+description: Learn how to cache the authentication token in the Immersive Reader app.

+This article demonstrates how to cache the authentication token in order to improve the performance of your application.

+Import the `Microsoft.Identity.Client` NuGet package, which is used to acquire a token. For details, see [Install Identity Client NuGet package](quickstarts/client-libraries.md?pivots=programming-language-csharp#install-identity-client-nuget-package).

+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade. To learn more, see the [migration guide](../../active-directory/develop/msal-migration.md).

+The `AuthenticationResult` object has an `AccessToken` property, which is the actual token you use when launching the Immersive Reader using the SDK. It also has an `ExpiresOn` property that denotes when the token expires. Before launching the Immersive Reader, you can check whether the token is expired, and acquire a new token only if it expired.

+Add the [request](https://www.npmjs.com/package/request) npm package to your project. Use the following code to acquire a token, using the authentication values you got when you [created the Immersive Reader resource](./how-to-create-immersive-reader.md).

+The `expires_on` property is the date and time at which the token expires, expressed as the number of seconds since January 1, 1970 UTC. Use this value to determine whether your token is expired before attempting to acquire a new one.

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+description: Learn how to configure the various options for Read Aloud in Immersive Reader.

+This article demonstrates how to configure the various options for Read Aloud in your Immersive Reader application.

+Set `voice` to either `male` or `female`. Not all languages support both voices. For more information, see [Language support](./language-support.md).

+Set `speed` to a number between `0.5` (50%) and `2.5` (250%) inclusive. Values outside this range get clamped to either 0.5 or 2.5.

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+ Title: Configure translation in Immersive Reader

+description: Learn how to configure the various Immersive Reader options for translation.

+The `options` parameter contains all of the flags that can be used to configure Translation. Set the `language` parameter to the language you wish to translate to. For the full list of supported languages, see [Language support](language-support.md).

+Set `autoEnableDocumentTranslation` to `true` to enable automatic translation of the entire document when the Immersive Reader loads.

+## Enable automatic word translation

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+description: Learn how to customize the button that launches the Immersive Reader app.

+This article demonstrates how to customize the button that launches the Immersive Reader, to fit the needs of your application.

+The [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) provides default styling for the button that launches the Immersive Reader. To enable this styling, use the `immersive-reader-button` class attribute.

+To set the style of the button, use the `data-button-style` attribute. The allowed values are `icon`, `text`, and `iconAndText`. The default value is `icon`.

+Use the following code to render the icon button.

+Use the following code to render the button text.

+Use the following code to render both the button and the text.

+To configure the language and the alt text for the button, use the `data-locale` attribute. The default language is English.

+To configure the size of the Immersive Reader icon, use the `data-icon-px-size` attribute. This sets the size of the icon in pixels. The default size is 20 px.

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+ Title: Integrate multiple Immersive Reader resources

+description: Learn how to create a Node.js application using multiple Immersive Reader resources.

+In the [overview](overview.md), you learned about the Immersive Reader and how it implements proven techniques to improve reading comprehension for language learners, emerging readers, and students with learning differences. In the [quickstart](quickstarts/client-libraries.md), you learned how to use Immersive Reader with a single resource. This tutorial covers how to integrate multiple Immersive Reader resources in the same application.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create multiple Immersive Reader resource under an existing resource group.

+> * Launch the Immersive Reader using multiple resources.

+* An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/ai-services).

+* A single Immersive Reader resource configured for Microsoft Entra authentication. Follow [these instructions](how-to-create-immersive-reader.md) to get set up.

+* A [NodeJS web app](quickstarts/client-libraries.md?pivots=programming-language-nodejs) that launches Immersive Reader.

+## Create multiple resources

+Follow [these instructions](how-to-create-immersive-reader.md) again to create each Immersive Reader resource. The `Create-ImmersiveReaderResource` script has `ResourceName`, `ResourceSubdomain`, and `ResourceLocation` as parameters. These parameters should be unique for each resource being created. The remaining parameters should be the same as what you used when setting up your first Immersive Reader resource. This way, each resource can be linked to the same Azure resource group and Microsoft Entra application.

+The following example shows how to create two resources, one in **WestUS** and another in **EastUS**. Each resource has unique values for `ResourceName`, `ResourceSubdomain`, and `ResourceLocation`.

+ -SubscriptionName <SUBSCRIPTION_NAME>

+ -ResourceName Resource_name_westus

+ -ResourceSubdomain resource-subdomain-westus

+ -ResourceSKU <RESOURCE_SKU>

+ -ResourceLocation westus

+ -ResourceGroupName <RESOURCE_GROUP_NAME>

+ -ResourceGroupLocation <RESOURCE_GROUP_LOCATION>

+ -AADAppDisplayName <MICROSOFT_ENTRA_DISPLAY_NAME>

+ -AADAppIdentifierUri <MICROSOFT_ENTRA_IDENTIFIER_URI>

+ -AADAppClientSecret <MICROSOFT_ENTRA_CLIENT_SECRET>

+ -SubscriptionName <SUBSCRIPTION_NAME>

+ -ResourceName Resource_name_eastus

+ -ResourceSubdomain resource-subdomain-eastus

+ -ResourceSKU <RESOURCE_SKU>

+ -ResourceLocation eastus

+ -ResourceGroupName <RESOURCE_GROUP_NAME>

+ -ResourceGroupLocation <RESOURCE_GROUP_LOCATION>

+ -AADAppDisplayName <MICROSOFT_ENTRA_DISPLAY_NAME>

+ -AADAppIdentifierUri <MICROSOFT_ENTRA_IDENTIFIER_URI>

+ -AADAppClientSecret <MICROSOFT_ENTRA_CLIENT_SECRET>

+In the quickstart, you created an environment configuration file that contains the `TenantId`, `ClientId`, `ClientSecret`, and `Subdomain` parameters. Since all of your resources use the same Microsoft Entra application, you can use the same values for the `TenantId`, `ClientId`, and `ClientSecret`. The only change that needs to be made is to list each subdomain for each resource.

+Your new *.env* file should now look something like:

+> [!NOTE]

+> Be sure not to commit this file into source control because it contains secrets that shouldn't be made public.

+Next, modify the *routes\index.js* file that you created to support your multiple resources. Replace its content with the following code.

+The `getimmersivereaderlaunchparams` API endpoint should be secured behind some form of authentication (for example, [OAuth](https://oauth.net/2/)) to prevent unauthorized users from obtaining tokens to use against your Immersive Reader service and billing; that work is beyond the scope of this tutorial.

+## Add sample content

+Open *views\index.pug*, and replace its content with the following code. This code populates the page with some sample content, and adds two buttons that launch the Immersive Reader. One that launches Immersive Reader for the **EastUS** resource, and another for the **WestUS** resource.

+```pug

+doctype html

+html

+ head

+ title Immersive Reader Quickstart Node.js

+ link(rel='stylesheet', href='https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css')

+ // A polyfill for Promise is needed for IE11 support.

+ script(src='https://cdn.jsdelivr.net/npm/promise-polyfill@8/dist/polyfill.min.js')

+ script(src='https://ircdname.azureedge.net/immersivereadersdk/immersive-reader-sdk.1.2.0.js')

+ script(src='https://code.jquery.com/jquery-3.3.1.min.js')

+ style(type="text/css").

+ .immersive-reader-button {

+ background-color: white;

+ margin-top: 5px;

+ border: 1px solid black;

+ float: right;

+ }

+ body

+ div(class="container")

+ button(class="immersive-reader-button" data-button-style="icon" data-locale="en" onclick='handleLaunchImmersiveReader("wus")') WestUS Immersive Reader

+ button(class="immersive-reader-button" data-button-style="icon" data-locale="en" onclick='handleLaunchImmersiveReader("eus")') EastUS Immersive Reader

+ h1(id="ir-title") About Immersive Reader

+ div(id="ir-content" lang="en-us")

+ p Immersive Reader is a tool that implements proven techniques to improve reading comprehension for emerging readers, language learners, and people with learning differences. The Immersive Reader is designed to make reading more accessible for everyone. The Immersive Reader

+ ul

+ li Shows content in a minimal reading view

+ li Displays pictures of commonly used words

+ li Highlights nouns, verbs, adjectives, and adverbs

+ li Reads your content out loud to you

+ li Translates your content into another language

+ li Breaks down words into syllables

+ h3 The Immersive Reader is available in many languages.

+ p(lang="es-es") El Lector inmersivo está disponible en varios idiomas.

+ p(lang="zh-cn") 沉浸式阅读器支持许多语言

+ p(lang="de-de") Der plastische Reader ist in vielen Sprachen verf├╝gbar.

+ p(lang="ar-eg" dir="rtl" style="text-align:right") يتوفر \"القارئ الشامل\" في العديد من اللغات.

+script(type="text/javascript").

+function getTokenAndSubdomainAsync(region) {

+ return new Promise(function (resolve, reject) {

+ $.ajax({

+ url: "/GetTokenAndSubdomain",

+ type: "GET",

+ data: {

+ region: region

+ },

+ success: function (data) {

+ if (data.error) {

+ reject(data.error);

+ } else {

+ resolve(data);

+ },

+ error: function (err) {

+ reject(err);

+ }

+ });

+ }

+ function handleLaunchImmersiveReader(region) {

+ getTokenAndSubdomainAsync(region)

+ .then(function (response) {

+ const token = response["token"];

+ const subdomain = response["subdomain"];

+ // Learn more about chunk usage and supported MIME types https://learn.microsoft.com/azure/ai-services/immersive-reader/reference#chunk

+ const data = {

+ Title: $("#ir-title").text(),

+ chunks: [{

+ content: $("#ir-content").html(),

+ mimeType: "text/html"

+ }]

+ };

+ // Learn more about options https://learn.microsoft.com/azure/ai-services/immersive-reader/reference#options

+ const options = {

+ "onExit": exitCallback,

+ "uiZIndex": 2000

+ };

+ ImmersiveReader.launchAsync(token, subdomain, data, options)

+ .catch(function (error) {

+ alert("Error in launching the Immersive Reader. Check the console.");

+ console.log(error);

+ });

+ })

+ .catch(function (error) {

+ alert("Error in getting the Immersive Reader token and subdomain. Check the console.");

+ console.log(error);

+ });

+ }

+ function exitCallback() {

+ console.log("This is the callback function. It is executed when the Immersive Reader closes.");

+ }

+```

+Your web app is now ready. Start the app by running:

+```bash

+npm start

+```

+Open your browser and navigate to `http://localhost:3000`. You should see the above content on the page. Select either the **EastUS Immersive Reader** button or the **WestUS Immersive Reader** button to launch the Immersive Reader using those respective resources.

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk)

+description: Learn how to structure HTML and retrieve your content for use with Immersive Reader.

+This article shows you how to structure your HTML and retrieve the content, so that your Immersive Reader application can use it.

+Place the content that you want to render in the Immersive Reader inside of a container element. Be sure that the container element has a unique `id`. To learn more about how the Immersive Reader provides support for basic HTML elements, see the [SDK reference](reference.md#html-support).

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+ Title: Store user preferences for Immersive Reader

+description: Learn how to store user preferences via the Immersive Reader SDK options.

+This article demonstrates how to store the user's UI settings, or *user preferences*, via the [-preferences](./reference.md#options) and [-onPreferencesChanged](./reference.md#options) Immersive Reader SDK options.

+When the [CookiePolicy](./reference.md#cookiepolicy-options) SDK option is set to *Enabled*, the Immersive Reader application stores user preferences, such as text size, theme color, and font, by using cookies. These cookies are local to a specific browser and device. Each time the user launches the Immersive Reader on the same browser and device, it opens with the user's preferences from their last session on that device. However, if the user opens the Immersive Reader app on a different browser or device, the settings are initially configured with the Immersive Reader's default settings, and the user needs to set their preferences again for each device they use. The `-preferences` and `-onPreferencesChanged` Immersive Reader SDK options provide a way for applications to roam a user's preferences across various browsers and devices, so that the user has a consistent experience wherever they use the application.

+First, by supplying the `-onPreferencesChanged` callback SDK option when launching the Immersive Reader application, the Immersive Reader sends a `-preferences` string back to the host application each time the user changes their preferences during the Immersive Reader session. The host application is then responsible for storing the user preferences in their own system. Then, when that same user launches the Immersive Reader again, the host application can retrieve that user's preferences from storage, and supply them as the `-preferences` string SDK option when launching the Immersive Reader application, so that the user's preferences are restored.

+This functionality can be used as an alternate means to storing user preferences when using cookies isn't desirable or feasible.

+> Don't attempt to programmatically change the values of the `-preferences` string sent to and from the Immersive Reader application because this might cause unexpected behavior resulting in a degraded user experience. Host applications should never assign a custom value to or manipulate the `-preferences` string. When using the `-preferences` string option, use only the exact value that was returned from the `-onPreferencesChanged` callback option.

+## Enable storing user preferences

+The Immersive Reader SDK [launchAsync](./reference.md#launchasync) `options` parameter contains the `-onPreferencesChanged` callback. This function is called anytime the user changes their preferences. The `value` parameter contains a string, which represents the user's current preferences. This string is then stored, for that user, by the host application.

+## Load user preferences

+Pass in the user's preferences to the Immersive Reader app by using the `-preferences` option. A trivial example to store and load the user's preferences is as follows:

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](reference.md)

+description: Learn how to display math in the Immersive Reader app.

+The Immersive Reader can display math expressions when provided in the form of Mathematical Markup Language ([MathML](https://developer.mozilla.org/docs/Web/MathML)).

+## Send math to the Immersive Reader

+In order to display math in the Immersive Reader app, supply a [chunk](../reference.md#chunk) that contains MathML, and set the MIME type to `application/mathml+xml`. To learn more, see [supported MIME types](../reference.md#supported-mime-types).

+For example, see the following content:

+You can then display your content by using the following JavaScript.

+## Next step

+> [!div class="nextstepaction"]

+> [Explore the Immersive Reader SDK reference](../reference.md)

+ Title: "Set Immersive Reader cookie policy"

+description: Learn how to set the cookie policy for the Immersive Reader app.

+The Immersive Reader disables cookie usage by default. If you enable cookie usage, then the Immersive Reader can use cookies to maintain user preferences and track feature usage. If you enable cookie usage in the Immersive Reader, consider the requirements of the EU Cookie Compliance Policy. It's the responsibility of the host application to obtain any necessary user consent in accordance with the EU Cookie Compliance Policy.

+## Enable cookie usage

+const options = {

+## Disable cookie usage

+const options = {

+## Next step

+> [!div class="nextstepaction"]

+> [View the quickstart guides](../quickstarts/client-libraries.md?pivots=programming-language-nodejs)

+ Title: "Quickstart: Build an Immersive Reader app"

+description: Learn how to build an Immersive Reader app using C#, Node.js, Java, Kotlin, and Swift to help improve reading comprehension.

+# Quickstart: Build an Immersive Reader app

+[Immersive Reader](https://www.onenote.com/learningtools) is an inclusively designed tool that implements proven techniques to improve reading comprehension for new readers, language learners, and people with learning differences such as dyslexia. You can use Immersive Reader in your applications to isolate text to improve focus, display pictures for commonly used words, highlight parts of speech, read selected text out loud, translate words and phrases in real-time, and more.

+Use this article to learn how to use Azure OpenAI On Your Data securely by protecting data and resources with Microsoft Entra ID role-based access control, virtual networks, and private endpoints.

+This step can be skipped only if you have a [shared private link](#create-shared-private-link) for your Azure AI Search resource.

+You can use basic pricing tier and higher for the configuration below. It's not necessary, but if you use the S2 pricing tier you will see [additional options](#create-shared-private-link) available for selection.

+The private endpoint resource is provisioned in a Microsoft managed tenant, while the linked resource is in your tenant. You can't access the private endpoint resource by just clicking the **private endpoint** link (in blue font) in the **Private access** tab of the **Networking page**. Instead, click elsewhere on the row, then the **Approve** button above should be clickable.

+### Create shared private link

+> [!TIP]

+> If you are using a basic or standard pricing tier, or if it is your first time to setup all of your resources securely, you should skip this advanced topic.

+This section is only applicable for S2 pricing tier search resource, because it requires [private endpoint support for indexers with a skill set](/azure/search/search-limits-quotas-capacity#shared-private-link-resource-limits).

+To create shared private link from your search resource connecting to your Azure OpenAI resource, see the [search documentation](/azure/search/search-indexer-howto-access-private). Select **Resource type** as `Microsoft.CognitiveServices/accounts` and **Group ID** as `openai_account`.

+With shared private link, [step eight](#data-ingestion-architecture) of the data ingestion architecture diagram is changed from **bypass trusted service** to **private endpoint**.

+The Azure AI Search shared private link you created is also in a Microsoft managed virtual network, not your virtual network. The difference compared to the other managed private endpoint created [earlier](#disable-public-network-access-1) is that the managed private endpoint `[1]` from Azure OpenAI to Azure Search is provisioned through the [form application](#disable-public-network-access-1), while the managed private endpoint `[2]` from Azure Search to Azure OpenAI is provisioned via Azure portal or REST API of Azure Search.

+| `Storage Blob Data Contributor` | Azure AI Search | Storage Account | Reads blob and writes knowledge store. |

+> A Speech resource can inherit or be assigned multiple roles. The final level of access to the resource is a combination of all role permissions.

+A role definition is a collection of permissions. When you create a Speech resource, the built-in roles in the following table are available for assignment.

+> [!WARNING]

+> Speech service architecture differs from other Azure AI services in the way it uses [Azure control plane and data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). Speech service is extensively using data plane comparing to other Azure AI services, and this requires different set up for the roles. Because of this some general Cognitive Services roles have actual access right set that doesn't exactly match their name when used in Speech services scenario. For instance *Cognitive Services User* provides in effect the Contributor rights, while *Cognitive Services Contributor* provides no access at all. The same is true for generic *Owner* and *Contributor* roles which have no data plane rights and consequently provide no access to Speech resource. To keep consistency we recommend to use roles containing *Speech* in their names. These roles are *Cognitive Services Speech User* and *Cognitive Services Speech Contributor*. Their access right sets were designed specifically for the Speech service. In case you would like to use general Cognitive Services roles and Azure generic roles, we ask you to very carefully study the following access right table.

+|**Owner** |Yes |None |No |

+|**Contributor** |Yes |None |No |

+|**Cognitive Services Contributor** |Yes |None |No |

+In the deployment detail page, switch to the **Test** tab.

+In the deployment detail page, switch to the **Consume** tab. You can find the REST endpoint and key/token to consume your endpoint. There's also sample code for you to consume the endpoint in different languages.

+You need to input values for `RequestBody` or `data` and `api_key`. For example, if your flow has 2 inputs `location` and `url`, then you need to specify data as following.

+```json

+ {

+"location": "LA",

+"url": "<the_url_to_be_classified>"

+}

+```

+| prompt | string | Text prompt that the language model uses to generate its response. The Jinja template for composing prompts in this tool follows a similar structure to the chat API in the LLM tool. To represent an image input within your prompt, you can use the syntax ``. Image input can be passed in the `user`, `system` and `assistant` messages. | Yes |

+## Next step

+- Learn more about [how to process images in prompt flow](../flow-process-image.md).

+- [Learn more about how to create a flow](../flow-develop.md).

+1. Go to **AI project settings**, then select **New Connection**.

+1. Select **Custom** service. You can define your connection name, and you can add multiple *Key-value pairs* to store your credentials and keys by selecting **Add key-value pairs**.

+ :::image type="content" source="../../media/prompt-flow/create-connection.png" alt-text="Screenshot that shows create connection in AI Studio." lightbox = "../../media/prompt-flow/create-connection.png":::

+| Storage | [Catalogic](#catalogic) <br> [Veeam](#veeam) |

+| CloudCasa by Catalogic | Migration <br> Storage |

+CloudCasa by Catalogic is a Kubernetes backup, recovery, and migration solution that is fully compatible with AKS, as well as all other major Kubernetes distributions and managed services.

+For more information, see [CloudCasa by Catalogic Solutions](https://cloudcasa.io/) and [CloudCasa by Catalogic on Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/catalogicsoftware1625626770507.cloudcasa-aks-app).

+ * Mounting of a CIFS share fails because FIPS disables some authentication modules. To work around this issue, see [Errors when mounting a file share on a FIPS-enabled node pool][errors-mount-file-share-fips].

+[errors-mount-file-share-fips]: /troubleshoot/azure/azure-kubernetes/fail-to-mount-azure-file-share#fipsnodepool

+The following table lists a few example operations related to AKS that may be created in the [Activity log](../azure-monitor/essentials/activity-log-insights.md). Use the Activity log to track information such as when a cluster is created or had its configuration change. You can view this information in the portal or by using [other methods](../azure-monitor/essentials/activity-log.md#other-methods-to-retrieve-activity-log-events). You can also use it to create an [Activity log alert]() to be proactively notified when an event occurs.

+Azure App Service provides built-in tools to monitor the status and health of your resources. Resource events help you understand any changes that were made to your underlying web app resources and take action as necessary. Event examples include: scaling of instances, updates to application settings, restarting of the web app, and many more. In this article, you'll learn how to view [Azure Activity Logs](../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log) and enable [Event Grid](../event-grid/index.yml) to monitor App Service resource events.

+[View and retrieve Azure Activity log events.](../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log)

+In this quickstart, you use the Azure portal to create an [Azure Application Gateway](overview.md) and test it to make sure it works correctly. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, a simple setup is used with a public frontend IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines (VMs) in the backend pool.

+An Azure account with an active subscription is required. If you don't already have an account, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+Create the application gateway using the tabs on the **Create application gateway** page.

+ - Use the default selections for other settings.

+ 

+ - **Subnet name** (Application Gateway subnet): The **Subnets** list shows a subnet named *default*. Change the name of this subnet to *myAGSubnet*.<br>The application gateway subnet can contain only application gateways. No other resources are allowed. The default IP address range provided is 10.0.0.0/24.

+ 

+3. Select **Next: Frontends**.

+ 

+ 

+ 

+5. For the **Backend setting**, select **Add new** to add a new Backend setting. The Backend setting determines the behavior of the routing rule. In the **Add Backend setting** window that opens, enter *myBackendSetting* for the **Backend settings name** and *80* for the **Backend port**. Accept the default values for the other settings in the **Add Backend setting** window, then select **Add** to return to the **Add a routing rule** window.

+ 

+ 

+ 

+1. Add a backend subnet.

+2. Create two new VMs, *myVM* and *myVM2*, to be used as backend servers.

+3. Install IIS on the virtual machines to verify that the application gateway was created successfully.

+4. Add the backend servers to the backend pool.

+### Add a backend subnet

+The subnet *myAGSubnet* can only contain the application gateway, so we need another subnet to add backend targets.

+To create a backend subnet:

+1. Select the **myVNet** resource. You can select it under **Deployment details** after deployment of the application gateway is complete, or you can search for Virtual networks and select it from the list.

+2. Under **Settings**, select **Subnets** and then select **+ Subnet** to begin adding a new subnet.

+ - **Name**: Enter *myBackendSubnet*.

+ - **Subnet address range**: Enter an address range that doesn't overlap with the address range of *myAGSubnet*. For example, if the address range of *myAGSubnet* is 10.0.0.0/24, enter *10.0.1.0/24* for the address range of *myBackendSubnet*. This address range might be already entered by default.

+3. Use the default settings for other items and then select **Save**.

+ 

+ 

+3. Create a second virtual machine and install IIS by using the steps that you previously completed. Use *myVM2* for the virtual machine name and for the `VMName` setting of the **Set-AzVMExtension** cmdlet.

+ 

+4. Enter *myResourceGroupAG* under **TYPE THE RESOURCE GROUP NAME** and then select **Delete**.

+Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. With Azure role-based access control (Azure RBAC), you can use Microsoft Entra ID and role assignments in Azure to control authorization checks on the cluster. This allows the benefits of Azure role assignments, such as activity logs showing all Azure RBAC changes to an Azure resource, to be used with your Azure Arc-enabled Kubernetes cluster.

+On the cluster side, a reverse proxy agent called `clusterconnect-agent`, deployed as part of the agent Helm chart, makes outbound calls to the Azure Arc service to establish the session.

+The [activity log](../../azure-monitor/essentials/activity-log-insights.md) is an Azure platform log that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can [view the activity log](../../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log) in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are [retained for 90 days](../../azure-monitor/essentials/activity-log-insights.md#retention-period) and then deleted.

+For **Arc-enabled VMware vSphere**, manual upgrade and cloud upgrade are available. Appliances on version 1.0.15 and higher are automatically opted-in to cloud-managed upgrade. With cloud-managed upgrade, Microsoft may attempt to upgrade your Arc resource bridge at any time if it is on an appliance version that will soon be out of support. In order for either upgrade option to work, the upgrade prerequisites must be met. While Microsoft offers cloud-managed upgrade, youΓÇÖre still responsible for checking that your resource bridge is healthy, online, in a "Running" status, and within the supported n-3 versions. Disruptions could cause cloud-managed upgrades to fail.ΓÇ» Any appliances that are earlier than version 1.0.15 must be manually upgraded. A manual upgrade only upgrades the appliance to the next version, not the latest version. If you have multiple versions to upgrade, another option is to review the steps for [performing a recovery](/azure/azure-arc/vmware-vsphere/recover-from-resource-bridge-deletion), then delete the appliance VM and perform the recovery steps. This deploys a new Arc resource bridge using the latest version and reconnects pre-existing Azure resources.

+For **Azure Arc VM management (preview) on Azure Stack HCI**, appliance version 1.0.15 or higher is only available on Azure Stack HCI build 23H2. In HCI 23H2, the LCM tool manages upgrades across all HCI, Arc resource bridge, and extension components as a "validated recipe" package. Any preview version of Arc resource bridge must be removed prior to updating from 22H2 to 23H2. Attempting to upgrade Arc resource bridge independent of other HCI environment components may cause problems in your environment that could result in a disaster recovery scenario. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+- The appliance VM must be online, healthy, status is "Running" and the [credentials in the appliance VM](maintenance.md#update-credentials-in-the-appliance-vm) must be valid.

+Arc resource bridges on a supported [private cloud provider](#private-cloud-providers) with an appliance version 1.0.15 or higher are automatically opted into cloud-managed upgrade. With cloud-managed upgrade, Microsoft may attempt to upgrade your Arc resource bridge at any time if it is on an appliance version that will soon be out of support. The upgrade prerequisites must be met for cloud-managed upgrade to work. While Microsoft offers cloud-managed upgrade, youΓÇÖre still responsible for checking that your resource bridge is healthy, online, in a "Running" status, and within the supported n-3 versions. Disruptions could cause cloud-managed upgrades to fail.

+To check your resource bridge status and the appliance version run the `az arcappliance show` command from your management machine or check the Azure resource of your Arc resource bridge. If your appliance VM isn't in a healthy, Running state, cloud-managed upgrade might fail.

+The Arc resource bridge version is tied to the versions of underlying components used in the appliance image, such as the Kubernetes version. When there's a change in the appliance image, the Arc resource bridge version gets incremented. This generally happens when a new `az arcappliance` CLI extension version is released. A new extension is typically released on a monthly cadence at the end of the month or early in the month. For detailed release info, see the [Arc resource bridge release notes](https://github.com/Azure/ArcResourceBridge/releases) on GitHub.

+Download for [Windows](https://download.microsoft.com/download/4/8/f/48f69eb1-f7ce-499f-b9d3-5087f330ae79/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+If you onboarded to Azure Arc-enabled SCVMM before **September 22, 2023**, and your VMs were Azure-enabled, you'll no longer be able to perform any operations on the VMs, except the **Remove from Azure** operation.

+To continue using these machines, follow these instructions to switch to the new version.

+If you onboarded to Arc-enabled SCVMM before September 22, 2023, for VMs that are Azure-enabled, follow these steps to switch to the new version:

+> By default, all Azure Cache for Redis tiers use Microsoft managed keys to encrypt disks mounted to cache instances. However, in the Basic and Standard tiers, the C0 and C1 SKUs do not support any disk encryption.

+- persistence disk: holds persisted RDB or AOF files as part of [data persistence](cache-how-to-premium-persistence.md)

+- the OS disk

+In the **Enterprise Flash** tier, keys and values are also partially stored on-disk using nonvolatile memory express (NVMe) flash storage. However, this disk isn't the same as the one used for persisted data. Instead, it's ephemeral, and data isn't persisted after the cache is stopped, deallocated, or rebooted. MMK is only supported on this disk because this data is transient and ephemeral.

+- Changing between MMK and CMK on an existing cache instance triggers a long-running maintenance operation. We don't recommend this for production use because a service disruption occurs.

+1. On the **Advanced** page, go to the section titled **Customer-managed key encryption at rest** and enable the **Use a customer-managed key** option.

+1. Select your chosen user assigned managed identity, and then choose the key input method to use.

+1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.

+1. Go to the **Encryption** in the Resource menu of your cache instance. If CMK is already set up, you see the key information.

+1. If you haven't set up or if you want to change CMK settings, select **Change encryption settings**

+1. Select **Use a customer-managed key** to see your configuration options.

+1. Select your chosen user assigned managed identity, and then choose which key input method to use.

+1. If using the **Select Azure key vault and key** input method, choose the Key Vault instance that holds your customer managed key. This instance must be in the same region as your cache.

+description: Learn how to monitor the health and performance your Azure Cache for Redis instances.

+- set alerts when certain conditions are met

+The **Monitoring** section in the Resource menu contains **Insights**. When you select **Insights**, you see groupings of three types of charts: **Overview**, **Performance**, and **Operations**.

+- **Max** shows the maximum value of a data point in the time granularity.

+- **Min** shows the minimum value of a data point in the time granularity.

+ - This metric isn't available for caches that are affected by Cloud Service retirement. See more information [here](cache-faq.yml#caches-with-a-dependency-on-cloud-services--classic)

+ - **Failover** ΓÇô when a cache fails over (subordinate promotes to primary).

+ - **Dataloss** ΓÇô when there's data loss on the cache.

+ - **UnresponsiveClients** ΓÇô when the clients aren't reading data from the server fast enough, and specifically, when the number of bytes in the Redis server output buffer for a client goes over 1,000,000 bytes.

+ - **AOF** ΓÇô when there's an issue related to AOF persistence.

+ - **RDB** ΓÇô when there's an issue related to RDB persistence.

+ - **Import** ΓÇô when there's an issue related to Import RDB.

+ - **Export** ΓÇô when there's an issue related to Export RDB.

+ - **AADAuthenticationFailure** (preview) - when there's an authentication failure using Microsoft Entra access token. Not recommended. Use **MicrosoftEntraAuthenticationFailure** instead.

+ - **AADTokenExpired** (preview) - when a Microsoft Entra access token used for authentication isn't renewed and it expires. Not recommended. Use **MicrosoftEntraTokenExpired** instead.

+ - **MicrosoftEntraAuthenticationFailure** (preview) - when there's an authentication failure using Microsoft Entra access token.

+ - **MicrosoftEntraTokenExpired** (preview) - when a Microsoft Entra access token used for authentication isn't renewed and it expires.

+> Metrics for errors aren't available when using the Enterprise tiers.

+ - Sum of the number of get commands run on the cache during the specified reporting interval. The sum is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _get_ family, including `GET`, `HGET` , `MGET`, and others. This value can differ from the total number of hits and misses because some individual commands access multiple keys. For example: `MGET key1 key2 key3` only increments the number of gets by one but increments the combined number of hits and misses by three.

+ - The total number of commands processed per second by the cache server during the specified reporting interval. This value maps to "instantaneous_ops_per_sec" from the Redis INFO command.

+ - Sum of the number of set commands run on the cache during the specified reporting interval. This sum is a combined total of the increases in the `cmdstat` counts reported by the Redis INFO all command for all commands in the _set_ family, including `SET`, `HSET` , `MSET`, and others.

+- **Geo-Replication Dashboard** pulls geo-replication health and status metrics from both the geo-primary and geo-secondary cache instances to give a complete picture of geo-replication health. Using this dashboard is recommended, as some geo-replication metrics are only emitted from either the geo-primary or geo-secondary.

+## February 2024

+Support for using customer managed keys for disk (CMK) encryption has now reached General Availability (GA).

+For more information, see [How to configure CMK encryption on Enterprise caches](cache-how-to-encryption.md#how-to-configure-cmk-encryption-on-enterprise-caches).

+All tiers of Azure Cache for Redis now support TLS 1.3.

+Microsoft Entra ID based [authentication and authorization](cache-azure-active-directory-for-authentication.md) is now available for public preview with Azure Cache for Redis. With this Microsoft Entra ID integration, users can connect to their cache instance without an access key and use [role-based access control](cache-configure-role-based-access-control.md) to connect to their cache instance.

