+* [Visual Studio 2022 17.0 or later](https://visualstudio.microsoft.com/downloads/?utm_medium=microsoft&utm_source=docs.microsoft.com&utm_campaign=inline+link&utm_content=download+vs2019), with the ASP.NET and web development workload

+* [.NET 6.0 SDK](https://dotnet.microsoft.com/download/dotnet)

+* [.NET 6.0 SDK](https://dotnet.microsoft.com/download/dotnet)

+1. Under **Redirect URI**, select **Web** and then, in the URL box, enter `https://localhost:44316/signin-oidc`.

+1. Go to `https://localhost:44316`.

+The endpoints are in the `{host}/scim/` directory, and you can use standard HTTP requests to interact with them. To modify the `/scim/` route, see *TokenController.cs* in **SCIMReferenceCode** > **Microsoft.SCIM.WebHostSample** > **Controllers**.

+> [Tutorial: Configure provisioning for a gallery app](configure-automatic-user-provisioning-portal.md)

+## February 2022

+### Updated articles

+- [Reference for writing expressions for attribute mappings in Azure Active Directory](functions-for-customizing-application-data.md)

+## February 2022

+### Updated articles

+- [Plan an Azure AD Application Proxy deployment](application-proxy-deployment-plan.md)

+- [Secure access to on-premises APIs with Azure Active Directory Application Proxy](application-proxy-secure-api-access.md)

+| Giesecke + Devrient (G+D) | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication |

+## View a training video on configuring and onboarding an AWS account

+To view a video on how to configure and onboard AWS accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).

+## View a training video on enabling CloudKnox in your Azure AD tenant

+To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+- To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+- To view a video on how to configure and onboard AWS accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).

+## Configure and onboard Amazon Web Services (AWS) accounts

+To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in CloudKnox Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).

+ - If you are installing against the **US government** cloud, and your firewall or proxy allows you to specify safe suffixes, add connections to:

+ - *.microsoftonline.us

+ - *.microsoft.us

+ - *.msappproxy.us

+ - *.windowsazure.us

+

+Cloud sync has many different dependencies and interactions, which can give rise to various problems. This article helps you troubleshoot these problems. It introduces the typical areas for you to focus on, how to gather additional information, and the various techniques you can use to track down problems.

+When you troubleshoot agent problems, you verify that the agent was installed correctly, and that it communicates with Azure Active Directory (Azure AD). In particular, some of the first things that you want to verify with the agent are:

+- Is it installed?

+- Is the agent running locally?

+- Is the agent in the portal?

+- Is the agent marked as healthy?

+You can verify these items in the Azure portal and on the local server that's running the agent.

+To verify that Azure detects the agent, and that the agent is healthy, follow these steps:

+ 

+1. On the **On-premises provisioning agents** screen, you see the agents you've installed. Verify that the agent in question is there. If all is well, you will see the *active* (green) status for the agent.

+ 

+### Verify the required open ports

+Verify that the Azure AD Connect provisioning agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open:

+| 80 | Downloading certificate revocation lists (CRLs), while validating the TLS/SSL certificate. |

+| 443 | Handling all outbound communication with the Application Proxy service. |

+If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a network service.

+| `*.msappproxy.net` <br> `*.servicebus.windows.net` | 443/HTTPS | Communication between the connector and the Application Proxy cloud service. |

+You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other of the preceding URLs, if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and service tags - public cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.

+> Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy cloud services.

+Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records, pointing to an A record. This ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`.

+However, during the name resolution, the CNAME records might contain DNS records with different host names and suffixes. Due to this, you must ensure that the device can resolve all the records in the chain, and allows connection to the resolved IP addresses. Because the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.

+To verify that the agent is running, follow these steps:

+1. On the server with the agent installed, open **Services**. Do this by going to **Start** > **Run** > **Services.msc**.

+1. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there. Also confirm that their status is *Running*.

+ 

+The following sections describe some common agent installation problems, and typical resolutions of those problems.

+*Service 'Microsoft Azure AD Connect Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.*

+This problem is typically caused by a group policy. The policy prevented permissions from being applied to the local NT Service sign-in account created by the installer (`NT SERVICE\AADConnectProvisioningAgent`). These permissions are required to start the service.

+To resolve this problem, follow these steps:

+1. Open **Services** by going to **Start** > **Run** > **Services.msc**.

+ 

+#### Agent times out or certificate isn't valid

+

+This problem is usually caused by the agent being unable to connect to the hybrid identity service. To resolve this problem, configure an outbound proxy.

+The provisioning agent supports the use of an outbound proxy. You can configure it by editing the following agent .config file: *C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config*.

+Add the following lines into it, toward the end of the file, just before the closing `</configuration>` tag. Replace the variables `[proxy-server]` and `[proxy-port]` with your proxy server name and port values.

+You might get an error message when you install the cloud provisioning agent. This problem is typically caused by the agent being unable to run the PowerShell registration scripts, due to local PowerShell execution policies.

+To resolve this problem, change the PowerShell execution policies on the server. You need to have machine and user policies set as `Undefined` or `RemoteSigned`. If they're set as `Unrestricted`, you'll see this error. For more information, see [PowerShell execution policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).

+By default, the agent emits minimal error messages and stack trace information. You can find these trace logs in the following folder: *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*.

+1. [Install the AADCloudSyncTools PowerShell module](reference-powershell.md#install-the-aadcloudsynctools-powershell-module).

+1. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. You can use the following options to fine-tune your data collection.

+ - `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).

+ - `TracingDurationMins` to specify a different capture duration (default = 3 minutes).

+ - `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).

+In the Azure portal, you can use provisioning logs to help track down and troubleshoot object synchronization problems. To view the logs, select **Logs**.

+

+

+You can filter the view to focus on specific problems, such as dates. Double-click an individual event to see additional information.

+

+Cloud sync monitors the health of your configuration, and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error (for example, invalid admin credentials), the sync job is marked as in quarantine.

+

+Right-clicking on the status will bring up additional options to:

+- View the provisioning logs.

+- View the agents.

+- Clear the quarantine.

+There are two different ways to resolve a quarantine. You can clear the quarantine, or you can restart the provisioning job.

+#### Clear the quarantine

+To clear the watermark and run a delta sync on the provisioning job after you have verified it, simply right-click on the status and select **Clear quarantine**.

+

+Use the Azure portal to restart the provisioning job. On the agent configuration page, select **Restart sync**.

+ 

+Alternatively, you can use Microsoft Graph to [restart the provisioning job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true). You have full control over what you restart. You can choose to clear:

+- Escrows, to restart the escrow counter that accrues toward quarantine status.

+- Quarantine, to remove the application from quarantine.

+- Watermarks.

+Use the following request:

+## Repair the cloud sync service account

+If you need to repair the cloud sync service account, you can use the `Repair-AADCloudSyncToolsAccount` command.

+ 1. [Install the AADCloudSyncTools PowerShell module](reference-powershell.md#install-the-aadcloudsynctools-powershell-module).

+ 1. From a PowerShell session with administrative privileges, type, or copy and paste, the following:

+ 1. Enter your Azure AD global admin credentials.

+ 1. Type, or copy and paste, the following:

+ 1. After this completes, it should say that the account was repaired successfully.

+To enable and use password writeback with cloud sync, keep the following in mind:

+- If you need to update the [gMSA permissions](how-to-gmsa-cmdlets.md#using-set-aadcloudsyncpermissions), it might take an hour or more for these permissions to replicate to all the objects in your directory. If you don't assign these permissions, writeback can appear to be configured correctly, but users might encounter errors when they update their on-premises passwords from the cloud. Permissions must be applied to **This object and all descendant objects** for **Unexpire Password** to appear.

+- If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-premises Active Directory Domain Services (AD DS) environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly.

+- Password policies in the on-premises AD DS environment might prevent password resets from being correctly processed. If you're testing this feature and want to reset passwords for users more than once per day, the group policy for the minimum password age must be set to 0. You can find this setting in the following location: **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Account Policies**, within **gpmc.msc**.

+ - If you update the group policy, wait for the updated policy to replicate, or use the `gpupdate /force` command.

+ - For passwords to be changed immediately, the minimum password age must be set to 0. However, if users adhere to the on-premises policies, and the minimum password age is set to a value greater than 0, password writeback doesn't work after the on-premises policies are evaluated.

+### Linux and macOS

+On Linux, MSAL.NET opens the default OS browser with a tool like [xdg-open](http://manpages.ubuntu.com/manpages/focal/man1/xdg-open.1.html). Opening the browser with `sudo` is unsupported by MSAL and will cause MSAL to throw an exception.

+On macOS, the browser is opened by invoking `open <url>`.

+### Customizing the experience

+MSAL.NET can respond with an HTTP message or HTTP redirect when a token is received or an error occurs.

+1. Select **Expose an API**

+1. Select **Set** next to **Application ID URI** if you haven't yet configured one.

+ You can use the default value of `api://<application-client-id>` or another [supported App ID URI pattern](reference-app-manifest.md#identifieruris-attribute). The App ID URI acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique.

+1. Select **Add a scope**:

+## February 2022

+### Updated articles

+- [Add Google as an identity provider for B2B guest users](google-federation.md)

+- [External Identities in Azure Active Directory](external-identities-overview.md)

+- [Overview: Cross-tenant access with Azure AD External Identities (Preview)](cross-tenant-access-overview.md)

+- [B2B collaboration overview](what-is-b2b.md)

+- [Federation with SAML/WS-Fed identity providers for guest users (preview)](direct-federation.md)

+- [Quickstart: Add a guest user with PowerShell](b2b-quickstart-invite-powershell.md)

+- [Tutorial: Bulk invite Azure AD B2B collaboration users](tutorial-bulk-invite.md)

+- [Azure Active Directory B2B best practices](b2b-fundamentals.md)

+- [Azure Active Directory B2B collaboration FAQs](faq.yml)

+- [Email one-time passcode authentication](one-time-passcode.md)

+- [Azure Active Directory B2B collaboration invitation redemption](redemption-experience.md)

+- [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)

+- [Properties of an Azure Active Directory B2B collaboration user](user-properties.md)

+- [Authentication and Conditional Access for External Identities](authentication-conditional-access.md)

+> Data of users included in multi-stage access reviews are a part of the audit record at the start of the review. Administrators may delete the data at any time by deleting the multi-stage access review series. For general information about GDPR and protecting user data, see the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trust-center/privacy/gdpr-overview) and the [GDPR section of the Service Trust portal](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).

