network to be customized as needed, including modifying the route table. A user-defined route table directs traffic to the appropriate destinations. There's a special route, the ΓÇ£internet routeΓÇ¥ (0.0.0.0/0) which directs traffic not bound for another local address to the Internet. Azure Lab Services advanced networking doesn't support updating the ΓÇÿnext hopΓÇÖ for the 0.0.0.0/0 route to anything except the internet. Changing this to a specific IP address (for example, directing outbound internet traffic to a firewall or other network appliance) breaks connectivity to the lab by introducing an asymmetric routing issue. When debugging issues, check for a custom route table and make sure that the default route is set to have 0.0.0.0/0 to the Internet.
+
+## Further troubleshooting
+
+If you're still experiencing issues after following the above steps, you might need to collect more data for further troubleshooting. This could include logs from your virtual machine, network trace data, or other relevant information.
+
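Review bot: Under "Lab VM unable to connect via outgoing VPN", the "#### Resolution" heading has no body, so the section names a symptom and a cause but gives the reader nothing to do; add the resolution steps or hold the section back until they exist. In "Machine was compromised", the only recovery step offered is that the student resets their password, which leaves a VM that a bad actor had access to in use as it is; consider pointing to the reimage link already used under "Student forgot their password". Smaller points: the cause listed under "Unable to connect to lab VM after deployment" ("The Azure activity log is the most comprehensive list of events and results") describes a diagnostic source rather than a cause, and the quoted error message in the login symptoms opens with a single quote and closes with a double quote.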
load-balancer Ipv6 Configure Template Json https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/basic/ipv6-configure-template-json.md
- Last updated 04/17/2023
load-balancer Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/components.md
- Last updated 05/08/2023
load-balancer Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/concepts.md
- Last updated 05/08/2023
load-balancer Cross Region Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/cross-region-overview.md
- Last updated 06/23/2023
load-balancer Gateway Deploy Dual Stack Load Balancer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/gateway-deploy-dual-stack-load-balancer.md
Title: Deploy a dual-stack Azure Gateway Load Balancer
+ Title: Deploy a dual-stack Azure Gateway Load Balancer
description: In this tutorial, you deploy IPv6 configurations to an existing IPv4-configured Azure Gateway Load Balancer - Last updated 09/25/2023
load-balancer Ipv6 Configure Standard Load Balancer Template Json https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/ipv6-configure-standard-load-balancer-template-json.md
- Last updated 12/04/2023
load-balancer Ipv6 Dual Stack Standard Internal Load Balancer Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/ipv6-dual-stack-standard-internal-load-balancer-powershell.md
- Last updated 06/27/2023
load-balancer Load Balancer Distribution Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-distribution-mode.md
- Last updated 01/22/2024
load-balancer Load Balancer Floating Ip https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-floating-ip.md
- Last updated 02/28/2023
load-balancer Load Balancer Ha Ports Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ha-ports-overview.md
description: Learn about high availability ports load balancing on an internal l
- Last updated 05/03/2023
load-balancer Load Balancer Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-insights.md
- Last updated 05/08/2023
load-balancer Load Balancer Ipv6 For Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-for-linux.md
keywords: ipv6, azure load balancer, dual stack, public ip, native ipv6, mobile, iot - Last updated 04/21/2023
load-balancer Load Balancer Ipv6 Internet Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-cli.md
keywords: ipv6, azure load balancer, dual stack, public ip, native ipv6, mobile, iot - Last updated 05/30/2023
load-balancer Load Balancer Ipv6 Internet Ps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-ps.md
keywords: ipv6, azure load balancer, dual stack, public ip, native ipv6, mobile, iot - Last updated 05/30/2023
load-balancer Load Balancer Ipv6 Internet Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-internet-template.md
keywords: ipv6, azure load balancer, dual stack, public ip, native ipv6, mobile, iot - Last updated 05/03/2023
load-balancer Load Balancer Ipv6 Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-ipv6-overview.md
keywords: ipv6, azure load balancer, dual stack, public ip, native ipv6, mobile, iot - Last updated 05/03/2023
load-balancer Load Balancer Multiple Ip Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-multiple-ip-cli.md
- Last updated 05/30/2023
load-balancer Load Balancer Multiple Ip Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-multiple-ip-powershell.md
- Last updated 06/27/2023
load-balancer Load Balancer Multivip Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-multivip-overview.md
- Last updated 12/04/2023
load-balancer Load Balancer Nat Pool Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-nat-pool-migration.md
- Last updated 05/01/2023
load-balancer Load Balancer Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-overview.md
description: Overview of Azure Load Balancer features, architecture, and impleme
-# Customer intent: As an IT administrator, I want to learn more about the Azure Load Balancer service and what I can use it for.
- Last updated 09/15/2023
+# Customer intent: As an IT administrator, I want to learn more about the Azure Load Balancer service and what I can use it for.
# What is Azure Load Balancer?
load-balancer Load Balancer Standard Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-standard-availability-zones.md
- Last updated 05/03/2023
load-balancer Load Balancer Standard Virtual Machine Scale Sets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-standard-virtual-machine-scale-sets.md
- Last updated 05/03/2023
load-balancer Load Balancer Tcp Idle Timeout https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-tcp-idle-timeout.md
- Last updated 02/06/2024
load-balancer Load Balancer Tcp Reset https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-tcp-reset.md
- Last updated 01/19/2024
load-balancer Load Balancer Test Frontend Reachability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-test-frontend-reachability.md
- Last updated 05/06/2023
load-balancer Load Balancer Troubleshoot Backend Traffic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-troubleshoot-backend-traffic.md
- Last updated 06/27/2023
load-balancer Load Balancer Troubleshoot Health Probe Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-troubleshoot-health-probe-status.md
- Last updated 05/31/2023
load-balancer Load Balancer Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-troubleshoot.md
- Last updated 01/09/2024
load-balancer Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/manage.md
description: Get started learning about Azure Load Balancer portal settings.
- Last updated 01/19/2024
If you want to add an outbound rule to your load balancer, go to your load balan
In this article, you learned about the different terms and settings in the Azure portal for Azure Load Balancer. * [Learn](./load-balancer-overview.md) more about Azure Load Balancer.
-* [FAQs](./load-balancer-faqs.yml) for Azure Load Balancer.
+* [FAQs](./load-balancer-faqs.yml) for Azure Load Balancer.
load-balancer Quickstart Load Balancer Standard Internal Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-internal-terraform.md
- Last updated 01/02/2024
load-balancer Quickstart Load Balancer Standard Public Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-public-bicep.md
- Last updated 10/25/2023
load-balancer Quickstart Load Balancer Standard Public Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-public-template.md
- Last updated 10/25/2023
load-balancer Quickstart Load Balancer Standard Public Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/quickstart-load-balancer-standard-public-terraform.md
- Last updated 01/02/2024
load-balancer Skus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/skus.md
- Last updated 07/10/2023
load-balancer Troubleshoot Rhc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/troubleshoot-rhc.md
Title: Troubleshoot Azure Load Balancer resource health, frontend, and backend availability issues
+ Title: Troubleshoot Azure Load Balancer resource health, frontend, and backend availability issues
description: Use the available metrics to diagnose your degraded or unavailable Azure Standard Load Balancer. - Previously updated : 02/14/2023 Last updated : 02/08/2024
The below table describes the RHC logic used to determine the health state of yo
| Resource health status | Description | | | | | Available | Your standard load balancer resource is healthy and available. |
-| Degraded | Your standard load balancer has platform or user initiated events impacting performance. The Datapath Availability metric has reported less than 90% but greater than 25% health for at least two minutes. You'll experience moderate to severe performance impact.
-| Unavailable | Your standard load balancer resource isn't healthy. The Datapath Availability metric has reported less the 25% health for at least two minutes. You'll experience significant performance impact or lack of availability for inbound connectivity. There may be user or platform events causing unavailability. |
-| Unknown | Resource health status for your standard load balancer resource hasn't been updated yet or hasn't received Data Path availability information for the last 10 minutes. This state should be transient and will reflect correct status as soon as data is received. |
+| Degraded | Your standard load balancer has platform or user initiated events impacting performance. The Datapath Availability metric reported as less than 90% but greater than 25% health for at least two minutes. You experience moderate to severe performance degradation.
+| Unavailable | Your standard load balancer resource isn't healthy. The Datapath Availability metric reported less than 25% health for at least two minutes. You experience significant performance degradation or a lack of availability for inbound connectivity. There can be user or platform events causing unavailability. |
+| Unknown | Resource health status for your standard load balancer resource hasn't updated or received Data Path availability information in the last 10 minutes. This state is transient and will reflect correct status as soon as data is received. |
-## About the metrics we'll use
+## About the metrics we use
The two metrics to be used are *Data path availability* and *Health probe status* and it's important to understand their meaning to derive correct insights. ## Data path availability
-The data path availability metric is generated by a TCP ping every 25 seconds on all frontend ports that have load-balancing and inbound NAT rules configured. This TCP ping will then be routed to any of the healthy (probed up) backend instances. If the service receives a response to the ping, it's considered a success and the sum of the metric will be iterated once, if it fails it won't. The count of this metric is 1/100 of the total TCP pings per sample period. Thus, we want to consider the average, which will show the average of sum/count for the time period. The data path availability metric aggregated by average thus gives us a percentage success rate for TCP pings on your frontend IP:port for each of your load-balancing and inbound NAT rules.
+The data path availability metric is generated by a TCP ping every 25 seconds on all frontend ports that have load-balancing and inbound NAT rules configured. This TCP ping is routed to any of the healthy (probed up) backend instances. If the service receives a response to the ping, it's a successful response and the sum of the metric is iterated once. If there's no response, no iteration happens. The count of this metric is 1/100 of the total TCP pings per sample period. Thus, we want to consider the average, which is the average of sum/count for the time period. The data shows the path availability metric aggregated by average thus gives us a percentage success rate for TCP pings on your frontend IP:port for each of your load-balancing and inbound NAT rules.
## Health probe status The health probe status metric is generated by a ping of the protocol defined in the health probe. This ping is sent to each instance in the backend pool and on the port defined in the health probe. For HTTP and HTTPS probes, a successful ping requires an HTTP 200 OK response whereas with TCP probes any response is considered successful. The consecutive successes or failures of each probe determine the health of the backend instance and whether the assigned backend pool is able to receive traffic. Similar to data path availability we use the average aggregation, which tells us the average successful/total pings during the sampling interval. This health probe status value indicates the backend health in isolation from your load balancer by probing your backend instances without sending traffic through the frontend.
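Review bot: In the rewritten "Data path availability" paragraph, the last sentence now reads "The data shows the path availability metric aggregated by average thus gives us a percentage success rate", which no longer parses; the removed line's "The data path availability metric aggregated by average thus gives us" was correct, so restore that subject. In the table, the new Degraded row still ends without the closing pipe character that the Unavailable and Unknown rows have, and "reported as less than 90%" is worded differently from "reported less than 25%" in the row below it.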
The health probe status metric is generated by a ping of the protocol defined in
>Health probe status is sampled on a one minute basis. This can lead to minor fluctuations in an otherwise steady value. For example, if there are two backend instances, one probed up and one probed down, the health probe service may capture 7 samples for the healthy instance and 6 for the unhealthy instance. This will lead to a previously steady value of 50 showing as 46.15 for a one minute interval. ## Diagnose degraded and unavailable load balancers
-As outlined in the [resource health article](load-balancer-standard-diagnostics.md#resource-health-status), a degraded load balancer is one that shows between 25% and 90% data path availability, and an unavailable load balancer is one with less than 25% data path availability, over a two-minute period. These same steps can be taken to investigate the failure you see in any health probe status or data path availability alerts you've configured. We'll explore the case where we've checked our resource health and found our load balancer to be unavailable with a data path availability of 0% - our service is down.
-First, we go to the detailed metrics view of our load balancer insights page in the Azure portal. You can do this via your load balancer resource page or the link in your resource health message. Next we navigate to the Frontend and Backend availability tab and review a thirty-minute window of the time period when the degraded or unavailable state occurred. If we see our data path availability has been 0%, we know there's an issue preventing traffic for all of our load-balancing and inbound NAT rules and can see how long this impact has lasted.
+As outlined in the [resource health article](load-balancer-standard-diagnostics.md#resource-health-status), a degraded load balancer is one that shows between 25% and 90% data path availability. An unavailable load balancer is one with less than 25% data path availability, over a two-minute period. The same steps can be taken to investigate the failure you see in any health probe status or data path availability alerts you've configured. We explore the case where we've checked our resource health and found our load balancer to be unavailable with a data path availability of 0% - our service is down.
-The next place we need to look is our health probe status metric to determine whether our data path is unavailable is because we have no healthy backend instances to serve traffic. If we have at least one healthy backend instance for all of our load-balancing and inbound rules, we know it isn't our configuration causing our data paths to be unavailable. This scenario indicates an Azure platform issue. While platform issues are rare, an automated alert is sent to our team to rapidly resolve all platform issues.
+First, we go to the detailed metrics view of our load balancer insights page in the Azure portal. Access the view from your load balancer resource page or the link in your resource health message. Next we navigate to the Frontend and Backend availability tab and review a thirty-minute window of the time period when the degraded or unavailable state occurred. If we see our data path availability is 0%, we know there's an issue preventing traffic for all of our load-balancing and inbound NAT rules, and we can see how long this issue has lasted.
+
+The next place we need to look is our health probe status metric to determine whether our data path is unavailable is because we have no healthy backend instances to serve traffic. If we have at least one healthy backend instance for all of our load-balancing and inbound rules, we know it isn't our configuration causing our data paths to be unavailable. This scenario indicates an Azure platform issue. While platform issues are rare, an automated alert is sent to our team to rapidly resolve all platform issues.
## Diagnose health probe failures Let's say we check our health probe status and find out that all instances are showing as unhealthy. This finding explains why our data path is unavailable as traffic has nowhere to go. We should then go through the following checklist to rule out common configuration errors:
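Review bot: Splitting the first sentence of "Diagnose degraded and unavailable load balancers" leaves "over a two-minute period" attached only to the unavailable case, while the removed line and the status table earlier in this file apply the two-minute window to both the degraded and the unavailable state; move the qualifier so it covers both. The re-added paragraph also keeps "to determine whether our data path is unavailable is because we have no healthy backend instances", which has a stray "is".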
Let's say we check our health probe status and find out that all instances are s
* You can check this by viewing the resource's Percentage CPU metric via the Metrics page. Learn how to [Troubleshoot high-CPU issues for Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-high-cpu-issues-azure-windows-vm). * If using an HTTP or HTTPS probe check if the application is healthy and responsive. * Validate application is functional by directly accessing the applications through the private IP address or instance-level public IP address associated with your backend instance.
-* Review the Network Security Groups applied to our backend resources. Ensure that there are no rules of a higher priority than AllowAzureLoadBalancerInBound that will block the health probe.
- * You can do this by visiting the Networking blade of your backend VMs or Virtual Machine Scale Sets.
+* Review the Network Security Groups applied to our backend resources. Ensure that there are no rules of a higher priority than *AllowAzureLoadBalancerInBound* that blocks the health probe.
+ * You can do this by visiting the Networking settings of your backend VMs or Virtual Machine Scale Sets.
* If you find this NSG issue is the case, move the existing Allow rule or create a new high priority rule to allow AzureLoadBalancer traffic. * Check your OS. Ensure your VMs are listening on the probe port and review their OS firewall rules to ensure they aren't blocking the probe traffic originating from IP address `168.63.129.16`. * You can check listening ports by running `netstat -a` from a Windows command prompt or `netstat -l` from a Linux terminal. * Ensure you're using the right protocol. For example, a probe using HTTP to probe a port listening for a non-HTTP application fails.
-* Azure Firewall should not be placed in the backend pool of load balancers, see [Integrate Azure Firewall with Azure Standard Load Balancer](../firewall/integrate-lb.md) to properly integrate Azure Firewall with load balancer.
+* Azure Firewall shouldn't be placed in the backend pool of load balancers. See [Integrate Azure Firewall with Azure Standard Load Balancer](../firewall/integrate-lb.md) to properly integrate Azure Firewall with load balancer.
-If you've gone through this checklist and are still finding health probe failures, there may be rare platform issues impacting the probe service for your instances. In this case, Azure has your back and an automated alert is sent to our team to rapidly resolve all platform issues.
+If you've gone through this checklist and are still finding health probe failures, there can be rare platform issues impacting the probe service for your instances. In this case, Azure has your back and an automated alert is sent to our team to rapidly resolve all platform issues.
## Next steps
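Review bot: In the Network Security Groups bullet, "no rules of a higher priority than *AllowAzureLoadBalancerInBound* that blocks the health probe" pairs a plural subject with a singular verb; use "that block". The rule name is italicized here while the AzureLoadBalancer source in the following bullet is left plain, so pick one treatment for both.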
load-balancer Virtual Network Ipv4 Ipv6 Dual Stack Standard Load Balancer Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-cli.md
- Last updated 04/17/2023
load-balancer Virtual Network Ipv4 Ipv6 Dual Stack Standard Load Balancer Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-powershell.md
- Last updated 04/17/2023-+
load-testing How To Assign Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-assign-roles.md
Title: Manage roles in Azure Load Testing+ description: Learn how to manage access to an Azure load testing resource using Azure role-based access control (Azure RBAC).
Last updated 11/24/2023
+# CustomerIntent: As an administrator, I want understand the roles and permissions for Azure Load Testing, so that I can ensure users have the access they need to interact with the service.
# Manage access to Azure Load Testing
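Review bot: The new CustomerIntent line reads "I want understand the roles and permissions"; it is missing "to" and should read "I want to understand".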
In this article, you learn how to manage access (authorization) to an Azure load
## Prerequisites
-To assign Azure roles, you must have:
+To assign Azure roles, your Azure account must have:
* `Microsoft.Authorization/roleAssignments/write` permissions, such as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner).
+To create a new load testing resource, your Azure account must have:
+
+- Permission to create resources in the resource group for the load testing resource, such as the [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner) role.
+ ## Roles in Azure Load Testing In Azure Load Testing, access is granted by assigning the appropriate Azure role to users, groups, and applications at the load testing resource scope. Following are the built-in roles supported by a load testing resource:
In Azure Load Testing, access is granted by assigning the appropriate Azure role
If you have the **Owner**, **Contributor**, or **Load Test Owner** role at the subscription level, you automatically have the same permissions as the **Load Test Owner** at the resource level.
-You encounter this message if your account doesn't have the necessary permissions to manage tests.
-- > [!IMPORTANT]
-> Role access can be scoped to multiple levels in Azure. For example, someone with owner access to a resource may not have owner access to the resource group that contains the resource. For more information, see [How Azure RBAC works](../role-based-access-control/overview.md#how-azure-rbac-works).
+> Role access can be scoped to multiple levels in Azure. For example, someone with owner access to a resource might not have owner access to the resource group that contains the resource. For more information, see [How Azure RBAC works](../role-based-access-control/overview.md#how-azure-rbac-works).
## Role permissions
You can also configure role-based access to a load testing resource using the fo
Remove-AzRoleAssignment -SignInName <sign-in Id of a user you wish to remove> -RoleDefinitionName 'Load Test Reader' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.LoadTestService/loadtests/<Load Testing resource name>' ```
+## Troubleshooting
+
+This section lists steps to troubleshoot common problems with user access in Azure Load Testing.
+
+### Unable to create or run a test with `You are not authorized to use this resource`
+
+You encounter this message if your Azure account doesn't have the necessary permissions to manage tests. Make sure to grant the user the [Load Test Owner](#load-test-owner) or [Load Test Contributor](#load-test-contributor) role on the load testing resource.
++ ## Related content * Learn more about [Using managed identities](./how-to-use-a-managed-identity.md).
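Review bot: The troubleshooting step under "Unable to create or run a test" tells the reader to grant Load Test Owner or Load Test Contributor, but not to check first which role the account already holds and at what scope, even though the IMPORTANT note earlier in this article says role access can be scoped at multiple levels. Suggest adding a step to review the account's existing role assignments on the load testing resource, and stating when Load Test Contributor is sufficient so that Load Test Owner is not granted by default.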
load-testing How To Export Test Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-export-test-results.md
Previously updated : 02/10/2023 Last updated : 02/08/2024 -
+# CustomerIntent: As a tester, I want to understand how I can export the load test results, so that I can use other reporting tools to analyze the load test results.
# Export test results from Azure Load Testing for use in third-party tools
-In this article, you learn how to download the test results from Azure Load Testing in the Azure portal. You might use these results for reporting in third-party tools or for diagnosing test failures. Azure Load Testing generates the test results in comma-separated values (CSV) file format, and provides details of each application request for the load test.
+In this article, you learn how to export your Azure Load Testing test results. You can download the results by using the Azure portal, as an artifact in your CI/CD workflow, in JMeter by using a backend listener, or by copying the results from an Azure storage account. You might use these results for reporting in third-party tools or for diagnosing test failures. Azure Load Testing generates the test results in comma-separated values (CSV) file format, and provides details of each application request for the load test.
You can also use the test results to diagnose errors during a load test. The `responseCode` and `responseMessage` fields give you more information about failed requests. For more information about investigating errors, see [Diagnose failing load tests](./how-to-diagnose-failing-load-test.md).
You can generate the Apache JMeter dashboard from the CSV log file following the
- An Azure account with an active subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. - An Azure Load Testing resource that has a completed test run. If you need to create an Azure Load Testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md).
-## Test results file
+## Test results file format
Azure Load Testing generates a test results CSV file for each [test engine instance](./concept-load-testing-concepts.md#test-engine). Learn how you can [scale out your load test](./how-to-high-scale-load.md).
timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success
``` ## Access and download load test results+
+After a load test run finishes, you can access and download the load test results through the Azure portal, or as an artifact in your CI/CD workflow.
+ >[!IMPORTANT] >For load tests with more than 45 engine instances or a greater than 3-hour test run duration, the results file is not available for download. You can [configure a JMeter Backend Listener to export the results](#export-test-results-using-jmeter-backend-listeners) to a data store of your choice or [copy the results from a storage account container](#copy-test-artifacts-from-a-storage-account-container). + # [Azure portal](#tab/portal) To download the test results for a test run in the Azure portal:
When you run a load test as part of your CI/CD pipeline, Azure Load Testing gene
:::image type="content" source="./media/how-to-export-test-results/azure-pipelines-run-summary.png" alt-text="Screenshot that shows the Azure Pipelines workflow summary page, highlighting the test results in the Stages section." lightbox="./media/how-to-export-test-results/azure-pipelines-run-summary.png":::
-## Export test results using JMeter Backend Listeners
-You can use [JMeter Backend Listeners](https://jmeter.apache.org/usermanual/component_reference.html#Backend_Listener) to export test results to databases like InfluxDB, MySQL or monitoring tools like AppInsights.
-You can use the backend listeners available by default in JMeter, backend listeners from [jmeter-plugins.org](https://jmeter-plugins.org), or a custom backend listener in the form of a Java archive (JAR) file.
+## Export test results using JMeter backend listeners
-A sample JMeter script that uses a [backend listener for Azure Application Insights](https://github.com/adrianmo/jmeter-backend-azure) is available [here](https://github.com/Azure-Samples/azure-load-testing-samples/tree/main/jmeter-backend-listeners).
+You can use a [JMeter backend listener](https://jmeter.apache.org/usermanual/component_reference.html#Backend_Listener) to export test results to databases like InfluxDB, MySQL, or monitoring tools like Azure Application Insights.
+
+You can use the default JMeter backend listeners, backend listeners from [jmeter-plugins.org](https://jmeter-plugins.org), or a custom backend listener in the form of a Java archive (JAR) file.
+
+The following code snippet shows an example of how to use the backend listener for Azure Application Insights, in a JMeter file (JMX):
-The following code snippet shows an example of a backend listener, for Azure Application Insights, in a JMX file:
:::code language="xml" source="~/azure-load-testing-samples/jmeter-backend-listeners/sample-backend-listener-appinsights.jmx" range="85-126" :::
+You can download the full [example of using the Azure Application Insights backend listener](https://github.com/Azure-Samples/azure-load-testing-samples/tree/main/jmeter-backend-listeners).
+ ## Copy test artifacts from a storage account container >[!IMPORTANT]
To copy the test results and log files for a test run from a storage account, in
The SAS URL is valid for 60 minutes from the time it gets generated. If the URL expires, select **Copy artifacts** to generate a new SAS URL.
-## Next steps
+## Related content
- Learn more about [Diagnosing failing load tests](./how-to-diagnose-failing-load-test.md).-- For information about comparing test results, see [Compare multiple test results](./how-to-compare-multiple-test-runs.md).-- To learn about performance test automation, see [Configure automated performance testing](./quickstart-add-load-test-cicd.md).
+- Learn more about [Comparing multiple test results](./how-to-compare-multiple-test-runs.md).
+- Learn more about [Configuring automated performance testing in Azure Pipelines](./quickstart-add-load-test-cicd.md).
load-testing How To Use A Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-use-a-managed-identity.md
Title: Use managed identities for Azure Load Testing
-description: Learn how to enable a managed identity for Azure Load Testing. You can use managed identities for reading secrets or certificates from Azure Key Vault in your JMeter test script.
+description: Learn how to enable a managed identity in Azure Load Testing for reading secrets or certificates from Azure Key Vault in your test script.
Last updated 10/19/2023
+# CustomerIntent: As an administrator, I want to understand how to enable a managed identity in Azure Load Testing, so that test scripts can read secrets and certificates from Azure Key Vault.
# Use managed identities for Azure Load Testing
Azure Load Testing supports two types of identities:
- A **system-assigned identity** is associated with your load testing resource and is deleted when your resource is deleted. A resource can only have one system-assigned identity. - A **user-assigned identity** is a standalone Azure resource that you can assign to your load testing resource. When you delete the load testing resource, the managed identity remains available. You can assign multiple user-assigned identities to the load testing resource.
+Currently, you can only use the managed identity for accessing Azure Key Vault.
+ ## Prerequisites - An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
logic-apps Logic Apps Enterprise Integration Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-enterprise-integration-maps.md
ms.suite: integration Previously updated : 10/04/2023 Last updated : 02/08/2024 # Add maps for transformations in workflows with Azure Logic Apps + Workflow actions such as **Transform XML** and **Liquid** require a map to perform their tasks. For example, the **Transform XML** action requires a map to convert XML between formats. A map is an XML document that uses [Extensible Stylesheet Language Transformation (XSLT)](https://www.w3.org/TR/xslt/) language to describe how to convert data from XML to another format and has the .xslt file name extension. The map consists of a source XML schema as input and a target XML schema as output. You can define a basic transformation, such as copying a name and address from one document to another. Or, you can create more complex transformations using the out-of-the-box map operations. You can manipulate or control data by using different built-in functions, such as string manipulations, conditional assignments, arithmetic expressions, date time formatters, and even looping constructs. For example, suppose you regularly receive B2B orders or invoices from a customer who uses the YearMonthDay date format (YYYYMMDD). However, your organization uses the MonthDayYear date format (MMDDYYYY). You can define and use a map that transforms the YYYYMMDD format to the MMDDYYYY format before storing the order or invoice details in your customer activity database.
-This how-to guide shows how to add a map to your integration account. If you're working with a Standard logic app workflow, you can also add a map directly to your logic app resource.
+This guide shows how to add a map for your workflow to use. You can add maps either to your linked integration account, or if you have a Standard logic app, you can add maps directly to your logic app resource.
## Prerequisites
Your map must have the following attributes and a `CDATA` section that contains
* `namespace` is the namespace in your assembly that includes the custom code.
-The following example shows a map that references an assembly named `XslUtilitiesLib` and calls the `circumference` method from the assembly.
+The following example shows a map that references an assembly named **XslUtilitiesLib** and calls the `circumference` method from the assembly.
```xml <?xml version="1.0" encoding="UTF-8"?>
After your assembly finishes uploading, the assembly appears in the **Assemblies
### [Standard](#tab/standard)
-A Standard logic app resource supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps. For more information about this capability, see [Create and run .NET Framework code from Standard workflows](create-run-custom-code-functions.md).
+A Standard logic app resource supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps:
+
+| Assembly type | Description |
+||-|
+| **Client/SDK Assembly (.NET Framework)** | This assembly type provides storage and deployment of client and custom SDK for the .NET Framework. For example, the [SAP built-in connector](/azure/logic-apps/connectors/built-in/reference/sap/) uses these assemblies to load the SAP NCo non-redistributable DLL files. |
+| **Client/SDK Assembly (Java)** | This assembly type provides storage and deployment of custom SDK for Java. For example, the [JDBC built-in connector](/azure/logic-apps/connectors/built-in/reference/jdbc/) uses these JAR files to find JDBC drivers for custom relational databases (RDBs). |
+| **Custom Assembly (.NET Framework)** | This assembly type provides storage and deployment of custom DLLs. For example, the [**Transform XML** operation](logic-apps-enterprise-integration-transform.md) uses these assemblies for the custom transformation functions that are required during XML transformation. |
+
+For more information about this capability, see [Create and run .NET Framework code from Standard workflows](create-run-custom-code-functions.md).
+
+#### Azure portal
1. In the [Azure portal](https://portal.azure.com) search box, find and open your logic app resource.
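Review bot: The new lead-in sentence under the Standard tab ends with a colon and so presents the assembly type table as a list of ways to call custom .NET code from XSLT maps, but two of the three rows (the SAP NCo DLL files and the Java JAR files for JDBC drivers) describe connector dependencies, not map code. Suggest ending the sentence with a period and giving the table its own one-line introduction, such as "The following table describes the assembly types that you can upload", so readers know that only **Custom Assembly (.NET Framework)** applies to **Transform XML**. The same sentence also needs "which enables" rather than "which enable".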
A Standard logic app resource supports referencing external assemblies from maps
1. On the **Assemblies** page toolbar, select **Add**. On the **Add Assembly** pane, under **Assembly Type**, select the following type for your assembly, based on your scenario:
- | Assembly type | Description |
- ||-|
- | **Client/SDK Assembly (.NET Framework)** | This assembly type provides storage and deployment of client and custom SDK for the .NET Framework. For example, the [SAP built-in connector](/azure/logic-apps/connectors/built-in/reference/sap/) uses these assemblies to load the SAP NCo non-redistributable DLL files. |
- | **Client/SDK Assembly (Java)** | This assembly type provides storage and deployment of custom SDK for Java. For example, the [JDBC built-in connector](/azure/logic-apps/connectors/built-in/reference/jdbc/) uses these JAR files to find JDBC drivers for custom relational databases (RDBs). |
- | **Custom Assembly (.NET Framework)** | This assembly type provides storage and deployment of custom DLLs. For example, the [**Transform XML** operation](logic-apps-enterprise-integration-transform.md) uses these assemblies for the custom transformation functions that are required during XML transformation. |
- 1. Now, either drag-and-drop your assemblies to the **Upload Files** area, or browse to and select your assemblies. 1. When you're done, select **Upload Files**. Your selected assemblies now appear on your logic app's **Assemblies** page.
+#### Visual Studio Code
+
+1. In your Standard logic app project, open the following folders: **Artifacts** > **lib** > **custom** > **net472**.
+
+1. Add your assemblies to the **net472** folder.
+ <a name="add-map"></a>
The following steps apply only if you want to add a map directly to your Standar
1. On the **Maps** pane toolbar, select **Add**.
-1. On the **Add Map** pane, enter a unique name for your map and include the `.xslt` extension name.
+1. On the **Add Map** pane, enter a unique name for your map and include the **.xslt** extension name.
1. Next to the **Map** box, select the folder icon. Select the map to upload.
To update an existing map, you have to upload a new map file that has the change
1. On the **Maps** pane toolbar, select **Add**.
-1. Under **Add map**, enter a unique name for your map and include the `.xslt` extension name.
+1. Under **Add map**, enter a unique name for your map and include the **.xslt** extension name.
1. Next to the **Map** box, select the folder icon. Select the map to upload.
logic-apps Logic Apps Enterprise Integration Transform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-enterprise-integration-transform.md
Previously updated : 10/04/2023 Last updated : 02/08/2024 # Transform XML in workflows with Azure Logic Apps [!INCLUDE [logic-apps-sku-consumption-standard](../../includes/logic-apps-sku-consumption-standard.md)]
-In enterprise integration business-to-business (B2B) scenarios, you might have to convert XML between formats. Your logic app workflow can transform XML by using the **Transform XML** action and a predefined [*map*](logic-apps-enterprise-integration-maps.md). For example, suppose you regularly receive B2B orders or invoices from a customer that uses the YearMonthDay date format (YYYYMMDD). However, your organization uses the MonthDayYear date format (MMDDYYYY). You can create and use a map that transforms the YearMonthDay format to the MonthDayYear format before storing the order or invoice details in your customer activity database.
+In enterprise integration business-to-business (B2B) scenarios, you might have to convert XML between formats. Your logic app workflow can transform XML by using the **Transform XML** action and a predefined [*map*](logic-apps-enterprise-integration-maps.md).
-If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overview.md)? For more information about B2B enterprise integration, review [B2B enterprise integration workflows with Azure Logic Apps and Enterprise Integration Pack](logic-apps-enterprise-integration-overview.md).
+For example, suppose you regularly receive B2B orders or invoices from a customer that uses the YearMonthDay date format (YYYYMMDD). However, your organization uses the MonthDayYear date format (MMDDYYYY). You can create and use a map that transforms the YearMonthDay format to the MonthDayYear format before storing the order or invoice details in your customer activity database.
## Prerequisites
If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
> [!NOTE] >
- > The Liquid built-in connector lets you select a map that you previously uploaded to your logic app resource or to a linked integration account, but not both.
+ > The Liquid built-in connector lets you select a map that you previously uploaded to your logic app resource or to a linked integration account, but not both.
So, if you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option. Either way, you can use these artifacts across all child workflows within the same logic app resource.
If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
## Add Transform XML action
-1. In the [Azure portal](https://portal.azure.com), open your logic app resource and workflow in designer view.
+### [Standard](#tab/standard)
-1. If you have a blank workflow that doesn't have a trigger, add any trigger you want. This example uses the Request trigger. Otherwise, continue to the next step.
+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app and workflow in the designer.
- To add the Request trigger, in the designer search box, enter `HTTP request`, and select the Request trigger named **When an HTTP request is received**.
+1. If you have a blank workflow that doesn't have a trigger, [follow these general steps to add any trigger you want](create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger). Otherwise, continue to the next step.
-1. Under the step in your workflow where you want to add the **Transform XML** action, choose one of the following steps:
+ This example uses the **Request** trigger.
- For a Consumption or ISE-based logic app workflow, choose a step:
+1. Under the step in your workflow where you want to add the **Transform XML** action, [follow these general steps to add the action named **Transform XML**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).
- * To add the **Transform XML** action at the end of your workflow, select **New step**.
+1. In the **Content** box, specify the XML content that you want to transform using any XML data that you receive in the HTTP request.
- * To add the **Transform XML** action between existing steps, move your pointer over the arrow that connects those steps so that the plus sign (**+**) appears. Select that plus sign, and then select **Add an action**.
+ 1. To select outputs from previous operations in the workflow, in the **Transform XML** action, click inside the **Content** box, and select the dynamic content list option (lightning icon).
- For a Standard-based logic app workflow, choose a step:
+ 1. From the dynamic content list, select the token for the content that you want to transform.
- * To add the **Transform XML** action at the end of your workflow, select the plus sign (**+**), and then select **Add an action**.
+ ![Screenshot shows Standard workflow with opened dynamic content list.](./media/logic-apps-enterprise-integration-transform/open-dynamic-content-list-standard.png)
- * To add the **Transform XML** action between existing steps, select the plus sign (**+**) that appears between those steps, and then select **Add an action**.
+ This example selects the **Body** token from the trigger.
-1. Under **Choose an operation**, select **Built-in**. In the search box, enter `transform xml`. From the actions list, select **Transform XML**.
+ > [!NOTE]
+ >
+ > Make sure that you select XML content. If the content isn't XML or is base64-encoded,
+ > you must specify an expression that processes the content. For example, you can use
+ > [expression functions](workflow-definition-language-functions-reference.md),
+ > such as `base64ToBinary()` to decode content or `xml()` to process the content as XML.
+
+1. From the **Map Source** list, select the location where you uploaded your map, either your **LogicApp** resource or your **IntegrationAccount**.
+
+1. From the **Map** list, select your map.
+
+1. When you're done, save your workflow.
+
+ You're now finished setting up your **Transform XML** action. In a real world app, you might want to store the transformed data in a line-of-business (LOB) app such as SalesForce. To send the transformed output to Salesforce, add a Salesforce action.
+
+1. To test your transformation action, trigger and run your workflow. For example, for the Request trigger, send a request to the trigger's endpoint URL.
+
+ The **Transform XML** action runs after your workflow is triggered and when XML content is available for transformation.
-1. To specify the XML content for transformation, you can use any XML data you receive in the HTTP request. Click inside the **Content** box so that the dynamic content list appears.
+### [Consumption](#tab/consumption)
- The dynamic content list shows property tokens that represent the outputs from the previous steps in the workflow. If the list doesn't show an expected property, check the trigger or action heading in the list and whether you can select **See more**.
+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and workflow in the designer.
- For a Consumption or ISE-based logic app workflow, the designer looks like this example:
+1. If you have a blank workflow that doesn't have a trigger, [follow these general steps to add any trigger you want](create-workflow-with-trigger-or-action.md?tabs=consumption#add-trigger). Otherwise, continue to the next step.
- ![Screenshot showing multi-tenant designer with opened dynamic content list, cursor in "Content" box, and opened dynamic content list.](./media/logic-apps-enterprise-integration-transform/open-dynamic-content-list-multi-tenant.png)
+ This example uses the **Request** trigger.
- For a Standard logic app workflow, the designer looks like this example:
+1. Under the step in your workflow where you want to add the **Transform XML** action, [follow these general steps to add the action named **Transform XML**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).
- ![Screenshot showing single-tenant designer with opened dynamic content list, cursor in "Content" box, and opened dynamic content list](./media/logic-apps-enterprise-integration-transform/open-dynamic-content-list-single-tenant.png)
+1. In the **Content** box, specify the XML content that you want to transform using any XML data that you receive in the HTTP request.
-1. From the dynamic content list, select the property token for the content you want to validate.
+ 1. To select outputs from previous operations in the workflow, in the **Transform XML** action, click inside the **Content** box, which opens the dynamic content list.
- This example selects the **Body** token from the trigger.
+ 1. From the dynamic content list, select the token for the content that you want to transform.
- > [!NOTE]
- > Make sure that the content you select is XML. If the content is not XML or is base64-encoded, you must specify an expression
- > that processes the content. For example, you can use [expression functions](workflow-definition-language-functions-reference.md),
- > such as `base64ToBinary()` to decode content or `xml()` to process the content as XML.
+ ![Screenshot shows Consumption workflow with opened dynamic content list and cursor in Content box.](./media/logic-apps-enterprise-integration-transform/open-dynamic-content-list-consumption.png)
-1. To specify the map to use for transformation, open the **Map** list, and select the map that you previously added.
+ This example selects the **Body** token from the trigger.
-1. When you're done, make sure to save your logic app workflow.
+ > [!NOTE]
+ >
+ > Make sure that you select XML content. If the content isn't XML or is base64-encoded,
+ > you must specify an expression that processes the content. For example, you can use
+ > [expression functions](workflow-definition-language-functions-reference.md),
+ > such as `base64ToBinary()` to decode content or `xml()` to process the content as XML.
+
+1. From the **Map** list, select your map.
+
+1. When you're done, save your workflow.
You're now finished setting up your **Transform XML** action. In a real world app, you might want to store the transformed data in a line-of-business (LOB) app such as SalesForce. To send the transformed output to Salesforce, add a Salesforce action.
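Review bot: The paragraph added to the Standard tab after the save step spells the product two ways, "a line-of-business (LOB) app such as SalesForce" and then "add a Salesforce action". Suggest "Salesforce" in both places. In the same tab, "You're now finished setting up your **Transform XML** action" is indented under the save step but is followed by another numbered step for testing, so consider moving that paragraph below the test step or rewording it so that the procedure does not appear to end early.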
If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
The **Transform XML** action runs after your workflow is triggered and when XML content is available for transformation. ++ ## Advanced capabilities ### Reference assemblies or call custom code from maps The **Transform XML** action supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps. For more information, see [Add XSLT maps for workflows in Azure Logic Apps](logic-apps-enterprise-integration-maps.md).
+### Reference extension objects
+
+In Standard workflows, the **Transform XML** action supports specifying an XML extension object to use with your map.
+
+1. In the **Transform XML** action, open the **Advanced parameters** list, and select **XML Extension Object**, which adds the parameter to the action.
+
+1. In the **XML Extension Object** box, specify your extension object, for example:
+
+ :::image type="content" source="media/logic-apps-enterprise-integration-transform/xml-extension-object-standard.png" alt-text="Screenshot shows Transform XML action with XML Extension Object parameter and value." lightbox="media/logic-apps-enterprise-integration-transform/xml-extension-object-standard.png":::
+ ### Byte order mark By default, the response from the transformation starts with a byte order mark (BOM). You can access this functionality only when you work in the code view editor. To disable this functionality, set the `transformOptions` property to `disableByteOrderMark`:
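Review bot: The second step of the new "Reference extension objects" section says "specify your extension object, for example:" but the only example is a screenshot, and its alt text does not say what the value contains. Suggest adding the expected value format as text (a short code block or a one-sentence description of what the **XML Extension Object** box accepts) so the step is usable without the image and readable by screen readers. A link to where extension objects are defined for maps would also help, because this section introduces the term without explaining it.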
logic-apps Logic Apps Http Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-http-endpoint.md
Title: Create callable or nestable workflows description: Create workflows that receive inbound requests over HTTPS in Azure Logic Apps. -
machine-learning How To Managed Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-managed-network.md
There are two different configuration modes for outbound traffic from the manage
1: You can use outbound rules with _allow only approved outbound_ mode to achieve the same result as using allow internet outbound. The differences are: * You must add rules for each outbound connection you need to allow.
-* Adding FQDN outbound rules increase your costs as this rule type uses Azure Firewall.
+* Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall. For more information, see [Pricing](#pricing)
* The default rules for _allow only approved outbound_ are designed to minimize the risk of data exfiltration. Any outbound rules you add may increase your risk. The managed VNet is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your workspace, workspace's default storage, container registry and key vault __if they're configured as private__ or __the workspace isolation mode is set to allow only approved outbound__. After choosing the isolation mode, you only need to consider other outbound requirements you may need to add.
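Review bot: The rewritten bullet "Adding FQDN outbound rules __increase your costs__ as this rule type uses Azure Firewall" has a subject-verb mismatch, and the sentence added after it ends at `[Pricing](#pricing)` with no period. Suggest "Adding FQDN outbound rules __increases your costs__ because this rule type uses Azure Firewall. For more information, see [Pricing](#pricing)." so the bullet matches the punctuation of the other two bullets in the list.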
You can also define _outbound rules_ to define approved outbound communication.
> * If you add outbound rules, Microsoft can't guarantee data exfiltration. > [!WARNING]
-> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
```yaml managed_network:
You can configure a managed VNet using either the `az ml workspace create` or `a
The following YAML file defines a managed VNet for the workspace. It also demonstrates how to add an approved outbound to the managed VNet. In this example, an outbound rule is added for both a service tag: > [!WARNING]
- > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing.For more information, see [Pricing](#pricing).
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing.For more information, see [Pricing](#pricing).
```yaml name: myworkspace_dep
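Review bot: The rewritten warning still reads "added to your billing.For more information" with no space after the period. The same warning in the Python packages section of this commit was corrected to "billing. For more information", so apply the same fix here to keep the repeated warnings identical.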
To configure a managed VNet that allows only approved outbound communications, u
> * If you add outbound rules, Microsoft can't guarantee data exfiltration. > [!WARNING]
- > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
```python # Basic managed VNet configuration
To configure a managed VNet that allows only approved outbound communications, u
> Adding an outbound for a service tag or FQDN is only valid when the managed VNet is configured to `IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND`. > [!WARNING]
- > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
```python # Get the existing workspace
To configure a managed VNet that allows only approved outbound communications, u
If the destination type is __FQDN__, provide the following information: > [!WARNING]
- > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+ > FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
* __FQDN destination__: The fully qualified domain name to add to the approved outbound rules.
__Inbound__ service tag rules:
To allow installation of __Python packages for training and deployment__, add outbound _FQDN_ rules to allow traffic to the following host names: > [!WARNING]
-> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing.For more information, see [Pricing](#pricing).
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
[!INCLUDE [recommended outbound](includes/recommended-network-outbound.md)]
To allow installation of __Python packages for training and deployment__, add ou
If you plan to use __Visual Studio Code__ with Azure Machine Learning, add outbound _FQDN_ rules to allow traffic to the following hosts: > [!WARNING]
-> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
* `*.vscode.dev` * `vscode.blob.core.windows.net`
If you plan to use __Azure Machine Learning batch endpoints__ for deployment, ad
If you plan to use __HuggingFace models__ with Azure Machine Learning, add outbound _FQDN_ rules to allow traffic to the following hosts: > [!WARNING]
-> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).
+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. For more information, see [Pricing](#pricing).
* `docker.io` * `*.docker.io`
When you create a private endpoint for Azure Machine Learning dependency resourc
The Azure Machine Learning managed VNet feature is free. However, you're charged for the following resources that are used by the managed VNet: * Azure Private Link - Private endpoints used to secure communications between the managed VNet and Azure resources relies on Azure Private Link. For more information on pricing, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
-* FQDN outbound rules - FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. The Azure Firewall (standard SKU) is provisioned by Azure Machine Learning.
+* FQDN outbound rules - FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are added to your billing. The Azure Firewall (standard SKU) is provisioned by Azure Machine Learning.
> [!IMPORTANT]
- > The firewall isn't created until you add an outbound FQDN rule. If you don't use FQDN rules, you will not be charged for Azure Firewall. For more information on pricing, see [Azure Firewall pricing](https://azure.microsoft.com/pricing/details/azure-firewall/) and view prices for the _standard_ version.
+ > The firewall isn't created until you add an outbound FQDN rule. For more information on pricing, see [Azure Firewall pricing](https://azure.microsoft.com/pricing/details/azure-firewall/) and view prices for the _standard_ version.
## Limitations
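Review bot: The rewritten [!IMPORTANT] note under "FQDN outbound rules" drops the sentence "If you don't use FQDN rules, you will not be charged for Azure Firewall." and keeps only "The firewall isn't created until you add an outbound FQDN rule." Readers deciding between service tag rules and FQDN rules lose the explicit statement of when the charge starts. Suggest either keeping the removed sentence or stating the billing consequence directly after the sentence about firewall creation, so the pricing section still says plainly that the cost applies only after the first FQDN rule is added.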
The Azure Machine Learning managed VNet feature is free. However, you're charged
* Data exfiltration protection is automatically enabled for the only approved outbound mode. If you add other outbound rules, such as to FQDNs, Microsoft can't guarantee that you're protected from data exfiltration to those outbound destinations. * Creating a compute cluster in a different region than the workspace isn't supported when using a managed VNet. * Kubernetes and attached VMs aren't supported in an Azure Machine Learning managed VNet.
+* Using FQDN outbound rules increases the cost of the managed VNet because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
### Migration of compute resources
nat-gateway Nat Gateway Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/nat-gateway/nat-gateway-resource.md
description: Learn about the NAT gateway resource of the Azure NAT Gateway servi
- Last updated 07/10/2023
network-watcher Connection Monitor Create Using Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/connection-monitor-create-using-powershell.md
- Last updated 01/07/2021-+ #Customer intent: I need to create a connection monitor by using PowerShell to monitor communication between one VM and another.
network-watcher Connection Monitor Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/connection-monitor-schema.md
- Last updated 08/14/2021
network-watcher Diagnose Vm Network Routing Problem Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-vm-network-routing-problem-cli.md
tags: azure-resource-manager
network-watcher- Last updated 03/18/2022
az group delete --name myResourceGroup --yes
In this article, you created a VM and diagnosed network routing from the VM. You learned that Azure creates several default routes and tested routing to two different destinations. Learn more about [routing in Azure](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and how to [create custom routes](../virtual-network/manage-route-table.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#create-a-route).
-For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).
+For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).
network-watcher Diagnose Vm Network Routing Problem Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-vm-network-routing-problem-powershell.md
tags: azure-resource-manager
network-watcher- Last updated 01/07/2021
network-watcher Network Watcher Analyze Nsg Flow Logs Graylog https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-analyze-nsg-flow-logs-graylog.md
tags: azure-resource-manager - Last updated 05/03/2023
network-watcher Network Watcher Connectivity Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-connectivity-cli.md
- Last updated 01/07/2021
network-watcher Network Watcher Connectivity Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-connectivity-powershell.md
- Last updated 01/07/2021
network-watcher Network Watcher Connectivity Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-connectivity-rest.md
- Last updated 01/07/2021
The following example is the response from running the previous API call. As the
Learn how to automate packet captures with Virtual machine alerts by viewing [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md).
-Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md).
+Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md).
network-watcher Network Watcher Delete Nsg Flow Log Blobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-delete-nsg-flow-log-blobs.md
- Last updated 01/07/2021
Write-Output ('Retention policy for all NSGs evaluated and completed successfull
## Next steps - Customers can automate running the script by using [Azure Logic Apps](../logic-apps/logic-apps-overview.md) or [Azure Automation](https://azure.microsoft.com/services/automation/) - To learn more about NSG logging, see [Azure Monitor logs for network security groups (NSGs)](../virtual-network/virtual-network-nsg-manage-log.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).-
network-watcher Network Watcher Diagnose On Premises Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-diagnose-on-premises-connectivity.md
ms.assetid: aeffbf3d-fd19-4d61-831d-a7114f7534f9 - Last updated 01/20/2021
Azure Network Watcher troubleshoot feature enables you to diagnose and troublesh
Learn to check VPN Gateway connectivity with PowerShell and Azure Automation by visiting [Monitor VPN gateways with Azure Network Watcher troubleshooting](network-watcher-monitor-with-azure-automation.md)
-[1]: ./media/network-watcher-diagnose-on-premises-connectivity/figure1.png
+[1]: ./media/network-watcher-diagnose-on-premises-connectivity/figure1.png
network-watcher Network Watcher Monitor With Azure Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-monitor-with-azure-automation.md
-
+ Title: Troubleshoot and monitor VPN gateways - Azure Automation description: This article describes how to diagnose On-premises connectivity with Azure Automation and Network Watcher
- Last updated 11/20/2020
Now that you have an understanding on how to integrate Network Watcher troublesh
[7]: ./media/network-watcher-monitor-with-azure-automation/figure7.png [8]: ./media/network-watcher-monitor-with-azure-automation/figure8.png [9]: ./media/network-watcher-monitor-with-azure-automation/figure9.png
-[10]: ./media/network-watcher-monitor-with-azure-automation/figure10.png
+[10]: ./media/network-watcher-monitor-with-azure-automation/figure10.png
network-watcher Network Watcher Next Hop Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-next-hop-overview.md
- Last updated 03/28/2023
network-watcher Network Watcher Nsg Auditing Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-nsg-auditing-powershell.md
- Last updated 03/28/2023
network-watcher Network Watcher Nsg Grafana https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-nsg-grafana.md
tags: azure-resource-manager - Last updated 05/03/2023
network-watcher Network Watcher Packet Capture Manage Portal Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-packet-capture-manage-portal-vmss.md
- Last updated 06/07/2022
If you selected **File** when you created the capture, you can view or download
## Next steps -- To determine whether specific traffic is allowed in or out of a virtual machine/ virtual machine scale set, see [Diagnose a virtual machine network traffic filter problem](diagnose-vm-network-traffic-filtering-problem.md).
+- To determine whether specific traffic is allowed in or out of a virtual machine/ virtual machine scale set, see [Diagnose a virtual machine network traffic filter problem](diagnose-vm-network-traffic-filtering-problem.md).
network-watcher Network Watcher Packet Capture Manage Powershell Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-packet-capture-manage-powershell-vmss.md
- Last updated 06/07/2022-+
https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscrip
Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md)
-<!-- Image references -->
+<!-- Image references -->
network-watcher Network Watcher Packet Capture Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-packet-capture-overview.md
- Last updated 03/22/2023
network-watcher Network Watcher Read Nsg Flow Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-read-nsg-flow-logs.md
- Last updated 02/09/2021
network-watcher Network Watcher Security Group View Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-security-group-view-cli.md
- Last updated 12/09/2021
network-watcher Network Watcher Security Group View Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-security-group-view-powershell.md
- Last updated 11/20/2020
network-watcher Network Watcher Using Open Source Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-using-open-source-tools.md
- Last updated 02/25/2021
network-watcher Network Watcher Visualize Nsg Flow Logs Open Source Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools.md
- Last updated 05/03/2023
network-watcher Network Watcher Visualize Nsg Flow Logs Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/network-watcher-visualize-nsg-flow-logs-power-bi.md
- Last updated 06/23/2021
network-watcher Packet Capture Vm Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/packet-capture-vm-cli.md
+
+ Title: Manage packet captures for VMs - Azure CLI
+
+description: Learn how to start, stop, download, and delete Azure virtual machines packet captures with the packet capture feature of Network Watcher using the Azure CLI.
++++ Last updated : 01/31/2024+
+#CustomerIntent: As an administrator, I want to capture IP packets to and from a virtual machine (VM) so I can review and analyze the data to help diagnose and solve network problems.
++
+# Manage packet captures for virtual machines with Azure Network Watcher using the Azure CLI
+
+The Network Watcher packet capture tool allows you to create capture sessions to record network traffic to and from an Azure virtual machine (VM). Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps in diagnosing network anomalies both reactively and proactively. Its applications extend beyond anomaly detection to include gathering network statistics, acquiring insights into network intrusions, debugging client-server communication, and addressing various other networking challenges. Network Watcher packet capture enables you to initiate packet captures remotely, alleviating the need for manual execution on a specific virtual machine.
+
+In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using Azure PowerShell. To learn how to manage packet captures using the Azure portal or Azure CLI, see [Manage packet captures for virtual machines using the Azure portal](packet-capture-vm-portal.md) or [Manage packet captures for virtual machines using PowerShell](packet-capture-vm-powershell.md).
++
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+- Azure Cloud Shell or Azure CLI.
+
+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
+
+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.
+
+- A virtual machine with the following outbound TCP connectivity:
+ - to the storage account over port 443
+ - to 169.254.169.254 over port 80
+ - to 168.63.129.16 over port 8037
+
+> [!NOTE]
+> - Azure creates a Network Watcher instance in the the virtual machine's region if Network Watcher wasn't enabled for that region. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md).
+> - Network Watcher packet capture requires Network Watcher agent VM extension to be installed on the target virtual machine. For more information, see [Install Network Watcher agent](#install-network-watcher-agent).
+> - The last two IP addresses and ports listed in the **Prerequisites** are common across all Network Watcher tools that use the Network Watcher agent and might occasionally change.
+
+If a network security group is associated to the network interface, or subnet that the network interface is in, ensure that rules exist to allow outbound connectivity over the previous ports. Similarly, ensure outbound connectivity over the previous ports when adding user-defined routes to your network.
+
+## Install Network Watcher agent
+
+### Step 1
+
+Run the `az vm extension set` command to install the packet capture agent on the guest virtual machine.
+
+For Windows virtual machines:
+
+```azurecli-interactive
+az vm extension set --resource-group resourceGroupName --vm-name virtualMachineName --publisher Microsoft.Azure.NetworkWatcher --name NetworkWatcherAgentWindows --version 1.4
+```
+
+For Linux virtual machines:
+
+```azurecli-interactive
+az vm extension set --resource-group resourceGroupName --vm-name virtualMachineName --publisher Microsoft.Azure.NetworkWatcher --name NetworkWatcherAgentLinux --version 1.4
+```
+
+### Step 2
+
+To ensure that the agent is installed, run the `vm extension show` command and pass it the resource group and virtual machine name. Check the resulting list to ensure the agent is installed.
+
+For Windows virtual machines:
+
+```azurecli-interactive
+az vm extension show --resource-group resourceGroupName --vm-name virtualMachineName --name NetworkWatcherAgentWindows
+```
+
+For Linux virtual machines:
+
+```azurecli-interactive
+az vm extension show --resource-group resourceGroupName --vm-name virtualMachineName --name AzureNetworkWatcherExtension
+```
+
+The following sample is an example of the response from running `az vm extension show`
+
+```json
+{
+ "autoUpgradeMinorVersion": true,
+ "forceUpdateTag": null,
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/NetworkWatcherAgentWindows",
+ "instanceView": null,
+ "location": "westcentralus",
+ "name": "NetworkWatcherAgentWindows",
+ "protectedSettings": null,
+ "provisioningState": "Succeeded",
+ "publisher": "Microsoft.Azure.NetworkWatcher",
+ "resourceGroup": "{resourceGroupName}",
+ "settings": null,
+ "tags": null,
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "typeHandlerVersion": "1.4",
+ "virtualMachineExtensionType": "NetworkWatcherAgentWindows"
+}
+```
+
+## Start a packet capture
+
+Once the preceding steps are complete, the packet capture agent is installed on the virtual machine.
+
+### Step 1
+
+Retrieve a storage account. This storage account is used to store the packet capture file.
+
+```azurecli-interactive
+az storage account list
+```
+
+### Step 2
+
+At this point, you are ready to create a packet capture. First, let's examine the parameters you may want to configure. Filters are one such parameter that can be used to limit the data that is stored by the packet capture. The following example sets up a packet capture with several filters. The first three filters collect outgoing TCP traffic only from local IP 10.0.0.3 to destination ports 20, 80 and 443. The last filter collects only UDP traffic.
+
+```azurecli-interactive
+az network watcher packet-capture create --resource-group {resourceGroupName} --vm {vmName} --name packetCaptureName --storage-account {storageAccountName} --filters "[{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"20\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"80\"},{\"protocol\":\"TCP\", \"remoteIPAddress\":\"1.1.1.1-255.255.255.255\",\"localIPAddress\":\"10.0.0.3\", \"remotePort\":\"443\"},{\"protocol\":\"UDP\"}]"
+```
+
+The following example is the expected output from running the `az network watcher packet-capture create` command.
+
+```json
+{
+ "bytesToCapturePerPacket": 0,
+ "etag": "W/\"b8cf3528-2e14-45cb-a7f3-5712ffb687ac\"",
+ "filters": [
+ {
+ "localIpAddress": "10.0.0.3",
+ "localPort": "",
+ "protocol": "TCP",
+ "remoteIpAddress": "1.1.1.1-255.255.255.255",
+ "remotePort": "20"
+ },
+ {
+ "localIpAddress": "10.0.0.3",
+ "localPort": "",
+ "protocol": "TCP",
+ "remoteIpAddress": "1.1.1.1-255.255.255.255",
+ "remotePort": "80"
+ },
+ {
+ "localIpAddress": "10.0.0.3",
+ "localPort": "",
+ "protocol": "TCP",
+ "remoteIpAddress": "1.1.1.1-255.255.255.255",
+ "remotePort": "443"
+ },
+ {
+ "localIpAddress": "",
+ "localPort": "",
+ "protocol": "UDP",
+ "remoteIpAddress": "",
+ "remotePort": ""
+ }
+ ],
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/pa
+cketCaptures/packetCaptureName",
+ "name": "packetCaptureName",
+ "provisioningState": "Succeeded",
+ "resourceGroup": "NetworkWatcherRG",
+ "storageLocation": {
+ "filePath": null,
+ "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/gwteststorage123abc",
+ "storagePath": "https://gwteststorage123abc.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{resourceGroupName}/p
+roviders/microsoft.compute/virtualmachines/{vmName}/2017/05/25/packetcapture_16_22_34_630.cap"
+ },
+ "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",
+ "timeLimitInSeconds": 18000,
+ "totalBytesPerSession": 1073741824
+}
+```
+
+## Get a packet capture
+
+Running the `az network watcher packet-capture show-status` command, retrieves the status of a currently running, or completed packet capture.
+
+```azurecli-interactive
+az network watcher packet-capture show-status --name packetCaptureName --location {networkWatcherLocation}
+```
+
+The following example is the output from the `az network watcher packet-capture show-status` command. The following example is when the capture is Stopped, with a StopReason of TimeExceeded.
+
+```
+{
+ "additionalProperties": {
+ "status": "Succeeded"
+ },
+ "captureStartTime": "2016-12-06T17:20:01.5671279Z",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/packetCaptureName",
+ "name": "packetCaptureName",
+ "packetCaptureError": [],
+ "packetCaptureStatus": "Stopped",
+ "stopReason": "TimeExceeded"
+}
+```
+
+## Stop a packet capture
+
+By running the `az network watcher packet-capture stop` command, if a capture session is in progress it is stopped.
+
+```azurecli-interactive
+az network watcher packet-capture stop --name packetCaptureName --location westcentralus
+```
+
+> [!NOTE]
+> The command returns no response when ran on a currently running capture session or an existing session that has already stopped.
+
+## Delete a packet capture
+
+```azurecli-interactive
+az network watcher packet-capture delete --name packetCaptureName --location westcentralus
+```
+
+> [!NOTE]
+> Deleting a packet capture does not delete the file in the storage account.
+
+## Download a packet capture
+
+Once your packet capture session has completed, the capture file can be uploaded to blob storage or to a local file on the VM. The storage location of the packet capture is defined at creation of the session. A convenient tool to access these capture files saved to a storage account is Microsoft Azure Storage Explorer, which can be downloaded here: https://storageexplorer.com/
+
+If a storage account is specified, packet capture files are saved to a storage account at the following location:
+
+```
+https://{storageAccountName}.blob.core.windows.net/network-watcher-logs/subscriptions/{subscriptionId}/resourcegroups/{storageAccountResourceGroup}/providers/microsoft.compute/virtualmachines/{VMName}/{year}/{month}/{day}/packetCapture_{creationTime}.cap
+```
+
+## Related content
+
+- To learn how to automate packet captures with virtual machine alerts, see [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md).
+- To determine whether specific traffic is allowed in or out of a virtual machine, see [Diagnose a virtual machine network traffic filter problem](diagnose-vm-network-traffic-filtering-problem.md).
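Review bot: The second introductory paragraph of this new CLI article still describes the PowerShell workflow: it says you manage the capture "using Azure PowerShell" and offers "the Azure portal or Azure CLI" as the alternatives, while the two links point to the portal and PowerShell articles. It should read "using the Azure CLI", with the portal and PowerShell as the alternatives. In "Install Network Watcher agent", the Linux extension is installed with `--name NetworkWatcherAgentLinux` but verified with `--name AzureNetworkWatcherExtension`; the two names need to agree so that Step 2 finds what Step 1 installed, and the Step 2 prose should name the command as `az vm extension show` rather than `vm extension show`. The sample output for `packet-capture create` is wrapped inside the `id` and `storagePath` string values ("pa" / "cketCaptures" and "p" / "roviders"), which makes it invalid JSON as shown, and the `show-status` sample fence has no `json` tag unlike the other samples. The stop and delete commands hard-code `--location westcentralus` where `show-status` uses `{networkWatcherLocation}`; use the placeholder throughout. Minor wording: "in the the virtual machine's region" and "when ran". Because the article states that deleting a packet capture leaves the file in the storage account, and the file records traffic to and from the VM, a sentence on removing the blob or limiting access to the `network-watcher-logs` container would round out the Delete section.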
network-watcher Packet Capture Vm Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/packet-capture-vm-portal.md
Last updated 02/07/2024
The Network Watcher packet capture tool allows you to create capture sessions to record network traffic to and from an Azure virtual machine (VM). Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps in diagnosing network anomalies both reactively and proactively. Its applications extend beyond anomaly detection to include gathering network statistics, acquiring insights into network intrusions, debugging client-server communication, and addressing various other networking challenges. Network Watcher packet capture enables you to initiate packet captures remotely, alleviating the need for manual execution on a specific virtual machine.
-In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using the Azure portal. To learn how to manage packet captures using PowerShell or Azure CLI, see [Manage packet captures for virtual machines using PowerShell](packet-capture-vm-powershell.md) or [Manage packet captures for virtual machines using the Azure CLI](network-watcher-packet-capture-manage-cli.md).
+In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using the Azure portal. To learn how to manage packet captures using PowerShell or Azure CLI, see [Manage packet captures for virtual machines using PowerShell](packet-capture-vm-powershell.md) or [Manage packet captures for virtual machines using the Azure CLI](packet-capture-vm-cli.md).
## Prerequisites
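Review bot: The CLI link in the introduction now targets `packet-capture-vm-cli.md` in place of `network-watcher-packet-capture-manage-cli.md`. If the old file is being renamed rather than kept, confirm that a redirect is in place and that no other article still links to the old path. The same link change appears in the PowerShell article.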
network-watcher Packet Capture Vm Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/packet-capture-vm-powershell.md
The Network Watcher packet capture tool allows you to create capture sessions to record network traffic to and from an Azure virtual machine (VM). Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps in diagnosing network anomalies both reactively and proactively. Its applications extend beyond anomaly detection to include gathering network statistics, acquiring insights into network intrusions, debugging client-server communication, and addressing various other networking challenges. Network Watcher packet capture enables you to initiate packet captures remotely, alleviating the need for manual execution on a specific virtual machine.
-In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using Azure PowerShell. To learn how to manage packet captures using the Azure portal or Azure CLI, see [Manage packet captures for virtual machines using the Azure portal](packet-capture-vm-portal.md) or [Manage packet captures for virtual machines using the Azure CLI](network-watcher-packet-capture-manage-cli.md).
+In this article, you learn how to remotely configure, start, stop, download, and delete a virtual machine packet capture using Azure PowerShell. To learn how to manage packet captures using the Azure portal or Azure CLI, see [Manage packet captures for virtual machines using the Azure portal](packet-capture-vm-portal.md) or [Manage packet captures for virtual machines using the Azure CLI](packet-capture-vm-cli.md).
## Prerequisites
network-watcher Traffic Analytics Schema Update https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/traffic-analytics-schema-update.md
-
+ Title: Traffic analytics schema update - March 2020 description: Learn how to use queries to replace the deprecated fields in the Traffic Analytics schema with the new ones.
- Last updated 06/20/2023
network-watcher View Relative Latencies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/view-relative-latencies.md
- Last updated 04/20/2022
networking Azure For Network Engineers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/azure-for-network-engineers.md
- Last updated 06/25/2020 - # Azure for network engineers As a conventional network engineer you have dealt with physical assets such as routers, switches, cables, firewalls to build infrastructure. At a logical layer you have configured virtual LAN (VLAN), Spanning Tree Protocol (STP), routing protocols (RIP, OSPF, BGP). You have managed your network using management tools and CLI. Networking in the cloud is different where network endpoints are logical and use of routing protocols is minimum. You will work with Azure Resource Manager API, Azure CLI, and PowerShell for configuring and managing assets in Azure. You will start your network journey in the cloud by understanding basic tenants of Azure networking.
networking Check Usage Against Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/check-usage-against-limits.md
tags: azure-resource-manager
- Last updated 06/05/2018 # Check resource usage against limits
networking Networking Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/fundamentals/networking-overview.md
- Last updated 07/28/2023
networking Load Balancer Linux Cli Load Balance Multiple Websites Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/scripts/load-balancer-linux-cli-load-balance-multiple-websites-vm.md
ms.devlang: azurecli - Last updated 07/07/2017
networking Traffic Manager Cli Websites High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/scripts/traffic-manager-cli-websites-high-availability.md
ms.devlang: azurecli - Last updated 04/27/2023
networking Traffic Manager Powershell Websites High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/scripts/traffic-manager-powershell-websites-high-availability.md
ms.devlang: powershell - Last updated 04/27/2023-+
notification-hubs Browser Push https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/browser-push.md
- mobile-multiple Last updated 12/06/2023
notification-hubs Configure Apple Push Notification Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-apple-push-notification-service.md
Title: Configure Apple Push Notification Service in Azure Notification Hubs | Microsoft Docs
-description: Learn how to configure an Azure notification hub with Apple Push Notification Service (APNS) settings.
+description: Learn how to configure an Azure notification hub with Apple Push Notification Service (APNS) settings.
- Last updated 06/22/2020
notification-hubs Configure Baidu Cloud Push https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-baidu-cloud-push.md
Title: Configure Baidu Cloud Push in Azure Notification Hubs | Microsoft Docs
-description: Learn how to configure Baidu settings for an Azure notification hub.
+description: Learn how to configure Baidu settings for an Azure notification hub.
- Last updated 03/25/2019
notification-hubs Configure Google Firebase Cloud Messaging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-google-firebase-cloud-messaging.md
Title: Configure Google Firebase Cloud Messaging in Azure Notification Hubs | Microsoft Docs
-description: Learn how to configure an Azure notification hub with Google Firebase Cloud Messaging settings.
+description: Learn how to configure an Azure notification hub with Google Firebase Cloud Messaging settings.
- Last updated 06/30/2023
The following procedure describes the steps to configure Google Firebase Cloud M
## Next steps For a tutorial with step-by-step instructions for sending notifications to Android devices by using Azure Notification Hubs and Google Firebase Cloud Messaging, see [Send push notifications to Android devices by using Notification Hubs and Google FCM](notification-hubs-android-push-notification-google-fcm-get-started.md).-
notification-hubs Configure Microsoft Push Notification Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-microsoft-push-notification-service.md
Title: Configure Microsoft Push Notification Service in Azure Notification Hubs | Microsoft Docs
-description: Learn how to configure Microsoft Push Notification Service settings for an Azure notification hub.
+description: Learn how to configure Microsoft Push Notification Service settings for an Azure notification hub.
- Last updated 08/23/2021
notification-hubs Configure Notification Hub Portal Pns Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-notification-hub-portal-pns-settings.md
- Last updated 06/30/2023
To learn more about how to push notifications to various platforms, see these tu
* [Send notifications to a UWP app running on a Windows device](notification-hubs-windows-store-dotnet-get-started-wns-push-notification.md) * [Send notifications to a Windows Phone 8 app by using MPNS](notification-hubs-windows-mobile-push-notifications-mpns.md) * [Send notifications by using Notification Hubs and Baidu cloud push](notification-hubs-baidu-china-android-notifications-get-started.md)-
notification-hubs Configure Windows Push Notification Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/configure-windows-push-notification-service.md
Title: Configure Windows Push Notification Service in Azure Notification Hubs | Microsoft Docs
-description: Learn how to configure Windows Push Notification Service settings for an Azure notification hub.
+description: Learn how to configure Windows Push Notification Service settings for an Azure notification hub.
- Last updated 08/04/2020
notification-hubs Create Notification Hub Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/create-notification-hub-azure-cli.md
editor: sethmanheim ms.devlang: azurecli- Last updated 05/27/2020
notification-hubs Create Notification Hub Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/create-notification-hub-portal.md
Last updated 07/17/2023 -
notification-hubs Notification Hubs Android Push Notification Google Fcm Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-android-push-notification-google-fcm-get-started.md
- mobile-android ms.devlang: java
notification-hubs Notification Hubs App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-app-service.md
- multiple
notification-hubs Notification Hubs Aspnet Backend Ios Apple Apns Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-backend-ios-apple-apns-notification.md
Title: Send push notifications to specific users using Azure Notification Hubs | Microsoft Docs
-description: Learn how to send push notifications to specific iOS users by using Azure Notification Hubs.
+description: Learn how to send push notifications to specific iOS users by using Azure Notification Hubs.
- ios ms.devlang: objective-c
notification-hubs Notification Hubs Aspnet Backend Ios Apple Push Notification Service Apns Rich https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-backend-ios-apple-push-notification-service-apns-rich.md
- ios ms.devlang: objective-c
notification-hubs Notification Hubs Aspnet Backend Ios Push Apple Apns Secure Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-backend-ios-push-apple-apns-secure-notification.md
- ios ms.devlang: objective-c
notification-hubs Notification Hubs Aspnet Backend Windows Dotnet Wns Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-notification.md
Title: Send notifications to specific users using Azure Notification Hubs | Microsoft Docs
-description: Learn how to send notifications to specific users using Universal Windows Platform (UWP) applications.
+description: Learn how to send notifications to specific users using Universal Windows Platform (UWP) applications.
- mobile-windows ms.devlang: csharp
notification-hubs Notification Hubs Aspnet Backend Windows Dotnet Wns Secure Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-backend-windows-dotnet-wns-secure-push-notification.md
editor: thsomasu
- windows ms.devlang: csharp
notification-hubs Notification Hubs Aspnet Cross Platform Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-aspnet-cross-platform-notification.md
editor: thsomasu - mobile-windows ms.devlang: csharp
Now that you've completed this tutorial, find out more about Notification Hubs a
[Azure Notification Hubs]: https://go.microsoft.com/fwlink/p/?LinkId=314257 [Send notifications to specific users by using Azure Notification Hubs]: notification-hubs-aspnet-backend-windows-dotnet-wns-notification.md [Templates]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
-[Notification Hub How to for Windows Store]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
+[Notification Hub How to for Windows Store]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
notification-hubs Notification Hubs Baidu China Android Notifications Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-baidu-china-android-notifications-get-started.md
ms.devlang: java mobile-baidu- Last updated 07/17/2023
notification-hubs Notification Hubs Deploy And Manage Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-deploy-and-manage-powershell.md
editor: jwargo
ms.assetid: 7c58f2c8-0399-42bc-9e1e-a7f073426451 - powershell
notification-hubs Notification Hubs Enterprise Push Notification Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-enterprise-push-notification-architecture.md
editor: jwargo
ms.assetid: 903023e9-9347-442a-924b-663af85e05c6 - mobile-windows ms.devlang: csharp
notification-hubs Notification Hubs Ios Aspnet Register User From Backend To Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-ios-aspnet-register-user-from-backend-to-push-notification.md
- ios ms.devlang: objective-c
notification-hubs Notification Hubs Ios Xplat Localized Apns Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-ios-xplat-localized-apns-push-notification.md
Title: Send localized push notifications to iOS using Azure Notification Hubs | Microsoft Docs
-description: Learn how to use push localized notifications to iOS devices by using Azure Notification Hubs.
+description: Learn how to use push localized notifications to iOS devices by using Azure Notification Hubs.
editor: jwargo
ms.assetid: 484914b5-e081-4a05-a84a-798bbd89d428 - ios ms.devlang: objective-c
notification-hubs Notification Hubs Ios Xplat Segmented Apns Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-ios-xplat-segmented-apns-push-notification.md
Title: Send push notifications to specific iOS devices using Azure Notification Hubs | Microsoft Docs
-description: In this tutorial, you learn how to use Azure Notification Hubs to send push notifications to specific iOS devices.
+description: In this tutorial, you learn how to use Azure Notification Hubs to send push notifications to specific iOS devices.
- mobile-ios ms.devlang: objective-c
notification-hubs Notification Hubs Java Push Notification Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-java-push-notification-tutorial.md
- java ms.devlang: java
notification-hubs Notification Hubs Nodejs Push Notification Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-nodejs-push-notification-tutorial.md
- ms.devlang: javascript Last updated 08/23/2021
notification-hubs Notification Hubs Php Push Notification Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-php-push-notification-tutorial.md
- php ms.devlang: php
notification-hubs Notification Hubs Push Bing Spatial Data Geofencing Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-bing-spatial-data-geofencing-notification.md
editor: jwargo
ms.assetid: f41beea1-0d62-4418-9ffc-c9d70607a1b7 - mobile-windows-phone ms.devlang: csharp
notification-hubs Notification Hubs Push Notification Fixer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-notification-fixer.md
- ms.devlang: csharp Last updated 06/08/2023
notification-hubs Notification Hubs Push Notification Http2 Token Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-notification-http2-token-authentication.md
editor: jwargo - mobile-multiple ms.devlang: csharp
notification-hubs Notification Hubs Push Notification Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-notification-overview.md
ms.assetid: fcfb0ce8-0e19-4fa8-b777-6b9f9cdda178 - multiple
Get started with creating and using a notification hub by following the [Tutoria
[Azure portal]: https://portal.azure.com [tags]: (https://msdn.microsoft.com/library/azure/dn530749.aspx)-
notification-hubs Notification Hubs Push Notification Registration Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-notification-registration-management.md
- mobile-multiple ms.devlang: csharp
notification-hubs Notification Hubs Push Notification Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-push-notification-security.md
editor: jwargo - mobile-multiple Last updated 09/23/2019
notification-hubs Notification Hubs Python Push Notification Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-python-push-notification-tutorial.md
- python ms.devlang: php
notification-hubs Notification Hubs Sdks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-sdks.md
editor: jwargo
ms.assetid: 91188310-307a-11e9-b210-d663bd873d93 - Last updated 02/14/2019
Microsoft and third-parties publish SDKs for Azure Notification Hubs. The Micros
> [!Note] > Microsoft is not responsible for the quality, usefulness, or supportability of any third-party solutions.
-Please let us know if there any missing.
+Please let us know if there any missing.
notification-hubs Notification Hubs Send Push Notifications Scheduled https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-send-push-notifications-scheduled.md
editor: jwargo
ms.assetid: 6b718c75-75dd-4c99-aee3-db1288235c1a - mobile-android ms.devlang: csharp
notification-hubs Notification Hubs Tags Segment Push Message https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-tags-segment-push-message.md
editor: jwargo
ms.assetid: 0fffb3bb-8ed8-4e0f-89e8-0de24a47f644 - mobile-multiple ms.devlang: csharp
notification-hubs Notification Hubs Templates Cross Platform Push Messages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-templates-cross-platform-push-messages.md
- mobile-multiple Last updated 02/16/2021
notification-hubs Notification Hubs Tls12 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-tls12.md
- mobile-multiple Last updated 04/29/2020
notification-hubs Notification Hubs Windows Notification Dotnet Push Xplat Segmented Wns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-windows-notification-dotnet-push-xplat-segmented-wns.md
- mobile-windows ms.devlang: csharp
In this article, you learned how to broadcast breaking news by category. The bac
[Submit an app page]: https://go.microsoft.com/fwlink/p/?LinkID=266582 [My Applications]: https://go.microsoft.com/fwlink/p/?LinkId=262039 [Live SDK for Windows]: https://go.microsoft.com/fwlink/p/?LinkId=262253
-[wns object]: /previous-versions/azure/reference/jj860484(v=azure.100)
+[wns object]: /previous-versions/azure/reference/jj860484(v=azure.100)
notification-hubs Notification Hubs Windows Store Dotnet Get Started Wns Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification.md
- mobile-windows ms.devlang: csharp
notification-hubs Notification Hubs Windows Store Dotnet Xplat Localized Wns Push Notification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/notification-hubs-windows-store-dotnet-xplat-localized-wns-push-notification.md
- mobile-windows ms.devlang: csharp
In this tutorial, you learned how to push localized notifications to specific de
[wns object]: /previous-versions/azure/reference/jj860484(v=azure.100) [Notification Hubs Guidance]: /previous-versions/azure/azure-services/jj927170(v=azure.100) [Notification Hubs How-To for iOS]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
-[Notification Hubs How-To for Windows Store]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
+[Notification Hubs How-To for Windows Store]: /previous-versions/azure/azure-services/jj927170(v=azure.100)
notification-hubs Push Notifications Android Specific Devices Firebase Cloud Messaging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/push-notifications-android-specific-devices-firebase-cloud-messaging.md
- mobile-android ms.devlang: java
In this tutorial, you sent broadcast notifications to specific Android devices t
[My Applications]: https://go.microsoft.com/fwlink/p/?LinkId=262039 [Live SDK for Windows]: https://go.microsoft.com/fwlink/p/?LinkId=262253 [Azure portal]: https://portal.azure.com
-[wns object]: /previous-versions/azure/reference/jj860484(v=azure.100)
+[wns object]: /previous-versions/azure/reference/jj860484(v=azure.100)
notification-hubs Push Notifications Android Specific Users Firebase Cloud Messaging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/push-notifications-android-specific-users-firebase-cloud-messaging.md
- mobile-android ms.devlang: java
notification-hubs Samples Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/samples-powershell.md
Title: Azure PowerShell Samples for Azure Notification Hubs | Microsoft Docs
-description: Azure PowerShell Samples - Scripts to help you create and manage notification hubs.
+description: Azure PowerShell Samples - Scripts to help you create and manage notification hubs.
editor: jwargo - Last updated 01/04/2019
notification-hubs Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/samples.md
- Last updated 08/06/2020
This article provides links to samples that demonstrate key features in Azure No
## Next steps
-See tutorials in the **Tutorials** section of the table of contents.
+See tutorials in the **Tutorials** section of the table of contents.
notification-hubs Create Notification Hub Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/scripts/create-notification-hub-powershell.md
Title: Create an Azure notification hub using PowerShell | Microsoft Docs
-description: Learn how to use a PowerShell script to create an Azure notification hub.
+description: Learn how to use a PowerShell script to create an Azure notification hub.
editor: sethmanheim - Last updated 01/14/2020-+ - # Use PowerShell to create an Azure notification hub
notification-hubs Xamarin Notification Hubs Ios Push Notification Apns Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/xamarin-notification-hubs-ios-push-notification-apns-get-started.md
- mobile-xamarin-ios ms.devlang: csharp
notification-hubs Xamarin Notification Hubs Push Notifications Android Gcm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/xamarin-notification-hubs-push-notifications-android-gcm.md
- mobile-xamarin-android ms.devlang: csharp
Last updated 02/06/2024
ms.lastreviewed: 02/06/2024- # Tutorial: Send push notifications to Xamarin.Android apps using Notification Hubs
operator-insights Data Product Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/data-product-create.md
In this article, you learn how to create an Azure Operator Insights Data Product
- (Optional) If you plan to integrate Data Product with Microsoft Purview, you must have an active Purview account. Make note of the Purview collection ID when you [set up Microsoft Purview with a Data Product](purview-setup.md). - After obtaining your subscription access, register the Microsoft.NetworkAnalytics and Microsoft.HybridNetwork Resource Providers (RPs) to continue. For guidance on registering RPs in your subscription, see [Register resource providers in Azure](../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
-### For CMK-based data encryption or Microsoft Purview
+## Prepare your Azure portal or Azure CLI environment
+
+You can use the Azure portal or the Azure CLI to follow the steps in this article.
++
+# [Portal](#tab/azure-portal)
+
+Confirm that you can sign in to the [Azure portal](https://portal.azure.com) and can access the subscription.
+
+# [Azure CLI](#tab/azure-cli)
+
+You can run Azure CLI commands in one of two ways:
+
+- You can run CLI commands from within the Azure portal, in Azure Cloud Shell.
+- You can install the CLI and run CLI commands locally.
+
+### Use Azure Cloud Shell
+
+Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. The Azure CLI is preinstalled and configured to use with your account. Select the **Cloud Shell** button on the menu in the upper-right section of the Azure portal:
+
+[![Screenshot of Cloud Shell menu.](./media/dp-quickstart-create/cloud-shell-menu.png)](https://portal.azure.com)
+
+The button launches an interactive shell that you can use to run the steps outlined in this how-to article:
+
+[![Screenshot showing the Cloud Shell window in the portal.](./media/dp-quickstart-create/cloud-shell.png)](https://portal.azure.com)
++
+### Install the Azure CLI locally
+
+You can also install and use the Azure CLI locally. If you plan to use Azure CLI locally, make sure you have installed the latest version of the Azure CLI. See [Install the Azure CLI](/cli/azure/install-azure-cli).
+
+To log into your local installation of the CLI, run the az sign-in command:
+
+```azurecli-interactive
+az login
+```
+
+### Change the active subscription
+
+Azure subscriptions have both a name and an ID. You can switch to a different subscription with [az account set](/cli/azure/account#az-account-set), specifying the desired subscription name or ID.
+
+- To use the name to change the active subscription:
+ ```azurecli-interactive
+ az account set --subscription "<SubscriptionName>"
+ ```
+- To use the ID to change the active subscription:
+ ```azurecli-interactive
+ az account set --subscription "<SubscriptionID>"
+ ```
+
+> [!NOTE]
+> Replace any values shown in the form \<KeyVaultName\> with the values for your deployment.
+++
+## Create a resource group
+
+A resource group is a logical container into which Azure resources are deployed and managed.
+
+# [Portal](#tab/azure-portal)
+
+If you plan to use CMK-based data encryption or Microsoft Purview, set up a resource group now:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Resource groups**.
+1. Select **Create** and follow the prompts.
+
+For more information, see [Create resource groups](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups).
+
+If you don't plan to use CMK-based date encryption or Microsoft Purview, you can set up a resource group now or when you [create the Data Product resource](#create-an-azure-operator-insights-data-product-resource).
+
+# [Azure CLI](#tab/azure-cli)
+
+Use the `az group create` command to create a resource group named \<ResourceGroup\> in the region where you want to deploy.
+
+```azurecli-interactive
+az group create --name "<ResourceGroup>" --location "<Region>"
+```
++
+## Set up resources for CMK-based data encryption or Microsoft Purview
If you're using CMK-based data encryption or Microsoft Purview, you must set up Azure Key Vault and user-assigned managed identity (UAMI) as prerequisites.
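Review bot: In the Portal tab of "Create a resource group", the closing paragraph says "CMK-based date encryption"; it should read "CMK-based data encryption", as in the paragraph that opens the tab. Under "Install the Azure CLI locally", the text says to "run the az sign-in command" while the command shown is `az login`; name the command as it is typed. The NOTE on placeholders uses \<KeyVaultName\> as its example before any key vault has been mentioned; \<SubscriptionName\> from the commands directly above would fit better.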
-#### Set up Azure Key Vault
+### Set up Azure Key Vault
Azure key Vault Resource is used to store your Customer Managed Key (CMK) for data encryption. Data Product uses this key to encrypt your data over and above the standard storage encryption. You need to have Subscription/Resource group owner permissions to perform this step.
-1. [Create an Azure Key Vault resource](../key-vault/general/quick-create-portal.md) in the same subscription and resource group where you intend to deploy the Data Product resource.
+
+# [Portal](#tab/azure-portal)
+
+1. [Create an Azure Key Vault resource](../key-vault/general/quick-create-portal.md) in the same subscription and resource group that you set up in [Create a resource group](#create-a-resource-group).
1. Provide your user account with the Key Vault Administrator role on the Azure Key Vault resource. This is done via the **Access Control (IAM)** tab on the Azure Key Vault resource. 1. Navigate to the object and select **Keys**. Select **Generate/Import**. 1. Enter a name for the key and select **Create**. 1. Select the newly created key and select the current version of the key. 1. Copy the Key Identifier URI to your clipboard to use when creating the Data Product.
-#### Set up user-assigned managed identity
+# [Azure CLI](#tab/azure-cli)
+
+<!-- CLI link is [Create an Azure Key Vault resource](../key-vault/general/quick-create-cli.md) in the same subscription and resource group where you intend to deploy the Data Product resource. -->
+
+#### Create a key vault
+
+Use the Azure CLI `az keyvault create` command to create a Key Vault in the resource group from the previous step. You must provide:
+
+- A name for the key vault: A string of 3 to 24 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-). Each key vault must have a unique name.
+- The resource group that you created in [Create a resource group](#create-a-resource-group).
+- The region in which you created the resource group.
+
+```azurecli-interactive
+az keyvault create --name "<KeyVaultName>" --resource-group "<ResourceGroup>" --location "<Region>"
+```
+
+The output of this command shows properties of the newly created key vault. Take note of:
+
+- Vault Name: The name you provided to the `--name` parameter you ran.
+- Vault URI: In the example, the URI is `https://<KeyVaultName>.vault.azure.net/`. Applications that use your vault through its REST API must use this URI.
+
+At this point, your Azure account is the only one authorized to perform any operations on this new vault.
+
+#### Assign roles for the key vault
+
+Provide your user account with the Key Vault Administrator role on the Azure Key Vault resource.
+
+```azurecli-interactive
+az role assignment create --role "Key Vault Administrator" --assignee <YourEmailAddress> --scope /subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroup>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
+```
+
+#### Create a key
+
+```azurecli-interactive
+az keyvault key create --vault-name "<KeyVaultName>" -n <keyName> --protection software
+```
+
+From the output screen, copy the `KeyID` and store it in your clipboard for later use.
+++
+<!-- PowerShell link is [Create an Azure Key Vault resource](../key-vault/general/quick-create-powershell.md) in the same subscription and resource group where you intend to deploy the Data Product resource. -->
+
+### Set up a user-assigned managed identity
+
+# [Portal](#tab/azure-portal)
1. [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) using Microsoft Entra ID for CMK-based encryption. The Data Product also uses the user-assigned managed identity (UAMI) to interact with the Microsoft Purview account. 1. Navigate to the Azure Key Vault resource that you created earlier and assign the UAMI with **Key Vault Administrator** role.
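Review bot: The `az keyvault create` command under "Create a key vault" does not state which permission model the vault uses, yet the next two steps depend on it. The `az role assignment create` calls only grant data-plane access when the vault uses Azure RBAC, and the sentence "your Azure account is the only one authorized to perform any operations on this new vault" describes the access-policy model instead. Passing `--enable-rbac-authorization true` explicitly, and rewording that sentence to match, would keep the procedure independent of the CLI version's default. Two smaller points in "Create a key": the placeholder is `<keyName>` here but `<KeyName>` in the later `--encryption-key` JSON, and "copy the `KeyID`" should name the field as it appears in the command output so the reader can find it.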
+# [Azure CLI](#tab/azure-cli)
+
+<!-- Managed identity link for the CLI: /entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azcli -->
+
+#### Create a user-assigned managed identity
+
+To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.
+
+Use the `az identity create` command to create a user-assigned managed identity. The -g parameter specifies the resource group where to create the user-assigned managed identity. The -n parameter specifies its name. Replace the \<ResourceGroup\> and \<UserAssignedIdentityName\> parameter values with your own values.
+
+> [!IMPORTANT]
+> When you create user-assigned managed identities, only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported.
+
+```azurecli-interactive
+az identity create -g <ResourceGroup> -n <UserAssignedIdentityName>
+```
+
+Copy the `principalId` from the output screen and store it in your clipboard for later use.
-## Create an Azure Operator Insights Data Product resource in the Azure portal
+#### Assign the user-assigned managed identity to the key vault
+
+```azurecli-interactive
+az role assignment create --role "Key Vault Administrator" --assignee <principalId> --scope /subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroup>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
+```
+++
+<!-- Managed identity link for PowerShell: /entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-powershell -->
+
+## Create an Azure Operator Insights Data Product resource
You create the Azure Operator Insights Data Product resource.
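Review bot: Under "Assign the user-assigned managed identity to the key vault", the UAMI receives Key Vault Administrator, which allows full management of keys, secrets and certificates in the vault. If the Data Product only needs to wrap and unwrap with the customer-managed key, a narrower built-in role such as Key Vault Crypto Service Encryption User would limit what a compromised identity can do. Please confirm the minimum role with the service team and apply the same answer to the Portal tab, which carries the same instruction. Also in this command, `--assignee <principalId>` performs a directory lookup that can fail for an identity created seconds earlier; `--assignee-object-id <principalId> --assignee-principal-type ServicePrincipal` avoids that lookup.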
+# [Portal](#tab/azure-portal)
+ 1. Sign in to the [Azure portal](https://portal.azure.com/). 1. In the search bar, search for Operator Insights and select **Azure Operator Insights - Data Products**. 1. On the Azure Operator Insights - Data Products page, select **Create**.
You create the Azure Operator Insights Data Product resource.
1. Select **Review + create**. 1. Select **Create**. Your Data Product instance is created in about 20-25 minutes. During this time, all the underlying components are provisioned. After this process completes, you can work with your data ingestion, explore sample dashboards and queries, and so on.
-## Deploy Sample Insights
+# [Azure CLI](#tab/azure-cli)
+
+To create an Azure Operator Insights Data Product with the minimum required parameters, use the following command:
+
+```azurecli-interactive
+az network-analytics data-product create --name <DataProductName> --resource-group <ResourceGroup> --location <Region> --publisher Microsoft --product <ProductName> --major-version <ProductMajorVersion>
+```
+
+Use the following values for \<ProductName\> and \<ProductMajorVersion>.
++
+|Date Product |\<ProductName\> |\<ProductMajorVersion>|
+||||
+|Quality of Experience - Affirmed MCC GIGW |`Quality of Experience - Affirmed MCC GIGW`|`1.0`|
+|Quality of Experience - Affirmed MCC PGW or GGSN |`Quality of Experience - Affirmed MCC PGW or GGSN`|`1.0`|
+|Monitoring - Affirmed MCC|`Monitoring - Affirmed MCC`|`0` or `1`|
++
+To create an Azure Operator Insights DataProduct with all parameters, use the following command:
+
+```azurecli-interactive
+az network-analytics data-product create --name <DataProductName> --resource-group <ResourceGroup> --location <Region> --publisher Microsoft --product <ProductName> --major-version <ProductMajorVersion --owners <<xyz@email>> --customer-managed-key-encryption-enabled Enabled --key-encryption-enable Enabled --encryption-key '{"keyVaultUri":"<VaultURI>","keyName":"<KeyName>","keyVersion":"<KeyVersion>"}' --purview-account <PurviewAccount> --purview-collection <PurviewCollection> --identity '{"type":"userAssigned","userAssignedIdentities":{"/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<UserAssignedIdentityName>"}}' --tags '{"key1":"value1","key2":"value2"}'
+```
+++
+## Deploy sample insights
Once your Data Product instance is created, you can deploy a sample insights dashboard. This dashboard works with the sample data that came along with the Data Product instance.
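Review bot: The "all parameters" command in the Azure CLI tab will not run as written once placeholders are substituted. `--major-version <ProductMajorVersion` is missing its closing `>`, `--owners <<xyz@email>>` has doubled angle brackets, and the `--identity` JSON is invalid because the resource ID under `userAssignedIdentities` is a key with no value (an empty object, `"<resource ID>":{}`, is the usual ARM shape). Please fix these and test the command end to end. The line also passes both `--customer-managed-key-encryption-enabled Enabled` and `--key-encryption-enable Enabled` without saying how they differ; a sentence on each, and on which values come from the key vault and UAMI steps (`<VaultURI>`, `<KeyName>`, `<KeyVersion>`), would help. In the table, the first header reads "Date Product" and should be "Data Product", and `\<ProductMajorVersion>` is escaped inconsistently with `\<ProductName\>`.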
The consumption URL also allows you to write your own Kusto query to get insight
When you have finished exploring Azure Operator Insights Data Product, you should delete the resources you've created to avoid unnecessary Azure costs.
+# [Portal](#tab/azure-portal)
+ 1. On the **Home** page of the Azure portal, select **Resource groups**. 1. Select the resource group for your Azure Operator Insights Data Product and verify that it contains the Azure Operator Insights Data Product instance. 1. At the top of the Overview page for your resource group, select **Delete resource group**. 1. Enter the resource group name to confirm the deletion, and select **Delete**.+
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli-interactive
+az group delete --name "ResourceGroup"
+```
+
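Review bot: The Azure CLI tab for cleanup uses `az group delete --name "ResourceGroup"`, a literal name, where every other command in the article uses the `<ResourceGroup>` placeholder. As written, a copy-paste targets a group actually called ResourceGroup. Use `"<ResourceGroup>"`, and add one sentence before the command stating that it deletes the group and everything in it, including the key vault and managed identity if they were created there, to mirror the verification step in the Portal tab.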
operator-insights Purview Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-insights/purview-setup.md
You can access your Purview account through the Azure portal by going to `https:
To begin to catalog a data product in this account, [create a collection](../purview/how-to-create-and-manage-collections.md) to hold the Data Product.
-Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
+Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up a user-assigned managed identity](data-product-create.md#set-up-a-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
:::image type="content" source="media/purview-setup/data-product-role-assignments.png" alt-text="Screenshot of collections with Role assignment tab open and icon to add the UAMI to the collection admins role highlighted.":::
operator-nexus Howto Platform Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-platform-prerequisites.md
Terminal Server has been deployed and configured as follows:
| TS_NET2_NETMASK | The terminal server PE2 to TS NET2 netmask | | TS_NET2_GW | The terminal server PE2 to TS NET2 gateway |
-3. Setup support admin user:
+3. Clear net3 interface if existing:
- For each port
+ Check for any interface configured on physical interface net3 and "Default IPv4 Static Address":
+ ```bash
+ ogcli get conns
+ **description="Default IPv4 Static Address"**
+ **name="$TS_NET3_CONN_NAME"**
+ **physif="net3"**
+ ```
+
+ Remove if existing:
+ ```bash
+ ogcli delete conn "$TS_NET3_CONN_NAME"
+ ```
+
+ | Parameter name | Description |
+ | -- | |
+ | TS_NET3_CONN_NAME | The terminal server NET3 Connection name |
+
+4. Setup support admin user:
+
+ For each user
```bash ogcli create user << 'END' description="Support Admin User"
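Review bot: In the new step 3, the first fenced block puts the command `ogcli get conns` and three lines of expected output in one `bash` fence, and wraps the output lines in `**`, which renders as literal asterisks inside a code fence. Split the command from the sample output and drop the bold markers. The output also shows `name="$TS_NET3_CONN_NAME"` as if it were a shell variable; say that the reader should take the connection name from this output and use it in `ogcli delete conn`, since the parameter table only appears after the delete command.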
Terminal Server has been deployed and configured as follows:
| Parameter name | Description | | | -- |
- | SUPPORT_USER | Support admin user |
+ | SUPPORT_USER | Support admin user |
| HASHED_SUPPORT_PWD | Encoded support admin user password |
-4. Verify settings:
+5. Add sudo support for admin users (added at admin group level):
-```bash
- ping $PE1_IP -c 3 # ping test to PE1
- ping $PE2_IP -c 3 # ping test to PE2
- ogcli get conns # verify NET1, NET2
- ogcli get users # verify support admin user
- ogcli get static_routes # there should be no static routes
- ip r # verify only interface routes
- ip a # verify loopback, NET1, NET2
-```
+ ```bash
+ sudo vi /etc/sudoers.d/opengear
+ %netgrp ALL=(ALL) ALL
+ %admin ALL=(ALL) NOPASSWD: ALL
+ ```
+
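Review bot: In step 5, editing `/etc/sudoers.d/opengear` with `sudo vi` skips the syntax check that `visudo -f /etc/sudoers.d/opengear` performs, and a malformed drop-in can break sudo on the terminal server. The fenced block also runs the command and the two lines of file content together, so a reader cannot tell what is typed at the prompt and what belongs in the file; split them into a command and a file listing. `%admin ALL=(ALL) NOPASSWD: ALL` gives every member of the admin group passwordless root, so the step should say why that is required and which accounts are expected to be in that group.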
+6. Start/Enable the LLDP service if it is not running:
+
+ Check if LLDP service is running on TS:
+ ```bash
+ sudo systemctl status lldpd
+ lldpd.service - LLDP daemon
+ Loaded: loaded (/lib/systemd/system/lldpd.service; enabled; vendor preset: disabled)
+ Active: active (running) since Thu 2023-09-14 19:10:40 UTC; 3 months 25 days ago
+ Docs: man:lldpd(8)
+ Main PID: 926 (lldpd)
+ Tasks: 2 (limit: 9495)
+ Memory: 1.2M
+ CGroup: /system.slice/lldpd.service
+ Γö£ΓöÇ926 lldpd: monitor.
+ ΓööΓöÇ992 lldpd: 3 neighbors.
+
+ Notice: journal has been rotated since unit was started, output may be incomplete.
+ ```
+
+ If the service is not active (running), start the service:
+ ```bash
+ sudo systemctl start lldpd
+ ```
+
+ Enable the service on reboot:
+ ```bash
+ sudo systemctl enable lldpd
+ ```
+7. Check system date/time:
+
+ ```bash
+ date
+ ```
+
+ To fix date if incorrect:
+ ```bash
+ ogcli replace system/time
+ Reading information from stdin. Press Ctrl-D to submit and Ctrl-C to cancel.
+ time="$CURRENT_DATE_TIME"
+ ```
+
+ | Parameter name | Description |
+ | | |
+ | CURRENT_DATE_TIME | Current date time in format hh:mm MMM DD, YYY |
+
+8. Label TS Ports (if missing/incorrect):
+
+ ```bash
+ ogcli update port "port-<PORT_#>" label=\"<NEW_NAME>\" <PORT_#>
+ ```
+
+ | Parameter name | Description |
+ | -| |
+ | NEW_NAME | Port label name |
+ | PORT_# | Terminal Server port number |
+
+9. Settings required for PURE Array serial connections:
+
+ ```bash
+ ogcli update port ports-<PORT_#> 'baudrate="115200"' <PORT_#> Pure Storage Controller console
+ ogcli update port ports-<PORT_#> 'pinout="X1"' <PORT_#> Pure Storage Controller console
+ ```
+
+ | Parameter name | Description |
+ | -| |
+ | PORT_# | Terminal Server port number |
+
+10. Verify Settings
+
+ ```bash
+ ping $PE1_IP -c 3 # ping test to PE1 //TS subnet +2
+ ping $PE2_IP -c 3 # ping test to PE2 //TS subnet +2
+ ogcli get conns # verify NET1, NET2, NET3 Removed
+ ogcli get users # verify support admin user
+ ogcli get static_routes # there should be no static routes
+ ip r # verify only interface routes
+ ip a # verify loopback, NET1, NET2
+ date # check current date/time
+ pmshell # Check ports labelled
+
+ sudo lldpctl
+ sudo lldpcli show neighbors # to check the LLDP neighbors - should show date from NET1 and NET2
+ # Should include
+ -
+ LLDP neighbors:
+ -
+ Interface: net2, via: LLDP, RID: 2, Time: 0 day, 20:28:36
+ Chassis:
+ ChassisID: mac 12:00:00:00:00:85
+ SysName: austx502xh1.els-an.att.net
+ SysDescr: 7.7.2, S9700-53DX-R8
+ Capability: Router, on
+ Port:
+ PortID: ifname TenGigE0/0/0/0/3
+ PortDescr: GE10_Bundle-Ether83_austx4511ts1_net2_net2_CircuitID__austxm1-AUSTX45_[CBB][MCGW][AODS]
+ TTL: 120
+ -
+ Interface: net1, via: LLDP, RID: 1, Time: 0 day, 20:28:36
+ Chassis:
+ ChassisID: mac 12:00:00:00:00:05
+ SysName: austx501xh1.els-an.att.net
+ SysDescr: 7.7.2, S9700-53DX-R8
+ Capability: Router, on
+ Port:
+ PortID: ifname TenGigE0/0/0/0/3
+ PortDescr: GE10_Bundle-Ether83_austx4511ts1_net1_net1_CircuitID__austxm1-AUSTX45_[CBB][MCGW][AODS]
+ TTL: 120
+ -
+ ```
## Set up storage array
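Review bot: Step 5 shows `sudo vi /etc/sudoers.d/opengear` and the two sudoers rules in one bash fence, so the rules read as shell commands, and the line `%admin ALL=(ALL) NOPASSWD: ALL` gives every member of the admin group passwordless root without the text saying why the password prompt is dropped or which accounts belong to that group. Suggest showing the file contents in their own block, explaining the `%netgrp` rule (the step title only mentions admin users), and, if `visudo` is available on the terminal server, editing with `sudo visudo -f /etc/sudoers.d/opengear` so a syntax error is caught before it breaks sudo. Further points in the same hunk: the `lldpcli show neighbors` sample in step 10 includes what look like real device names and circuit descriptions (`SysName: austx502xh1.els-an.att.net`), which should be replaced with placeholders; the comment "should show date from NET1 and NET2" probably means "data"; the format in step 7 reads `hh:mm MMM DD, YYY` and looks like it is missing a `Y`; the step 8 command ends with a second `<PORT_#>` after the label, and the step 9 commands carry the trailing text "Pure Storage Controller console" with no comment marker, so both would fail if pasted as written.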
partner-solutions Add Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/add-connectors.md
Title: Azure services and Confluent Cloud integration description: This article describes how to use Azure services and install connectors for Confluent Cloud integration.-
+# customerIntent: As a developer I want set up connectors between Confluent Cloud and Azure services.
Previously updated : 11/20/2023 Last updated : 1/31/2024 # Azure services and Confluent Cloud integrations
-This article describes how to use Azure services like Azure Functions, and how to install connectors to Azure resources for Confluent Cloud.
+This article describes how to use Azure services like Azure Functions, and how to install connectors to Azure resources for Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service.
## Azure Cosmos DB connector
To set up your connector, see [Azure Cosmos DB Sink Connector for Confluent Clou
## Next steps -- For help with troubleshooting, see [Troubleshooting Apache Kafka on Confluent Cloud solutions](troubleshoot.md).-- Get started with Apache Kafka on Confluent Cloud - An Azure Native ISV Service on
+- For help with troubleshooting, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
+- Get started with Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service on
> [!div class="nextstepaction"] > [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations)
partner-solutions Create Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/create-cli.md
Title: Create Apache Kafka for Confluent Cloud through Azure CLI
-description: This article describes how to use the Azure CLI to create an instance of Apache Kafka for Confluent Cloud.
-
+ Title: 'Create Apache Kafka & Apache Flink on Confluent Cloud through Azure CLI'
+description: This quickstart describes how to use the Azure CLI to create an instance of Apache Kafka & Apache Flink on Confluent Cloud.
+# customerIntent: As a developer I want to create a new instance of Apache Kafka & Apache Flink on Confluent Cloud using the Azure CLI.
Previously updated : 11/20/2023 Last updated : 1/31/2024
-# QuickStart: Get started with Apache Kafka for Confluent Cloud - Azure CLI
+# QuickStart: Get started with Apache Kafka & Apache Flink on Confluent Cloud - Azure CLI
-In this quickstart, you'll use the Azure Marketplace and Azure CLI to create an instance of Apache Kafka for Confluent Cloud.
+In this quickstart, you'll use the Azure Marketplace and Azure CLI to create an instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service.
## Prerequisites
In this quickstart, you'll use the Azure Marketplace and Azure CLI to create an
## Find offer
-Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
+Use the Azure portal to find the Apache Kafka & Apache Flink on Confluent Cloud application.
1. In a web browser, go to the [Azure portal](https://portal.azure.com/) and sign in.
Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
1. From the **Marketplace** page, you have two options based on the type of plan you want. You can sign up for a pay-as-you-go plan or commitment plan. Pay-as-you-go is publicly available. The commitment plan is available to customers who have been approved for a private offer.
- - For **pay-as-you-go** customers, search for _Apache Kafka on Confluent Cloud_. Select the offer for Apache Kafka on Confluent Cloud.
+ - For **pay-as-you-go** customers, search for _Apache Kafka & Apache Flink on Confluent Cloud_. Select the offer for Apache Kafka & Apache Flink on Confluent Cloud.
:::image type="content" source="media/search-pay-as-you-go.png" alt-text="search Azure Marketplace offer.":::
Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
:::image type="content" source="media/view-private-offers.png" alt-text="view private offers.":::
- Look for _Apache Kafka on Confluent Cloud_.
+ Look for _Apache Kafka & Apache Flink on Confluent Cloud_.
:::image type="content" source="media/select-from-private-offers.png" alt-text="select private offer."::: ## Create resource
-After you've selected the offer for Apache Kafka on Confluent Cloud, you're ready to set up the application.
+After you've selected the offer for Apache Kafka & Apache Flink on Confluent Cloud, you're ready to set up the application.
Start by preparing your environment for the Azure CLI:
az confluent organization create --name "myOrganization" --resource-group "myRes
> [!NOTE] > If you want the command to return before the create operation completes, add the optional parameter `--no-wait`. The operation continues to run until the Confluent organization is created.
-
+ To pause CLI execution until an organization's specific event or condition occurs, use the [az confluent organization wait](/cli/azure/confluent/organization#az-confluent-organization-wait) command. For example, to wait until an organization is created: ```azurecli
Or, view the organization by resource ID:
az confluent organization show --ids "/subscriptions/{SubID}/resourceGroups/{myResourceGroup}/providers/Microsoft.Confluent/organizations/{myOrganization}" ```
-If you get an error, see [Troubleshooting Apache Kafka for Confluent Cloud solutions](troubleshoot.md).
+If you get an error, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
## Next steps
partner-solutions Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/create-powershell.md
Title: Create Apache Kafka for Confluent Cloud through Azure PowerShell
-description: This article describes how to use Azure PowerShell to create an instance of Apache Kafka for Confluent Cloud.
-
+ Title: Create Apache Kafka & Apache Flink on Confluent Cloud through Azure PowerShell
+description: This article describes how to use Azure PowerShell to create an instance of Apache Kafka & Apache Flink on Confluent Cloud.
+# customerIntent: As a developer I want create a new instance of Apache Kafka & Apache Flink on Confluent Cloud using Azure PowerShell.
Previously updated : 11/20/2023 Last updated : 1/31/2024
-# QuickStart: Get started with Apache Kafka for Confluent Cloud - Azure PowerShell
+# QuickStart: Get started with Apache Kafka & Apache Flink on Confluent Cloud - Azure PowerShell
-In this quickstart, you'll use the Azure Marketplace and Azure PowerShell to create an instance of Apache Kafka for Confluent Cloud.
+In this quickstart, you'll use the Azure Marketplace and Azure PowerShell to create an instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service.
## Prerequisites
In this quickstart, you'll use the Azure Marketplace and Azure PowerShell to cre
## Find offer
-Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
+Use the Azure portal to find the Apache Kafka & Apache Flink on Confluent Cloud application.
1. In a web browser, go to the [Azure portal](https://portal.azure.com/) and sign in.
Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
1. From the **Marketplace** page, you have two options based on the type of plan you want. You can sign up for a pay-as-you-go plan or commitment plan. Pay-as-you-go is publicly available. The commitment plan is available to customers who have been approved for a private offer.
- - For **pay-as-you-go** customers, search for _Apache Kafka on Confluent Cloud_. Select the offer for Apache Kafka on Confluent Cloud.
+ - For **pay-as-you-go** customers, search for _Apache Kafka on Confluent Cloud_. Select the offer for Apache Kafka & Apache Flink on Confluent Cloud.
:::image type="content" source="media/search-pay-as-you-go.png" alt-text="search Azure Marketplace offer.":::
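Review bot: The added pay-as-you-go bullet still tells the reader to search for _Apache Kafka on Confluent Cloud_ while the offer to select is now "Apache Kafka & Apache Flink on Confluent Cloud"; the same bullet in the Azure CLI quickstart was changed to search for the new name. Suggest updating the search term here so the two quickstarts match.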
Use the Azure portal to find the Apache Kafka for Confluent Cloud application.
:::image type="content" source="media/view-private-offers.png" alt-text="view private offers.":::
- Look for _Apache Kafka on Confluent Cloud_.
+ Look for _Apache Kafka & Apache Flink on Confluent Cloud_.
:::image type="content" source="media/select-from-private-offers.png" alt-text="select private offer."::: ## Create resource
-After you've selected the offer for Apache Kafka on Confluent Cloud, you're ready to set up the application.
+After you've selected the offer for Apache Kafka & Apache Flink on Confluent Cloud, you're ready to set up the application.
Start by preparing your environment for Azure PowerShell:
You can view the organization by name:
Get-AzConfluentOrganization -Name myOrganization -ResourceGroupName myResourceGroup ```
-If you get an error, see [Troubleshooting Apache Kafka for Confluent Cloud solutions](troubleshoot.md).
+If you get an error, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
## Next steps
partner-solutions Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/create.md
Title: Create Apache Kafka for Confluent Cloud through Azure portal description: This article describes how to use the Azure portal to create an instance of Apache Kafka for Confluent Cloud.
+# customerIntent: As a developer I want create a new instance of Apache Kafka & Apache Flink on Confluent Cloud using the Azure portal.
Previously updated : 11/20/2023 Last updated : 1/31/2024
-# QuickStart: Get started with Apache Kafka on Confluent Cloud - Azure portal
+# QuickStart: Get started with Apache Kafka & Apache Flink on Confluent Cloud - Azure portal
-In this quickstart, you'll use the Azure portal to create an instance of Apache Kafka on Confluent Cloud.
+In this quickstart, you'll use the Azure portal to create an instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service.
## Prerequisites
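Review bot: The Title and description lines at the top of this file are unchanged and still read "Apache Kafka for Confluent Cloud", while the H1 and intro are renamed to "Apache Kafka & Apache Flink on Confluent Cloud"; the CLI and PowerShell quickstarts updated their metadata in the same change. Suggest renaming both here as well, and fixing the new customerIntent line, which reads "I want create" (missing "to").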
Use the Azure portal to find the Apache Kafka on Confluent Cloud application.
1. From the **Marketplace** page, you have two options based on the type of plan you want. You can sign up for a pay-as-you-go plan or commitment plan. Pay-as-you-go is publicly available. The commitment plan is available to customers who have been approved for a private offer.
- - For **pay-as-you-go** customers, search for _Apache Kafka on Confluent Cloud_. Select the offer for Apache Kafka on Confluent Cloud.
+ - For **pay-as-you-go** customers, search for _Apache Kafka® & Apache Flink® on Confluent Cloud™_ and select the corresponding offer.
:::image type="content" source="media/search-pay-as-you-go.png" alt-text="search Azure Marketplace offer.":::
- - For **commitment** customers, select the link to **View Private offers**. The commitment requires you to sign up for a minimum spend amount. Use this option only when you know you need the service for an extended time.
+ - For **commitment** customers, select the link to **View Private plans**. The commitment requires you to sign up for a minimum spend amount. Use this option only when you know you need the service for an extended time.
:::image type="content" source="media/view-private-offers.png" alt-text="view private offers.":::
After you've selected the offer for Apache Kafka on Confluent Cloud, you're read
If you didn't select private offers, you'll only have the pay-as-you-go option.
- Pick the plan to use, and select **Set up + subscribe**.
+ Pick the plan to use, and select **Subscribe**.
- :::image type="content" source="media/setup-subscribe.png" alt-text="Set up and subscribe.":::
+ :::image type="content" source="media/create/setup-subscribe.png" alt-text="Set up and subscribe.":::
-1. On the **Create Confluent Cloud Resource** basics page, provide the following values. When you've finished, select **Next: Tags**.
+1. On the **Create a Confluent organization** basics page, provide the following values. When you've finished, select **Next: Tags**.
- :::image type="content" source="media/setup-basics.png" alt-text="Form to set up Confluent Cloud resource.":::
+ :::image type="content" source="media/create/setup-basics.png" alt-text="Form to set up Confluent Cloud resource.":::
| Property | Description | | - | - | | **Subscription** | From the drop-down menu, select the Azure subscription to deploy to. You must have _Owner_ or _Contributor_ access. | | **Resource group** | Specify whether you want to create a new resource group or use an existing resource group. A resource group is a container that holds related resources for an Azure solution. For more information, see [Azure Resource Group overview](../../azure-resource-manager/management/overview.md). |
- | **Confluent organization name** | To create a new Confluent organization, select **Create a new organization** and provide a name for the Confluent organization. To link to an existing Confluent organization, select **Link Subscription to an existing organization** option. Select the option **Link to an existing organization**. Sign in to your Confluent account, and select the existing organization. |
+ | **Resource name** | Instance name is automatically generated based on the name of the Confluent organization. |
| **Region** | From the drop-down menu, select one of these regions: Australia East, Canada Central, Central US, East US, East US 2, France Central, North Europe, Southeast Asia, UK South, West Central US, West Europe, West US 2 |
- | **Plan** | Select **Pay as you go** or **Commitment**. |
+ | **Organization** | To create a new Confluent organization, select **Create a new organization** and provide a name for the Confluent organization. To link to an existing Confluent organization, select **Link Subscription to an existing organization** option, sign in to your Confluent account, and select the existing organization. |
+ | **Plan** | Optionally change plan. |
| **Billing term** | Prefilled based on the selected billing plan. |
- | **Price** | Prefilled based on the selected Confluent plan. |
+ | **Price + Payment options** | Prefilled based on the selected Confluent plan. |
+ | **Subtotal** | Prefilled based on the selected Confluent plan. |
1. On **Tags**, provide the **name** and **value** pairs for tags you want to apply to resource. After you enter the tags, select **Review + Create**.
- :::image type="content" source="media/setup-tags.png" alt-text="Add project tags.":::
+ :::image type="content" source="media/create/setup-tags.png" alt-text="Add project tags.":::
1. Review the settings you provided. When ready, select **Create**. 1. It takes a few minutes to create the resource. You can view the deployment status in **Notifications**. After the deployment is finished, select the resource to view the **Overview** page.
- :::image type="content" source="media/deployment-status.png" alt-text="Deployment status.":::
+ :::image type="content" source="media/create/deployment-status.png" alt-text="Deployment status.":::
- If you get an error, see [Troubleshooting Apache Kafka for Confluent Cloud solutions](troubleshoot.md).
+ If you get an error, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
## Next steps > [!div class="nextstepaction"]
- > [Manage the Confluent Cloud resource](manage.md)
+ > [Manage the Confluent organization](manage.md)
- Get started with Apache Kafka on Confluent Cloud - An Azure Native ISV Service on
partner-solutions Get Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/get-support.md
Title: Contact support for Confluent Cloud description: This article describes how to contact support for Confluent Cloud on the Azure portal.
+# customerIntent: As a developer I want learn how I can contact support for Apache Kafka & Apache Flink on Confluent Cloud.
- Previously updated : 11/20/2023 Last updated : 1/31/2024 # Get support for Confluent Cloud resource
-This article describes how to contact support for your instance of Apache Kafka for Confluent Cloud on Azure.
+This article describes how to contact support for your instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ on Azure.
## Contact support
To submit a support request to Confluent, either contact [Confluent support](htt
> [!NOTE] > For first time users, reset your password before you sign in to the Confluent support portal. If you don't have an account with Confluent Cloud, send an email to `cloud-support@confluent.io` for further assistance.
-In the portal, you can either submit a request through Azure Help and Support, or directly from your instance of Apache Kafka for Confluent Cloud on Azure.
+In the portal, you can either submit a request through Azure Help and Support, or directly from your instance of Apache Kafka & Apache Flink on Confluent Cloud on Azure.
To submit a request through Azure Help and Support:
To submit a request from your resource, follow these steps:
## Next steps -- For help with troubleshooting, see [Troubleshooting Apache Kafka on Confluent Cloud solutions](troubleshoot.md).-- Get started with Apache Kafka on Confluent Cloud - An Azure Native ISV Service on
+- For help with troubleshooting, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
+- Get started with Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service on
> [!div class="nextstepaction"] > [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations)
partner-solutions Manage Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/manage-access.md
description: This article describes how to use Confluent Access Management in th
subservice: confluent Previously updated : 11/29/2023
-# CustomerIntent: As an organization admin, I want to manage user permissions in Apache Kafka on Confluent Cloud so that I can add, delete and manage users.
Last updated : 1/31/2024
+# CustomerIntent: As an organization admin, I want to manage user permissions in Apache Kafka & Apache Flink on Confluent Cloud so that I can add, delete and manage users.
# How to manage user permissions in a Confluent organization User access management is a feature that enables the organization admin to add, view and remove users and roles inside a Confluent organization. By managing user permissions, you can ensure that only authorized users can access and perform actions on your Confluent Cloud resources.
-This guide presents step by step instructions to manage users and roles in Apache Kafka on Confluent Cloud - An Azure Native ISV Service, via Azure portal.
+This guide presents step by step instructions to manage users and roles in Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service, via Azure portal.
The following actions are supported:
Remove a permission assigned to a user in the Confluent organization.
## Related content
-* For help with troubleshooting, see [Troubleshooting Apache Kafka on Confluent Cloud solutions](troubleshoot.md).
+* For help with troubleshooting, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
* If you need to contact support, see [Get support for Confluent Cloud resource](get-support.md). * To learn more about managing Confluent Cloud, go to [Manage the Confluent Cloud resource](manage.md).
partner-solutions Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/manage.md
Title: Manage a Confluent Cloud description: This article describes management of a Confluent Cloud on the Azure portal. How to set up single sign-on, delete a Confluent organization, and get support.-
+# customerIntent: As a developer I want to learn how to manage Apache Kafka & Apache Flink on Confluent Cloud, so that I can enable single sign-on, delete a Confluent organization, and get support.
Previously updated : 11/20/2023 Last updated : 1/31/2024 # Manage the Confluent Cloud resource
-This article describes how to manage your instance of Apache Kafka for Confluent Cloud on Azure. It shows how to set up single sign-on (SSO) and delete a Confluent organization.
+This article describes how to manage your instance of Apache Kafka® & Apache Flink® on Confluent Cloud™ on Azure. It shows how to set up single sign-on (SSO) and delete a Confluent organization.
## Single sign-on
You're billed for prorated usage up to the time of cluster deletion. After your
## Next steps
-* For help with troubleshooting, see [Troubleshooting Apache Kafka on Confluent Cloud solutions](troubleshoot.md).
+* For help with troubleshooting, see [Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions](troubleshoot.md).
* If you need to contact support, see [Get support for Confluent Cloud resource](get-support.md). * To learn about managing user permissions, go to [How to manage user permissions in a Confluent organization](manage.md).
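Review bot: In the Next steps list, the unchanged bullet "To learn about managing user permissions" links to `manage.md`, which is this article; the user permissions guide in this set is `manage-access.md`. Since the list is being touched anyway, suggest pointing that link at `manage-access.md`.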
partner-solutions Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/overview.md
Title: Apache Kafka on Confluent Cloud overview
-description: Learn about using Apache Kafka on Confluent Cloud in the Azure Marketplace.
+ Title: Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service overview
+description: Learn about using Apache Kafka & Apache Flink on Confluent Cloud in the Azure Marketplace.
+# customerIntent: As a developer I want to understand what is Apache Kafka & Apache Flink on Confluent Cloud available in the Azure Marketplace
- Previously updated : 11/20/2023 Last updated : 1/31/2024
-# What is Apache Kafka on Confluent Cloud - An Azure Native ISV Service?
+# What is Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service?
Azure Native ISV Services enable you to easily provision, manage, and tightly integrate independent software vendor (ISV) software and services on Azure. This Azure Native ISV Service is developed and managed by Microsoft and Confluent.
-You can find Apache Kafka on Confluent Cloud - An Azure Native ISV Service in the [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations) or get it on [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/confluentinc.confluent-cloud-azure-prod?tab=Overview).
+You can find Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service in the [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations) or get it on [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/confluentinc.confluent-cloud-azure-prod?tab=Overview).
-Apache Kafka on Confluent Cloud is an Azure Marketplace offering that provides Apache Kafka as a service. It's fully managed so you can focus on building your applications rather than managing the clusters.
+Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service is an Azure Marketplace offering that provides Apache Kafka and Apache Flink as a managed service. It's fully managed so you can focus on building your applications rather than managing the clusters.
To reduce the burden of cross-platform management, Microsoft partnered with Confluent Cloud to build an integrated provisioning layer from Azure to Confluent Cloud. It provides a consolidated experience for using Confluent Cloud on Azure. You can easily integrate and manage Confluent Cloud with your Azure applications.
You decide which billing option to use when you create the service.
## Confluent links
-For more help with using Apache Kafka for Confluent Cloud, see the following links to the [Confluent site](https://docs.confluent.io/home/overview.html).
+For more help with using Apache Kafka & Apache Flink on Confluent Cloud, see the following links to the [Confluent site](https://docs.confluent.io/home/overview.html).
To learn about billing options, see:
To learn more, see Confluent blog articles about Azure services that integrate w
## Next steps -- To create an instance of Apache Kafka on Confluent Cloud, see [QuickStart: Get started with Confluent Cloud on Azure](create.md).
+- To create an instance of Apache Kafka & Apache Flink on Confluent Cloud, see [QuickStart: Get started with Confluent Cloud on Azure](create.md).
- Get started with Apache Kafka on Confluent Cloud - An Azure Native ISV Service on > [!div class="nextstepaction"]
partner-solutions Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/troubleshoot.md
Title: Troubleshooting Apache Kafka for Confluent Cloud
+ Title: Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud
description: This article provides information about troubleshooting and frequently asked questions (FAQ) for Confluent Cloud on Azure.
+# customerIntent: As a developer I want to troubleshoot an error or get an answer to questions I have about using Apache Kafka & Apache Flink on Confluent Cloud.
- Previously updated : 11/20/2023 Last updated : 1/31/2024
-# Troubleshooting Apache Kafka on Confluent Cloud solutions
+# Troubleshooting Apache Kafka & Apache Flink on Confluent Cloud solutions
-This document contains information about troubleshooting your solutions that use Apache Kafka on Confluent Cloud.
+This document contains information about troubleshooting your solutions that use Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service.
If you don't find an answer or can't resolve a problem, [create a request through the Azure portal](get-support.md) or contact [Confluent support](https://support.confluent.io).
If you don't find an answer or can't resolve a problem, [create a request throug
To find the offer in the Azure Marketplace, use the following steps: 1. In the [Azure portal](https://portal.azure.com), select **Create a resource**.
-1. Search for _Apache Kafka on Confluent Cloud_.
+1. Search for _Apache Kafka® & Apache Flink® on Confluent Cloud™ - An Azure Native ISV Service_.
1. Select the application tile. If the offer isn't displayed, contact [Confluent support](https://support.confluent.io). Your Microsoft Entra tenant ID must be on the list of allowed tenants. To learn how to find your tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).
If the problem persists, contact [Confluent support](https://support.confluent.i
## Next steps -- Learn about [managing your instance](manage.md) of Apache Kafka on Confluent Cloud.-- Get started with Apache Kafka on Confluent Cloud - An Azure Native ISV Service on
+- Learn about [managing your instance](manage.md) of Apache Kafka & Apache Flink on Confluent Cloud.
+- Get started with Apache Kafka & Apache Flink on Confluent Cloud - An Azure Native ISV Service on
> [!div class="nextstepaction"] > [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Confluent%2Forganizations)
payment-hsm Certification Compliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/certification-compliance.md
tags: azure-resource-manager - Last updated 01/31/2024
payment-hsm Deployment Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/deployment-scenarios.md
-
+ Title: Azure Payment HSM deployment scenarios description: Azure HSM deployment scenarios for high availability deployment and disaster recovery deployment
tags: azure-resource-manager - Last updated 03/25/2023 - # Deployment scenarios
payment-hsm Fastpathenabled https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/fastpathenabled.md
-
+ Title: Azure Payment HSM "fastpathenabled" feature flag and tag description: The "fastpathenabled" feature flag and tag, as it relates to Azure Payment HSM and affiliated subscriptions and virtual networks - Last updated 03/25/2023 - # Fastpathenabled
payment-hsm Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/getting-started.md
tags: azure-resource-manager - Last updated 01/25/2024
payment-hsm Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/known-issues.md
tags: azure-resource-manager - Last updated 01/31/2024
payment-hsm Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/overview.md
-
+ Title: What is Azure Payment HSM? description: Learn how Azure Payment HSM is an Azure service that provides cryptographic key operations for real-time, critical payment transactions
tags: azure-resource-manager - Last updated 01/31/2024 -- # What is Azure Payment HSM?
payment-hsm Peer Vnets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/peer-vnets.md
- Last updated 01/31/2024
payment-hsm Solution Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/solution-design.md
tags: azure-resource-manager - Last updated 01/31/2024 - # Azure Payment HSM solution design
payment-hsm Support Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/payment-hsm/support-guide.md
tags: azure-resource-manager - Last updated 01/31/2024 - # Azure Payment HSM service support guide
peering-service Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/peering-service/azure-portal.md
Previously updated : 10/09/2023 Last updated : 02/08/2024
-#CustomerIntent: As an administrator, I want learn how to manage a Peering Service connection using Azure portal so that I can create, change, or delete a Peering Service connection when needed.
+#CustomerIntent: As an administrator, I want to learn how to create and manage a Peering Service connection using the Azure portal so I can enhance the connectivity to Microsoft services over the public internet.
# Create, change, or delete a Peering Service connection using the Azure portal
-> [!div class="op_single_selector"]
-> * [Portal](azure-portal.md)
-> * [PowerShell](powershell.md)
-> * [Azure CLI](cli.md)
- Azure Peering Service is a networking service that enhances connectivity to Microsoft cloud services such as Microsoft 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet.
-In this article, you learn how to create, change, and delete a Peering Service connection using the Azure portal.
-
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+In this article, you learn how to create, change, and delete a Peering Service connection using the Azure portal. To learn how to manage a Peering Service connection using Azure PowerShell or the Azure CLI, see [Create or change a Peering Service connection using PowerShell](powershell.md) or [Create, change, or delete a Peering Service connection using the Azure CLI](cli.md).
## Prerequisites -- An Azure subscription.
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- A connectivity provider. For more information, see [Peering Service partners](./location-partners.md).
+- A connectivity provider. For more information, see [Peering Service partners](location-partners.md).
## Sign in to Azure
peering-service Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/peering-service/cli.md
Title: Create, change, or delete a Peering Service connection - Azure CLI description: Learn how to create, change, or delete a Peering Service connection using the Azure CLI.- + Previously updated : 01/19/2023-- Last updated : 02/08/2024++
+#CustomerIntent: As an administrator, I want to learn how to create and manage a Peering Service connection using the Azure CLI so I can enhance the connectivity to Microsoft services over the public internet.
# Create, change, or delete a Peering Service connection using the Azure CLI
-> [!div class="op_single_selector"]
-> * [Portal](azure-portal.md)
-> * [PowerShell](powershell.md)
-> * [Azure CLI](cli.md)
- Azure Peering Service is a networking service that enhances customer connectivity to Microsoft cloud services such as Microsoft 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet.
-In this article, you'll learn how to create, change, and delete a Peering Service connection using the Azure CLI.
+In this article, you learn how to create, change, and delete a Peering Service connection using the Azure CLI. To learn how to manage a Peering Service connection using the Azure portal or Azure PowerShell, see [Create, change, or delete a Peering Service connection using the Azure portal](azure-portal.md) or [Create or change a Peering Service connection using PowerShell](powershell.md).
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+## Prerequisites
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-If you decide to install and use Azure CLI locally, this article requires you to use version 2.0.28 or later of the Azure CLI. Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade). If using Azure Cloud Shell, the latest version is already installed.
+- Azure Cloud Shell or Azure CLI installed locally.
-## Prerequisites
+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
-- An Azure subscription.
+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. This article requires the Azure CLI version 2.0.28 or later. Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade). If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.
- A connectivity provider. For more information, see [Peering Service partners](./location-partners.md).
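Review bot: the last Prerequisites bullet is left unchanged and still links `./location-partners.md`, while the same bullet in azure-portal.md and powershell.md is changed in this batch to `location-partners.md`. Use the same link form here so the three Peering Service articles stay consistent.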
To delete a Peering Service connection, use [az peering service delete](/cli/azu
az peering service delete --peering-service-name "myPeeringService" --resource-group "myResourceGroup" ```
-## Next steps
+## Related content
- To learn more about Peering Service connections, see [Peering Service connection](connection.md). - To learn more about Peering Service connection telemetry, see [Access Peering Service connection telemetry](connection-telemetry.md).
peering-service Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/peering-service/powershell.md
Title: Create or change a Peering Service connection - Azure PowerShell description: Learn how to create or change a Peering Service connection using PowerShell.- + Previously updated : 01/19/2023-- Last updated : 02/08/2024++
+#CustomerIntent: As an administrator, I want to learn how to create and manage a Peering Service connection using Azure PowerShell so I can enhance the connectivity to Microsoft services over the public internet.
# Create or change a Peering Service connection using PowerShell
-> [!div class="op_single_selector"]
-> * [Portal](azure-portal.md)
-> * [PowerShell](powershell.md)
-> * [Azure CLI](cli.md)
- Azure Peering Service is a networking service that enhances connectivity to Microsoft cloud services such as Microsoft 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet.
-In this article, you'll learn how to create and change a Peering Service connection using PowerShell.
+In this article, you learn how to create and change a Peering Service connection using Azure PowerShell. To learn how to manage a Peering Service connection using the Azure portal or Azure CLI, see [Create, change, or delete a Peering Service connection using the Azure portal](azure-portal.md) or [Create, change, or delete a Peering Service connection using the Azure CLI](cli.md).
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
--
-If you decide to install and use PowerShell locally instead, this article requires you to use Azure PowerShell module version 1.0.0 or later. To find the installed version, run `Get-Module -ListAvailable Az`. For installation and upgrade information, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell).
+## Prerequisites
-Finally, if you're running PowerShell locally, you'll also need to run `Connect-AzAccount`. That command creates a connection with Azure.
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-Use the Azure PowerShell module to register and manage Peering Service. You can register or manage Peering Service from the PowerShell command line or in scripts.
+- Azure Cloud Shell or Azure PowerShell installed locally.
-## Prerequisites
+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.
-- An Azure subscription.
+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. This article requires the Azure PowerShell module version 1.0.0 or later. To find the installed version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.
-- A connectivity provider. For more information, see [Peering Service partners](./location-partners.md).
+- A connectivity provider. For more information, see [Peering Service partners](location-partners.md).
## Register your subscription with the resource provider and feature flag
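Review bot: the added local-install paragraph under Prerequisites links the installation article through two different paths, `/powershell/azure/install-azure-powershell` for "install Azure PowerShell locally" and `/powershell/azure/install-Az-ps` for "Install Azure PowerShell module". The removed text used the first path for that same link title, so point both links at one path. "Select **Open Cloudshell**" should also be checked against the actual button label.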
To remove the Peering Service prefix, use [Remove-AzPeeringServicePrefix](/power
Remove-AzPeeringServicePrefix -ResourceGroupName myResourceGroup -Name myPeeringService -PrefixName myPrefix ```
-## Next steps
+## Related content
- To learn more about Peering Service connections, see [Peering Service connection](connection.md). - To learn more about Peering Service connection telemetry, see [Access Peering Service connection telemetry](connection-telemetry.md).
playwright-testing Resource Limits Quotas Capacity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/playwright-testing/resource-limits-quotas-capacity.md
Title: Service limits
-description: 'Service limitations and quotas for running Playwright testing with Microsoft Playwright Testing Preview.'
+ Title: Limits and configuration reference guide
+description: 'Service limitations, quotas, and configuration settings for running Playwright testing with Microsoft Playwright Testing Preview.'
Previously updated : 10/04/2023 Last updated : 02/08/2024
While the service is in preview, the following limits apply on a per-subscriptio
To raise the resource quota above the default limit for your subscription, [create an issue in the Playwright Testing GitHub repository](https://github.com/microsoft/playwright-testing-service/issues/new/choose).
+## Outbound IP addresses
+
+This section lists the outbound IP address ranges that Microsoft Playwright Testing requires to communicate through your firewall.
+
+| Azure region | IP address range |
+|--||
+| East US | 52.190.15.208/28 |
+| West US3 | 20.172.9.112/28 |
+| East Asia | 20.24.220.64/28 |
+| West Europe | 98.71.172.224/28 |
+ ## Related content - Get started and [run Playwright tests at scale](quickstart-run-end-to-end-tests.md)
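Review bot: the intro sentence of the new "Outbound IP addresses" section does not say which direction to allow. "Outbound IP address ranges that Microsoft Playwright Testing requires to communicate through your firewall" can be read either as ranges your network must reach or as source ranges the service connects from. State explicitly whether these /28 ranges are the source addresses to permit inbound toward the application under test, and name the ports or protocols involved, so readers open no more of the firewall than needed. The table lists four regions; say whether that is the complete list for the preview.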
postgresql Concepts Pgbouncer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-pgbouncer.md
Previously updated : 1/25/2024 Last updated : 2/8/2024 # PgBouncer in Azure Database for PostgreSQL - Flexible Server
Last updated 1/25/2024
Azure Database for PostgreSQL flexible server offers [PgBouncer](https://github.com/pgbouncer/pgbouncer) as a built-in connection pooling solution. This is an optional service that can be enabled on a per-database server basis and is supported with both public and private access. PgBouncer runs in the same virtual machine as the Azure Database for PostgreSQL flexible server database server. Postgres uses a process-based model for connections, which makes it expensive to maintain many idle connections. So, Postgres itself runs into resource constraints once the server runs more than a few thousand connections. The primary benefit of PgBouncer is to improve idle connections and short-lived connections at the database server.
-PgBouncer uses a more lightweight model that utilizes asynchronous I/O, and only uses actual Postgres connections when needed, that is, when inside an open transaction, or when a query is active. This model can support thousands of connections more easily with low overhead and allows scaling to up to 10,000 connections with low overhead.
+PgBouncer uses a more lightweight model that utilizes asynchronous I/O, and only uses actual Postgres connections when needed, that is, when inside an open transaction, or when a query is active. This model can support thousands of connections more easily with low overhead and allows scaling to up to 10,000 connections with low overhead. When enabled, PgBouncer runs on port 6432 on your database server. You can change your applicationΓÇÖs database connection configuration to use the same host name, but change the port to 6432 to start using PgBouncer and benefit from improved idle connection scaling.
-When enabled, PgBouncer runs on port 6432 on your database server. You can change your applicationΓÇÖs database connection configuration to use the same host name, but change the port to 6432 to start using PgBouncer and benefit from improved idle connection scaling.
+PgBouncer in Azure database for PostgreSQL flexible server supports [Microsoft Entra authentication (AAD)](./concepts-azure-ad-authentication.md) authentication.
> [!NOTE] > PgBouncer is supported on General Purpose and Memory Optimized compute tiers in both public access and private access networking.
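Review bot: in the added sentence on Microsoft Entra support, "authentication" appears twice ("supports [Microsoft Entra authentication (AAD)](...) authentication") and the product name is written "Azure database for PostgreSQL" where the surrounding text uses "Azure Database for PostgreSQL". The merged paragraph above it also says "with low overhead" twice in one sentence. Drop the trailing "authentication", fix the capitalization, and remove the repeated phrase.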
reliability Reliability Traffic Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/reliability-traffic-manager.md
Previously updated : 02/02/2024 Last updated : 02/06/2024
role-based-access-control Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/best-practices.md
- Last updated 01/30/2024 - #Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
role-based-access-control Built In Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/built-in-roles.md
Previously updated : 01/30/2024 Last updated : 02/07/2024
The following table provides a brief description of each built-in role. Click th
> | [Attestation Contributor](#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | > | [Attestation Reader](#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | > | [Key Vault Administrator](#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
+> | [Key Vault Certificate User](#key-vault-certificate-user) | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba |
> | [Key Vault Certificates Officer](#key-vault-certificates-officer) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 | > | [Key Vault Contributor](#key-vault-contributor) | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 | > | [Key Vault Crypto Officer](#key-vault-crypto-officer) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
The following table provides a brief description of each built-in role. Click th
> | [Cost Management Contributor](#cost-management-contributor) | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 | > | [Cost Management Reader](#cost-management-reader) | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 | > | [Hierarchy Settings Administrator](#hierarchy-settings-administrator) | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
+> | [Kubernetes Agentless Operator](#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 |
> | [Kubernetes Cluster - Azure Arc Onboarding](#kubernetes-clusterazure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | > | [Kubernetes Extension Contributor](#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 | > | [Managed Application Contributor Role](#managed-application-contributor-role) | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
Perform all data plane operations on a key vault and all objects in it, includin
} ```
+### Key Vault Certificate User
+
+Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.
+
+[Learn more](/azure/key-vault/general/rbac-guide)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | *none* | |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
+> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
+ "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
+ "permissions": [
+ {
+ "actions": [],
+ "notActions": [],
+ "dataActions": [
+ "Microsoft.KeyVault/vaults/certificates/read",
+ "Microsoft.KeyVault/vaults/secrets/getSecret/action",
+ "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
+ "Microsoft.KeyVault/vaults/keys/read"
+ ],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Key Vault Certificate User",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+ ### Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
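Review bot: the one-line description "Read certificate contents" understates the DataActions listed under it. The role also grants `Microsoft.KeyVault/vaults/secrets/getSecret/action` ("Gets the value of a secret") and `Microsoft.KeyVault/vaults/keys/read`, and nothing in the section says these are limited to the secret and key behind a certificate. The description string belongs to the role definition, so add a sentence below it that names the secret-value and key read permissions, so that anyone assigning the role knows it includes reading secret values.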
Microsoft Sentinel Responder
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* | | > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* | | > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* | |
+> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/entities/runPlaybook/action | Run playbook on entity |
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator | > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators | > | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
Microsoft Sentinel Responder
"Microsoft.SecurityInsights/automationRules/*", "Microsoft.SecurityInsights/cases/*", "Microsoft.SecurityInsights/incidents/*",
+ "Microsoft.SecurityInsights/entities/runPlaybook/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action", "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action", "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
Allows users to edit and delete Hierarchy Settings
} ```
+### Kubernetes Agentless Operator
+
+Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
+
+[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster |
+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. |
+> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
+> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/pricings/securityoperators/read | Gets the security operators for the scope |
+> | **NotActions** | |
+> | *none* | |
+> | **DataActions** | |
+> | *none* | |
+> | **NotDataActions** | |
+> | *none* | |
+
+```json
+{
+ "assignableScopes": [
+ "/"
+ ],
+ "description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
+ "name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
+ "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
+ "Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
+ "Microsoft.ContainerService/managedClusters/read",
+ "Microsoft.Features/features/read",
+ "Microsoft.Features/providers/features/read",
+ "Microsoft.Features/providers/features/register/action",
+ "Microsoft.Security/pricings/securityoperators/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ],
+ "roleName": "Kubernetes Agentless Operator",
+ "roleType": "BuiltInRole",
+ "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+ ### Kubernetes Cluster - Azure Arc Onboarding Role definition to authorize any user/service to create connectedClusters resource
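Review bot: the description "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services" does not convey that the Actions include write and delete on `managedClusters/trustedAccessRoleBindings` and `Microsoft.Features/providers/features/register/action`, which change cluster and subscription configuration rather than only reading it. Add a sentence under the heading stating which identity the role is meant for and that it can create, update, and delete trusted access role bindings, so it is not assigned as if it were a read-only monitoring role.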
role-based-access-control Change History Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/change-history-report.md
- Last updated 03/01/2021 -+ ms.devlang: azurecli # View activity logs for Azure RBAC changes
role-based-access-control Check Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/check-access.md
- Last updated 07/18/2023
role-based-access-control Classic Administrators https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/classic-administrators.md
- Last updated 01/26/2024
role-based-access-control Conditions Authorization Actions Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-authorization-actions-attributes.md
- Last updated 01/30/2024 -
-#Customer intent: As a dev, devops, or it admin, I want to
+#Customer intent: As a dev, devops, or it admin, I want to
# Authorization actions and attributes
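Review bot: the replaced `#Customer intent` line still ends at "I want to" with no goal stated, so the change only touches whitespace. Complete the sentence to match the article ("Authorization actions and attributes") or remove the line.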
role-based-access-control Conditions Custom Security Attributes Example https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes-example.md
- Last updated 11/15/2023 -
-#Customer intent: As a dev, devops, or it admin, I want to
+#Customer intent: As a dev, devops, or it admin, I want to
# Scale the management of Azure role assignments by using conditions and custom security attributes
role-based-access-control Conditions Custom Security Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes.md
- Last updated 12/01/2023
role-based-access-control Conditions Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-faq.md
- Last updated 05/09/2023 -
-#Customer intent:
# FAQ for Azure role assignment conditions
role-based-access-control Conditions Format https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-format.md
- Last updated 11/15/2023 - #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
The following table lists the supported environment attributes for conditions.
<sup>1</sup> For copy operations, the `Is private link`, `Private endpoint`, and `Subnet` attributes only apply to the destination, such a storage account, not the source. For more information about the copy operations this applies to, select each attribute in the table to see more details.<br /> <sup>2</sup> You can only use the `Private endpoint` attribute if you currently have at least one private endpoint configured in your subscription.<br />
-<sup>3</sup> You can only use the `Subnet` attribute if you currently have at least one virtual network subnet configured in your subscription.<br />
+<sup>3</sup> You can only use the `Subnet` attribute if you currently have at least one virtual network subnet using [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) configured in your subscription.<br />
#### Principal attributes
role-based-access-control Conditions Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-overview.md
- Last updated 12/01/2023 - #Customer intent: As a dev, devops, or it admin, I want to learn how to constrain access within a role assignment by using conditions.
role-based-access-control Conditions Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-prerequisites.md
- Last updated 12/01/2023
For more information about custom security attributes, see:
- [Principal does not appear in Attribute source](conditions-troubleshoot.md#symptomprincipal-does-not-appear-in-attribute-source) - [Add or deactivate custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-add.md)
+## Environment attributes
+
+To use the [Private endpoint](../storage/blobs/storage-auth-abac-attributes.md#private-endpoint) attribute, you must have at least one private endpoint configured in your subscription.
+
+To use the [Subnet](../storage/blobs/storage-auth-abac-attributes.md#subnet) attribute, you must have at least one virtual network subnet using [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) configured in your subscription.
+ ## Next steps - [Example Azure role assignment conditions for Blob Storage](../storage/blobs/storage-auth-abac-examples.md)
role-based-access-control Conditions Role Assignments Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-cli.md
- Last updated 01/02/2024
role-based-access-control Conditions Role Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-portal.md
- Last updated 11/15/2023
role-based-access-control Conditions Role Assignments Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-powershell.md
- Last updated 10/24/2022
role-based-access-control Conditions Role Assignments Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-rest.md
- Last updated 10/24/2022
role-based-access-control Conditions Role Assignments Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-template.md
- Last updated 10/24/2022
role-based-access-control Conditions Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-troubleshoot.md
- Last updated 11/15/2023
When you try to add a role assignment with a condition, you get an error similar
`The given role assignment condition is invalid.`
-**Cause**
+**Cause 1**
+
+The `conditionVersion` property is set to "1.0".
+
+**Solution 1**
+
+Set `conditionVersion` property to "2.0".
+
+**Cause 2**
Your condition is not formatted correctly.
-**Solution**
+**Solution 2**
Fix any [condition format or syntax](conditions-format.md) issues. Alternatively, add the condition using the [visual editor in the Azure portal](conditions-role-assignments-portal.md).
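Review bot: "Solution 1" tells the reader to set `conditionVersion` to "2.0" but not where that property is set, whereas "Solution 2" links to the format article and the portal editor. Add a pointer to the article for the tool in use (Azure CLI, PowerShell, REST, or template) and fix the missing article in the sentence: "Set the `conditionVersion` property to "2.0"."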
role-based-access-control Custom Roles Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-bicep.md
- Last updated 12/01/2023-+ #Customer intent: As an IT admin, I want to create custom and/or roles using Bicep so that I can start automating custom role processes.
role-based-access-control Custom Roles Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-cli.md
ms.assetid: 3483ee01-8177-49e7-b337-4d5cb14f5e32
- Last updated 12/01/2023
role-based-access-control Custom Roles Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-portal.md
- Last updated 04/05/2023
role-based-access-control Custom Roles Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-powershell.md
ms.assetid: 9e225dba-9044-4b13-b573-2f30d77925a9 - Last updated 12/01/2023 -+ # Create or update Azure custom roles using Azure PowerShell
role-based-access-control Custom Roles Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-rest.md
ms.assetid: 1f90228a-7aac-4ea7-ad82-b57d222ab128 - rest-api Last updated 12/01/2023 - # Create or update Azure custom roles using the REST API
role-based-access-control Custom Roles Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-template.md
- Last updated 12/01/2023-+ #Customer intent: As an IT admin, I want to create custom roles by using an Azure Resource Manager template so that I can start automating custom role processes.
role-based-access-control Custom Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles.md
- Last updated 11/15/2023
role-based-access-control Delegate Role Assignments Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-examples.md
- Last updated 01/30/2024
role-based-access-control Delegate Role Assignments Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-overview.md
- Last updated 01/30/2024 - #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
role-based-access-control Delegate Role Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/delegate-role-assignments-portal.md
- Last updated 01/30/2024 - #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
role-based-access-control Deny Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-portal.md
ms.assetid: 8078f366-a2c4-4fbb-a44b-fc39fd89df81 - Last updated 01/24/2022
role-based-access-control Deny Assignments Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-powershell.md
- Last updated 01/24/2022 -+
role-based-access-control Deny Assignments Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-rest.md
- rest-api Last updated 10/19/2022 - # List Azure deny assignments using the REST API
role-based-access-control Deny Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments.md
- Last updated 03/25/2022
role-based-access-control Elevate Access Global Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/elevate-access-global-admin.md
- Last updated 03/21/2023
role-based-access-control Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/overview.md
- Last updated 01/12/2022
role-based-access-control Quickstart Assign Role User Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/quickstart-assign-role-user-portal.md
- Last updated 10/15/2021 - #Customer intent: As a new user, I want to see how to grant access to resources in the portal, so that I can start granting access to others.- # Tutorial: Grant a user access to Azure resources using the Azure portal
role-based-access-control Quickstart Role Assignments Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/quickstart-role-assignments-bicep.md
- Last updated 12/01/2023 #Customer intent: As a new user, I want to see how to grant access to resources using Bicep so that I can start automating role assignment processes.
role-based-access-control Quickstart Role Assignments Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/quickstart-role-assignments-template.md
- Last updated 12/01/2023 #Customer intent: As a new user, I want to see how to grant access to resources by using Azure Resource Manager template so that I can start automating role assignment processes.
role-based-access-control Rbac And Directory Admin Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/rbac-and-directory-admin-roles.md
ms.assetid: 174f1706-b959-4230-9a75-bf651227ebf6 - Last updated 01/26/2024
role-based-access-control Resource Provider Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/resource-provider-operations.md
Previously updated : 11/30/2023 Last updated : 02/07/2024
Click the resource provider name in the following table to see the list of opera
| **Web** | | [Microsoft.AppPlatform](#microsoftappplatform) | | [Microsoft.CertificateRegistration](#microsoftcertificateregistration) |
+| [Microsoft.Communication](#microsoftcommunication) |
| [Microsoft.DomainRegistration](#microsoftdomainregistration) | | [Microsoft.Maps](#microsoftmaps) | | [Microsoft.Media](#microsoftmedia) |
Click the resource provider name in the following table to see the list of opera
| **Integration** | | [Microsoft.ApiManagement](#microsoftapimanagement) | | [Microsoft.AppConfiguration](#microsoftappconfiguration) |
+| [Microsoft.AVS](#microsoftavs) |
| [Microsoft.AzureStack](#microsoftazurestack) | | [Microsoft.AzureStackHCI](#microsoftazurestackhci) | | [Microsoft.DataBoxEdge](#microsoftdataboxedge) |
role-based-access-control Role Assignments Alert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-alert.md
- Last updated 11/15/2023
role-based-access-control Role Assignments Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-cli.md
- Last updated 01/02/2024
role-based-access-control Role Assignments External Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-external-users.md
- Last updated 06/07/2023 - # Assign Azure roles to external guest users using the Azure portal
role-based-access-control Role Assignments List Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-cli.md
ms.assetid: 3483ee01-8177-49e7-b337-4d5cb14f5e32
- Last updated 01/02/2024
role-based-access-control Role Assignments List Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-portal.md
- Last updated 01/30/2024
role-based-access-control Role Assignments List Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-powershell.md
ms.assetid: 9e225dba-9044-4b13-b573-2f30d77925a9 - Last updated 07/28/2020 -+ # List Azure role assignments using Azure PowerShell
role-based-access-control Role Assignments List Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-rest.md
- rest-api Last updated 10/19/2022 - # List Azure role assignments using the REST API
role-based-access-control Role Assignments Portal Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal-managed-identity.md
- Last updated 02/15/2021
role-based-access-control Role Assignments Portal Subscription Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal-subscription-admin.md
- Last updated 01/30/2024
role-based-access-control Role Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal.md
- Last updated 01/30/2024
role-based-access-control Role Assignments Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-powershell.md
- Last updated 12/01/2023
role-based-access-control Role Assignments Remove https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-remove.md
- Last updated 01/02/2024-+ ms.devlang: azurecli
role-based-access-control Role Assignments Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-rest.md
- rest-api Last updated 12/01/2023 - # Assign Azure roles using the REST API
role-based-access-control Role Assignments Steps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-steps.md
- Last updated 12/01/2023
role-based-access-control Role Assignments Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-template.md
- Last updated 10/19/2022-+ ms.devlang: azurecli
role-based-access-control Role Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments.md
- Last updated 10/03/2022
role-based-access-control Role Definitions List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions-list.md
- Last updated 03/28/2023--++ ms.devlang: azurecli
role-based-access-control Role Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions.md
- Last updated 11/06/2023
role-based-access-control Scope Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/scope-overview.md
- Last updated 06/02/2023
role-based-access-control Transfer Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/transfer-subscription.md
- Last updated 01/02/2024
role-based-access-control Troubleshoot Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshoot-limits.md
- Last updated 01/12/2024
role-based-access-control Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshooting.md
ms.assetid: df42cca2-02d6-4f3c-9d56-260e1eb7dc44 - Last updated 01/26/2024
role-based-access-control Tutorial Custom Role Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-custom-role-cli.md
- Last updated 12/01/2023-+ - #Customer intent: As a dev or devops, I want step-by-step instructions for how to grant custom permissions because the current built-in roles do not meet my permission needs.- # Tutorial: Create an Azure custom role using Azure CLI
role-based-access-control Tutorial Custom Role Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-custom-role-powershell.md
- Last updated 12/01/2023 #Customer intent: As a dev or devops, I want step-by-step instructions for how to grant custom permissions because the current built-in roles do not meet my permission needs.
role-based-access-control Tutorial Role Assignments Group Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-group-powershell.md
- Last updated 02/02/2019 #Customer intent: As a dev or devops, I want step-by-step instructions for how to grant permissions for groups to resources so that they can perform their job.
role-based-access-control Tutorial Role Assignments User Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-user-powershell.md
- Last updated 02/02/2019 #Customer intent: As a dev or devops, I want step-by-step instructions for how to grant permissions for users to resources so that they can perform their job.
sap Reference Bash https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/reference-bash.md
keywords: 'Azure, SAP'
- Last updated 11/17/2021
sap Ha Setup With Fencing Device https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/ha-setup-with-fencing-device.md
vm-linux- Last updated 9/01/2021
sap Hana Additional Network Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-additional-network-requirements.md
vm-linux- Last updated 6/3/2021
sap Hana Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-architecture.md
vm-linux- Last updated 07/21/2021
sap Hana Available Skus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-available-skus.md
vm-linux- Last updated 02/11/2022
sap Hana Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-backup-restore.md
vm-linux- Last updated 7/02/2021
sap Hana Certification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-certification.md
vm-linux- Last updated 02/11/2022
sap Hana Concept Preparation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-concept-preparation.md
vm-linux- Last updated 7/01/2021
sap Hana Connect Azure Vm Large Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-connect-azure-vm-large-instances.md
vm-linux- Last updated 05/28/2021
sap Hana Connect Vnet Express Route https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-connect-vnet-express-route.md
vm-linux- Last updated 6/1/2021
sap Hana Data Tiering Extension Nodes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-data-tiering-extension-nodes.md
vm-linux- Last updated 05/17/2021
sap Hana Example Installation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-example-installation.md
vm-linux- Last updated 6/4/2021 - # Install HANA on SAP HANA on Azure (Large Instances)
sap Hana Failover Procedure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-failover-procedure.md
vm-linux- Last updated 6/16/2021
sap Hana Installation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-installation.md
vm-linux- Last updated 02/11/2022 - # Install and configure SAP HANA (Large Instances) on Azure
sap Hana Know Terms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-know-terms.md
vm-linux- Last updated 4/16/2021 - # Know the terms
sap Hana Large Instance Enable Kdump https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-large-instance-enable-kdump.md
vm-linux- Last updated 06/22/2021
sap Hana Large Instance Virtual Machine Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-large-instance-virtual-machine-migration.md
vm-linux- Last updated 02/11/2022 - # SAP HANA on Azure Large Instance migration to Azure Virtual Machines This article describes possible Azure Large Instance deployment scenarios and offers planning and migration approach with minimized transition downtime.
sap Hana Li Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-li-portal.md
tags: azure-resource-manager
- Last updated 07/01/2021
sap Hana Monitor Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-monitor-troubleshoot.md
vm-linux- Last updated 6/18/2021
sap Hana Network Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-network-architecture.md
vm-linux- Last updated 07/21/2021
sap Hana Onboarding Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-onboarding-requirements.md
vm-linux- Last updated 05/14/2021
sap Hana Operations Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-operations-model.md
vm-linux- Last updated 05/17/2021
sap Hana Overview Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-overview-architecture.md
vm-linux- Last updated 09/28/2022 - # What is SAP HANA on Azure (Large Instances)?
sap Hana Overview High Availability Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-overview-high-availability-disaster-recovery.md
vm-linux- Last updated 03/01/2021
sap Hana Overview Infrastructure Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-overview-infrastructure-connectivity.md
vm-linux- Last updated 6/1/2021
sap Hana Setup Smt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-setup-smt.md
vm-linux- Last updated 06/25/2021
sap Hana Sizing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-sizing.md
vm-linux- Last updated 07/16/2021
sap Hana Storage Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-storage-architecture.md
vm-linux- Last updated 07/22/2021
sap Hana Supported Scenario https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-supported-scenario.md
vm-linux- Last updated 07/19/2021
sap Large Instance Os Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/large-instance-os-backup.md
vm-linux- Last updated 06/22/2021
sap Os Backup Hli Type Ii Skus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/os-backup-hli-type-ii-skus.md
vm-linux- Last updated 07/12/2019 - # OS backup and restore for Type II SKUs of Revision 3 stamps
If any post checks fail, please engage the OS vendor and Microsoft for console a
``` [![hana status](media/HowToHLI/OSBackupTypeIISKUs/hana-status.png)](media/HowToHLI/OSBackupTypeIISKUs/hana-status.png#lightbox)
-6. If any post checks fail, please engage OS vendor and Microsoft for console access.
+6. If any post checks fail, please engage OS vendor and Microsoft for console access.
sap Os Compatibility Matrix Hana Large Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/os-compatibility-matrix-hana-large-instance.md
vm-linux- Last updated 05/18/2021
sap Os Upgrade Hana Large Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/os-upgrade-hana-large-instance.md
vm-linux- Last updated 06/24/2021
sap Troubleshooting Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/troubleshooting-monitoring.md
vm-linux- Last updated 10/19/2022
sap Businessobjects Deployment Guide Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/businessobjects-deployment-guide-linux.md
- Last updated 06/15/2023
sap Businessobjects Deployment Guide Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/businessobjects-deployment-guide-windows.md
- Last updated 06/16/2023
sap Businessobjects Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/businessobjects-deployment-guide.md
- Last updated 06/15/2023
sap Cal S4h https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/cal-s4h.md
vm-linux- Last updated 02/15/2023 - # SAP Cloud Appliance Library
This solution comes as a standard S/4HANA system installation including High Ava
_Within a few hours, a healthy SAP S/4HANA appliance or product is deployed in Azure._
-If you bought an SAP CAL subscription, SAP fully supports deployments through SAP CAL on Azure. The support queue is BC-VCM-CAL.
+If you bought an SAP CAL subscription, SAP fully supports deployments through SAP CAL on Azure. The support queue is BC-VCM-CAL.
sap Certifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/certifications.md
vm-linux- Last updated 01/25/2022 - # SAP certifications and configurations running on Microsoft Azure
sap Dbms Guide Ibm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-ibm.md
keywords: 'Azure, Db2, SAP, IBM'
- Last updated 08/24/2022
sap Dbms Guide Maxdb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-maxdb.md
tags: azure-resource-manager
- Last updated 08/24/2022
sap Dbms Guide Oracle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-oracle.md
keywords: 'SAP, Azure, Oracle, Data Guard'
- Last updated 01/21/2024
The disk selection for hosting Oracle's online redo logs should be driven by IOP
### Next steps Read the article -- [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms-guide-general.md)
+- [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms-guide-general.md)
sap Dbms Guide Sapase https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-sapase.md
tags: azure-resource-manager
- Last updated 11/30/2022 - # SAP ASE Azure Virtual Machines DBMS deployment for SAP workload
sap Dbms Guide Sapiq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-sapiq.md
- Last updated 06/19/2023
sap Dbms Guide Sqlserver https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/dbms-guide-sqlserver.md
keywords: 'Azure, SQL Server, SAP, AlwaysOn, Always On'
- Last updated 11/14/2022
sap Deployment Checklist https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/deployment-checklist.md
tags: azure-resource-manager
- Last updated 06/14/2023
sap Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/deployment-guide.md
tags: azure-resource-manager
- Last updated 06/14/2023
sap Disaster Recovery Overview Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/disaster-recovery-overview-guide.md
- Last updated 06/19/2023
sap Disaster Recovery Sap Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/disaster-recovery-sap-guide.md
- Last updated 01/31/2023
sap Disaster Recovery Sap Hana https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/disaster-recovery-sap-hana.md
- Last updated 01/16/2024-+ # Add HSR third site to HANA Pacemaker cluster
sap Exchange Online Integration Sap Email Outbound https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/exchange-online-integration-sap-email-outbound.md
- Last updated 03/11/2022 - # Exchange Online Integration for Email-Outbound from SAP NetWeaver
The example architecture shown illustrates multiple SAP application servers with
[Understand mass-mailing with Azure Twilio - SendGrid](https://docs.sendgrid.com/for-developers/partners/microsoft-azure-2021)
-[Understand Exchange Online Service limitations (e.g., attachment size, message limits, throttling etc.)](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits)
+[Understand Exchange Online Service limitations (e.g., attachment size, message limits, throttling etc.)](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits)
sap Expose Sap Odata To Power Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/expose-sap-odata-to-power-query.md
Title: Enable SAP Principal Propagation for live OData feeds with Power Query
-description: Learn about configuring SAP Principal Propagation for live OData feeds with Power Query
+ Title: Enable SAP Principal Propagation for live OData feeds with Power Query
+description: Learn about configuring SAP Principal Propagation for live OData feeds with Power Query
- Last updated 06/10/2022
sap Expose Sap Process Orchestration On Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/expose-sap-process-orchestration-on-azure.md
- Last updated 07/19/2022 - # Expose SAP legacy middleware securely with Azure PaaS
sap Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/get-started.md
- Last updated 01/22/2024
In the SAP workload documentation space, you can find the following areas:
## Change Log
+- February 07, 2024: Clarified disk allocation when using PPGs to bind availability set in specific Availability Zone in [Configuration options for optimal network latency with SAP applications](./proximity-placement-scenarios.md#combine-availability-sets-and-availability-zones-with-proximity-placement-groups)
- February 01, 2024: Added guidance for [SAP front-end printing to Universal Print](./universal-print-sap-frontend.md). - January 24, 2024: Split [SAP RISE integration documentation](./rise-integration.md) into multiple segments for improved legibility, additional overview information added. - January 22, 2024: Changes in all high availability documentation to include guidelines for setting the ΓÇ£probeThresholdΓÇ¥ property to 2 in the load balancerΓÇÖs health probe configuration.
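Review bot: The added February 07, 2024 entry ends at the closing parenthesis of its link with no terminal period, while the entries that follow it in the change log end with one. Add the period so the list stays consistent.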
sap Hana Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-get-started.md
vm-linux- Last updated 02/11/2022 - # Installation of SAP HANA on Azure virtual machines ## Introduction
sap Hana Tiering Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-tiering-guidance.md
Title: Managing SAP HANA data footprint for balancing cost and performance description: Learn about HANA database archiving strategies to manage data footprint and reduce costs.- Last updated 09/27/2023 - # Managing SAP HANA data footprint for balancing cost and performance
sap Hana Vm Operations Netapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-operations-netapp.md
keywords: 'SAP, Azure, ANF, HANA, Azure NetApp Files, snapshot'
- Last updated 08/02/2023
sap Hana Vm Operations Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-operations-storage.md
keywords: 'SAP, Azure HANA, Storage Ultra disk, Premium storage'
- Last updated 08/03/2023
sap Hana Vm Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-operations.md
tags: azure-resource-manager
- Last updated 11/09/2023
sap Hana Vm Premium Ssd V1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-premium-ssd-v1.md
keywords: 'SAP, Azure HANA, Storage Ultra disk, Premium storage'
- Last updated 11/15/2023
sap Hana Vm Premium Ssd V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-premium-ssd-v2.md
keywords: 'SAP, Azure HANA, Storage Ultra disk, Premium storage, Premium SSD v2'
- Last updated 11/17/2023
sap Hana Vm Ultra Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/hana-vm-ultra-disk.md
keywords: 'SAP, Azure HANA, Storage Ultra disk, Premium storage'
- Last updated 1/17/2023
sap High Availability Guide Rhel Glusterfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-glusterfs.md
- Last updated 07/03/2023
sap High Availability Guide Rhel Ibm Db2 Luw https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-ibm-db2-luw.md
vm-linux- Last updated 01/18/2024
sap High Availability Guide Rhel Multi Sid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-multi-sid.md
- Last updated 01/18/2024
sap High Availability Guide Rhel Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-netapp-files.md
- Last updated 01/18/2024
sap High Availability Guide Rhel Nfs Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-nfs-azure-files.md
- Last updated 02/05/2024
sap High Availability Guide Rhel Pacemaker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-pacemaker.md
vm-windows- Last updated 10/09/2023 - # Set up Pacemaker on Red Hat Enterprise Linux in Azure
sap High Availability Guide Rhel With Dialog Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-with-dialog-instance.md
tags: azure-resource-manager
- Last updated 01/21/2024
sap High Availability Guide Rhel With Hana Ascs Ers Dialog Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance.md
tags: azure-resource-manager
- Last updated 08/16/2022
sap High Availability Guide Rhel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel.md
- Last updated 01/18/2024
sap High Availability Guide Standard Load Balancer Outbound Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections.md
Title: Public endpoint connectivity for Azure VMs&Standard ILB in SAP HA scenarios description: Public endpoint connectivity for Virtual Machines using Azure Standard Load Balancer in SAP high-availability scenarios-+ tags: azure-resource-manager
vm-windows- Last updated 3/9/2023 - # Public endpoint connectivity for Virtual Machines using Azure Standard Load Balancer in SAP high-availability scenarios
sap High Availability Guide Suse Multi Sid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-multi-sid.md
- Last updated 01/17/2024
sap High Availability Guide Suse Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-netapp-files.md
- Last updated 01/17/2024
sap High Availability Guide Suse Nfs Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-nfs-azure-files.md
- Last updated 02/05/2024
sap High Availability Guide Suse Nfs Simple Mount https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-nfs-simple-mount.md
- Last updated 02/05/2024
sap High Availability Guide Suse Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-nfs.md
- Last updated 01/17/2024
sap High Availability Guide Suse Pacemaker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-pacemaker.md
- Previously updated : 01/22/2024 Last updated : 02/08/2024
To create the iSCSI disks for the clusters to be used by your SAP systems, run t
- **nw1-xscs-0** and **nw1-xscs-1**: The hostnames of the **NW1** ASCS cluster nodes. - **nw1-db-0** and **nw1-db-1**: The hostnames of the database cluster nodes.
-In the following instructions, replace the bold-formatted placeholder text with the hostnames of your cluster nodes and the SID of your SAP system.
+In the following instructions, replace adjust the hostnames of your cluster nodes and the SID of your SAP system.
1. Create the root folder for all SBD devices.
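Review bot: the added sentence reads "replace adjust the hostnames", so the old verb was left in beside the new one. Drop "replace" so it reads "adjust the hostnames of your cluster nodes and the SID of your SAP system". With the reference to bold formatting gone, the sentence also no longer says which names are placeholders; consider naming the example hostnames from the list above (nw1-xscs-0, nw1-db-0 and so on) as the values to adjust.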
Make sure to assign the custom role to the service principal at all VM (cluster
vm.swappiness = 10 ```
-5. **[A]** Configure *cloud-netconfig-azure* for the high availability cluster.
+5. **[A]** Check the *cloud-netconfig-azure* package version.
- > [!NOTE]
- > Check the installed version of the *cloud-netconfig-azure* package by running **zypper info cloud-netconfig-azure**. If the version in your environment is 1.3 or later, it's no longer necessary to suppress the management of network interfaces by the cloud network plug-in. If the version is earlier than 1.3, we recommend that you update the *cloud-netconfig-azure* package to the latest available version.
+
+ Check the installed version of the *cloud-netconfig-azure* package by running **zypper info cloud-netconfig-azure**. If the version is earlier than 1.3, we recommend that you update the *cloud-netconfig-azure* package to the latest available version.
- To prevent the cloud network plug-in from removing the virtual IP address (Pacemaker must control the assignment), change the configuration file for the network interface as shown in the following code. For more information, see [SUSE KB 7023633](https://www.suse.com/support/kb/doc/?id=7023633).
+ > [!TIP]
+ > If the version in your environment is 1.3 or later, it's no longer necessary to suppress the management of network interfaces by the cloud network plug-in.
+
+ **Only if the version of cloud-netconfig-azure is lower than 1.3**, change the configuration file for the network interface as shown in the following code to prevent the cloud network plug-in from removing the virtual IP address (Pacemaker must control the assignment). For more information, see [SUSE KB 7023633](https://www.suse.com/support/kb/doc/?id=7023633).
```bash # Edit the configuration file
Make sure to assign the custom role to the service principal at all VM (cluster
sudo vi /etc/corosync/corosync.conf ```
- a. Add the following bold-formatted content to the file if the values aren't there or are different. Be sure to change the token to 30000 to allow memory-preserving maintenance. For more information, see the "Maintenance for virtual machines in Azure" article for [Linux][virtual-machines-linux-maintenance] or [Windows][virtual-machines-windows-maintenance].
+ a. Check the following section in the file and adjust, if the values aren't there or are different. Be sure to change the token to 30000 to allow memory-preserving maintenance. For more information, see the "Maintenance for virtual machines in Azure" article for [Linux][virtual-machines-linux-maintenance] or [Windows][virtual-machines-windows-maintenance].
```text [...]
Make sure to assign the custom role to the service principal at all VM (cluster
> [!NOTE] > The 'pcmk_host_map' option is required in the command only if the hostnames and the Azure VM names are *not* identical. Specify the mapping in the format *hostname:vm-name*.
- > Refer to the bold section in the following command.
+ #### [Managed identity](#tab/msi) ```bash
- # replace the bold strings with your subscription ID and resource group of the VM
+ # Adjust the command with your subscription ID and resource group of the VM
sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \ params msi=true subscriptionId="subscription ID" resourceGroup="resource group" \
Make sure to assign the custom role to the service principal at all VM (cluster
#### [Service principal](#tab/spn) ```bash
- # replace the bold strings with your subscription ID, resource group of the VM, tenant ID, service principal application ID and password
+ # Adjust the command with your subscription ID, resource group of the VM, tenant ID, service principal application ID and password
sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \ params subscriptionId="subscription ID" resourceGroup="resource group" tenantId="tenant ID" login="application ID" passwd="password" \
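Review bot: in the service principal tab, the reworded comment still tells the reader to put the service principal password directly into the command (`passwd="password"`) and says nothing about where that secret ends up. Suggest adding a sentence that the value is typed on the command line and kept as a resource parameter in the cluster configuration, and pointing readers to the managed identity tab, where the command uses `msi=true` and needs no password.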
sap High Availability Guide Suse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse.md
- Last updated 01/17/2024
sap High Availability Guide Windows Azure Files Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-windows-azure-files-smb.md
vm-windows- Last updated 12/01/2021 - # Install HA SAP NetWeaver with Azure Files SMB
sap High Availability Guide Windows Dfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-windows-dfs.md
vm-windows- Last updated 11/12/2021 - # Using Windows DFS-N to support flexible SAPMNT share creation for SMB-based file share
In the portal, get the mount instructions for the volume you want to use as a fo
![Screenshot of folder setup for an SAP landscape](media/virtual-machines-shared-sap-high-availability-guide/dfs-add-folder-08.png)
-This screen shows as an example the folder setup for an SAP landscape.
+This screen shows as an example the folder setup for an SAP landscape.
sap High Availability Guide Windows Netapp Files Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-windows-netapp-files-smb.md
vm-windows- Last updated 12/16/2022 - # High availability for SAP NetWeaver on Azure VMs on Windows with Azure NetApp Files(SMB) for SAP applications
sap High Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-zones.md
- Last updated 06/01/2023
The following considerations apply for this configuration:
Here are some next steps for deploying across Azure Availability Zones: - [Cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a cluster shared disk in Azure](./sap-high-availability-guide-wsfc-shared-disk.md)-- [Prepare Azure infrastructure for SAP high availability by using a Windows failover cluster and file share for SAP ASCS/SCS instances](./sap-high-availability-infrastructure-wsfc-file-share.md)
+- [Prepare Azure infrastructure for SAP high availability by using a Windows failover cluster and file share for SAP ASCS/SCS instances](./sap-high-availability-infrastructure-wsfc-file-share.md)
sap Lama Installation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/lama-installation.md
vm-linux- Last updated 07/29/2019 - # SAP LaMa connector for Azure
sap Planning Guide Storage Azure Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide-storage-azure-files.md
tags: azure-resource-manager
- Last updated 04/26/2023
Carefully consider when consolidating multiple activities into one file share or
For more information, see: - [Azure Storage types for SAP workload](planning-guide-storage.md) - [SAP HANA High Availability guide for Azure virtual machines](sap-hana-availability-overview.md)--
sap Planning Guide Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide-storage.md
ms.assetid: d7c59cc1-b2d0-4d90-9126-628f9c7a5538
- Last updated 07/13/2023
sap Planning Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide.md
vm-linux- Last updated 05/30/2023
sap Planning Supported Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-supported-configurations.md
ms.assetid: d7c59cc1-b2d0-4d90-9126-628f9c7a5538
- Last updated 01/27/2022
sap Proximity Placement Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/proximity-placement-scenarios.md
Previously updated : 12/18/2022 Last updated : 02/07/2024
By using proximity placement groups, you can bypass this restriction. Here's the
- Create an availability set that references the Azure proximity group. (See the command later in this article.) - Deploy the application layer VMs by referencing the availability set and the proximity placement group. +
+> [!IMPORTANT]
+> It is important to understand that disks of the application layer VMs are not guaranteed to be allocated in the same Availability Zone as the VMs are directed to using the proximity placement group. The result of the deployment shown in the next steps may be that the VMs are allocated in the same network spine and with that the same Availability Zone as the anchor VM. But the respctive disks (base VHD and mounted Azure block storage disks) may not be allocated under the same network spine or even the same availabity zone. Instead the disks of those VMs can be allocated in any of the datacenters of the specific region. Though the disks of the anchor VM that got deployed by defining a zone are going to be deployed in the same zone as the VM got deployed.
++ Instead of deploying the first VM as demonstrated in the previous section, you reference an Availability Zone and the proximity placement group when you deploy the VM: ```azurepowershell-interactive New-AzVm -ResourceGroupName "ppgexercise" -Name "centralserviceszone1" -Location "westus2" -OpenPorts 80,3389 -Zone "1" -ProximityPlacementGroup "collocate" -Size "Standard_E8s_v4" ```
-A successful deployment of this virtual machine would host the ASCS/SCS instance of the SAP system in one Availability Zone. The scope of the proximity placement group is fixed to one of the network spines in the Availability Zone you defined.
+A successful deployment of this virtual machine would host the ASCS/SCS instance of the SAP system in one Availability Zone. In this case, the VM and the base VHD of the VM and potentially mounted Azure block storage disks are allocated within the same Availability Zone. The scope of the proximity placement group is fixed to one of the network spines in the Availability Zone you defined.
In the next step, you need to create the availability sets you want to use for the application layer of your SAP system.
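Review bot: the new IMPORTANT note contains two typos, "respctive" (respective) and "availabity zone" (availability zone), and it switches between "Availability Zone" and lowercase "availabity zone" within the same paragraph. The opening "It is important to understand that" is redundant inside an IMPORTANT callout and can be dropped. The last sentence ("Though the disks of the anchor VM ... as the VM got deployed.") is a fragment; suggest rewording it as a full sentence, for example "The disks of the anchor VM, which was deployed with a zone defined, are deployed in the same zone as the VM."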
Ideally, you should use three fault domains. But the number of supported fault d
```azurepowershell-interactive New-AzVm -ResourceGroupName "ppgexercise" -Name "appinstance1" -Location "westus2" -OpenPorts 80,3389 -AvailabilitySetName "myppgavset" -ProximityPlacementGroup "collocate" -Size "Standard_E16s_v4" ```
+> [!NOTE]
+> The disks of the VMs deployed into the availability set above are not forced to be allocated in the same Availability Zone as the VM is. Though you achieved that the application layer VMs are spread across different fault domains under the same network spine as the anchor VM is allocated, the disks, though also allocated in different fault domains may be allocated in different locations on a region wide scope.
+ The result of this deployment is:
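Review bot: the second sentence of the new NOTE stacks two "though" clauses ("Though you achieved that ..., the disks, though also allocated in different fault domains may be allocated ...") and is hard to parse. Suggest splitting it in two: one sentence stating that the application layer VMs are spread across fault domains under the same network spine as the anchor VM, and one stating that their disks, while also spread across fault domains, can be allocated anywhere in the region. "region wide" should be hyphenated, and "as the VM is" can be shortened to "as the VM".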
sap Rise Integration Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/rise-integration-network.md
vm-linux- Last updated 12/21/2023 - # Connectivity with SAP RISE
Check out the documentation:
- [Integrating Azure services with SAP RISE](./rise-integration-services.md) - [Identity and security in Azure with SAP RISE](./rise-integration-security.md) - [Virtual network peering](../../virtual-network/virtual-network-peering-overview.md)-- [DNS integration with SAP RISE in multicloud environment series guide ΓÇô Azure | SAP Blogs](https://blogs.sap.com/2023/02/27/dns-integration-with-sap-rise-in-multi-cloud-environment-series-guide-azure/)
+- [DNS integration with SAP RISE in multicloud environment series guide ΓÇô Azure | SAP Blogs](https://blogs.sap.com/2023/02/27/dns-integration-with-sap-rise-in-multi-cloud-environment-series-guide-azure/)
sap Rise Integration Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/rise-integration-security.md
vm-linux- Last updated 12/21/2023 - # Azure identity and security services with SAP RISE
sap Rise Integration Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/rise-integration-services.md
vm-linux- Last updated 12/21/2023 - # Integrating Azure services with SAP RISE
sap Rise Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/rise-integration.md
vm-linux- Last updated 12/21/2023 - # Integrating Azure with SAP RISE managed workloads
sap Sap Ascs Ha Multi Sid Wsfc File Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-ascs-ha-multi-sid-wsfc-file-share.md
Title: SAP ASCS/SCS instance multi-SID high availability with Windows Server Failover Clustering and file share on Azure
+ Title: SAP ASCS/SCS instance multi-SID high availability with Windows Server Failover Clustering and file share on Azure
description: Multi-SID high availability for SAP ASCS/SCS instances with Windows Server Failover Clustering and file share on Azure
vm-windows- Last updated 12/16/2022
sap Sap Ascs Ha Multi Sid Wsfc Shared Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-ascs-ha-multi-sid-wsfc-shared-disk.md
vm-windows- Last updated 12/16/2022 - # SAP ASCS/SCS instance multi-SID high availability with Windows Server Failover Clustering and shared disk on Azure
sap Sap Hana Availability Across Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-availability-across-regions.md
tags: azure-resource-manager
- Last updated 06/19/2023
sap Sap Hana Availability One Region https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-availability-one-region.md
- Last updated 06/19/2023
sap Sap Hana Availability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-availability-overview.md
tags: azure-resource-manager
- Last updated 03/05/2018
sap Sap Hana High Availability Netapp Files Red Hat https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability-netapp-files-red-hat.md
vm-linux - Last updated 01/17/2024
sap Sap Hana High Availability Netapp Files Suse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability-netapp-files-suse.md
- Last updated 01/16/2024
sap Sap Hana High Availability Rhel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability-rhel.md
- Last updated 01/22/2024
sap Sap Hana High Availability Scale Out Hsr Suse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability-scale-out-hsr-suse.md
- Last updated 01/16/2024
sap Sap Hana High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-high-availability.md
- Last updated 01/16/2024
sap Sap Hana Scale Out Standby Netapp Files Rhel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-scale-out-standby-netapp-files-rhel.md
vm-windows- Last updated 07/11/2023
In this example for deploying SAP HANA in scale-out configuration with standby n
* [Azure Virtual Machines deployment for SAP][deployment-guide] * [Azure Virtual Machines DBMS deployment for SAP][dbms-guide] * [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md)
-* To learn how to establish high availability and plan for disaster recovery of SAP HANA on Azure VMs, see [High Availability of SAP HANA on Azure Virtual Machines (VMs)][sap-hana-ha].
+* To learn how to establish high availability and plan for disaster recovery of SAP HANA on Azure VMs, see [High Availability of SAP HANA on Azure Virtual Machines (VMs)][sap-hana-ha].
sap Sap Hana Scale Out Standby Netapp Files Suse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-scale-out-standby-netapp-files-suse.md
vm-windows- Last updated 07/11/2023
sap Sap High Availability Architecture Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-architecture-scenarios.md
vm-windows- Last updated 06/02/2023
sap Sap High Availability Guide Start https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-guide-start.md
vm-windows- Last updated 12/16/2022 - # Azure Virtual Machines high availability for SAP NetWeaver
The article covers both ![Windows logo.][Logo_Windows] **Windows** and ![Linux l
* ![RHEL][Logo_Linux] [Install SAP NetWeaver ASCS/SCS in high availability configuration on RHEL][sap-rhel-ascs-ha] * ![RHEL][Logo_Linux] [Install SAP NetWeaver ASCS/SCS in high availability configuration on RHEL with Azure NetApp Files][sap-rhel-ascs-ha-sap-installation-anf]-
sap Sap High Availability Guide Wsfc File Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-guide-wsfc-file-share.md
vm-windows- Last updated 12/16/2022 - # Cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a file share in Azure
sap Sap High Availability Guide Wsfc Shared Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-guide-wsfc-shared-disk.md
vm-windows- Last updated 12/16/2022 -
sap Sap High Availability Infrastructure Wsfc File Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-infrastructure-wsfc-file-share.md
vm-windows- Last updated 12/16/2022
sap Sap High Availability Infrastructure Wsfc Shared Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-infrastructure-wsfc-shared-disk.md
vm-windows- Last updated 01/19/2024
sap Sap High Availability Installation Wsfc File Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-installation-wsfc-file-share.md
vm-windows- Last updated 12/16/2022
sap Sap High Availability Installation Wsfc Shared Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-installation-wsfc-shared-disk.md
vm-windows- Last updated 12/16/2022 - # Install SAP NetWeaver HA on a Windows failover cluster and shared disk for an SAP ASCS/SCS instance in Azure
For the outlined failover tests, we assume that SAP ASCS is active on node A.
![Figure 9: SIOS DataKeeper replicates the local volume from cluster node B to cluster node A][sap-ha-guide-figure-5003]
- _SIOS DataKeeper replicates the local volume from cluster node B to cluster node A_
+ _SIOS DataKeeper replicates the local volume from cluster node B to cluster node A_
sap Sap Higher Availability Architecture Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-higher-availability-architecture-scenarios.md
vm-windows- Last updated 12/16/2022 - # Utilize Azure infrastructure VM restart to achieve ΓÇ£higher availabilityΓÇ¥ of an SAP system
sap Sap Information Lifecycle Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-information-lifecycle-management.md
vm-linux- Last updated 01/28/2022 - # SAP Information Lifecycle Management (ILM) with Microsoft Azure Blob Storage
to store archive files from S/4 HANA System.
## Next steps
-* [SAP ILM on the SAP help portal](https://help.sap.com/doc/c3b6eda797634474b7a3aac5a48e84d5/1610%20001/en-US/frameset.htm)
+* [SAP ILM on the SAP help portal](https://help.sap.com/doc/c3b6eda797634474b7a3aac5a48e84d5/1610%20001/en-US/frameset.htm)
sap Supported Product On Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/supported-product-on-azure.md
ms.assetid: d7c59cc1-b2d0-4d90-9126-628f9c7a5538
- Last updated 02/02/2022
sap Universal Print Sap Frontend https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/universal-print-sap-frontend.md
vm-linux- Last updated 01/31/2024 - # SAP front-end printing with Universal Print
sap Virtual Machine Scale Set Sap Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/virtual-machine-scale-set-sap-deployment-guide.md
- Last updated 09/25/2023
sap Virtual Machine Scale Set Sap Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/virtual-machine-scale-set-sap-faq.md
- Last updated 06/01/2023
sap Vm Extension For Sap New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/vm-extension-for-sap-new.md
vm-linux- Last updated 06/22/2021
sap Vm Extension For Sap Standard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/vm-extension-for-sap-standard.md
vm-linux- Last updated 06/22/2021
sap Vm Extension For Sap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/vm-extension-for-sap.md
vm-linux- Last updated 06/22/2021
We currently recommend using the standard version of the extension for each inst
## Next steps * [Standard Version of Azure VM extension for SAP solutions][std-extension] * [New Version of Azure VM extension for SAP solutions][new-extension]-
search Cognitive Search Custom Skill Web Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-custom-skill-web-api.md
The "output" corresponds to the response returned from your Web API. The Web API
"hitPositions": [] }, "errors": null,
- "warnings": {
+ "warnings": [
+ {
"message": "No occurrences of 'Hi' were found in the input text"
- }
+ }
+ ]
}, ] }
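Review bot: the sample response is still not valid JSON after this change, because the trailing context ends with `}, ] }` and leaves a comma dangling before the closing bracket of the array. Since this hunk is already correcting the shape of "warnings" from an object to an array of objects, remove that trailing comma in the same change so readers can paste the sample into a parser when testing their Web API.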
search Search Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-language-support.md
Non-string fields and non-searchable string fields don't undergo lexical analysi
## Add text translation
-This article assumes translated strings alreach exist. If that's not the case, you can attach Azure AI services to an [enrichment pipeline](cognitive-search-concept-intro.md), invoking text translation during indexing. Text translation takes a dependency on the indexer feature and Azure AI services, but all setup is done within Azure AI Search.
+This article assumes translated strings already exist. If that's not the case, you can attach Azure AI services to an [enrichment pipeline](cognitive-search-concept-intro.md), invoking text translation during indexing. Text translation takes a dependency on the indexer feature and Azure AI services, but all setup is done within Azure AI Search.
To add text translation, follow these steps:
security Encryption Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/encryption-models.md
ms.assetid: 9dcb190e-e534-4787-bf82-8ce73bf47dba
Previously updated : 02/07/2024 Last updated : 02/08/2024 # Data encryption models
The Azure services that support each encryption model:
| Azure NetApp Files | Yes | Yes | Yes | | Archive Storage | Yes | Yes | - | | StorSimple | Yes | Yes | Yes |
-| Azure Backup | Yes | Yes | Yes |
+| Azure Backup | Yes | Yes, including Managed HSM | Yes |
| Data Box | Yes | - | Yes | | Data Box Edge | Yes | Yes | - | | **Other** | | | |
security Steps Secure Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/steps-secure-identity.md
description: This document outlines a list of important actions administrators s
- Last updated 08/17/2022
sentinel Connect Cef Ama https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-cef-ama.md
The setup process for the CEF via AMA connector has two parts:
- If your log forwarder *isn't* an Azure virtual machine, it must have the Azure Arc [Connected Machine agent](../azure-arc/servers/overview.md) installed on it. -- The Linux log forwarder VM must have Python 2.7 or 3 installed. Use the ``python --version`` or ``python3 --version`` command to check.
+- The Linux log forwarder VM must have Python 2.7 or 3 installed. Use the ``python --version`` or ``python3 --version`` command to check. If using Python 3 make sure it's set as the default command on the machine, or run the scripts below with the 'python3' command instead of 'python'.
- The log forwarder must have either the `syslog-ng` or `rsyslog` daemon enabled.
sentinel Connect Cef Syslog https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-cef-syslog.md
Before you begin, verify that you have:
- The Microsoft Sentinel solution enabled. - A defined Microsoft Sentinel workspace. - A Linux machine to collect logs.
- - The Linux machine must have Python 2.7 or 3 installed on the Linux machine. Use the ``python --version`` or ``python3 --version`` command to check.
+ - The Linux machine must have Python 2.7 or 3 installed on the Linux machine. Use the ``python --version`` or ``python3 --version`` command to check. If using Python 3 make sure it's set as the default command on the machine, or run the scripts below with the 'python3' command instead of 'python'.
- For space requirements for your log forwarder, see the [Azure Monitor Agent Performance Benchmark](../azure-monitor/agents/azure-monitor-agent-performance.md). You can also review this blog post, which includes [designs for scalable ingestion](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/designs-for-accomplishing-microsoft-sentinel-scalable-ingestion/ba-p/3741516). - Either the `syslog-ng` or `rsyslog` daemon enabled. - To collect events from any system that isn't an Azure virtual machine, ensure that [Azure Arc](../azure-monitor/agents/azure-monitor-agent-manage.md) is installed.
sentinel Use Matching Analytics To Detect Threats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/use-matching-analytics-to-detect-threats.md
Take advantage of threat intelligence produced by Microsoft to generate high fid
## Prerequisites
-Install the appropriate solutions from the content hub and connect the data connectors to get following data sources in Microsoft Sentinel:
+In order to produce high fidelity alerts and incidents, one or more of the supported data connectors must be installed, but a premium MDTI license is not required. Install the appropriate solutions from the content hub to connect these data sources.
- Common Event Format (CEF) - DNS (Preview)
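Review bot: the new prerequisite sentence uses "MDTI" without expanding it; spell the product name out on first use. The replaced sentence ended with a colon and introduced the list that follows (Common Event Format, DNS and so on), but the new text ends with "to connect these data sources." and leaves the list without a lead-in. Suggest ending the paragraph with a sentence such as "The supported data sources are:" so the list still reads as the set of connectors the rule matches against.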
service-fabric Cli Deploy Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/cli-deploy-application.md
-
+ Title: Azure Service Fabric CLI (sfctl) Script Deploy Sample description: Deploy an application to an Azure Service Fabric cluster using the Azure Service Fabric CLI
tags: azure-service-management - Last updated 04/16/2018
service-fabric Cli Remove Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/cli-remove-application.md
tags: azure-service-management - Last updated 12/06/2017
service-fabric Service Fabric Powershell Add Application Certificate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-add-application-certificate.md
tags: azure-service-management - Last updated 01/18/2018
service-fabric Service Fabric Powershell Add Nsg Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-add-nsg-rule.md
tags: azure-service-management - Last updated 11/28/2017
service-fabric Service Fabric Powershell Change Rdp Port Range https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-change-rdp-port-range.md
- Last updated 03/19/2018
service-fabric Service Fabric Powershell Change Rdp User And Pw https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-change-rdp-user-and-pw.md
tags: azure-service-management - Last updated 03/19/2018
service-fabric Service Fabric Powershell Create Secure Cluster Cert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-create-secure-cluster-cert.md
tags: azure-service-management
ms.assetid: 0f9c8bc5-3789-4eb3-8deb-ae6e2200795a - Last updated 01/19/2018
service-fabric Service Fabric Powershell Deploy Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-deploy-application.md
tags: azure-service-management - Last updated 01/18/2018
service-fabric Service Fabric Powershell Open Port In Load Balancer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-open-port-in-load-balancer.md
tags: azure-service-management - Last updated 05/18/2018
service-fabric Service Fabric Powershell Remove Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-remove-application.md
tags: azure-service-management - Last updated 01/18/2018
service-fabric Service Fabric Powershell Upgrade Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/service-fabric-powershell-upgrade-application.md
tags: azure-service-management - Last updated 01/18/2018
service-fabric Sfctl List Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/sfctl-list-applications.md
- Last updated 04/13/2018
service-fabric Sfctl Upgrade Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/scripts/sfctl-upgrade-application.md
- Last updated 12/06/2017-+ # Update an application using the Service Fabric CLI
site-recovery Site Recovery Failover To Azure Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-failover-to-azure-troubleshoot.md
- Last updated 08/01/2023
To resolve the issue:
- Troubleshoot [RDP connection to Windows VM](/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection) - Troubleshoot [SSH connection to Linux VM](/troubleshoot/azure/virtual-machines/detailed-troubleshoot-ssh-connection)
-If you need more help, then post your query on [Microsoft Q&A question page for Site Recovery](/answers/topics/azure-site-recovery.html) or leave a comment at the end of this document. We have an active community that should be able to assist you.
+If you need more help, then post your query on [Microsoft Q&A question page for Site Recovery](/answers/topics/azure-site-recovery.html) or leave a comment at the end of this document. We have an active community that should be able to assist you.
site-recovery Site Recovery Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-overview.md
Title: About Azure Site Recovery
description: Provides an overview of the Azure Site Recovery service, and summarizes disaster recovery and migration deployment scenarios. Previously updated : 09/20/2023 Last updated : 02/07/2024
Site Recovery can manage replication for:
**VMware VM replication** | You can replicate VMware VMs to Azure using the improved Azure Site Recovery replication appliance that offers better security and resilience than the configuration server. For more information, see [Disaster recovery of VMware VMs](vmware-azure-about-disaster-recovery.md). **On-premises VM replication** | You can replicate on-premises VMs and physical servers to Azure, or to a secondary on-premises datacenter. Replication to Azure eliminates the cost and complexity of maintaining a secondary datacenter. **Workload replication** | Replicate any workload running on supported Azure VMs, on-premises Hyper-V and VMware VMs, and Windows/Linux physical servers.
-**Data resilience** | Site Recovery orchestrates replication without intercepting application data. When you replicate to Azure, data is stored in Azure storage, with the resilience that provides. When failover occurs, Azure VMs are created based on the replicated data. This also applies to Public MEC to Azure region Azure Site Recovery scenario. In case of Azure Public MEC to Public MEC Azure Site Recovery scenario (the Azure Site Recovery functionality for Public MEC is in preview state), data is stored in the Public MEC.
-**RTO and RPO targets** | Keep recovery time objectives (RTO) and recovery point objectives (RPO) within organizational limits. Site Recovery provides continuous replication for Azure VMs and VMware VMs, and replication frequency as low as 30 seconds for Hyper-V. You can reduce RTO further by integrating with [Azure Traffic Manager](https://azure.microsoft.com/blog/reduce-rto-by-using-azure-traffic-manager-with-azure-site-recovery/).
+**Data resilience** | Site Recovery orchestrates replication without intercepting application data. When you replicate to Azure, data is stored in Azure storage, with the resilience that provides. When failover occurs, Azure VMs are created based on the replicated data. This also applies to Public MEC to Azure region Azure Site Recovery scenario. In case of Azure Public MEC to Public MEC Azure Site Recovery scenario (the ASR functionality for Public MEC is in preview state), data is stored in the Public MEC.
+**RTO and RPO targets** | Keep recovery time objectives (RTO) and recovery point objectives (RPO) within organizational limits. Site Recovery provides continuous replication for Azure VMs and VMware VMs, and replication frequency as low as 30 seconds for Hyper-V. You can reduce RTO further by integrating with [Azure Traffic Manager](./concepts-traffic-manager-with-site-recovery.md).
**Keep apps consistent over failover** | You can replicate using recovery points with application-consistent snapshots. These snapshots capture disk data, all data in memory, and all transactions in process. **Testing without disruption** | You can easily run disaster recovery drills, without affecting ongoing replication. **Flexible failovers** | You can run planned failovers for expected outages with zero-data loss. Or, unplanned failovers with minimal data loss, depending on replication frequency, for unexpected disasters. You can easily fail back to your primary site when it's available again.
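Review bot: The reworded **Data resilience** row replaces "Azure Site Recovery functionality" with "ASR functionality", but "ASR" is not defined in the visible text of this article, which otherwise spells out "Azure Site Recovery" or "Site Recovery". Keep the full name, or introduce the abbreviation on first use.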
sql-server-stretch-database Sql Server Stretch Database Encryption Tde https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sql-server-stretch-database/sql-server-stretch-database-encryption-tde.md
description: Enable Transparent Data Encryption (TDE) for SQL Server Stretch Dat
ms.assetid: a44ed8f5-b416-4c41-9b1e-b7271f10bdc3 - Last updated 06/14/2016
sql-server-stretch-database Sql Server Stretch Database Index All Articles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sql-server-stretch-database/sql-server-stretch-database-index-all-articles.md
description: Table of all topics for the Azure service named SQL Server Stretch
ms.assetid: b1718024-84d6-4f5c-a912-3a99edb3f632 - Last updated 10/05/2016
This topic lists every topic that applies directly to the **SQL Server Stretch D
| Title | Description | |: |: | |[Backup Stretch-enabled databases](/sql/sql-server/stretch-database/backup-stretch-enabled-databases-stretch-database) |Learn how to back up Stretch\-enabled databases. |
-|[Restore Stretch-enabled databases](/sql/sql-server/stretch-database/restore-stretch-enabled-databases-stretch-database) |Learn how to restore Stretch\-enabled databases. |
+|[Restore Stretch-enabled databases](/sql/sql-server/stretch-database/restore-stretch-enabled-databases-stretch-database) |Learn how to restore Stretch\-enabled databases. |
sql-server-stretch-database Sql Server Stretch Database Tde Tsql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sql-server-stretch-database/sql-server-stretch-database-tde-tsql.md
description: Enable Transparent Data Encryption (TDE) for SQL Server Stretch Dat
ms.assetid: 27753d91-9ca2-4d47-b34d-b5e2c2f029bb - Last updated 01/23/2017
static-web-apps Deploy Nextjs Hybrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/deploy-nextjs-hybrid.md
Begin by initializing a new Next.js application.
## Configure your Next.js app for deployment to Static Web Apps
-To configure your Next.js app for deployment to Static Web Apps, enable the standalone feature for your Next.js project. This step reduces the size of your Next.js project to ensure it's below the size limits for Static Web Apps. Refer to the [standalone](#enable-standalone-feature) section for more information.
+To configure your Next.js app for deployment to Static Web Apps, enable the standalone feature for your Next.js project in the `next.config.js` file. This step reduces the size of your Next.js project to ensure it's below the size limits for Static Web Apps. Refer to the [standalone](#enable-standalone-feature) section for more information.
```js module.exports = {
storage Storage Auth Abac Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-attributes.md
Previously updated : 01/26/2024 Last updated : 02/07/2024
The following table summarizes the available attributes by source:
> | Property | Value | > | | | > | **Display name** | Subnet |
-> | **Description** | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>*Available only for storage accounts in subscriptions that have at least one virtual network subnet configured.* |
+> | **Description** | The subnet over which an object is accessed.<br/>Use to restrict access to a specific subnet.<br/>*Available only for storage accounts in subscriptions that have at least one virtual network subnet using [service endpoints](../common/storage-network-security.md#grant-access-from-a-virtual-network) configured.* |
> | **Attribute** | `Microsoft.Network/virtualNetworks/subnets` | > | **Attribute source** | [Environment](../../role-based-access-control/conditions-format.md#environment-attributes) | > | **Attribute type** | [String](../../role-based-access-control/conditions-format.md#string-comparison-operators) |
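Review bot: In the new **Description** cell, "at least one virtual network subnet using [service endpoints] configured" leaves "configured" dangling and does not say which service the endpoint is for. The matching change in storage-auth-abac-examples.md says the subnet must have service endpoints enabled for Azure Storage. Use the same wording here, for example "at least one virtual network subnet with service endpoints for Azure Storage enabled", so both articles state one requirement.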
storage Storage Auth Abac Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-examples.md
Previously updated : 01/19/2024 Last updated : 02/08/2024 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
Set-AzRoleAssignment -InputObject $testRa -PassThru
### Example: Allow access to blobs in specific containers from a specific subnet
-This condition allows read, write, add and delete access to blobs in `container1` only from subnet `default` on virtual network `virtualnetwork1`.
+This condition allows read, write, add and delete access to blobs in `container1` only from subnet `default` on virtual network `virtualnetwork1`. To use the [Subnet](storage-auth-abac-attributes.md#subnet) attribute in this example, the subnet must have [service endpoints enabled](../common/storage-network-security.md#grant-access-from-a-virtual-network) for Azure Storage.
There are five potential actions for read, write, add and delete access to existing blobs. To make this condition effective for principals that have multiple role assignments, you must add this condition to all role assignments that include any of the following actions.
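Review bot: The added sentence states the service-endpoint prerequisite but not what happens when it isn't met. This condition is an access restriction, so say how it evaluates for a request that arrives from a subnet without service endpoints enabled. That lets readers tell a misconfigured subnet apart from a principal that is correctly denied. The prerequisite would also be easier to spot as a note above the condition than appended to the summary sentence.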
storage Redundancy Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/redundancy-migration.md
Previously updated : 01/11/2024 Last updated : 02/07/2024
-# Change how a storage account is replicated
+<!--
+Initial: 81 (3717/68)
+Current: 98 (3765/4)
+-->
-Azure Storage always stores multiple copies of your data so that it's protected from planned and unplanned events. This including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets the [Service-Level Agreement (SLA) for Azure Storage](https://azure.microsoft.com/support/legal/sla/storage/) even in the face of failures.
+# Change the redundancy configuration for a storage account
-In this article, you'll learn how to change the replication setting(s) for an existing storage account.
+Azure Storage always stores multiple copies of your data to protect it in the face of both planned and unplanned events. These events include transient hardware failures, network or power outages, and massive natural disasters. Data redundancy ensures that your storage account meets the [Service-Level Agreement (SLA) for Azure Storage](https://azure.microsoft.com/support/legal/sla/storage/), even in the face of failures.
+
+This article describes the process of changing replication setting(s) for an existing storage account.
## Options for changing the replication type
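Review bot: The added HTML comment (`Initial: 81 (3717/68)`, `Current: 98 (3765/4)`) reads like scoring output from an authoring tool and means nothing to readers or later editors. Drop it, or say what the numbers are. Separately, the new title says "redundancy configuration" while the next heading is still "Options for changing the replication type"; pick one term for the headings.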
-Four aspects of the redundancy configuration of a storage account determine how your data is replicated and accessible:
+When deciding which redundancy configuration is best for your scenario, consider the tradeoffs between lower costs and higher availability. The factors that help determine which redundancy configuration you should choose include:
-- **Local redundancy** - your data is always replicated three times within the local or primary region (LRS)-- **Zone redundancy** - whether your data is replicated between different zones within the primary region (LRS vs. ZRS)-- **Geo-redundancy** - replication within a single "local" region or between a primary and a secondary region (LRS vs. GRS)-- **Read access (RA)** - read access to the secondary region when geo-redundancy is used (GRS vs. RA-GRS)
+- **How your data is replicated within the primary region.** Data in the primary region can be replicated locally using [locally redundant storage (LRS)](storage-redundancy.md#locally-redundant-storage), or across Azure availability zones using [zone-redundant storage (ZRS)](storage-redundancy.md#zone-redundant-storage).
+- **Whether your data is geo-replicated.** Geo-replication provides protection against regional disasters by replicating your data to a second region that is geographically distant to the primary region. Geo-replicated configurations include [geo-redundant storage (GRS)](storage-redundancy.md#geo-redundant-storage) and [geo-zone-redundant storage (GZRS)](storage-redundancy.md#geo-zone-redundant-storage).
+- **Whether your application requires read access to the replicated data in the secondary region.** You can configure your storage account to allow read access to data replicated to the secondary region if the primary region becomes unavailable for any reason. Configurations that provide [read access to data in the secondary region](storage-redundancy.md#read-access-to-data-in-the-secondary-region) include read-access geo-redundant storage (RA-GRS) and read-access geo-zone-redundant storage (RA-GZRS).
-For an overview of all of the redundancy options, see [Azure Storage redundancy](storage-redundancy.md).
+For a detailed overview of all of the redundancy options, see [Azure Storage redundancy](storage-redundancy.md).
-You can change how your storage account is replicated from any redundancy configuration to any other with some limitations. Before making any changes, review those [limitations](#limitations-for-changing-replication-types) along with the [downtime requirements](#downtime-requirements) to ensure you have a plan that provides the best end result within a time frame that suits your needs, and that satisfies your uptime requirements.
+You can change your storage account's redundancy configurations as needed, though some configurations are subject to [limitations](#limitations-for-changing-replication-types) and [downtime requirements](#downtime-requirements). Reviewing these limitations and requirements before making any changes within your environment helps avoid conflicts with your own timeframe and uptime requirements.
There are three ways to change the replication settings: -- [Use the Azure portal, Azure PowerShell, or the Azure CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) to add or remove geo-replication or read access to the secondary region.-- [Perform a conversion](#perform-a-conversion) to add or remove zone-redundancy.-- [Perform a manual migration](#manual-migration) in scenarios where the first two options aren't supported, or to ensure the change completes within a specific time.
+- [Add or remove geo-replication or read access](#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) to the secondary region.
+- [Add or remove zone-redundancy](#perform-a-conversion) by performing a conversion.
+- [Perform a manual migration](#manual-migration) in scenarios where the first two options aren't supported, or to ensure the change is completed within a specific timeframe.
-If you want to change both zone-redundancy and either geo-replication or read-access, a two-step process is required. Geo-redundancy and read-access can be changed at the same time, but the zone-redundancy conversion must be performed separately. These steps can be performed in any order.
+Geo-redundancy and read-access can be changed at the same time. However, any change that also involves zone-redundancy requires a conversion and must be performed separately using a two-step process. These two steps can be performed in any order.
-### Replication change table
+### Changing redundancy configuration
-The following table provides an overview of how to switch from each type of replication to another.
+The following table provides an overview of how to switch between replication types.
> [!NOTE]
-> Manual migration is an option for any scenario in which you want to change the replication setting within the [limitations for changing replication types](#limitations-for-changing-replication-types). The manual migration option has been omitted from the provided table to simplify it.
+> Manual migration is an option for any scenario in which you want to change the replication setting within the [limitations for changing replication types](#limitations-for-changing-replication-types). The manual migration option is excluded from the following table for simplification.
| Switching | …to LRS | …to GRS/RA-GRS <sup>6</sup> | …to ZRS | …to GZRS/RA-GZRS <sup>2,6</sup> | |--|-||-||
-| **…from LRS** | **N/A** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) <sup>1,2</sup> | [Perform a conversion](#perform-a-conversion)<sup>2,3,4,5</sup> | [Switch to GRS/RA-GRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) <sup>1</sup>, then [perform a conversion](#perform-a-conversion) to GZRS/RA-GZRS <sup>3,4,5</sup> |
-| **…from GRS/RA-GRS** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) | **N/A** | [Switch to LRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli), then [perform a conversion](#perform-a-conversion) to ZRS <sup>3,5</sup> | [Perform a conversion](#perform-a-conversion)<sup>3,5</sup> |
-| **…from ZRS** | [Perform a conversion](#perform-a-conversion)<sup>3</sup> | [Switch to GZRS/RA-GZRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)<sup>1</sup>, then [perform a conversion](#perform-a-conversion) to GRS/RA-GRS<sup>3</sup> | **N/A** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) <sup>1</sup> |
-| **…from GZRS/RA-GZRS** | [Switch to ZRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli), then [perform a conversion](#perform-a-conversion) to LRS <sup>3</sup> | [Perform a conversion](#perform-a-conversion)<sup>3</sup> | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)| **N/A** |
+| **…from LRS** | **N/A** | Use [Azure portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) <sup>1,2</sup> | [Perform a conversion](#perform-a-conversion)<sup>2,3,4,5</sup> | First, use the [Portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) to switch to GRS/RA-GRS <sup>1</sup>, then [perform a conversion](#perform-a-conversion) to GZRS/RA-GZRS <sup>3,4,5</sup> |
+| **…from GRS/RA-GRS** | Use [Azure portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) | **N/A** | First, use the [Portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) to switch to LRS, then [perform a conversion](#perform-a-conversion) to ZRS <sup>3,5</sup> | [Perform a conversion](#perform-a-conversion)<sup>3,5</sup> |
+| **…from ZRS** | [Perform a conversion](#perform-a-conversion)<sup>3</sup> | First, use the [Portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) to switch to GZRS/RA-GZRS, then [perform a conversion](#perform-a-conversion) to GRS/RA-GRS<sup>3</sup> | **N/A** | Use [Azure portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) <sup>1</sup> |
+| **…from GZRS/RA-GZRS** | First, use the [Portal](redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), [PowerShell](redundancy-migration.md?tabs=powershell#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli), or [CLI](redundancy-migration.md?tabs=azure-cli#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) to switch to ZRS, then [perform a conversion](#perform-a-conversion) to LRS <sup>3</sup> | [Perform a conversion](#perform-a-conversion)<sup>3</sup> | [Use Azure portal, PowerShell, or CLI](#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli)| **N/A** |
<sup>1</sup> [Adding geo-redundancy incurs a one-time egress charge](#costs-associated-with-changing-how-data-is-replicated).<br /> <sup>2</sup> If your storage account contains blobs in the archive tier, review the [access tier limitations](#access-tier) before changing the redundancy type to geo- or zone-redundant.<br />
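Review bot: In the new "…from ZRS" row, the "…to GRS/RA-GRS" cell lost footnote 1. The old text had `<sup>1</sup>` after "Switch to GZRS/RA-GZRS first", and the new text reads "to switch to GZRS/RA-GZRS, then" with no marker, so the one-time egress charge for adding geo-redundancy is no longer flagged on that path. Restore the `<sup>1</sup>`. The last cell of the "…from GZRS/RA-GZRS" row also still uses the single combined link while every other cell now links the portal, PowerShell and CLI tabs separately, and the link text alternates between "Azure portal" and "Portal".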
-<sup>3</sup> The type of conversion supported depends on the storage account type. See [the storage account table](#storage-account-type) for more details.<br />
-<sup>4</sup> Conversion to ZRS or GZRS for an LRS account resulting from a failover isn't supported. For more details, see [Failover and failback](#failover-and-failback).<br />
-<sup>5</sup> Converting from LRS to ZRS is [not supported if the NFSv3 protocol support is enabled for Azure Blob Storage or if the storage account contains Azure Files NFSv4.1 shares](#protocol-support). <br />
-<sup>6</sup> Even though enabling geo-redundancy appears to occur instantaneously, failover to the secondary region cannot be initiated until data synchronization between the two regions has completed.<br />
+<sup>3</sup> The type of conversion supported depends on the storage account type. For more information, see the [storage account table](#storage-account-type).<br />
+<sup>4</sup> Conversion to ZRS or GZRS for an LRS account resulting from a failover isn't supported. For more information, see [Failover and failback](#failover-and-failback).<br />
+<sup>5</sup> Converting from LRS to ZRS [isn't supported if the NFSv3 protocol support is enabled for Azure Blob Storage or if the storage account contains Azure Files NFSv4.1 shares](#protocol-support). <br />
+<sup>6</sup> Even though enabling geo-redundancy appears to occur instantaneously, failover to the secondary region can't be initiated until data synchronization between the two regions is complete.<br />
## Change the replication setting
-Depending on your scenario from the [replication change table](#replication-change-table), use one of the following methods to change your replication settings.
+Depending on your scenario from the [changing redundancy configuration](#changing-redundancy-configuration) section, use one of the following methods to change your replication settings.
-### Change the replication setting using the portal, PowerShell, or the CLI
+### Change the redundancy configuration using Azure portal, PowerShell, or Azure CLI
-In most cases you can use the Azure portal, PowerShell, or the Azure CLI to change the geo-redundant or read access (RA) replication setting for a storage account. If you are initiating a zone redundancy conversion, you can change the setting from within the Azure portal, but not from PowerShell or the Azure CLI.
+In most cases you can use the Azure portal, PowerShell, or the Azure CLI to change the geo-redundant or read access (RA) replication setting for a storage account.
Changing how your storage account is replicated in the Azure portal doesn't result in down time for your applications, including changes that require a conversion.
To change the redundancy option for your storage account in the Azure portal, fo
1. Update the **Redundancy** setting. 1. Select **Save**.
- :::image type="content" source="media/redundancy-migration/change-replication-option.png" alt-text="Screenshot showing how to change replication option in portal." lightbox="media/redundancy-migration/change-replication-option.png":::
+ :::image type="content" source="media/redundancy-migration/change-replication-option-sml.png" alt-text="Screenshot showing how to change replication option in portal." lightbox="media/redundancy-migration/change-replication-option.png":::
# [PowerShell](#tab/powershell)
-To change the redundancy option for your storage account with PowerShell, call the [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) command and specify the `-SkuName` parameter:
+You can use Azure PowerShell to change the redundancy options for your storage account.
+
+To change between locally redundant and geo-redundant storage, call the [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount) cmdlet and specify the `-SkuName` parameter.
```powershell Set-AzStorageAccount -ResourceGroupName <resource_group> `
Set-AzStorageAccount -ResourceGroupName <resource_group> `
# [Azure CLI](#tab/azure-cli)
-To change the redundancy option for your storage account with Azure CLI, call the [az storage account update](/cli/azure/storage/account#az-storage-account-update) command and specify the `--sku` parameter:
+You can use the Azure CLI to change the redundancy options for your storage account.
+
+To change between locally redundant and geo-redundant storage, call the [az storage account update](/cli/azure/storage/account#az-storage-account-update) command and specify the `--sku` parameter:
```azurecli-interactive az storage account update \
- --name <storage-account>
+ --name <storage-account> \
--resource-group <resource_group> \ --sku <sku> ```
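Review bot: The new lead-in sentence in both tabs, "To change between locally redundant and geo-redundant storage", is narrower than what the command covers. The section intro and the table above also route read-access changes and the ZRS to GZRS/RA-GZRS switch through `Set-AzStorageAccount -SkuName` and `az storage account update --sku`. Wording such as "To add or remove geo-redundancy or read access" would match the rest of the article.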
az storage account update \
A redundancy "conversion" is the process of changing the zone-redundancy aspect of a storage account.
-During a conversion, [there is no data loss or application downtime required](#downtime-requirements).
+During a conversion, there's [no data loss or application downtime required](#downtime-requirements).
There are two ways to initiate a conversion: - [Customer-initiated](#customer-initiated-conversion)-- [Support-requested](#support-requested-conversion)
+- [Support-initiated](#support-initiated-conversion)
> [!TIP]
-> Microsoft recommends you use customer-initiated conversion instead of support-requested conversion when possible. With customer-initiated conversion you can start and monitor the progress of the conversion request directly from the Azure portal, and there is no need to open and manage a support request.
+> Microsoft recommends using a customer-initiated conversion instead of support-initiated conversion whenever possible. A customer-initiated conversion allows you to initiate the conversion and monitor its progress directly from within the Azure portal. Because the conversion is initiated by the customer, there is no need to create and manage a support request.
#### Customer-initiated conversion
-Customer-initiated conversion adds a new option for customers to start a conversion. Now, instead of needing to open a support request, customers can start and monitor the progress of the conversion directly from the Azure portal. Once initiated, the conversion could still take up to 72 hours to actually **begin**, but potential delays related to opening and managing a support request are eliminated.
+Instead of opening a support request, customers in most regions can start a conversion and monitor its progress. This option eliminates potential delays related to creating and managing support requests. For help determining the regions in which customer-initiated conversion is supported, see the [region limitations](#region) article.
+
+Customer-initiated conversion can be completed in supported regions using the Azure portal, PowerShell, or the Azure CLI. After initiation, the conversion could still take up to 72 hours to begin.
> [!IMPORTANT]
-> A customer-initiated conversion could take up to 72 hours to actually **begin** after you initiate it.
+> There is no SLA for completion of a conversion.
>
-> There is no SLA for completion of a customer-initiated conversion.
+> If you need more control over when a conversion begins and finishes, consider a [Manual migration](#manual-migration). Generally, the more data you have in your account, the longer it takes to replicate that data to other zones or regions.
>
-> For more details about the timing of a customer-initiated conversion, see [Timing and frequency](#timing-and-frequency).
+> For more information about the timing of a customer-initiated conversion, see [Timing and frequency](#timing-and-frequency).
-Customer-initiated conversion is only available from the Azure portal, not from PowerShell or the Azure CLI. To initiate the conversion, perform the same steps used for changing other replication settings in the Azure portal as described in [Change the replication setting using the portal, PowerShell, or the CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli).
+# [Portal](#tab/portal)
-Customer-initiated conversion is not available in all regions. See the [region limitations](#region) for more details.
+To add or modify a storage account's zonal-redundancy within the Azure portal, perform these steps:
-##### Monitoring customer-initiated conversion progress
+1. Navigate to your storage account in the Azure portal.
+1. Under **Data management** select **Redundancy**.
+1. Update the **Redundancy** setting.
+1. Select **Save**.
-The status of your customer-initiated conversion is displayed on the **Redundancy** page of the storage account:
+ :::image type="content" source="media/redundancy-migration/change-replication-zone-option-sml.png" alt-text="Screenshot showing how to change the zonal-replication option in portal." lightbox="media/redundancy-migration/change-replication-zone-option.png":::
+
+# [PowerShell](#tab/powershell)
+To change between locally redundant and zone-redundant storage with PowerShell, call the [Start-AzStorageAccountMigration](/powershell/module/az.storage/start-azstorageaccountmigration) command and specify the `-TargetSku` parameter:
+
+```powershell
+Start-AzStorageAccountMigration
+ -AccountName <String>
+ -ResourceGroupName <String>
+ -TargetSku <String>
+ -AsJob
+```
+
+# [Azure CLI](#tab/azure-cli)
+
+To change between locally redundant and zone-redundant storage with Azure CLI, call the [az storage account migration start](/cli/azure/storage/account/migration#az-storage-account-migration-start) command and specify the `--sku` parameter:
+
+```azurecli-interactive
+az storage account migration start \
+ -- account-name <string> \
+ -- g <string> \
+ --sku <string> \
+ --no-wait
+```
+++
+##### Monitoring customer-initiated conversion progress
-As the conversion request is evaluated and processed, the status should progress through the list shown in the table below:
+As the conversion request is evaluated and processed, the status should progress through the list shown in the following table:
| Status | Explanation | ||--| | Submitted for conversion | The conversion request was successfully submitted for processing. |
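Review bot: The new Azure CLI example will not parse as written: `-- account-name <string>` and `-- g <string>` have a space after the double dash, and the short resource-group option takes a single dash. Write `--account-name <string>` and `--resource-group <string>` (or `-g <string>`). The PowerShell example above it has a related problem: the parameters of `Start-AzStorageAccountMigration` sit on separate lines with no backtick continuation, unlike the `Set-AzStorageAccount` example earlier in the article, so each line is evaluated on its own when pasted. Also, "see the [region limitations](#region) article" points at a section of this article, not another article.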
-| In Progress<sup>1</sup> | The actual conversion has begun. |
-| Completed<br>**- or -**</br>Failed<sup>2</sup> | The conversion has successfully completed.<br>**- or -**</br>The conversion failed. |
+| In Progress<sup>1</sup> | The conversion is in progress. |
+| Completed<br>**- or -**</br>Failed<sup>2</sup> | The conversion is completed successfully.<br>**- or -**</br>The conversion failed. |
-<sup>1</sup> Once initiated, the conversion could take up to 72 hours to actually **begin**. If the conversion does not enter the "In Progress" status within 96 hours of initiating the request, submit a support request to Microsoft to determine why. For more details about the timing of a customer-initiated conversion, see [Timing and frequency](#timing-and-frequency).<br />
+<sup>1</sup> Once initiated, the conversion could take up to 72 hours to begin. If the conversion doesn't enter the "In Progress" status within 96 hours of initiating the request, submit a support request to Microsoft to determine why. For more information about the timing of a customer-initiated conversion, see [Timing and frequency](#timing-and-frequency).<br />
<sup>2</sup> If the conversion fails, submit a support request to Microsoft to determine the reason for the failure.<br /> > [!NOTE]
As the conversion request is evaluated and processed, the status should progress
> > Generally, the more data you have in your account, the longer it takes to replicate that data to other zones in the region.
-#### Support-requested conversion
+# [Portal](#tab/portal)
+
+The status of your customer-initiated conversion is displayed on the **Redundancy** page of the storage account:
++
+# [PowerShell](#tab/powershell)
+
+To track the current migration status of the conversion initiated on your storage account, call the [Get-AzStorageAccountMigration](/powershell/module/az.storage/get-azstorageaccountmigration) cmdlet:
+
+```powershell
+Get-AzStorageAccountMigration
+ -AccountName <String>
+ -ResourceGroupName <String>
+```
+
+# [Azure CLI](#tab/azure-cli)
+
+To track the current migration status of the conversion initiated on your storage account, call the [Get-AzStorageAccountMigration](/powershell/module/az.storage/get-azstorageaccountmigration) cmdlet:
+
+```powershell
+Get-AzStorageAccountMigration
+ -AccountName <String>
+ -ResourceGroupName <String>
+```
+++
+#### Support-initiated conversion
Customers can still request a conversion by opening a support request with Microsoft.
Follow these steps to request a conversion from Microsoft:
- **Problem type**: Choose **Data Migration**. - **Problem subtype**: Choose **Migrate to ZRS, GZRS, or RA-GZRS**.
- :::image type="content" source="media/redundancy-migration/request-live-migration-problem-desc-portal.png" alt-text="Screenshot showing how to request a conversion - Problem description tab." lightbox="media/redundancy-migration/request-live-migration-problem-desc-portal.png":::
+ :::image type="content" source="media/redundancy-migration/request-live-migration-problem-desc-portal-sml.png" alt-text="Screenshot showing how to request a conversion - Problem description tab." lightbox="media/redundancy-migration/request-live-migration-problem-desc-portal.png":::
1. Select **Next**. The **Recommended solution** tab might be displayed briefly before it switches to the **Solutions** page. On the **Solutions** page, you can check the eligibility of your storage account(s) for conversion: - **Target replication type**: (choose the desired option from the drop-down) - **Storage accounts from**: (enter a single storage account name or a list of accounts separated by semicolons) - Select **Submit**.
- :::image type="content" source="media/redundancy-migration/request-live-migration-solutions-portal.png" alt-text="Screenshot showing how to check the eligibility of your storage account(s) for conversion - Solutions page." lightbox="media/redundancy-migration/request-live-migration-solutions-portal.png":::
+ :::image type="content" source="media/redundancy-migration/request-live-migration-solutions-portal-sml.png" alt-text="Screenshot showing how to check the eligibility of your storage account(s) for conversion - Solutions page." lightbox="media/redundancy-migration/request-live-migration-solutions-portal.png":::
-1. Take the appropriate action if the results indicate your storage account is not eligible for conversion. If it is eligible, select **Return to support request**.
+1. Take the appropriate action if the results indicate your storage account isn't eligible for conversion. Otherwise, select **Return to support request**.
1. Select **Next**. If you have more than one storage account to migrate, on the **Details** tab, specify the name for each account, separated by a semicolon.
- :::image type="content" source="media/redundancy-migration/request-live-migration-details-portal.png" alt-text="Screenshot showing how to request a conversion - Additional details tab." lightbox="media/redundancy-migration/request-live-migration-details-portal.png":::
+ :::image type="content" source="media/redundancy-migration/request-live-migration-details-portal-sml.png" alt-text="Screenshot showing how to request a conversion - Additional details tab." lightbox="media/redundancy-migration/request-live-migration-details-portal.png":::
-1. Fill out the additional required information on the **Additional details** tab, then select **Review + create** to review and submit your support ticket. A support person will contact you to provide any assistance you may need.
+1. Provide the required information on the **Additional details** tab, then select **Review + create** to review and submit your support ticket. An Azure support agent reviews your case and contacts you to provide assistance.
### Manual migration
-A manual migration provides more flexibility and control than a conversion. You can use this option if you need your data moved by a certain date, or if conversion is [not supported for your scenario](#limitations-for-changing-replication-types). Manual migration is also useful when moving a storage account to another region. See [Move an Azure Storage account to another region](storage-account-move.md) for more details.
+A manual migration provides more flexibility and control than a conversion. You can use this option if you need your data moved by a certain date, or if conversion [isn't supported for your scenario](#limitations-for-changing-replication-types). Manual migration is also useful when moving a storage account to another region. For more detail, see [Move an Azure Storage account to another region](storage-account-move.md).
You must perform a manual migration if: - You want to migrate your storage account to a different region. - Your storage account is a block blob account.-- Your storage account includes data in the archive tier and rehydrating the data is not desired.
+- Your storage account includes data in the archive tier and rehydrating the data isn't desired.
> [!IMPORTANT] > A manual migration can result in application downtime. If your application requires high availability, Microsoft also provides a [conversion](#perform-a-conversion) option. A conversion is an in-place migration with no downtime. With a manual migration, you copy the data from your existing storage account to a new storage account. To perform a manual migration, you can use one of the following options: -- Copy data by using an existing tool such as AzCopy, one of the Azure Storage client libraries, or a reliable third-party tool.
+- Copy data by using an existing tool such as AzCopy, one of the Azure Storage client libraries, or a reliable non-Microsoft tool.
- If you're familiar with Hadoop or HDInsight, you can attach both the source storage account and destination storage account to your cluster. Then, parallelize the data copy process with a tool like DistCp. For more detailed guidance on how to perform a manual migration, see [Move an Azure Storage account to another region](storage-account-move.md). ## Limitations for changing replication types
+> [!IMPORTANT]
+> Boot diagnostics doesn't support premium storage accounts or zone-redundant storage accounts. When either premium or zone-redundant storage accounts are used for boot diagnostics, users receive a `StorageAccountTypeNotSupported` error upon starting their virtual machine (VM).
+ Limitations apply to some replication change scenarios depending on: - [Region](#region)
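Review bot: The new `# [Azure CLI](#tab/azure-cli)` tab is a verbatim copy of the PowerShell tab: it tells the reader to call the `Get-AzStorageAccountMigration` cmdlet, links to the PowerShell reference, and tags its code block as `powershell`. Replace the body of that tab with the Azure CLI command for reading the migration status and tag its block `azurecli`, or drop the tab until CLI content exists. In the Portal tab, the sentence ending "on the **Redundancy** page of the storage account:" is followed by nothing in the visible lines, so confirm that the screenshot it introduces is actually included. The new boot diagnostics `[!IMPORTANT]` note sits directly above the sentence introducing the list of limitation categories. It would read better after that list or under **Storage account type**.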
Limitations apply to some replication change scenarios depending on:
### Region
-Make sure the region where your storage account is located supports all of the desired replication settings. For example, if you are converting your account to zone-redundant (ZRS, GZRS, or RA-GZRS), make sure your storage account is in a region that supports it. See the lists of supported regions for [Zone-redundant storage](storage-redundancy.md#zone-redundant-storage) and [Geo-zone-redundant storage](storage-redundancy.md#geo-zone-redundant-storage).
+Make sure the region where your storage account is located supports all of the desired replication settings. For example, if you're converting your account to zone-redundant (ZRS, GZRS, or RA-GZRS), make sure your storage account is in a region that supports it. See the lists of supported regions for [Zone-redundant storage](storage-redundancy.md#zone-redundant-storage) and [Geo-zone-redundant storage](storage-redundancy.md#geo-zone-redundant-storage).
> [!IMPORTANT] > [Customer-initiated conversion](#customer-initiated-conversion) from LRS to ZRS is available in all public regions that support ZRS except for the following: > > - (Europe) Italy North
+> - (Europe) UK South
> - (Europe) Poland Central > - (Europe) West Europe
-> - (Europe) UK South
> - (Middle East) Israel Central > - (North America) Canada Central > - (North America) East US
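Review bot: Moving `(Europe) UK South` up places it between Italy North and Poland Central, so the Europe entries still aren't in alphabetical order (Italy North, UK South, Poland Central, West Europe). If the intent of the move was to sort the list, the entry belongs after Poland Central and before West Europe.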
Make sure the region where your storage account is located supports all of the d
### Feature conflicts
-Some storage account features are not compatible with other features or operations. For example, the ability to failover to the secondary region is the key feature of geo-redundancy, but other features are not compatible with failover. For more information about features and services not supported with failover, see [Unsupported features and services](storage-disaster-recovery-guidance.md#unsupported-features-and-services). Converting an account to GRS, GZRS, or RA-GZRS might be blocked if a conflicting feature is enabled, or it might be necessary to disable the feature later before initiating a failover.
+Some storage account features aren't compatible with other features or operations. For example, the ability to fail over to the secondary region is the key feature of geo-redundancy, but other features aren't compatible with failover. For more information about features and services not supported with failover, see [Unsupported features and services](storage-disaster-recovery-guidance.md#unsupported-features-and-services). The conversion of an account to GRS, GZRS, or RA-GZRS might be blocked if a conflicting feature is enabled, or it might be necessary to disable the feature later before initiating a failover.
### Storage account type When planning to change your replication settings, consider the following limitations related to the storage account type.
-Some storage account types only support certain redundancy configurations, which affects whether they can be converted or migrated and, if so, how. For more details on Azure storage account types and the supported redundancy options, see [the storage account overview](storage-account-overview.md#types-of-storage-accounts).
+Some storage account types only support certain redundancy configurations, which affect whether they can be converted or migrated and, if so, how. For more information on Azure storage account types and the supported redundancy options, see [the storage account overview](storage-account-overview.md#types-of-storage-accounts).
The following table provides an overview of redundancy options available for storage account types and whether conversion and manual migration are supported:
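Review bot: In the **Storage account type** paragraph, changing "which affects" to "which affect" changes what the clause refers to. With "affects" it refers to the fact that some account types only support certain configurations. With "affect" it refers to the configurations themselves. If the first reading is intended, keep the singular verb or rephrase, for example: "This limitation affects whether they can be converted or migrated and, if so, how."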
The following table provides an overview of redundancy options available for sto
| Premium page blob | &#x2705; | | | | | | Managed disks<sup>2</sup> | &#x2705; | &#x2705; | &#x2705; | | &#x2705; | | Standard general purpose v1 | &#x2705; | | <sup>3</sup> | | &#x2705; |
-| ZRS Classic<sup>4</sup><br /><sub>(available in standard general purpose v1 accounts)</sub> | &#x2705; | | | |
+| ZRS Classic<sup>4</sup><br /><sub>(available in standard general purpose v1 accounts)</sub> | &#x2705; | | | | |
+
-<sup>1</sup> Conversion for premium file shares is only available by [opening a support request](#support-requested-conversion); [Customer-initiated conversion](#customer-initiated-conversion) is not currently supported.<br />
-<sup>2</sup> Managed disks are available for LRS and ZRS, though ZRS disks have some [limitations](../../virtual-machines/disks-redundancy.md#limitations). If a LRS disk is regional (no zone specified) it may be converted by [changing the SKU](../../virtual-machines/disks-convert-types.md). If a LRS disk is zonal, then it can only be manually migrated by following the process in [Migrate your managed disks](../../reliability/migrate-vm.md#migrate-your-managed-disks). You can store snapshots and images for standard SSD managed disks on standard HDD storage and [choose between LRS and ZRS options](https://azure.microsoft.com/pricing/details/managed-disks/). For information about integration with availability sets, see [Introduction to Azure managed disks](../../virtual-machines/managed-disks-overview.md#integration-with-availability-sets).<br />
-<sup>3</sup> If your storage account is v1, you'll need to upgrade it to v2 before performing a conversion. To learn how to upgrade your v1 account, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md).<br />
-<sup>4</sup> ZRS Classic storage accounts have been deprecated. For information about converting ZRS Classic accounts, see [Converting ZRS Classic accounts](#converting-zrs-classic-accounts).<br />
+<sup>1</sup> Conversion for premium file shares is only available by [opening a support request](#support-initiated-conversion); [Customer-initiated conversion](#customer-initiated-conversion) isn't currently supported.<br />
+<sup>2</sup> Managed disks are available for LRS and ZRS, though ZRS disks have some [limitations](../../virtual-machines/disks-redundancy.md#limitations). If an LRS disk is regional (no zone specified), it can be converted by [changing the SKU](../../virtual-machines/disks-convert-types.md). If an LRS disk is zonal, then it can only be manually migrated by following the process in [Migrate your managed disks](../../reliability/migrate-vm.md#migrate-your-managed-disks). You can store snapshots and images for standard SSD managed disks on standard HDD storage and [choose between LRS and ZRS options](https://azure.microsoft.com/pricing/details/managed-disks/). For information about integration with availability sets, see [Introduction to Azure managed disks](../../virtual-machines/managed-disks-overview.md#integration-with-availability-sets).<br />
+<sup>3</sup> If your storage account is v1, you need to upgrade it to v2 before performing a conversion. To learn how to upgrade your v1 account, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md).<br />
+<sup>4</sup> ZRS Classic storage accounts are deprecated. For information about converting ZRS Classic accounts, see [Converting ZRS Classic accounts](#converting-zrs-classic-accounts).<br />
#### Converting ZRS Classic accounts
The following table provides an overview of redundancy options available for sto
ZRS Classic was available only for **block blobs** in general-purpose V1 (GPv1) storage accounts. For more information about storage accounts, see [Azure storage account overview](storage-account-overview.md).
-ZRS Classic accounts asynchronously replicated data across data centers within one to two regions. Replicated data was not available unless Microsoft initiated a failover to the secondary. A ZRS Classic account can't be converted to or from LRS, GRS, or RA-GRS. ZRS Classic accounts also don't support metrics or logging.
+ZRS Classic accounts asynchronously replicated data across data centers within one to two regions. Replicated data wasn't available unless Microsoft initiated a failover to the secondary. A ZRS Classic account can't be converted to or from LRS, GRS, or RA-GRS. ZRS Classic accounts also don't support metrics or logging.
To change ZRS Classic to another replication type, use one of the following methods:
az storage account update -g <resource_group> -n <storage_account> --set kind=St
To manually migrate your ZRS Classic account data to another type of replication, follow the steps to [perform a manual migration](#manual-migration).
-If you want to migrate your data into a zone-redundant storage account located in a region different from the source account, you must perform a manual migration. For more details, see [Move an Azure Storage account to another region](storage-account-move.md).
+If you want to migrate your data into a zone-redundant storage account located in a region different from the source account, you must perform a manual migration. For more information, see [Move an Azure Storage account to another region](storage-account-move.md).
### Access tier
-Make sure the desired redundancy option supports the access tiers currently used in the storage account. For example, ZRS, GZRS and RA-GZRS storage accounts do not support the archive tier. See [Hot, Cool, and Archive access tiers for blob data](../blobs/access-tiers-overview.md) for more details. To convert an LRS, GRS or RA-GRS account to one that supports zone-redundancy, first move the archived blobs to a storage account that supports blobs in the archive tier. Then convert the source account to ZRS, GZRS and RA-GZRS.
+Make sure the desired redundancy option supports the access tiers currently used in the storage account. For example, ZRS, GZRS and RA-GZRS storage accounts don't support the archive tier. For more information, see [Hot, Cool, and Archive access tiers for blob data](../blobs/access-tiers-overview.md). To convert an LRS, GRS or RA-GRS account to one that supports zone-redundancy, first move the archived blobs to a storage account that supports blobs in the archive tier. Then convert the source account to ZRS, GZRS and RA-GZRS.
-To switch an LRS storage account that contains blobs in the archive tier to GRS or RA-GRS, you must first rehydrate all archived blobs to the Hot or Cool tier or perform a [manual migration](#manual-migration).
+An LRS storage account containing blobs in the archive tier can be switched to GRS or RA-GRS after rehydrating all archived blobs to the Hot or Cool tier. You can also perform a [manual migration](#manual-migration).
> [!TIP] > Microsoft recommends that you avoid changing the redundancy configuration for a storage account that contains archived blobs if at all possible, because rehydration operations can be costly and time-consuming. But if you must change it, a [manual migration](#manual-migration) can save you the expense of rehydration. ### Protocol support
-Converting your storage account to zone-redundancy (ZRS, GZRS or RA-GZRS) is not supported if either of the following is true:
+You can't convert storage accounts to zone-redundancy (ZRS, GZRS or RA-GZRS) if either of the following cases are true:
- NFSv3 protocol support is enabled for Azure Blob Storage - The storage account contains Azure Files NFSv4.1 shares ### Failover and failback
-After an account failover to the secondary region, it's possible to initiate a failback from the new primary back to the new secondary with PowerShell or Azure CLI (version 2.30.0 or later). For more information, see [How customer-managed storage account failover works](storage-failover-customer-managed-unplanned.md).
+After an account failover to the secondary region, it's possible to initiate a failback from the new primary back to the new secondary with PowerShell or Azure CLI (version 2.30.0 or later). [Initiate the failover](storage-initiate-account-failover.md#initiate-the-failover).
-If you performed an account failover for your GRS or RA-GRS account, the account is locally redundant (LRS) in the new primary region after the failover. Conversion to ZRS or GZRS for an LRS account resulting from a failover is not supported. This is true even in the case of so-called failback operations. For example, if you perform an account failover from RA-GRS to LRS in the secondary region, and then configure it again as RA-GRS, it will be LRS in the new secondary region (the original primary). If you then perform another account failover to failback to the original primary region, it will be LRS again in the original primary. In this case, you can't perform a conversion to ZRS, GZRS or RA-GZRS in the primary region. Instead, you'll need to perform a manual migration to add zone-redundancy.
+If you performed a customer-managed account failover to recover from an outage for your GRS or RA-GRS account, the account becomes locally redundant (LRS) in the new primary region after the failover. Conversion to ZRS or GZRS for an LRS account resulting from a failover isn't supported, even for so-called failback operations. For example, if you perform an account failover from RA-GRS to LRS in the secondary region, and then configure it again as RA-GRS, it remains LRS in the new secondary region (the original primary). If you then perform another account failover to failback to the original primary region, it remains LRS again in the original primary. In this case, you can't perform a conversion to ZRS, GZRS or RA-GZRS in the primary region. Instead, perform a manual migration to add zone-redundancy.
## Downtime requirements
-During a [conversion](#perform-a-conversion), you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the migration process and there is no data loss associated with a conversion. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the migration.
+During a [conversion](#perform-a-conversion), you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the migration process and no data is lost during a conversion. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the migration.
If you choose to perform a manual migration, downtime is required but you have more control over the timing of the migration process. ## Timing and frequency
-If you initiate a zone-redundancy [conversion](#customer-initiated-conversion) from the Azure portal, the conversion process could take up to 72 hours to actually **begin**. It could take longer to start if you [request a conversion by opening a support request](#support-requested-conversion). If a customer-initiated conversion does not enter the "In Progress" status within 96 hours of initiating the request, submit a support request to Microsoft to determine why. To monitor the progress of a customer-initiated conversion, see [Monitoring customer-initiated conversion progress](#monitoring-customer-initiated-conversion-progress).
+If you initiate a zone-redundancy [conversion](#customer-initiated-conversion) from the Azure portal, the conversion process could take up to 72 hours to begin. It could take longer to start if you [request a conversion by opening a support request](#support-initiated-conversion). If a customer-initiated conversion doesn't enter the "In Progress" status within 96 hours of initiating the request, submit a support request to Microsoft to determine why. To monitor the progress of a customer-initiated conversion, see [Monitoring customer-initiated conversion progress](#monitoring-customer-initiated-conversion-progress).
> [!IMPORTANT] > There is no SLA for completion of a conversion. If you need more control over when a conversion begins and finishes, consider a [Manual migration](#manual-migration). Generally, the more data you have in your account, the longer it takes to replicate that data to other zones or regions.
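Review bot: The rewritten **Access tier** sentence drops the requirement that the original stated. "You must first rehydrate all archived blobs ... or perform a manual migration" became "can be switched ... after rehydrating", followed by "You can also perform a manual migration", which reads as an extra step rather than the alternative. Keep the "must first ... or" structure so that the precondition stays explicit. In **Failover and failback**, the replacement leaves a bare link, "[Initiate the failover](...).", as its own sentence after a statement about failback. Restore a lead-in such as "For more information, see" and check that the target covers failback. Two smaller points: "if either of the following cases are true" should be "is true", and "it remains LRS again in the original primary" combines "remains" with "again".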
After a zone-redundancy conversion, you must wait at least 72 hours before chang
## Costs associated with changing how data is replicated
-Ordering from the least to the most expensive, Azure Storage redundancy offerings include LRS, ZRS, GRS, RA-GRS, GZRS, and RA-GZRS.
+Azure Storage offers several options for configuring replication. These options, ordered by least- to most-expensive, include:
+
+- LRS
+- ZRS
+- GRS
+- RA-GRS
+- GZRS
+- RA-GZRS
-The costs associated with changing how data is replicated in your storage account depend on which [aspects of your redundancy configuration](#options-for-changing-the-replication-type) you change. A combination of data storage and egress bandwidth pricing determine the cost of making a change. For details on pricing, see [Azure Storage Pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/).
+The costs associated with changing how data is replicated in your storage account depend on which [aspects of your redundancy configuration](#options-for-changing-the-replication-type) you change. A combination of data storage and egress bandwidth pricing determines the cost of making a change. For details on pricing, see [Azure Storage Pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/).
-If you add zone-redundancy in the primary region, there is no initial cost associated with making that conversion, but the ongoing data storage cost will be higher due to the additional replication and storage space required.
+If you add zone-redundancy in the primary region, there's no initial cost associated with making that conversion, but the ongoing data storage cost is higher due to the increased replication and storage space required.
-If you add geo-redundancy, you will incur an egress bandwidth charge at the time of the change because your entire storage account is being replicated to the secondary region. All subsequent writes to the primary region also incur egress bandwidth charges to replicate the write to the secondary region.
+Geo-redundancy incurs an egress bandwidth charge at the time of the change because your entire storage account is being replicated to the secondary region. All subsequent writes to the primary region also incur egress bandwidth charges to replicate the write to the secondary region.
-If you remove geo-redundancy (change from GRS to LRS), there is no cost for making the change, but your replicated data is deleted from the secondary location.
+If you remove geo-redundancy (change from GRS to LRS), there's no cost for making the change, but your replicated data is deleted from the secondary location.
> [!IMPORTANT] > If you remove read access to the secondary region (RA) (change from RA-GRS to GRS or LRS), that account is billed as RA-GRS for an additional 30 days beyond the date that it was converted.
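Review bot: In the costs section, the rewrite from "If you add geo-redundancy, you will incur an egress bandwidth charge at the time of the change" to "Geo-redundancy incurs an egress bandwidth charge at the time of the change" removes the condition that "the change" refers to. The neighbouring paragraphs still open with "If you add zone-redundancy" and "If you remove geo-redundancy". Keeping "If you add geo-redundancy, ..." or writing "Adding geo-redundancy incurs ..." preserves the parallel structure and makes clear that the initial charge applies when geo-redundancy is enabled. In the new list lead-in, "ordered by least- to most-expensive" would read more cleanly as "ordered from least to most expensive".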
storage Geo Redundant Storage For Large File Shares https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/geo-redundant-storage-for-large-file-shares.md
The steps to enable geo-redundancy for large file shares will vary based on the
#### Existing storage accounts with a redundancy option of LRS or ZRS
-1. [Change the redundancy option](../common/redundancy-migration.md?tabs=portal#change-the-replication-setting-using-the-portal-powershell-or-the-cli) for your storage account to GRS or GZRS.
+1. [Change the redundancy option](../common/redundancy-migration.md?tabs=portal#change-the-redundancy-configuration-using-azure-portal-powershell-or-azure-cli) for your storage account to GRS or GZRS.
1. Verify that the [large file shares setting is enabled](storage-how-to-create-file-share.md#enable-large-file-shares-on-an-existing-account) on your storage account. 1. **Optional:** [Increase the file share quota](storage-how-to-create-file-share.md?tabs=azure-portal#expand-existing-file-shares) up to 100 TiB.
traffic-manager Cli Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/cli-samples.md
- Last updated 10/23/2018-+
The following table includes links to bash scripts for Traffic Manager built usi
|Title |Description | ||| |[Direct traffic across multiple regions for high application availability](./scripts/traffic-manager-cli-websites-high-availability.md) | Creates two app service plans, two web apps, a traffic manager profile, and two traffic manager endpoints. |--
traffic-manager Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/powershell-samples.md
- Last updated 04/27/2023
traffic-manager Quickstart Create Traffic Manager Profile Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/quickstart-create-traffic-manager-profile-cli.md
- Last updated 02/18/2023
traffic-manager Quickstart Create Traffic Manager Profile Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/quickstart-create-traffic-manager-profile-powershell.md
Last updated 02/18/2023 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
traffic-manager Quickstart Create Traffic Manager Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/quickstart-create-traffic-manager-profile.md
Last updated 02/18/2023 - #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
traffic-manager Traffic Manager Cli Websites High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/scripts/traffic-manager-cli-websites-high-availability.md
ms.devlang: azurecli - Last updated 04/27/2023
traffic-manager Traffic Manager Powershell Websites High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/scripts/traffic-manager-powershell-websites-high-availability.md
tags: azure-infrastructure
ms.devlang: powershell - Last updated 04/27/2023-+
traffic-manager Traffic Manager Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-FAQs.md
- Last updated 01/29/2024-+ # Traffic Manager Frequently Asked Questions (FAQ)
traffic-manager Traffic Manager Configure Geographic Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-geographic-routing-method.md
- Last updated 10/15/2020
traffic-manager Traffic Manager Configure Multivalue Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-multivalue-routing-method.md
Title: Configure MultiValue traffic routing - Azure Traffic Manager
-description: This article explains how to configure Traffic Manager to route traffic to A/AAAA endpoints.
+description: This article explains how to configure Traffic Manager to route traffic to A/AAAA endpoints.
- Last updated 05/07/2023
traffic-manager Traffic Manager Configure Performance Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-performance-routing-method.md
Title: Configure performance traffic routing method using Azure Traffic Manager | Microsoft Docs
-description: This article explains how to configure Traffic Manager to route traffic to the endpoint with lowest latency
+description: This article explains how to configure Traffic Manager to route traffic to the endpoint with lowest latency
- Last updated 05/30/2023
traffic-manager Traffic Manager Configure Priority Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-priority-routing-method.md
- Last updated 04/26/2023
traffic-manager Traffic Manager Configure Subnet Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-subnet-routing-method.md
- Last updated 09/17/2018
traffic-manager Traffic Manager Configure Weighted Routing Method https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-configure-weighted-routing-method.md
- Last updated 04/26/2023
If you not longer need the Traffic Manager profile, locate the profile and selec
To learn more about weighted routing method, see: > [!div class="nextstepaction"]
-> [Weighted traffic routing method](traffic-manager-routing-methods.md#weighted)
+> [Weighted traffic routing method](traffic-manager-routing-methods.md#weighted)
traffic-manager Traffic Manager Create Rum Visual Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-create-rum-visual-studio.md
ms.devlang: java - Last updated 07/13/2023
To use Real User Measurements, complete the following procedure:
- Learn more about [App Center](/appcenter) - [Set up](/appcenter/dashboard/#set-up-your-app-center-account) an App Center account - Learn more about the [traffic-routing methods](traffic-manager-routing-methods.md) supported by Traffic Manager-- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md)
+- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md)
traffic-manager Traffic Manager Create Rum Web Pages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-create-rum-web-pages.md
- Last updated 04/06/2021-+
traffic-manager Traffic Manager Diagnostic Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-diagnostic-logs.md
- Last updated 05/17/2023
traffic-manager Traffic Manager Endpoint Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-endpoint-types.md
- Last updated 04/27/2023
If all endpoints in a profile get disabled, or if the profile itself get disable
* Learn [how Traffic Manager works](traffic-manager-how-it-works.md). * Learn about Traffic Manager [endpoint monitoring and automatic failover](traffic-manager-monitoring.md).
-* Learn about Traffic Manager [traffic routing methods](traffic-manager-routing-methods.md).
+* Learn about Traffic Manager [traffic routing methods](traffic-manager-routing-methods.md).
traffic-manager Traffic Manager Geographic Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-geographic-regions.md
- Last updated 04/27/2023
This article lists the countries and regions used by the **Geographic** traffic
## Next steps -- Learn more about [Geographic traffic routing method in Azure Traffic Manager](traffic-manager-routing-methods.md#geographic).
+- Learn more about [Geographic traffic routing method in Azure Traffic Manager](traffic-manager-routing-methods.md#geographic).
traffic-manager Traffic Manager How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-how-it-works.md
- Last updated 08/14/2023
traffic-manager Traffic Manager Manage Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-manage-endpoints.md
- Last updated 10/02/2023
For more information, see: [How do I move my Traffic Manager profile's Azure end
* [Traffic Manager endpoint monitoring](traffic-manager-monitoring.md) * [Troubleshooting Traffic Manager degraded state](traffic-manager-troubleshooting-degraded.md) * [Traffic Manager performance considerations](traffic-manager-performance-considerations.md)
-* [Operations on Traffic Manager (REST API Reference)](/previous-versions/azure/reference/hh758255(v=azure.100))
+* [Operations on Traffic Manager (REST API Reference)](/previous-versions/azure/reference/hh758255(v=azure.100))
traffic-manager Traffic Manager Manage Profiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-manage-profiles.md
- Last updated 08/14/2023
You can disable an existing profile so that Traffic Manager does not refer user
* [Configure Priority routing method](traffic-manager-configure-priority-routing-method.md) * [Configure Geographic routing method](traffic-manager-configure-geographic-routing-method.md) * [Configure Weighted routing method](traffic-manager-configure-weighted-routing-method.md)
-* [Configure Performance routing method](traffic-manager-configure-performance-routing-method.md)
+* [Configure Performance routing method](traffic-manager-configure-performance-routing-method.md)
traffic-manager Traffic Manager Metrics Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-metrics-alerts.md
- Last updated 04/27/2023
For more information about probes and monitoring, see [Traffic Manager endpoint
## Next steps - Learn more about [Azure Monitor service](../azure-monitor/essentials/metrics-supported.md)-- Learn how to [create a chart in Azure Monitor](../azure-monitor/essentials/analyze-metrics.md#create-a-metric-chart)
+- Learn how to [create a chart in Azure Monitor](../azure-monitor/essentials/analyze-metrics.md#create-a-metric-chart)
traffic-manager Traffic Manager Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-monitoring.md
- Last updated 06/21/2023
traffic-manager Traffic Manager Nested Profiles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-nested-profiles.md
- Last updated 11/10/2022
Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-mana
[8]: ./media/traffic-manager-nested-profiles/figure-8.png [9]: ./media/traffic-manager-nested-profiles/figure-9.png [10]: ./media/traffic-manager-nested-profiles/figure-10.png
-[11]: ./media/traffic-manager-nested-profiles/figure-11.png
+[11]: ./media/traffic-manager-nested-profiles/figure-11.png
traffic-manager Traffic Manager Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-overview.md
- Last updated 08/14/2023
-#Customer intent: As an IT admin, I want to learn about Traffic Manager and what I can use it for.
+#Customer intent: As an IT admin, I want to learn about Traffic Manager and what I can use it for.
# What is Traffic Manager?
For pricing information, see [Traffic Manager Pricing](https://azure.microsoft.c
- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md). - Learn [how Traffic Manager Works](traffic-manager-how-it-works.md).-- View [frequently asked questions](traffic-manager-FAQs.md) about Traffic Manager.
+- View [frequently asked questions](traffic-manager-FAQs.md) about Traffic Manager.
traffic-manager Traffic Manager Performance Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-performance-considerations.md
- Last updated 01/27/2023
traffic-manager Traffic Manager Point Internet Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-point-internet-domain.md
- Last updated 04/27/2023
All traffic requests to *www\.contoso.com* get directed to *contoso.trafficmanag
* [Traffic Manager routing methods](traffic-manager-routing-methods.md) * [Traffic Manager - Disable, enable or delete a profile](./traffic-manager-manage-profiles.md)
-* [Traffic Manager - Disable or enable an endpoint](./traffic-manager-manage-endpoints.md)
+* [Traffic Manager - Disable or enable an endpoint](./traffic-manager-manage-endpoints.md)
traffic-manager Traffic Manager Powershell Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-powershell-arm.md
- Last updated 03/16/2017-+
traffic-manager Traffic Manager Routing Methods https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-routing-methods.md
- Last updated 11/30/2022
Subnet routing can be used to deliver a different experience for users connectin
## Next steps
-Learn how to develop high-availability applications using [Traffic Manager endpoint monitoring](traffic-manager-monitoring.md)
+Learn how to develop high-availability applications using [Traffic Manager endpoint monitoring](traffic-manager-monitoring.md)
traffic-manager Traffic Manager Rum Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-rum-overview.md
description: In this introduction, learn how Azure Traffic Manager Real User Mea
--+ Last updated 04/27/2023
When you use Real User Measurements, you are billed based on the number of measu
- Learn [how Traffic Manager works](traffic-manager-overview.md) - Learn more about [Mobile Center](/mobile-center/) - Learn more about the [traffic-routing methods](traffic-manager-routing-methods.md) supported by Traffic Manager-- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md)
+- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md)
traffic-manager Traffic Manager Testing Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-testing-settings.md
- Last updated 05/22/2023
traffic-manager Traffic Manager Traffic View Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-traffic-view-overview.md
- Last updated 03/22/2023
When you use Traffic View, you're billed based on the number of data points used
- Learn how to [create a Traffic Manager profile](./quickstart-create-traffic-manager-profile.md) <!--Image references-->
-[1]: ./media/traffic-manager-traffic-view-overview/trafficview.png
+[1]: ./media/traffic-manager-traffic-view-overview/trafficview.png
traffic-manager Traffic Manager Troubleshooting Degraded https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-troubleshooting-degraded.md
- Last updated 05/03/2017
traffic-manager Tutorial Traffic Manager Improve Website Response https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/tutorial-traffic-manager-improve-website-response.md
- Last updated 03/06/2023
traffic-manager Tutorial Traffic Manager Subnet Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/tutorial-traffic-manager-subnet-routing.md
Title: 'Tutorial: Configure subnet traffic routing with Azure Traffic Manager'
-description: This tutorial explains how to configure Traffic Manager to route traffic from user subnets to specific endpoints.
+description: This tutorial explains how to configure Traffic Manager to route traffic from user subnets to specific endpoints.
- Last updated 03/08/2021
update-manager Manage Dynamic Scoping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/update-manager/manage-dynamic-scoping.md
To view the list of Dynamic scopes associated to a given maintenance configurati
1. The schedules associated to dynamic scopes are displayed in the following two areas: - **Update manager** > **Machines** > **Associated schedules** column - In your virtual machine home page > **Updates** > **Scheduling** tab.
-1. To view the VMs that are associated to the schedule, go to the existing schedule and view under **Dynamic scopes** tab.
+ - To view the VMs that are associated to the schedule, go to the existing schedule and view under **Dynamic scopes** tab.
## Edit a Dynamic scope
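Review bot: the new ` - To view the VMs that are associated to the schedule...` bullet now falls under "The schedules associated to dynamic scopes are displayed in the following two areas:", as far as the flattened context shows. That sentence is then followed by three bullets, and the third is an instruction rather than an area. Keep it as its own numbered step, or place it after the list as a plain sentence.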
virtual-desktop Whats New Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-agent.md
Title: What's new in the Azure Virtual Desktop Agent? - Azure
description: New features and product updates for the Azure Virtual Desktop Agent. Previously updated : 01/25/2024 Last updated : 02/08/2024
A rollout may take several weeks before the agent is available in all environmen
| Release | Latest version | |--|--|
-| Production | 1.0.7909.2600 |
-| Validation | 1.0.8297.400 |
+| Production | 1.0.8297.800 |
+| Validation | 1.0.8431.300 |
> [!TIP] > The Azure Virtual Desktop Agent is automatically installed when adding session hosts in most scenarios. If you need to install the agent manually, you can download it at [Register session hosts to a host pool](add-session-hosts-host-pool.md#register-session-hosts-to-a-host-pool), together with the steps to install it.
-## Version 1.0.8297.400 (validation)
+## Version 1.0.8431.300 (validation)
+
+*Published: February 2024*
+
+In this update, we've made the following changes:
+
+- General improvements and bug fixes.
+
+## Version 1.0.8297.800
+
+*Published: February 2024*
+
+In this update, we've made the following changes:
+
+- General improvements and bug fixes.
+
+## Version 1.0.8297.400
*Published: January 2024*
virtual-machine-scale-sets Azure Hybrid Benefit Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/azure-hybrid-benefit-linux.md
Title: Azure Hybrid Benefit for Linux Virtual Machine Scale Sets
+ Title: Azure Hybrid Benefit for Linux Virtual Machine Scale Sets
description: Learn how Azure Hybrid Benefit can apply to Virtual Machine Scale Sets and save you money on Linux virtual machines in Azure.
- Last updated 11/22/2022
virtual-machine-scale-sets Instance Generalized Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/instance-generalized-image-version.md
- Last updated 11/22/2022
virtual-machine-scale-sets Instance Specialized Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/instance-specialized-image-version.md
- Last updated 11/22/2022-+
virtual-machine-scale-sets Spot Priority Mix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/spot-priority-mix.md
- Last updated 07/01/2023
Spot VMs, and therefore Spot Priority Mix, are available in all global Azure reg
> [!div class="nextstepaction"] > [Learn more about Spot virtual machines](../virtual-machines/spot-vms.md)--
virtual-machine-scale-sets Spot Vm Size Recommendation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/spot-vm-size-recommendation.md
- Last updated 11/22/2022
You can access Azure's size recommendations through the Virtual Machine Scale Se
## Next steps > [!div class="nextstepaction"]
-> [Learn more about Spot virtual machines](../virtual-machines/spot-vms.md)
+> [Learn more about Spot virtual machines](../virtual-machines/spot-vms.md)
virtual-machine-scale-sets Virtual Machine Scale Sets Manage Fault Domains https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/virtual-machine-scale-sets-manage-fault-domains.md
Virtual Machine Scale Sets are created with five fault domains by default in Azu
You can also consider aligning the number of scale set fault domains with the number of Managed Disks fault domains. This alignment can help prevent loss of quorum if an entire Managed Disks fault domain goes down. The FD count can be set to less than or equal to the number of Managed Disks fault domains available in each of the regions. Refer to this [document](../virtual-machines/availability-set-overview.md) to learn about the number of Managed Disks fault domains by region. ## REST API
-You can set the property `properties.platformFaultDomainCount` to 1, 2, or 3 (default of 3 if not specified). Refer to the documentation for REST API [here](/rest/api/compute/virtualmachinescalesets/createorupdate).
+You can set the property `properties.platformFaultDomainCount` to 1, 2, or 3 (default of 1 if not specified). Refer to the documentation for REST API [here](/rest/api/compute/virtualmachinescalesets/createorupdate).
## Azure CLI
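Review bot: the changed sentence under `## REST API` now says "default of 1 if not specified", while the article's opening context line says scale sets are created with five fault domains by default. A reader sees two different defaults in one article. State which deployments each default applies to (the opening line is truncated here, so it may already be qualified), and check that "1, 2, or 3" is still the full set of accepted values for `properties.platformFaultDomainCount`.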
virtual-machines Acu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/acu.md
- Last updated 04/27/2022
virtual-machines Attach Os Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/attach-os-disk.md
Title: Attach an existing OS disk to a VM
description: Create a new Windows VM by attaching a specialized OS disk. - Last updated 03/30/2023
virtual-machines Automatic Extension Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-extension-upgrade.md
Title: Automatic Extension Upgrade for VMs and Scale Sets in Azure
description: Learn how to enable the Automatic Extension Upgrade for your virtual machines and virtual machine scale sets in Azure. - Last updated 11/7/2023
virtual-machines Automatic Vm Guest Patching https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-vm-guest-patching.md
description: Learn how to automatically patch virtual machines in Azure.
- Last updated 10/20/2021
virtual-machines Capacity Reservation Associate Virtual Machine Scale Set Flex https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/capacity-reservation-associate-virtual-machine-scale-set-flex.md
This content applies to the flexible orchestration mode. For uniform orchestrati
> [!IMPORTANT]
-> Capacity Reservations with virtual machine set using flexible orchestration is currently in public preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Capacity Reservations with virtual machine set using flexible orchestration is currently in public preview for FD>1. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> During the preview, always attach reserved capacity during creation of new scale sets using flexible orchestration mode. There are known issues attaching capacity reservations to existing scale sets using flexible orchestration. Microsoft will update this page as more options become enabled during preview. ## Associate a new virtual machine scale set to a Capacity Reservation group
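Review bot: "FD>1" in the changed `[!IMPORTANT]` sentence is an undefined abbreviation. Write it out, for example "for scale sets with a fault domain count greater than 1", and say what status applies when the count is 1. The following sentence ("During the preview, always attach reserved capacity during creation...") still reads as if the whole feature is in preview. "virtual machine set" in the same sentence also appears to be missing "scale".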
virtual-machines Capture Image Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/capture-image-portal.md
description: Create an image of a VM using the Azure portal.
- Last updated 04/12/2022
virtual-machines Capture Image Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/capture-image-resource.md
description: Create a legacy managed image of a generalized VM or VHD in Azure.
- Last updated 03/15/2023
virtual-machines Classic Vm Deprecation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/classic-vm-deprecation.md
Title: We're retiring Azure VMs (classic) on September 6, 2023
+ Title: We're retiring Azure VMs (classic) on September 6, 2023
description: This article provides a high-level overview of the retirement of VMs created using the classic deployment model. - Last updated 02/10/2020
virtual-machines Copy Files To Vm Using Scp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/copy-files-to-vm-using-scp.md
Title: Use SCP to move files to and from a VM
description: Securely move files to and from a Linux VM in Azure using SCP and an SSH key pair. - Last updated 12/9/2022
The `-r` flag instructs SCP to recursively copy the files and directories from t
## Next steps
-* [Manage users, SSH, and check or repair disks on Azure Linux VMs using the 'VMAccess' Extension](./extensions/vmaccess-linux.md)
+* [Manage users, SSH, and check or repair disks on Azure Linux VMs using the 'VMAccess' Extension](./extensions/vmaccess-linux.md)
virtual-machines Create Fqdn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/create-fqdn.md
- Last updated 02/25/2023
virtual-machines Create Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/create-gallery.md
- Last updated 03/23/2023 -+ ms.devlang: azurecli- # Create a gallery for storing and sharing resources
virtual-machines Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/custom-domain.md
Title: Create and use a custom domain
+ Title: Create and use a custom domain
description: Connect a custom domain to a virtual machine in Azure. - Last updated 02/23/2023
After the record is created it usually takes about an hour for DNS propagate, bu
## Next steps [Overview of TLS termination and end to end TLS with Application Gateway](../application-gateway/ssl-overview.md).-
virtual-machines Dedicated Hosts How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/dedicated-hosts-how-to.md
- Last updated 07/12/2023
virtual-machines Dedicated Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/dedicated-hosts.md
description: Learn more about how Azure Dedicated Hosts can be used for deployin
- Last updated 1/25/2023 - #Customer intent: As an IT administrator, I want to learn more about using a dedicated host for my Azure virtual machines
Azure monitors and manages the health status of your hosts. The following states
- There's a [sample template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.compute/vm-dedicated-hosts/README.md) that uses both zones and fault domains for maximum resiliency in a region. - You can also save on costs with a [Reserved Instance of Azure Dedicated Hosts](prepay-dedicated-hosts-reserved-instances.md).----
virtual-machines Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/delete.md
Title: Delete a VM and attached resources
description: Learn how to delete a VM and the resources attached to the VM. - - Last updated 05/09/2022
virtual-machines Ephemeral Os Disks Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ephemeral-os-disks-deploy.md
Title: Deploy Ephemeral OS disks
description: Learn to deploy ephemeral OS disks for Azure VMs. - Last updated 07/23/2020
virtual-machines Ephemeral Os Disks Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ephemeral-os-disks-faq.md
Title: FAQ Ephemeral OS disks
+ Title: FAQ Ephemeral OS disks
description: Frequently asked questions on ephemeral OS disks for Azure VMs. - Last updated 05/26/2022 -+ # Frequently asked questions about Ephemeral OS disks
virtual-machines Ephemeral Os Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ephemeral-os-disks.md
Title: Ephemeral OS disks
description: Learn more about ephemeral OS disks for Azure VMs. - Last updated 07/23/2020
virtual-machines Error Codes Spot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/error-codes-spot.md
Title: Error codes for Azure Spot Virtual Machines and scale sets instances
+ Title: Error codes for Azure Spot Virtual Machines and scale sets instances
description: Learn about error codes that you could possibly see when using Azure Spot Virtual Machines and scale set instances. - Last updated 02/28/2023
virtual-machines Hpc Compute Infiniband Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/hpc-compute-infiniband-linux.md
vm-linux- Last updated 04/21/2023
virtual-machines Hpc Compute Infiniband Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/hpc-compute-infiniband-windows.md
vm-windows- Last updated 1/13/2022
virtual-machines Hpccompute Amd Gpu Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/hpccompute-amd-gpu-windows.md
Title: AMD GPU Driver Extension - Azure Windows VMs
+ Title: AMD GPU Driver Extension - Azure Windows VMs
description: Microsoft Azure extension for installing AMD GPU drivers on NVv4-series VMs running Windows.
vm-windows- Last updated 10/14/2021-+ # AMD GPU Driver Extension for Windows
virtual-machines Hpccompute Gpu Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/hpccompute-gpu-linux.md
vm-linux - Last updated 07/28/2023
virtual-machines Hpccompute Gpu Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/hpccompute-gpu-windows.md
vm-windows - Last updated 04/06/2023
virtual-machines Iaas Antimalware Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/iaas-antimalware-windows.md
vm-windows- Last updated 04/10/2023
virtual-machines Issues Using Vm Extensions Python 3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/issues-using-vm-extensions-python-3.md
Title: Issues using VM extensions in Python 3-enabled Linux Azure Virtual Machines systems
+ Title: Issues using VM extensions in Python 3-enabled Linux Azure Virtual Machines systems
description: Learn about using VM extensions in Python 3-enabled Linux systems
- Last updated 03/15/2023
virtual-machines Flash Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/flash-azure-monitor.md
+
+ Title: Project Flash - Use Azure Monitor to monitor Azure Virtual Machine availability
+description: This article covers important concepts for monitoring Azure virtual machine availability using the Azure Monitor VM availability metric.
++++ Last updated : 01/31/2024+++
+# Project Flash - Use Azure Monitor to monitor Azure Virtual Machine availability
+
+Azure Monitor is one solution offered by Flash. Flash is the internal name for a project dedicated to building a robust, reliable, and rapid mechanism for customers to monitor virtual machine (VM) health.
+
+This article covers the use of the Azure Monitor VM availability metric to monitor Azure Virtual Machine availability. For a general overview of Flash solutions, see the [Flash overview](flash-overview.md).
+
+For documentation specific to the other solutions offered by Flash, choose from the following articles:
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+
+## Azure monitor - VM availability metric
+
+Currently in public preview. It's well-suited for tracking trends, aggregating platform metrics (such as CPU and disk usage) and configuring precise threshold-based alerts. Customers can utilize this out-of-the-box [VM availability metric](../azure-monitor/platform/alerts-overview.md) in [Azure Monitor](../azure-monitor/platform/alerts-overview.md). This metric displays the trend of VM availability over time, so users can:
+
+- Set up [threshold-based metric alerts](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=metric) on dipping VM availability to quickly trigger appropriate mitigation actions.
+- Correlate the VM availability metric with existing [platform metrics](../azure-monitor/essentials/data-platform-metrics.md) like memory, network, or disk for deeper insights into concerning changes that impact the overall performance of workloads.
+- Easily interact with and chart metric data during any relevant time window on [Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md), for quick and easy debugging.
+- Route metrics to downstream tooling like [Grafana dashboards](../azure-monitor/visualize/grafana-plugin.md), for constructing custom visualizations and dashboards.
+
+### Get started
+
+Users can either consume the metric programmatically via the [Azure Monitor REST API](/rest/api/monitor/metrics) or directly from the [Azure portal](https://portal.azure.com/). The following steps highlight metric consumption from the Azure portal.
+
+Once on the Azure portal, navigate to the VM overview blade. The new metric is displayed as VM Availability (Preview), along with other platform metrics under the Monitoring tab.
+
+ :::image type="content" source="media/flash/virtual-machine-availability-metric.png" alt-text="Screenshot of virtual machine availability metric on a virtual machine's overview page on the Azure portal." lightbox="media/flash/virtual-machine-availability-metric.png" :::
+
+Select (single click) the VM availability metric chart on the overview page, to navigate to [Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for further analysis.
+Select the VM availability metric chart on the overview page, to navigate to [Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for further analysis.
+
+ :::image type="content" source="media/flash/metrics-explorer-virtual-machine-availability.png" alt-text="Screenshot of the newly added VM availability Metric on Metrics Explorer on Azure portal." lightbox="media/flash/metrics-explorer-virtual-machine-availability.png" :::
+
+### Metric description
+
+| **Display Name** | **VM Availability (preview)** |
+| | |
+| Metric Values | 1 during expected behavior; corresponds to VM in Available state. 0 when VM is impacted by rebootful disruptions; corresponds to VM in Unavailable state. NULL (shows a dotted or dashed line on charts) when the Azure service that is emitting the metric is down or is unaware of the exact status of the VM; corresponds to VM in Unknown state. |
+| Aggregation | The default aggregation of the metric is Average, for prioritized investigations based on extent of downtime incurred. The other aggregations available are: Min, to immediately pinpoint to all the times where VM was unavailable. Max, to immediately pinpoint to all the instances where VM was Available. For more information on chart range, granularity, and data aggregation, see [Azure Monitor Metrics aggregation and display explained](../azure-monitor/essentials/metrics-aggregation-explained.md). |
+| Data Retention | Data for the VM availability metric is [stored for 93 days](../azure-monitor/essentials/data-platform-metrics.md#retention-of-metrics) to help trend analysis and historical lookback. |
+| Pricing | Refer to the [Pricing breakdown](https://azure.microsoft.com/pricing/details/monitor/#pricing), specifically in the "Metrics" and "Alert Rules" sections. |
+
+We plan to include impact details (user vs platform initiated, planned vs unplanned) as dimensions to the metric, so users are well equipped to interpret dips, and set up much more targeted metric alerts. With the emission of dimensions in 202, we also anticipate transitioning the offering to a general availability status.
+
+### Useful links
+
+- [How to filter events for Azure Event Grid - Azure Event Grid | Microsoft Learn](../event-grid/how-to-filter-events.md)
+- [Event filtering for Azure Event Grid - Azure Event Grid | Microsoft Learn](../event-grid/event-filtering.md#advanced-filtering)
+
+## Next steps
+
+To learn more about the solutions offered, proceed to corresponding solution article:
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+
+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).
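Review bot: the year is cut off in "With the emission of dimensions in 202", in the paragraph after the metric table. Supply the intended year or drop the date. Under "Get started", the sentence "Select ... the VM availability metric chart on the overview page, to navigate to Metrics Explorer" appears twice in a row, once with "(single click)" and once without, so keep only one. The "Useful links" section lists only two Event Grid filtering articles, which do not match this article's Azure Monitor metric topic. In the section intro, the "VM availability metric" and "Azure Monitor" links both point to `alerts-overview.md`, so one of the two targets is probably wrong. The section also opens with the fragment "Currently in public preview.", which needs a subject.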
virtual-machines Flash Azure Resource Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/flash-azure-resource-graph.md
+
+ Title: Project Flash - Use Azure Resource Graph to monitor Azure Virtual Machine availability
+description: This article covers important concepts for monitoring Azure virtual machine availability using Azure Resource Graph.
++++ Last updated : 01/31/2024+++
+# Project Flash - Use Azure Resource Graph to monitor Azure Virtual Machine availability
+
+Azure Resource Graph is one solution offered by Flash. Flash is the internal name for a project dedicated to building a robust, reliable, and rapid mechanism for customers to monitor virtual machine (VM) health.
+
+This article covers the use of Azure Resource Graph to monitor Azure Virtual Machine availability. For a general overview of Flash solutions, see the [Flash overview](flash-overview.md).
+
+For documentation specific to the other solutions offered by Flash, choose from the following articles:
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+
+## Azure Resource Graph - HealthResources
+
+This feature is currently generally available. It's useful for conducting large-scale investigations. It offers a highly user-friendly experience for [information retrieval](../governance/resource-graph/samples/samples-by-table.md) with its use of [kusto query language](../governance/resource-graph/concepts/query-language.md) (KQL). It can also serve as a central hub for resource information and allows easy retrieval of historical data.
+
+In addition to already flowing [VM availability states](../service-health/resource-health-overview.md#health-status), we published [VM availability annotations](../service-health/resource-health-vm-annotation.md) to [Azure Resource Graph](../governance/resource-graph/overview.md) (ARG) for detailed failure attribution and downtime analysis, along with enabling a 14-day [change tracking](../governance/resource-graph/how-to/get-resource-changes.md?tabs=azure-cli) mechanism to trace historical changes in VM availability for quick debugging. With these new additions, we're excited to announce the general availability of VM availability information in the HealthResources dataset in ARG! With this offering users can:
+
+- Efficiently query the latest snapshot of VM availability across all Azure subscriptions at once and at low latencies for periodic and fleetwide monitoring.
+- Accurately assess the impact to fleetwide business SLAs and quickly trigger decisive mitigation actions, in response to disruptions and type of failure signature.
+- Set up custom dashboards to supervise the comprehensive health of applications by [joining VM availability information](../governance/resource-graph/concepts/work-with-data.md) with [resource metadata present in ARG](../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli).
+- Track relevant changes in VM availability across a rolling 14-day window, by using the [change-tracking mechanism](../governance/resource-graph/how-to/get-resource-changes.md?tabs=azure-cli) for conducting detailed investigations.
+
+### Sample queries
+
+- [Azure Resource Graph sample queries for Azure Service Health - Azure Service Health | Microsoft Learn](../service-health/resource-graph-samples.md#resource-health)
+- [VM availability information in Azure Resource Graph - Azure Virtual Machines | Microsoft Learn](resource-graph-availability.md)
+- [List of sample Azure Resource Graph queries by table - Azure Resource Graph | Microsoft Learn](../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli#healthresources)
+
+### Get started
+
+Users can query ARG via [PowerShell](../governance/resource-graph/first-query-powershell.md), [REST API](../governance/resource-graph/first-query-rest-api.md), [Azure CLI](../governance/resource-graph/first-query-azurecli.md), or even the [Azure portal](https://portal.azure.com/). The following steps detail how data can be accessed from Azure portal.
+
+1. Once on the Azure portal, navigate to Resource Graph Explorer.
+
+ :::image type="content" source="media/flash/resource-graph-explorer-landing-page.png" alt-text="Screenshot of the Azure Resource Graph Explorer landing page on the Azure portal." lightbox="media/flash/resource-graph-explorer-landing-page.png" :::
+
+1. Select the Table tab and (single) click on the HealthResources table to retrieve the latest snapshot of VM availability information (availability state and health annotations).
+
+ :::image type="content" source="media/flash/health-resources-table.png" alt-text="Screenshot of an Azure Resource Graph Explorer Window depicting the latest VM availability states and VM availability annotations in the Health Resources table." lightbox="media/flash/health-resources-table.png" :::
+
+There are two types of events populated in the HealthResources table:
+
+ :::image type="content" source="media/flash/health-resources-table-events.png" alt-text="Snapshot of the type of events in the Health Resources table, as shown in Resource Graph Explorer on the Azure portal." lightbox="media/flash/health-resources-table-events.png" :::
+
+- resourcehealth/availabilitystatuses
+
+This event denotes the latest availability status of a VM, based on the health checks performed by the underlying Azure platform. The availability states we currently emit for VMs are:
+
+- Available: The VM is up and running as expected.
+- Unavailable: We detected disruptions to the normal functioning of the VM, and therefore, applications won't run as expected.
+- Unknown: The platform is unable to accurately detect the health of the VM. Users can usually check back in a few minutes for an updated state.
+
+To poll the latest VM availability state, refer to the properties field, which contains the following details:
+
+### Sample
+```
+{
+ "targetResourceType": "Microsoft.Compute/virtualMachines",
+ "previousAvailabilityState": "Available",
+ "targetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/",
+ "occurredTime": "2022-10-11T11:13:59.9570000Z",
+ "availabilityState": "Unavailable"
+ }
+```
+
+### Property description
+
+| **Property** | **Description** | **[Corresponding resource health category (RHC)](../azure-monitor/essentials/activity-log-schema.md#resource-health-category)** |
+| - | - | - |
+| targetResourceType | Type of resource for which health data is flowing | resourceType |
+| targetResourceId | Resource ID | resourceId |
+| occurredTime | Timestamp when the platform emits the latest availability state | eventTimestamp |
+| previousAvailabilityState | Previous availability state of the VM | previousHealthStatus |
+| availabilityState | Current availability state of the VM | currentHealthStatus |
+
+See the [HealthResources section of the samples queries documentation](../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli#healthresources) for a list of starter queries to further explore this data.
+
+- resourcehealth/resourceannotations (NEWLY ADDED)
+
+This event contextualizes any changes to VM availability, by detailing necessary failure attributes to help users investigate and mitigate the disruption as needed. [See the full list of VM availability annotations](../service-health/resource-health-vm-annotation.md) emitted by the platform.
+ These annotations can be broadly classified into three buckets:
+
+- Downtime Annotations: These annotations are emitted when the platform detects VM availability transitioning to Unavailable. (For example, during unexpected host crashes, rebootful repair operations).
+- Informational Annotations: These annotations are emitted during control plane activities with no impact to VM availability. (Such as VM allocation/Stop/Delete/Start). Usually, no further customer action is required in response.
+- Degraded Annotations: These annotations are emitted when VM availability is detected to be at risk. (For example, when [failure prediction models](https://azure.microsoft.com/blog/advancing-failure-prediction-and-mitigation-introducing-narya) predict a degraded hardware component that can cause the VM to reboot at any given time). We strongly urge users to redeploy by the deadline specified in the annotation message, to avoid any unanticipated loss of data or downtime. You may receive an alert in Azure virtual machine scale sets Resource Health or Activity log in one of the following scenarios:
+ - VMs in the Azure virtual machine scale sets are in the process of being stopped, deallocated, deleted, or started.
+ - You performed scaling in or out operations on the virtual machine scale sets.
+ - The alert indicates that the aggregated platform health of [the virtual machine scale sets is in a transient state of "Degraded."](/troubleshoot/azure/virtual-machine-scale-sets/resource-health-degraded-state)
+
+To poll the associated VM availability annotations for a resource, if any, refer to the properties field, which contains the following details:
+
+### Sample
+```
+{
+ "targetResourceType": "Microsoft.Compute/virtualMachines", "targetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/",
+ "annotationName": "VirtualMachineHostRebootedForRepair",
+ "occurredTime": "2022-09-25T20:21:37.5280000Z",
+ "category": "Unplanned",
+ "summary": "We're sorry, your virtual machine isn't available because an unexpected failure on the host server. Azure has begun the auto-recovery process and is currently rebooting the host server. No further action is required from you at this time. The virtual machine will be back online after the reboot completes.",
+ "context": "Platform Initiated",
+ "reason": "Unexpected host failure"
+ }
+```
+
+### Property description
+
+| **Property** | **Description** | **[Corresponding RHC](../azure-monitor/essentials/activity-log-schema.md#resource-health-category)** |
+| - | - | - |
+| targetResourceType | Type of resource for which health data is flowing | resourceType |
+| targetResourceId | Resource ID | resourceId |
+| occurredTime | Timestamp when the latest availability state is emitted by the platform | eventTimestamp |
+| annotationName | Name of the Annotation emitted | eventName |
+| reason | Brief overview of the availability impact observed by the customer | title |
+| category | Denotes whether the platform activity that triggered the annotation was either planned maintenance or unplanned repair. This field isn't applicable to customer/VM-initiated events. Possible values: Planned, Unplanned, Not Applicable, Null | category |
+| context | Denotes whether the activity that triggered the annotation was due to an authorized user or process (customer-initiated), the Azure platform (platform-initiated), or activity in the guest OS that resulted in availability impact (VM initiated). Possible values: Platform-initiated, User-initiated, VM-initiated, Not Applicable, Null | context |
+| summary | Statement detailing the cause for annotation emission, along with remediation steps that users can take | summary |
+
+See the [HealthResources section of the samples queries documentation](../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli#healthresources) for a list of starter queries to further explore this data.
+
+We have multiple enhancements planned for the annotation metadata that is surfaced in the HealthResources dataset. These enrichments give users access to richer failure attributes to decisively prepare a response to a disruption. In parallel, we aim to extend the duration of historical lookback to a minimum of 30 days so users can comprehensively track past changes in VM availability.
+
+## Next steps
+
+To learn more about the solutions offered, proceed to corresponding solution article:
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+
+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).
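Review bot: The `context` values in the resourceannotations sample and in its property table do not match: the sample has `"context": "Platform Initiated"`, while the table lists `Platform-initiated, User-initiated, VM-initiated`, and the table's description says "customer-initiated" where its value list says "User-initiated". Readers will filter and alert on these strings, so the table should list the exact values the platform emits, in the same spelling and case as the sample. In the same table, the `occurredTime` description ("Timestamp when the latest availability state is emitted by the platform") reads as carried over from the availabilitystatuses table and should describe when the annotation was emitted. Smaller points: the second sample puts `targetResourceType` and `targetResourceId` on one line; both samples show `targetResourceId` with empty path segments (`/subscriptions//resourceGroups//...`) where placeholders are expected; the fences carry no language tag; and `### Sample` and `### Property description` each appear twice at the same level as `### Get started`, which produces duplicate anchors, so consider making the two event types headings and nesting these under them. The scale-set alert scenarios are appended to the "Degraded Annotations" bullet and would read better as a separate paragraph after the list.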
virtual-machines Flash Azure Resource Health https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/flash-azure-resource-health.md
+
+ Title: Project Flash - Use Azure Resource Health to monitor Azure Virtual Machine availability
+description: This article covers important concepts for monitoring Azure virtual machine availability using Azure Resource Health.
++++ Last updated : 01/31/2024+++
+# Project Flash - Use Azure Resource Health to monitor Azure Virtual Machine availability
+
+Azure Resource Health is one solution offered by Flash. Flash is the internal name for a project dedicated to building a robust, reliable, and rapid mechanism for customers to monitor virtual machine (VM) health.
+
+This article covers the use of Azure Resource Health to monitor Azure Virtual Machine availability. For a general overview of Flash solutions, see the [Flash overview](flash-overview.md).
+
+For documentation specific to the other solutions offered by Flash, choose from the following articles:
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+
+## Azure Resource Health
+
+It offers immediate and user-friendly health checks for individual resources through the portal. Customers can quickly access the [resource health](../service-health/resource-health-overview.md) blade on the portal and also review a 30-day historical record of health checks, making it an excellent tool for fast and straightforward troubleshooting. The existing Azure Resource Health feature helps you to diagnose and get support for service problems that affect your Azure resources. It reports on the current and past health of your resources, showing any time ranges that each of your resources have been unavailable.
+
+But we know that our customers and partners are interested in understanding what causes underlying technical issues, and in improving how they can receive communications about any issuesΓÇöto feed into monitoring processes, to explain hiccups to other stakeholders, and ultimately to inform business decisions.
+
+### Root causes for VM issues in Azure Resource Health
+
+We recently shipped an improvement to the resource health experience that will enhance the information we share with customers about VM failures and provide further context on the root cause that led to the issue. Now, in addition to getting a fast notification when a VM's availability is impacted, customers can expect a root cause to be added at a later point once our automated Root Cause Analysis (RCA) system identifies the failing Azure platform component that led to the VM failure. Let's walk through an example to see how this works process in practice:
+
+At time T1, a server rack goes offline due to a networking issue, causing VMs on the rack to lose connectivity. Recent reliability improvements related to network architecture will be shared in a future [Advancing Reliability](https://www.aka.ms/AdvancingReliability) blog postΓÇöwatch this space!
+
+At time T2, Azure's internal monitoring recognizes that it's unable to reach VMs on the rack and begins to mitigate by redeploying the impacted VMs to a new rack. During this time, an annotation is sent to resource health notifying customers that their VM is currently impacted and unavailable.
+
+ :::image type="content" source="media/flash/azure-portal-resource-health-history.png" alt-text="Screenshot of the Azure portal resource health blade showing the health history of a resource." lightbox="media/flash/azure-portal-resource-health-history.png" :::
+
+At time T3, platform telemetry from the top of rack switch, the host machine, and internal monitoring systems are correlated together in our RCA engine to derive the root cause of the failure. Once computed, the RCA is then published back into resource health along with relevant architectural resiliency recommendations that customers can implement to minimize the probability of impact in the future.
+
+ :::image type="content" source="media/flash/azure-portal-resource-health-history-root-cause.png" alt-text="Screenshot of the Azure portal health history blade showing root cause details for an example of a VM issue." lightbox="media/flash/azure-portal-resource-health-history-root-cause.png" :::
+
+While the initial downtime notification functionality is several years old, the publishing of a root cause statement is a new addition. Now, let's dive into the details of how we derive these root causes.
+
+### Root Cause Analysis engine
+
+Let's take a closer look at the prior example and walk through the details of how the RCA engine works and the technology behind it. At the core of our RCA engine for VMs is [Azure Data Explorer](/azure/data-explorer/data-explorer-overview) (ADX), a big data service optimized for high volume log telemetry analytics. Azure Data Explorer enables the ability to easily parse terabytes of log telemetry from devices and services that comprise the Azure platform, join them together, and interpret the correlated information streams to derive a root cause for different failure scenarios. This ends up being a multistep data engineering process:
+
+Phase 1: Detecting downtime
+
+The first phase in root cause analysis is to define the trigger under which the analysis is executed. For Virtual Machines, we want to determine root causes whenever a VM unexpectedly reboots, so the trigger is a VM transitioning from an up state to a down state. Identifying these transitions from platform telemetry is straightforward in most scenarios, but more complicated around certain kinds of infrastructure failure where platform telemetry might get lost due to device failure or power loss. To handle these classes of failures, other techniques are requiredΓÇölike tracking data loss as a possible indication of a VM availability transition. Azure Data Explorer excels at this time of series analysis, and a more detailed look at techniques around this process can be found in the Microsoft Tech Community: [Calculating downtime using Window functions and Time Series functions in Azure Data Explorer](https://techcommunity.microsoft.com/t5/azure-data-explorer/calculating-downtime-using-window-functions-and-time-series/ba-p/1345430).
+
+Phase 2: Correlation analysis
+
+Once a trigger event is defined (in this case, a VM transitioning to an unhealthy state) the next phase is correlation analysis. In this step, we use the presence of the trigger event to correlate telemetry from points across the Azure platform, like:
+
+- Azure host: the physical blade hosting VMs.
+- TOR: the top of rack network switch.
+- Azure Storage: the service that hosts Virtual Disks for Azure Virtual Machines.
+
+Each of these systems has their own telemetry feeds that need to get parsed and correlated with the VM downtime trigger event. This process is done through understanding the dependency graph for a VM and the underlying systems that can cause a VM to fail, and then joining all these dependent systems' health telemetry together, filtered on events that occurred close to the time of the VM transition. Azure Data Explorer's intuitive and powerful query language helps by offering documented patterns like [time window join](/azure/data-explorer/kusto/query/join-timewindow) for correlating temporal telemetry streams together. At the end of this correlation process, we have a dataset that represents VM downtime transitions with correlated platform telemetry from all the dependent systems that could cause or could have information useful in determining what led to the VM failure.
+
+Phase 3: Root cause attribution
+
+The next step in the process is attribution. Now that we've collected all the relevant data together in a single dataset, attribution rules get applied to interpret the information and translate it into a customer-facing root cause statement. If you go back to our original example of a TOR failure, after our correlation analysis we might have many interesting pieces of information to interpret. For example, systems monitoring the Azure hosts might have logs indicating they lost connectivity to the hosts during this time. We might also have signals related to virtual disk connectivity problems, and explicit signals from the TOR device about the failure. All these pieces of information are now scanned over, and the explicit TOR failure signal is prioritized over the other signals as the root cause. This prioritization process, and the rules behind it, are constructed with domain experts and modified as the Azure platform evolves. Machine learning and anomaly detection mechanisms sit on top of these attributed root causes, to help identify opportunities to improve these classification rules and detect pattern changes in the rate of these failures to feed back into [safe deployment pipelines](https://azure.microsoft.com/blog/advancing-safe-deployment-with-aiops-introducing-gandalf/).
+
+Phase 4: RCA publishing
+
+The last step is publishing root causes to Azure Resource Health, where they become visible to customers. Publishing is done by a simple [Azure Functions](https://azure.microsoft.com/services/functions/) application, which periodically queries the processed root cause data in Azure Data Explorer, and emits the results to the resource health backend. Because information streams can come in with various data delays, RCAs can occasionally be updated in this process to reflect better sources of information having arrived leading to a more specific root cause that what was originally published.
+
+### Going forward
+
+Identifying and communicating the root cause of any issues to our customers and partners is just the beginning. Our customers may need to take these RCAs and share them with their customers and coworkers. We want to build on the work here to make it easier to identify and track resource RCAs, and easily share them out. To accomplish that, we're working on backend changes to generate unique per-resource and per-downtime tracking IDs that we can expose to you, so that you can easily match downtimes to their RCAs. We're also working on new features to make it easier to email RCAs out, and eventually subscribe to RCAs for your VMs. This feature will make it possible to sign up for RCAs directly in your inbox after an unavailability event with no further action needed on your part.
+
+## Next steps
+
+To learn more about the solutions offered, proceed to corresponding solution article:
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+
+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).
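Review bot: Three sentences have wording errors that obscure the meaning: "to see how this works process in practice" (drop "process"), "Azure Data Explorer excels at this time of series analysis" (presumably "this type of time series analysis"), and "a more specific root cause that what was originally published" ("than"). The "Azure Resource Health" section also opens with "It offers immediate and user-friendly health checks" with no antecedent; name the feature. Since Phase 4 says a published RCA can later be updated, it would help to state how a reader can tell that the root cause shown in health history was revised, because someone copying the first statement into an incident report may be quoting a superseded cause. Blog-style phrasing ("We recently shipped", "watch this space!", "Now, let's dive into the details") and the "Phase N:" lines, which are plain paragraphs rather than headings, should be brought in line with the rest of the article.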
virtual-machines Flash Event Grid System Topic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/flash-event-grid-system-topic.md
+
+ Title: Project Flash - Use Azure Event Grid to monitor Azure Virtual Machine availability
+description: This article covers important concepts for monitoring Azure virtual machine availability using Azure Event Grid system topics.
++++ Last updated : 01/31/2024+++
+# Project Flash - Use Azure Event Grid to monitor Azure Virtual Machine availability
+
+Azure Event Grid is one solution offered by Flash. Flash is the internal name for a project dedicated to building a robust, reliable, and rapid mechanism for customers to monitor virtual machine (VM) health.
+
+This article covers the use of Azure Event Grid system topics to monitor Azure Virtual Machine availability. For a general overview of Flash solutions, see the [Flash overview](flash-overview.md).
+
+For documentation specific to the other solutions offered by Flash, choose from the following articles:
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+
+## Azure Event Grid system topic - HealthResources
+
+To ensure seamless operation of business-critical applications, it's crucial to have real time awareness of any event that might adversely impact VM availability. This awareness enables you to swiftly take remedial actions to shield end-users from any disruption. To support you in your daily operations, we're delighted to announce the public preview of the [HealthResources Event Grid system topic](../event-grid/event-schema-health-resources.md?tabs=event-grid-event-schema) with newly added [VM availability annotations](../service-health/resource-health-vm-annotation.md)!
+
+This system topic provides in-depth VM [health data](../event-grid/event-schema-health-resources.md?tabs=event-grid-event-schema#event-types), giving you immediate insights into changes in VM availability states along with the necessary context. You can receive events on single-instance VMs and [Virtual Machine Scale Set](../virtual-machine-scale-sets/overview.md) VMs for the Azure subscription for which this topic was created. Data is published to this topic by [Azure Resource Notifications](../event-grid/event-schema-resource-notifications.md) (ARN), our state-of-the-art publisher-subscriber service, equipped with robust Role-Based Access Control (RBAC) and advanced filtering capabilities. This empowers you to effortlessly subscribe to an Event Grid system topic and seamlessly direct relevant events utilizing the [advanced filtering](../event-grid/event-filtering.md) capabilities provided by Event Grid, to downstream tools in real-time. This enables you to respond and mitigate issues instantly.
+
+### Get started
+
+- Step 1: Users start by [creating a system](../event-grid/create-view-manage-system-topics.md#create-a-system-topic)topic within the Azure subscription for which they want to receive notifications.
+- Step 2: Users then proceed to [create an event subscription](../event-grid/subscribe-through-portal.md#create-event-subscriptions) within the system topic in Step 1. During this step, they specify the [endpoint](../event-grid/event-handlers.md) (such as, Event Hubs) to which the events are routed. Users can also configure event filters to narrow down the scope of delivered events.
+
+As you start subscribing to events from the HealthResources system topic, consider the following best practices:
+
+- Choose an appropriate [destination or event handler](../event-grid/event-handlers.md) based on the anticipated scale and size of events.
+- For fan-in scenarios where notifications from multiple system topics need to be consolidated, [event hubs](../event-grid/handler-event-hubs.md) are highly recommended as a destination. This practice is especially useful for real-time processing scenarios to maintain data freshness and for periodic processing for analytics, with configurable retention periods.
+
+We have plans to transition the preview into a fully fledged general availability feature. As part of the preview, we emit events scoped to changes in VM availability states with the following sample [schema](../event-grid/event-schema.md):
+
+### Sample
+```
+{
+ "id": "4c70abbc-4aeb-4cac-b0eb-ccf06c7cd102",
+ "topic": "/subscriptions/,
+ "subject": "/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines//providers/Microsoft.ResourceHealth/AvailabilityStatuses/current",
+ "data": {
+ "resourceInfo": {
+ "id":"/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines//providers/Microsoft.ResourceHealth/AvailabilityStatuses/current",
+ "properties": {
+ "targetResourceId":"/subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/"
+ "targetResourceType": "Microsoft.Compute/virtualMachines",
+ "occurredTime": "2022-09-25T20:21:37.5280000Z"
+ "previousAvailabilityState": "Available",
+ "availabilityState": "Unavailable"
+ }
+ },
+ "apiVersion": "2020-09-01"
+ },
+ "eventType": "Microsoft.ResourceNotifications.HealthResources.AvailabilityStatusesChanged",
+ "dataVersion": "1",
+ "metadataVersion": "1",
+ "eventTime": "2022-09-25T20:21:37.5280000Z"
+ }
+```
+
+The properties field is fully consistent with the `microsoft.resourcehealth/availabilitystatuses` event in ARG. The Event Grid solution offers near-real-time alerting capabilities on the data present in ARG.
+
+## Next steps
+
+To learn more about the solutions offered, proceed to corresponding solution article:
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+
+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).
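Review bot: The sample event is not valid JSON: `"topic": "/subscriptions/,` never closes its string, and the `targetResourceId` and `occurredTime` lines inside `properties` are missing their trailing commas. Anyone pasting this into a parser or using it as a test fixture for an event handler will get an error, so please fix the sample, restore placeholders in the empty path segments (`/subscriptions//resourceGroups//...`), and tag the fence as json. In Step 1 the link text is split ("[creating a system](...)topic"), leaving "topic" outside the link with no space. The paragraph on Azure Resource Notifications mentions Role-Based Access Control, but the Get started steps do not say which permissions are needed to create the system topic or the event subscription; a sentence or link on that would help teams scope access to this health feed. The title says "Use Azure Event Grid" while the sibling articles link to this page as "Use Event Grid system topics".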
virtual-machines Flash Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/flash-overview.md
+
+ Title: Project Flash - Advancing Azure Virtual Machine availability monitoring
+description: This article covers important concepts for monitoring Azure virtual machine availability using the features of Project Flash.
++++ Last updated : 01/31/2024+++
+# Project Flash - Advancing Azure Virtual Machine availability monitoring
+
+Flash, as the project is internally known, derives its name from our steadfast commitment to building a robust, reliable, and rapid mechanism for customers to monitor virtual machine (VM) health. Our primary objective is to ensure customers can reliably access actionable and precise telemetry, promptly receive alerts on changes, and periodically monitor data at scale. We also place strong emphasis on developing a centralized and coherent experience that customers can conveniently use to meet their unique observability requirements. It's our mission to ensure you can:
+
+- **Consume accurate and actionable data** on VM availability disruptions (for example, VM reboots and restarts, application freezes due to network driver updates, and 30-second host OS updates), along with precise failure details (for example, platform versus user-initiated, reboot versus freeze, planned versus unplanned).
+- **Analyze and alert on trends in VM availability** for quick debugging and month-over-month reporting.
+- **Periodically monitor data at scale** and build custom dashboards to stay updated on the latest availability states of all resources.
+- **Receive automated root cause analyses (RCAs)** detailing impacted VMs, downtime cause and duration, consequent fixes, and similarΓÇöall to enable targeted investigations and post-mortem analyses.
+- **Receive instantaneous notifications** on critical changes in VM availability to quickly trigger remediation actions and prevent end-user impact.
+- **Dynamically tailor and automate platform recovery policies** , based on ever-changing workload sensitivities and failover needs.
+
+## Flash solutions
+
+The Flash initiative is dedicated to developing solutions over the years that cater to the diverse monitoring needs of our customers. To help you determine the most suitable Flash monitoring solution(s) for your specific requirements, refer to the following table:
+
+| **Solution** | **Description** |
+| | |
+| Azure Resource Graph (General Availability) | For investigations at scale, centralized resource repository and history lookup, large customers want to periodically consume resource availability telemetry across all their workloads, at once, using Azure Resource Graph (ARG). |
+| Event Grid system topic (Public Preview) | To trigger time-sensitive and critical mitigations (redeploy, restart VM actions) for prevention of end-user impact, customers (for example, Pearl Abyss, Krafton) want to receive alerts within seconds of critical changes in resource availability via Event Handlers in Event Grid. |
+| Azure Monitor (Public Preview) | To track trends, aggregate platform metrics (CPU, disk etc.), and set up precise threshold-based alerts, customers want to consume an out-of-box VM Availability metric via Azure Monitor. |
+| Resource Health (General Availability) | To perform instantaneous and convenient Portal UI health checks per-resource customers can quickly view the RHC blade on the portal. They can also access a 30-day historical view of health checks for that resource for quick and easy troubleshooting. |
+
+## Holistic VM availability monitoring
+
+For a holistic approach to monitoring VM availability, including scenarios of routine maintenance, live migration, service healing, and VM degradation, we recommend you utilize both [scheduled events](../virtual-machines/windows/scheduled-event-service.md) (SE) and Flash health events.
+
+Scheduled events are designed to offer an early warning, giving up to 15-minute advance notice prior to maintenance activities. This lead time enables you to make informed decisions regarding upcoming downtime, allowing you to either avoid or prepare for it. You have the flexibility to either acknowledge these events or delay actions during this 15-minute period, depending on your readiness for the upcoming maintenance.
+
+On the other hand, Flash Health events are focused on real-time tracking of ongoing and completed availability disruptions, including VM degradation. This feature empowers you to effectively monitor and manage downtime, supporting automated mitigation, investigations, and post-mortem analysis.
+
+To get started on your observability journey, you can explore the suite of Azure products to which we emit high-quality VM availability data. These products include [resource health](../service-health/resource-health-overview.md), [activity logs](../azure-monitor/essentials/activity-log.md?tabs=powershell), [Azure resource graph](../governance/resource-graph/samples/samples-by-table.md?tabs=azure-cli#healthresources), [Azure monitor metrics](../virtual-machines/monitor-vm-reference.md) and [Azure Event Grid system topic](../event-grid/event-schema-health-resources.md?tabs=event-grid-event-schema).
+
+## Next steps
+
+To learn more about the solutions offered, proceed to corresponding solution article:
+* [Use Azure Resource Graph to monitor Azure Virtual Machine availability](flash-azure-resource-graph.md)
+* [Use Event Grid system topics to monitor Azure Virtual Machine availability](flash-event-grid-system-topic.md)
+* [Use Azure Monitor to monitor Azure Virtual Machine availability](flash-azure-monitor.md)
+* [Use Azure Resource Health to monitor Azure Virtual Machine availability](flash-azure-resource-health.md)
+
+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).
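Review bot: in the "Holistic VM availability monitoring" paragraph the scheduled events link targets only the Windows article (`../virtual-machines/windows/scheduled-event-service.md`), although the recommendation is written for VMs in general; link the Linux scheduled events article as well, or state that the guidance applies to both. Separately, the same reference article is linked two ways in this added text (`../virtual-machines/monitor-vm-reference.md` in the observability paragraph and `monitor-vm-reference.md` in the closing line); pick one relative-path style so link validation behaves the same for both.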
virtual-machines Generalize https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/generalize.md
description: Generalized or deprovision VM to remove machine specific informatio
- Last updated 03/15/2023
virtual-machines Generation 2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/generation-2.md
description: Overview of Azure support for generation 2 VMs
- Last updated 08/26/2022
virtual-machines Hbv2 Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv2-performance.md
description: Learn about performance testing results for HBv2-series VM sizes in
- Last updated 03/04/2023
virtual-machines Hbv2 Series Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv2-series-overview.md
tags: azure-resource-manager
- Last updated 01/18/2024
virtual-machines Hbv3 Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv3-performance.md
description: Learn about performance and scalability of HBv3-series VM sizes in
- Last updated 03/04/2023
virtual-machines Hbv3 Series Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv3-series-overview.md
tags: azure-resource-manager
- Last updated 04/21/2023
virtual-machines Hbv4 Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv4-performance.md
Title: HBv4-series VM sizes performance and scalability
-description: Learn about performance and scalability of HBv4-series VM sizes in Azure.
--
+description: Learn about performance and scalability of HBv4-series VM sizes in Azure.
++ -- Previously updated : 05/22/2023 + Last updated : 05/22/2023
numactl --physcpubind=[INSERT CORE #] ib_send_lat -a
- Review the performance and scalability results of HPC applications on the HBv4 VMs at the [TechCommunity article](https://techcommunity.microsoft.com/t5/azure-compute/hpc-performance-and-scalability-results-with-azure-hbv4-vms/bc-p/2235843). - Read about the latest announcements, HPC workload examples, and performance results at the [Azure HPC Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/bg-p/AzureHighPerformanceComputingBlog). - For a higher-level architectural view of running HPC workloads, see [High Performance Computing (HPC) on Azure](/azure/architecture/topics/high-performance-computing/).--
virtual-machines Hbv4 Series Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hbv4-series-overview.md
Title: HBv4-series VM overview, architecture, topology - Azure Virtual Machines | Microsoft Docs
-description: Learn about the HBv4-series VM size in Azure.
-
-tags: azure-resource-manager
-
+ Title: HBv4-series VM overview, architecture, topology - Azure Virtual Machines | Microsoft Docs
+description: Learn about the HBv4-series VM size in Azure.
+
+tags: azure-resource-manager
+ --+ Last updated 05/23/2023
When paired in a striped array, the NVMe SSD provides up to 12 GB/s reads and 7
- Read about the latest announcements, HPC workload examples, and performance results at the [Azure Compute Tech Community Blogs](https://techcommunity.microsoft.com/t5/azure-compute/bg-p/AzureCompute). - For a higher level architectural view of running HPC workloads, see [High Performance Computing (HPC) on Azure](/azure/architecture/topics/high-performance-computing/).--
virtual-machines Hibernate Resume Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hibernate-resume-troubleshooting.md
Title: Troubleshoot VM hibernation
description: Learn how to troubleshoot VM hibernation. - Last updated 10/31/2023
virtual-machines Hibernate Resume https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hibernate-resume.md
Title: Learn about hibernating your VM
description: Learn how to hibernate a VM. - Last updated 10/31/2023
virtual-machines How To Enable Write Accelerator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/how-to-enable-write-accelerator.md
- Last updated 04/11/2023
virtual-machines Hx Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hx-performance.md
Title: HX-series VM sizes performance and scalability
-description: Learn about performance and scalability of HX-series VM sizes in Azure.
--
+description: Learn about performance and scalability of HX-series VM sizes in Azure.
++ -- Previously updated : 05/23/2023 + Last updated : 05/23/2023
NUMA node affinity for InfiniBand NIC is NUMA0.
- Review the performance and scalability results of HPC applications on the HX VMs at the [TechCommunity article](https://techcommunity.microsoft.com/t5/azure-compute/hpc-performance-and-scalability-results-with-azure-hbv4-vms/bc-p/2235843). - Read about the latest announcements, HPC workload examples, and performance results at the [Azure HPC Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/bg-p/AzureHighPerformanceComputingBlog). - For a higher-level architectural view of running HPC workloads, see [High Performance Computing (HPC) on Azure](/azure/architecture/topics/high-performance-computing/).--
virtual-machines Hx Series Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/hx-series-overview.md
Title: HX-series VM overview, architecture, topology - Azure Virtual Machines | Microsoft Docs
-description: Learn about the HX-series VM size in Azure.
-
-tags: azure-resource-manager
-
+ Title: HX-series VM overview, architecture, topology - Azure Virtual Machines | Microsoft Docs
+description: Learn about the HX-series VM size in Azure.
+
+tags: azure-resource-manager
+ --+ Last updated 05/23/2023
When paired in a striped array, the NVMe SSD provides up to 12 GB/s reads and 7
- Read about the latest announcements, HPC workload examples, and performance results at the [Azure Compute Tech Community Blogs](https://techcommunity.microsoft.com/t5/azure-compute/bg-p/AzureCompute). - For a higher level architectural view of running HPC workloads, see [High Performance Computing (HPC) on Azure](/azure/architecture/topics/high-performance-computing/).--
virtual-machines Image Builder Api Update Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/image-builder-api-update-release-notes.md
Title: What's new in Azure VM Image Builder
+ Title: What's new in Azure VM Image Builder
description: This article offers the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes. - Last updated 11/10/2023 -- # What's new in Azure VM Image Builder
virtual-machines Image Version Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/image-version-encryption.md
description: Create an image version in an Azure Compute Gallery, by using custo
- Last updated 02/22/2023-+ ms.devlang: azurecli
virtual-machines Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/image-version.md
- Last updated 09/20/2023 - # Create an image definition and an image version
virtual-machines Infrastructure Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/infrastructure-automation.md
description: Learn how to use infrastructure automation tools such as Ansible, C
- Last updated 09/21/2023
virtual-machines Instance Metadata Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/instance-metadata-service.md
- Last updated 04/11/2023
virtual-machines Isolation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/isolation.md
Title: Isolation for VMs in Azure
+ Title: Isolation for VMs in Azure
description: Learn about VM isolation works in Azure. - Last updated 04/20/2023
virtual-machines Linux Vm Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux-vm-connect.md
description: Learn how to connect to a Linux VM in Azure.
- Last updated 04/06/2023
virtual-machines Azure Hybrid Benefit Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/azure-hybrid-benefit-linux.md
- Last updated 05/02/2023
virtual-machines Azure To Guest Disk Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/azure-to-guest-disk-mapping.md
Title: How to map Azure Disks to Linux VM guest disks
description: How to determine the Azure Disks that underlay a Linux VM's guest disks. - Last updated 11/17/2020 - # How to map Azure Disks to Linux VM guest disks
virtual-machines Build Image With Packer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/build-image-with-packer.md
- Last updated 04/11/2023
virtual-machines Disable Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disable-provisioning.md
- Last updated 04/11/2023
virtual-machines Flatcar Create Upload Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/flatcar-create-upload-vhd.md
Title: Create and upload a Flatcar Container Linux VHD for use in Azure
+ Title: Create and upload a Flatcar Container Linux VHD for use in Azure
description: Learn to create and upload a VHD that contains a Flatcar Container Linux operating system. - Last updated 07/16/2020 - # Using a prebuilt Flatcar image for Azure
virtual-machines Freebsd Intro On Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/freebsd-intro-on-azure.md
Title: Introduction to FreeBSD on Azure
+ Title: Introduction to FreeBSD on Azure
description: Learn about using FreeBSD virtual machines on Azure - Last updated 09/13/2017 - # Introduction to FreeBSD on Azure
virtual-machines Imaging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/imaging.md
- Last updated 09/01/2023
virtual-machines Incremental Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/incremental-snapshots.md
Title: Use incremental snapshots for backup and recovery of unmanaged disks
+ Title: Use incremental snapshots for backup and recovery of unmanaged disks
description: Create a custom solution for backup and recovery of your Azure virtual machine disks using incremental snapshots. - Last updated 09/15/2018 - # Back up Azure unmanaged Virtual Machine disks with incremental snapshots
virtual-machines Mac Create Ssh Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/mac-create-ssh-keys.md
description: How to create and use an SSH public-private key pair for Linux VMs
- Last updated 01/02/2024
virtual-machines Multiple Nics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/multiple-nics.md
- Last updated 04/06/2023
virtual-machines N Series Driver Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/n-series-driver-setup.md
- Last updated 04/06/2023
virtual-machines No Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/no-agent.md
- Last updated 04/11/2023
virtual-machines Openshift Azure Stack https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/openshift-azure-stack.md
Title: Deploy OpenShift to Azure Stack Hub
+ Title: Deploy OpenShift to Azure Stack Hub
description: Deploy OpenShift to Azure Stack Hub.
- Last updated 02/13/2023- # Deploy OpenShift Container Platform or OKD to Azure Stack Hub
virtual-machines Openshift Container Platform 4X https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/openshift-container-platform-4x.md
Title: Deploy OpenShift Container Platform 4.x in Azure
+ Title: Deploy OpenShift Container Platform 4.x in Azure
description: Deploy OpenShift Container Platform 4.x in Azure.
- Last updated 10/14/2019
virtual-machines Oracle Create Upload Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/oracle-create-upload-vhd.md
- Last updated 11/09/2021
virtual-machines Os Disk Swap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/os-disk-swap.md
Title: Swap between OS disks using the Azure CLI '
description: Change the operating system disk used by an Azure virtual machine using the Azure CLI. - Last updated 04/24/2018
virtual-machines Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/provisioning.md
- Last updated 06/22/2020 -
virtual-machines Proximity Placement Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/proximity-placement-groups.md
- Last updated 4/6/2023
virtual-machines Quick Cluster Create Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-cluster-create-terraform.md
- Last updated 07/24/2023
virtual-machines Quick Create Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-bicep.md
- Last updated 03/10/2022 tags: azure-resource-manager, bicep
virtual-machines Quick Create Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-cli.md
- Last updated 06/01/2022
virtual-machines Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-portal.md
- Last updated 01/04/2024
virtual-machines Quick Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-powershell.md
- Last updated 06/01/2022
virtual-machines Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-template.md
- Last updated 04/13/2023
virtual-machines Quick Create Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-terraform.md
- Last updated 07/24/2023
virtual-machines Redhat Create Upload Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/redhat-create-upload-vhd.md
- vm-linux
virtual-machines Scheduled Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/scheduled-events.md
Title: Scheduled Events for Linux VMs in Azure
+ Title: Scheduled Events for Linux VMs in Azure
description: Scheduled events using the Azure Metadata Service for your Linux virtual machines. - Last updated 01/25/2023
virtual-machines Shared Images Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/shared-images-portal.md
Title: Create shared Azure Linux VM images using the portal
+ Title: Create shared Azure Linux VM images using the portal
description: Learn how to use Azure portal to create and share Linux virtual machine images. - Last updated 06/21/2021
virtual-machines Spot Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/spot-cli.md
description: Learn how to use the CLI to deploy Azure Spot Virtual Machines to s
- Last updated 05/31/2023
virtual-machines Spot Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/spot-template.md
description: Learn how to use a template to deploy Azure Spot Virtual Machines t
- Last updated 05/31/2023
virtual-machines Ssh From Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/ssh-from-windows.md
description: Learn how to generate and use SSH keys from a Windows computer to c
- Last updated 12/13/2021
virtual-machines Static Dns Name Resolution For Linux On Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/static-dns-name-resolution-for-linux-on-azure.md
description: How to create virtual network interface cards and use internal DNS
- Last updated 04/06/2023
virtual-machines Storage Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/storage-performance.md
Title: Optimize performance on Lsv3, Lasv3, and Lsv2-series Linux VMs
+ Title: Optimize performance on Lsv3, Lasv3, and Lsv2-series Linux VMs
description: Learn how to optimize performance for your solution on the Lsv3, Lasv3, and Lsv2-series Linux virtual machines (VMs) on Azure.--++ ---++
+ vm-linux
Last updated 06/01/2022-+ # Optimize performance on Lsv3, Lasv3, and Lsv2-series Linux VMs
virtual-machines Suse Create Upload Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/suse-create-upload-vhd.md
- Last updated 12/14/2022
virtual-machines Time Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/time-sync.md
- Last updated 04/26/2023
virtual-machines Tutorial Config Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-config-management.md
Title: Tutorial - Manage Linux virtual machine configuration in Azure
+ Title: Tutorial - Manage Linux virtual machine configuration in Azure
description: In this tutorial, you learn how to identify changes and manage package updates on a Linux virtual machine - Last updated 09/27/2019 - #Customer intent: As an IT administrator, I want to learn about tracking configuration changes and perform software updates so that I can review changes made and install updates on Linux virtual machines. # Tutorial: Monitor changes and update a Linux virtual machine in Azure
In this tutorial, you configured and reviewed Change Tracking and Update Managem
Advance to the next tutorial to learn about monitoring your VM. > [!div class="nextstepaction"]
-> [Monitor virtual machines](/previous-versions/azure/virtual-machines/linux/tutorial-monitor)
+> [Monitor virtual machines](/previous-versions/azure/virtual-machines/linux/tutorial-monitor)
virtual-machines Tutorial Custom Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-custom-images.md
Title: Tutorial - Create custom VM images with the Azure CLI
+ Title: Tutorial - Create custom VM images with the Azure CLI
description: In this tutorial, you learn how to use the Azure CLI to create a custom virtual machine image in Azure - Last updated 01/25/2023 - #Customer intent: As an IT administrator, I want to learn about how to create custom VM images to minimize the number of post-deployment configuration tasks.
virtual-machines Tutorial Devops Azure Pipelines Classic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-devops-azure-pipelines-classic.md
azure-pipelines- Last updated 08/15/2022
No. Your pipelines will still be available in Azure DevOps.
How can I configure different deployment strategies?
-The current experience uses [deployment groups](/azure/devops/pipelines/process/deployment-group-phases) to create deployment strategies. You can use deployment groups or release pipeline [Stage Templates](/azure/devops/pipelines/release/env-templates) to build your pipeline with templates.
+The current experience uses [deployment groups](/azure/devops/pipelines/process/deployment-group-phases) to create deployment strategies. You can use deployment groups or release pipeline [Stage Templates](/azure/devops/pipelines/release/env-templates) to build your pipeline with templates.
virtual-machines Tutorial Elasticsearch https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-elasticsearch.md
Title: Deploy ElasticSearch on a development virtual machine in Azure
+ Title: Deploy ElasticSearch on a development virtual machine in Azure
description: Install the Elastic Stack (ELK) onto a development Linux VM in Azure - ms.devlang: azurecli
virtual-machines Tutorial Lamp Stack https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-lamp-stack.md
description: In this tutorial, you learn how to install the LAMP stack, and Word
- ms.devlang: azurecli
virtual-machines Tutorial Manage Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-manage-disks.md
Title: Tutorial - Manage Azure disks with the Azure CLI
+ Title: Tutorial - Manage Azure disks with the Azure CLI
description: In this tutorial, you learn how to use the Azure CLI to create and manage Azure disks for virtual machines - Last updated 08/20/2020 - #Customer intent: As an IT administrator, I want to learn about Azure Managed Disks so that I can create and manage storage for Linux VMs in Azure.
virtual-machines Use Remote Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/use-remote-desktop.md
- Last updated 03/28/2023
virtual-machines Using Cloud Init https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/using-cloud-init.md
Title: Overview of cloud-init support for Linux VMs in Azure
+ Title: Overview of cloud-init support for Linux VMs in Azure
description: Overview of cloud-init capabilities to configure a VM at provisioning time in Azure. - Last updated 12/21/2022 - # cloud-init support for virtual machines in Azure
virtual-machines Maintenance And Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-and-updates.md
Title: Maintenance and updates
+ Title: Maintenance and updates
description: Overview of maintenance and updates for virtual machines running in Azure. - Last updated 04/13/2023 #pmcontact:shants
virtual-machines Maintenance Configurations Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-configurations-cli.md
- Last updated 11/20/2020
virtual-machines Maintenance Configurations Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-configurations-portal.md
- Last updated 03/24/2022 #pmcontact: shants
virtual-machines Maintenance Configurations Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-configurations-powershell.md
- Last updated 11/19/2020
virtual-machines Maintenance Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-configurations.md
- Last updated 10/06/2021
virtual-machines Maintenance Notifications Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-notifications-cli.md
Title: Get maintenance notifications using the CLI
description: View maintenance notifications for virtual machines running in Azure, and start self-service maintenance, using the Azure CLI. - Last updated 11/19/2019
virtual-machines Maintenance Notifications Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-notifications-portal.md
Title: Use the portal for maintenance notifications
description: View maintenance notifications for virtual machines running in Azure, and start self-service maintenance, using the portal. - Last updated 11/14/2022
virtual-machines Maintenance Notifications Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-notifications-powershell.md
Title: Get maintenance notifications for Azure VMs using PowerShell
description: View maintenance notifications for virtual machines running in Azure and start self-service maintenance using PowerShell. - Last updated 11/19/2019
virtual-machines Maintenance Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/maintenance-notifications.md
Title: Maintenance notifications
+ Title: Maintenance notifications
description: Overview of maintenance notifications for virtual machines running in Azure. - Last updated 8/12/2020 #pmcontact: shants
virtual-machines Managed Disk From Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/managed-disk-from-image-version.md
- Last updated 12/12/2022
virtual-machines Marketplace Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/marketplace-images.md
Title: Specify Marketplace purchase plan information using Azure PowerShell
+ Title: Specify Marketplace purchase plan information using Azure PowerShell
description: Learn how to specify Azure Marketplace purchase plan details when creating images in an Azure Compute Gallery (formerly known as Shared Image Gallery). - Last updated 12/5/2022
-
# Supply Azure Marketplace purchase plan information when creating images
virtual-machines Migration Classic Resource Manager Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-cli.md
- Last updated 04/12/2023
virtual-machines Migration Classic Resource Manager Community Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-community-tools.md
Title: Community tools - Move classic resources to Azure Resource Manager
+ Title: Community tools - Move classic resources to Azure Resource Manager
description: This article catalogs the tools that have been provided by the community to help migrate IaaS resources from classic to the Azure Resource Manager deployment model. - Last updated 01/25/2023
virtual-machines Migration Classic Resource Manager Deep Dive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-deep-dive.md
- Last updated 1/25/2023
virtual-machines Migration Classic Resource Manager Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-errors.md
Title: Common errors during Classic to Azure Resource Manager migration
+ Title: Common errors during Classic to Azure Resource Manager migration
description: This article catalogs the most common errors and mitigations during the migration of IaaS resources from Azure Service Management to Azure Resource Manager. - Last updated 03/08/2023-+
virtual-machines Migration Classic Resource Manager Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-plan.md
- Last updated 01/25/2023
virtual-machines Migration Classic Resource Manager Ps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-ps.md
Title: Migrate to Resource Manager with PowerShell
+ Title: Migrate to Resource Manager with PowerShell
description: This article walks through the platform-supported migration of IaaS resources such as virtual machines (VMs), virtual networks, and storage accounts from classic to Azure Resource Manager by using Azure PowerShell commands - Last updated 04/14/2023-+
virtual-machines Mitigate Se https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/mitigate-se.md
keywords: spectre,meltdown,specter - Last updated 07/12/2022
virtual-machines Nda100 V4 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/nda100-v4-series.md
Last updated 03/13/2023
# ND A100 v4-series
-**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets
+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets.
The ND A100 v4 series virtual machine(VM) is a new flagship addition to the Azure GPU family. It's designed for high-end Deep Learning training and tightly coupled scale-up and scale-out HPC workloads.
These instances provide excellent performance for many AI, ML, and analytics too
NVIDIA NVLink Interconnect: Supported<br> [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br> <br>
-The ND A100 v4 series supports the following kernel versions: <br>
-CentOS 7.9 HPC: 3.10.0-1160.24.1.el7.x86_64 <br>
-Ubuntu 18.04: 5.4.0-1043-azure <br>
-Ubuntu 20.04: 5.4.0-1046-azure <br>
-<br>
| Size | vCPU | Memory: GiB | Temp Storage (SSD): GiB | GPU | GPU Memory: GiB | Max data disks | Max uncached disk throughput: IOPS / MBps | Max network bandwidth | Max NICs | |||||||||||
-| Standard_ND96asr_v4 | 96 | 900 | 6000 | 8 A100 40 GB GPUs (NVLink 3.0) | 320 | 32 | 80,000 / 800 | 24,000 Mbps | 8 |
+| Standard_ND96asr_v4 | 96 | 900 | 6000 | 8 A100 40-GB GPUs (NVLink 3.0) | 320 | 32 | 80,000 / 800 | 24,000 Mbps | 8 |
[!INCLUDE [virtual-machines-common-sizes-table-defs](../../includes/virtual-machines-common-sizes-table-defs.md)]
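Review bot: the removed lines listing the supported kernel versions (CentOS 7.9 HPC, Ubuntu 18.04, Ubuntu 20.04) are dropped with no replacement or link in the lines shown, so readers lose the section's only kernel compatibility statement. If the list is outdated, replace it with a pointer to wherever supported kernels are now documented rather than deleting it without explanation. The trailing period added after "Uniform scale sets" on the "Applies to" line looks unintended and should be confirmed or reverted.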
virtual-machines Prepay Dedicated Hosts Reserved Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/prepay-dedicated-hosts-reserved-instances.md
- Last updated 06/05/2023
To learn more about Azure Reservations, see the following articles:
- [Windows software costs not included with reservations](../cost-management-billing/reservations/reserved-instance-windows-software-costs.md) - [Azure Reservations in Partner Center Cloud Solution Provider (CSP) program](/partner-center/azure-reservations)--
virtual-machines Prepay Reserved Vm Instances https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/prepay-reserved-vm-instances.md
- Last updated 01/09/2023
virtual-machines Quotas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/quotas.md
description: Check your vCPU quotas for Azure virtual-machines.
- Last updated 02/15/2023
virtual-machines Regions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/regions.md
- Last updated 02/21/2023
virtual-machines Reserved Vm Instance Size Flexibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/reserved-vm-instance-size-flexibility.md
Title: Virtual machine size flexibility -Azure Reserved VM Instances
+ Title: Virtual machine size flexibility -Azure Reserved VM Instances
description: Learn what size series a reservation discount applies to when you by a reserved VM instance. - Last updated 04/06/2021
virtual-machines Copy Managed Disks To Same Or Different Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/copy-managed-disks-to-same-or-different-subscription.md
ms.devlang: azurecli - Last updated 02/22/2023
virtual-machines Copy Managed Disks Vhd To Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/copy-managed-disks-vhd-to-storage-account.md
- Last updated 02/23/2022
virtual-machines Copy Snapshot To Same Or Different Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/copy-snapshot-to-same-or-different-subscription.md
- Last updated 02/22/2023
virtual-machines Copy Snapshot To Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/copy-snapshot-to-storage-account.md
ms.devlang: azurecli - Last updated 02/23/2022
virtual-machines Create Managed Disk From Snapshot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/create-managed-disk-from-snapshot.md
ms.devlang: azurecli vm-linux- Last updated 01/19/2024
virtual-machines Create Managed Disk From Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/create-managed-disk-from-vhd.md
ms.devlang: azurecli - Last updated 02/23/2022
virtual-machines Create Vm From Managed Os Disks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/create-vm-from-managed-os-disks.md
Title: Create a VM by attaching a managed disk as OS disk - CLI Sample
+ Title: Create a VM by attaching a managed disk as OS disk - CLI Sample
description: Azure CLI Script Sample - Create a VM by attaching a managed disk as OS disk
ms.devlang: azurecli vm-linux- Last updated 02/23/2022
virtual-machines Create Vm From Snapshot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/create-vm-from-snapshot.md
ms.devlang: azurecli vm-linux- Last updated 02/23/2022
virtual-machines Virtual Machines Powershell Sample Copy Managed Disks Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-copy-managed-disks-vhd.md
vm-windows- Last updated 03/01/2023
virtual-machines Virtual Machines Powershell Sample Copy Snapshot To Same Or Different Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-copy-snapshot-to-same-or-different-subscription.md
Title: Copy snapshot of managed disk to subscription (Windows) - PowerShell
+ Title: Copy snapshot of managed disk to subscription (Windows) - PowerShell
description: Azure PowerShell Script Sample - Copy (move) snapshot of a managed disk to same or different subscription
vm-windows- Last updated 03/01/2023
virtual-machines Virtual Machines Powershell Sample Copy Snapshot To Storage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-copy-snapshot-to-storage-account.md
Title: PowerShell Sample - Export/Copy snapshot as VHD to a storage account in different region
+ Title: PowerShell Sample - Export/Copy snapshot as VHD to a storage account in different region
description: Azure PowerShell Script Sample - Export/Copy snapshot as VHD to a storage account in same different region - Last updated 06/05/2017
virtual-machines Virtual Machines Powershell Sample Create Managed Disk From Snapshot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-create-managed-disk-from-snapshot.md
vm-windows - Last updated 01/19/2024
virtual-machines Virtual Machines Powershell Sample Create Managed Disk From Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-create-managed-disk-from-vhd.md
- Last updated 12/04/2023
virtual-machines Virtual Machines Powershell Sample Create Snapshot From Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/scripts/virtual-machines-powershell-sample-create-snapshot-from-vhd.md
vm-windows - Last updated 06/05/2017
virtual-machines Security Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/security-policy.md
description: Learn about security and policies for virtual machines in Azure.
- Last updated 11/27/2018
virtual-machines Share Gallery Community https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/share-gallery-community.md
- Last updated 09/20/2023
virtual-machines Share Gallery Direct https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/share-gallery-direct.md
- Last updated 02/14/2023 -+ ms.devlang: azurecli- # Share a gallery with all users in a subscription or tenants (preview)
virtual-machines Share Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/share-gallery.md
- Last updated 02/14/2023 -+ ms.devlang: azurecli- # Share gallery resources across subscriptions and tenants with RBAC
virtual-machines Share Using App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/share-using-app-registration.md
Title: "Share gallery images across tenants using an app registration"
description: Learn how to share Azure Compute Gallery images across Azure tenants using an app registration. - Last updated 02/02/2023-+
virtual-machines Sizes Compute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-compute.md
- Last updated 12/21/2022 - # Compute optimized virtual machine sizes
virtual-machines Sizes Field Programmable Gate Arrays https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-field-programmable-gate-arrays.md
- Last updated 02/27/2023
virtual-machines Sizes General https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-general.md
- Last updated 08/26/2022
virtual-machines Sizes Gpu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-gpu.md
- Last updated 10/27/2022
virtual-machines Sizes Hpc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-hpc.md
description: Lists the different sizes available for high performance computing
- Last updated 12/7/2023
virtual-machines Sizes Memory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-memory.md
keywords: VM isolation,isolated VM,isolation,isolated
- Last updated 08/26/2022- # Memory optimized virtual machine sizes
virtual-machines Sizes Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes-storage.md
Title: Storage optimized virtual machine sizes
-description: Learn about the different storage optimized sizes available for Azure Virtual Machines (Azure VMs). Find information about the number of vCPUs, data disks, NICs, storage throughput, and network bandwidth for sizes in this series.
+description: Learn about the different storage optimized sizes available for Azure Virtual Machines (Azure VMs). Find information about the number of vCPUs, data disks, NICs, storage throughput, and network bandwidth for sizes in this series.
--+ Last updated 06/01/2022-+ # Storage optimized virtual machine sizes
virtual-machines Sizes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes.md
- Last updated 03/06/2023
virtual-machines Resize Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/sizes/resize-vm.md
Title: Resize a virtual machine
description: Change the VM size used for an Azure virtual machine. - Last updated 01/31/2024
For a work-around, see [How do I migrate from a VM size with local temp disk to
- For more SKU selection information, see [Sizes for virtual machines in Azure](../sizes.md). - To determine VM sizes by workload type, OS and software, or deployment region, see [Azure VM Selector](https://azure.microsoft.com/pricing/vm-selector/). - For more information on Virtual Machine Scale Sets (VMSS) sizes, see [Automatically scale machines in a VMSS](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md).-- For more cost management planning information, see the [Plan and manage your Azure costs](/training/modules/plan-manage-azure-costs/1-introduction) module.
+- For more cost management planning information, see the [Plan and manage your Azure costs](/training/modules/plan-manage-azure-costs/1-introduction) module.
virtual-machines Snapshot Copy Managed Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/snapshot-copy-managed-disk.md
description: Learn how to create a copy of an Azure VM to use as a backup or for
- Last updated 04/22/2022
virtual-machines Spot Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/spot-portal.md
Title: Use the portal to deploy Azure Spot Virtual Machines
-description: How to use the Portal to deploy Spot Virtual Machines
+description: How to use the Portal to deploy Spot Virtual Machines
- Last updated 02/28/2023
virtual-machines Spot Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/spot-vms.md
Title: Use Azure Spot Virtual Machines
+ Title: Use Azure Spot Virtual Machines
description: Learn how to use Azure Spot Virtual Machines to save on costs. - Last updated 03/09/2023
virtual-machines Ssh Keys Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ssh-keys-azure-cli.md
description: Learn how to generate and store SSH keys, before creating a VM, wit
- Last updated 04/13/2023
virtual-machines Ssh Keys Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ssh-keys-portal.md
Title: Create SSH keys in the Azure portal
+ Title: Create SSH keys in the Azure portal
description: Learn how to generate and store SSH keys in the Azure portal for connecting the Linux VMs. - Last updated 04/27/2023 - # Generate and store SSH keys in the Azure portal
virtual-machines Troubleshoot Maintenance Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/troubleshoot-maintenance-configurations.md
- Last updated 10/13/2023
virtual-machines Troubleshooting Shared Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/troubleshooting-shared-images.md
Title: Troubleshoot problems with shared images in Azure
+ Title: Troubleshoot problems with shared images in Azure
description: Learn how to troubleshoot problems with shared images in Azure Compute Galleries.
- Last updated 02/28/2023
virtual-machines Unmanaged Disks Deprecation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/unmanaged-disks-deprecation.md
Title: We're retiring Azure unmanaged disks by September 30, 2025
description: This article provides a high-level overview of the retirement of Azure unmanaged disks and how to migrate to Azure managed disks. - Last updated 06/28/2023
virtual-machines User Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/user-data.md
- Last updated 02/28/2023
virtual-machines Using Managed Disks Template Deployments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/using-managed-disks-template-deployments.md
Title: Deploying disks with Azure Resource Manager templates
description: Details how to use managed and unmanaged disks in Azure Resource Manager templates for Azure VMs. - Last updated 06/01/2017
virtual-machines Virtual Machine Scale Sets Maintenance Control Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/virtual-machine-scale-sets-maintenance-control-cli.md
description: Learn how to control when automatic OS image upgrades are rolled ou
- Last updated 11/22/2022-+ ms.devlang: azurecli #pmcontact: PPHILLIPS
virtual-machines Virtual Machine Scale Sets Maintenance Control Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/virtual-machine-scale-sets-maintenance-control-portal.md
description: Learn how to control when automatic OS image upgrades are rolled ou
- Last updated 11/22/2022-+ #pmcontact: PPHILLIPS
virtual-machines Virtual Machine Scale Sets Maintenance Control Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/virtual-machine-scale-sets-maintenance-control-powershell.md
description: Learn how to control when automatic OS image upgrades are rolled ou
- Last updated 11/22/2022-+ #pmcontact: PPHILLIPS
virtual-machines Virtual Machine Scale Sets Maintenance Control Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/virtual-machine-scale-sets-maintenance-control-template.md
description: Learn how to control when automatic OS image upgrades are rolled ou
- Last updated 11/22/2022-+ #pmcontact: PPHILLIPS
virtual-machines Virtual Machine Scale Sets Maintenance Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/virtual-machine-scale-sets-maintenance-control.md
description: Learn how to control when automatic OS image upgrades are rolled ou
- Last updated 11/22/2022 #pmcontact: PPHILLIPS
virtual-machines Vm Applications How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-applications-how-to.md
- Last updated 09/08/2023
virtual-machines Vm Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-applications.md
description: Learn more about VM application packages in an Azure Compute Galler
- Last updated 09/18/2023
virtual-machines Vm Generalized Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-generalized-image-version.md
- Last updated 08/15/2023 -+ - # Create a VM from a generalized image version
virtual-machines Vm Specialized Image Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-specialized-image-version.md
description: Create a VM using a specialized image version in an Azure Compute G
- Last updated 08/15/2023
az vm create\
- [Create an Azure Compute Gallery](create-gallery.md) - [Create an image in an Azure Compute Gallery](image-version.md)-
virtual-machines Vm Usage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-usage.md
Title: Understanding Azure virtual machine usage
+ Title: Understanding Azure virtual machine usage
description: Understand virtual machine usage details
vm- Last updated 05/01/2023
virtual-machines Azure To Guest Disk Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/azure-to-guest-disk-mapping.md
description: How to determine the Azure Disks that underlay a Windows VM's guest
- Last updated 11/17/2020-+ # How to map Azure Disks to Windows VM guest disks
virtual-machines Build Image With Packer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/build-image-with-packer.md
- Last updated 03/31/2023
virtual-machines Change Drive Letter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/change-drive-letter.md
- Last updated 01/02/2018
virtual-machines Cli Ps Findimage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/cli-ps-findimage.md
description: Use Azure PowerShell to find image URNs and purchase plan parameter
- Last updated 03/17/2021
virtual-machines Client Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/client-images.md
Title: Use Windows client images in Azure
+ Title: Use Windows client images in Azure
description: How to use Visual Studio subscription benefits to deploy Windows 7, Windows 8, or Windows 10 in Azure for dev/test scenarios - Last updated 12/15/2017- # Use Windows client in Azure for dev/test scenarios
virtual-machines Compute Benchmark Scores https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/compute-benchmark-scores.md
Title: Compute benchmark scores for Azure Windows VMs
+ Title: Compute benchmark scores for Azure Windows VMs
description: Compare Coremark compute benchmark scores for Azure VMs running Windows Server. - Last updated 05/31/2022 - # Compute benchmark scores for Windows VMs
virtual-machines Connect Rdp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/connect-rdp.md
Title: Connect using Remote Desktop to an Azure VM running Windows
description: Learn how to connect using Remote Desktop and sign on to a Windows VM using the Azure portal and the Resource Manager deployment model. - Last updated 02/24/2022
virtual-machines Connect Ssh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/connect-ssh.md
Title: Connect using SSH to an Azure VM running Windows
description: Learn how to connect using Secure Shell and sign on to a Windows VM. - Last updated 06/29/2022
virtual-machines Create Powershell Availability Zone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/create-powershell-availability-zone.md
description: Create a virtual machine in an availability zone with Azure PowerSh
- Last updated 03/27/2018
virtual-machines Detach Disk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/detach-disk.md
description: Detach a data disk from a virtual machine in Azure using the Resour
- Last updated 08/09/2023-+ # How to detach a data disk from a Windows virtual machine
virtual-machines Download Vhd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/download-vhd.md
Title: Download a Windows VHD from Azure
+ Title: Download a Windows VHD from Azure
description: Download a Windows VHD using the Azure portal. - Last updated 10/17/2023
virtual-machines Extensions Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/extensions-diagnostics.md
- Last updated 04/06/2018
virtual-machines External Ntpsource Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/external-ntpsource-configuration.md
- Last updated 08/05/2022
virtual-machines Hybrid Use Benefit Licensing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/hybrid-use-benefit-licensing.md
Title: Explore Azure Hybrid Benefit for Windows VMs
+ Title: Explore Azure Hybrid Benefit for Windows VMs
description: Learn how to maximize your Windows Software Assurance benefits to bring on-premises licenses to Azure. - Last updated 4/18/2023-+ ms.devlang: azurecli- # Explore Azure Hybrid Benefit for Windows VMs
virtual-machines Incremental Snapshots https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/incremental-snapshots.md
Title: Use incremental snapshots for backup and recovery of unmanaged Azure Windows VM disks
+ Title: Use incremental snapshots for backup and recovery of unmanaged Azure Windows VM disks
description: Create a custom solution for backup and recovery of your Azure Windows virtual machine disks using incremental snapshots. - Last updated 01/23/2017 - # Back up Azure unmanaged VM disks with incremental snapshots
virtual-machines Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/java.md
description: Use Java and Azure Resource Manager to deploy a virtual machine and
- Last updated 10/09/2021
virtual-machines Key Vault Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/key-vault-setup.md
description: How to set up Key Vault for use with a virtual machine using PowerS
- Last updated 01/24/2017--++ ms.devlang: azurecli- # Set up Key Vault for virtual machines using Azure PowerShell
virtual-machines Multiple Nics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/multiple-nics.md
- Last updated 09/26/2017
virtual-machines N Series Amd Driver Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/n-series-amd-driver-setup.md
Title: Azure N-series AMD GPU driver setup for Windows
+ Title: Azure N-series AMD GPU driver setup for Windows
description: How to set up AMD GPU drivers for N-series VMs running Windows Server or Windows in Azure
- Last updated 04/13/2023 - # Install AMD GPU drivers on N-series VMs running Windows
virtual-machines On Prem To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/on-prem-to-azure.md
Title: Migrate from AWS and other platforms to managed disks in Azure
+ Title: Migrate from AWS and other platforms to managed disks in Azure
description: Create VMs in Azure using VHDs uploaded from other clouds like AWS or other virtualization platforms and use Azure managed disks. - vm-windows Last updated 10/07/2017 - # Migrate from Amazon Web Services (AWS) and other platforms to managed disks in Azure
Review the [pricing for managed disks](https://azure.microsoft.com/pricing/detai
## Next Steps -- Before uploading any VHD to Azure, you should follow [Prepare a Windows VHD or VHDX to upload to Azure](prepare-for-upload-vhd-image.md)
+- Before uploading any VHD to Azure, you should follow [Prepare a Windows VHD or VHDX to upload to Azure](prepare-for-upload-vhd-image.md)
virtual-machines Os Disk Swap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/os-disk-swap.md
Title: Swap OS disk for an Azure VM with PowerShell
description: Change the operating system disk used by an Azure virtual machine using PowerShell. - Last updated 04/24/2018-+ # Change the OS disk used by an Azure VM using PowerShell
virtual-machines Proximity Placement Groups Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/proximity-placement-groups-portal.md
Title: Create a proximity placement group using the portal
-description: Learn how to create a proximity placement group using the Azure portal.
+ Title: Create a proximity placement group using the portal
+description: Learn how to create a proximity placement group using the Azure portal.
- Last updated 3/12/2023 - # Create a proximity placement group using the Azure portal
virtual-machines Ps Common Network Ref https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/ps-common-network-ref.md
description: Common PowerShell commands to get you started creating a virtual ne
- Last updated 07/17/2017
virtual-machines Ps Common Ref https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/ps-common-ref.md
description: Common PowerShell commands to get you started creating and managing
- Last updated 09/07/2023
virtual-machines Quick Cluster Create Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-cluster-create-terraform.md
- Last updated 07/24/2023
virtual-machines Quick Create Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-bicep.md
- Last updated 03/11/2022
virtual-machines Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-portal.md
- Last updated 01/04/2024
virtual-machines Quick Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-powershell.md
- Last updated 04/04/2023
virtual-machines Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-template.md
- Last updated 04/03/2023
virtual-machines Quick Create Terraform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-terraform.md
- Last updated 07/17/2023
virtual-machines Scheduled Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/scheduled-events.md
Title: Scheduled Events for Windows VMs in Azure
+ Title: Scheduled Events for Windows VMs in Azure
description: Scheduled events using the Azure Metadata Service for your Windows virtual machines. - Last updated 06/01/2020
-ms.reviwer: mimckitt
+ms.reviwer: mimckitt
# Azure Metadata Service: Scheduled Events for Windows VMs
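Review bot: The metadata key on the re-added line is still misspelled as `ms.reviwer`. Since this line is being touched anyway, correct it to `ms.reviewer` in the same change; a misspelled key is unlikely to be recognized as the reviewer field.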
virtual-machines Spot Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/spot-powershell.md
description: Learn how to use Azure PowerShell to deploy Azure Spot Virtual Mach
- Last updated 02/28/2023 -+
virtual-machines Storage Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/storage-performance.md
Title: Optimize performance on Lsv3, Lasv3, and Lsv2-series Windows VMs description: Learn how to optimize performance for your solution on the Lsv2-series Windows virtual machines (VMs) on Azure.-----++++ Last updated 06/01/2022-+ # Optimize performance on Lsv3, Lasv3, and Lsv2-series Windows VMs
virtual-machines Template Description https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/template-description.md
Title: Virtual machines in an Azure Resource Manager template | Microsoft Azure
description: Learn more about how the virtual machine resource is defined in an Azure Resource Manager template. - Last updated 04/11/2023
virtual-machines Time Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/time-sync.md
- Last updated 09/17/2018
virtual-machines Tutorial Automate Vm Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-automate-vm-deployment.md
- Last updated 04/07/2023
virtual-machines Tutorial Config Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-config-management.md
- Last updated 12/05/2018
virtual-machines Tutorial Custom Images https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-custom-images.md
- Last updated 02/24/2023
virtual-machines Tutorial Manage Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-manage-vm.md
description: In this tutorial, you learn how to use Azure PowerShell to create a
- Last updated 03/29/2022
virtual-machines Tutorial Secure Web Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-secure-web-server.md
- Last updated 04/05/2023
virtual-machines Tutorial Virtual Network https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/tutorial-virtual-network.md
vm-windows- Last updated 08/04/2020
virtual-machines Windows Desktop Multitenant Hosting Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/windows-desktop-multitenant-hosting-deployment.md
Title: How to deploy Windows 11 on Azure
+ Title: How to deploy Windows 11 on Azure
description: Learn how to maximize your Windows Software Assurance benefits to bring on-premises licenses to Azure with Multitenant Hosting Rights. - Last updated 10/24/2022 - # How to deploy Windows 11 on Azure **Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets
virtual-machines Ibm Db2 Purescale Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/workloads/mainframe-rehosting/ibm/ibm-db2-purescale-azure.md
Title: IBM DB2 pureScale on Azure
description: In this article, we show an architecture for running an IBM DB2 pureScale environment on Azure. -+ - Last updated 11/09/2018
On Azure, DB2 pureScale needs to use TCP/IP as the network connection for storag
## Next steps -- [Deploy this architecture on Azure](deploy-ibm-db2-purescale-azure.md)
+- [Deploy this architecture on Azure](deploy-ibm-db2-purescale-azure.md)
virtual-machines Oracle Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/workloads/oracle/oracle-overview.md
vm-linux- Last updated 04/10/2023
virtual-network Accelerated Networking How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/accelerated-networking-how-it-works.md
vm-linux - Last updated 04/18/2023
virtual-network Accelerated Networking Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/accelerated-networking-overview.md
Title: Accelerated Networking overview description: Learn how Accelerated Networking can improve the networking performance of Azure VMs.-+ Last updated 04/18/2023-+ # Accelerated Networking overview
Accelerated Networking has the following benefits:
- You can't deploy virtual machines (classic) with Accelerated Networking through Azure Resource Manager.
+- The Azure platform does not update the Mellanox NIC drivers in the VM. For VMs running Linux and FreeBSD, customers are encouraged to stay current with the latest kernel updates offered by the distribution. For VMs running Windows, customers should apply updated drivers from the Nvidia support page if any issues are later encountered with the driver delivered with the Marketplace image or applied to a custom image.
+ ### Supported regions Accelerated Networking is available in all global Azure regions and the Azure Government Cloud.
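Review bot: The Windows half of the new bullet refers to "the Nvidia support page" without a link and advises updating only "if any issues are later encountered", while the Linux and FreeBSD half advises staying current with kernel updates. Because the bullet states that the platform does not update these drivers, the guest owner is the only party applying driver fixes, so link the page and give Windows the same stay-current guidance. Also use "doesn't" to match the contraction in the preceding bullet ("can't"), and say who the "customers" are in second person as the rest of the article does.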
virtual-network Create Peering Different Deployment Models Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-peering-different-deployment-models-subscriptions.md
- Last updated 06/25/2020
virtual-network Create Peering Different Deployment Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-peering-different-deployment-models.md
tags: azure-resource-manager
- Last updated 11/15/2018
virtual-network Create Ptr For Smtp Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-ptr-for-smtp-service.md
virtual-network- Last updated 10/31/2018
virtual-network Create Vm Accelerated Networking Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-vm-accelerated-networking-cli.md
For more information about application binding requirements, see [How Accelerate
<a name="enable-accelerated-networking-on-existing-vms"></a>
+In order to ensure that your custom image or applications correctly support the dynamic binding and revocation of virtual functions, the functionality can be tested on any Windows Hyper-V server. Use a local Windows Server running Hyper-V in the following configuration:
+ - Ensure you have a physical network adapter that supports SR-IOV.
+ - An external virtual switch is created on top of this SR-IOV adapter with "Enable single-root I/O virtualization (SR-IOV)" checked.
+ - A virtual machine running your operating system image or application is created/deployed.
+ - The network adapters for this virtual machine, under Hardware Acceleration, have "Enable SR-IOV" selected.
+
+Once you've verified your virtual machine and application are leveraging a network adapter using SR-IOV, you can modify the following example commands to toggle SR-IOV off/on in order to revoke and add the virtual function which will simulate what happens during Azure host servicing:
+
+``` Powershell
+# Get the virtual network adapter to test
+$vmNic = Get-VMNetworkAdapter -VMName "myvm" | where {$_.MacAddress -eq "001122334455"}
+
+# Enable SR-IOV on a virtual network adapter
+Set-VMNetworkAdapter $vmNic -IovWeight 100 -IovQueuePairsRequested 1
+
+# Disable SR-IOV on a virtual network adapter
+Set-VMNetworkAdapter $vmNic -IovWeight 0
+```
+ ## Manage Accelerated Networking on existing VMs It's possible to enable Accelerated Networking on an existing VM. The VM must meet the following requirements to support Accelerated Networking:
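Review bot: The unchanged anchor `<a name="enable-accelerated-networking-on-existing-vms"></a>` now sits directly above the new Hyper-V test paragraph instead of the "## Manage Accelerated Networking on existing VMs" heading, so existing deep links to that anchor will land on the test procedure. Move the added block above the anchor, or move the anchor down to just before the heading. Two smaller points in the same hunk: the fence opens as "``` Powershell" with a space and mixed case, which may not be picked up as a language tag, so use "```powershell". The sample also toggles `-IovWeight` but never shows how to confirm that the virtual function was actually revoked and re-added, which is the thing the paragraph says is being tested. Add a verification step after each toggle.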
virtual-network Create Vm Accelerated Networking Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-vm-accelerated-networking-powershell.md
vm-windows - Last updated 03/20/2023
virtual-network Diagnose Network Routing Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/diagnose-network-routing-problem.md
Title: Diagnose an Azure virtual machine routing problem description: Learn how to diagnose a virtual machine routing problem by viewing the effective routes for a virtual machine. -+ tags: azure-resource-manager - Last updated 05/30/2018-+ ms.devlang: azurecli
virtual-network Diagnose Network Traffic Filter Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/diagnose-network-traffic-filter-problem.md
tags: azure-resource-manager
ms.assetid: a54feccf-0123-4e49-a743-eb8d0bdd1ebc - Last updated 05/29/2018-+ ms.devlang: azurecli
virtual-network Associate Public Ip Address Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/associate-public-ip-address-vm.md
- Last updated 08/24/2023
virtual-network Ipv6 Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/ipv6-overview.md
Last updated 08/24/2023 - # What is IPv6 for Azure Virtual Network?
virtual-network Ipv6 Virtual Machine Scale Set https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/ipv6-virtual-machine-scale-set.md
Last updated 08/24/2023 - # Deploy virtual machine scale sets with IPv6 in Azure
virtual-network Remove Public Ip Address Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/remove-public-ip-address-vm.md
Last updated 08/24/2023
-
virtual-network Routing Preference Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/routing-preference-cli.md
-
virtual-network Routing Preference Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/routing-preference-portal.md
- # Configure routing preference for a public IP address using the Azure portal
You can associate the above created public IP address with a [Windows](../../vir
- [Configure routing preference for a VM](./tutorial-routing-preference-virtual-machine-portal.md). - [Configure routing preference for a public IP address using the PowerShell](routing-preference-powershell.md). - Learn more about [public IP addresses](public-ip-addresses.md#public-ip-addresses) in Azure.-- Learn more about all [public IP address settings](virtual-network-public-ip-address.md#create-a-public-ip-address).
+- Learn more about all [public IP address settings](virtual-network-public-ip-address.md#create-a-public-ip-address).
virtual-network Routing Preference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/routing-preference-powershell.md
-
Remove-AzResourceGroup -Name myResourceGroup
## Next steps - Learn more about [routing preference in public IP addresses](routing-preference-overview.md).-- [Configure routing preference for a VM using the Azure PowerShell](./configure-routing-preference-virtual-machine-powershell.md).
+- [Configure routing preference for a VM using the Azure PowerShell](./configure-routing-preference-virtual-machine-powershell.md).
virtual-network Virtual Network Deploy Static Pip Arm Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/virtual-network-deploy-static-pip-arm-portal.md
- # Create a virtual machine with a static public IP address using the Azure portal
In this article, you learned how to create a VM with a static public IP.
- Learn how to [Assign multiple IP addresses to virtual machines](./virtual-network-multiple-ip-addresses-portal.md) using the Azure portal. - Learn more about [public IP addresses](./public-ip-addresses.md#public-ip-addresses) in Azure.--
virtual-network Virtual Network Network Interface Addresses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/virtual-network-network-interface-addresses.md
-
virtual-network Manage Network Security Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/manage-network-security-group.md
- Last updated 04/24/2023
virtual-network Manage Route Table https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/manage-route-table.md
- Last updated 04/24/2023
virtual-network Network Security Groups Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/network-security-groups-overview.md
- Last updated 10/27/2023
virtual-network Virtual Network Cli Sample Peer Two Virtual Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/scripts/virtual-network-cli-sample-peer-two-virtual-networks.md
ms.devlang: azurecli - Last updated 02/03/2022-+
This script uses the following commands to create a resource group, virtual mach
For more information on the Azure CLI, see [Azure CLI documentation](/cli/azure).
-Additional virtual network CLI script samples can be found in [Virtual network CLI samples](../cli-samples.md).
+Additional virtual network CLI script samples can be found in [Virtual network CLI samples](../cli-samples.md).
virtual-network Service Tags Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/service-tags-overview.md
- Last updated 1/26/2023
virtual-network Subnet Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/subnet-extension.md
description: Learn about subnet extension in Azure.
- Last updated 04/06/2023
virtual-network Troubleshoot Outbound Smtp Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/troubleshoot-outbound-smtp-connectivity.md
- Last updated 12/20/2023
If you change your subscription type from Enterprise Agreement or MCA-E to anoth
## Need help? Contact support
-If you're using an Enterprise Agreement or MCA-E subscription and still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your problem resolved quickly. Use this issue type: **Technical** > **Virtual Network** > **Cannot send email (SMTP/Port 25)**.
+If you're using an Enterprise Agreement or MCA-E subscription and still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your problem resolved quickly. Use this issue type: **Technical** > **Virtual Network** > **Cannot send email (SMTP/Port 25)**.
virtual-network Tutorial Connect Virtual Networks Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-connect-virtual-networks-cli.md
description: In this article, you learn how to connect virtual networks with vir
tags: azure-resource-manager
-# Customer intent: I want to connect two virtual networks so that virtual machines in one virtual network can communicate with virtual machines in the other virtual network.
ms.devlang: azurecli virtual-network- Last updated 03/13/2018
+# Customer intent: I want to connect two virtual networks so that virtual machines in one virtual network can communicate with virtual machines in the other virtual network.
# Connect virtual networks with virtual network peering using the Azure CLI
virtual-network Tutorial Connect Virtual Networks Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-connect-virtual-networks-powershell.md
description: In this article, you learn how to connect virtual networks with vir
tags: azure-resource-manager
-# Customer intent: I want to connect two virtual networks so that virtual machines in one virtual network can communicate with virtual machines in the other virtual network.
virtual-network- Last updated 03/13/2018
+# Customer intent: I want to connect two virtual networks so that virtual machines in one virtual network can communicate with virtual machines in the other virtual network.
# Connect virtual networks with virtual network peering using PowerShell
virtual-network Tutorial Create Route Table Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-create-route-table-cli.md
ms.devlang: azurecli virtual-network- Last updated 04/20/2022
virtual-network Tutorial Create Route Table Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-create-route-table-powershell.md
tags: azure-resource-manager
-# Customer intent: I want to route traffic from one subnet, to a different subnet, through a network virtual appliance.
virtual-network- Last updated 03/13/2018
+# Customer intent: I want to route traffic from one subnet, to a different subnet, through a network virtual appliance.
# Route network traffic with a route table using PowerShell
virtual-network Tutorial Filter Network Traffic Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-filter-network-traffic-cli.md
tags: azure-resource-manager
-# Customer intent: I want to filter network traffic to virtual machines that perform similar functions, such as web servers.
ms.devlang: azurecli virtual-network- Last updated 03/30/2018
+# Customer intent: I want to filter network traffic to virtual machines that perform similar functions, such as web servers.
# Filter network traffic with a network security group using the Azure CLI
az group delete --name myResourceGroup --yes
In this article, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see [Network security group overview](./network-security-groups-overview.md) and [Manage a network security group](manage-network-security-group.md).
-Azure routes traffic between subnets by default. You may instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-cli.md).
+Azure routes traffic between subnets by default. You may instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-cli.md).
virtual-network Tutorial Filter Network Traffic Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-filter-network-traffic-powershell.md
description: In this article, you learn how to filter network traffic to a subne
tags: azure-resource-manager
-# Customer intent: I want to filter network traffic to virtual machines that perform similar functions, such as web servers.
virtual-network- Last updated 03/30/2018
+# Customer intent: I want to filter network traffic to virtual machines that perform similar functions, such as web servers.
# Filter network traffic with a network security group using PowerShell
Remove-AzResourceGroup -Name myResourceGroup -Force
In this article, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see [Network security group overview](./network-security-groups-overview.md) and [Manage a network security group](manage-network-security-group.md).
-Azure routes traffic between subnets by default. You may instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-powershell.md).
+Azure routes traffic between subnets by default. You may instead, choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how, see [Create a route table](tutorial-create-route-table-powershell.md).
virtual-network Tutorial Restrict Network Access To Resources Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-restrict-network-access-to-resources-cli.md
tags: azure-resource-manager
-# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
ms.devlang: azurecli virtual-network- Last updated 03/14/2018
+# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
# Restrict network access to PaaS resources with virtual network service endpoints using the Azure CLI
virtual-network Tutorial Restrict Network Access To Resources Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-restrict-network-access-to-resources-powershell.md
tags: azure-resource-manager
-# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
- Last updated 03/14/2018
+# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
# Restrict network access to PaaS resources with virtual network service endpoints using PowerShell
virtual-network Tutorial Tap Virtual Network Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/tutorial-tap-virtual-network-cli.md
tags: azure-resource-manager - Last updated 03/18/2018-+
virtual-network Virtual Network Bandwidth Testing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-bandwidth-testing.md
- Last updated 11/01/2023
virtual-network Virtual Network Configure Vnet Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-configure-vnet-connections.md
ms.assetid: 0433a4f4-b5a0-476d-b398-1506c57eafa2 - Last updated 08/28/2019
virtual-network Virtual Network For Azure Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-for-azure-services.md
- Last updated 05/03/2023
virtual-network Virtual Network Manage Subnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-manage-subnet.md
- - devx-track-azurecli - devx-track-azurepowershell
virtual-network Virtual Network Network Interface Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-network-interface-vm.md
tags: azure-resource-manager - Last updated 11/16/2022
virtual-network Virtual Network Nsg Manage Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-nsg-manage-log.md
- Last updated 03/22/2023-+ ms.devlang: azurecli
virtual-network Virtual Network Optimize Network Bandwidth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-optimize-network-bandwidth.md
- Last updated 03/24/2023 - # Optimize network throughput for Azure virtual machines
virtual-network Virtual Network Peering Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-peering-overview.md
- Last updated 05/28/2023 # Customer intent: As a cloud architect, I need to know how to use virtual network peering for connecting virtual networks. This will allow me to design connectivity correctly, understand future scalability options, and limitations.
virtual-network Virtual Network Service Endpoint Policies Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoint-policies-cli.md
ms.devlang: azurecli virtual-network- Last updated 02/03/2020
virtual-network Virtual Network Service Endpoint Policies Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoint-policies-portal.md
virtual-network- Last updated 02/21/2020
virtual-network Virtual Network Service Endpoint Policies Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoint-policies-powershell.md
tags: azure-resource-manager
-# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
- Last updated 02/03/2020
+# Customer intent: I want only resources in a virtual network subnet to access an Azure PaaS resource, such as an Azure Storage account.
# Manage data exfiltration to Azure Storage accounts with Virtual network service endpoint policies using Azure PowerShell
virtual-network Virtual Network Service Endpoints Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoints-overview.md
- Last updated 10/27/2023
virtual-network Virtual Network Tcpip Performance Tuning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-tcpip-performance-tuning.md
Title: TCP/IP performance tuning for Azure VMs
-description: Learn various common TCP/IP performance tuning techniques and their relationship to Azure VMs.
+description: Learn various common TCP/IP performance tuning techniques and their relationship to Azure VMs.
- Last updated 04/02/2019
virtual-network Virtual Network Test Latency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-test-latency.md
- Last updated 03/23/2023
virtual-network Virtual Network Troubleshoot Cannot Delete Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-troubleshoot-cannot-delete-vnet.md
tags: azure-resource-manager - Last updated 10/31/2018
virtual-network Virtual Network Troubleshoot Nva https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-troubleshoot-nva.md
tags: azure-resource-manager - Last updated 10/26/2018
Capture a simultaneous network trace on the source VM, the NVA, and the destinat
If you do not see the packets incoming to the backend VM trace, there is likely an NSG or UDR interfering or the NVA routing tables are incorrect.
-If you do see the packets coming in but no response, then you may need to address a VM application or a firewall issue. For either of these issues, [contact the NVA vendor for assistance as needed](https://mskb.pkisolutions.com/kb/2984655).
+If you do see the packets coming in but no response, then you may need to address a VM application or a firewall issue. For either of these issues, [contact the NVA vendor for assistance as needed](https://mskb.pkisolutions.com/kb/2984655).
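Review bot: The link text in this line says "contact the NVA vendor for assistance as needed", but the target is a KB article URL on mskb.pkisolutions.com (kb/2984655), not a vendor contact page and not a learn.microsoft.com path like the other links in these articles. Since the line is being touched anyway, replace the target with the current first-party location of that article, or drop the link and keep the sentence as plain text.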
virtual-network Virtual Network Troubleshoot Peering Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-troubleshoot-peering-issues.md
tags: virtual-network
ms.assetid: 1a3d1e84-f793-41b4-aa04-774a7e8f7719 - Last updated 08/28/2019
virtual-network Virtual Network Vnet Plan Design Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-vnet-plan-design-arm.md
- Last updated 04/08/2020
virtual-network Virtual Networks Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-faq.md
description: Answers to the most frequently asked questions about Microsoft Azur
- Last updated 06/26/2020
virtual-network Virtual Networks Name Resolution Ddns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-name-resolution-ddns.md
ms.assetid: c315961a-fa33-45cf-82b9-4551e70d32dd - Last updated 04/27/2023
virtual-network Virtual Networks Udr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-udr-overview.md
- Last updated 05/27/2023
virtual-network Virtual Networks Viewing And Modifying Hostnames https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-viewing-and-modifying-hostnames.md
ms.assetid: c668cd8e-4e43-4d05-acc3-db64fa78d828 - Last updated 03/29/2023
web-application-firewall Waf Front Door Custom Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-custom-rules.md
Here's an example JSON description of the custom rule:
"action": "Block" } ```
+## Copying and duplicating custom rules
+
+Custom rules can be duplicated within a given policy. When duplicating a rule, you need to specify a unique name for the rule and a unique priority value. Additionally, custom rules can be copied from one Azure Front Door WAF policy to another as long as the policies are both in the same subscription. When copying a rule from one policy to another, you need to select the Azure Front Door WAF policy you wish to copy the rule into. Once you select the WAF policy you need to give the rule a unique name, and assign a priority rank.
## Next steps - [Configure a WAF policy by using Azure PowerShell](waf-front-door-custom-rules-powershell.md).
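Review bot: The added paragraph uses "a unique priority value" for duplicating a rule and "assign a priority rank" for copying one, and only the duplicate case says the priority must be unique. State for the copy case that the name and priority must be unique within the destination policy, and use one term throughout. The paragraph also never says where the operation is performed (portal, CLI or PowerShell). Since rule priority decides evaluation order, add a sentence telling the reader to review the copied rule's priority against the destination policy's existing rules, so that a copied Allow or Block rule does not silently pre-empt them.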