+This example reads a mandatory parameter, named `id`, and an optional parameter `name` from the route path, and uses them to build a JSON document returned to the client, with content type `application/json`.

+### HTTP streams (preview)

+You can now stream requests to and responses from your HTTP endpoint in Node.js v4 function apps. For more information, see [HTTP streams](functions-reference-node.md?pivots=nodejs-model-v4#http-streams-preview).

+> Even though host.json supports custom ranges for `version`, you should use a version range value from this table, such as `[4.0.0, 5.0.0)`.

+ "version": "[4.0.0, 5.0.0)"

+| provideAnonymousTelemetry | true | Determines whether to send anonymous usage and error telemetry to Microsoft. This telemetry may be used if you contact Microsoft to help troubleshoot problems with the Snapshot Debugger. It's also used to monitor usage patterns. |

+| snapshotsPerTenMinutesLimit | 1 | The maximum number of snapshots allowed in 10 minutes. Although there's no upper bound on this value, exercise caution increasing it on production workloads because it could impact the performance of your application. Creating a snapshot is fast, but creating a minidump of the snapshot and uploading it to the Snapshot Debugger service is a much slower operation that will compete with your application for resources (both CPU and I/O). |

+|DisableColors|false| Suppresses log formatting in the container logs on Linux. Set to true if you're seeing unwanted ANSI control characters in the container logs when running on Linux. |

+| defaultExecutablePath | n/a | The executable to start as the custom handler process. It's a required setting when using custom handlers and its value is relative to the function app root. |

+| workingDirectory | *function app root* | The working directory in which to start the custom handler process. It's an optional setting and its value is relative to the function app root. |

+|fileLoggingMode|debugOnly|Determines the file logging behavior when running in Azure. Options are `never`, `always`, and `debugOnly`. This setting isn't used when running locally. When possible, you should use Application Insights when debugging your functions in Azure. Using `always` negatively impacts your app's cold start behavior and data throughput. The default `debugOnly` setting generates log files when you're debugging using the Azure portal. |

+An array of one or more names of files that are monitored for changes that require your app to restart. This guarantees that when code in these files is changed, the updates are picked up by your functions.

+| 2.x | n/a | 3.x | 14.x, 12.x, 10.x | Reached end of support on December 13, 2022. See [Functions Versions](./functions-versions.md) for more info. |

+| 1.x | n/a | 2.x | 10.x, 8.x | Reached end of support on December 13, 2022. See [Functions Versions](./functions-versions.md) for more info. |

+The `app`, `trigger`, `input`, and `output` objects exported by the `@azure/functions` module provide type-specific methods for most types. For all the types that aren't supported, a `generic` method is provided to allow you to manually specify the configuration. The `generic` method can also be used if you want to change the default settings provided by a type-specific method.

+| **`bodyUsed`** | `boolean` | A boolean indicating if the body is already read. |

+## HTTP streams (preview)

+HTTP streams is a feature that makes it easier to process large data, stream OpenAI responses, deliver dynamic content, and support other core HTTP scenarios. It lets you stream requests to and responses from HTTP endpoints in your Node.js function app. Use HTTP streams in scenarios where your app requires real-time exchange and interaction between client and server over HTTP. You can also use HTTP streams to get the best performance and reliability for your apps when using HTTP.

+HTTP streams is currently in preview.

+>[!IMPORTANT]

+>HTTP streams aren't supported in the v3 model. [Upgrade to the v4 model](./functions-node-upgrade-v4.md) to use the HTTP streaming feature.

+The existing `HttpRequest` and `HttpResponse` types in programming model v4 already support various ways of handling the message body, including as a stream.

+

+### Prerequisites

+- The [`@azure/functions` npm package](https://www.npmjs.com/package/@azure/functions) version 4.3.0 or later.

+- [Azure Functions runtime](./functions-versions.md) version 4.28 or later.

+- [Azure Functions Core Tools](./functions-run-local.md) version 4.0.5530 or a later version, which contains the correct runtime version.

+### Enable streams

+Use these steps to enable HTTP streams in your function app in Azure and in your local projects:

+1. If you plan to stream large amounts of data, modify the [`FUNCTIONS_REQUEST_BODY_SIZE_LIMIT`](./functions-app-settings.md#functions_request_body_size_limit) setting in Azure. The default maximum body size allowed is `104857600`, which limits your requests to a size of ~100 MB.

+1. For local development, also add `FUNCTIONS_REQUEST_BODY_SIZE_LIMIT` to the [local.settings.json file](./functions-develop-local.md#local-settings-file).

+1. Add the following code to your app in any file included by your [main field](./functions-reference-node.md#registering-a-function).

+ #### [JavaScript](#tab/javascript)

+

+ ```javascript

+ const { app } = require('@azure/functions');

+

+ app.setup({ enableHttpStream: true });

+ ```

+ #### [TypeScript](#tab/typescript)

+

+ ```typescript

+ import { app } from '@azure/functions';

+

+ app.setup({ enableHttpStream: true });

+ ```

+

+

+### Stream examples

+This example shows an HTTP triggered function that receives data via an HTTP POST request, and the function streams this data to a specified output file:

+#### [JavaScript](#tab/javascript)

+#### [TypeScript](#tab/typescript)

+This example shows an HTTP triggered function that streams a file's content as the response to incoming HTTP GET requests:

+#### [JavaScript](#tab/javascript)

+#### [TypeScript](#tab/typescript)

+

+### Stream considerations

+ "version": "[4.0.0, 5.0.0)"

+ "version": "[4.0.0, 5.0.0)"

+ Title: Links to the Azure Maps Rest API

+description: Links to the Azure Maps Rest API.

+# Azure Maps Rest API

+Azure Maps is a set of mapping and geospatial services that enable developers and organizations to build intelligent location-based experiences for applications across many different industries and use cases. Use Azure Maps to bring maps, geocoding, location search, routing, real-time traffic, geolocation, time zone information and weather data into your web, mobile and server-side solutions.

+The following tables show overviews of the services that Azure Maps offers:

+## Latest release

+The most recent stable release of the Azure Maps services.

+| API | Description |

+|--|-|

+| [Data] | The Azure Maps Data v2 service is deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service need to be updated to use the Azure Maps [Data registry] service by 9/16/24. For more information, see [How to create data registry]. |

+| [Data Registry] | Programmatically store and update geospatial data to use in spatial operations. |

+| [Geolocation] | Convert IP addresses to country/region ISO codes. |

+| [Render] | Get road, satellite/aerial, weather, traffic map tiles, and static map images. |

+| [Route] | Calculate optimized travel times and distances between locations for multiple modes of transportation and get localized travel instructions. |

+| [Search] | Geocode addresses and coordinates, search for business listings and places by name or category and get administrative boundary polygons. |

+| [Spatial] | Use geofences, great circle distances and other spatial operations to analyze location data. |

+| [Timezone] | Get time zone and sunrise/sunset information for specified locations. |

+| [Traffic] | Get current traffic information including traffic flow and traffic incident details. |

+| [Weather] | Get current, forecasted, and historical weather conditions, air quality, tropical storm details and weather along a route. |

+## Previous release

+A previous stable release of an Azure Maps service that is still in use. The services in this list will generally have a more recent version available, and are slated for retirement. If using a previous release, update to the latest version before it's retired to avoid disruption of service.

+| API | Description |

+|--|-|

+| [Data][Data-v1] | The Azure Maps Data v1 service is deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service need to be updated to use the Azure Maps [Data registry] service by 9/16/24. For more information, see [How to create data registry]. |

+| [Render][Render v1] | Get road, satellite/aerial, weather, traffic map tiles and static map images.<BR>The Azure Maps [Render v1] service is now deprecated and will be retired on 9/17/26. To avoid service disruptions, all calls to Render v1 API needs to be updated to use the latest version of the [Render] API by 9/17/26. |

+| [Search][Search-v1] | Geocode addresses and coordinates, search for business listings and places by name or category and get administrative boundary polygons. This is version 1.0 of the Search service. For the latest version, see [Search]. |

+## Latest preview

+Prerelease version of an Azure Maps service. Preview releases contain new functionality or updates to existing functionality that will be included in a future release.

+| API | Description |

+|--|-|

+| [Route][Route-2023-10-01-preview] | Returns the ideal route in GeoJSON between locations for multiple modes of transportation.<BR><BR>Some of the updates in this version of the Route service include:<ul><li>Routes with "via" waypoints that the route must pass through.</li><li>More geographies</li><li>More languages available for localized travel instructions.</li></ul> |

+<! Links to latest versions of each service ->

+[Data]: /rest/api/maps/data

+[How to create data registry]: /azure/azure-maps/how-to-create-data-registries

+[Data Registry]: /rest/api/maps/data-registry

+[Geolocation]: /rest/api/maps/geolocation

+[Render]: /rest/api/maps/render

+[Route]: /rest/api/maps/route

+[Search]: /rest/api/maps/search

+[Spatial]: /rest/api/maps/spatial

+[Timezone]: /rest/api/maps/timezone

+[Traffic]: /rest/api/maps/traffic

+[Weather]: /rest/api/maps/weather

+<! Links to previous versions of each service -->

+[Data-v1]: /rest/api/maps/data?view=rest-maps-1.0

+[Render v1]: /rest/api/maps/render?view=rest-maps-1.0

+[Search-v1]: /rest/api/maps/search?view=rest-maps-1.0

+<! 2023-10-01-preview is the latest preview release of the Route service,

+ currently the only Azure Maps service in Preview -->

+[Route-2023-10-01-preview]: /rest/api/maps/route?view=rest-maps-2023-10-01-preview

+ Title: Links to the Azure Maps Creator Rest API

+description: Links to the Azure Maps Creator Rest API

+# Creator Rest API

+Indoor mapping is a technology that enables the creation of digital maps of the interior of buildings. It helps visitors navigate through buildings and locate points of interest such as restrooms, conference rooms, and offices. Indoor mapping can be used to create a more convenient and enjoyable visitor experience. Visitors can spend less time searching for building directories and more time discovering new points of interest. With Azure Maps Creator, you can create indoor maps that enable customers to zoom in and out of a building to see each floor and navigate to any desired location using Creator's wayfinding service. In addition to common mapping functionality, Azure Maps Creator offers an array of useful services that enable you to implement functionality such as asset tracking, facility management, workspace optimization, hybrid work models to support a blend of in-office, remote, and on-the-go working, and much more.

+The following tables offer high-level overviews of the services that Azure Maps Creator offers:

+## Latest release

+The most recent stable release of the Creator services.

+| API | Description |

+|--|-|

+| [Alias] | This API allows the caller to assign an alias to reference a resource. |

+| [Conversion] | Used to import a set of DWG design files as a zipped [Drawing Package](https://aka.ms/am-drawing-package) into Azure Maps.|

+| [Dataset] | A collection containing the indoor map [features](/azure/azure-maps/glossary#feature) of a facility. This API allows the caller to create a dataset from previously uploaded data. |

+| [Feature State] | The Feature stateset can be used to dynamically render features in a facility according to their current state and respective map style. |

+| [Tileset] | A `tileset` is a collection of vector tiles that render on the map, created from an existing dataset. |

+| [WFS] | Use the Web Feature Service (WFS) API to query for all feature collections or a specific collection within a dataset. For example, you can use WFS to find all mid-size meeting rooms in a specific building and floor level. |

+## Latest preview

+Pre-release version of a Creator service. Preview releases contain new functionality or updates to existing functionality that will be included in a future release.

+| API | Description |

+|--|-|

+| [Alias][Alias-preview] | This API allows the caller to assign an alias to reference a resource. |

+| [Conversion][Conversion-preview] | Used to import a set of DWG design files as a zipped [Drawing Package](https://aka.ms/am-drawing-package) into Azure Maps.|

+| [Dataset][Dataset-preview] | A collection of indoor map [features](/azure/azure-maps/glossary#feature) in a facility. This API allows the caller to create a dataset from previously uploaded data. |

+| [Feature State][Feature State-preview] | The Feature stateset can be used to dynamically render features in a facility according to their current state and respective map style. |

+| [Features] | An instance of an object produced from the [Conversion][Conversion-preview] service that combines a geometry with metadata information. |

+| [Map Configuration] | Map Configuration in indoor mapping refers to the default settings of a map that are applied when the map is loaded. It includes the default zoom level, center point, and other map settings. |

+| [Routeset] | Use the routeset API to create the data that the wayfinding service needs to generate paths. |

+| [Style] | Use the Style API to customize your facility's look and feel. Everything is configurable from the color of a feature, the icon that renders, or the zoom level when a feature should appear or disappear. |

+| [Tileset][Tileset-preview] | A collection of vector tiles that render on the map, created from an existing dataset. |

+| [Wayfinding] | Wayfinding is a technology that helps people navigate through complex indoor environments such as malls, offices, stadiums, airports and office buildings. |

+<! V2 is the latest stable release of each Creator service >

+[Alias]: /rest/api/maps-creator/alias

+[Conversion]: /rest/api/maps-creator/conversion

+[Dataset]: /rest/api/maps-creator/dataset

+[Feature State]: /rest/api/maps-creator/feature-state

+[Tileset]: /rest/api/maps-creator/tileset

+[WFS]: /rest/api/maps-creator/wfs

+<! 2023-03-01-preview is the latest preview release of each Creator service ->

+[Alias-preview]: /rest/api/maps-creator/alias?view=rest-maps-creator-2023-03-01-preview

+[Conversion-preview]: /rest/api/maps-creator/conversion?view=rest-maps-creator-2023-03-01-preview

+[Dataset-preview]: /rest/api/maps-creator/dataset?view=rest-maps-creator-2023-03-01-preview

+[Feature State-preview]: /rest/api/maps-creator/feature-state?view=rest-maps-creator-2023-03-01-preview

+[Features]: /rest/api/maps-creator/features?view=rest-maps-creator-2023-03-01-preview

+[Map configuration]: /rest/api/maps-creator/map-configuration?view=rest-maps-creator-2023-03-01-preview

+[Routeset]: /rest/api/maps-creator/routeset?view=rest-maps-creator-2023-03-01-preview

+[Style]: /rest/api/maps-creator/style?view=rest-maps-creator-2023-03-01-preview

+[Tileset-preview]: /rest/api/maps-creator/tileset?view=rest-maps-creator-2023-03-01-preview

+[Wayfinding]: /rest/api/maps-creator/wayfinding?view=rest-maps-creator-2023-03-01-preview

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+##### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+##### [Java](#tab/java)

+##### [Node.js](#tab/nodejs)

+##### [Python](#tab/python)

+##### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+##### [Java](#tab/java)

+##### [Node.js](#tab/nodejs)

+##### [Python](#tab/python)

+##### [ASP.NET Core](#tab/aspnetcore)

+##### [.NET](#tab/net)

+##### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+##### [Python](#tab/python)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+Use the [View change history](../essentials/activity-log-insights.md#view-change-history) feature to call the Azure Monitor Change Analysis service backend to view changes associated with an operation. Changes returned include:

+This feature performs a polling operation against the metrics endpoints including `/api/v1/nodes`, `/apis/metrics.k8s.io/v1beta1/nodes`, and `/api/v1/pods`. The interval is every five seconds by default. This data is cached in your browser and charted in four performance charts included in Container insights. Each subsequent poll is charted into a rolling five-minute visualization window. To see the charts, slide the **Live** option to **On**.

+With both the underlying platform and agent deprecations, on August 31, 2024 the [Container Monitoring Solution](./containers.md) will be retired. If you use the Container Monitoring Solution to ingest data to your Log Analytics workspace, make sure to transition to using [Container Insights](./container-insights-overview.md) prior to that date.

+A list of Azure Monitor billing meter names is available [here](cost-meters.md).

+To limit the view to Azure Monitor charges, [create a filter](../cost-management-billing/costs/group-filter.md) for the following **Service names**. See [Azure Monitor billing meter names](cost-meters.md) for the different billing meters that are included in each service.

+ Title: Azure activity log and activity log insights

+# Customer intent: As an IT manager, I want to understand how I can use the activity log and activity log insights to monitor changes to resources and resource groups in an Azure subscription.

+# Use the Azure Monitor activity log and activity log insights

+The Azure Monitor activity log is a platform log that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. This article provides information on how to view the activity log and send it to different destinations.

+## View the activity log

+You can access the activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the **Monitor** menu, the only filter is on the subscription. If you open it from a resource's menu, the filter is set to that resource. You can always change the filter to view all other entries. Select **Add Filter** to add more properties to the filter.

+<!-- convertborder later -->

+For a description of activity log categories, see [Azure activity log event schema](activity-log-schema.md#categories).

+## Download the activity log

+Select **Download as CSV** to download the events in the current view.

+<!-- convertborder later -->

+### View change history

+For some events, you can view the change history, which shows what changes happened during that event time. Select an event from the activity log you want to look at more deeply. Select the **Change history** tab to view any changes on the resource up to 30 minutes before and after the time of the operation.

+If any changes are associated with the event, you'll see a list of changes that you can select. Selecting a change opens the **Change history** page. This page displays the changes to the resource. In the following example, you can see that the VM changed sizes. The page displays the VM size before the change and after the change. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).

+## Retention period

+Activity log events are retained in Azure for *90 days* and then deleted. There's no charge for entries during this time regardless of volume. For more functionality, such as longer retention, create a diagnostic setting and route the entries to another location based on your needs. See the criteria in the preceding section.

+## Activity log insights

+Activity log insights provide you with a set of dashboards that monitor the changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status. This article explains how to onboard and view activity log insights in the Azure portal.

+Azure Monitor stores all activity logs you send to a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) in a table called `AzureActivity`. Before you use activity log insights, you must [enable sending logs to your Log Analytics workspace](./diagnostic-settings.md).

+ Title: Stream Azure activity log data

+description: Send Azure Monitor activity log data to Azure Monitor Logs, Azure Event Hubs, and Azure Storage.

+# Stream Azure Monitor activity log data

+The Azure Monitor activity log is a platform log that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started. You can view the activity log in the Azure portal or retrieve entries with PowerShell and the Azure CLI. This article provides information on how to view the activity log and send it to different destinations.

+### Other methods to retrieve activity log events

+You can also access activity log events by using the following methods:

+- Use the [Get-AzLog](/powershell/module/az.monitor/get-azlog) cmdlet to retrieve the activity log from PowerShell. See [Azure Monitor PowerShell samples](../powershell-samples.md#retrieve-activity-log).

+- Use [az monitor activity-log](/cli/azure/monitor/activity-log) to retrieve the activity log from the CLI. See [Azure Monitor CLI samples](../cli-samples.md#view-activity-log).

+- Use the [Azure Monitor REST API](/rest/api/monitor/) to retrieve the activity log from a REST client.

+-

+-

+ Title: Stream Azure resource log data

+description: Learn how to stream Azure resource logs to a Log Analytics workspace, event hub, or Azure Storage in Azure Monitor.

+# Stream Azure resource log data

+A list of Azure Monitor billing meter names is available [here](../cost-meters.md).

+A list of Azure Monitor billing meter names, including these legacy tiers, is available [here](../cost-meters.md).

+| Activity log | See [activity log](../essentials/activity-log-insights.md#view-the-activity-log) entries filtered for the current virtual machine. Use this log to view the recent activity of the machine, such as any configuration changes and when it was stopped and started.

+| Activity log | See [activity log](../essentials/activity-log-insights.md#view-the-activity-log) entries filtered for all resources. Create a filter for a **Resource Type** of virtual machines or Virtual Machine Scale Sets to view events for all your machines. |

+You can [view the activity log](../essentials/activity-log-insights.md#view-the-activity-log) for an individual machine or for all resources in a subscription. [Create a diagnostic setting](../essentials/diagnostic-settings.md) to send this data into the same Log Analytics workspace used by Azure Monitor Agent to analyze it with the other monitoring data collected for the virtual machine. There's no cost for ingestion or retention of activity log data.

+* Korea South

+* UK West

+To view notifications from previous sessions, look for events in the Activity log. For more information, see [View the Activity log](../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log).

+`az rest --method delete --url` [URL](https://management.azure.com/subscriptions/%3Csubscrption-id%3E/resourcegroups/%3Cresource-group-name%3E/providers/Microsoft.AVS/privateClouds/%3Cprivate-cloud-name%3E/addons/arc?api-version=2022-05-01%22)

+3. To assign the *Storage Blob Data Contributor* role to the extension identity, run the following command:

+ az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name aksclustername --resource-group aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Blob Data Contributor' --scope /subscriptions/subscriptionid/resourceGroups/storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/storageaccountname

+**Cause**: The Backup extension should have the *Storage Blob Data Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned.

+**Cause**: During extension installation, a Backup Storage Location is to be provided as input that includes a storage account and blob container. The Backup extension should have *Storage Blob Data Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned.

+* **Backup Contributor**: To create and manage backups, except deleting Recovery Services vault and giving access to others

+* **Backup Operator**: Everything a contributor does except removing backup and managing backup policies

+* **Backup Reader**: permissions to view all backup management operations

+With Azure Backup, which includes virtual machine backup and SQL and SAP HANA in VM backup, the backup data is stored in Azure storage and the guest has no direct access to backup storage or its contents. With the virtual machine backup, the backup snapshot creation and storage are done by Azure fabric where the guest has no involvement other than quiescing the workload for application consistent backups. With SQL and SAP HANA, the backup extension gets temporary access to write to specific blobs. In this way, even in a compromised environment, existing backups can't be tampered with or deleted by the guest.

+* Backup data is automatically encrypted using [platform-managed keys](backup-encryption.md), and you don't need to take any explicit action to enable it. You can also encrypt your backed-up data using [customer managed keys](encryption-at-rest-with-cmk.md) stored in the Azure Key Vault. It applies to all workloads being backed up to your Recovery Services vault.

+## Security posture and security levels

+Azure Backup provides security features at the vault level to safeguard backup data stored in it. These security measures encompass the settings associated with the Azure Backup solution for the vaults, and the protected data sources contained in the vaults.

+Security levels for Azure Backup vaults are categorized as follows:

+- **Excellent (Maximum)**: This level represents the highest security, which ensures comprehensive protection. You can achieve this when all backup data is protected from accidental deletions and defends from ransomware attacks. To achieve this high level of security, the following conditions must be met:

+ - [Immutability](backup-azure-immutable-vault-concept.md) or [soft-delete](backup-azure-security-feature-cloud.md) vault setting must be enabled and irreversible (locked/always-on).

+ - [Multi-user authorization (MUA)](multi-user-authorization-concept.md) must be enabled on the vault.

+- **Good (Adequate)**: This signifies a robust security level, which ensures dependable data protection. It shields existing backups from unintended removal and enhances the potential for data recovery. To attain this level of security, you must enable either immutability with a lock or soft-delete.

+- **Fair (Minimum/Average)**: This represents a basic level of security, appropriate for standard protection requirements. Essential backup operations benefit from an extra layer of protection. To attain minimal security, you must enable Multi-user Authorization (MUA) on the vault.

+- **Poor (Bad/None)**: This indicates a deficiency in security measures, which is less suitable for data protection. In this level, neither advanced protective features nor solely reversible capabilities are in place. The None level security gives protection primarily from accidental deletions only.

+You can [view and manage the security levels across all datasources in their respective vaults through Azure Business Continuity Center](../business-continuity-center/security-levels-concept.md).

+# Replicate a DNS outage by using the NSG fault

+This article walks you through creating a chaos experiment that blocks all traffic to external (internet) DNS servers for 15 minutes. You can validate that resources connected to the Azure virtual network associated with the target NSG don't have a dependency on external DNS servers. In this way, you can validate one of the risk-threat model requirements.

+ Title: Quickstart - Integrate Azure OpenAI with Job Router

+description: In this quickstart, you learn how to integrate Azure OpenAI with ACS Job Router using an Azure Function App to match workers to jobs based on worker's performance.

+# Quick Start: Integrating Azure OpenAI with ACS Job Router

+Integrate ACS Job Router with Azure OpenAI. Use Azure OpenAI to pair your jobs to agents.

+### Prerequisites

+- Create an Azure OpenAI resource. [Setup Guide](../../../ai-services/openai/how-to/create-resource.md)

+- Create an Azure Communication Services resource. [Setup Guide](../create-communication-resource.md)

+- Clone the GitHub solution. [Integrating Azure OpenAI with ACS Job Router](https://github.com/Azure-Samples/communication-services-dotnet-quickstarts/tree/main/JobRouterOpenAIIntegration)

+- Visual Studio Code Installed. [Visual Studio Code](https://code.visualstudio.com/)

+- Azure Functions Extension for Visual Studio Code. [Azure Function Extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions)

+### Overview

+This quick start demonstrates how to integrate Azure OpenAI with ACS Job Router to intelligently choose the best-suited worker based on performance indicators for an incoming job.

+### Console application

+- Manages ACS resources including policies and queues.

+- Simulates job queuing and allocation.

+### Azure Function project

+- Hosts API for Azure OpenAI integration.

+- Manages worker scoring and job labels.

+#### This guide covers two main projects:

+- A .NET console application to interact with ACS Job Router.

+- An Azure Function project for OpenAI integration with ACS Job Router.

+

+#### The console application is set up to provision the following ACS resources:

+- A distribution policy that lets ACS Job Router understand how to generate offers for workers. This application is configured to provision a Best-Worker mode distribution policy that uses a Function Router Rule for scoring workers.

+- A queue with the best-worker mode distribution policy attached.

+- Five workers that are registered to a queue with three chosen performance indicator values populated as labels.

+- Creates a Job in ACS Job Router and lets the user know which worker Azure OpenAI scored the highest based on the performance indicator labels.

+ :::image type="content" source="./media/overview-sequence-diagram.png" lightbox="./media/overview-sequence-diagram-expanded.png" alt-text="Screenshot of Job Router with Azure OpenAI integration SequenceDiagram.":::

+

+#### The Azure Function project is set up to interact with a deployed Azure OpenAI model:

+- The Azure function receives a request from ACS Job Router with a payload containing the worker's labels (performance indicators).

+- The Azure function extracts those values from the request.

+- The Azure function was preconfigured with a prompt to explain to the Azure OpenAI model how to interpret each one of these performance indicators and to ask Azure OpenAI to score each worker based on these values to find the most suitable agent for a new job.

+ > [!NOTE]

+ > The prompt can be updated for any desired outcome. For example, you could modify the prompt to weigh the Average Handling Time as the most important data point or ask the model to optimize for customer satisfaction.

+- The Azure Function sends a request with the configured prompts and worker performance indicators, and Azure OpenAI responds back with a JSON Object containing the scores generated by Azure OpenAI.

+- The Azure Function then sends these scores back to ACS Job Router.

+- ACS Job Router then sends an offer to the worker that was scored the highest by Azure OpenAI.

+## Performance indicators used in this project

+In this guide, we've chosen three performance indicators based on typical contact center performance data points.

+Workers are evaluated based on:

+- **CSAT**: Customer satisfaction.

+- **Outcome**: Issue resolution rate.

+- **AHT**: Average handling time.

+## Understanding ACS Job Router

+- Learn about ACS Job Router. [Job Router Concepts](../../concepts/router/concepts.md)

+- Configure the BestWorker Distribution Policy using an Azure Function Scoring Rule. [Customize Worker Scoring](../../how-tos/router-sdk/customize-worker-scoring.md)

+## Understanding Azure Function deployments

+- Learn about Azure Function Deployments. [Azure Function Deployments](../../../azure-functions/functions-deployment-technologies.md)

+## Understanding Azure OpenAI prompts

+- Learn about Azure OpenAI prompt Engineering Techniques. [Prompt Engineering Techniques](../../../ai-services/openai/concepts/advanced-prompt-engineering.md)

+## Deployment and execution

+1. Open the OpenAiScoringFunction project in Visual Studio Code with the Azure Function Extension installed. Select 'Create Function App in Azure...'

+ :::image type="content" source="./media/create-azure-function-from-code.png" alt-text="Screenshot of CreateFunctionApp in VS Code.":::

+2. After selecting your Subscription, enter a unique name for your function app.

+ :::image type="content" source="./media/function-select-subscription.png" alt-text="Screenshot of selecting subscription in VS Code.":::

+3. Once your Function App is created, right-click on your App and select 'Deploy Function App...'

+4. Open the Azure portal and go to your Azure OpenAI resource, then go to Azure AI Studio. From here, navigate to the Deployments tab and select "+ Create new deployment"

+ - a. Select a model that can perform completions

+ [Azure OpenAI Service models](../../../ai-services/openai/concepts/models.md)

+ - b. Give your model a Deployment name and select ΓÇ£CreateΓÇ¥

+ :::image type="content" source="./media/azure-openai-model-creation.png" alt-text="Screenshot of creating azure OpenAI model.":::

+5. Once your Azure OpenAI Model is created, copy down the 'Endpoint', 'Keys', and 'Region'

+ :::image type="content" source="./media/azure-openai-keys-and-endpoints.png" alt-text="Screenshot of key and endpoint page for Azure OpenAI.":::

+6. In the Azure portal, navigate to your newly created Function App Environmental Variables blade and create the following variables:

+ :::image type="content" source="./media/azure-function-environment-settings.png" alt-text="Screenshot of Azure function environment settings example.":::

+| Name | Value | Description |

+|--||--|

+| OpenAIBaseURI | {Endpoint} | Endpoint URI from OpenAI Resource |

+| OpenAIAPIKey | {Key} | Key from OpenAI Resource |

+| DeploymentName | {DeploymentName} | Deployment Name from OpenAI Resource |

+| Preprompt | You're helping pair a customer with an agent in a contact center. You'll evaluate the best available agent based on their performance indicators below. CSAT holds the average customer satisfaction score between 1 and 3, higher is better. Outcome is a score between 0 and 1, higher is better. AHT is average handling time, lower is better. If AHT provided is 00:00, please ignore it in the scoring.| Prompt containing preprocessing instructions for the Azure OpenAI model |

+| Postprompt | Respond with only a json object with agent ID as the key, and scores based on suitability for this customer as the value in a range of 0 to 1. Don't include any other information.| Prompt containing postprocessing instructions for the Azure OpenAI model |

+| DefaultCSAT | 1.5 | Default CSAT score for workers missing this label |

+| DefaultOutcome | 0.5 | Default Outcome score for workers missing this label |

+| DefaultAHT | 10:00 | Default AHT for workers missing this label |

+7. On the Overview blade of your function app, copy the function URL. On the Functions --> Keys blade of your function app, copy the master or default key.

+8. Navigate to your ACS resource and copy down your connection string.

+9. Open the JR_AOAI_Integration Console application and open the `appsettings.json` file to update the following config settings.

+ :::image type="content" source="./media/appsettings-configuration.png" alt-text="Screenshot of AppSettings.":::

+10. Run the application and follow the on-screen instructions to Create a Job.

+## Experimentation

+Various experiments can be conducted within this project, such as:

+- Experimenting with the PrePrompt string (in the Environment Variables of the Azure Function) to further tune scores provided by Azure OpenAI.

+- Add other performance indicator labels to workers, updating the OpenAiScorer class in the OpenAIScorerFunction project to account for new labels and updating the prompts, default performance indicators in the Environment Variables of your function, and add the new performance indicators into the `appSettings.json` file under each worker.

+- Implement logic to update the values of the performance indicator labels as jobs are completed by each worker. This could be by adding persistence or a cache to your application to store these values. Labels are routable attributes in Job Router. If a worker's labels are updated, any offers issued for that worker will be revoked. Consider updating labels at a point when the worker isn't expecting offers (AvailableForOffers ΓÇô false, or when the workerΓÇÖs capacity is consumed).

+Azure AI-powered Call Automation API actions are now generally available for developers who want to create enhanced calling workflows using Azure AI Speech-to-Text, Text-to-Speech and other language understanding engines. These actions allow developers to play dynamic audio prompts and recognize voice input from callers, enabling natural conversational experiences and more efficient task handling. Developers can use these actions with any of the four major SDKs - .NET, Java, JavaScript and Python - and integrate them with their Azure OpenAI solutions to create virtual assistants that go beyond simple IVRs. You can learn more about this release and its capabilities from the Microsoft Ignite 2023 announcements blog and on-demand session.

+If you use the Service Bus managed connector, you need this endpoint URL if you select either authentication type for **Microsoft Entra integrated** or **Logic Apps Managed Identity**. The endpoint URL starts with the **sb://** prefix.

+ * Review the Databricks runtime version, the Spark version. Then find the [maven coordinates](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector-assembly) that are compatible with the Cassandra Spark connector, and attach it to the cluster. See ["Upload a Maven package or Spark package"](/azure/databricks/libraries/) article to attach the connector library to the cluster. We recommend selecting Databricks runtime version 10.4 LTS, which supports Spark 3.2.1. To add the Apache Spark Cassandra Connector, your cluster, select **Libraries** > **Install New** > **Maven**, and then add `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0` in Maven coordinates. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.