+And the IssuerUri on the new domain has been set to `https://bmcontoso.com/adfs/services/trust`

+## February 2022

+### New articles

+- [Tutorial: Manage application access and security](tutorial-manage-access-security.md)

+- [Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle PeopleSoft](f5-big-ip-oracle-peoplesoft-easy-button.md)

+- [Tutorial: Govern and monitor applications](tutorial-govern-monitor.md)

+- [Properties of an enterprise application](application-properties.md)

+### Updated articles

+- [Tutorial: Manage application access and security](tutorial-manage-access-security.md)

+- [Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle JDE](f5-big-ip-oracle-jde-easy-button.md)

+- [Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle EBS](f5-big-ip-oracle-enterprise-business-suite-easy-button.md)

+- [Tutorial: Configure F5 BIG-IP Easy Button for Kerberos SSO](f5-big-ip-kerberos-easy-button.md)

+- [Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for header-based SSO](f5-big-ip-headers-easy-button.md)

+- [Tutorial: Configure F5 BIG-IP Easy Button for header-based and LDAP SSO](f5-big-ip-ldap-header-easybutton.md)

+- [Configure sign-in behavior using Home Realm Discovery](configure-authentication-for-federated-users-portal.md)

+- [Home Realm Discovery for an application](home-realm-discovery-policy.md)

+- [Disable auto-acceleration sign-in](prevent-domain-hints-with-home-realm-discovery.md)

+- [Configure enterprise application properties](add-application-portal-configure.md)

+- [What is application management in Azure Active Directory?](what-is-application-management.md)

+- [Overview of enterprise application ownership in Azure Active Directory](overview-assign-app-owners.md)

+- [Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO](f5-aad-password-less-vpn.md)

+- [Configure F5 BIG-IP Access Policy Manager for form-based SSO](f5-big-ip-forms-advanced.md)

+- [Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO](f5-big-ip-header-advanced.md)

+- [Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication](f5-big-ip-kerberos-advanced.md)

+- [Integrate F5 BIG-IP with Azure Active Directory](f5-aad-integration.md)

+ <set-url>@($"https://accounting.acme.com/salesdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+ <set-url>@($"https://inventory.acme.com/materiallevels?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+<set-url>@($"https://production.acme.com/throughput?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+<set-url>@($"https://production.acme.com/accidentdata?from={(string)context.Variables["fromDate"]}&to={(string)context.Variables["fromDate"]}")</set-url>

+ It can take 15 to 45 minutes to update the API Management instance. The Developer tier has downtime during the process. The Basic and higher SKUs don't have downtime during the process.

+It can take 15 to 45 minutes to update the API Management instance. The Developer tier has downtime during the process. The Basic and higher SKUs don't have downtime during the process.

+> [!IMPORTANT]

+ Title: Upcoming Breaking Changes in Azure API Management | Microsoft Docs

+description: A list of all the upcoming breaking changes for Azure API Management

+documentationcenter: ''

+# Upcoming breaking changes

+The following table lists all the upcoming breaking changes and feature retirements for Azure API Management.

+| Change Title | Effective Date |

+|:-|:|

+| [Resource Provider Source IP Address Update][bc1] | March 31, 2023 |

+<!-- Links -->

+[bc1]: ./rp-source-ip-address-change-mar2023.md

+ Title: Azure API Management IP address change (March 2023) | Microsoft Docs

+description: Azure API Management is updating the source IP address of the resource provider in certain regions. If your service is hosted in a Microsoft Azure Virtual Network, you may need to update network settings to continue managing your service.

+documentationcenter: ''

+# Resource Provider source IP address updates (March 2023)

+On 31 March, 2023 as part of our continuing work to increase the resiliency of API Management services, we're making the resource providers for Azure API Management zone redundant in each region. The IP address that the resource provider uses to communicate with your service will change in seven regions:

+| Region | Old IP Address | New IP Address |

+|:-|:--:|:--:|

+| Canada Central | 52.139.20.34 | 20.48.201.76 |

+| Brazil South | 191.233.24.179 | 191.238.73.14 |

+| Germany West Central | 51.116.96.0 | 20.52.94.112 |

+| South Africa North | 102.133.0.79 | 102.37.166.220 |

+| Korea Central | 40.82.157.167 | 20.194.74.240 |

+| Central India | 13.71.49.1 | 20.192.45.112 |

+| South Central US | 20.188.77.119 | 20.97.32.190 |

+This change will have NO effect on the availability of your API Management service. However, you **may** have to take steps described below to configure your API Management service beyond 31 March, 2023.

+## Is my service affected by this change?

+Your service is impacted by this change if:

+* The API Management service is in one of the seven regions listed in the table above.

+* The API Management service is running inside an Azure virtual network.

+* The Network Security Group (NSG) or User-defined Routes (UDRs) for the virtual network are configured with explicit source IP addresses.

+## What is the deadline for the change?

+The source IP addresses for the affected regions will be changed on 31 March, 2023. Complete all required networking changes before then.

+After 31 March 2023, if you prefer not to make changes to your IP addresses, your services will continue to run but you will not be able to add or remove APIs, or change API policy, or otherwise configure your API Management service.

+## Can I avoid this sort of change in the future?

+Yes, you can.

+API Management publishes a _service tag_ that you can use to configure the NSG for your virtual network. The service tag includes information about the source IP addresses that API Management uses to manage your service. For more information on this topic, read [Configure NSG Rules] in the API Management documentation.

+## What do I need to do?

+Update the NSG security rules that allow the API Management resource provider to communicate with your API Management instance. For detailed instructions on how to manage a NSG, review [Create, change, or delete a network security group] in the Azure Virtual Network documentation.

+1. Go to the [Azure portal](https://portal.azure.com) to view your NSGs. Search for and select **Network security groups**.

+2. Select the name of the NSG associated with the virtual network hosting your API Management service.

+3. In the menu bar, choose **Inbound security rules**.

+4. The inbound security rules should already have an entry that mentions a Source address matching the _Old IP Address_ from the table above. If it doesn't, you're not using explicit source IP address filtering, and can skip this update.

+5. Select **Add**.

+6. Fill in the form with the following information:

+

+ 1. Source: **Service Tag**

+ 2. Source Service Tag: **ApiManagement**

+ 3. Source port ranges: __*__

+ 4. Destination: **VirtualNetwork**

+ 5. Destination port ranges: **3443**

+ 6. Protocol: **TCP**

+ 7. Action: **Allow**

+ 8. Priority: Pick a suitable priority to place the new rule next to the existing rule.

+ The Name and Description fields can be set to anything you wish. All other fields should be left blank.

+7. Select **OK**.

+In addition, you may have to adjust the network routing for the virtual network to accommodate the new control plane IP addresses. If you've configured a default route (`0.0.0.0/0`) forcing all traffic from the API Management subnet to flow through a firewall instead of directly to the Internet, then additional configuration is required.

+If you configured user-defined routes (UDRs) for control plane IP addresses, the new IP addresses must be routed the same way. For more details on the changes necessary to handle network routing of management requests, review [Force tunneling traffic] documentation.

+Finally, check for any other systems that may impact the communication from the API Management resource provider to your API Management service subnet. For more information about virtual network configuration, review the [Virtual Network] documentation.

+## More Information

+* [Virtual Network](/azure/virtual-network)

+* [API Management VNET Reference](../virtual-network-reference.md)

+* [Microsoft Q&A](/answers/topics/azure-api-management.html)

+<!-- Links -->

+[Configure NSG Rules]: ../api-management-using-with-internal-vnet.md#configure-nsg-rules

+[Virtual Network]: /azure/virtual-network

+[Force tunneling traffic]: ../virtual-network-reference.md#force-tunneling-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance

+[Create, change, or delete a network security group]: /azure/virtual-network/manage-network-security-group

+description: This article shows you how to use API Management to import a Logic App (Consumption) resource as an API.

+> [!NOTE]

+> API Management supports automated import of a Logic App (Consumption) resource. which runs in the multi-tenant Logic Apps environment. Learn more about [single-tenant versus muti-tenant Logic Apps](../logic-apps/single-tenant-overview-compare.md).

+- Make sure there is a Consumption plan-based Logic App resource in your subscription that exposes an HTTP endpoint. For more information, [Trigger workflows with HTTP endpoints](../logic-apps/logic-apps-http-endpoint.md)

+ Title: Set up private endpoint for Azure API Management Preview

+* Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.

+ | **Mount path** | Directory inside your file/blob storage that you want to mount. Do not use a root directory (`[C-Z]:\` or `/`) or the `home` directory (`[C-Z]:\home`, or `/home`).|

+### Application services extension v 0.12.2 (March 2022)

+- Update to resolve upgrade failures when upgrading from v 0.12.0 when extension name length is over 35 characters

+If your extension was in the stable version and auto-upgrade-minor-version is set to true, the extension upgrades automatically. To manually upgrade the extension to the latest version, you can run the command:

+```azurecli-interactive

+ az k8s-extension update --cluster-type connectedClusters -c <clustername> -g <resource group> -n <extension name> --release-train stable --version 0.12.2

+```

+There are three types of routing to consider when you configure regional virtual network integration. [Application routing](#application-routing) defines what traffic is routed from your app and into the virtual network. [Configuration routing](#configuration-routing) affects operations that happen before or during startup of you app. Examples are container image pull and app settings with Key Vault reference. [Network routing](#network-routing) is the ability to handle how both app and configuration traffic is routed from your virtual network and out.

+Application routing affects all the traffic that is sent from your app after it has been started. See [configuration routing](#configuration-routing) for traffic during start up. When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your virtual network. You configure this behavior through the **Route All** setting. If **Route All** is disabled, your app only routes private traffic into your virtual network. If you want to route all your outbound app traffic into your virtual network, make sure that **Route All** is enabled.

+> * When **Route All** is enabled, all app traffic is subject to the NSGs and UDRs that are applied to your integration subnet. When **Route All** is enabled, outbound traffic is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.

+We recommend that you use the **Route All** configuration setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.

+When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, configuration traffic will go directly over the public route, but individual components you actively configure it to be routed through the virtual network integration.

+> [!NOTE]

+> * Windows containers don't support routing App Service Key Vault references or pulling custom container images over virtual network integration.

+> * Backup/restore to private storage accounts is currently not supported.

+> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.

+> * Diagnostics logs to private storage accounts is currently not supported.

+##### App settings using Key Vault references

+App settings using Key Vault references will attempt to get secrets over the public route. If the Key Vault is blocking public traffic and the app is using virtual network integration, an attempt will then be made to get the secrets through the virtual network integration.

+description: This article shows you have to deploy a Node.js app using Express.js and a MongoDB database to Azure. Azure App Service is used to host the web application and Azure Cosmos DB to host the database using the 100% compatible MongoDB API built into Cosmos DB.

+In this tutorial, you'll deploy a sample **Express.js** app using a **MongoDB** database to Azure. The Express.js app will be hosted in Azure App Service, which supports hosting Node.js apps in both Linux (Node versions 12, 14, and 16) and Windows (versions 12 and 14) server environments. The MongoDB database will be hosted in Azure Cosmos DB, a cloud native database offering a [100% MongoDB compatible API](../cosmos-db/mongodb/mongodb-introduction.md).

+This article assumes you're already familiar with [Node.js development](/learn/paths/build-javascript-applications-nodejs/) and have Node and MongoDB installed locally. You'll also need an Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/nodejs/).

+* Install the package dependencies by running `npm install`.