+using Microsoft.Azure.Cosmos;

+If you have permission to view a resource, you should be able to access its audit logs. Review the logs to find the user who was responsible for the most recent changes to a resource. To learn more, see [View and retrieve Azure Activity log events](../../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log).

+## Support for Resource type in AWS and GCP

+For multicloud support of resource types (or services) in our foundational multicloud CSPM tier, see the [table of multicloud resource and service types for AWS and GCP](multicloud-resource-types-support-foundational-cspm.md).

+- Wildcards can only be used in the last segment of a path, such as `C:\folder\file` or `/etc/*.conf`

+ ```kusto

+ ```kusto

+In this article, you learned about File Integrity Monitoring (FIM) in Defender for Cloud.

+- [Enable File Integrity Monitoring when using the Log Analytics agent](file-integrity-monitoring-enable-log-analytics.md)

+description: Learn how to configure the Microsoft Security DevOps GitHub action to enhance your project's security and DevOps processes.

+## Related content

+ Title: Drive remediation of recommendations with governance rules

+- For AWS accounts and GCP projects, you need **Contributor**, **Security Admin**, or **Owner** permissions on the Defender for Cloud AWS or GCP connectors.

+ - **By specific recommendations** - Select the specific built-in or custom recommendations that the rule applies to.

+## Next step

+description: How to protect your Docker hosts and verify they're compliant with the CIS Docker benchmark with Microsoft Defender for Cloud.

+ The recommendation page shows the affected resources (Docker hosts).

+ > Machines that aren't running Docker will be shown in the **Not applicable resources** tab. They'll appear in Azure Policy as Compliant.

+1. To view and remediate the CIS controls that a specific host failed, select the host you want to investigate.

+## Next step

+Docker hardening is just one aspect of Defender for Cloud's container security features.

+ Title: Supported resource and service types for multicloud in Foundational CSPM

+description: Learn more about the supported resource and service types for multicloud in Microsoft Defender for Cloud's Foundational CSPM.

+# Supported resource and service types for multicloud in foundational CSPM

+ This page lists the resource and service types that are supported for Amazon Web Services (AWS) and Google Cloud Platform (GCP) in Defender for CloudΓÇÖs foundational Cloud Security Posture Management (CSPM) tier.

+## Resource types supported in AWS

+| Provider Namespace | Resource Type Name |

+|-|-|

+| AccessAnalyzer | AnalyzerSummary |

+| ApiGateway | Stage |

+| AppSync | GraphqlApi |

+| ApplicationAutoScaling | ScalableTarget |

+| AutoScaling | AutoScalingGroup |

+| AWS | Account |

+| AWS | AccountInRegion |

+| CertificateManager | CertificateTags |

+| CertificateManager | CertificateDetail |

+| CertificateManager | CertificateSummary |

+| CloudFormation | StackSummary |

+| CloudFormation | StackTemplate |

+| CloudFormation | StackInstanceSummary |

+| CloudFormation | Stack |

+| CloudFormation | StackResourceSummary |

+| CloudFront | DistributionConfig |

+| CloudFront | DistributionSummary |

+| CloudFront | DistributionTags |

+| CloudTrail | EventSelector |

+| CloudTrail | Trail |

+| CloudTrail | TrailStatus |

+| CloudTrail | TrailTags |

+| CloudWatch | MetricAlarm |

+| CloudWatch | MetricAlarmTags |

+| CloudWatchLogs | LogGroup |

+| CloudWatchLogs | MetricFilter |

+| CodeBuild | Project |

+| CodeBuild | ProjectName |

+| CodeBuild | SourceCredentialsInfo |

+| ConfigService | ConfigurationRecorder |

+| ConfigService | ConfigurationRecorderStatus |

+| ConfigService | DeliveryChannel |

+| DAX | Cluster |

+| DAX | ClusterTags |

+| DatabaseMigrationService | ReplicationInstance |

+| DynamoDB | ContinuousBackupsDescription |

+| DynamoDB | TableDescription |

+| DynamoDB | TableTags |

+| DynamoDB | TableName |

+| EC2 | Snapshot |

+| EC2 | Subnet |

+| EC2 | Volume |

+| EC2 | VPC |

+| EC2 | VpcEndpoint |

+| EC2 | VpcPeeringConnection |

+| EC2 | Instance |

+| EC2 | AccountAttribute |

+| EC2 | Address |

+| EC2 | CreateVolumePermission |

+| EC2 | EbsEncryptionByDefault |

+| EC2 | FlowLog |

+| EC2 | Image |

+| EC2 | InstanceStatus |

+| EC2 | InstanceTypeInfo |

+| EC2 | NetworkAcl |

+| EC2 | NetworkInterface |

+| EC2 | Region |

+| EC2 | Reservation |

+| EC2 | RouteTable |

+| EC2 | SecurityGroup |

+| ECR | Image |

+| ECR | Repository |

+| ECR | RepositoryPolicy |

+| ECS | TaskDefinition |

+| ECS | ServiceArn |

+| ECS | Service |

+| ECS | ClusterArn |

+| ECS | TaskDefinitionTags |

+| ECS | TaskDefinitionArn |

+| EFS | FileSystemDescription |

+| EFS | MountTargetDescription |

+| EKS | Cluster |

+| EKS | Nodegroup |

+| EKS | NodegroupName |

+| EKS | ClusterName |

+| EMR | Cluster |

+| ElasticBeanstalk | ConfigurationSettingsDescription |

+| ElasticBeanstalk | EnvironmentDescription |

+| ElasticLoadBalancing | LoadBalancerTags |

+| ElasticLoadBalancing | LoadBalancer |

+| ElasticLoadBalancing | LoadBalancerAttributes |

+| ElasticLoadBalancing | LoadBalancerPolicy |

+| ElasticLoadBalancingV2 | LoadBalancerTags |

+| ElasticLoadBalancingV2 | Rule |

+| ElasticLoadBalancingV2 | TargetGroup |

+| ElasticLoadBalancingV2 | TargetHealthDescription |

+| ElasticLoadBalancingV2 | LoadBalancer |

+| ElasticLoadBalancingV2 | Listener |

+| ElasticLoadBalancingV2 | LoadBalancerAttribute |

+| Elasticsearch | DomainInfo |

+| Elasticsearch | DomainStatus |

+| Elasticsearch | DomainTags |

+| GuardDuty | DetectorId |

+| Iam | AccountAlias |

+| Iam | AttachedPolicyType |

+| Iam | CredentialReport |

+| Iam | Group |

+| Iam | InstanceProfile |

+| Iam | MFADevice |

+| Iam | PasswordPolicy |

+| Iam | ServerCertificateMetadata |

+| Iam | SummaryMap |

+| Iam | User |

+| Iam | UserPolicies |

+| Iam | VirtualMFADevice |

+| Iam | ManagedPolicy |

+| Iam | ManagedPolicy |

+| Iam | AccessKeyLastUsed |

+| Iam | AccessKeyMetadata |

+| Iam | PolicyVersion |

+| Iam | PolicyVersion |

+| Internal | Iam_EntitiesForPolicy |

+| Internal | Iam_EntitiesForPolicy |

+| Internal | AwsSecurityConnector |

+| KMS | KeyPolicyName |

+| KMS | KeyRotationStatus |

+| KMS | KeyTags |

+| KMS | KeyPolicy |

+| KMS | KeyMetadata |

+| KMS | KeyListEntry |

+| KMS| AliasListEntry |

+| Lambda | FunctionCodeLocation |

+| Lambda | FunctionConfiguration|

+| Lambda | FunctionPolicy |

+| Lambda | FunctionTags |

+| Macie2 | JobSummary |

+| Macie2 | MacieStatus |

+| NetworkFirewall | Firewall |

+| NetworkFirewall | FirewallMetadata |

+| NetworkFirewall | FirewallPolicy |

+| NetworkFirewall | FirewallPolicyMetadata |

+| NetworkFirewall | RuleGroup |

+| NetworkFirewall | RuleGroupMetadata |

+| RDS | ExportTask |

+| RDS | DBClusterSnapshot |

+| RDS | DBSnapshot |

+| RDS | DBSnapshotAttributesResult |

+| RDS | EventSubscription |

+| RDS | DBCluster |

+| RDS | DBInstance |

+| RDS | DBClusterSnapshotAttributesResult |

+| RedShift | LoggingStatus |

+| RedShift | Parameter |

+| Redshift | Cluster |

+| Route53 | HostedZone |

+| Route53 | ResourceRecordSet |

+| Route53Domains | DomainSummary |

+| S3 | S3Region |

+| S3 | S3BucketTags |

+| S3 | S3Bucket |

+| S3 | BucketPolicy |

+| S3 | BucketEncryption |

+| S3 | BucketPublicAccessBlockConfiguration |

+| S3 | BucketVersioning |

+| S3 | LifecycleConfiguration |

+| S3 | PolicyStatus |

+| S3 | ReplicationConfiguration |

+| S3 | S3AccessControlList |

+| S3 | S3BucketLoggingConfig |

+| S3Control | PublicAccessBlockConfiguration |

+| SNS | Subscription |

+| SNS | Topic |

+| SNS | TopicAttributes |

+| SNS | TopicTags |

+| SQS | Queue |

+| SQS | QueueAttributes |

+| SQS | QueueTags |

+| SageMaker | NotebookInstanceSummary |

+| SageMaker | DescribeNotebookInstanceTags |

+| SageMaker | DescribeNotebookInstanceResponse |

+| SecretsManager | SecretResourcePolicy |

+| SecretsManager | SecretListEntry |

+| SecretsManager | DescribeSecretResponse |

+| SimpleSystemsManagement | ParameterMetadata |

+| SimpleSystemsManagement | ParameterTags |

+| SimpleSystemsManagement | ResourceComplianceSummary |

+| SimpleSystemsManagement | InstanceInformation |

+| WAF | LoggingConfiguration |

+| WAF | WebACL |

+| WAF | WebACLSummary |

+| WAFV2 | ApplicationLoadBalancerForWebACL |

+| WAFV2 | WebACLSummary |

+## Resource types supported in GCP

+| Provider Namespace | Resource Type Name |

+|-|-|

+| ApiKeys | Key |

+| ArtifactRegistry | Image |

+| ArtifactRegistry | Repository |

+| ArtifactRegistry | RepositoryPolicy |

+| Bigquery | Dataset |

+| Bigquery | DatasetData |

+| Bigquery | Table |

+| Bigquery | TablePolicy |

+| Bigquery | TablesData |

+| CloudKMS | CryptoKey |

+| CloudKMS | CryptoKeyPolicy |

+| CloudKMS | KeyRing |

+| CloudKMS | KeyRingPolicy |

+| CloudResourceManager | Project |

+| CloudResourceManager | Ancestor |

+| CloudResourceManager | AncestorPolicy |

+| CloudResourceManager | EffectiveOrgPolicy |

+| CloudResourceManager | Folder |

+| CloudResourceManager | FolderPolicy |

+| CloudResourceManager | Organization |

+| CloudResourceManager | OrganizationPolicy |

+| CloudResourceManager | Policy |

+| Compute | Instance |

+| Compute | BackendService |

+| Compute | BackendService |

+| Compute | Disk |

+| Compute | EffectiveFirewalls |

+| Compute | Firewall |

+| Compute | ForwardingRule |

+| Compute | GlobalForwardingRule |

+| Compute | InstanceGroup |

+| Compute | InstanceGroupInstance |

+| Compute | InstanceGroupManager |

+| Compute | InstanceGroupManager |

+| Compute | InstanceTemplate |

+| Compute | MachineType |

+| Compute | ManagedInstance |

+| Compute | ManagedInstance |

+| Compute | Network |

+| Compute | NetworkEffectiveFirewalls |

+| Compute | Project |

+| Compute | SslPolicy |

+| Compute | Subnetwork |

+| Compute | TargetHttpProxy |

+| Compute | TargetHttpsProxy |

+| Compute | TargetPool |

+| Compute | TargetSslProxy |

+| Compute | TargetTcpProxy |

+| Compute | UrlMap |

+| Container | Cluster |

+| Dns | ManagedZone |

+| Dns | Policy |

+| IAM | OrganizationRole |

+| IAM | ProjectRole |

+| IAM | Role |

+| IAM | ServiceAccount |

+| IAM | ServiceAccountKey |

+| Internal | GcpSecurityConnector |

+| Logging | AncestorLogSink |

+| Logging | LogEntry |

+| Logging | LogMetric |

+| Logging | LogSink |

+| Monitoring | AlertPolicy |

+| OsConfig | OSPolicyAssignment |

+| OsConfig | OSPolicyAssignmentReport |

+| SQLAdmin | DatabaseInstance |

+| SecretManager | Secret |

+| SecretManager | SecretPolicy |

+| Storage | Bucket |

+| Storage | BucketPolicy |

+## Learn More

+- Review the [features supported in Azure cloud environments](support-matrix-cloud-environment.md) for information on commercial and national cloud coverage.

+- Watch [Predict future security incidents! Cloud Security Posture Management with Microsoft Defender](https://www.youtube.com/watch?v=jF3NSR_OepI).

+- Learn about [security standards and recommendations](security-policy-concept.md).

+- Learn about [secure score](secure-score-security-controls.md).

+This article describes how to configure your OT sensors for health monitoring via an authorized SNMP monitoring server. SNMP queries are polled up to 50 times a second, using UDP over port 161.

+Setup for SNMP monitoring includes configuring settings on your OT sensor and on your SNMP server. To define Defender for IoT sensors on your SNMP server, either define your settings manually or use a predefined SNMP MIB file downloaded from the Azure portal.

+To download a predefined SNMP MIB file from the Azure portal, you need access to the Azure portal as a [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) user. For more information, see [Azure user roles and permissions for Defender for IoT](roles-azure.md).

+Defender for IoT in the Azure portal provides a downloadable MIB file for you to load into your SNMP monitoring system to predefine Defender for IoT sensors.

+| **sysDescr** | 1.3.6.1.2.1.1.1 | DISPLAYSTRING | Returns ```Microsoft Defender for IoT``` |

+| **Platform** | 1.3.6.1.2.1.1.1.0 | STRING | Sensor or on-premises management console |

+| **sysObjectID** | 1.3.6.1.2.1.1.2 | DISPLAYSTRING | Returns the private MIB allocation, for example ```1.3.6.1.4.1.53313.1.1``` is the private OID root for 1.3.6.1.4.1.53313 |

+| **sysUpTime** | 1.3.6.1.2.1.1.3 | DISPLAYSTRING | Returns the sensor uptime in hundredths of a second |

+| **sysContact** | 1.3.6.1.2.1.1.4 | DISPLAYSTRING | Returns the textual name of the admin user for this sensor |

+| **Vendor** | 1.3.6.1.2.1.1.4.0 | STRING | Microsoft Support (support.microsoft.com) |

+| **sysName** | 1.3.6.1.2.1.1.5 | DISPLAYSTRING | Returns the appliance name |

+| **sysLocation** | 1.3.6.1.2.1.1.6 | DISPLAYSTRING | Returns the default location Portal.azure.com |

+| **sysServices** | 1.3.6.1.2.1.1.7 | INTEGER | Returns a value indicating the service this entity offers, for example, ```7``` signifies ΓÇ£applicationsΓÇ¥ |

+| **ifIndex** | 1.3.6.1.2.1.2.2.1.1 | GAUGE32 | Returns the sequential ID numbers for each network card |

+| **ifDescription** | 1.3.6.1.2.1.2.2.1.2 | DISPLAYSTRING | Returns a string of the hardware description for each network interface card |

+| **ifType** | 1.3.6.1.2.1.2.2.1.3 | INTEGER | Returns the type of network adapter, for example ```1.3.6.1.2.1.2.2.1.3.117``` signifies Gigabit Ethernet |

+| **ifMtu** | 1.3.6.1.2.1.2.2.1.4 | GAUGE32 | Returns the MTU value for this network adapter. **Note** monitoring interfaces don't show an MTU value |

+| **ifspeed** | 1.3.6.1.2.1.2.2.1.5 | GAUGE32 | Returns the interface speed for this network adapter |

+| **Service Status** | 1.3.6.1.4.1.53313.5 |STRING | Online or offline if one of the four crucial components has failed |

+- Hardware-related MIBs (CPU usage, CPU temperature, memory usage, disk usage) should be tested on all architectures and physical sensors. CPU temperature on virtual machines is expected to be non applicable.

+| **OT networks** | **Version 24.1.0**:<br>- [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols)<br><br>**Cloud features**<br>- [New license renewal reminder in the Azure portal](#new-license-renewal-reminder-in-the-azure-portal) <br><br>- [New fields for SNMP MIB OIDs](#new-fields-for-snmp-mib-oids)|

+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance.

+When the license for one or more of your OT sites is about to expire, a note is visible at the top of Defender for IoT in the Azure portal, reminding you to renew your licenses. To continue to get security value from Defender for IoT, select the link in the note to renew the relevant licenses in the Microsoft 365 admin center. Learn more about [Defender for IoT billing](billing.md).

+### New fields for SNMP MIB OIDs

+Additional standard, generic fields have been added to the SNMP MiB OIDs. For the full list of fields, see [OT sensor OIDs for manual SNMP configurations](how-to-set-up-snmp-mib-monitoring.md#ot-sensor-oids-for-manual-snmp-configurations).

+If your DMS service failed with "Error: Service name 'x_y_z' is not valid", then you need to follow the Azure Database Migration Service Naming Rules. As Azure Database Migration Service uses Azure Data factory for its compute, it follows the exact same naming rules as mentioned [here](../data-factory/naming-rules.md).

+ **Maximum Resiliency (Recommended)** - This option provides the highest level of resiliency for your ExpressRoute circuit. It provides two ExpressRoute circuits with local redundancy in two different ExpressRoute locations.

+ > [!NOTE]

+ > Provides maximum protection against location wide outages and connectivity failures in an ExpressRoute location. This option is strongly recommended for mission-critical and production workloads.

+ > [!NOTE]

+ > Doesn't provide protection against location wide outages. This option is recommended for non-critical and non-production workloads.

+

+ **Maximum resiliency (Recommended)** - This option provides the highest level of resiliency to your virtual network. It provides two redundant connections from the virtual network gateway to two different ExpressRoute circuits in different ExpressRoute locations.

+ > [!NOTE]

+ > Provides maximum protection against location wide outages and connectivity failures in an ExpressRoute location. This option is strongly recommended for mission-critical and production workloads.

+ > [!NOTE]

+ > Doesn't provide protection against location wide outages. This option is recommended for non-critical and non-production workloads.

+[Activity log](../../../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log). Use this

+## Load times

+The load time for ARG queries in Power BI is contingent on the query response size. Larger query results might lead to extended load times.

+- **Verify permissions**: Confirm that your [Azure role-based access control (Azure RBAC) permissions](../../../role-based-access-control/overview.md) are accurate, as the results of the queries are subject to Azure RBAC. Ensure you have at least read access to the resources you want to query. Queries don't return results without adequate permissions to the Azure object or object group.

+- **Check for comments**: Review your query and remove any comments (`//`) because Power BI doesn't support Kusto comments.

+| Scope check | If you're querying at the tenant scope, ensure the subscription ID and management group ID fields are empty. <br> <br> If you have inputs in the subscriptions ID or management group ID fields that you want to filter for, select either subscription or management group from the drop-down scope field. |

+> There is no time-based expiration for history/soft delete data. The only way to remove history/soft deleted data is with a hard delete or the purge history operation.\

+## Batch Bundles

+In FHIR, bundles can be considered as a container that holds multiple resources. Batch bundles enable users to submit a set of actions to be performed on a server in single HTTP request/response.

+A batch bundle interaction with FHIR service is performed with HTTP POST command at base URL.

+```rest

+POST {{fhir_url}}

+{

+ "resourceType": "Bundle",

+ "type": "batch",

+ "entry": [

+ {

+ "resource": {

+ "resourceType": "Patient",

+ "id": "patient-1",

+ "name": [

+ {

+ "given": ["Alice"],

+ "family": "Smith"

+ }

+ ],

+ "gender": "female",

+ "birthDate": "1990-05-15"

+ },

+ "request": {

+ "method": "POST",

+ "url": "Patient"

+ }

+ },

+ {

+ "resource": {

+ "resourceType": "Patient",

+ "id": "patient-2",

+ "name": [

+ {

+ "given": ["Bob"],

+ "family": "Johnson"

+ }

+ ],

+ "gender": "male",

+ "birthDate": "1985-08-23"

+ },

+ "request": {

+ "method": "POST",

+ "url": "Patient"

+ }

+ }

+ }

+ ]

+}

+```

+In the case of a batch, each entry is treated as an individual interaction or operation.

+> [!NOTE]

+> For batch bundles there should be no interdependencies between different entries in FHIR bundle. The success or failure of one entry should not impact the success or failure of another entry.

+### Batch bundle parallel processing in public preview

+Currently batch bundles are executed serially in FHIR service. To improve performance and throughput, we're enabling parallel processing of batch bundles in public preview.

+To use the capability of parallel batch bundle processing-

+* Set header ΓÇ£x-bundle-processing-logicΓÇ¥ value to ΓÇ£parallelΓÇ¥.

+* Ensure there's no overlapping resource ID that is executing on DELETE, POST, PUT or PATCH operations in the same bundle.

+> [!IMPORTANT]

+> Bundle parallel processing is currently in public preview. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review Supplemental Terms of Use for Microsoft Azure Previews

+1. Conditional interactions can be complex and performance-intensive. To enhance the latency of queries involving conditional interactions, you have the option to utilize the request header **x-conditionalquery-processing-logic** . Setting this header to **parallel** allows concurrent execution of queries with conditional interactions.

+2. **x-ms-query-latency-over-efficiency** header value when set to "true", all queries are executed using maximum supported parallelism, which forces the scan of physical partitions to be executed concurrently. This feature was designed for accounts with a high number of physical partitions which queries can take longer due to the number of physical segments that need to be scanned.

+This table shows the difference between import modes

+|Areas|Initial mode |Incremental mode |

+|:- |:-|:--|

+|Capability|Initial load of data into FHIR service|Continuous ingestion of data into FHIR service (Incremental or Near Real Time).|

+|Concurrent API calls|Blocks concurrent write operations|Data can be ingested concurrently while executing API CRUD operations on the FHIR server.|

+|Ingestion of versioned resources|Not supported|Enables ingestion of multiple versions of FHIR resources in single batch while maintaining resource history.|

+|Retain lastUpdated field value|Not supported|Retain the lastUpdated field value in FHIR resources during the ingestion process.|

+|Billing| Does not incur any charge|Incurs charges based on successfully ingested resources. Charges are incurred per API pricing.|

+objectid=$(az ad app show --id $clientid --query Id --output tsv)

+If the Azure account executing the `az iot ops init` command doesn't have permissions to query the Microsoft Graph and create service principals, you can prepare these upfront and use extra arguments when running the CLI command as described in [Deploy Azure IoT Operations extensions](./howto-deploy-iot-operations.md?tabs=cli).

+First, register an application with Microsoft Entra ID:

+ When your application is created, you're directed to its resource page.

+Next, give your application permissions for key vault:

+Create a client secret that will be added to your Kubernetes cluster to authenticate to your key vault:

+Retrieve the service principal Object ID:

+1. On the **Overview** page for your app, under the section **Essentials**, click on the **Application name** link under **Managed application in local directory**. This opens the Enterprise Application properties. Copy the Object ID to use when you run `az iot ops init`.

+You'll need the Key Vault resource ID when you run `az iot ops init`. To retrieve the resource ID, run:

+### Set service principal access policy in Azure Key Vault

+When following the guide [Deploy Azure IoT Operations extensions](./howto-deploy-iot-operations.md?tabs=cli), you'll need to pass in additional flags to the `az iot ops init` command in order to use the pre-configured service principal and key vault.

+The CSI driver updates secrets by using a polling interval, therefore the new secret isn't available to the pod until the next polling interval. To update a component immediately, restart the pods for the component. For example, to restart the Data Processor component, run the following commands:

+```console

+kubectl delete pod aio-dp-reader-worker-0 -n azure-iot-operations

+kubectl delete pod aio-dp-runner-worker-0 -n azure-iot-operations

+```

+To access the lakehouse from a Data Processor pipeline, you need to enable your cluster to access the service principal details you created earlier. You need to configure your Azure Key Vault with the service principal details so that the cluster can retrieve them.

+To access the Azure Data Explorer database from a Data Processor pipeline, you need to enable your cluster to access the service principal details you created earlier. You need to configure your Azure Key Vault with the service principal details so that the cluster can retrieve them.

+To access the lakehouse from a Data Processor pipeline, you need to enable your cluster to access the service principal details you created earlier. You need to configure your Azure Key Vault with the service principal details so that the cluster can retrieve them.

+### Azure IoT Operations Preview - enabled by Azure Arc

+A unified data plane for the edge. It's a collection of modular, scalable, and highly available data services that run on Azure Arc-enabled edge Kubernetes clusters. It enables data capture from various different systems and integrates with data modeling applications such as Microsoft Fabric to help organizations deploy the industrial metaverse.

+[Learn more](../iot-operations/get-started/overview-iot-operations.md)

+On first mention in an article, use *Azure IoT Operations Preview - enabled by Azure Arc*. On subsequent mentions, you can use *Azure IoT Operations*. Never use an acronym.

+Casing rules: Always capitalize as *Azure IoT Operations Preview - enabled by Azure Arc* or *Azure IoT Operations*.

+Platform services provide all the building blocks for customized and flexible IoT applications. You have more options to choose and code when you connect your devices, and ingest, store, and analyze your data. Azure IoT platform services include Azure IoT Hub, Device Provisioning Service, and Azure Digital Twins. Other platform services that might be part of your IoT solution include Azure Data Explorer, Azure Storage platform, and Azure Functions.

+| Solution can be a single Azure service. | Solution is a collection of Azure services such as Azure IoT Hub, Device Provisioning Service, Azure Digital Twins, Azure Data Explorer, Azure Storage platform, and Azure Functions. |

+There's a wide variety of devices available from different manufacturers to build your solution. For prototyping a microprocessor device, you can use a device such as a [Raspberry Pi](https://www.raspberrypi.org/). The Raspberry Pi lets you attach many different types of sensor. For prototyping a microcontroller device, use devices such as the [ESPRESSIF ESP32](../iot-develop/quickstart-devkit-espressif-esp32-freertos-iot-hub.md), [STMicroelectronics B-U585I-IOT02A Discovery kit](../iot-develop/quickstart-devkit-stm-b-u585i-iot-hub.md), [STMicroelectronics B-L4S5I-IOT01A Discovery kit](../iot-develop/quickstart-devkit-stm-b-l4s5i-iot-hub.md), or [NXP MIMXRT1060-EVK Evaluation kit](../iot-develop/quickstart-devkit-nxp-mimxrt1060-evk-iot-hub.md). These boards typically have built-in sensors, such as temperature and accelerometer sensors.

+The [IoT Device SDKs](../iot-hub/iot-hub-devguide-sdks.md) and IoT Hub support common [communication protocols](../iot-hub/iot-hub-devguide-protocols.md) such as HTTP, MQTT, and AMQP for device-to-cloud and cloud-to-device communication. In some scenarios, you might need a gateway to connect your IoT devices to your cloud services.

+* Might only be reachable through the solution back end.

+* Might have limited power and processing resources.

+* Might have intermittent, slow, or expensive network connectivity.

+* Might need to use proprietary, custom, or industry-specific application protocols.

+* [Device management and control](iot-overview-device-management.md)

+* [Message processing in an IoT solution](iot-overview-message-processing.md)

+* [Extend your IoT solution](iot-overview-solution-extensibility.md)

+* [Analyze and visualize your IoT data](iot-overview-analyze-visualize.md)

+* [Security](iot-overview-security.md) including physical security, authentication, authorization, and encryption.

+## IoT Operations

+_Azure IoT Operations Preview ΓÇô enabled by Azure Arc_ is a unified data plane for the edge. Azure IoT Operations is a set of modular, scalable, and highly available data services that run on Azure Arc-enabled edge Kubernetes clusters. It enables data capture from various different systems and integrates with data modeling applications such as Microsoft Fabric to help organizations deploy the industrial metaverse. To learn more, see [What is Azure IoT Operations?](../iot-operations/get-started/overview-iot-operations.md).

+* [Azure IoT services and technologies](iot-services-and-technologies.md)

+- [Extend Azure IoT Central with custom analytics](../iot-central/core/howto-create-custom-analytics.md).

+[Power BI](/power-bi/fundamentals/power-bi-overview) is a collection of software services, apps, and connectors that work together to turn your unrelated sources of data into coherent, visually immersive, and interactive insights. Power BI lets you easily connect to your data sources, visualize and discover what's important, and share reports with anyone or everyone you want.

+[Azure Maps](../azure-maps/about-azure-maps.md) is a collection of geospatial services and SDKs that use fresh mapping data to provide geographic context to web and mobile applications. For an IoT example, see [Integrate with Azure Maps (Azure Digital Twins)](../digital-twins/how-to-integrate-maps.md).

+Every IoT hub has a unique hostname that you use to connect devices to the hub. The hostname is in the format `iothubname.azure-devices.net`. If you use one of the device SDKs, you don't need to know the full names of the individual endpoints because the SDKs provide higher level abstractions. However, the device does need to know the hostname of the IoT hub to which it's connecting.

+- The device ID registered with the IoT hub.

+## Authentication

+Industrial IoT scenarios often use the [open platform communications unified architecture (OPC UA)](https://opcfoundation.org/about/opc-technologies/opc-u).

+Field gateways (sometimes referred to as edge gateways) are typically deployed on-premises and close to your IoT devices. Field gateways handle communication with the cloud on behalf of your IoT devices. Field gateways can:

+- Filter, compress, or aggregate telemetry before sending it to the cloud.

+A device bridge enables devices that are connected to a non-Microsoft cloud to connect to your IoT solution. Examples of non-Microsoft clouds include [Sigfox](https://www.sigfox.com/), [Particle Device Cloud](https://www.particle.io/), and [The Things Network](https://www.thethingsnetwork.org/).

+The open source IoT Central Device Bridge acts as a translator that forwards telemetry to an IoT Central application. To learn more, see [Azure IoT Central Device Bridge](https://github.com/Azure/iotc-device-bridge). There are non-Microsoft bridge solutions, such as [Tartabit IoT Bridge](/shows/internet-of-things-show/onboarding-constrained-devices-into-azure-using-tartabits-iot-bridge), for connecting devices to an IoT hub.

+Now that you've seen an overview of device connectivity in Azure IoT solutions, some suggested next steps include:

+- Enables the device to keep functioning while disconnected from the cloud.

+- [Azure RTOS Middleware](https://github.com/eclipse-threadx)

+Although you're recommended to use one of the device SDKS, there might be scenarios where you prefer not to. In these scenarios, your device code must directly use one of the communication protocols that IoT Hub and the Device Provisioning Service (DPS) support.

+- *Properties* that represent the read-only or writable state of a device or other entity. For example, a device serial number might be a read-only property and a target temperature on a thermostat might be a writable property.

+If you use containers, such as in Docker, to run your device code you can deploy code to your devices by using the capabilities of the container infrastructure. Containers also let you define a runtime environment for your code with all the required library and package versions installed. Containers make it easier to deploy updates and to manage the lifecycle of your IoT devices.

+If you think a device is compromised or isn't functioning correctly, you can disable it in the device registry to prevent it from connecting to the cloud. To allow a device to connect back to a cloud after the issue is resolved, you can re-enable it in the device registry. You can also permanently remove a device from the device registry to completely prevent it from connecting to the cloud.

+You must configure each device in your solution with the details of the IoT hub it should connect to. You can manually configure each device in your solution, but this approach might not be practical for a large number of devices. To get around this problem, you can use the Device Provisioning Service (DPS) to automatically register each device with an IoT hub, and then provision each device with the required connection information. If your IoT solution uses multiple IoT hubs, you can use DPS to provision devices to a hub based on criteria such as which is the closest hub to the device. You can configure your DPS with rules for registering and provisioning your devices in advance of physically deploying the device in the field.

+During the lifecycle of your IoT solution, you might need to roll over the keys used to authenticate devices. For example, you might need to roll over your keys if you suspect that a key is compromised or if a certificate expires:

+As part of overall solution monitoring, you might want to monitor the health of your devices. For example, you might want to monitor the health of your devices or detect when a device is no longer connected to the cloud. Options for monitoring devices include:

+Now that you've seen an overview of device management and control in Azure IoT solutions, some suggested next steps include:

+To simplify downstream processing, you might want to add data to telemetry messages or modify their structure.

+- Use [transformations](../iot-central/core/howto-transform-data-internally.md) to manipulate the format and structure of the device data before you export it to a destination.