+* Copy the `.env.sample` file to `.env` and populate the DATABASE_URL value with your MongoDB URL (for example *mongodb://localhost:27017/*).

+* Start the application using `npm start`.

+* To view the app, browse to `http://localhost:3000`.

+Azure App Service is used to host the Express.js web app. When setting up the App Service for the application, you'll specify:

+* The **Name** for the web app. It's the name used as part of the DNS name for your webapp in the form of `https://<app-name>.azurewebsites.net`.

+* The **Runtime** for the app. It's where you select the version of Node to use for your app.

+* The **Resource Group** for the app. A resource group lets you group (in a logical container) all the Azure resources needed for the application.

+Create Azure resources using the [Azure portal](https://portal.azure.com/), VS Code using the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack), or the Azure CLI.

+| [!INCLUDE [Create app service step 4](<./includes/tutorial-nodejs-mongodb-app/create-app-service-azure-portal-4.md>)] | :::image type="content" source="./media/tutorial-nodejs-mongodb-app/create-app-service-azure-portal-4-240px.png" alt-text="A screenshot of the Spec Picker dialog that lets you select the App Service plan to use for your web app." lightbox="./media/tutorial-nodejs-mongodb-app/create-app-service-azure-portal-4.png"::: |

+Azure Cosmos DB is a fully managed NoSQL database for modern app development. Among its features are a 100% MongoDB compatible API allowing you to use your existing MongoDB tools, packages, and applications with Cosmos DB.

+You must sign in to the [Azure portal](https://portal.azure.com/) to finish these steps to create a Cosmos DB.

+| [!INCLUDE [Create Cosmos DB step 1](<./includes/tutorial-nodejs-mongodb-app/create-cosmos-db-visual-studio-code-1.md>)] | :::image type="content" source="./media/tutorial-nodejs-mongodb-app/create-cosmos-db-visual-studio-code-1-240px.png" alt-text="A screenshot showing the database component of the Azure Tools VS Code extension and the location of the button to create a new database." lightbox="./media/tutorial-nodejs-mongodb-app/create-cosmos-db-visual-studio-code-1.png"::: |

+To connect to your Cosmos DB database, you need to provide the connection string for the database to your application. It's done in the sample application by reading the `DATABASE_URL` environment variable. When you locally run it, the sample application uses the [dotenv package](https://www.npmjs.com/package/dotenv) to read the connection string value from the `.env` file.

+When you run in Azure, configuration values like connection strings can be stored in the *application settings* of the App Service hosting the web app. These values are then made available to your application as environment variables during runtime. In this way, the application uses the connection string from `process.env` the same way whether being run locally or in Azure. Further, it eliminates the need to manage and deploy environment specific config files with your application.

+| [!INCLUDE [Connection string step 2](<./includes/tutorial-nodejs-mongodb-app/connection-string-azure-portal-2.md>)] | :::image type="content" source="./media/tutorial-nodejs-mongodb-app/connection-string-azure-portal-2-240px.png" alt-text="A screenshot showing how to search for and go to the App Service, where the connection string needs to store the connection string." lightbox="./media/tutorial-nodejs-mongodb-app/connection-string-azure-portal-2.png"::: |

+| [!INCLUDE [Connection string step 3](<./includes/tutorial-nodejs-mongodb-app/connection-string-azure-portal-3.md>)] | :::image type="content" source="./media/tutorial-nodejs-mongodb-app/connection-string-azure-portal-3-240px.png" alt-text="A screenshot showing how to use the Application settings within an App Service." lightbox="./media/tutorial-nodejs-mongodb-app/connection-string-azure-portal-3.png"::: |

+Azure App Service captures all messages logged to the console to assist you in diagnosing issues with your application. The sample app outputs console log messages in each of its endpoints to demonstrate this capability. For example, the `get` endpoint outputs a message about the number of tasks retrieved from the database and an error message appears if something goes wrong.

+Azure App Service provides a web-based diagnostics console named [Kudu](./resources-kudu.md) that lets you examine the server hosting environment for your web app. Using Kudu, you can view the files deployed to Azure, review the deployment history of the application, and even open an SSH session into the hosting environment.

+To access Kudu, go to one of the following URLs. You'll need to sign into the Kudu site with your Azure credentials.

+* For apps deployed in Free, Shared, Basic, Standard, and Premium App Service plans - `https://<app-name>.scm.azurewebsites.net`.

+* For apps deployed in Isolated service plans - `https://<app-name>.scm.<ase-name>.p.azurewebsites.net`.

+Selecting the *Site wwwroot* link under the Browse Directory heading lets you browse and view the files on the web server.

+

+When you're finished, you can delete all the resources from Azure by deleting the resource group for the application.

+Follow these steps while you're signed-in to the Azure portal to delete a resource group.

+| [!INCLUDE [Remove resource group Azure portal 1](<./includes/tutorial-nodejs-mongodb-app/remove-resource-group-azure-portal-1.md>)] | :::image type="content" source="./media/tutorial-nodejs-mongodb-app/remove-resource-group-azure-portal-1-240px.png" alt-text="A screenshot showing how to search for and go to a resource group in the Azure portal." lightbox="./media/tutorial-nodejs-mongodb-app/remove-resource-group-azure-portal-1.png"::: |

+If your command runs successfully, then your MySQL server is running. If not, ensure that your local MySQL server is started by following the [MySQL post-installation steps](https://dev.mysql.com/doc/refman/5.7/en/postinstallation.html).

+1. Ensure the default branch is `main`.

+ > The branch name change isn't required by App Service. But, since many repositories are changing their default branch to `main`, this tutorial also shows you how to deploy a repository from `main`. For more information, see [Change deployment branch](deploy-local-git.md#change-deployment-branch).

+1. Go to `http://localhost:8000` in a browser. Add a few tasks in the page.

+1. To stop PHP, enter `Ctrl + C` in the terminal.

+In this step, you create a MySQL database in [Azure Database for MySQL](../mysql/index.yml). Later, you set up the PHP application to connect to this database.

+1. Exit the server connection by entering `quit`.

+> To secure your MySQL connection information, this file is already excluded from the Git repository (See _.gitignore_ in the repository root). Later, you learn how to set up the environment variables in App Service to connect to your database in Azure Database for MySQL. With environment variables, you don't need the *.env* file in App Service.

+1. Go to `http://localhost:8000`. If the page loads without errors, the PHP application is connecting to the MySQL database in Azure.

+1. To stop PHP, enter `Ctrl + C` in the terminal.

+[Laravel application lifecycle](https://laravel.com/docs/5.4/lifecycle) begins in the _public_ directory instead of the application's root directory. The default PHP Docker image for App Service uses Apache, and it doesn't let you customize the `DocumentRoot` for Laravel. But you can use `.htaccess` to rewrite all requests to point to _/public_ instead of the root directory. In the repository root, an `.htaccess` is added already for this purpose. With it, your Laravel application is ready to be deployed.

+For the tasks scenario, you change the application so that you can mark a task as complete.

+1. In the local terminal window, go to the root of the Git repository.

+1. To see the task status change, go to `http://localhost:8000` and select the checkbox.

+1. To stop PHP, enter `Ctrl + C` in the terminal.

+1. Once the `git push` is complete, go to the Azure app and test the new functionality.

+If you add any task, they're retained in the database. Updates to the data schema leave existing data intact.

+To stop log streaming at any time, enter `Ctrl`+`C`.

+1. From the left menu, select **App Services**, and then select the name of your Azure app.

+ You see your app's Overview page. In this page, you can do basic management tasks like stop, start, restart, browse, and delete.

+This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an Azure Database for Postgres database. You can also select the option above to try the PostgresSQL Flexible Server. Flexible Server provides a simpler deployment mechanism and lower ongoing costs.

+> * Set up your initial environment with Python and the Azure CLI.

+> * Create an Azure Database for PostgreSQL database.

+> * Deploy code to Azure App Service and connect to PostgreSQL.

+> * Update your code and redeploy.

+> * View diagnostic logs.

+> * Manage the web app in the Azure portal.

+This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an [Azure Database for PostgreSQL Flexible Server](../postgresql/flexible-server/index.yml) database. If you can't use PostgreSQL Flexible Server, then select the Single Server option above.

+> * Set up your initial environment with Python and the Azure CLI.

+> * Create an Azure Database for PostgreSQL Flexible Server database.

+> * Deploy code to Azure App Service and connect to PostgreSQL Flexible Server.

+> * Update your code and redeploy.

+> * View diagnostic logs.

+> * Manage the web app in the Azure portal.

+1. Install the <a href="/cli/azure/install-azure-cli" target="_blank">Azure CLI</a> 2.18.0 or higher, with which you run commands in any shell, to set up and configure Azure resources.

+Open a terminal window and check that your Python version is 3.6 or higher:

+Then sign in to Azure using the CLI:

+Then go into that folder:

+For Flexible Server, use the flexible-server branch of the sample that contains a few necessary changes such as:

+- How the database server URL is set.

+- Adding `'OPTIONS': {'sslmode': 'require'}` to the Django database configuration as required by Azure PostgreSQL Flexible Server.

+Go to [https://github.com/Azure-Samples/djangoapp](https://github.com/Azure-Samples/djangoapp).

+If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#1-set-up-your-initial-environment).

+- For *\<admin-username>* and *\<admin-password>*, specify credentials to create an admin user for this Postgres server.

+- The admin username can't be *azure_superuser*, *azure_pg_admin*, *admin*, *administrator*, *root*, *guest*, or *public*. It can't start with *pg_*.

+- The password must contain 8 to 128 characters from either:

+ - English uppercase letters.

+ - English lowercase letters.

+ - Numbers (0 through 9).

+ - Non-alphanumeric characters (for example, !, #, %).

+- The password can't contain username.

+- Don't use the `$` character in the username or password. Later you create environment variables with these values where the `$` character has special meaning within the Linux container used to run Python apps.

+This command does the following actions, which may take a few minutes:

+- Create an admin account using the `--admin-user` and `--admin-password` arguments. You can omit these arguments to allow the command to generate unique credentials for you.

+- Allow access from your local IP address.

+- Allow access from Azure services.

+1. Allow parameters caching with the Azure CLI so you don't need to provide those parameters with every command. (Cached values are saved in the *.azure* folder.)

+ If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#1-set-up-your-initial-environment).

+ The [az postgres flexible-server create](/cli/azure/postgres/flexible-server#az_postgres_flexible_server_create) command does the following actions, which take a few minutes:

+ - Create an admin account with a username and password. You can specify these values directly with the `--admin-user` and `--admin-password` parameters.

+ - Allows complete public access, which you can control using the `--public-access` parameter.

+1. When the command completes, **copy the command's JSON output to a file** because you need values from the output later in this tutorial, specifically the host, username, and password, along with the database name.

+In the terminal, ensure you're in the *djangoapp* repository folder that contains the app code.

+This command does the following actions, which may take a few minutes:

+- Allow default logging for the app, if not already enabled.

+- Cache common parameters, such as the name of the resource group and App Service plan, into the file *.azure/config*. As a result, you don't need to specify again all the same parameters with later commands. For example, to redeploy the app after making changes, you can just run `az webapp up` again without any parameters. Commands that come from CLI extensions, such as `az postgres up` don't use the cache now, which is why you must specify the resource group and location here with the initial use of `az webapp up`.

+1. In the terminal, ensure you're in the *djangoapp* repository folder that contains the app code.

+ This command does the following actions, which may take a few minutes, using resource group and location cached from the previous `az group create` command (the group `Python-Django-PGFlex-rg` in the `centralus` region in this example).

+ - Allow default logging for the app.

+When deployed successfully, the command generates JSON output like the following example:

+The app code expects to find database information in four environment variables such as `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS`.

+- Replace *\<username>* and *\<password>* with the admin credentials that you used with the earlier `az postgres up` command, or those that `az postgres up` generated for you. The code in *azuresite/production.py* automatically constructs the full Postgres username from `DBUSER` and `DBHOST`, so don't include the `@server` portion. (Also, as noted earlier, you shouldn't use the `$` character in either value because it has a special meaning for Linux environment variables.)

+In your Python code, you use these settings as environment variables with statements like `os.environ.get('DBHOST')`. For more information, see [Access environment variables](configure-language-python.md#access-environment-variables).

+Django database migrations ensure that the schema in the PostgreSQL on Azure database matches with those described in your code.

+ If you can't connect to the SSH session, then the app itself has failed to start. [Check the diagnostic logs](#6-stream-diagnostic-logs) for details. For example, if you haven't created the necessary app settings in the previous section, the logs indicate `KeyError: 'DBNAME'`.

+1. The `createsuperuser` command prompts you for superuser credentials. For the purposes of this tutorial, use the default username `root`, press **Enter** for the email address to leave it blank, and type `Pollsdb1` for the password.

+1. If you see an error that the database is locked, ensure that you ran the `az webapp settings` command in the previous section. Without those settings, the migrate command can't communicate with the database, resulting in the error.

+ If you see "Application Error", then it's likely that you either didn't create the required settings in the previous step, [Configure environment variables to connect the database](#42-configure-environment-variables-to-connect-the-database), or that those value contain errors. Run the command `az webapp config appsettings list` to check the settings. You can also [check the diagnostic logs](#6-stream-diagnostic-logs) to see specific errors during app startup. For example, if you didn't create the settings, the logs show the error, `KeyError: 'DBNAME'`.

+1. Return to the main website (`http://<app-name>.azurewebsites.net`) to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database.

+When you run it locally, the app is using a local Sqlite3 database and doesn't interfere with your production database. If needed, to better simulate your production environment, you can also use a local PostgreSQL database.

+Browse to the app again (using `az webapp browse` or navigating to `http://<app-name>.azurewebsites.net`) and test the app again in production. (You changed only the length of a database field. So the change is only noticeable if you typed a longer response when you create a question.)

+You can use the console logs generated from inside the container that hosts the app on Azure.

+If you'd like to keep the app or continue to the other tutorials, skip ahead to [Next steps](#next-steps). Otherwise, to avoid incurring ongoing charges you can delete the resource group created for this tutorial:

+If you delete the resource group, you also deallocate and delete all the resources contained within it. Ensure you no longer need the resources in the group before using the command.

+> [Configure Python app](configure-language-python.md)

+| Australia East | `https://sharedeau.eau.attest.azure.net` |

+| Australia SouthEast | `https://sharedsau.sau.attest.azure.net` |

+Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves, [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves, [Trusted Platform Modules (TPMs)](/windows/security/information-protection/tpm/trusted-platform-module-overview), [Trusted launch for Azure VMs](/azure/virtual-machines/trusted-launch#microsoft-defender-for-cloud-integration) and [Azure confidential VMs](/azure/confidential-computing/confidential-vm-overview).

+- Offers [regional shared providers](basic-concepts.md#regional-shared-provider) which can attest with no configuration from users

+1. Construct a Python script with the registration command using PowerShell for later execution on your Azure Linux VM by running the following code:

+You receive the following message when you try to add a Hybrid Runbook Worker by using the `sudo python /opt/microsoft/omsconfig/.../onboarding.py --register` Python script:

+Additionally, attempting to deregister a Hybrid Runbook Worker by using the `sudo python /opt/microsoft/omsconfig/.../onboarding.py --deregister` Python script:

+ * If you want to install only security and critical updates, but skip one or more updates for Python to avoid breaking your legacy application, you should select **Security** and **Critical** under **Update classifications**. Then for the **Exclude** option add the Python packages to skip.

+In your console window, navigate to the directory containing the *app-configuration-quickstart.py* file and execute the following Python command to run the app:

+> This script requires the installation of Python and the [Docker CLI](https://docs.docker.com/install/).

+|`arcdata` Azure CLI extension version| 1.2.3|

+|Arc enabled Kubernetes helm chart extension version|1.1.18911000|

+| `https://login.microsoftonline.com`, `https://<region>.login.microsoft.com`, `login.windows.net` (for Azure Cloud), `https://login.microsoftonline.us` (for Azure US Government) | Required to fetch and update Azure Resource Manager tokens. |

+### Flux v2 - General

+To help troubleshoot issues with `fluxConfigurations` resource (Flux v2), run these az commands with `--debug` parameter specified:

+```azurecli

+az provider show -n Microsoft.KubernetesConfiguration --debug

+az k8s-configuration flux create <parameters> --debug

+```

+### Flux v2 - Webhook/dry run errors

+If you see Flux fail to reconcile with an error like `dry-run failed, error: admission webhook "<webhook>" does not support dry run`, you can resolve the issue by finding the `ValidatingWebhookConfiguration` or the `MutatingWebhookConfiguration` and setting the `sideEffects` to `None` or `NoneOnDryRun`:

+For more information, see [How do I resolve `webhook does not support dry run` errors?](https://fluxcd.io/docs/faq/#how-do-i-resolve-webhook-does-not-support-dry-run-errors)

+>GitOps with Flux v2 is in public preview. In preparation for general availability, features are still being added to the preview. One important feature, multi-tenancy, could affect some users when it is released. To prepare yourself for the release of multi-tenancy, [please review these details](#multi-tenancy).

+> [!TIP]

+> For help resolving any errors, see the Flux v2 suggestions in [Azure Arc-enabled Kubernetes and GitOps troubleshooting](troubleshooting.md#flux-v2general).

+>You need to prepare for the multi-tenancy feature release if you have any cross-namespace sourceRef for HelmRelease, Kustomization, ImagePolicy, or other objects, or [if you use a Kubernetes version less than 1.20.6](https://fluxcd.io/blog/2022/01/january-update/#flux-v026-more-secure-by-default). To prepare, take these actions:

+> * Upgrade to Kubernetes version 1.20.6 or greater.

+> * In your Kubernetes manifests assure that all sourceRef are to objects within the same namespace as the GitOps configuration.

+> * If you need time to update your manifests, you can opt-out of multi-tenancy. However, you still need to upgrade your Kubernetes version.

+## AzureWebJobsKubernetesSecretName

+Indicates the Kubernetes Secrets resource used for storing keys. Supported only when running in Kubernetes. Requires that `AzureWebJobsSecretStorageType` be set to `kubernetes`. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read-only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.

+|Key|Sample value|

+|||

+|AzureWebJobsKubernetesSecretName|`<SECRETS_RESOURCE>`|

+To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+## AzureWebJobsSecretStorageKeyVaultClientId

+The client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime.

+|Key|Sample value|

+|||

+|AzureWebJobsSecretStorageKeyVaultClientId|`<CLIENT_ID>`|

+To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+## AzureWebJobsSecretStorageKeyVaultClientSecret

+The secret for client ID of the user-assigned managed identity or the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime.

+|AzureWebJobsSecretStorageKeyVaultClientSecret|`<CLIENT_SECRET>`|

+To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+## AzureWebJobsSecretStorageKeyVaultName

+The name of a key vault instance used to store keys. This setting is only supported for version 3.x of the Functions runtime. For version 4.x, instead use `AzureWebJobsSecretStorageKeyVaultUri`. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`.

+The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When running locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file).

+|Key|Sample value|

+|||

+|AzureWebJobsSecretStorageKeyVaultName|`<VAULT_NAME>`|

+To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+## AzureWebJobsSecretStorageKeyVaultTenantId

+The tenant ID of the app registration used to access the vault where keys are stored. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`. Supported in version 4.x and later versions of the Functions runtime. To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+|Key|Sample value|

+|||

+|AzureWebJobsSecretStorageKeyVaultTenantId|`<TENANT_ID>`|

+## AzureWebJobsSecretStorageKeyVaultUri

+The URI of a key vault instance used to store keys. Supported in version 4.x and later versions of the Functions runtime. This is the recommended setting for using a key vault instance for key storage. Requires that `AzureWebJobsSecretStorageType` be set to `keyvault`.

+The `AzureWebJobsSecretStorageKeyVaultTenantId` value should be the full value of **Vault URI** displayed in the **Key Vault overview** tab, including `https://`.

+The vault must have an access policy corresponding to the system-assigned managed identity of the hosting resource. The access policy should grant the identity the following secret permissions: `Get`,`Set`, `List`, and `Delete`. <br/>When running locally, the developer identity is used, and settings must be in the [local.settings.json file](functions-develop-local.md#local-settings-file).

+|Key|Sample value|

+|||

+|AzureWebJobsSecretStorageKeyVaultUri|`https://<VAULT_NAME>.vault.azure.net`|

+To learn more, see [Use Key Vault references for Azure Functions](../app-service/app-service-key-vault-references.md?toc=/azure/azure-functions/toc.json).

+## AzureWebJobsSecretStorageSas

+A Blob Storage SAS URL for a second storage account used for key storage. By default, Functions uses the account set in `AzureWebJobsStorage`. When using this secret storage option, make sure that `AzureWebJobsSecretStorageType` isn't explicitly set or is set to `blob`. To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+|Key|Sample value|

+|--|--|

+|AzureWebJobsSecretStorageSa| `<BLOB_SAS_URL>` |

+## AzureWebJobsSecretStorageType

+Specifies the repository or provider to use for key storage. Keys are always encrypted before being stored using a secret unique to your function app.

+|Key| Value| Description|

+||||

+|AzureWebJobsSecretStorageType|`blob`|Keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. This is the default behavior when `AzureWebJobsSecretStorageType` isn't set.<br/>To specify a different storage account, use the `AzureWebJobsSecretStorageSas` setting to indicate the SAS URL of a second storage account. |

+|AzureWebJobsSecretStorageType | `files` | Keys are persisted on the file system. This is the default for Functions v1.x.|

+|AzureWebJobsSecretStorageType |`keyvault` | Keys are stored in a key vault instance set by `AzureWebJobsSecretStorageKeyVaultName`. |

+|Kubernetes Secrets | `kubernetes` | Supported only when running the Functions runtime in Kubernetes. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read-only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|

+To learn more, see [Secret repositories](security-concepts.md#secret-repositories).