+An Azure IoT Edge module can process telemetry from an attached sensor or device before it sends it to an IoT hub. For example, before it sends data to the cloud an IoT Edge module can:

+[Azure Stream Analytics](../stream-analytics/stream-analytics-introduction.md) is a managed stream processing engine that is designed to analyze and process large volumes of streaming data. Stream Analytics can identify patterns in your data and then trigger actions such as creating alerts, sending information to a reporting tool, or storing the transformed data. Stream Analytics is also available on the Azure IoT Edge runtime, enabling it to process data at the edge rather than in the cloud.

+Now that you've seen an overview of device management and control in Azure IoT solutions, some suggested next steps include:

+- **Use Transport Layer Security (TLS) 1.2 to secure connections from devices**: IoT Hub and IoT Central use TLS to secure connections from IoT devices and services. Three versions of the TLS protocol are currently supported: 1.0, 1.1, and 1.2. TLS 1.0 and 1.1 are considered legacy. To learn more, see [Authentication and authorization](iot-overview-device-connectivity.md#authentication).

+An IoT solution might include other systems such as asset management, work scheduling, and control automation systems. Such systems might:

+[Azure Health Data Services](../healthcare-apis/healthcare-apis-overview.md) is a set of managed API services based on open standards and frameworks that enable workflows to improve healthcare and offer scalable and secure healthcare solutions. An IoT solution can use these services to integrate IoT data into a healthcare solution.

+To learn about securing your IoT solution, see [Secure your IoT solution](iot-overview-security.md).

+To learn more about the Azure Monitor service, see [Azure Monitor overview](../azure-monitor/overview.md).

+The app collects data from sensors on the phone to send as telemetry to the IoT service you're using. Sensor data is aggregated every five seconds by default, but you can change this period on the app settings page:

+1. On the list of devices, click on the device name and then select **Connect**. On the **Device connection** page you can see the QR code to scan in the smartphone app in the next section:

+1. Sign in to your IoT Central application and navigate to the **Devices** page. Your device is automatically assigned to the **Smartphone** device template.

+Now that your smartphone app is connected to IoT Central, a suggested next step is to learn more about [IoT Central](../iot-central/core/overview-iot-central.md).

+* [Azure portal help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview)

+For quick and reliable answers on your technical product questions from Microsoft Engineers, Azure Most Valuable Professionals (MVPs), or our expert community, engage with us on [Microsoft Q&A](/answers/products/azure), Azure's preferred destination for community support.

+* [Azure IoT](/answers/topics/azure-iot.html)

+* [Azure IoT Central](/answers/topics/azure-iot-central.html)

+* [Azure IoT Edge](/answers/topics/azure-iot-edge.html)

+* [Azure IoT Hub and Azure IoT Hub Device Provisioning Service (DPS)](/answers/topics/azure-iot-hub.html)

+* [Azure IoT SDKs](/answers/topics/azure-iot-sdk.html)

+* [Azure Digital Twins](/answers/topics/azure-digital-twins.html)

+* [Azure IoT Plug and Play](/answers/topics/azure-iot-pnp.html)

+* [Azure RTOS](/answers/topics/azure-rtos.html)

+* [Azure Sphere](/answers/topics/azure-sphere.html)

+* [Azure Time Series Insights](/answers/topics/azure-time-series-insights.html)

+* [Azure Maps](/answers/topics/azure-maps.html)

+* [Azure IoT Central](https://stackoverflow.com/questions/tagged/azure-iot-central)

+* [Azure IoT Edge](https://stackoverflow.com/questions/tagged/azure-iot-edge)

+* [Azure IoT Hub](https://stackoverflow.com/questions/tagged/azure-iot-hub)

+* [Azure IoT Hub Device Provisioning Service](https://stackoverflow.com/questions/tagged/azure-iot-dps)

+* [Azure IoT SDKs](https://stackoverflow.com/questions/tagged/azure-iot-sdk)

+* [Azure Digital Twins](https://stackoverflow.com/questions/tagged/azure-digital-twins)

+* [Azure RTOS](https://stackoverflow.com/questions/tagged/azure-rtos)

+* [Azure Sphere](https://stackoverflow.com/questions/tagged/azure-sphere)

+* [Azure Time Series Insights](https://stackoverflow.com/questions/tagged/azure-timeseries-insights)

+[View the activity log](../../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log) from the **Monitor** menu in the Azure portal. Use the filters if you want to show results from a specific subscription.

+Logged activity is available in the Azure portal for the past 90 days. You can also [store this data for a longer period](../../azure-monitor/essentials/activity-log-insights.md#retention-period) if needed.

+## Prerequisites

+### [Python SDK](#tab/sdk)

+To use the Python SDK code examples in this article:

+1. Install the [Python SDK v2](https://aka.ms/sdk-v2-install)

+2. Create a connection to your Azure Machine Learning subscription. The examples all rely on `ml_client`. To create a workspace, the connection does not need a workspace name, since you may not yet have one. All other examples in this article require that the workspace name is included in the connection.

+ ```python

+ # import required libraries

+ from azure.ai.ml import MLClient

+ from azure.ai.ml.entities import Workspace

+ from azure.identity import DefaultAzureCredential

+

+ # Enter details of your subscription

+ subscription_id = "<SUBSCRIPTION_ID>"

+ resource_group = "<RESOURCE_GROUP>"

+

+ # get a handle to the subscription (use this if you haven't created a workspace yet)

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)

+

+ # all other examples in this article require the connection to include workspace name

+ workspace_name = "<WORKSPACE_NAME>"

+ ml_client = ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace_name)

+ ```

+To use the Azure CLI code examples in this article, you need to have the Azure CLI installed and configured. You can install the Azure CLI from the [Install and set up the CLI (v2)](how-to-configure-cli.md).

+Once you have the Azure CLI installed, sign in to your Azure account:

+If you have access to multiple Azure subscriptions, you set your active subscription:

+### [Studio](#tab/azure-studio)

+Sign in to [Azure Machine Learning studio](https://ml.azure.com).

+## Workspace

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. The workspace keeps a history of all jobs, including logs, metrics, output, and a snapshot of your scripts. The workspace stores references to resources like datastores and compute. It also holds all assets like models, environments, components and data asset.

+### Create a workspace

+# specify the workspace details

+ws = Workspace(

+ name="my_workspace",

+ location="eastus",

+ display_name="My workspace",

+ description="This example shows how to create a workspace",

+ tags=dict(purpose="demo"),

+ml_client.workspaces.begin_create(ws) # use MLClient to connect to the subscription and resource group and create workspace

+### [Azure CLI](#tab/cli)

+To create a workspace using CLI v2, use the following command:

+```bash

+az ml workspace create --file my_workspace.yml

+```

+For the content of the file, see [workspace YAML examples](https://github.com/Azure/azureml-examples/tree/main/cli/resources/workspace).

+### [Studio](#tab/azure-studio)

+Create a workspace in the studio welcome page by selecting **Create workspace**.

+## Compute

+A compute is a designated compute resource where you run your job or host your endpoint. Azure Machine Learning supports the following types of compute:

+* **Compute instance** - a fully configured and managed development environment in the cloud. You can use the instance as a training or inference compute for development and testing. It's similar to a virtual machine on the cloud.

+* **Compute cluster** - a managed-compute infrastructure that allows you to easily create a cluster of CPU or GPU compute nodes in the cloud.

+* **Serverless compute** - a compute cluster you access on the fly. When you use serverless compute, you don't need to create your own cluster. All compute lifecycle management is offloaded to Azure Machine Learning.

+* **Inference cluster** - used to deploy trained machine learning models to Azure Kubernetes Service. You can create an Azure Kubernetes Service (AKS) cluster from your Azure Machine Learning workspace, or attach an existing AKS cluster.

+* **Attached compute** - You can attach your own compute resources to your workspace and use them for training and inference.

+### Create a compute

+To create a compute cluster using Python SDK v2, you can use the following code:

+### [Azure CLI](#tab/cli)

+To create a compute using CLI v2, use the following command:

+```bash

+az ml compute create --file my_compute.yml

+```

+For the content of the file, see [compute YAML examples](https://github.com/Azure/azureml-examples/tree/main/cli/resources/compute).

+.

+### [Studio](#tab/azure-studio)

+1. Select a workspace if you are not already in one.

+1. From the left-hand menu, select **Compute**.

+1. On the top, select a tab to specify the type of compute you want to create.

+1. Select **New** to create the new compute.

+### Create a datastore

+import AzureBlobDatastore

+ name="blob_example",

+To create a datastore using CLI v2, use the following command:

+az ml datastore create --file my_datastore.yml

+For the content of the file, see [datastore YAML examples](https://github.com/Azure/azureml-examples/tree/main/cli/resources/datastore).

+### [Studio](#tab/azure-studio)

+1. Select a workspace if you are not already in one.

+1. From the left-hand menu, select **Data**.

+1. On the top, select **Datastores**.

+1. Select **Create** to create a new datastore.

+## Model

+Azure Machine Learning models consist of the binary file(s) that represent a machine learning model and any corresponding metadata. Models can be created from a local or remote file or directory. For remote locations `https`, `wasbs` and `azureml` locations are supported. The created model will be tracked in the workspace under the specified name and version. Azure Machine Learning supports three types of storage format for models:

+* `custom_model`

+* `mlflow_model`

+* `triton_model`

+### Create a model in the model registry

+Model registration allows you to store and version your models in the Azure cloud, in your workspace. The model registry helps you organize and keep track of your trained models.

+For more information on how to create models in the registry, see [Work with models in Azure Machine Learning](how-to-manage-models.md).

+### [Python SDK](#tab/sdk)

+To create an environment using Python SDK v2, see [Create an environment](how-to-manage-environments-v2.md?tabs=python#create-an-environment).

+This [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/assets/environment/environment.ipynb) shows more ways to create custom environments using SDK v2.

+### [Azure CLI](#tab/cli)

+To create an environment using CLI v2, see [Create an environment](how-to-manage-environments-v2.md?tabs=cli#create-an-environment).

+For more information, see [environment YAML schema](reference-yaml-environment.md).

+### [Studio](#tab/azure-studio)

+1. Select a workspace if you are not already in one.

+1. From the left-hand menu, select **Environments**.

+1. On the top, select **Custom environments**.

+1. Select **Create** to create a new custom environment.

+Your Azure Machine Learning workspace and managed online endpoint each have a `public_network_access` flag that you can use to configure their inbound communication. On the other hand, outbound communication from a deployment depends on the workspace's managed virtual network.

+#### Communication with the managed online endpoint

+#### Inbound communication to the Azure Machine Learning workspace

+You can use the `public_network_access` flag of your Azure Machine Learning workspace to enable or disable inbound workspace access.

+Typically, if you secure inbound communication to your workspace (by disabling the workspace's `public_network_access` flag) you also want to secure inbound communication to your managed online endpoint.

+The following chart shows a typical workflow for securing inbound communication to your Azure Machine Learning workspace and your managed online endpoint. For best security, we recommend that you disable the `public_network_access` flags for the workspace and the managed online endpoint to ensure that both can't be accessed via the public internet. If the workspace doesn't have a private endpoint, you can create one, making sure to include proper DNS resolution. You can then access the managed online endpoint by using the workspace's private endpoint.

+For more information on DNS resolution for your workspace and private endpoint, see [How to use your workspace with a custom DNS server](how-to-custom-dns.md).

+> [!NOTE]

+> Configuring job properties is only available in batch endpoints with Pipeline component deployments by the moment.

+ "apiVersion": "2023-10-01",

+__To get the values__ for the `cmk_keyvault` (ID of the Key Vault) and the `resource_cmk_uri` (key URI) parameters needed by this template, use the following steps:

+1. To get the Key Vault ID, use the following command:

+ # [Azure CLI](#tab/azcli)

+ ```azurecli

+ az keyvault show --name <keyvault-name> --query 'id' --output tsv

+ ```

+ # [Azure PowerShell](#tab/azpowershell)

+ ```azurepowershell

+ Get-AzureRMKeyVault -VaultName '<keyvault-name>'

+ ```

+

+ This command returns a value similar to `/subscriptions/{subscription-guid}/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<keyvault-name>`.

+1. To get the value for the URI for the customer managed key, use the following command:

+ # [Azure CLI](#tab/azcli)

+ ```azurecli

+ az keyvault key show --vault-name <keyvault-name> --name <key-name> --query 'key.kid' --output tsv

+ ```

+ # [Azure PowerShell](#tab/azpowershell)

+ ```azurepowershell

+ Get-AzureKeyVaultKey -VaultName '<keyvault-name>' -KeyName '<key-name>'

+ ```

+

+ This command returns a value similar to `https://mykeyvault.vault.azure.net/keys/mykey/{guid}`.

+> [!IMPORTANT]

+* Install and configure the [Azure CLI](/cli/azure/) and the `ml` extension to the Azure CLI. For more information, see [Install, set up, and use the CLI (v2)](how-to-configure-cli.md).

+ > Azure Machine Learning managed virtual network was introduced on May 23rd, 2023. If you have an older version of the ml extension, you might need to update it for the examples in this article to work. To update the extension, use the following Azure CLI command:

+#### Migrate from legacy network isolation method to managed virtual network

+If you've used the [legacy method](concept-secure-online-endpoint.md#secure-outbound-access-with-legacy-network-isolation-method) previously for network isolation of managed online endpoints, and you want to migrate to using a workspace managed virtual network to secure your endpoints, follow these steps:

+1. Delete all computes in your workspace.

+1. Enable managed virtual network for your workspace. For more information on how to configure a managed network for your workspace, see [Workspace Managed Virtual Network Isolation](how-to-managed-network.md).

+1. Configure private endpoints for outbound communication to private resources that your managed online endpoints need to access. These private resources include a storage account, Azure Key Vault, and Azure Container Registry (ACR).

+1. (Optional) If you're integrating with a user registry, configure private endpoints for outbound communication to your registry, its storage account, and its ACR.

+Set up connections to provisioned resources in prompt flow.

+| prompt | string | Text prompt that the language model uses to generate its response. The Jinja template for composing prompts in this tool follows a similar structure to the chat API in the LLM tool. To represent an image input within your prompt, you can use the syntax ``. Image input can be passed in the `user`, `system` and `assistant` messages. | Yes |

+## Next step

+Learn more about [how to process images in prompt flow](../how-to-process-image.md).

+| prompt | string | Text prompt that the language model uses to generate its response. The Jinja template for composing prompts in this tool follows a similar structure to the chat API in the LLM tool. To represent an image input within your prompt, you can use the syntax ``. Image input can be passed in the `user`, `system` and `assistant` messages. | Yes |

+| string | The text of one response of conversation |

+## Next step

+Learn more about [how to process images in prompt flow](../how-to-process-image.md).

+> ```

+In this article, you learn how to create Azure Machine Learning datasets to access data for your local or remote experiments with the Azure Machine Learning Python SDK. For more information about how datasets fit in Azure Machine Learning's overall data access workflow, visit the [Securely access data](concept-data.md#data-workflow) article.

+When you create a dataset, you create a reference to the data source location, along with a copy of its metadata. Because the data remains in its existing location, you incur no extra storage cost, and you don't risk the integrity of your data sources. Additionally, datasets are lazily evaluated, which helps improve workflow performance speeds. You can create datasets from datastores, public URLs, and [Azure Open Datasets](../../open-datasets/how-to-create-azure-machine-learning-dataset-from-open-dataset.md). For information about a low-code experience, visit [Create Azure Machine Learning datasets with the Azure Machine Learning studio](how-to-connect-data-ui.md#create-data-assets).

+* Keep a single copy of data in your storage, referenced by datasets

+* Seamlessly access data during model training without worrying about connection strings or data paths. For more information about dataset training, visit [Learn more about how to train with datasets](how-to-train-with-datasets.md)

+* Share data and collaborate with other users

+* An Azure subscription. If you don't have one, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/)

+* An [Azure Machine Learning workspace](../quickstart-create-resources.md)

+* The [Azure Machine Learning SDK for Python installed](/python/api/overview/azure/ml/install), which includes the azureml-datasets package

+* Create an [Azure Machine Learning compute instance](how-to-create-manage-compute-instance.md), a fully configured and managed development environment that includes integrated notebooks and the SDK already installed

+* Work on your own Jupyter notebook and [install the SDK yourself](/python/api/overview/azure/ml/install)

+> Some dataset classes have dependencies on the [azureml-dataprep](https://pypi.org/project/azureml-dataprep/) package, which is only compatible with 64-bit Python. If you develop on __Linux__, these classes rely on .NET Core 2.1, and only specific distributions support them. For more information about the supported distros, read the .NET Core 2.1 column in the [Install .NET on Linux](/dotnet/core/install/linux) article.

+> While the package may work on older versions of Linux distros, we do not recommend use of a distro that is out of mainstream support. Distros that are out of mainstream support may have security vulnerabilities, because they do not receive the latest updates. We recommend using the latest supported version of your distro that is compatible with .

+When you create a dataset, review your compute processing power and the size of your data in memory. The size of your data in storage isn't the same as the size of data in a dataframe. For example, data in CSV files can expand up to 10 times in a dataframe, so a 1-GB CSV file can become 10 GB in a dataframe.

+Compressed data can expand further. Twenty GB of relatively sparse data stored in a compressed parquet format can expand to ~800 GB in memory. Since Parquet files store data in a columnar format, if you only need half of the columns, then you only need to load ~400 GB in memory.

+For more information, visit [Learn more about optimizing data processing in Azure Machine Learning](../concept-optimize-data-processing.md).

+There are two dataset types, based on how users consume datasets in training: FileDatasets and TabularDatasets. Azure Machine Learning training workflows that involve estimators, AutoML, hyperDrive, and pipelines can use both types.

+A [FileDataset](/python/api/azureml-core/azureml.data.file_dataset.filedataset) references single or multiple files in your datastores or public URLs. If your data is already cleaned, and ready to use in training experiments, you can [download or mount](how-to-train-with-datasets.md#mount-vs-download) the files to your compute as a FileDataset object.

+We recommend FileDatasets for your machine learning workflows, because the source files can be in any format. This enables a wider range of machine learning scenarios, including deep learning.

+Create a FileDataset with the [Python SDK](#create-a-filedataset) or the [Azure Machine Learning studio](how-to-connect-data-ui.md#create-data-assets).

+A [TabularDataset](/python/api/azureml-core/azureml.data.tabulardataset) parses the provided file or list of files, to represent data in a tabular format. You can then materialize the data into a pandas or Spark DataFrame, to work with familiar data preparation and training libraries while staying in your notebook. You can create a `TabularDataset` object from .csv, .tsv, [.parquet](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-parquet-files), [.json lines files](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-json-lines-files), and from [SQL query results](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-sql-query).

+With TabularDatasets, you can specify a time stamp from a column in the data, or from the location where the path pattern data is stored, to enable a time series trait. This specification enables easy and efficient filtering by time. For an example, visit [Tabular time series-related API demo with NOAA weather data](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/work-with-data/datasets-tutorial/timeseries-datasets/tabular-timeseries-dataset-filtering.ipynb).

+>

+>Also, for TabularDatasets generated from [SQL query results](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-sql-query), T-SQL (e.g. 'WITH' sub query) or duplicate column names are not supported. Complex T-SQL queries can cause performance issues. Duplicate column names in a dataset can cause ambiguity issues.

+If your workspace is located in a virtual network, you must configure the dataset to skip validation. For more information about how to use datastores and datasets in a virtual network, visit [Secure a workspace and associated resources](how-to-secure-workspace-vnet.md#datastores-and-datasets).

+To make the data accessible by Azure Machine Learning, you must create datasets from paths in web URLs or [Azure Machine Learning datastores](how-to-access-data.md).

+> [!TIP]

+> You can create datasets directly from storage urls with identity-based data access. For more information, visit [Connect to storage with identity-based data access](how-to-identity-based-data-access.md).

+1. Create the dataset by referencing paths in the datastore. You can create a dataset from multiple paths in multiple datastores. There's no hard limit on the number of files or data size from which you can create a dataset.

+> For each data path, a few requests will be sent to the storage service to check whether it points to a file or a folder. This overhead may lead to degraded performance or failure. A dataset referencing one folder with 1000 files inside is considered referencing one data path. For optimal performance, we recommend creating datasets that reference less than 100 paths in datastores.

+Use the [`from_files()`](/python/api/azureml-core/azureml.data.dataset_factory.filedatasetfactory#azureml-data-dataset-factory-filedatasetfactory-from-files) method on the `FileDatasetFactory` class to load files in any format, and to create an unregistered FileDataset.

+If your storage is behind a virtual network or firewall, set the parameter `validate=False` in the `from_files()` method. This bypasses the initial validation step, and ensures that you can create your dataset from these secure files. For more information, visit [use datastores and datasets in a virtual network](how-to-secure-workspace-vnet.md#datastores-and-datasets).

+# create a FileDataset recursively pointing to files in 'animals' folder and its subfolder

+To upload all the files from a local directory, create a FileDataset in a single method with

+[`upload_directory()`](/python/api/azureml-core/azureml.data.dataset_factory.filedatasetfactory#azureml-data-dataset-factory-filedatasetfactory-upload-directory). This method uploads data to your underlying storage, and as a result you incur storage costs.

+To reuse and share datasets across experiments in your workspace, [register your dataset](#register-datasets).

+Use the [`from_delimited_files()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-delimited-files) method on the `TabularDatasetFactory` class to read files in .csv or .tsv format, and to create an unregistered TabularDataset. To read in files from `.parquet` format, use the [`from_parquet_files()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-parquet-files) method. If you're reading from multiple files, results are aggregated into one tabular representation.

+For information about supported file formats, visit the [TabularDatasetFactory reference documentation](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory), and information about syntax and design patterns such as [multiline support](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-delimited-files).

+If your storage is behind a virtual network or firewall, set the parameter `validate=False` in your `from_delimited_files()` method. This bypasses the initial validation step, and ensures that you can create your dataset from these secure files. For more information about data storage resources behind a virtual network or firewall, visit [datastores and datasets in a virtual network](how-to-secure-workspace-vnet.md#datastores-and-datasets).

+This code gets the existing workspace and the desired datastore by name. It then passes the datastore and file locations to the `path` parameter to create a new TabularDataset named `weather_ds`:

+When you create a TabularDataset, column data types are automatically inferred by default. If the inferred types don't match your expectations, you can specify column types with the following code to update your dataset. The parameter `infer_column_type` is only applicable for datasets created from delimited files. For more information, visit [Learn more about supported data types](/python/api/azureml-core/azureml.data.dataset_factory.datatype).

+After you create and [register](#register-datasets) your dataset, you can load that dataset into your notebook for data wrangling and [exploration](#explore-data), before model training. You might not need to do any data wrangling or exploration. In that case, for more information about how to consume datasets in your training scripts for ML experiment submissions, visit [Train with datasets](how-to-train-with-datasets.md).

+Filtering capabilities depends on the type of dataset you have.

+> Filtering datasets with the [`filter()`](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-filter) preview method is an [experimental](/python/api/overview/azure/ml/#stable-vs-experimental) preview feature, and may change at any time.

+For **TabularDatasets**, you can keep or remove columns with the [keep_columns()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-keep-columns) and [drop_columns()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-drop-columns) methods.

+To filter out rows by a specific column value in a TabularDataset, use the [filter()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-filter) method (preview).

+These examples return an unregistered dataset based on the specified expressions:

+In **FileDatasets**, each row corresponds to a path of a file, so filtering by column value doesn't help. However, you can [filter()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-filter) rows by metadata - for example, CreationTime, Size etc. These examples return an unregistered dataset based on the specified expressions:

+**Labeled datasets** created from [image labeling projects](../how-to-create-image-labeling-projects.md) are a special case. These datasets are a type of TabularDataset made up of image files. For these datasets, you can [filter()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-filter) images by metadata, and by `label` and `image_details` column values.

+To partition a dataset, include the `partitions_format` parameter when you create a TabularDataset or FileDataset.

+When you partition a dataset, the partition information of each file path is extracted into columns based on the specified format. The format should start from the position of first partition key and continue to the end of file path.

+For example, given the path `../Accounts/2019/01/01/data.jsonl`, where the partition is by department name and time, the `partition_format='/{Department}/{PartitionDate:yyyy/MM/dd}/data.jsonl'` creates a string column 'Department' with the value 'Accounts', and a datetime column 'PartitionDate' with the value `2019-01-01`.

+If your data already has existing partitions and you want to preserve that format, include the `partitioned_format` parameter in your [`from_files()`](/python/api/azureml-core/azureml.data.dataset_factory.filedatasetfactory#azureml-data-dataset-factory-filedatasetfactory-from-files) method, to create a FileDataset.

+To create a TabularDataset that preserves existing partitions, include the `partitioned_format` parameter in the [`from_parquet_files()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-parquet-files) or the

+[`from_delimited_files()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-from-delimited-files) method.

+This example

+* Creates a FileDataset from partitioned files

+* Creates a new, indexed FileDataset

+You can also create a new partitions structure for TabularDatasets with the [partition_by()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-partition-by) method.

+After you wrangle your data, you can [register](#register-datasets) your dataset, and then load it into your notebook for data exploration before model training.

+For FileDatasets, you can either **mount** or **download** your dataset, and apply the Python libraries you'd normally use for data exploration. For more information, visit [Learn more about mount vs download](how-to-train-with-datasets.md#mount-vs-download).

+For TabularDatasets, use the [`to_pandas_dataframe()`](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-to-pandas-dataframe) method to view your data in a dataframe.

+To create a TabularDataset from an in-memory pandas dataframe, use the [`register_pandas_dataframe()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-datset-factory-tabulardatasetfactory-register-pandas-dataframe) method. This method registers the TabularDataset to the workspace and uploads data to your underlying storage. This process incurs storage costs.

+> Create and register a TabularDataset from an in memory spark dataframe or a dask dataframe with the public preview methods, [`register_spark_dataframe()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-register-spark-dataframe) and [`register_dask_dataframe()`](/python/api/azureml-core/azureml.data.dataset_factory.tabulardatasetfactory#azureml-data-dataset-factory-tabulardatasetfactory-register-dask-dataframe). These methods are [experimental](/python/api/overview/azure/ml/#stable-vs-experimental) preview features, and may change at any time.

+>

+> These methods upload data to your underlying storage, and as a result incur storage costs.

+To complete the creation process, register your datasets with a workspace. Use the [`register()`](/python/api/azureml-core/azureml.data.abstract_dataset.abstractdataset#azureml-data-abstract-dataset-abstractdataset-register) method to register datasets with your workspace, to share them with others and reuse them across experiments in your workspace:

+You can find many templates at [microsoft.machinelearningservices](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices) that can be used to create datasets.

+For information about these templates, visit [Use an Azure Resource Manager template to create a workspace for Azure Machine Learning](../how-to-create-workspace-template.md).

+You can register a new dataset under the same name by creating a new version. A dataset version can bookmark the state of your data, to apply a specific version of the dataset for experimentation or future reproduction. For more information, visit [dataset versions](how-to-version-track-datasets.md).

+* Learn [how to train with datasets](how-to-train-with-datasets.md)

+* Use automated machine learning to [train with TabularDatasets](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/automated-machine-learning/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb)

+* For more dataset training examples, see the [sample notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/)

+| **Region name** |**Current Gateway IP address**| **Gateway IP address subnets** |

+|:-|:--|:--|

+| Australia Central | 20.36.105.32 | 20.36.105.32/29, 20.53.48.96/27 |

+| Australia Central2 | 20.36.113.32 | 20.36.113.32/29, 20.53.56.32/27 |

+| Australia East | 13.70.112.32 | 13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29, 40.79.160.32/29, 20.53.46.128/27 |

+| Australia South East |13.77.49.33 |3.77.49.32/29, 104.46.179.160/27|

+| Brazil South | 191.233.201.8, 191.233.200.16 | 191.234.153.32/27, 191.234.152.32/27, 191.234.157.136/29, 191.233.200.32/29, 191.234.144.32/29, 191.234.142.160/27|

+|Brazil Southeast|191.233.48.2|191.233.48.32/29, 191.233.15.160/27|

+| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29, 20.48.196.32/27|

+| Canada East |40.69.105.32 | 40.69.105.32/29, 52.139.106.192/27 |

+| Central US | 52.182.136.37, 52.182.136.38 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29, 20.40.228.128/27|

+| China East | 52.130.112.139 | 52.130.112.136/29, 52.130.13.96/2752.130.112.136/29, 52.130.13.96/27|

+| China East 2 | 40.73.82.1, 52.130.120.89 | 52.130.120.88/29, 52.130.7.0/27|

+| China North | 52.130.128.89| 52.130.128.88/29, 40.72.77.128/27 |

+| China North 2 |40.73.50.0 | 52.130.40.64/29, 52.130.21.160/27|

+| East Asia |13.75.33.20, 13.75.33.21 | 20.205.77.176/29, 20.205.83.224/29, 20.205.77.200/29, 13.75.32.192/29, 13.75.33.192/29, 20.195.72.32/27|

+| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29, 20.62.132.160/27|

+| East US 2 |52.167.105.38, 40.70.144.38| 104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29, 20.62.58.128/27|

+| France Central |40.79.129.1 | 40.79.128.32/29, 40.79.136.32/29, 40.79.144.32/29, 20.43.47.192/27 |

+| France South |40.79.176.40 | 40.79.176.40/29, 40.79.177.32/29, 52.136.185.0/27|

+| Germany North| 51.116.56.0| 51.116.57.32/29, 51.116.54.96/27|

+| Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29, 51.116.149.32/27|

+| India Central |20.192.96.33 | 40.80.48.32/29, 104.211.86.32/29, 20.192.96.32/29, 20.192.43.160/27|

+| India South | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29, 52.172.113.96/27|

+| India West | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29, 52.136.53.160/27|

+| Japan East | 40.79.184.8, 40.79.192.23| 13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29, 20.191.165.160/27 |

+| Japan West |40.74.96.6| 20.18.179.192/29, 40.74.96.32/29, 20.189.225.160/27 |

+| Jio India Central| 20.192.233.32|20.192.233.32/29, 20.192.48.32/27|

+| Jio India West|20.193.200.32|20.193.200.32/29, 20.192.167.224/27|

+| Korea Central | 52.231.17.13 | 20.194.64.32/29, 20.44.24.32/29, 52.231.16.32/29, 20.194.73.64/27|

+| Korea South |52.231.145.3| 52.231.151.96/27, 52.231.151.88/29, 52.231.145.0/29, 52.147.112.160/27 |

+| North Central US | 52.162.104.35, 52.162.104.36 | 52.162.105.200/29, 20.125.171.192/29, 52.162.105.192/29, 20.49.119.32/27|

+| North Europe |52.138.224.6, 52.138.224.7 |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29, 52.146.133.128/27 |

+|Norway East|51.120.96.0|51.120.208.32/29, 51.120.104.32/29, 51.120.96.32/29, 51.120.232.192/27|

+|Norway West|51.120.216.0|51.120.217.32/29, 51.13.136.224/27|

+| South Africa North | 102.133.152.0 | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29, 102.133.221.224/27 |

+| South Africa West |102.133.24.0 | 102.133.25.32/29, 102.37.80.96/27|

+| South Central US | 20.45.120.0 |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29, 20.65.132.160/27|

+| South East Asia | 23.98.80.12, 40.78.233.2|13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29, 20.195.65.32/27 |

+| Sweden Central|51.12.96.32|51.12.96.32/29, 51.12.232.32/29, 51.12.224.32/29, 51.12.46.32/27|

+| Sweden South|51.12.200.32|51.12.201.32/29, 51.12.200.32/29, 51.12.198.32/27|

+| Switzerland North |51.107.56.0 |51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27|

+| Switzerland West | 51.107.152.0| 51.107.153.32/29, 51.107.250.64/27|

+| UAE Central | 20.37.72.64| 20.37.72.96/29, 20.37.73.96/29, 20.37.71.64/27 |

+| UAE North |65.52.248.0 |20.38.152.24/29, 40.120.72.32/29, 65.52.248.32/29, 20.38.143.64/27 |

+| UK South | 51.105.64.0|51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29, 51.143.209.224/27|

+| UK West |51.140.208.98 |51.140.208.96/29, 51.140.209.32/29, 20.58.66.128/27 |

+| West Central US |13.71.193.34 | 13.71.193.32/29, 20.69.0.32/27 |

+| West Europe | 13.69.105.208,104.40.169.187|104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29, 20.61.99.192/27|

+| West US |13.86.216.212, 13.86.217.212 |20.168.163.192/29, 13.86.217.224/29, 20.66.3.64/27|

+| West US 2 | 13.66.136.192 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29, 20.51.9.128/27|

+| West US 3 |20.150.184.2 | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29, 20.150.241.128/27 |

+Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription (RHEL and SLES). Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+ - Azure Hybrid Benefit for SQL and Windows licenses or Enterprise Linux subscription (RHEL and SLES)

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription (RHEL and SLES). Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+Azure Migrate doesn't move or store customer data outside of the region allocated, guaranteeing data residency and resiliency in the same geography.