+ displayName: "Setting Python version to 3.7 as required by functions"

+ displayName: "Setting Python version to 3.6 as required by functions"

+ PYTHON_VERSION: '3.7' # set this to the Python version to use (supports 3.6, 3.7, 3.8)

+Since subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity for Functions Premium plans, you should use a /24 with 256 addresses for Windows and a /26 with 64 addresses for Linux. When creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /24 and /26 is required for Windows and Linux respectively.

+Replace `<FUNCTION_APP>` with the name of your function app. Also replace `<RESOURCE_GROUP>` with the name of the resource group for your function app. Also, replace `<LINUX_FX_VERSION>` with the Python version you want to use, prefixed by `python|` e.g. `python|3.9`

+##### Understanding async in Python worker

+> If your function is declared as `async` without any `await` inside its implementation, the performance of your function will be severely impacted since the event loop will be blocked which prohibit the Python worker to handle concurrent requests.

+By default, keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. You can use the [AzureWebJobsSecretStorageType](functions-app-settings.md#azurewebjobssecretstoragetype) setting to override this behavior and store keys in a different location.

+|Location | Value | Description |

+||||

+|Second storage account | `blob` | Stores keys in Blob storage of a different storage account, based on the SAS URL in [AzureWebJobsSecretStorageSas](functions-app-settings.md#azurewebjobssecretstoragesas). |

+|File system | `files` | Keys are persisted on the file system, which is the default in Functions v1.x. |

+|Azure Key Vault | `keyvault` | The key vault set in [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. To learn more, see [Use Key Vault references for Azure Functions](../app-service/app-service-key-vault-references.md?toc=/azure/azure-functions/toc.json). |

+|Kubernetes Secrets |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when running the Functions runtime in Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|

+When using Key Vault for key storage, the app settings you need depend on the managed identity type. Functions runtime version 3.x only supports system-assigned managed identities.

+# [Version 4.x](#tab/v4)

+| Setting name | System-assigned | User-assigned | App registration |

+| | | | |

+| [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) | Γ£ô | Γ£ô | Γ£ô |

+| [AzureWebJobsSecretStorageKeyVaultClientId](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientid) | X | Γ£ô |Γ£ô |

+| [AzureWebJobsSecretStorageKeyVaultClientSecret](functions-app-settings.md#azurewebjobssecretstoragekeyvaultclientsecret) | X | X | Γ£ô |

+| [AzureWebJobsSecretStorageKeyVaultTenantId](functions-app-settings.md#azurewebjobssecretstoragekeyvaulttenantid) | X | X | Γ£ô |

+# [Version 3.x](#tab/v3)

+| Setting name | System-assigned | User-assigned | App registration |

+| | | | |

+| [AzureWebJobsSecretStorageKeyVaultName](functions-app-settings.md#azurewebjobssecretstoragekeyvaultname) | Γ£ô | X | X |

+| [Azure Maps Jupyter Notebook samples](https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook) | A collection of Python samples using the Azure Maps REST services. |

+Any destinations for the diagnostic setting must be created before creating the diagnostic settings. The destination does not have to be in the same subscription as the resource sending logs as long as the user who configures the setting has appropriate Azure RBAC access to both subscriptions. Using Azure Lighthouse, it is also possible to have diagnostic settings sent to a workspace, storage account or Event Hub in another Azure Active Directory tenant. The following table provides unique requirements for each destination including any regional restrictions.

+* [Virtual network peering](../virtual-network/virtual-network-peering-overview.md)

+## The mount instructions of a volume include a list of IP addresses. Which IP address should I use?

+Application volume group ensures that SAP HANA data and log volumes for one HANA host will always have separate storage endpoints with different IP addresses to achieve best performance. To host your data, log and shared volumes across the Azure NetApp Files storage resource(s) up to six storage endpoints can be created per used Azure NetApp Files storage resource. For this reason, it is recommended to size the delegated subnet accordingly. See [Requirements and considerations for application volume group for SAP HANA](application-volume-group-considerations.md). Although all listed IP addresses can be used for mounting, the first listed IP address is the one that provides the lowest latency. It is recommended to always use the first IP address.

+## What is the optimal mount option for SAP HANA?

+To have an optimal SAP HANA experience, there is more to do on the Linux client than just mounting the volumes. A complete setup and configuration guide is available for SAP HANA on Azure NetApp Files. It includes many recommended Linux settings and recommended mount options. See the SAP HANA solutions overview on [SAP HANA on Azure NetApp Files](azure-netapp-files-solution-architectures.md#sap-hana) to select the guide for your system architecture.

+4. Sign into Docker with the Azure Container registry (ACR) credentials that you saved after creating the registry using below command in terminal. Note that this command would give a warning that using --password or -p via CLI is insecure. Therefore, if you want a more secure login for your future solution development, use `--password-stdin` instead by following [this instruction](https://docs.docker.com/engine/reference/commandline/login/).

+

+

+ - `Output alias` - A unique alias for the output

+

+ - `Select Group workspace from your subscriptions` - Select this radio button

+ - `Group workspace` - Select your target group workspace

+ - `Dataset name` - Enter a dataset name

+ - `Table name` - Enter a table name

+ - `Authentication mode` - User token

+ 

+ 5. <strong>Select a Python alias to create a virtual environment</strong>: Choose the location of your Python interpreter. If the location isn't shown, type in the full path to your Python binary. Select skip virtual environment you donΓÇÖt have Python installed.

+Because two containers that are running on the same host are on the same Docker network, you can easily access them by using the container name and the port address for the service. For example, if you're connecting to the instance of Azure SQL Edge from another Python module (container) on the same host, you can use a connection string similar to the following. (This example assumes that Azure SQL Edge is configured to listen on the default port.)

+You might want to connect to the instance of Azure SQL Edge from another machine on the network. To do so, use the IP address of the Docker host and the host port to which the Azure SQL Edge container is mapped. For example, if the IP address of the Docker host is *xxx.xxx.xxx.xxx*, and the Azure SQL Edge container is mapped to host port *1600*, then the server address for the instance of Azure SQL Edge would be *xxx.xxx.xxx.xxx,1600*. The updated Python script is:

+Azure AD-only authentication is a feature within [Azure SQL](../azure-sql-iaas-vs-paas-what-is-overview.md) that allows the service to only support Azure AD authentication, and is supported for [Azure SQL Database](sql-database-paas-overview.md) and [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md).

+Azure AD-only authentication is also available for dedicated SQL pools (formerly SQL DW) in standalone servers. Azure AD-only authentication can be enabled for the Azure Synapse workspace. For more information, see [Azure AD-only authentication with Azure Synapse workspaces](../../synapse-analytics/sql/active-directory-authentication.md).

+> [Create server with Azure AD-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md)

+description: User-assigned managed identities (UMI) in Azure AD (AD) for Azure SQL Database, SQL Managed Instance, and dedicated SQL pools in Azure Synapse Analytics.

+A system-assigned managed identity is automatically assigned to a managed instance when it is created. When using Azure AD authentication with Azure SQL Managed Instance, a managed identity must be assigned to the server identity. Previously, only a system-assigned managed identity could be assigned to the Managed Instance or SQL Database server identity. With support for user-assigned managed identity, the UMI can be assigned to Azure SQL Managed Instance or Azure SQL Database as the instance or server identity. This feature is now supported for SQL Database.

+> This article applies only to dedicated SQL pools (formerly SQL DW) in standalone Azure SQL servers. For more information on user-assigned managed identities for dedicated pools in Azure Synapse workspaces, see [Using a user-assigned managed identity](../../synapse-analytics/security/workspaces-encryption.md#using-a-user-assigned-managed-identity).

+### Grant permissions

+The following is a sample PowerShell script that will grant the necessary permissions for UMI or SMI. This sample will assign permissions to the UMI `umiservertest`. To execute the script, you must sign in as a user with a "Global Administrator" or "Privileged Role Administrator" role, and have the following [Microsoft Graph permissions](/graph/auth/auth-concepts#microsoft-graph-permissions):

+- User.Read.All

+- GroupMember.Read.All

+- Application.Read.ALL

+In the final steps of the script, if you have more UMIs with similar names, you have to use the proper `$MSI[ ]array` number, for example, `$AAD_SP.ObjectId[0]`.

+> [Create an Azure SQL Managed Instance with a user-assigned managed identity](../managed-instance/authentication-azure-ad-user-assigned-managed-identity-create-managed-instance.md)

+> [!div class="nextstepaction"]

+> [Using a user-assigned managed identity in Azure Synapse workspaces](../../synapse-analytics/security/workspaces-encryption.md#using-a-user-assigned-managed-identity)

+Existing APIs to perform Import and Export jobs have been enhanced to support Private Link. Refer to [Import Database API](/rest/api/sql/2021-08-01-preview/servers/import-database)

+- [Import a database from a BACPAC file](database-import.md)

+To allow applications hosted inside Azure to connect to your SQL server, Azure connections must be enabled. To enable Azure connections, there must be a firewall rule with starting and ending IP addresses set to 0.0.0.0. This recommended rule is only applicable to Azure SQL Database.

+# Outbound firewall rules for Azure SQL Database and Azure Synapse Analytics

+> [!IMPORTANT]

+> Outbound firewall rules are defined at the [logical SQL server](logical-servers.md). Geo-replication and Auto-failover groups require the same set of rules to be defined on the primary and all secondarys

+- **Fast geo-recovery** - When [active geo-replication](active-geo-replication-overview.md) is configured, the Business Critical tier has a guaranteed Recovery Point Objective (RPO) of 5 seconds and Recovery Time Objective (RTO) of 30 seconds for 100% of deployed hours.

+## Troubleshooting

+Issues with query execution are typically caused by managed instance not being able to access file location. The related error messages may report insufficient access rights, non-existing location or file path, file being used by another process, or that directory cannot be listed. In most cases this indicates that access to files is blocked by network traffic control policies or due to lack of access rights. This is what should be checked:

+- Wrong or mistyped location path.

+- SAS key validity: it could be expired i.e. out of its validity period, containing a typo, starting with a question mark.

+- SAS key persmissions allowed: Read at minimum, and List if wildcards are used

+- Blocked inbound traffic on the storage account. Check [Managing virtual network rules for Azure Storage](../../storage/common/storage-network-security.md?tabs=azure-portal#managing-virtual-network-rules) for more details and make sure that access from managed instance VNet is allowed.

+- Outbound traffic blocked on the managed instance using [storage endpoint policy](service-endpoint-policies-configure.md#configure-policies). Allow outbound traffic to the storage account.

+To use the link feature, you'll need:

+There's no need to have an existing availability group or multiple nodes. The link supports single node SQL Server instances without existing availability groups, and also multiple-node SQL Server instances with existing availability groups. Through the link, you can leverage the modern benefits of Azure without migrating your entire SQL Server data estate to the cloud.

+You can keep running the link for as long as you need it, for months and even years at a time. And for your modernization journey, if/when you're ready to migrate to Azure, the link enables a considerably-improved migration experience with the minimum possible downtime compared to all other options available today, providing a true online migration to SQL Managed Instance.

+## Limitations

+This section describes the productΓÇÖs functional limitations.

+### General functional limitations

+Managed Instance link has a set of general limitations, and those are listed in this section. Listed limitations are of a technical nature and are unlikely to be addressed in the foreseeable future.

+- Only user databases can be replicated. Replication of system databases isn't supported.

+- The solution doesn't replicate server level objects, agent jobs, nor user logins from SQL Server to Managed Instance.

+- Only one database can be placed into a single Availability Group per one Distributed Availability Group link.

+- Link can't be established between SQL Server and Managed Instance if functionality used on SQL Server isn't support on Managed Instance.

+ - File tables and file streams aren't supported for replication, as Managed Instance doesn't support this.

+ - Replicating Databases using Hekaton (In-Memory OLTP) isn't supported on Managed Instance General Purpose service tier. Hekaton is only supported on Managed Instance Business Critical service tier.

+ - For the full list of differences between SQL Server and Managed Instance, see [this article](./transact-sql-tsql-differences-sql-server.md).

+- In case Change data capture (CDC), log shipping, or service broker are used with database replicated on the SQL Server, and in case of database migration to Managed Instance, on the failover to the Azure, clients will need to connect using instance name of the current global primary replica. you'll need to manually re-configure these settings.

+- In case Transactional Replication is used with database replicated on the SQL Server, and in case of migration scenario, on failover to Azure, transactional replication on Azure SQL Managed instance will not continue. you'll need to manually re-configure Transactional Replication.

+- In case distributed transactions are used with database replicated from the SQL Server, and in case of migration scenario, on the cutover to the cloud, the DTC capabilities will not be transferred. There will be no possibility for migrated database to get involved in distributed transactions with SQL Server, as Managed Instance doesn't support distributed transactions with SQL Server at this time. For reference, Managed Instance today supports distributed transactions only between other Managed Instances, see [this article](../database/elastic-transactions-overview.md#transactions-for-sql-managed-instance).

+- Managed Instance link can replicate database of any size if it fits into chosen storage size of target Managed Instance.

+### Additional limitations

+Some Managed Instance link features and capabilities are limited **at this time**. Details can be found in the following list.

+- SQL Server 2019, Enterprise Edition or Developer Edition, CU15 (or higher) on Windows or Linux host OS is supported.

+- Private endpoint (VPN/VNET) is supported to connect Distributed Availability Groups to Managed Instance. Public endpoint can't be used to connect to Managed Instance.

+- Managed Instance Link authentication between SQL Server instance and Managed Instance is certificate-based, available only through exchange of certificates. Windows authentication between instances isn't supported.

+- Replication of user databases from SQL Server to Managed Instance is one-way. User databases from Managed Instance can't be replicated back to SQL Server.

+- Auto failover groups replication to secondary Managed Instance can't be used in parallel while operating the Managed Instance Link with SQL Server.

+ Title: Managed Instance link - Use SSMS to failover database

+description: This tutorial teaches you how to use Managed Instance link and SSMS to failover database from SQL Server to Azure SQL Managed Instance.

+ms.devlang:

+# Tutorial: Perform Managed Instance link database failover with SSMS

+Managed Instance link is in preview.

+Managed Instance link feature enables you to replicate and optionally migrate your database hosted on SQL Server to Azure SQL Managed Instance.

+Once Managed Instance link database failover is performed from SSMS, the Managed Instance link is cut. Database hosted on SQL Server will become independent from database on Managed Instance and both databases will be able to perform read-write workload. This tutorial will cover performing Managed Instance link database failover by using latest version of SSMS (v18.11 and newer).

+## Managed Instance link database failover (migration)

+Follow the steps described in this section to perform Managed Instance link database failover.

+1. Managed Instance link database failover starts with connecting to SQL Server from SSMS.

+ To perform Managed Instance link database failover and migrate database from SQL Server to Managed Instance, open the context menu of the SQL Server database. Then select Azure SQL Managed Instance link and then choose Failover database option.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-ssms-database-context-failover-database.png" alt-text="Screenshot showing database's context menu option for database failover.":::

+2. When the wizard starts, click Next.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-introduction.png" alt-text="Screenshot showing Introduction window.":::

+3. On the Log in to Azure window, sign-in to your Azure account, select Subscription that is hosting the Managed Instance and click Next.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-login-to-azure.png" alt-text="Screenshot showing Log in to Azure window.":::

+4. On the Failover type window, select the failover type, fill in the required details and click Next.

+ In regular situations you should choose planned manual failover option and confirm that the workload on SQL Server database is stopped.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-failover-type.png" alt-text="Screenshot showing Failover Type window.":::

+> [!NOTE]

+> If you are performing planned manual failover, you should stop the workload on the database hosted on the SQL Server to allow Managed Instance link to completely catch up with the replication, so that failover without data loss is possible.

+5. In case Availability Group and Distributed Availability Group were created only for the purpose of Managed Instance link, you can choose to drop these objects on the Clean-up window. Dropping these objects is optional. Click Next.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-cleanup-optional.png" alt-text="Screenshot showing Cleanup (optional) window.":::

+6. In the Summary window, you will be able to review the upcoming process. Optionally you can create the script to save it, or to execute it manually. If everything is as expected and you want to proceed with the Managed Instance link database failover, click Finish.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-summary.png" alt-text="Screenshot showing Summary window.":::

+7. You will be able to track the progress of the process.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-executing-actions.png" alt-text="Screenshot showing Executing actions window.":::

+8. Once all steps are completed, click Close.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-results.png" alt-text="Screenshot showing Results window.":::

+9. After this, Managed Instance link no longer exists. Both databases on SQL Server and Managed Instance can execute read-write workload and are independent.

+ With this step, the migration of the database from SQL Server to Managed Instance is completed.

+ Database on SQL Server.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-ssms-sql-server-database.png" alt-text="Screenshot showing database on SQL Server in SSMS.":::

+ Database on Managed Instance.

+ :::image type="content" source="./media/managed-instance-link-ssms/link-failover-ssms-managed-instance-database.png" alt-text="Screenshot showing database on Managed Instance in SSMS.":::

+## Next steps

+For more information about Managed Instance link feature, see the following resources:

+- [Managed Instance link feature](./link-feature.md)

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-ssms-database-context-replicate-database.png" alt-text="Screenshot showing database's context menu option for replicate database.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-introduction.png" alt-text="Screenshot showing the introduction window for Managed Instance link replicate database wizard.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-sql-server-requirements.png" alt-text="Screenshot showing SQL Server requirements window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-select-databases.png" alt-text="Screenshot showing Select Databases window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-login-to-azure.png" alt-text="Screenshot showing Login to Azure and select Managed Instance window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-login-to-azure-populated.png" alt-text="Screenshot showing Login to Azure and select Managed Instance populated window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-distributed-ag-options.png" alt-text="Screenshot showing Specify Distributed AG options window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-summary.png" alt-text="Screenshot showing Summary window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-executing-actions.png" alt-text="Screenshot showing Executing actions window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-results.png" alt-text="Screenshot showing Results window.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-ssms-sql-server-database.png" alt-text="Screenshot showing the state of SQL Server database and Availability Group and Distributed Availability Group in SSMS.":::

+ :::image type="content" source="./media/managed-instance-link-ssms/link-replicate-ssms-managed-instance-database.png" alt-text="Screenshot showing the state of Managed Instance database.":::

+5. Select **Download Executable** (for Windows Azure VMs) or **Download Script** (for Linux Azure VMs, a Python script is generated) to download the software used to copy files from the recovery point.

+| Python | 2.6.6 and above |

+After you meet all the requirements listed in [Step 2](#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script), [Step 3](#step-3-os-requirements-to-successfully-run-the-script) and [Step 4](#step-4-access-requirements-to-successfully-run-the-script), generate a Python script for Linux machines. See [Step 1 to learn how to generate and download script](#step-1-generate-and-download-script-to-browse-and-recover-files). Download the script and copy it to the relevant/compatible Linux server. You may have to modify the permissions to execute it with ```chmod +x <python file name>```. Then run the Python file with ```./<python file name>```.

+Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect hybrid backups. This article covers how to enable and leverage these features to protect on-premises workloads using **Microsoft Azure Backup Server (MABS)**, **Data Protection Manager (DPM)**, and **Microsoft Azure Recovery Services (MARS) agent**. These features include:

+| Servers (64-bit) | Windows Server 2022, 2019, 2016, 2012 R2, 2012 <br /><br />(Including Windows Server Core edition) | Azure virtual machine (when workload is running as Azure virtual machine) <br><br> Physical server <br><br> Hyper-V virtual machine <br><br> VMware virtual machine <br><br> Azure Stack | V3 UR1 and V3 UR2 | Volume, share, folder, file <br><br> Deduped volumes (NTFS only) <br><br>When protecting a WS 2016 NTFS deduped volume with MABS v3 running on Windows Server 2019, the recoveries may be affected. We have a fix for doing recoveries in a non-deduped way that will be part of later versions of MABS. Contact MABS support if you need this fix on MABS v3 UR1.<br><br> When protecting a WS 2019 NTFS deduped volume with MABS v3 on Windows Server 2016, the backups and restores will be non-deduped. This means that the backups will consume more space on the MABS server than the original NTFS deduped volume. <br><br> System state and bare metal (Not supported when workload is running as Azure virtual machine) |

+* [Support matrix for backup with Microsoft Azure Backup Server or System Center DPM](backup-support-matrix-mabs-dpm.md)

+This script calls the **worker.py** file from your Python project. If the **PYTHON2** environment variable is set to **on**, then Python 2.7 is used, otherwise Python 3.8 is used.

+Sample code is available on GitHub for each of the Speech service features. These samples cover common scenarios, such as reading audio from a file or stream, continuous and single-shot recognition, and working with custom models. To view SDK and REST samples, see:

+| Sample format | PCM, at least 16-bit |

+| File format | RIFF (.wav) or .mp3, grouped into a .zip file |

+| Sample format |RIFF(.wav): PCM, at least 16-bit<br>mp3: at least 256 KBps bit rate|

+| File format | RIFF (.wav) or .mp3, grouped into a .zip file |

+| Sample format |RIFF(.wav): PCM, at least 16-bit<br>mp3: at least 256 KBps bit rate|

+With the recognizer created and the intents added, recognition can begin. The Speech SDK supports both single-shot and continuous recognition.

+| Single-shot | `RecognizeOnceAsync()` | Returns the recognized intent, if any, after one utterance. |

+The application uses single-shot mode and so calls `RecognizeOnceAsync()` to begin recognition. The result is an `IntentRecognitionResult` object containing information about the intent recognized. You extract the LUIS JSON response by using the following expression:

+Sample code is available on GitHub for the Speech service. These samples cover common scenarios like reading audio from a file or stream, continuous and single-shot recognition, and working with custom models. Use these links to view SDK and REST samples:

+[Use Speech service containers](speech-container-howto.md) to deploy API features on-premises. By using these Docker containers, you can bring the service closer to your data for compliance, security, or other operational reasons.