+Azure Migrate provides an additional option for creating projects and ensuring data residency in preferred regions beyond the specified geographies. To avail this option, use the link - https://aka.ms/migrate/ProjectRegionSelection.

+ Title: Troubleshoot assessments FAQ in Azure Migrate

+description: FAQs for Troubleshooting assessments in Azure Migrate.

+ms.

+# Troubleshoot assessment - FAQ

+This article provides answers to some of the most common questions about troubleshoot issues with assessment. See articles [Troubleshoot](troubleshoot-assessment.md) issues with assessment and [Supported Scenarios](troubleshoot-assessment-supported-scenarios.md) for troubleshooting assessments.

+## Why is the recommended Azure disk SKU bigger than on-premises in an Azure VM assessment?

+Azure VM assessment might recommend a bigger disk based on the type of assessment:

+- Disk sizing depends on two assessment properties: sizing criteria and storage type.

+- If the sizing criteria are **Performance-based** and the storage type is set to **Automatic**, the IOPS and throughput values of the disk are considered when identifying the target disk type (Standard HDD, Standard SSD, Premium, or Ultra disk). A disk SKU from the disk type is then recommended, and the recommendation considers the size requirements of the on-premises disk.

+- If the sizing criteria are **Performance-based** and the storage type is **Premium**, a premium disk SKU in Azure is recommended based on the IOPS, throughput, and size requirements of the on-premises disk. The same logic is used to perform disk sizing when the sizing criteria is **As on-premises** and the storage type is **Standard HDD**, **Standard SSD**, **Premium**, or **Ultra disk**.

+For example, say you have an on-premises disk with 32 GB of memory, but the aggregated read and write IOPS for the disk is 800 IOPS. The Azure VM assessment recommends a premium disk because of the higher IOPS requirements. It also recommends a disk SKU that can support the required IOPS and size. The nearest match in this example would be P15 (256 GB, 1100 IOPS). Even though the size required by the on-premises disk was 32 GB, the Azure VM assessment recommended a larger disk because of the high IOPS requirement of the on-premises disk.

+## Why is performance data missing for some or all VMs in my assessment report?

+For **Performance-based** assessment, the assessment report export says 'PercentageOfCoresUtilizedMissing' or 'PercentageOfMemoryUtilizedMissing' when the Azure Migrate appliance can't collect performance data for the on-premises VMs. Make sure to check:

+- If the VMs are powered on for the duration for which you're creating the assessment.

+- If only memory counters are missing and you're trying to assess Hyper-V VMs, check if you have dynamic memory enabled on these VMs. Because of a known issue, currently the Azure Migrate appliance can't collect memory utilization for such VMs.

+- If all of the performance counters are missing, ensure the port access requirements for assessment are met. Learn more about the port access requirements for [VMware](./migrate-support-matrix-vmware.md#port-access-requirements), [Hyper-V](./migrate-support-matrix-hyper-v.md#port-access), and [physical](./migrate-support-matrix-physical.md#port-access) assessments.

+If any of the performance counters are missing, Azure Migrate: Discovery and assessment fall back to the allocated cores/memory on-premises and recommend a VM size accordingly.

+## Why is performance data missing for some or all servers in my Azure VM or Azure VMware Solution assessment report?

+For **Performance-based** assessment, the assessment report export says **PercentageOfCoresUtilizedMissing** or **PercentageOfMemoryUtilizedMissing** when the Azure Migrate appliance can't collect performance data for the on-premises servers. Make sure to check:

+- If the servers are powered on for the duration for which you're creating the assessment.

+- If only memory counters are missing and you're trying to assess servers in a Hyper-V environment. In this scenario, enable dynamic memory on the servers and recalculate the assessment to reflect the latest changes. The appliance can collect memory utilization values for servers in a Hyper-V environment only when the server has dynamic memory enabled.

+- If all of the performance counters are missing, ensure that outbound connections on ports 443 (HTTPS) are allowed.

+ > [!Note]

+ > If any of the performance counters are missing, Azure Migrate: Discovery and assessment falls back to the allocated cores/memory on-premises and recommends a VM size accordingly.

+## Why is performance data missing for some or all SQL instances or databases in my Azure SQL assessment?

+To ensure performance data is collected, make sure to check:

+- If the SQL servers are powered on for the duration for which you're creating the assessment.

+- If the connection status of the SQL agent in Azure Migrate is **Connected**, and also check the last heartbeat.

+- If the Azure Migrate connection status for all SQL instances is **Connected** in the discovered SQL instance pane.

+- If all of the performance counters are missing, ensure that outbound connections on port 443 (HTTPS) are allowed.

+If any of the performance counters are missing, the Azure SQL assessment recommends the smallest Azure SQL configuration for that instance or database.

+## Why is the confidence rating of my assessment low?

+The confidence rating is calculated for **Performance-based** assessments based on the percentage of [available data points](./concepts-assessment-calculation.md#ratings) needed to compute the assessment. An assessment could get a low confidence rating for the following reasons:

+- You didn't profile your environment for the duration for which you're creating the assessment. For example, if you're creating an assessment with performance duration set to one week, you need to wait for at least a week after you start the discovery for all the data points to get collected. If you can't wait for the duration, change the performance duration to a shorter period and recalculate the assessment.

+- The assessment isn't able to collect the performance data for some or all the servers in the assessment period. For a high confidence rating, ensure that:

+ - Servers are powered on for the duration of the assessment.

+ - Outbound connections on ports 443 are allowed.

+ - For Hyper-V Servers, dynamic memory is enabled.

+ - The connection status of agents in Azure Migrate is **Connected**. Also check the last heartbeat.

+ - For Azure SQL assessments, Azure Migrate connection status for all SQL instances is **Connected** in the discovered SQL instance pane.

+ Recalculate the assessment to reflect the latest changes in confidence rating.

+- For Azure VM and Azure VMware Solution assessments, few servers were created after discovery had started. For example, say you're creating an assessment for the performance history of the past month, but a few servers were created in the environment only a week ago. In this case, the performance data for the new servers won't be available for the entire duration and the confidence rating would be low. [Learn more](./concepts-assessment-calculation.md#confidence-ratings-performance-based).

+- For Azure SQL assessments, few SQL instances or databases were created after discovery had started. For example, say you're creating an assessment for the performance history of the past month, but a few SQL instances or databases were created in the environment only a week ago. In this case, the performance data for the new servers won't be available for the entire duration and the confidence rating would be low. [Learn more](./concepts-azure-sql-assessment-calculation.md#confidence-ratings).

+## Why is my RAM utilization greater than 100%?

+By design, in Hyper-V if maximum memory provisioned is less than what is required by the VM, the assessment will show memory utilization to be more than 100%.

+## Is the operating system license included in an Azure VM assessment?

+An Azure VM assessment currently considers the operating system license cost only for Windows servers. License costs for Linux servers aren't currently considered.

+## How performance-based sizing works in an Azure VM assessment?

+An Azure VM assessment continuously collects performance data of on-premises servers and uses it to recommend the VM SKU and disk SKU in Azure. [Learn more](concepts-assessment-calculation.md#calculate-sizing-performance-based) about how performance-based data is collected.

+## Can I migrate my disks to an Ultra disk by using Azure Migrate?

+No. Currently, both Azure Migrate and Azure Site Recovery don't support migration to Ultra disks. [Learn more](../virtual-machines/disks-enable-ultra-ssd.md?tabs=azure-portal#deploy-an-ultra-disk) about deploying an Ultra disk.

+## Why are the provisioned IOPS and throughput in my Ultra disk more than my on-premises IOPS and throughput?

+As per the [official pricing page](https://azure.microsoft.com/pricing/details/managed-disks/), Ultra disk is billed based on the provisioned size, provisioned IOPS, and provisioned throughput. For example, if you provisioned a 200-GiB Ultra disk with 20,000 IOPS and 1,000 MB/second and deleted it after 20 hours, it will map to the disk size offer of 256 GiB. You'll be billed for 256 GiB, 20,000 IOPS, and 1,000 MB/second for 20 hours.

+IOPS to be provisioned = (Throughput discovered) * 1024/256

+## Does the Ultra disk recommendation consider latency?

+No, currently only disk size, total throughput, and total IOPS are used for sizing and costing.

+## I can see M series supports Ultra disk, but in my assessment where Ultra disk was recommended, it says "No VM found for this location"

+This result is possible because not all VM sizes that support Ultra disks are present in all Ultra disk supported regions. Change the target assessment region to get the VM size for this server.

+## Why is my assessment showing a warning that it was created with an invalid offer?

+Your assessment was created with an offer that is no longer valid and hence, the **Edit** and **Recalculate** buttons are disabled. You can create a new assessment with any of the valid offers - *Pay as you go*, *Pay as you go Dev/Test*, and *Enterprise Agreement*. You can also use the **Discount(%)** field to specify any custom discount on top of the Azure offer. [Learn more](how-to-create-assessment.md).

+## Why is my assessment showing a warning that it was created with a target Azure location that has been deprecated?

+Your assessment was created with an Azure region that has been deprecated and hence the **Edit** and **Recalculate** buttons are disabled. You can [create a new assessment](how-to-create-assessment.md) with any of the valid target locations. [Learn more](concepts-assessment-calculation.md#whats-in-an-azure-vm-assessment).

+## Why is my assessment showing a warning that it was created with an invalid combination of Reserved Instances, VM uptime, and Discount (%)?

+When you select **Reserved Instances**, the **Discount (%)** and **VM uptime** properties aren't applicable. As your assessment was created with an invalid combination of these properties, the **Edit** and **Recalculate** buttons are disabled. Create a new assessment. [Learn more](./concepts-assessment-calculation.md#whats-an-assessment).

+## Why are some of my assessments marked as "to be upgraded to latest assessment version"?

+Recalculate your assessment to view the upgraded Azure SQL assessment experience to identify the ideal migration target for your SQL deployments across Azure SQL Managed Instances, SQL Server on Azure VM, and Azure SQL DB:

+ - We recommended migrating instances to *SQL Server on Azure VM* as per the Azure best practices.

+ - *Right sized Lift and Shift* - Server to *SQL Server on Azure VM*. We recommend this when SQL Server credentials are not available.

+ - Enhanced user-experience that covers readiness and cost estimates for multiple migration targets for SQL deployments in one assessment.

+We recommend that you export your existing assessment before recalculating.

+## I don't see performance data for some network adapters on my physical servers

+This issue can happen if the physical server has Hyper-V virtualization enabled. On these servers, because of a product gap, Azure Migrate currently discovers both the physical and virtual network adapters. The network throughput is captured only on the virtual network adapters discovered.

+## The recommended Azure VM SKU for my physical server is oversized

+This issue can happen if the physical server has Hyper-V virtualization enabled. On these servers, Azure Migrate currently discovers both the physical and virtual network adapters. As a result, the number of network adapters discovered is higher than the actual number. The Azure VM assessment picks an Azure VM that can support the required number of network adapters, which can potentially result in an oversized VM. [Learn more](./concepts-assessment-calculation.md#calculating-sizing) about the impact of the number of network adapters on sizing. This product gap will be addressed going forward.

+## The readiness category is marked "Not ready" for my physical server

+The readiness category might be incorrectly marked as **Not ready** in the case of a physical server that has Hyper-V virtualization enabled. On these servers, because of a product gap, Azure Migrate currently discovers both the physical and virtual adapters. As a result, the number of network adapters discovered is higher than the actual number. In both **As on-premises** and **Performance-based** assessments, the Azure VM assessment picks an Azure VM that can support the required number of network adapters. If the number of network adapters is discovered to be higher than 32, the maximum number of NICs supported on Azure VMs, the server will be marked **Not ready**. [Learn more](./concepts-assessment-calculation.md#calculating-sizing) about the impact of number of NICs on sizing.

+## The number of discovered NICs is higher than actual for physical servers

+This issue can happen if the physical server has Hyper-V virtualization enabled. On these servers, Azure Migrate currently discovers both the physical and virtual adapters. As a result, the number of NICs discovered is higher than the actual number.

+## Capture network traffic

+To collect network traffic logs:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select F12 to start Developer Tools. If needed, clear the **Clear entries on navigation** setting.

+1. Select the **Network** tab, and start capturing network traffic:

+ - In Chrome, select **Preserve log**. The recording should start automatically. A red circle indicates that traffic is being captured. If the red circle doesn't appear, select the black circle to start.

+ - In Microsoft Edge and Internet Explorer, recording should start automatically. If it doesn't, select the green play button.

+1. Try to reproduce the error.

+1. After you've encountered the error while recording, stop recording and save a copy of the recorded activity:

+ - In Chrome, right-click and select **Save as HAR with content**. This action compresses and exports the logs as a .har file.

+ - In Microsoft Edge or Internet Explorer, select the **Export captured traffic** option. This action compresses and exports the log.

+1. Select the **Console** tab to check for any warnings or errors. To save the console log:

+ - In Chrome, right-click anywhere in the console log. Select **Save as** to export, and zip the log.

+ - In Microsoft Edge or Internet Explorer, right-click the errors and select **Copy all**.

+1. Close Developer Tools.

+## Where is the Operating System data in my assessment discovered from?

+- For VMware VMs, by default, it's the operating system data provided by the vCenter Server.

+ - For VMware Linux VMs, if application discovery is enabled, the OS details are fetched from the guest VM. To check which OS details are in the assessment, go to the **Discovered servers** view, and hover over the value in the **Operating system** column. In the text that pops up, you'd be able to see whether the OS data you see is gathered from the vCenter Server or from the guest VM by using the VM credentials.

+ - For Windows VMs, the operating system details are always fetched from the vCenter Server.

+- For Hyper-V VMs, the operating system data is gathered from the Hyper-V host.

+- For physical servers, it is fetched from the server.

+## Next steps

+[Create](how-to-create-assessment.md) or [customize](how-to-modify-assessment.md) an assessment.

+ Title: Troubleshooting supported scenarios for Assessments

+description: Get help for resolving issues with assessments in supported scenarios using Azure Migrate.

+ms.

+# Troubleshoot assessment - supported scenarios

+This article provides supported scenarios for troubleshooting assessments. See articles [Troubleshoot](troubleshoot-assessment.md) issues with assessment and [FAQ](troubleshoot-assessment-faq.md) for commonly questions about troubleshoot issues with assessment.

+## Scenario: Unknown migration tool for import-based Azure VMware Solution assessment

+### Cause

+For servers imported via a CSV file, the default migration tool in an Azure VMware Solution assessment is unknown.

+### Resolution

+For servers in a VMware environment, use the VMware Hybrid Cloud Extension (HCX) solution. [Learn more](../azure-vmware/configure-vmware-hcx.md).

+## Scenario: Linux VMs are "conditionally ready" in an Azure VM assessment

+### Cause

+In the case of VMware and Hyper-V VMs, an Azure VM assessment marks Linux VM as **conditionally ready** because of a known gap.

+- The gap prevents it from detecting the minor version of the Linux OS installed on the on-premises VMs.

+- For example, for RHEL 6.10, currently an Azure VM assessment detects only RHEL 6 as the OS version. This behavior occurs because the vCenter Server and the Hyper-V host don't provide the kernel version for Linux VM operating systems.

+- Since Azure endorses only specific versions of Linux, the Linux VMs are currently marked as **conditionally ready** in an Azure VM assessment.

+- You can determine whether the Linux OS running on the on-premises VM is endorsed in Azure by reviewing [Azure Linux support](../virtual-machines/linux/endorsed-distros.md).

+- After you've verified the endorsed distribution, you can ignore this warning.

+### Resolution

+This gap can be addressed by enabling [application discovery](./how-to-discover-applications.md) on the VMware VMs. An Azure VM assessment uses the operating system detected from the VM by using the guest credentials provided. This Operating System data identifies the right OS information in the case of both Windows and Linux VMs.

+## Scenario: Operating system version not available

+### Cause

+For physical servers, the operating system minor version information should be available. If it isn't available, contact Microsoft Support. For servers in a VMware environment, Azure Migrate uses the operating system information specified for the VM in the vCenter Server. But vCenter Server doesn't provide the minor version for operating systems.

+### Resolution

+To discover the minor version, set up [application discovery](./how-to-discover-applications.md). For Hyper-V VMs, operating system minor version discovery isn't supported.

+## Scenario: Azure SKUs bigger than on-premises in an Azure VM assessment

+### Cause

+An Azure VM assessment might recommend Azure VM SKUs with more cores and memory than the current on-premises allocation based on the type of assessment:

+- The VM SKU recommendation depends on the assessment properties.

+- The recommendation is affected by the type of assessment you perform in an Azure VM assessment. The two types are **Performance-based** or **As on-premises**.

+- For performance-based assessments, the Azure VM assessment considers the utilization data of the on-premises VMs (CPU, memory, disk, and network utilization) to determine the right target VM SKU for your on-premises VMs. It also adds a comfort factor when determining effective utilization.

+- For on-premises sizing, performance data isn't considered, and the target SKU is recommended based on on-premises allocation.

+### Resolution

+Let's look at an example recommendation:

+We have an on-premises VM with 4 cores and 8 GB of memory, with 50% CPU utilization and 50% memory utilization, and a specified comfort factor of 1.3.

+- If the assessment is **As on-premises**, an Azure VM SKU with 4 cores and 8 GB of memory is recommended.

+- If the assessment is **Performance-based**, based on effective CPU and memory utilization (50% of 4 cores * 1.3 = 2.6 cores and 50% of 8 GB memory * 1.3 = 5.2 GB memory), the cheapest VM SKU of 4 cores (nearest supported core count) and 8 GB of memory (nearest supported memory size) is recommended.

+- [Learn more](concepts-assessment-calculation.md#types-of-assessments) about assessment sizing.

+## Next steps

+[Create](how-to-create-assessment.md) or [customize](how-to-modify-assessment.md) an assessment.

+ Title: Common issues in Azure Migrate assessments

+description: Get help with assessment issues in Azure Migrate.

+# Common issues in Azure Migrate assessments

+This article helps you troubleshoot issues with assessment and dependency visualization with [Azure Migrate: Discovery and assessment](migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool). See articles [Supported Scenarios](troubleshoot-assessment-supported-scenarios.md) for troubleshooting assessments scenarios and [FAQ](troubleshoot-assessment-faq.md) for commonly questions about troubleshoot issues with assessment.

+### Error Code: 60001:UnableToConnectToPhysicalServer

+#### Cause

+Either the prerequisites to connect to the server have not been met or there are network issues in connecting to the server, for instance some proxy settings.

+#### Recommended Action

+- Ensure that the server meets the prerequisites and port access requirements.

+- Add the IP addresses of the remote machines (discovered servers) to the WinRM TrustedHosts list on the Azure Migrate appliance and retry the operation. This is to allow remote inbound connections on servers: *Windows: WinRM port 5985 (HTTP) and Linux: SSH port 22 (TCP)*.

+- Ensure that you have chosen the correct authentication method on the appliance to connect to the server. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 60002: InvalidServerCredentials

+#### Cause

+Unable to connect to server due to incorrect credentials on the appliance, or the credentials previously provided have expired or the server credentials have changed.

+#### Recommended Action

+

+- Ensure that you have provided the correct credentials for the server on the appliance. You can check that by trying to connect to the server using those credentials.

+- If the credentials added are incorrect or have expired, edit the credentials on the appliance and revalidate the added servers. If the validation succeeds, the issue is resolved.

+- If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 60004: NoPerfDataAvailableForServers

+#### Cause

+The appliance is unable to fetch the required performance data from the server due to network issues or the credentials provided on the appliance do not have enough permissions to fetch the metadata.

+#### Recommended Action

+

+- Ensure that the guest credentials provided on the appliance have [required permissions](migrate-support-matrix-physical.md#physical-server-requirements).

+- If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 60005: SSHOperationTimeout

+#### Cause

+The operation took longer than expected either due to network latency issues or due to the lack of latest updates on Linux server.

+#### Recommended Action

+- Ensure that the impacted server has the latest kernel and OS updates installed.

+- Ensure that there is no network latency between the appliance and the server. It is recommended to have the appliance and source server on the same domain to avoid latency issues.

+- Connect to the impacted server from the appliance and run the commands documented here to check if they return null or empty data.

+- If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 60006: ServerAccessDenied

+#### Cause

+The operation could not be completed due to forbidden access on the server. The guest credentials provided do not have enough permissions to access the servers.

+### Error Code: 60011: ServerWindowsWMICallFailed

+#### Cause

+WMI call failed due to WMI service failure. This might be a transient error, if the server is unreachable due to network issue or in case of physical sever the server might be switched off.

+#### Recommended Action

+- Ensure WinRM is running and the server is reachable from the appliance VM.

+- Ensure that the server is switched on.

+- For troubleshooting with physical servers, follow the [instructions](migrate-support-matrix-physical.md#physical-server-requirements).

+- If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 10004: CredentialNotProvidedForGuestOSType

+#### Cause

+The credentials for the server OS type weren't added on the appliance.

+#### Recommended Action

+- Ensure that you add the credentials for the OS type of the affected server on the appliance.

+- You can now add multiple server credentials on the appliance.

+### Error Code: 751: Unable to connect to Server

+#### Cause

+Unable to connect to the server due to connectivity issues.

+#### Recommended Action

+Resolve the connectivity issue mentioned in the error message.

+### Error Code: 754: Performance Data not available

+#### Cause

+Azure Migrate is unable to collect performance data if the vCentre is not configured to give out the performance data.

+#### Recommended Action

+Configure the statistics level on VCentre server to 3 to make the performance data available. Wait for a day before running the assessment for the data to populate.

+### Error Code: 757: Virtual Machine not found

+#### Cause

+The Azure Migrate service is unable to locate the specified virtual machine. This may occur if the virtual machine has been deleted by the administrator on the VMware environment.

+#### Recommended Action

+Verify that the virtual machine still exists in the VMware environment.

+### Error Code: 758: Request timeout while fetching Performance data

+#### Cause

+Azure Migrate assessment service is unable to retrieve performance data. This could happen if the vCenter server is not reachable.

+#### Recommended Action

+- Verify the vCenter server credentials are correct.

+- Ensure that the server is reachable before attempting to retrieve performance data again.

+- If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 760: Unable to get Performance counters

+#### Cause

+Azure Migrate assessment service is unable to retrieve performance counters. This can happen due to multiple reasons. Check the error message to find the exact reason.

+#### Recommended Action

+- Ensure that you resolve the error flagged in the error message.

+- If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 8002: Virtual Machine could not be found

+#### Cause

+Azure Migrate discovery service could not find the virtual machine. This could happen if the virtual machine is deleted or its UUID has changed.

+#### Recommended Action

+- Ensure that the on-premises virtual machine exists and then restart the job.

+- If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+### Error Code: 9003: Operating system type running on the server isn't supported.

+#### Cause

+The operating system running on the server isn't Windows or Linux.

+#### Recommended Action

+Only Windows and Linux OS types are supported. If the server is running Windows or Linux OS, check the operating system type specified in vCenter Server.

+### Error Code: 9004: Server isn't in a running state.

+#### Cause

+The server is in a powered-off state.

+#### Recommended Action

+Ensure that the server is in a running state.

+### Error Code: 9010: The server is powered off.

+#### Cause

+The server is in a powered-off state.

+#### Recommended Action

+Ensure that the server is in a running state.

+### Error Code: 9014: Unable to retrieve the file containing the discovered metadata because of an error encountered on the ESXi host

+#### Cause

+The error details will be mentioned with the error.

+#### Recommended Action

+Ensure that port 443 is open on the ESXi host on which the server is running. Learn more on how to remediate the issue.

+### Error Code: 9015: The vCenter Server user account provided for server discovery doesn't have guest operations privileges enabled.

+#### Cause

+The required privileges of guest operations haven't been enabled on the vCenter Server user account.

+#### Recommended Action

+Ensure that the vCenter Server user account has privileges enabled for **Virtual Machines** > **Guest Operations** to interact with the server and pull the required data. Learn more on how to set up the vCenter Server account with required privileges.

+### Error Code: 9022: The access is denied to run the Get-WmiObject cmdlet on the server.

+#### Cause

+The role associated with the credentials provided on the appliance or a group policy on-premises is restricting access to the WMI object. You encounter this issue when you try the following credentials on the server: `FriendlyNameOfCredentials`.

+#### Recommended Action

+Check if the credentials provided on the appliance have created file administrator privileges and have WMI enabled.<br/><br/> If the credentials on the appliance don't have the required permissions, either provide another set of credentials or edit an existing one. (Find the friendly name of the credentials tried by Azure Migrate in the possible causes.) <br/><br/> [Learn more](tutorial-discover-vmware.md#prepare-vmware) on how to remediate the issue.

+This section helps on fixing the following assessment readiness issues.

+### Issue: Unsupported boot type

+#### Fix

+Azure does not support UEFI boot type for VMs with the Windows Server 2003/Windows Server 2003 R2/Windows Server 2008/Windows Server 2008 R2 operating systems. Check the list of operating systems that support UEFI-based machines [here](./common-questions-server-migration.md#which-operating-systems-are-supported-for-migration-of-uefi-based-machines-to-azure).

+### Issue: Conditionally supported Windows operating system

+#### Fix

+The operating system has passed its end-of-support date and needs a Custom Support Agreement for [support in Azure](/troubleshoot/azure/virtual-machines/server-software-support). Consider upgrading before you migrate to Azure. Review information about [preparing servers running Windows Server 2003](prepare-windows-server-2003-migration.md) for migration to Azure.

+### Issue: Unsupported Windows operating system

+#### Fix

+Azure supports only [selected Windows OS versions](/troubleshoot/azure/virtual-machines/server-software-support). Consider upgrading the server before you migrate to Azure.

+### Issue: Conditionally endorsed Linux OS

+#### Fix

+Azure endorses only [selected Linux OS versions](../virtual-machines/linux/endorsed-distros.md). Consider upgrading the server before you migrate to Azure.

+### Issue: Unendorsed Linux OS

+#### Fix

+The server might start in Azure, but Azure provides no operating system support. Consider upgrading to an [endorsed Linux version](../virtual-machines/linux/endorsed-distros.md) before you migrate to Azure.

+### Issue: Unknown operating system

+#### Fix

+The operating system of the VM was specified as **Other** in vCenter Server or could not be identified as a known OS in Azure Migrate. This behavior blocks Azure Migrate from verifying the Azure readiness of the VM. Ensure that the operating system is [supported](./migrate-support-matrix-vmware-migration.md#azure-vm-requirements) by Azure before you migrate the server.

+### Issue: Unsupported bit version

+#### Fix

+VMs with a 32-bit operating system might boot in Azure, but we recommend that you upgrade to 64-bit before you migrate to Azure.

+### Issue: Requires a Microsoft Visual Studio subscription

+#### Fix

+The server is running a Windows client operating system, which is supported only through a Visual Studio subscription.

+### Issue: VM not found for the required storage performance

+#### Fix

+The storage performance (input/output operations per second (IOPS) and throughput) required for the server exceeds Azure VM support. Reduce storage requirements for the server before migration.

+### Issue: VM not found for the required network performance

+#### Fix

+The network performance (in/out) required for the server exceeds Azure VM support. Reduce the networking requirements for the server.

+### Issue: VM not found in the specified location

+#### Fix

+Use a different target location before migration.

+### Issue: One or more unsuitable disks

+#### Fix

+One or more disks attached to the VM don't meet Azure requirements.<br><br> Azure Migrate: Discovery and assessment assess the disks based on the disk limits for Ultra disks (64 TB).<br><br> For each disk attached to the VM, make sure that the size of the disk is < 64 TB (supported by Ultra SSD disks).<br><br> If it isn't, reduce the disk size before you migrate to Azure, or use multiple disks in Azure and [stripe them together](../virtual-machines/premium-storage-performance.md#disk-striping) to get higher storage limits. Make sure that the performance (IOPS and throughput) needed by each disk is supported by [Azure managed virtual machine disks](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-storage-limits).

+### Issue: One or more unsuitable network adapters

+#### Fix

+Remove unused network adapters from the server before migration.

+### Issue: Disk count exceeds limit

+#### Fix

+Remove unused disks from the server before migration.

+### Issue: Disk size exceeds limit

+#### Fix

+Azure Migrate: Discovery and assessment support disks with up to 64 TB size (Ultra disks). Shrink disks to less than 64 TB before migration, or use multiple disks in Azure and [stripe them together](../virtual-machines/premium-storage-performance.md#disk-striping) to get higher storage limits.

+### Issue: Disk unavailable in the specified location

+#### Fix

+Make sure the disk is in your target location before you migrate.

+### Issue: Disk unavailable for the specified redundancy

+#### Fix

+The disk should use the redundancy storage type defined in the assessment settings (LRS by default).

+### Issue: Couldn't determine disk suitability because of an internal error

+#### Fix

+Try creating a new assessment for the group.

+### Issue: VM with required cores and memory not found

+#### Fix

+Azure couldn't find a suitable VM type. Reduce the memory and number of cores of the on-premises server before you migrate.

+### Issue: Couldn't determine VM suitability because of an internal error

+#### Fix

+Try creating a new assessment for the group.

+### Issue: Couldn't determine suitability for one or more disks because of an internal error

+#### Fix

+Try creating a new assessment for the group.

+### Issue: Couldn't determine suitability for one or more network adapters because of an internal error

+#### Fix

+Try creating a new assessment for the group.

+### Issue: No VM size found for offer currency Reserved Instance (RI)

+#### Fix

+Server marked not suitable because the VM size wasn't found for the selected combination of RI, offer, and currency. Edit the assessment properties to choose the valid combinations and recalculate the assessment.

+## Azure VMware Solution (AVS) assessment readiness issues

+This section provides help for fixing the following assessment readiness issues.

+### Issue: Unsupported IPv6

+#### Fix

+Only applicable to Azure VMware Solution assessments. Azure VMware Solution doesn't support IPv6 internet addresses. Contact the Azure VMware Solution team for remediation guidance if your server is detected with IPv6.

+### Issue: Unsupported OS

+#### Fix

+Support for certain Operating System versions has been deprecated by VMware and the assessment recommends you to upgrade the operating system before migrating to Azure VMware Solution. [Learn more](https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software).

+Here, typical App Service assessment errors are summarized.

+### Error: Application pool check

+#### Cause

+The IIS site is using the following application pools: {0}.

+#### Recommended Action

+Azure App Service doesn't support more than one application pool configuration per App Service application. Move the workloads to a single application pool and remove other application pools.

+### Error: Application pool identity check

+#### Cause

+The site's application pool is running as an unsupported user identity type: {0}.

+#### Recommended Action

+App Service doesn't support using the LocalSystem or SpecificUser application pool identity types. Set the application pool to run as ApplicationPoolIdentity.

+### Error: Authorization check

+#### Cause

+The following unsupported authentication types were found: {0}.

+#### Recommended Action

+App Service supported authentication types and configuration are different from on-premises IIS. Disable the unsupported authentication types on the site. After the migration is complete, it will be possible to configure the site by using one of the App Services supported authentication types.

+### Error: Authorization check unknown

+#### Cause

+Unable to determine enabled authentication types for all of the site configuration.

+#### Recommended Action

+Unable to determine authentication types. Fix all configuration errors and confirm that all site content locations are accessible to the administrator's group.

+### Error: Configuration error check

+#### Cause

+The following configuration errors were found: {0}.

+#### Recommended Action

+Migration readiness can't be determined without reading all applicable configuration. Fix all configuration errors. Make sure configuration is valid and accessible.

+### Error: Content size check

+#### Cause

+The site content appears to be greater than the maximum allowed of 2 GB for successful migration.

+#### Recommended Action

+For successful migration, site content should be less than 2 GB. Evaluate if the site could switch to using non-file-system-based storage options for static content, such as Azure Storage.

+### Error: Content size check unknown

+#### Cause

+File content size couldn't be determined, which usually indicates an access issue.

+#### Recommended Action

+Content must be accessible to migrate the site. Confirm that the site isn't using UNC shares for content and that all site content locations are accessible to the administrator's group.

+### Error: Global module check

+#### Cause

+The following unsupported global modules were detected: {0}.

+#### Recommended Action

+App Service supports limited global modules. Remove the unsupported modules from the GlobalModules section, along with all associated configuration.

+### Error: ISAPI filter check

+#### Cause

+The following unsupported ISAPI filters were detected: {0}.

+#### Recommended Action

+Automatic configuration of custom ISAPI filters isn't supported. Remove the unsupported ISAPI filters.