+| **Max number of transactions per second (TPS) per Speech service resource** | | |

+| Real-time API. Prebuilt neural voices and custom neural voices. | 20 per 60 seconds | 200⁴ |

+| **HTTP-specific quotas** | | |

+| **Websocket specific quotas** | | |

+#### Audio Content Creation tool

+| Quota | Free (F0)| Standard (S0) |

+|--|--|--|

+| File size | 3,000 characters per file | 20,000 characters per file |

+| Export to audio library | 1 concurrent task | N/A |

+Sample code for the Speech SDK is available on GitHub. These samples cover common scenarios like reading audio from a file or stream, continuous and single-shot recognition, and working with custom models:

+You'll find [Speech SDK speech-to-text and translation samples](https://github.com/Azure-Samples/cognitive-services-speech-sdk) on GitHub. These samples cover common scenarios, such as reading audio from a file or stream, continuous and single-shot recognition and translation, and working with custom models.

+Release note for `3.0.1-amd64-<locale>`:

+**Features**

+* Support new locale `uk-UA`.

+| `3.0.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `3.0.0-amd64-en-us`. |

+| Locale for v3.0.1 | Notes | Digest |

+|--|:--|:--|

+| `uk-ua` | Container image with the `uk-UA` locale. | `sha256:af8c370a7ed3e231a611ea37053e809fa7e52ea514c70f4c85f133c7b28a4fba` |

+> As you call `az containerapp create` to create the container app inside your environment, make sure the value for the `--image` parameter is in lower case.

+> [Managing autoscaling behavior](scale-app.md)

+## Slow requests on bulk mode

+[Bulk mode](tutorial-sql-api-dotnet-bulk-import.md) is a throughput optimized mode meant for high data volume operations, not a latency optimized mode; it's meant to saturate the available throughput. If you are experiencing slow requests when using bulk mode make sure that:

+* Your application is compiled in Release configuration.

+* You are not measuring latency while debugging the application (no debuggers attached).

+* The volume of operations is high, don't use bulk for less than 1000 operations. Your provisioned throughput dictates how many operations per second you can process, your goal with bulk would be to utilize as much of it as possible.

+* Monitor the container for [throttling scenarios](troubleshoot-request-rate-too-large.md). If the container is getting heavily throttled it means the volume of data is larger than your provisioned throughput, you need to either scale up the container or reduce the volume of data (maybe create smaller batches of data at a time).

+* You are correctly using the `async/await` pattern to process all concurrent Tasks and not [blocking any async operation](https://github.com/davidfowl/AspNetCoreDiagnosticScenarios/blob/master/AsyncGuidance.md#avoid-using-taskresult-and-taskwait).

+### Cancel a support plan bought from the Azure portal

+1. In the Azure portal, navigate to **Cost Management + Billing**.

+1. On the Overview page, find your plan and then select it.

+1. On the support plan page, select **Cancel**.

+1. In the Cancel support window, verify that you want to cancel and select **Yes, cancel**.

+ :::image type="content" source="./media/cancel-azure-subscription/cancel-legacy-support-plan.png" alt-text="Screenshot showing the legacy Cancel support plan page." lightbox="./media/cancel-azure-subscription/cancel-legacy-support-plan.png" :::

+### Cancel a support plan for a Microsoft Customer Agreement

+* If you select the **KingswaySoft's SSIS Integration Toolkit** component, you can install the [SSIS Integration Toolkit](https://www.kingswaysoft.com/products/ssis-integration-toolkit-for-microsoft-dynamics-365) suite of connectors for CRM/ERP/marketing/collaboration apps, such as Microsoft Dynamics/SharePoint/Project Server, Oracle/Salesforce Marketing Cloud, etc. from KingswaySoft on your Azure-SSIS IR by entering the product license key that you purchased from them in the **License key** box. The current integrated version is **21.2**.

+* If you select the **KingswaySoft's SSIS Productivity Pack** component, you can install the [SSIS Productivity Pack](https://www.kingswaysoft.com/products/ssis-productivity-pack) suite of components from KingswaySoft on your Azure-SSIS IR by entering the product license key that you purchased from them in the **License key** box. The current integrated version is **21.2**.

+* If you select the **CData's SSIS Standard Package** component, you can install the [SSIS Standard Package](https://www.cdata.com/kb/entries/ssis-adf-packages.rst#standard) suite of most popular components from CData, such as Microsoft SharePoint connectors, on your Azure-SSIS IR. To do so, enter the product license key that you purchased from them beforehand in the **License key** text box. The current integrated version is **21.7867**.

+* If you select the **CData's SSIS Extended Package** component, you can install the [SSIS Extended Package](https://www.cdata.com/kb/entries/ssis-adf-packages.rst#extended) suite of all components from CData, such as Microsoft Dynamics 365 Business Central connectors and other components in their **SSIS Standard Package**, on your Azure-SSIS IR. To do so, enter the product license key that you purchased from them beforehand in the **License key** text box. The current integrated version is **21.7867**. Due to its large size, to avoid installation timeout, please ensure that your Azure-SSIS IR has at least 4 CPU cores per node.

+When logged on locally to the Self Hosted Integration Runtime, specific events can be viewed using the [event viewer](/windows/win32/eventlog/viewing-the-event-log). The relevant events are captured in two event viewer journals named: **Connectors ΓÇô Integration Runtime** and **Integration Runtime** respectively. While itΓÇÖs possible to log on to to the Self Hosted Integration Runtime hosts individually to view these events, it's also possible to stream these events to a Log Analytics workspace in Azure monitor for ease of query and centralization purposes.

+Performance counters in Windows and Linux provide insight into the performance of hardware components, operating systems, and applications such as the Self Hosted Integration Runtime. The performance counters can be viewed and collected locally on the VM using the performance monitor tool. See the article on [using performance counters](/windows/win32/perfctrs/using-performance-counters) for more details.

+- Learn how to [create a self-hosted integration runtime in the Azure portal.](create-self-hosted-integration-runtime.md)

+ |`DeviceName`|The name of your device in the **Device** page in the local web UI of your device. <br> This field isn't required for a VPN certificate. |

+ |`NodeSerialNumber`|The `Node serial number` of the device node shown on the **Overview** page in the local web UI of your device. <br> This field isn't required for a VPN certificate. |

+ |`ExternalFQDN`|The `DNS domain` value in the **Device** page in the local web UI of your device. |

+ :::image type="content" source="media/deploy-vulnerability-assessment-tvm/deploy-vulnerability-assessment-solutions.png" alt-text="Selecting a vulnerability assessment solution from the recommendation.":::

+ - **(Recommended) Auto-provisioning** - Auto-provisioning is enabled by default in the onboarding process and requires owner permissions on the subscription. Arc auto-provisioning process is using the OS config agent on GCP end. Learn more about the [OS config agent availability on GCP machines](https://cloud.google.com/compute/docs/images/os-details#vm-manager).

+

+ > [!NOTE]

+ > The Arc auto-provisioning process leverages the VM manager on your Google Cloud Platform, to enforce policies on the your VMs through the OS config agent. A VM with an [Active OS agent](https://cloud.google.com/compute/docs/manage-os#agent-state), will incur a cost according to GCP. Refer to [GCP's technical documentation](https://cloud.google.com/compute/docs/vm-manager#pricing) to see how this may affect your account.

+ > <br><br> Microsoft Defender for Servers does not install the OS config agent to a VM that does not have it installed. However, Microsoft Defender for Servers will enable communication between the OS config agent and the OS config service if the agent is already installed but not communicating with the service.

+ > <br><br> This can change the OS config agent from `inactive` to `active`, and will lead to additional costs.

+| Malware Test File Detected - EICAR AV Success | An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that the antivirus software is installed correctly; demonstrate what happens when a virus is found, and check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. | Major |

+- **CVEs**: A list of devices detected with known vulnerabilities, along with CVSSv2 risk scores.

+- **Excluded CVEs**: A list of all the CVEs that were manually excluded. It is possible to customize the CVE list manually so that the VA reports and attack vectors more accurately reflect your network by excluding or including particular CVEs and updating the CVSSv2 score accordingly.

+| **Max Protected Devices** | 12,000 | 10,000 | 1,000 | 800 |

+| **Max protected devices** | 12,000 | 10,000 | 800 |

+3. On the **Event Hubs Cluster** page, select **Export template** in the **Automation** section on the left menu.

+1. On the **Template deplyment** page, select **Create**.

+1. Select **Build your own template in the editor**.

+1. Select **Load file**, and then follow the instructions to load the **template.json** file that you downloaded in the last section.

+https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/expressRouteProviderPorts

+### To get a list of all port pairs by location

+https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/expressRouteProviderPorts?location={locationName}

+### To get a specific port pair using the port pair descriptor ID.

+```rest

+### Move a target ExpressRoute Circuit to a specific port pair

+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/expressRouteCrossConnections/{crossConnectionName}?api-version=2021-02-01

+For more information on all ExpressRoute REST APIs, see [ExpressRoute REST APIs](/rest/api/expressroute/).

+|Unable to see Network Rule Name in Azure Firewall Logs|Azure Firewall network rule log data does not show the Rule name for network traffic.|Network rule name logging is in preview. For for information, see [Azure Firewall preview features](firewall-preview.md#network-rule-name-logging-preview).|

+zone_pivot_groups: front-door-tiers

+In this article, you'll learn how Front Door Standard/Premium (Preview) Routes and Rule set behaves when you have caching enabled. Azure Front Door is a modern Content Delivery Network (CDN) with dynamic site acceleration and load balancing.

+## Request methods

+Only the GET request method can generate cached content in Azure Front Door. All other request methods are always proxied through the network.

+Refer to [improve performance by compressing files](standard-premium/how-to-compression.md) in Azure Front Door.

+* **Ignore query strings**: In this mode, Front Door passes the query strings from the requestor to the backend on the first request and caches the asset. All ensuing requests for the asset that are served from the Front Door environment ignore the query strings until the cached asset expires.

+* **Cache every unique URL**: In this mode, each request with a unique URL, including the query string, is treated as a unique asset with its own cache. For example, the response from the backend for a request for `www.example.ashx?q=test1` is cached at the Front Door environment and returned for ensuing caches with the same query string. A request for `www.example.ashx?q=test2` is cached as a separate asset with its own time-to-live setting.

+* You can also use Rule Set to specify **cache key query string** behavior, to include, or exclude specified parameters when cache key gets generated. For example, the default cache key is: /foo/image/asset.html, and the sample request is `https://contoso.com//foo/image/asset.html?language=EN&userid=100&sessionid=200`. There's a rule set rule to exclude query string 'userid'. Then the query string cache-key would be `/foo/image/asset.html?language=EN&sessionid=200`.