+### Error: ISAPI filter check unknown

+#### Cause

+Unable to determine ISAPI filters present for all of the site configuration.

+#### Recommended Action

+Automatic configuration of custom ISAPI filters isn't supported. Fix all configuration errors and confirm that all site content locations are accessible to the administrator's group.

+### Error: Location tag check

+#### Cause

+The following location paths were found in the applicationHost.config file: {0}.

+#### Recommended Action

+The migration method doesn't support moving location path configuration in applicationHost.config. Move the location path configuration to either the site's root web.config file or to a web.config file associated with the specific application to which it applies.

+### Error: Protocol check

+#### Cause

+Bindings were found by using the following unsupported protocols: {0}.

+#### Recommended Action

+App Service only supports the HTTP and HTTPS protocols. Remove the bindings with protocols that aren't HTTP or HTTPS.

+### Error: Virtual directory check

+#### Cause

+The following virtual directories are hosted on UNC shares: {0}.

+#### Recommended Action

+Migration doesn't support migrating site content hosted on UNC shares. Move content to a local file path or consider changing to a non-file-system-based storage option, such as Azure Storage. If you use shared configuration, disable shared configuration for the server before you modify the content paths.

+### Error: HTTPS binding check

+#### Cause

+The application uses HTTPS.

+#### Recommended Action

+More manual steps are required for HTTPS configuration in App Service. Other post-migration steps are required to associate certificates with the App Service site.

+### Error: TCP port check

+#### Cause

+Bindings were found on the following unsupported ports: {0}.

+#### Recommended Action

+App Service supports only ports 80 and 443. Clients making requests to the site should update the port in their requests to use 80 or 443.

+### Error: Framework check

+#### Cause

+The following non-.NET frameworks or unsupported .NET framework versions were detected as possibly in use by this site: {0}.

+#### Recommended Action

+Migration doesn't validate the framework for non-.NET sites. App Service supports multiple frameworks, but these have different migration options. Confirm that the non-.NET frameworks aren't being used by the site, or consider using an alternate migration option.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription (RHEL and SLES). Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription (RHEL and SLES). If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions (RHEL and SLES), you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription (RHEL and SLES). Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+- Public preview: Envision savings with Azure Hybrid Benefits by bringing your existing Enterprise Linux subscriptions (RHEL and SLES) to Azure using Azure VM assessments and business case.

+- `audit_log_include_users`: MySQL users to be included for logging. The default value for this parameter is empty, which will include all the users for logging. This has higher priority over `audit_log_exclude_users`. Max length of the parameter is 512 characters. For example, wildcard value of `dev*` includes all the users with entries starting with keyword `dev` like "dev1,dev_user,dev_2". Another example for wildcard entry for including user is `*dev` in this example, all users ending with value "dev" like "stage_dev,prod_dev,user_dev" are included in the audit log entries. Additionally, the use of a question mark `(?)` as a wildcard character is permitted in patterns.

+- `audit_log_exclude_users`: MySQL users to be excluded from logging. The Max length of the parameter is 512 characters. Wildcard entries for user are also accepted to exclude users in audit logs. For example, wildcard value of `stage*` excludes all the users with entries starting with keyword `stage` like "stage1,stage_user,stage_2". Another example for wildcard entry for excluding user is `*com` in this example, all users ending with value `com` will be excluded from the audit log entries. Additionally, the use of a question mark `(?)` as a wildcard character is permitted in patterns.

+| `CONNECTION` | - Connection initiation<br />- Connection termination |

+| `CONNECTION_V2` | - Connection initiation (successful or unsuccessful attempt error code)<br />- Connection termination<br /> |

+| `status_d` | Connection [Error code](https://dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html) entry for CONNECTIONS_V2 event. |

+- List CONNECTION_V2 events on a particular server, `status_d` column denotes the client connection [error code](https://dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html) faced by the client application while connecting.

+ ```kusto

+ AzureDiagnostics

+ | where Resource == '<your server name>' //Server name must be in Upper case

+ | where Category == 'MySqlAuditLogs' and event_subclass_s == "CONNECT"

+ | project TimeGenerated, Resource, event_class_s, event_subclass_s, user_s, ip_s, status_d

+ | order by TimeGenerated asc nulls last

+ ```

+## February 2024

+- **Audit logs now supports wild card entries**

+ The server parameters now supports wildcards in `audit_log_include_users` and `audit_log_exclude_users`, enhancing flexibility for specifying user inclusions and exclusions in audit logs. [Learn more](./concepts-audit-logs.md#configure-audit-logging)

+- **Enhanced Audit Logging with CONNECTION_V2 for Comprehensive MySQL User Audits**

+

+ Server parameter [audit_log_events](./concepts-audit-logs.md#configure-audit-logging) now supports event CONNECTION_V2 for detailed connection logs, providing insights into user audits, connection status, and [error codes in MySQL](https://dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html) interactions.[Learn more](./concepts-audit-logs.md#analyze-logs-in-azure-monitor-logs)

+| **Region name** |**Current Gateway IP address**| **Gateway IP address subnets** |

+|:-|:--|:--|

+| Australia Central | 20.36.105.32 | 20.36.105.32/29, 20.53.48.96/27 |

+| Australia Central2 | 20.36.113.32 | 20.36.113.32/29, 20.53.56.32/27 |

+| Australia East | 13.70.112.32 | 13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29, 40.79.160.32/29, 20.53.46.128/27 |

+| Australia South East |13.77.49.33 |3.77.49.32/29, 104.46.179.160/27|

+| Brazil South | 191.233.201.8, 191.233.200.16 | 191.234.153.32/27, 191.234.152.32/27, 191.234.157.136/29, 191.233.200.32/29, 191.234.144.32/29, 191.234.142.160/27|

+|Brazil Southeast|191.233.48.2|191.233.48.32/29, 191.233.15.160/27|

+| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29, 20.48.196.32/27|

+| Canada East |40.69.105.32 | 40.69.105.32/29, 52.139.106.192/27 |

+| Central US | 52.182.136.37, 52.182.136.38 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29, 20.40.228.128/27|

+| China East | 52.130.112.139 | 52.130.112.136/29, 52.130.13.96/2752.130.112.136/29, 52.130.13.96/27|

+| China East 2 | 40.73.82.1, 52.130.120.89 | 52.130.120.88/29, 52.130.7.0/27|

+| China North | 52.130.128.89| 52.130.128.88/29, 40.72.77.128/27 |

+| China North 2 |40.73.50.0 | 52.130.40.64/29, 52.130.21.160/27|

+| East Asia |13.75.33.20, 13.75.33.21 | 20.205.77.176/29, 20.205.83.224/29, 20.205.77.200/29, 13.75.32.192/29, 13.75.33.192/29, 20.195.72.32/27|

+| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29, 20.62.132.160/27|

+| East US 2 |52.167.105.38, 40.70.144.38| 104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29, 20.62.58.128/27|

+| France Central |40.79.129.1 | 40.79.128.32/29, 40.79.136.32/29, 40.79.144.32/29, 20.43.47.192/27 |

+| France South |40.79.176.40 | 40.79.176.40/29, 40.79.177.32/29, 52.136.185.0/27|

+| Germany North| 51.116.56.0| 51.116.57.32/29, 51.116.54.96/27|

+| Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29, 51.116.149.32/27|

+| India Central |20.192.96.33 | 40.80.48.32/29, 104.211.86.32/29, 20.192.96.32/29, 20.192.43.160/27|

+| India South | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29, 52.172.113.96/27|

+| India West | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29, 52.136.53.160/27|

+| Japan East | 40.79.184.8, 40.79.192.23| 13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29, 20.191.165.160/27 |

+| Japan West |40.74.96.6| 20.18.179.192/29, 40.74.96.32/29, 20.189.225.160/27 |

+| Jio India Central| 20.192.233.32|20.192.233.32/29, 20.192.48.32/27|

+| Jio India West|20.193.200.32|20.193.200.32/29, 20.192.167.224/27|

+| Korea Central | 52.231.17.13 | 20.194.64.32/29, 20.44.24.32/29, 52.231.16.32/29, 20.194.73.64/27|

+| Korea South |52.231.145.3| 52.231.151.96/27, 52.231.151.88/29, 52.231.145.0/29, 52.147.112.160/27 |

+| North Central US | 52.162.104.35, 52.162.104.36 | 52.162.105.200/29, 20.125.171.192/29, 52.162.105.192/29, 20.49.119.32/27|

+| North Europe |52.138.224.6, 52.138.224.7 |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29, 52.146.133.128/27 |

+|Norway East|51.120.96.0|51.120.208.32/29, 51.120.104.32/29, 51.120.96.32/29, 51.120.232.192/27|

+|Norway West|51.120.216.0|51.120.217.32/29, 51.13.136.224/27|

+| South Africa North | 102.133.152.0 | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29, 102.133.221.224/27 |

+| South Africa West |102.133.24.0 | 102.133.25.32/29, 102.37.80.96/27|

+| South Central US | 20.45.120.0 |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29, 20.65.132.160/27|

+| South East Asia | 23.98.80.12, 40.78.233.2|13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29, 20.195.65.32/27 |

+| Sweden Central|51.12.96.32|51.12.96.32/29, 51.12.232.32/29, 51.12.224.32/29, 51.12.46.32/27|

+| Sweden South|51.12.200.32|51.12.201.32/29, 51.12.200.32/29, 51.12.198.32/27|

+| Switzerland North |51.107.56.0 |51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27|

+| Switzerland West | 51.107.152.0| 51.107.153.32/29, 51.107.250.64/27|

+| UAE Central | 20.37.72.64| 20.37.72.96/29, 20.37.73.96/29, 20.37.71.64/27 |

+| UAE North |65.52.248.0 |20.38.152.24/29, 40.120.72.32/29, 65.52.248.32/29, 20.38.143.64/27 |

+| UK South | 51.105.64.0|51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29, 51.143.209.224/27|

+| UK West |51.140.208.98 |51.140.208.96/29, 51.140.209.32/29, 20.58.66.128/27 |

+| West Central US |13.71.193.34 | 13.71.193.32/29, 20.69.0.32/27 |

+| West Europe | 13.69.105.208,104.40.169.187|104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29, 20.61.99.192/27|

+| West US |13.86.216.212, 13.86.217.212 |20.168.163.192/29, 13.86.217.224/29, 20.66.3.64/27|

+| West US 2 | 13.66.136.192 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29, 20.51.9.128/27|

+| West US 3 |20.150.184.2 | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29, 20.150.241.128/27 |

+The Cluster upgrade is in-progress when detailedStatus is set to `Updating` and detailedStatusMessage shows the progress of upgrade. Some examples of upgrade progress shown in detailedStatusMessage are `Waiting for control plane upgrade to complete...`, `Waiting for nodepool "<rack-id>" to finish upgrading...`, etc.

+The Cluster upgrade is complete when detailedStatus is set to `Running` and detailedStatusMessage shows message `Cluster is up and running`

+We can identify when this is the case by looking at the Cluster's logs, detailed message, and detailed status message. If a timeout has occurred, we would observe that the Cluster is continuously reconciling over the same indefinitely and not moving forward. From here, we recommend checking Cluster logs or configured LAW, to see if there's a failure, or a specific upgrade that is causing the lack of progress.

+View the status of the cluster on the portal, or via the Azure CLI:

+The Cluster deployment is in-progress when detailedStatus is set to `Deploying` and detailedStatusMessage shows the progress of deployment.

+Some examples of deployment progress shown in detailedStatusMessage are `Hardware validation is in progress.` (if cluster is deployed with hardware validation) ,`Cluster is bootstrapping.`, `KCP initialization in progress.`, `Management plane deployment in progress.`, `Cluster extension deployment in progress.`, `waiting for "<rack-ids>" to be ready`, etc.

+- `install.sh`: Install Azure Monitoring Agent on each VM to collect monitoring data from Azure Virtual Machines.

+#### Install Azure monitoring agent

+Use the included **`install.sh`** which creates a Kubernetes daemonSet on the Nexus Kubernetes cluster.

+It deploys a pod to each cluster node and installs the Azure Monitoring Agent (AMA).

+> [!NOTE]

+> To install Azure Monitoring Agent, you must first Arc connect the Nexus Kubernetes cluster VMs. This process is automated if you are using the latest version bundle. However, if the version bundle you use does not support cluster VM Arc enrollment by default, you will need to upgrade your cluster to the latest version bundle. For more information about the version bundle, please refer [Nexus Kubernetes cluster supported versions](reference-nexus-kubernetes-cluster-supported-versions.md)

+ --cluster-type connectedClusters

+| 1.25.6 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.25.11 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.26.3 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.26.6 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.27.1 | 4 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.27.3 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+| 1.28.0 | 2 | Calico v3.26.1<br>metrics-server v0.6.3<br>Multus v3.8.0<br>azure-arc-servers v1.0.0<br>CoreDNS v1.9.3<br>etcd v3.5.6-5<br>sriov-dp v3.7.0-48 | Azure Linux 2.0 | No breaking changes | Cluster nodes are Azure Arc-enabled |

+Azure private MEC solution partners include technology partners, application independent software vendors (ISVs), and system integrators.

+- **System Integrators and Operators** are responsible for planning, deployment, and operation of a customerΓÇÖs Azure private MEC implementation. These providers bring assets and expertise such as spectrum, radio frequency (RF) planning, installation, maintenance, and support. System Integrators and Operators enable customers to rapidly deploy the Azure private MEC solution without requiring in-house expertise in complexities surrounding mobile network technologies.

+Networking independent software vendor (ISV) partners include software vendors that provide network functions such as firewalls and SD-WAN. The breadth of third-party network functions available enable customers to securely integrate the Azure private MEC solution into their existing edge and cloud environments. The Azure private MEC current network function partners include:

+|[Trend Micro](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/trendmicro.mobile-network-security?tab=Overview) | [VMware SD-WAN by Velocloud](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/vmware-inc.vmware_sdwan_edge_zones?exp=ubp8&tab=Overview) |

+Microsoft partners with Application ISVs to make their software available through the Azure Marketplace. Our ISV partners use a combination of private 5G and edge compute capabilities to create new experiences for customers.

+- [Fractal Analytics](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/neal_analytics.stockview-retail?tab=Overview)

+- [Glartek](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/glarevisionsa1698227199975.glartek?tab=Overview)

+- [inVia Robotics](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/inviaroboticsinc1629911110634.inviarobotics1?tab=Overview)

+- [Nsion](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/nsionltd1591969784743.nsc3_saas?tab=Overview)

+- [MEEP](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/eepadvancedenterprisecommunicationltd1676190998651.synch-ptt?tab=overview)

+- [Scenera](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/scenerainc1695952178961.scenera-maistro-saas-1?tab=Overview)

+- [Trilogy Networks](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/trilogynetworksinc1688507869081.farmgrid-preview?tab=Overview&flightCodes=dec2dcd1-ef23-41d8-bf58-ce0c9d9b17c1)

+- [Unmanned Life](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/unmanned_life.robot-orchestration?tab=Overview)

+- [Zebra](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/zebratechnologiescorporation1702409620263.offer_2?tab=Overview)

+||Spain Central* ||||

+>[!IMPORTANT]

+>Today, Microsoft Purview doesn't support automated disaster recovery. Until that support is added, you're responsible to take care of backup and restore activities. You can manually create a secondary Microsoft Purview account as a warm standby instance in another region.

+To implement disaster recovery for Microsoft Purview, see the [Microsoft Purview disaster recovery documentation.](/purview/disaster-recovery)

+ Title: Deploy SAP dialog instances with SAP ASCS/SCS high-availability VMs on RHEL | Microsoft Docs

+description: Configure SAP dialog instances on SAP ASCS/SCS high-availability VMs on RHEL.

+# Deploy SAP dialog instances with SAP ASCS/SCS high-availability VMs on RHEL

+This article describes how to install and configure Primary Application Server (PAS) and Additional Application Server (AAS) dialog instances on the same ABAP SAP Central Services (ASCS)/SAP Central Services (SCS) high-availability cluster running on Red Hat Enterprise Linux (RHEL).

+ * A list of Azure virtual machine (VM) sizes that are supported for the deployment of SAP software.

+ * Important capacity information for Azure VM sizes.

+ * Supported SAP software and operating system (OS) and database combinations.

+ * Required SAP kernel version for Windows and Linux on Azure.

+* SAP Note [2002167](https://launchpad.support.sap.com/#/notes/2002167) lists the recommended OS settings for Red Hat Enterprise Linux 7.x.

+* SAP Note [2772999](https://launchpad.support.sap.com/#/notes/2772999) lists the recommended OS settings for Red Hat Enterprise Linux 8.x.

+* SAP Note [2009879](https://launchpad.support.sap.com/#/notes/2009879) has SAP HANA guidelines for Red Hat Enterprise Linux.

+* SAP Note [1999351](https://launchpad.support.sap.com/#/notes/1999351) has more troubleshooting information for the Azure Enhanced Monitoring Extension for SAP.

+* [SAP Netweaver in Pacemaker cluster](https://access.redhat.com/articles/3150081)

+* General RHEL documentation:

+ * [High-Availability Add-On Overview](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_overview/index)

+ * [High-Availability Add-On Administration](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_administration/index)

+ * [High-Availability Add-On Reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/index)

+ * [Support Policies for RHEL High-Availability Clusters - Microsoft Azure Virtual Machines as Cluster Members](https://access.redhat.com/articles/3131341)

+This article describes the cost optimization scenario where you deploy PAS and AAS dialog instances with SAP ASCS/SCS and Enqueue Replication Server (ERS) instances in a high-availability setup. To minimize the number of VMs for a single SAP system, you want to install PAS and AAS on the same host where SAP ASCS/SCS and SAP ERS are running. With SAP ASCS/SCS being configured in a high-availability cluster setup, you want PAS and AAS also to be managed by cluster. The configuration is basically an addition to an already configured SAP ASCS/SCS cluster setup. In this setup, PAS and AAS are installed on a virtual host name, and its instance directory is managed by the cluster.

+For this setup, PAS and AAS require a highly available instance directory (`/usr/sap/<SID>/D<nr>`). You can place the instance directory file system on the same high-available storage that you used for ASCS and ERS instance configuration. The presented architecture showcases [NFS on Azure Files](../../storage/files/files-nfs-protocol.md) or [Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-introduction.md) for a highly available instance directory for the setup.

+The example shown in this article to describe deployment uses the following system information:

+| Instance name | Instance number | Virtual host name | Virtual IP (Probe port) |

+> Install more SAP application instances on separate VMs if you want to scale out.

+

+### Important considerations for the cost-optimization solution

+* Only two dialog instances, PAS and one AAS, can be deployed with an SAP ASCS/SCS cluster setup.

+* If you want to scale out your SAP system with more application servers (like **sapa03** and **sapa04**), you can install them in separate VMs. With PAS and AAS being installed on virtual host names, you can install more application servers by using either a physical or virtual host name in separate VMs. To learn more about how to assign a virtual host name to a VM, see the blog [Use SAP Virtual Host Names with Linux in Azure](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/use-sap-virtual-host-names-with-linux-in-azure/ba-p/3251593).

+* With a PAS and AAS deployment with an SAP ASCS/SCS cluster setup, the instance numbers of ASCS, ERS, PAS, and AAS must be different.

+* Consider sizing your VM SKUs appropriately based on the sizing guidelines. You must factor in the cluster behavior where multiple SAP instances (ASCS, ERS, PAS, and AAS) might run on a single VM when another VM in the cluster is unavailable.

+* The dialog instances (PAS and AAS) running with an SAP ASCS/SCS cluster setup must be installed by using a virtual host name.

+* You also must use the same storage solution of the SAP ASCS/SCS cluster setup to deploy PAS and AAS instances. For example, if you configured an SAP ASCS/SCS cluster by using NFS on Azure Files, the same storage solution must be used to deploy PAS and AAS.

+* The instance directory `/usr/sap/<SID>/D<nr>` of PAS and AAS must be mounted on an NFS file system and are managed as a resource by the cluster.

+* To install more application servers on separate VMs, you can either use NFS shares or a local managed disk for an instance directory file system. If you're installing more application servers for an SAP J2EE system, `/usr/sap/<SID>/J<nr>` on NFS on Azure Files isn't supported.

+* In a traditional SAP ASCS/SCS high-availability configuration, application server instances running on separate VMs aren't affected when there's any effect on SAP ASCS and ERS cluster nodes. But with the cost-optimization configuration, either the PAS or AAS instance restarts when there's an effect on one of the nodes in the cluster.

+* See [NFS on Azure Files considerations](high-availability-guide-rhel-nfs-azure-files.md#important-considerations-for-nfs-on-azure-files-shares) and [Azure NetApp Files considerations](high-availability-guide-rhel-netapp-files.md#important-considerations) because the same considerations apply to this setup.

+## Prerequisites

+The configuration described in this article is an addition to your already configured SAP ASCS/SCS cluster setup. In this configuration, PAS and AAS are installed on a virtual host name, and its instance directory is managed by the cluster. Based on your storage, use the steps described in the following articles to configure the `SAPInstance` resource for the SAP ASCS and SAP ERS instance in the cluster.

+* **NFS on Azure Files**: [Azure VMs high availability for SAP NW on RHEL with NFS on Azure Files](high-availability-guide-rhel-nfs-azure-files.md)

+* **Azure NetApp Files**: [Azure VMs high availability for SAP NW on RHEL with Azure NetApp Files](high-availability-guide-rhel-netapp-files.md)

+After you install the **ASCS**, **ERS**, and **Database** instance by using Software Provisioning Manager (SWPM), follow the next steps to install the PAS and AAS instances.

+This article assumes that you already configured the load balancer for the SAP ASCS/SCS cluster setup as described in [Configure Azure Load Balancer](./high-availability-guide-rhel-nfs-azure-files.md#configure-azure-load-balancer). In the same Azure Load Balancer instance, follow these steps to create more front-end IPs and load-balancing rules for PAS and AAS.

+1. Open the internal load balancer that was created for the SAP ASCS/SCS cluster setup.

+1. **Frontend IP Configuration**: Create two front-end IPs, one for PAS and another for AAS (for example, **10.90.90.30** and **10.90.90.31**).

+1. **Backend Pool**: This pool remains the same because we're deploying PAS and AAS on the same back-end pool.

+1. **Inbound rules**: Create two load-balancing rules, one for PAS and another for AAS. Follow the same steps for both load-balancing rules.

+1. **Frontend IP address**: Select the front-end IP.

+ 1. **Backend pool**: Select the back-end pool.

+ 1. **High availability ports**: Select this option.

+ 1. **Protocol**: Select **TCP**.

+ 1. **Health Probe**: Create a health probe with the following details (applies for both PAS and AAS):

+ 1. **Protocol**: Select **TCP**.

+ 1. **Port**: For example, **620<Instance-no.>** for PAS and **620<Instance-no.>** for AAS.

+ 1. **Interval**: Enter **5**.

+ 1. **Probe Threshold**: Enter **2**.

+ 1. **Idle timeout (minutes)**: Enter **30**.

+ 1. **Enable Floating IP**: Select this option.

+The health probe configuration property `numberOfProbes`, otherwise known as **Unhealthy threshold** in the Azure portal, isn't respected. To control the number of successful or failed consecutive probes, set the property `probeThreshold` to `2`. It's currently not possible to set this property by using the Azure portal. Use either the [Azure CLI](/cli/azure/network/lb/probe) or the [PowerShell](/powershell/module/az.network/new-azloadbalancerprobeconfig) command.

+> Floating IP isn't supported on a NIC secondary IP configuration in load-balancing scenarios. For more information, see [Azure Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need more IP addresses for the VMs, deploy a second NIC.

+When VMs without public IP addresses are placed in the back-end pool of an internal (no public IP address) Standard Azure Load Balancer instance, there's no outbound internet connectivity unless more configuration is performed to allow routing to public endpoints. For steps on how to achieve outbound connectivity, see [Public endpoint connectivity for virtual machines using Azure Standard Load Balancer in SAP high-availability scenarios](high-availability-guide-standard-load-balancer-outbound-connections.md).

+> Don't enable TCP timestamps on Azure VMs placed behind Azure Load Balancer. Enabling TCP timestamps causes the health probes to fail. Set the parameter `net.ipv4.tcp_timestamps` to `0`. For more information, see [Load Balancer health probes](../../load-balancer/load-balancer-custom-probe-overview.md).

+When steps in this document are marked with the following prefixes, they mean:

+- **[A]**: Applicable to all nodes.

+- **[1]**: Only applicable to node 1.

+- **[2]**: Only applicable to node 2.

+1. **[A]** Set up host name resolution.

+ You can either use a DNS server or modify `/etc/hosts` on all nodes. This example shows how to use the `/etc/hosts` file. Replace the IP address and the host name in the following commands:

+1. **[1]** Create the SAP directories on the NFS share. Mount the NFS share **sapnw1** temporarily on one of the VMs, and create the SAP directories to be used as nested mount points.

+ 1. If you're using NFS on Azure Files:

+ 1. If you're using Azure NetApp Files:

+1. **[A]** Create the shared directories.

+1. **[A]** Configure swap space. When you install a dialog instance with central services, you must configure more swap space.

+1. **[A]** Add firewall rules for PAS and AAS.

+## Install an SAP Netweaver PAS instance

+1. **[1]** Check the status of the cluster. Before you configure a PAS resource for installation, make sure the ASCS and ERS resources are configured and started.

+1. **[1]** Create file system, virtual IP, and health probe resources for the PAS instance.

+ Make sure that the cluster status is okay and that all resources are started. It isn't important on which node the resources are running.

+1. **[1]** Change the ownership of the `/usr/sap/SID/D02` folder after the file system is mounted.

+1. **[1]** Install the SAP Netweaver PAS.

+ Install the SAP NetWeaver PAS as a root on the first node by using a virtual host name that maps to the IP address of the load balancer front-end configuration for the PAS. For example, use **sappas**, **10.90.90.30**, and the instance number that you used for the probe of the load balancer, for example **02**.

+ You can use the sapinst parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to sapinst.

+1. Update the `/usr/sap/sapservices` file.

+ To prevent the start of the instances by the sapinit startup script, all instances managed by Pacemaker must be commented out from the `/usr/sap/sapservices` file.

+1. **[1]** Create the PAS cluster resource.

+ Check the status of the cluster.

+1. Configure a constraint to start the PAS resource group only after the ASCS instance is started.

+## Install an SAP Netweaver AAS instance

+1. **[2]** Check the status of the cluster. Before you configure an AAS resource for installation, make sure the ASCS, ERS, and PAS resources are started.

+1. **[2]** Create file system, virtual IP, and health probe resources for the AAS instance.

+ Make sure that the cluster status is okay and that all resources are started. It isn't important on which node the resources are running. Because the g-NW1_PAS resource group is stopped, all the PAS resources are stopped in the (disabled) state.

+1. **[2]** Change the ownership of the `/usr/sap/SID/D03` folder after the file system is mounted.

+1. **[2]** Install an SAP Netweaver AAS.

+ Install an SAP NetWeaver AAS as the root on the second node by using a virtual host name that maps to the IP address of the load balancer front-end configuration for the PAS. For example, use **sapaas**, **10.90.90.31**, and the instance number that you used for the probe of the load balancer, for example, **03**.

+ You can use the sapinst parameter `SAPINST_REMOTE_ACCESS_USER` to allow a nonroot user to connect to sapinst.

+1. Update the `/usr/sap/sapservices` file.

+ To prevent the start of the instances by the sapinit startup script, all instances managed by Pacemaker must be commented out from the `/usr/sap/sapservices` file.

+1. **[2]** Create an AAS cluster resource.

+ Check the status of the cluster.

+1. Configure a constraint to start the AAS resource group only after the ASCS instance is started.

+1. **[1]** To ensure the PAS and AAS instances don't run on the same nodes whenever both nodes are running, add a negative colocation constraint with the following command:

+ The score of -1000 ensures that if only one node is available, both the instances continue to run on the other node. If you want to keep the AAS instance down in such a situation, you can use `score=-INFINITY` to enforce this condition.

+1. Check the status of the cluster.

+Thoroughly test your Pacemaker cluster by running [the typical failover tests](high-availability-guide-rhel.md#test-the-cluster-setup).

+ Title: Deploy SAP ASCS/SCS and SAP ERS with SAP HANA high-availability VMs on RHEL | Microsoft Docs

+description: Configure SAP ASCS/SCS and SAP ERS with SAP HANA high-availability VMs on RHEL.

+# Deploy SAP ASCS/ERS with SAP HANA high-availability VMs on RHEL

+This article describes how to install and configure SAP HANA along with ABAP SAP Central Services (ASCS)/SAP Central Services (SCS) and Enqueue Replication Server (ERS) instances on the same high-availability cluster running on Red Hat Enterprise Linux (RHEL).

+ * A list of Azure virtual machine (VM) sizes that are supported for the deployment of SAP software.

+ * Important capacity information for Azure VM sizes.

+ * Supported SAP software and operating system (OS) and database combinations.

+ * Required SAP kernel version for Windows and Linux on Azure.

+* SAP Note [2002167](https://launchpad.support.sap.com/#/notes/2002167) lists the recommended OS settings for Red Hat Enterprise Linux 7.x.

+* SAP Note [2772999](https://launchpad.support.sap.com/#/notes/2772999) lists the recommended OS settings for Red Hat Enterprise Linux 8.x.

+* SAP Note [2009879](https://launchpad.support.sap.com/#/notes/2009879) has SAP HANA guidelines for Red Hat Enterprise Linux.

+* SAP Note [1999351](https://launchpad.support.sap.com/#/notes/1999351) has more troubleshooting information for the Azure Enhanced Monitoring Extension for SAP.

+* [SAP Netweaver in Pacemaker cluster](https://access.redhat.com/articles/3150081)

+* General RHEL documentation:

+ * [High-Availability Add-On Overview](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_overview/index)

+ * [High-Availability Add-On Administration](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_administration/index)

+ * [Support Policies for RHEL High-Availability Clusters - Microsoft Azure Virtual Machines as Cluster Members](https://access.redhat.com/articles/3131341)

+This article describes the cost-optimization scenario where you deploy SAP HANA, SAP ASCS/SCS, and SAP ERS instances in the same high-availability setup. To minimize the number of VMs for a single SAP system, you want to install SAP ASCS/SCS and SAP ERS on the same hosts where SAP HANA is running. With SAP HANA being configured in a high-availability cluster setup, you want SAP ASCS/SCS and SAP ERS also to be managed by cluster. The configuration is basically an addition to an already configured SAP HANA cluster setup. In this setup, SAP ASCS/SCS and SAP ERS are installed on a virtual host name, and its instance directory is managed by the cluster.

+The presented architecture showcases [NFS on Azure Files](../../storage/files/files-nfs-protocol.md) or [Azure NetApp Files](../../azure-netapp-files/azure-netapp-files-introduction.md) for a highly available instance directory for the setup.

+The example shown in this article to describe deployment uses the following system information:

+| Instance name | Instance number | Virtual host name | Virtual IP (Probe port) |

+> Install SAP dialog instances (PAS and AAS) on separate VMs.

+

+### Important considerations for the cost-optimization solution

+* SAP dialog instances (PAS and AAS) (like **sapa01** and **sapa02**) should be installed on separate VMs. Install SAP ASCS and ERS with virtual host names. To learn more about how to assign a virtual host name to a VM, see the blog [Use SAP Virtual Host Names with Linux in Azure](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/use-sap-virtual-host-names-with-linux-in-azure/ba-p/3251593).

+* With an HANA DB, ASCS/SCS, and ERS deployment in the same cluster setup, the instance number of HANA DB, ASCS/SCS, and ERS must be different.

+* Consider sizing your VM SKUs appropriately based on the sizing guidelines. You must factor in the cluster behavior where multiple SAP instances (HANA DB, ASCS/SCS, and ERS) might run on a single VM when another VM in the cluster is unavailable.

+ > Database file systems like /hana/data and /hana/log aren't supported on NFS on Azure Files.

+* To install more application servers on separate VMs, you can either use NFS shares or a local managed disk for an instance directory file system. If you're installing more application servers for SAP J2EE system, `/usr/sap/<SID>/J<nr>` on NFS on Azure Files isn't supported.

+* See [NFS on Azure Files considerations](high-availability-guide-rhel-nfs-azure-files.md#important-considerations-for-nfs-on-azure-files-shares) and [Azure NetApp Files considerations](high-availability-guide-rhel-netapp-files.md#important-considerations) because the same considerations apply to this setup.

+The configuration described in this article is an addition to your already-configured SAP HANA cluster setup. In this configuration, an SAP ASCS/SCS and ERS instance are installed on a virtual host name. The instance directory is managed by the cluster.

+Install a HANA database and set up a HANA system replication (HSR) and Pacemaker cluster by following the steps in [High availability of SAP HANA on Azure VMs on Red Hat Enterprise Linux](sap-hana-high-availability-rhel.md) or [High availability of SAP HANA Scale-up with Azure NetApp Files on Red Hat Enterprise Linux](sap-hana-high-availability-netapp-files-red-hat.md) depending on what storage option you're using.

+After you install, configure, and set up the **HANA Cluster**, follow the next steps to install ASCS and ERS instances.

+This article assumes that you already configured the load balancer for a HANA cluster setup as described in [Configure Azure Load Balancer](./sap-hana-high-availability-rhel.md#configure-azure-load-balancer). In the same Azure Load Balancer instance, follow these steps to create more front-end IPs and load-balancing rules for ASCS and ERS.

+1. **Frontend IP Configuration**: Create two front-end IPs, one for ASCS and another for ERS (for example, **10.66.0.20** and **10.66.0.30**).

+1. **Backend Pool**: This pool remains the same because we're deploying ASCS and ERS on the same back-end pool.

+1. **Inbound rules**: Create two load-balancing rules, one for ASCS and another for ERS. Follow the same steps for both load-balancing rules.

+1. **Frontend IP address**: Select the front-end IP.

+ 1. **Backend pool**: Select the back-end pool.

+ 1. **High availability ports**: Select this option.

+ 1. **Protocol**: Select **TCP**.

+ 1. **Health Probe**: Create a health probe with the following details (applies for both ASCS and ERS):

+ 1. **Protocol**: Select **TCP**.

+ 1. **Port**: For example, **620<Instance-no.>** for ASCS and **621<Instance-no.>** for ERS.

+ 1. **Interval**: Enter **5**.

+ 1. **Probe Threshold**: Enter **2**.

+ 1. **Idle timeout (minutes)**: Enter **30**.

+ 1. **Enable Floating IP**: Select this option.

+The health probe configuration property `numberOfProbes`, otherwise known as **Unhealthy threshold** in the Azure portal, isn't respected. To control the number of successful or failed consecutive probes, set the property `probeThreshold` to `2`. It's currently not possible to set this property by using the Azure portal. Use either the [Azure CLI](/cli/azure/network/lb/probe) or the [PowerShell](/powershell/module/az.network/new-azloadbalancerprobeconfig) command.

+> Floating IP isn't supported on a NIC secondary IP configuration in load-balancing scenarios. For more information, see [Azure Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need more IP addresses for the VMs, deploy a second NIC.

+When VMs without public IP addresses are placed in the back-end pool of an internal (no public IP address) Standard Azure Load Balancer instance, there's no outbound internet connectivity unless more configuration is performed to allow routing to public endpoints. For steps on how to achieve outbound connectivity, see [Public endpoint connectivity for virtual machines using Azure Standard Load Balancer in SAP high-availability scenarios](high-availability-guide-standard-load-balancer-outbound-connections.md).

+> Don't enable TCP timestamps on Azure VMs placed behind Azure Load Balancer. Enabling TCP timestamps causes the health probes to fail. Set the parameter `net.ipv4.tcp_timestamps` to `0`. For more information, see [Load Balancer health probes](../../load-balancer/load-balancer-custom-probe-overview.md).

+## SAP ASCS/SCS and ERS setup

+Based on your storage, follow the steps described in the following articles to configure a `SAPInstance` resource for the SAP ASCS/SCS and SAP ERS instance in the cluster.

+* **NFS on Azure Files**: [Azure VMs high availability for SAP NW on RHEL with NFS on Azure Files](high-availability-guide-rhel-nfs-azure-files.md#prepare-for-an-sap-netweaver-installation)

+* **Azure NetApp Files**: [Azure VMs high availability for SAP NW on RHEL with Azure NetApp Files](high-availability-guide-rhel-netapp-files.md#prepare-for-the-sap-netweaver-installation)

+Thoroughly test your Pacemaker cluster:

+* [Run the typical Netweaver failover tests](high-availability-guide-rhel.md#test-the-cluster-setup)

+* [Run the typical HANA DB failover tests](sap-hana-high-availability-rhel.md#test-the-cluster-setup)

+

+- [Register for the preview](https://aka.ms/azure-cognitive-search/indexer-preview) to provide scenario feedback. You can access the feature automatically after form submission.

+ Title: Deploy the Microsoft Sentinel for SAP data connector with SNC

+description: Deploy the Microsoft Sentinel for SAP data connector to ingest NetWeaver and ABAP logs over a secure connection by using Secure Network Communications (SNC).

+# CustomerIntent: As an SAP admin and Microsoft Sentinel user, I want to know how to use SNC to deploy the Microsoft Sentinel for SAP data connector over a secure connection.

+# Deploy the Microsoft Sentinel for SAP data connector by using SNC

+This article shows you how to deploy the Microsoft Sentinel for SAP data connector to ingest SAP NetWeaver and SAP ABAP logs over a secure connection by using Secure Network Communications (SNC).

+The SAP data connector agent typically connects to an SAP ABAP server by using a remote function call (RFC) connection and a username and password for authentication.

+However, some environments might require the connection to be made on an encrypted channel, and some environments might require client certificates to be used for authentication. In these cases, you can use SNC from SAP to securely connect your data connector. Complete the steps as they're outlined in this article.

+To deploy the Microsoft Sentinel for SAP data connector by using SNC, you need:

+- The [SAP Cryptographic Library](https://help.sap.com/viewer/d1d04c0d65964a9b91589ae7afc1bd45/5.0.4/en-US/86921b29cac044d68d30e7b125846860.html).

+- Network connectivity. SNC uses port 48*xx* (where *xx* is the SAP instance number) to connect to the ABAP server.

+- An SAP server configured to support SNC authentication.

+- A self-signed or enterprise certificate authority (CA)-issued certificate for user authentication.

+> This article describes a sample case for configuring SNC. In a production environment, we strongly recommended that you consult with SAP administrators to create a deployment plan.

+## Export the server certificate

+To begin, export the server certificate:

+1. On the left pane, go to **SNC SAPCryptolib** and expand the section.

+1. Select the system, and then select a value for **Subject**.

+ The server certificate information is shown in the **Certificate** section.

+1. Select **Export certificate**.

+ 

+1. In the **Export Certificate** dialog:

+ 1. For file format, select **Base64**.

+ 1. Next to **File Path**, select the double boxes icon.

+ 1. Select a filename to export the certificate to.

+ 1. Select the green checkmark to export the certificate.

+## Import your certificate

+This section explains how to import a certificate so that it's trusted by your ABAP server. It's important to understand which certificate needs to be imported into the SAP system. Only public keys of the certificates need to be imported into the SAP system.

+- **If the user certificate is self-signed**: Import a user certificate.

+- **If the user certificate is issued by an enterprise CA**: Import an enterprise CA certificate. If both root and subordinate CA servers are used, import both the root and the subordinate CA public certificates.

+To import your certificate:

+1. Select **Import certificate**.

+1. In the **Import certificate** dialog:

+ 1. Next to **File path**, select the double boxes icon and go to the certificate.

+ 1. Go to the file that contains the certificate (for a public key only) and select the green checkmark to import the certificate.

+ The certificate information is displayed in the **Certificate** section.

+ 1. Select **Add to Certificate List**.

+ The certificate appears in the **Certificate List** section.

+## Associate the certificate with a user account

+To associate the certificate with a user account:

+1. In **Table/View**, enter **USRACLEXT**, and then select **Maintain**.

+1. Review the output and identify whether the target user already has an associated SNC name. If no SNC name is associated with the user, select **New Entries**.

+ 

+1. For **User**, enter the user's username. For **SNC Name**, enter the user's certificate subject name prefixed with **p:**, and then select **Save**.

+ 

+## Grant logon rights by using the certificate

+To grant logon rights:

+1. In **Table/View**, enter **VSNCSYSACL**, and then select **Maintain**.

+1. In the informational prompt that appears, confirm that the table is cross-client.

+1. In **Determine Work Area: Entry**, enter **E** for **Type of ACL entry**, and then select the green checkmark.

+1. Review the output and identify whether the target user already has an associated SNC name. If the user doesn't have an associated SNC name, select **New Entries**.

+ 

+ 

+1. Ensure that the checkboxes for **Entry for RFC activated** and **Entry for certificate activated** are selected, and then select **Save**.

+## Map users of the ABAP service provider to external user IDs

+To map ABAP service provider users to external user IDs:

+1. In **Table/View**, enter **VUSREXTID**, and then select **Maintain**.

+1. In **Determine Work Area: Entry**, select the **DN** ID type for **Work Area**.

+1. Enter the following values:

+ - For **External ID**, enter **CN=Sentinel**, **C=US**.

+ - For **Seq. No**, enter **000**.

+ - For **User**, enter **SENTINEL**.

+1. Select **Save**, and then select **Enter**.

+ :::image type="content" source="media/configure-snc/vusrextid-table-configuration.png" alt-text="Screenshot that shows how to set up the SAP VUSREXTID table.":::

+## Set up the container

+> If you set up the SAP data connector agent container by using the UI, don't complete the steps that are described in this section. Instead, continue to set up the connector [on the connector page](deploy-data-connector-agent-container.md).

+To set up the container:

+1. Transfer the *libsapcrypto.so* and *sapgenpse* files to the system where the container will be created.

+1. Transfer the client certificate (both private and public keys) to the system where the container will be created.

+ The client certificate and key can be in *.p12*, *.pfx*, or Base64 *.crt* and *.key* format.

+1. Transfer the server certificate (public key only) to the system where the container will be created.

+ The server certificate must be in Base64 *.crt* format.

+1. If the client certificate was issued by an enterprise certification authority, transfer the issuing CA and root CA certificates to the system where the container will be created.

+1. Get the kickstart script from the Microsoft Sentinel GitHub repository:

+1. Run the script and specify the following base parameters:

+ If the client certificate is in *.crt* or *.key* format, use the following switches:

+ If the client certificate is in *.pfx* or *.p12* format, use these switches:

+For more information about options that are available in the kickstart script, see [Reference: Kickstart script](reference-kickstart.md).

+## Troubleshooting and reference

+For troubleshooting information, see these articles:

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications deployment](sap-deploy-troubleshoot.md)

+- [Microsoft Sentinel solutions](../sentinel-solutions.md)

+For reference, see these articles:

+- [Microsoft Sentinel solution for SAP applications data reference](sap-solution-log-reference.md)

+- [Microsoft Sentinel solution for SAP applications: Security content reference](sap-solution-security-content.md)

+## Related content

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)

+- [Deploy SAP change requests and configure authorization](preparing-sap.md)

+ Title: Microsoft Sentinel solution for SAP apps across multiple workspaces

+description: Learn how to work with the Microsoft Sentinel solution for SAP applications in multiple workspaces for different deployment scenarios.

+# customer intent: As a security admin or SAP admin, I want to know how to use the Microsoft Sentinel solution for SAP applications in multiple workspaces so that I can plan a deployment.

+# Work with the Microsoft Sentinel solution for SAP applications in multiple workspaces

+When you set up your Microsoft Sentinel workspace, you have [multiple architecture options](../design-your-workspace-architecture.md#decision-tree) and factors to consider. Taking into account geography, regulation, access control, and other factors, you might choose to have multiple Microsoft Sentinel workspaces in your organization.

+This article discusses how to work with the Microsoft Sentinel solution for SAP applications in multiple workspaces for different deployment scenarios.

+The Microsoft Sentinel solution for SAP applications natively supports a cross-workspace architecture to support improved flexibility for:

+- Managed security service providers (MSSPs) or a global or federated security operations center (SOC).

+- Data residency requirements.

+- Organizational hierarchy and IT design.

+- Insufficient role-based access control (RBAC) in a single workspace.

+> Working with multiple workspaces is currently in preview. This feature is provided without a service-level agreement. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+You can define multiple workspaces when you [deploy SAP security content](deploy-sap-security-content.md#deploy-the-security-content-from-the-content-hub).

+A common use case is one in which collaboration between the SOC and SAP teams in your organization requires a multi-workspace setup.

+Your organization's SAP team has technical knowledge that's critical to successfully and effectively implement the Microsoft Sentinel solution for SAP applications. Therefore, it's important for the SAP team see the relevant data and to collaborate with the SOC about the required configuration and incident response procedures.

+There are two possible scenarios for SOC and SAP team collaboration, depending on your organization's needs:

+- Scenario 1: **SAP data and SOC data maintained in separate workspaces**. Both teams can see the SAP data by using [cross-workspace queries](#scenario-1-sap-data-and-soc-data-maintained-in-separate-workspaces).

+- Scenario 2: **SAP data kept only in the SOC workspace**. The SAP team can query the data by using [resource context queries](#scenario-2-sap-data-kept-only-in-the-soc-workspace).

+## Scenario 1: SAP data and SOC data maintained in separate workspaces

+In this scenario, the SAP team and the SOC team have separate Microsoft Sentinel workspaces where team data is kept.

+When your organization [deploys the Microsoft Sentinel solution for SAP applications](deploy-sap-security-content.md#deploy-the-microsoft-sentinel-solution-for-sap-applications-from-the-content-hub), each team specifies its SAP workspace.

+A common practice is to provide some or all SOC team members with the Sentinel Reader role for the SAP workspace.

+- Microsoft Sentinel can trigger alerts that include both SOC and SAP data, and it can run those alerts on the SOC workspace.

+ > For larger SAP landscapes, running queries that are made by the SOC on data from the SAP workspace can affect performance. The SAP data must travel to the SOC workspace when it's being queried. For improved performance and cost optimizations, consider having both the SOC and SAP workspaces on the same [dedicated cluster](../../azure-monitor/logs/logs-dedicated-clusters.md?tabs=cli#cluster-pricing-model).

+- The SAP team has its own Microsoft Sentinel workspace that includes all features except detections that include both SOC and SAP data.

+- Flexibility. The SAP team can focus on the control of internal threats in its landscape, and the SOC can focus on external threats.

+- There's no additional charge for ingestion fees, because data is ingested only once into Microsoft Sentinel. However, each workspace has its own [pricing tier](../design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data).

+- The SOC can see and investigate SAP incidents. If the SAP team faces an event that it can't explain by using existing data, the team can assign the incident to the SOC.

+The following table maps the access of data and features for the SAP and SOC teams in this scenario:

+¹ The SOC team can see these functions in both workspaces. The SAP team can see these functions only in the SAP workspace.

+## Scenario 2: SAP data kept only in the SOC workspace

+In this scenario, you want to keep all the data in one workspace and to apply access controls. You can do this by using Log Analytics in Azure Monitor to [manage access to data by resource](../resource-context-rbac.md). You can also associate SAP resources with an Azure resource ID by specifying the required `azure_resource_id` field in the [connector configuration section](reference-systemconfig.md#connector-configuration-section) on the data collector that you use to ingest data from the SAP system into Microsoft Sentinel.

+After the data collector agent is configured with the correct resource ID, the SAP team can access the specific SAP data in the SOC workspace by using a resource-scoped query. The SAP team can't read any of the other, non-SAP data types.

+There are no costs associated with this approach because the data is ingested only once into Microsoft Sentinel. When you use this mode of access, the SAP team sees only raw and unformatted data. The SAP team can't use any Microsoft Sentinel features. In addition to accessing the raw data via Log Analytics, the SAP team can access the same data [via Power BI](../resource-context-rbac.md).

+## Next step

+In this article, you learned about working with Microsoft Sentinel solution for SAP applications in multiple workspaces for different deployment scenarios. Next, learn how to deploy the solution:

+> [Deploy the Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+ Title: Deploy Microsoft Sentinel solution for SAP BTP

+description: Learn how to deploy the Microsoft Sentinel solution for SAP Business Technology Platform (BTP) system.

+# customer intent: As an SAP admin, I want to know how to deploy the Microsoft Sentinel solution for SAP BTP so that I can plan a deployment.

+# Deploy the Microsoft Sentinel solution for SAP BTP

+This article describes how to deploy the Microsoft Sentinel solution for SAP Business Technology Platform (BTP) system. The Microsoft Sentinel solution for SAP BTP monitors and protects your SAP BTP system. It collects audit logs and activity logs from the BTP infrastructure and BTP-based apps, and then detects threats, suspicious activities, illegitimate activities, and more. [Read more about the solution](sap-btp-solution-overview.md).

+> The Microsoft Sentinel solution for SAP BTP solution is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+- The Microsoft Sentinel solution is enabled.

+- You have a defined Microsoft Sentinel workspace, and you have read and write permissions to the workspace.

+- You have the SAP BTP auditlog-management service and service key (see [Set up the BTP account and solution](#set-up-the-btp-account-and-solution)).

+- You can create an [Azure function app](../../azure-functions/functions-overview.md) by using the Microsoft.Web/Sites, Microsoft.Web/ServerFarms, Microsoft.Insights/Components, and Microsoft.Storage/StorageAccounts permissions.

+- You can create [data collection rules and endpoints](../../azure-monitor/essentials/data-collection-rule-overview.md) by using these permissions:

+ - Microsoft.Insights/DataCollectionEndpoints and Microsoft.Insights/DataCollectionRules.

+ - Assign the Monitoring Metrics Publisher role to the function app.

+- You have an [Azure Key Vault](../../key-vault/general/overview.md) to hold the SAP BTP client secret.

+To set up the BTP account and the solution:

+1. After you can sign in to your BTP account (see the [prerequisites](#prerequisites)), follow the [audit log retrieval steps](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment) on the SAP BTP system.

+1. In the SAP BTP cockpit, select the **Audit Log Management Service**.

+ :::image type="content" source="./media/deploy-sap-btp-solution/btp-audit-log-management-service.png" alt-text="Screenshot that shows selecting the BTP Audit Log Management Service." lightbox="./media/deploy-sap-btp-solution/btp-audit-log-management-service.png":::

+1. Create an instance of the Audit Log Management Service in the BTP subaccount.

+ :::image type="content" source="./media/deploy-sap-btp-solution/btp-audit-log-sub-account.png" alt-text="Screenshot that shows creating an instance of the BTP subaccount." lightbox="./media/deploy-sap-btp-solution/btp-audit-log-sub-account.png":::

+1. Create a service key and record the values for `url`, `uaa.clientid`, `uaa.clientecret`, and `uaa.url`. These values are required to deploy the data connector.

+ Here are examples of these field values:

+1. Go to the Microsoft Sentinel service.

+ :::image type="content" source="./media/deploy-sap-btp-solution/sap-btp-create-solution.png" alt-text="Screenshot that shows how to create the Microsoft Sentinel solution for SAP BTP." lightbox="./media/deploy-sap-btp-solution/sap-btp-create-solution.png":::

+1. Select the resource group and the Microsoft Sentinel workspace in which to deploy the solution.

+1. Select **Next** until you pass validation, and then select **Create**.

+1. When the solution deployment is finished, return to your Microsoft Sentinel workspace and select **Data connectors**.

+1. In the search bar, enter **BTP**, and then select **SAP BTP (using Azure Function)**.

+1. On the connector page, make sure that you meet the required prerequisites and complete the configuration steps. In step 2 of the data connector configuration, specify the parameters that you defined in step 4 in this section.

+ > Retrieving audits for the global account doesn't automatically retrieve audits for the subaccount. Follow the connector configuration steps for each of the subaccounts you want to monitor, and also follow these steps for the global account. Review these [account auditing configuration considerations](#consider-your-account-auditing-configurations).

+1. Complete all configuration steps, including the function app deployment and the Azure Key Vault access policy configuration.

+ 1. Sign in to your BTP subaccount and run a few activities that generate logs, such as sign-ins, adding users, changing permissions, and changing settings.

+ 1. Allow 20 to 30 minutes for the logs to start flowing.

+ 1. On the **SAP BTP** connector page, confirm that Microsoft Sentinel receives the BTP data, or query the **SAPBTPAuditLog_CL** table directly.

+1. Enable the [workbook](sap-btp-security-content.md#sap-btp-workbook) and the [analytics rules](sap-btp-security-content.md#built-in-analytics-rules) that are provided as part of the solution by following [these guidelines](../sentinel-solutions-deploy.md#analytics-rule).

+## Consider your account auditing configurations

+The final step in the deployment process is to consider your global account and subaccount auditing configurations.

+When you enable audit log retrieval in the BTP cockpit for the global account: If the subaccount for which you want to entitle the Audit Log Management Service is under a directory, you must entitle the service at the directory level first. Only then can you entitle the service at the subaccount level.

+### Subaccount auditing configuration

+To enable auditing for a subaccount, complete the steps in the [SAP subaccounts audit retrieval API documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment).

+The API documentation describes how to enable the audit log retrieval by using the Cloud Foundry CLI.

+You also can retrieve the logs via the UI:

+1. In your subaccount in SAP Service Marketplace, create an instance of **Audit Log Management Service**.

+1. In the new instance, create a service key.

+1. View the service key and retrieve the required parameters from step 4 of the configuration instructions in the data connector UI (**url**, **uaa.url**, **uaa.clientid**, and **uaa.clientsecret**).

+## Related content

+- [Learn how to enable the security content](../sentinel-solutions-deploy.md#analytics-rule)

+- [Review the solution's security content](sap-btp-security-content.md)

+ Title: Deploy Microsoft Sentinel for SAP apps from the content hub

+description: Learn how to deploy the Microsoft Sentinel solution for SAP applications security content from the content hub to your Microsoft Sentinel workspace.

+# customer intent: As an SAP admin, I want to know how to deploy the Microsoft Sentinel solution for SAP applications from the content hub so that I can plan a deployment.

+# Deploy the Microsoft Sentinel solution for SAP applications from the content hub

+This article shows you how to deploy the Microsoft Sentinel solution for SAP applications security content from the content hub to your Microsoft Sentinel workspace. This content makes up the remaining parts of the Microsoft Sentinel solution for SAP.

+## Prerequisites

+To deploy the Microsoft Sentinel solution for SAP applications from the content hub, you need:

+- A Microsoft Sentinel instance.

+- A defined Microsoft Sentinel workspace, and read and write permissions to the workspace.

+- A Microsoft Sentinel for SAP data connector set up.

+## Check deployment milestones

+1. [Work with the solution in multiple workspaces](cross-workspace.md) (preview)

+1. [Prepare your SAP environment](preparing-sap.md)

+1. [Deploy the data connector agent](deploy-data-connector-agent-container.md)

+1. **Deploy the Microsoft Sentinel solution for SAP applications from the content hub** (*You are here*)

+1. [Configure the Microsoft Sentinel solution for SAP applications](deployment-solution-configuration.md)

+1. Optional deployment steps:

+ - [Configure the SAP data connector to use SNC](configure-snc.md)

+ - [Deploy the SAP data connector manually](sap-solution-deploy-alternate.md)

+Deploying the Microsoft Sentinel solution for SAP applications causes the Microsoft Sentinel for SAP data connector to be displayed in the Microsoft Sentinel **Data connectors** area. The solution also deploys the **SAP - System Applications and Products** workbook and SAP-related analytics rules.

+To deploy SAP solution security content:

+1. To open the SAP solution page, select **Microsoft Sentinel solution for SAP applications**.

+ :::image type="content" source="./media/deploy-sap-security-content/sap-solution.png" alt-text="Screenshot that shows the Microsoft Sentinel solution for SAP applications solution pane." lightbox="./media/deploy-sap-security-content/sap-solution.png":::

+1. To start the solution deployment wizard, select **Create**, and then enter the details of the Azure subscription and resource group.

+1. For the **Deployment target workspace**, select the Log Analytics workspace (the one that Microsoft Sentinel uses) where you want to deploy the solution.<a id="multi-workspace"></a>

+1. If you want to [work with the Microsoft Sentinel solution for SAP applications in multiple workspaces](cross-workspace.md) (preview), select **Some of the data is on a different workspace**, and then do the following steps:

+ 1. Under **Configure the workspace where the SOC data resides in**, select the SOC subscription and workspace.

+ 1. Under **Configure the workspace where the SAP data resides in**, select the SAP subscription and workspace.

+ For example:

+ :::image type="content" source="./media/deploy-sap-security-content/sap-multi-workspace.png" alt-text="Screenshot that shows how to configure the Microsoft Sentinel solution for SAP applications to work across multiple workspaces.":::

+ > [!NOTE]

+ > If you want the SAP and SOC data to be kept on the same workspace with no additional access controls, do not select **Some of the data is on a different workspace**. If you want the SOC and SAP data to be kept on the same workspace, but to apply additional access controls, review [this scenario](cross-workspace.md#scenario-2-sap-data-kept-only-in-the-soc-workspace).

+1. Select **Next** to cycle through the **Data Connectors**, **Analytics**, and **Workbooks** tabs, where you can learn about the components that are deployed with this solution.

+ For more information, see [Microsoft Sentinel solution for SAP applications: security content reference](sap-solution-security-content.md).

+1. On the **Review + create tab** pane, wait for the **Validation Passed** message, and then select **Create** to deploy the solution.

+ > [!TIP]

+ > You can also select **Download a template** for a link to deploy the solution as code.

+1. When deployment is finished, to display the newly deployed content:

+ - For the [built-in SAP workbooks](sap-solution-security-content.md#built-in-workbooks), go to **Threat Management** > **Workbooks** > **My workbooks**.

+ - For a series of [SAP-related analytics rules](sap-solution-security-content.md#built-in-analytics-rules), go to **Configuration** > **Analytics**.

+1. In Microsoft Sentinel, go to the **Microsoft Sentinel for SAP** data connector to confirm the connection:

+ :::image type="content" source="./media/deploy-sap-security-content/sap-data-connector.png" alt-text="Screenshot that shows the Microsoft Sentinel for SAP data connector page." lightbox="media/deploy-sap-security-content/sap-data-connector.png":::

+ SAP ABAP logs are displayed on the Microsoft Sentinel **Logs** page, under **Custom logs**:

+ :::image type="content" source="./media/deploy-sap-security-content/sap-logs-in-sentinel.png" alt-text="Screenshot that shows the SAP ABAP logs in the Custom Logs area in Microsoft Sentinel." lightbox="media/deploy-sap-security-content/sap-logs-in-sentinel.png":::

+ For more information, see [Microsoft Sentinel solution for SAP applications solution logs reference](sap-solution-log-reference.md).

+## Troubleshooting and reference

+For troubleshooting information, see these articles:

+- [Troubleshoot your Microsoft Sentinel solution for SAP applications deployment](sap-deploy-troubleshoot.md)

+- [Microsoft Sentinel solutions](../sentinel-solutions.md)

+For reference, see these articles:

+- [Microsoft Sentinel solution for SAP applications solution data reference](sap-solution-log-reference.md)

+- [Microsoft Sentinel solution for SAP applications: Security content reference](sap-solution-security-content.md)

+## Related content

+- [Deploy Microsoft Sentinel solution for SAP applications](deployment-overview.md)

+- [Prerequisites for deploying Microsoft Sentinel solution for SAP applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)

+- [Deploy SAP Change Requests and configure authorization](preparing-sap.md)

+ Title: Deploy Microsoft Sentinel solution for SAP applications

+description: Get an introduction to the process of deploying the Microsoft Sentinel solution for SAP applications.

+# customer intent: As a business user or decision maker, I want to get an overview of how to deploy the Microsoft Sentinel solution for SAP applications so that I know the scope of the information I need and how to access it.

+# Deploy Microsoft Sentinel solution for SAP applications

+This article introduces you to the process of deploying the Microsoft Sentinel solution for SAP applications. The full process is detailed in a set of articles linked under [Deployment milestones](#deployment-milestones).

+Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4 on-premises. Learn more about this [certification](solution-overview.md#certification).

+> [Update an existing Microsoft Sentinel for SAP data connector](update-sap-data-connector.md) to the latest version.

+## What is the Microsoft Sentinel solution for SAP applications?

+The Microsoft Sentinel solution for SAP applications is a [Microsoft Sentinel solution](../sentinel-solutions.md) that you can use to monitor your SAP systems. Use the solution to detect sophisticated threats throughout the business logic and application layers of your SAP applications. The solution includes the following components:

+- Functions that you can use for easy data access.

+- Workbooks that you can use to create interactive data visualization.

+- Playbooks that you can use to automate responses to threats.

+>

+The Microsoft Sentinel for SAP data connector is an agent that's installed on a virtual machine (VM), physical server, or Kubernetes cluster. The agent collects application logs for all of your SAP SIDs from across the entire SAP system landscape, and then sends those logs to your Log Analytics workspace in Microsoft Sentinel. Use the other content in the [Threat Monitoring for SAP solution](sap-solution-security-content.md), including the analytics rules, workbooks, and watchlists, to gain insight into your organization's SAP environment and to detect and respond to security threats.

+For example, the following image shows a multi-SID SAP landscape with a split between production and nonproduction systems, including the SAP Business Technology Platform. All the systems in this image are onboarded to Microsoft Sentinel for the SAP solution.

+Follow your deployment journey through this series of articles, in which you learn how to navigate each of the following steps.

+> [Update an existing Microsoft Sentinel for SAP data connector](update-sap-data-connector.md) to the latest version.

+| **1. Deployment overview** | *YOU ARE HERE* |

+| **2. Plan your architecture** | Learn how to [work with the solution in multiple workspaces](cross-workspace.md) (preview) |

+| **3. Deployment prerequisites** | [Prerequisites for deploying the Microsoft Sentinel solution for SAP](prerequisites-for-deploying-sap-continuous-threat-monitoring.md) |

+| **4. Prepare your SAP environment** | [Deploy SAP change requests and configure authorization](preparing-sap.md) |

+| **6. Deploy the solution content from the content hub** | [Deploy the Microsoft Sentinel solution for SAP applications from the content hub](deploy-sap-security-content.md) |

+| **7. Deploy the data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |

+| **8. Configure the Microsoft Sentinel solution for SAP** | [Configure the Microsoft Sentinel solution for SAP](deployment-solution-configuration.md) |

+| **9. Optional steps** | - [Configure the Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Deploy SAP connector manually](sap-solution-deploy-alternate.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |

+## Next step

+Begin the deployment of the Microsoft Sentinel solution for SAP applications by reviewing the prerequisites:

+18.04 LTS | [9.60]() | 4.15.0-1168-azure <br> 4.15.0-1169-azure <br> 4.15.0-1170-azure <br> 4.15.0-1171-azure <br> 4.15.0-1172-azure <br> 4.15.0-1173-azure <br> 4.15.0-214-generic <br> 4.15.0-216-generic <br> 4.15.0-218-generic <br> 4.15.0-219-generic <br> 4.15.0-220-generic <br> 4.15.0-221-generic <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-1112-azure <br> 5.4.0-1113-azure <br> 5.4.0-1115-azure <br> 5.4.0-1116-azure <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-1120-azure <br> 5.4.0-1121-azure <br> 5.4.0-1122-azure <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-156-generic <br> 5.4.0-159-generic <br> 5.4.0-162-generic <br> 5.4.0-163-generic <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic <br> 5.4.0-167-generic <br> 5.4.0-169-generic <br> 5.4.0-170-generic |

+20.04 LTS | [9.60]() | 5.15.0-1054-azure <br> 5.15.0-92-generic <br> 5.4.0-1122-azure <br> 5.4.0-170-generic |

+22.04 LTS |[9.60]()| 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 6.5.0-14-generic <br> 5.15.0-1054-azure <br> 5.15.0-92-generic <br>6.2.0-1019-azure <br>6.5.0-1011-azure <br>6.5.0-15-generic |

+ Title: Use Application Configuration Service for Tanzu

+To manage the service settings, open the **Settings** section. In this section, you can configure the following key aspects:

+- **Generation**: Upgrade the service generation.

+- **Refresh Interval**: Adjust the frequency at which the service checks for updates from Git repositories.

+- **Repositories**: Add new entries, or modify existing ones. This function enables you to control which repositories the service monitors use to pull data.

+If your current service generation is **Gen1**, you can upgrade to **Gen2** for better performance. For more information, see the [Upgrade from Gen1 to Gen2](#upgrade-from-gen1-to-gen2) section.

+The **Refresh Interval** specifies the frequency (in seconds) for checking updates in the repository. The minimum value is *0*, which disables automatic refresh. For optimal performance, set this interval to a minimum value of 60 seconds.

+The following table describes the properties for each repository entry:

+- *{profile}* - Optional. The name of a profile whose properties you can retrieve. An empty value, or the value `default`, includes properties that are shared across profiles. Non-default values include properties for the specified profile and properties for the default profile.

+1. Select the **Settings** section and then select **Gen2** in the **Generation** dropdown menu.

+ :::image type="content" source="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2-settings.png" alt-text="Screenshot of the Azure portal that shows the Application Configuration Service page and the Settings tab with the Validate button highlighted." lightbox="media/how-to-enterprise-application-configuration-service/configuration-server-upgrade-gen2-settings.png":::

+When you modify and commit your configurations in a Git repository, several steps are involved before these changes are reflected in your applications. This process, though automated, involves the following distinct stages and components, each with its own timing and behavior:

+- Polling by Application Configuration Service: The Application Configuration Service regularly polls the backend Git repositories to detect any changes. This polling occurs at a set frequency, defined by the refresh interval. When a change is detected, Application Configuration Service updates the Kubernetes `ConfigMap`.

+- ConfigMap update and interaction with kubelet cache: In Azure Spring Apps, this `ConfigMap` is mounted as a data volume to the relevant application. However, there's a natural delay in this process due to the frequency at which the kubelet refreshes its cache to recognize changes in `ConfigMap`.

+- Application reads updated configuration: Your application running in the Azure Spring Apps environment can access the updated configuration values. The existing beans in the Spring Context aren't automatically refreshed to use the updated configurations.

+These stages are summarized in the following diagram:

+You can adjust the polling refresh interval of the Application Configuration Service to align with your specific needs. To apply the updated configurations in your application, a restart or refresh action is necessary.

+In Spring applications, properties are held or referenced as beans within the Spring Context. To load new configurations, consider using the following methods:

+ To use this method, add the following dependency to your configuration clientΓÇÖs *pom.xml* file.

+ ```xml

+ <dependency>

+ <groupId>org.springframework.boot</groupId>

+ <artifactId>spring-boot-starter-actuator</artifactId>

+ </dependency>

+ ```

+ You can also enable the actuator endpoint by adding the following configuration:

+ ```properties

+ management.endpoints.web.exposure.include=refresh, bus-refresh, beans, env

+ ```

+ After you reload the property sources by calling the `/actuator/refresh` endpoint, the attributes bound with `@Value` in the beans having the annotation `@RefreshScope` are refreshed.

+ ```java

+ @Service

+ @Getter @Setter

+ @RefreshScope

+ public class MyService {

+ @Value

+ private Boolean activated;

+ }

+ ```

+ Use curl with the application endpoint to refresh the new configuration, as shown in the following example:

+ ```bash

+ curl -X POST http://{app-endpoint}/actuator/refresh

+ ```

+- Use `FileSystemWatcher` to watch the file change and refresh the context on demand. `FileSystemWatcher` is a class shipped with `spring-boot-devtools` that watches specific directories for file changes, or you can use another utility with similar function. The previous option requires users to initiate the refresh actively, while the latter can monitor for file changes and automatically invoke the refresh upon detecting updates. You can retrieve the file path by using the environment variable `AZURE_SPRING_APPS_CONFIG_FILE_PATH`, as mentioned in the [Polyglot support](#polyglot-support) section.

+1. Select **Bind app** and choose one app from the dropdown. Select **Apply** to bind.

+1. In the navigation menu, select **Apps** to view the list of all the apps.

+1. Select the target app to configure patterns for the `name` column.

+1. In the **Config file patterns** dropdown, choose one or more patterns from the list. For more information, see the [Pattern](#pattern) section.

+1. Select **Save**.

+> There might could be a few minutes delay before the logs are available in Log Analytics.

+## Troubleshoot known issues

+If the latest changes aren't reflected in the applications, check the following items based on the [Refresh strategies](#refresh-strategies) section:

+- Confirm that the Git repo is updated correctly by checking the following items:

+ - Confirm that the branch of the desired config file changes is updated.

+ - Confirm that the pattern configured in the Application Configuration Service matches the updated config files.

+ - Confirm that the application is bound to the Application Configuration Service.

+- Confirm that the `ConfigMap` of the app is updated. If it isn't updated, raise a ticket.

+- Confirm that the `ConfigMap` is mounted to the application as a file by using `web shell`. If the file isn't updated, wait for the Kubernetes refresh interval (1 minute), or force a refresh by restarting the application.

+After checking these items, the applications should be able to read the updated configurations. If the applications still aren't updated, raise a ticket.

+## Related content

+[Azure Spring Apps](index.yml)

+# Connect Azure Elastic SAN volumes to an Azure Kubernetes Service cluster

+| V17.0 Release - [KB5023053](https://support.microsoft.com/topic/azure-file-sync-agent-v17-release-december-2023-flighting-2d8cba16-c035-4c54-b35d-1bd8fd795ba9)| 17.0.0.0 | December 6, 2023 | Supported |

+| V14 Release | 14.0.0.0 | N/A | Not Supported - Agent versions expired on February 8, 2024 |

+Windows Server 2012 R2 reached [end of support](/lifecycle/announcements/windows-server-2012-r2-end-of-support) on October 10, 2023. Azure File Sync will continue to support Windows Server 2012 R2 until the v17.x agent is expired on March 4, 2025. Once the v17 agent is expired, Windows Server 2012 R2 servers will stop syncing to your Azure file shares.

+### Action Required

+- Option #2: Deploy a new Azure File Sync server that's running a [supported operation system version](file-sync-planning.md#operating-system-requirements) to replace your Windows 2012 R2 servers. For guidance, see [Replace an Azure File Sync server](file-sync-replace-server.md).

+>[!NOTE]

+>[!NOTE]

+>If your server has v17.1 agent installed, you don't need to install the v17.2 agent.

+Before deploying Azure File Sync, you should evaluate whether it's compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

+- The agent isn't supported on Nano Server deployment option.

+> [!NOTE]

+> Azure File Sync always encrypts data in transit. Data is always encrypted at rest in Azure.

+> [!NOTE]

+> When creating the cloud endpoint, the storage sync service and storage account must be in the same Azure AD tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Azure AD tenants.

+- When copying files using Robocopy, use the /MIR option to preserve file timestamps. This will ensure that older files are tiered sooner than recently accessed files.

+The following release notes are for Azure File Sync version 17.1.0.0 (released February 13, 2024). This release contains a security update for the Azure File Sync agent. These notes are in addition to the release notes listed for version 17.0.0.0.

+The following release notes are for Azure File Sync version 16.2.0.0 (released February 13, 2024). This release contains security updates for the Azure File Sync agent. These notes are in addition to the release notes listed for version 16.0.0.0.

+ - Azure File Sync now supports an expanded list of characters. This expansion allows for users to create and sync SMB file shares with file and directory names on par with NTFS file system, for valid Unicode characters. For more information on unsupported characters, refer to the documentation [here](/troubleshoot/azure/azure-storage/file-sync-troubleshoot-sync-errors?toc=%2Fazure%2Fstorage%2Ffile-sync%2Ftoc.json&tabs=portal1%2Cazure-portal#handling-unsupported-characters).

+Before deploying Azure File Sync, you should evaluate whether it's compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

+- The agent isn't supported on Nano Server deployment option.

+- The agent installation package is for a specific operating system version. If a server with an Azure File Sync agent installed is upgraded to a newer operating system version, the existing agent must be uninstalled. Restart the server and then install the agent for the new server operating system (Windows Server 2016, Windows Server 2019, or Windows Server 2022).

+> [!NOTE]

+> Azure File Sync always encrypts data in transit. Data is always encrypted at rest in Azure.

+> [!NOTE]

+> When creating the cloud endpoint, the storage sync service and storage account must be in the same Microsoft Entra tenant. After you create the cloud endpoint, you can move the storage sync service and storage account to different Microsoft Entra tenants.

+ - Azure File Sync uses the [Windows USN journal](/windows/win32/fileio/change-journals) feature on Windows Server to immediately detect files that were changed and upload them to the Azure file share. If files changed are missed due to journal wrap or other issues, the files won't sync to the Azure file share until the changes are detected. Azure File Sync has a server change enumeration job that runs every 24 hours on the server endpoint path to detect changes that were missed by the USN journal. If you don't want to wait until the next server change enumeration job runs, you can now use the `Invoke-StorageSyncServerChangeDetection` PowerShell cmdlet to immediately run server change enumeration on a server endpoint path.

+ > [!NOTE]

+Before deploying Azure File Sync, you should evaluate whether it's compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

+- The agent isn't supported on Nano Server deployment option.

+- The agent installation package is for a specific operating system version. If a server with an Azure File Sync agent installed is upgraded to a newer operating system version, you must uninstall the existing agent, restart the server, and install the agent for the new server operating system (Windows Server 2016, Windows Server 2019, or Windows Server 2022).

+- The Storage Sync Agent (FileSyncSvc) service doesn't support server endpoints located on a volume that has the system volume information (SVI) directory compressed. This configuration will lead to unexpected results.

+- Running sysprep on a server that has the Azure File Sync agent installed isn't supported and can lead to unexpected results. The Azure File Sync agent should be installed after deploying the server image and completing sysprep mini-setup.

+> [!NOTE]

+> Azure File Sync always encrypts data in transit. Data is always encrypted at rest in Azure.

+- Cloud tiering isn't supported on the system volume. To create a server endpoint on the system volume, disable cloud tiering when creating the server endpoint.

+- Don't store an OS or application paging file within a server endpoint location.

+> [!NOTE]

+> When creating the cloud endpoint, the storage sync service and storage account must be in the same Azure AD tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Azure AD tenants.

+- When copying files using Robocopy, use the /MIR option to preserve file timestamps. This will ensure older files are tiered sooner than recently accessed files.

+### Improvements and issues that are fixed

+### Improvements and issues that are fixed

+ In this mode, Azure File Sync does two things to free up space on the volume:

+ - Tiered files accessed by the user will not be persisted to the disk.

+- Fixed a cloud tiering issue that caused high CPU usage after v15.0 agent is installed.

+- Reduced transactions when cloud change enumeration job runs

+ - Azure File Sync has a cloud change enumeration job that runs every 24 hours to detect changes made directly in the Azure file share and sync those changes to servers in your sync groups. In the v14 release, we made improvements to reduce the number of transactions when this job runs, and in the v15 release we made further improvements. The transaction cost is also more predictable, as each job will now produce one List transaction per directory, per day.

+ - The `Get-StorageSyncCloudTieringStatus` cmdlet will show cloud tiering status for a specific server endpoint or for a specific volume (depending on path specified). The cmdlet will show current policies, current distribution of tiered versus fully downloaded data, and last tiering session statistics if the server endpoint path is specified. If the volume path is specified, it will show the effective volume free space policy, the server endpoints located on that volume, and whether these server endpoints have cloud tiering enabled.

+- New diagnostic and troubleshooting tool

+ - The `Debug-StorageSyncServer` cmdlet will diagnose common issues like certificate misconfiguration and incorrect server time. Also, we've simplified Azure File Sync troubleshooting by merging the functionality of some of existing scripts and cmdlets (AFSDiag.ps1, FileSyncErrorsReport.ps1, Test-StorageSyncNetworkConnectivity) into the `Debug-StorageSyncServer` cmdlet.

+Before deploying Azure File Sync, you should evaluate whether it's compatible with your system using the Azure File Sync evaluation tool. This tool is an Azure PowerShell cmdlet that checks for potential issues with your file system and dataset, such as unsupported characters or an unsupported OS version. For installation and usage instructions, see [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) section in the planning guide.

+- The agent isn't supported on Nano Server deployment option.

+- The Storage Sync Agent (FileSyncSvc) service doesn't support server endpoints located on a volume that has the system volume information (SVI) directory compressed. This configuration will lead to unexpected results.

+- Running sysprep on a server that has the Azure File Sync agent installed isn't supported and can lead to unexpected results. The Azure File Sync agent should be installed after deploying the server image and completing sysprep mini-setup.

+> [!NOTE]

+> Azure File Sync always encrypts data in transit. Data is always encrypted at rest in Azure.

+- Cloud tiering isn't supported on the system volume. To create a server endpoint on the system volume, disable cloud tiering when creating the server endpoint.

+- Don't store an OS or application paging file within a server endpoint location.

+> [!NOTE]

+> When creating the cloud endpoint, the storage sync service and storage account must be in the same Azure AD tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Azure AD tenants.

+- When copying files using Robocopy, use the /MIR option to preserve file timestamps. This will ensure older files are tiered sooner than recently accessed files.

+1. Deploy a new on-premises server or Azure virtual machine that's running a [supported Windows Server operating system version](file-sync-planning.md#operating-system-requirements).

+2. [Install the latest Azure File Sync agent](file-sync-deployment-guide.md#install-the-azure-file-sync-agent) on the new server, then [register the server](file-sync-deployment-guide.md#register-windows-server-with-storage-sync-service) to the same Storage Sync Service as the server that's being replaced (referred to as "old server" in this guide).

+3. Create file shares on the new server and verify that the share-level permissions match the permissions configured on the old server.

+ RobocopyΓÇ»<source> <destination> /MT:16 /R:2 /W:1 /COPY:DATSO /MIR /DCOPY:DAT /XA:O /B /IT /UNILOG:RobocopyLog.txt

+ For example, if the old server has four server endpoints (four sync groups), then you should create four server endpoints on the new server.

+| :::image type="content" source="./media/data-management/coginiti.svg" alt-text="The logo of Coginiti."::: |**Coginiti**<br>Coginiti is an analytics development tool. It puts the full power of Microsoft's Synapse platform in the hands of analysts and engineers. The rich and intuitive SQL development environment allows team members to connect to over a dozen industry leading analytics platforms. It allows users to ingest data in a variety of formats, and quickly build complex business calculation to serve the results into Business Intelligence and Machine Learning use cases. The entire application is built around a central catalog which makes collaboration across the analytics team a reality, and the sophisticated management capabilities and fine grained security make governance a breeze. |[Coginiti](https://www.coginiti.co/database)<br> |

+ Title: Deploy a DHCP server in Azure on a virtual machine

+description: Learn about how to deploy a Dynamic Host Configuration Protocol (DHCP) server in Azure on a virtual machine as a target for an on-premises DHCP relay agent.

+#customer intent: As a Network Administrator, I want to deploy a highly available DHCP server in Azure so that I can provide DHCP services to my on-premises network.

+# Deploy a DHCP server in Azure on a virtual machine

+Learn how to deploy a highly available DHCP server in Azure on a virtual machine. This server is used as a target for an on-premises DHCP relay agent to provide dynamic IP address allocation to on-premises clients. Broadcast packets directly from clients to a DHCP Server don't work in an Azure Virtual Network by design.

+## Prerequisites

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+## Create internal load balancer

+In this section, you create an internal load balancer that load balances virtual machines. An internal load balancer is used to load balance traffic inside a virtual network with a private IP address.

+During the creation of the load balancer, you configure:

+* Frontend IP address

+* Backend pool

+* Inbound load-balancing rules

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+1. In the **Load balancer** page, select **Create**.

+1. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

+ | Setting | Value |

+ | | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **test-rg**. |

+ | **Instance details** | |

+ | Name | Enter **load-balancer** |

+ | Region | Select **(US) East US 2**. |

+ | SKU | Leave the default **Standard**. |

+ | Type | Select **Internal**. |

+ | Tier | Leave the default **Regional**. |

+1. Select **Next: Frontend IP configuration** at the bottom of the page.

+1. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

+1. Enter **frontend-1** in **Name**.

+1. Select **subnet-1 (10.0.0.0/24)** in **Subnet**.

+1. In **Assignment**, select **Static**.

+1. In **IP address**, enter **10.0.0.100**.

+1. Select **Add**.

+1. Select **Next: Backend pools** at the bottom of the page.

+1. In the **Backend pools** tab, select **+ Add a backend pool**.

+1. Enter **backend-pool** for **Name** in **Add backend pool**.

+1. Select **NIC** or **IP Address** for **Backend Pool Configuration**.

+1. Select **Save**.

+1. Select the blue **Review + create** button at the bottom of the page.

+1. Select **Create**.

+## Configure second load balancer frontend

+A second frontend is required for the load balancer to provide high availability for the DHCP server. Use the following steps to add a second frontend to the load balancer.

+1. In the Azure portal, search for and select **Load balancers**.

+1. Select **load-balancer**.

+1. In **Settings**, select **Frontend IP configuration**.

+1. Select **+ Add**.

+1. Enter or select the following information in **Add frontend IP configuration**:

+ | Setting | Value |

+ | | |

+ | **Name** | Enter **frontend-2**. |

+ | **Subnet** | Select **subnet-1 (10.0.0.0/24)**. |

+ | **Assignment** | Select **Static**. |

+ | **IP address** | Enter **10.0.0.200**. |

+ | **Availability zone** | Select **Zone-redundant**. |

+1. Select **Add**.

+1. Verify that in **Frontend IP configuration**, you have **frontend-1** and **frontend-2**.

+## Create load balancer rules

+The load balancer rules are used to distribute traffic to the virtual machines. Use the following steps to create the load balancer rules.

+1. In the Azure portal, search for and select **Load balancers**.

+1. Select **load-balancer**.

+1. In **Settings**, select **Load balancing rules**.

+1. Select **+ Add**.

+1. Enter or select the following information in **Add load balancing rule**:

+ | Setting | Value |

+ | | |

+ | **Name** | Enter **lb-rule-1**. |

+ | **IP version** | Select **IPv4**. |

+ | **Frontend IP address** | Select **frontend-1**. |

+ | **Backend pool** | Select **backend-pool**. |

+ | **Protocol** | Select **UDP**. |

+ | **Port** | Enter **67**. |

+ | **Backend port** | Enter **67**. |

+ | **Health probe** | Select **Create new**. </br> Enter **dhcp-health-probe** for **Name**. </br> Select **TCP** for **Protocol**. </br> Enter **3389** for **Port**. </br> Enter **67** for **Interval**. </br> Enter **5** for **Unhealthy threshold**. </br> Select **Save**. |

+ | **Enable Floating IP** | Select the box. |

+1. Select **Save**.

+1. Repeat the previous steps to create the second load balancing rule. Replace the following values with the values for the second frontend:

+ | Setting | Value |

+ | | |

+ | **Name** | Enter **lb-rule-2**. |

+ | **Frontend IP address** | Select **frontend-2**. |

+ | **Health probe** | Select **dhcp-health-probe**. |

+## Configure DHCP server network adapters

+You'll sign-in to the virtual machines with Azure Bastion and configure the network adapter settings and DHCP server role for each virtual machine.

+1. In the Azure portal, search for and select **Virtual machines**.

+1. Select **vm-1**.

+1. In the **vm-1** page, select **Connect** then **Connect via Bastion**.

+1. Enter the username and password you created when you created the virtual machine.

+1. Open **PowerShell** as an administrator.

+1. Run the following command to install the DHCP server role:

+ ```powershell

+ Install-WindowsFeature -Name DHCP -IncludeManagementTools

+ ```

+### Install Microsoft Loopback Adapter

+Use the following steps to install the Microsoft Loopback Adapter by using the Hardware Wizard:

+1. Open **Device Manager** on the virtual machine.

+1. Select the computer name **vm-1** in **Device Manager**.

+1. In the menu bar, select **Action** then **Add legacy hardware**.

+1. In the **Add Hardware Wizard**, select **Next**.

+1. Select **Install the hardware that I manually select from a list (Advanced)**, and then select **Next**

+1. In the **Common hardware types** list, select **Network adapters**, and then select **Next**.

+1. In the **Manufacturers** list box, select **Microsoft**.

+1. In the **Network Adapter** list box, select **Microsoft Loopback Adapter**, and then select **Next**.

+1. select **Next** to start installing the drivers for your hardware.

+1. select **Finish**.

+1. In **Device Manager**, expand **Network adapters**. Verify that **Microsoft Loopback Adapter** is listed.

+1. Close **Device Manager**.

+### Set static IP address for Microsoft Loopback Adapter

+Use the following steps to set a static IP address for the Microsoft Loopback Adapter:

+1. Open **Network and Internet settings** on the virtual machine.

+1. Select **Change adapter options**.

+1. Right-click **Microsoft Loopback Adapter** and select **Properties**.

+1. Select **Internet Protocol Version 4 (TCP/IPv4)** and select **Properties**.

+1. Select **Use the following IP address**.

+1. Enter the following information:

+ | Setting | Value |

+ | | |

+ | **IP address** | Enter **10.0.0.100**. |

+ | **Subnet mask** | Enter **255.255.255.0**. |

+1. Select **OK**.

+1. Select **Close**.

+### Enable routing between the loopback interface and the network adapter

+Use the following steps to enable routing between the loopback interface and the network adapter:

+1. Open **CMD** as an administrator.

+1. Run the following command to list the network interfaces:

+ ```cmd

+ netsh int ipv4 show int

+ ```

+ ```output

+ C:\Users\azureuser>netsh int ipv4 show int

+ Idx Met MTU State Name

+ - -

+ 1 75 4294967295 connected Loopback Pseudo-Interface 1

+ 6 5 1500 connected Ethernet

+ 11 25 1500 connected Ethernet 3

+ ```

+ In this example, the network interface connected to the Azure Virtual network is **Ethernet**. The loopback interface that you installed in the previous section is **Ethernet 3**.

+ **Make note of the `Idx` number for the primary network adapter and the loopback adapter. In this example the primary network adapter is `6` and the loopback adapter is `11`. You'll need these values for the next steps.**

+ > [!CAUTION]

+ > Don't confuse the **Loopback Loopback Pseudo-Interface 1** with the **Microsoft Loopback Adapter**. The **Loopback Pseudo-Interface 1** isn't used in this scenario.

+1. Run the following command to enable **weakhostreceive** and **weakhostsend** on the primary network adapter:

+ ```cmd

+ netsh int ipv4 set int 6 weakhostreceive=enabled weakhostsend=enabled

+ ```

+1. Run the following command to enable **weakhostreceive** and **weakhostsend** on the loopback adapter:

+ ```cmd

+ netsh int ipv4 set int 11 weakhostreceive=enabled weakhostsend=enabled

+ ```

+1. Close the bastion connection to **vm-1**.

+1. Repeat the previous steps to configure **vm-2**. Replace the IP address of **10.0.0.100** with **10.0.0.200** in the static IP address configuration of the loopback adapter.

+## Next step

+In this article, you learned how to deploy a highly available DHCP server in Azure on a virtual machine. You also learned how to configure the network adapters and installed the DHCP role on the virtual machines. Further configuration of the DHCP server is required to provide DHCP services to on-premises clients from the Azure Virtual Machines. The DHCP relay agent on the on-premises network must be configured to forward DHCP requests to the DHCP servers in Azure. Consult the manufacturer's documentation for the DHCP relay agent for configuration steps.

+| **AzureBotService** | Azure Bot Service. | Both | No | Yes |

+Azure virtual networks provide DHCP service and DNS to Azure Virtual Machines. However, you can also deploy a DHCP Server in an Azure VM to serve the on-prem clients via a DHCP Relay Agent.

+DHCP Server in Azure was previously marked as unsupported since the traffic to port UDP/67 was rate limited in Azure. However, recent platform updates have removed the rate limitation, enabling this capability.

+> [!NOTE]

+> The on-premises client to DHCP Server (source port UDP/68, destination port UDP/67) is still not supported in Azure, since this traffic is intercepted and handled differently. So, this will result in some timeout messages at the time of DHCP RENEW at T1 when the client directly attempts to reach the DHCP Server in Azure, but this should succeed when the DHCP RENEW attempt is made at T2 via DHCP Relay Agent. For more details on the T1 and T2 DHCP RENEW timers, see [RFC 2131](https://www.ietf.org/rfc/rfc2131.txt).

+description: Learn about VPN Gateway topologies and designs you can use to connect on-premises locations to virtual networks.

+# VPN Gateway topology and design

+There are many different configuration options available for VPN Gateway connections. Use the diagrams and descriptions in the following sections to help you select the connection topology that meets your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using the diagrams as guidelines.

+A site-to-site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. Site-to-site connections can be used for cross-premises and hybrid configurations. A site-to-site connection requires a VPN device located on-premises that has a public IP address assigned to it. For information about selecting a VPN device, see the [VPN Gateway FAQ - VPN devices](vpn-gateway-vpn-faq.md#s2s).

+VPN Gateway can be configured in active-standby mode using one public IP or in active-active mode using two public IPs. In active-standby mode, one IPsec tunnel is active and the other tunnel is in standby. In this setup, traffic flows through the active tunnel, and if some issue happens with this tunnel, the traffic switches over to the standby tunnel. Setting up VPN Gateway in active-active mode is *recommended* in which both the IPsec tunnels are simultaneously active, with data flowing through both tunnels at the same time. Another advantage of active-active mode is that customers experience higher throughputs.

+A point-to-site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A point-to-site connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure virtual networks from a remote location, such as from home or a conference. Point-to-site VPN is also a useful solution to use instead of site-to-site VPN when you have only a few clients that need to connect to a virtual network.

+Unlike site-to-site connections, point-to-site connections don't require an on-premises public-facing IP address or a VPN device. Point-to-site connections can be used with site-to-site connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible. For more information about point-to-site connections, see [About point-to-site VPN](point-to-site-about.md).

+### P2S VPN client configuration

+Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a virtual network to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

+The virtual networks you connect can be:

+* in the same or different subscriptions

+In some cases, you might want to use virtual network peering instead of VNet-to-VNet to connect your virtual networks. Virtual network peering doesn't use a virtual network gateway. For more information, see [Virtual network peering](../virtual-network/virtual-network-peering-overview.md).

+You can configure a site-to-site VPN as a secure failover path for ExpressRoute, or use site-to-site VPNs to connect to sites that aren't part of your network, but that are connected through ExpressRoute. Notice that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type *Vpn*, and the other using the gateway type *ExpressRoute*.

+### Deployment models and methods for S2S and ExpressRoute coexisting connections

+VPN gateway connection architecture relies on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network created in [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md). You can find descriptions and topology diagrams for each connection solution in the [VPN Gateway topology and design](design.md) article.

+The values in this article specifically apply to VPN gateways (virtual network gateways that use the -GatewayType Vpn). If you're looking for information about the following types of gateways, see the following articles:

+* For values that apply to -GatewayType 'ExpressRoute', see [Virtual network gateways for ExpressRoute](../expressroute/expressroute-about-virtual-network-gateways.md).

+## <a name="gwtype"></a>Gateways and gateway types

+ A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet that you create called the **gateway subnet**. The gateway VMs contain routing tables and run specific gateway services.

+When you create a virtual network gateway, the gateway VMs are automatically deployed to the gateway subnet (always named *GatwaySubnet*), and configured with the settings that you specified. This process can take 45 minutes or more to complete, depending on the gateway SKU that you selected.

+One of the settings that you specify when creating a virtual network gateway is the **gateway type**. The gateway type determines how the virtual network gateway is used and the actions that the gateway takes. A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a **VPN gateway**. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type.

+When you're creating a virtual network gateway, you must make sure that the gateway type is correct for your configuration. The available values for -GatewayType are:

+## <a name="vpntype"></a>VPN types

+Azure supports two different VPN types for VPN gateways: policy-based and route-based. Route-based VPN gateways are built on a different platform than policy-based VPN gateways. This results in different gateway specifications.

+In most cases, you'll create a route-based VPN gateway. Previously, the older gateway SKUs didn't support IKEv1 for route-based gateways. Now, most of the current gateway SKUs support both IKEv1 and IKEv2. If you already have a policy-based gateway, you aren't required to upgrade your gateway to route-based.

+If you want to create a policy-based gateway, use PowerShell or CLI. As of Oct 1, 2023, you can't create a policy-based VPN gateway through Azure portal, only route-based gateways are available.

+Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, more VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to which it should deploy the virtual network gateway VMs and services.

+A local network gateway is different than a virtual network gateway. When you're working with a VPN gateway site-to-site architecture, the local network gateway usually represents your on-premises network and the corresponding VPN device. In the classic deployment model, the local network gateway is referred to as a *Local Site*.

+When you configure a local network gateway, you specify the name, the public IP address or the fully qualified domain name (FQDN) of the on-premises VPN device, and the address prefixes that are located on the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you specified for your local network gateway, and routes packets accordingly. If you use Border Gateway Protocol (BGP) on your VPN device, you provide the BGP peer IP address of your VPN device and the autonomous system number (ASN) of your on-premises network. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

+For technical resources and specific syntax requirements when using REST APIs, PowerShell cmdlets, or Azure CLI for VPN Gateway configurations, see the following pages:

+description: Learn what VPN Gateway is, and how to use a VPN gateway to connect to IPsec IKE site-to-site, VNet-to-VNet, and point-to-site VPN virtual networks.

+Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. VPN Gateway uses a specific type of Azure virtual network gateway called a VPN gateway. Multiple connections can be created to the same VPN gateway. When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

+## Why use VPN Gateway?

+Here are some of the key scenarios for VPN Gateway:

+* Send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can do this by using the following types of connections:

+ * **Site-to-site connection:** A cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device.

+ * **Point-to-site connection:** VPN over OpenVPN, IKEv2, or SSTP. This type of connection lets you connect to your virtual network from a remote location, such as from a conference or from home.

+* Send encrypted traffic between virtual networks. You can do this by using the following types of connections:

+ * **VNet-to-VNet:** An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway that uses a *VNet-to-VNet* connection type. This connection type is designed specifically for VNet-to-VNet connections.

+ * **Site-to-site connection:** An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway. This type of connection, when used in the VNet-to-VNet architecture, uses the *Site-to-site (IPsec)* connection type, which allows cross-premises connections to the gateway in addition connections between VPN gateways.

+* Configure a site-to-site VPN as a secure failover path for [ExpressRoute](../expressroute/expressroute-introduction.md). You can do this by using:

+ * **ExpressRoute + VPN Gateway:** A combination of ExpressRoute + VPN Gateway connections (coexisting connections).

+* Use site-to-site VPNs to connect to sites that aren't connected through [ExpressRoute](../expressroute/expressroute-introduction.md). You can do this with:

+ * **ExpressRoute + VPN Gateway:** A combination of ExpressRoute + VPN Gateway connections (coexisting connections).

+## <a name="connectivity"></a> Planning and design

+Because you can create multiple connection configurations using VPN Gateway, you need to determine which configuration best fits your needs. Point-to-site, site-to-site, and coexisting ExpressRoute/site-to-site connections all have different instructions and resource configuration requirements.

+See the [VPN Gateway topology and design](design.md) article for design topologies and links to configuration instructions. The following sections of the article highlight some of the design topologies that are most often used.

+* [Site-to-site VPN connections](design.md#s2smulti)

+* [Point-to-site VPN connections](design.md#P2S)

+The following table can help you decide the best connectivity option for your solution.

+### <a name="availability"></a>Availability Zones

+VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See [About zone-redundant virtual network gateways in Azure Availability Zones](about-zone-redundant-vnet-gateways.md).

+## <a name="configuring"></a>Configuring VPN Gateway

+A VPN gateway connection relies on multiple resources that are configured with specific settings. In some cases, resources must be configured in a certain order. The settings that you chose for each resource are critical to creating a successful connection.

+For information about individual resources and settings for VPN Gateway, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md) and [About gateway SKUs](about-gateway-skus.md). These articles contain information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you might want to consider.

+For design diagrams and links to configuration articles, see the [VPN Gateway topology and design](design.md) article.

+## <a name="new"></a>What's new?

+Azure VPN Gateway is updated regularly. To stay current with the latest announcements, see the [What's new?](whats-new.md) article. The article highlights the following points of interest:

+* Recent releases

+* Previews underway with known limitations (if applicable)

+* Known issues

+* Deprecated functionality (if applicable)

+You can also subscribe to the RSS feed and view the latest VPN Gateway feature updates on the [Azure Updates](https://azure.microsoft.com/updates/?category=networking&query=VPN%20Gateway) page.

+## <a name="faq"></a>FAQ

+For frequently asked questions about VPN gateway, see the [VPN Gateway FAQ](vpn-gateway-vpn-faq.md).

+* [Tutorial: Create and manage a VPN Gateway](tutorial-create-gateway-portal.md).

+* [Learn module: Introduction to Azure VPN Gateway](/training/modules/intro-to-azure-vpn-gateway).

+* [Learn module: Connect your on-premises network to Azure with VPN Gateway](/training/modules/connect-on-premises-network-with-vpn-gateway/).

+* [Subscription and service limits](../azure-resource-manager/management/azure-subscription-service-limits.md#vpn-gateway-limits).

+Azure Web Application Firewall on Azure Front Door protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Because Azure manages these rule sets, the rules are updated as needed to protect against new attack signatures.

+By default, the Microsoft Threat Intelligence Collection rules replace some of the built-in DRS rules, causing them to be disabled. For example, rule ID 942440, *SQL Comment Sequence Detected*, has been disabled and replaced by the Microsoft Threat Intelligence Collection rule 99031002. The replaced rule reduces the risk of false positive detections from legitimate requests.

+A single *Critical* rule match is enough for the WAF to block a request when in Prevention mode with the anomaly score action set to Block because the overall anomaly score is 5. However, one *Warning* rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic. When an anomaly rule is triggered, it shows a "matched" action in the logs. If the anomaly score is 5 or greater, there a separate rule is triggered with the anomaly score action configured for the rule set. Default anomaly score action is Block, which results in a log entry with the action `blocked`.