+See [Cache purging in Azure Front Door Standard/Premium (Preview)](standard-premium/how-to-cache-purge.md) to learn how to configure cache purge.

+* Learn more about [Rule Set Match Conditions](standard-premium/concept-rule-set-match-conditions.md)

+* Learn more about [Rule Set Actions](front-door-rules-engine-actions.md)

+If health probes fail for every backend in a backend pool, then Front Door considers all backends unhealthy and routes traffic in a round robin distribution across all of them.

+ Title: Azure Front Door - Routing rule matching

+description: This article helps you understand how Azure Front Door match incoming requests to a routing rule.

+zone_pivot_groups: front-door-tiers

+In Azure Front Door Standard/Premium tier a route defines how the traffic is handled when the incoming request arrives at the Azure Front Door environment. Through the route settings, an association is defined between a domain and a backend origin group. By turning on advance features such as Pattern to Match and Rule set, you can have a more granular control over traffic to your backend resources.

+> [!IMPORTANT]

+> Azure Front Door Standard/Premium (Preview) is currently in public preview.

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> [!NOTE]

+> When you use the [Front Door rules engine](front-door-rules-engine.md), you can configure a rule to [override the origin group](front-door-rules-engine-actions.md#origin-group-override) for a request. The origin group set by the rules engine overrides the routing process described in this article.

+The decision of how to process the request, depends on whether caching is enabled or not for the Route. If a cached response isn't available, then the request is forwarded to the appropriate backend.

+After Azure Front Door determines the specific frontend host and filtering possible routing rules to just the routes with that frontend host, Front Door then filters the routing rules based on the request path. We use a similar logic as frontend hosts:

+1. If no exact match Paths, look for routing rules with a wildcard Path that matches.

+1. If no routing rules are found with a matching Path, then reject the request and return a 400: Bad Request error HTTP response.

+>[!NOTE]

+> * Any Paths without a wildcard are considered to be exact-match Paths. Even if the Path ends in a slash, it's still considered exact match.

+Once Azure Front Door Standard/Premium has matched to a single routing rule, it then needs to choose how to process the request. If Azure Front Door Standard/Premium has a cached response available for the matched routing rule, then the request gets served back to the client.

+Finally, Azure Front Door Standard/Premium evaluates whether or not you have a [rule set](front-door-rules-engine.md) for the matched routing rule. If there's no rule set defined, then the request gets forwarded to the origin group as-is. Otherwise, the rule sets get executed in the order they're configured. [Rule sets can override the route](front-door-rules-engine-actions.md#origin-group-override), forcing traffic to a specific origin group.

+Learn how to [create a Front Door Standard/Premium](standard-premium/create-front-door-portal.md).

+If the Front Door routing rule has [caching](front-door-caching.md) enabled, and the Front Door edge location's cache includes a valid response for the request, then Front Door returns the cached response.

+* *Rule Set*: A set of rules that gets associated to one or multiple [routes](front-door-route-matching.md).

+Review [Azure Front Door Caching](../front-door-caching.md) to understand how caching works.

+Learn about [caching with Azure Front Door Standard/Premium](../front-door-caching.md).

+- Ability to [query changes made to resource properties](./how-to/get-resource-changes.md)

+- View the last seven days of resource configuration changes to see what properties changed and

+1. Navigate to **Permissions > API tokens**.

+1. Click **+ New** or **Create an API token**.

+You can use the IoT Central _in-store analytics checkout_ application template to build an end-to-end solution. The application template lets you digitally connect to and monitor a retail store environment using different kinds of sensor devices. These sensor devices generate telemetry that you can convert into business insights to help the retailer reduce operating costs and create a great experience for their customers.

+1. Connect different kinds of IoT sensors to an IoT Central application instance.

+2. Monitor and manage the health of the sensor network and any gateway devices in the environment.

+3. Create custom rules around the environmental conditions within a store to trigger alerts for store managers.

+4. Transform the environmental conditions within your store into insights that the retail store team can use to improve the customer experience.

+5. Export the aggregated insights into existing or new business applications to provide useful and timely information to retail staff.

+During the lifecycle of your IoT solution, you'll need to roll certificates. Two of the main reasons for rolling certificates would be a security breach, and certificate expirations.

+There are many ways to obtain new certificates for your IoT devices. These include obtaining certificates from the device factory, generating your own certificates, and having a third party manage certificate creation for you.

+There are two different ways to obtain a signing certificate. The first way, which is recommended for production systems, is to purchase a signing certificate from a root certificate authority (CA). This way chains security down to a trusted source.

+Certificates on a device should always be stored in a safe place like a [hardware security module (HSM)](concepts-service.md#hardware-security-module). The way you roll device certificates will depend on how they were created and installed in the devices in the first place.

+If you got your certificates from a third party, you must look into how they roll their certificates. The process may be included in your arrangement with them, or it may be a separate service they offer.

+If you're managing your own device certificates, you'll have to build your own pipeline for updating certificates. Make sure both old and new leaf certificates have the same common name (CN). By having the same CN, the device can reprovision itself without creating a duplicate registration record.

+The mechanics of installing a new certificate on a device will often involve one of the following approaches:

+- You can trigger affected devices to send a new certificate signing request (CSR) to your PKI Certificate Authority (CA). In this case, each device will likely be able to download its new device certificate directly from the CA.

+- You can retain a CSR from each device and use that to get a new device certificate from the PKI CA. In this case, you'll need to push the new certificate to each device in a firmware update using a secure OTA update service like [Device Update for IoT Hub](/azure/iot-hub-device-update/).

+When a device is initially provisioned through auto-provisioning, it boots-up, and contacts the provisioning service. The provisioning service responds by performing an identity check before creating a device identity in an IoT hub using the deviceΓÇÖs leaf certificate as the credential. The provisioning service then tells the device which IoT hub it's assigned to, and the device then uses its leaf certificate to authenticate and connect to the IoT hub.

+Once a new leaf certificate has been rolled to the device, it can no longer connect to the IoT hub because itΓÇÖs using a new certificate to connect. The IoT hub only recognizes the device with the old certificate. The result of the device's connection attempt will be an "unauthorized" connection error. To resolve this error, you must update the enrollment entry for the device to account for the device's new leaf certificate. Then the provisioning service can update the IoT Hub device registry information as needed when the device is reprovisioned.

+1. Click **Individual Enrollments**, and click the registration ID entry in the list.

+3. Once the compromised certificate has been removed from the provisioning service, the certificate can still be used to make device connections to the IoT hub as long as a device registration for it exists there. You can address this two ways:

+ The first way would be to manually navigate to your IoT hub and immediately remove the device registration associated with the compromised certificate. Then when the device provisions again with an updated certificate, a new device registration will be created.

+1. Click **Individual Enrollments**, and click the registration ID entry in the list.

+ The first way would be to manually navigate to your IoT hub and immediately remove the device registration associated with the compromised certificate. Then when your devices provision again with updated certificates, a new device registration will be created for each one.

+ The first way would be to manually navigate to your IoT hub and immediately remove the device registration associated with the compromised certificate. Then when your devices provision again with updated certificates, a new device registration will be created for each one.

+3. Click **CA Certificate**, and select your new root CA certificate under the **Secondary Certificate** configuration. Then click **Save**.

+1. Click **Enrollment Groups**, and click the group name in the list.

+Once the certificate is rolled on both the device and the Device Provisioning Service, the device can reprovision itself by contacting the Device Provisioning Service.

+- To learn about how to use the portal to create an enrollment group, see [Managing device enrollments with Azure portal](how-to-manage-enrollments.md).

+ *YourIotHubName*. Replace this placeholder name and the curly brackets with the name you chose for your IoT hub. An IoT hub name must be globally unique in Azure. This placeholder is used in the rest of this quickstart to represent your IoT hub name.

+ Title: "Tutorial: Create a single instance inbound NAT rule - Azure portal"

+description: This tutorial shows how to configure port forwarding using Azure Load Balancer to create a connection to a single virtual machine in an Azure virtual network.

+# Tutorial: Create a single instance inbound NAT rule using the Azure portal

+Inbound NAT rules allow you to connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number.

+> * Create a virtual network and virtual machines

+> * Create a standard SKU public load balancer with frontend IP, health probe, backend configuration, load-balancing rule, and inbound NAT rules

+> * Create a NAT gateway for outbound internet access for the backend pool

+> * Install and configure a web server on the VMs to demonstrate the port forwarding and load-balancing rules

+3. In **Virtual machines**, select **+ Create** > **+ Virtual machine**.

+4. In **Create a virtual machine**, enter or select the following values in the **Basics** tab:

+ | Security type | Select **Standard**. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+ | Region | Select **West US 2**. |

+ | Type | Select **Public**. |

+6. Enter **myFrontend** in **Name**.

+ | Frontend IP address | Select **myFrontend**. |

+ | Backend pool | Select **myBackendPool**. |

+ | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **TCP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

+ | Frontend IP address | Select **myFrontend**. |

+ | Frontend Port | Enter **221**. |

+ | Service Tag | Select **Custom**. |

+ | Backend port | Enter **22**. |

+ | Protocol | Leave the default of **TCP**. |

+ | TCP Reset | Leave the default of unchecked. |

+ | Idle timeout (minutes) | Leave the default **4**. |

+ | Frontend IP address | Select **myFrontend**. |

+ | Frontend Port | Enter **222**. |

+ | Service Tag | Select **Custom**. |

+ | Backend port | Enter **22**. |

+ | Protocol | Leave the default of **TCP**. |

+ | TCP Reset | Leave the default of unchecked. |

+ | Idle timeout (minutes) | Leave the default **4**. |

+## Create NAT gateway

+In this section, you'll create a NAT gateway for outbound internet access for resources in the virtual network.

+For more information about outbound connections and Azure Virtual Network NAT, see [Using Source Network Address Translation (SNAT) for outbound connections](load-balancer-outbound-connections.md) and [What is Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md).

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+2. In **NAT gateways**, select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialLBPF-rg**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select **West US 2**. |

+ | Availability zone | Select **None**. |

+ | Idle timeout (minutes) | Enter **15**. |

+4. Select the **Outbound IP** tab or select the **Next: Outbound IP** button at the bottom of the page.

+5. In **Outbound IP**, select **Create a new public IP address** next to **Public IP addresses**.

+6. Enter **myNATGatewayIP** in **Name** in **Add a public IP address**.

+7. Select **OK**.

+8. Select the **Subnet** tab or select the **Next: Subnet** button at the bottom of the page.

+9. In **Virtual network** in the **Subnet** tab, select **myVNet**.

+10. Select **myBackendSubnet** under **Subnet name**.

+11. Select the blue **Review + create** button at the bottom of the page, or select the **Review + create** tab.

+12. Select **Create**.

+3. Select **Fronted IP configuration** in **Settings**.

+3. In the **Frontend IP configuration**, make note of the **IP address** for **myFrontend**. In this example, it's **20.99.165.176**.

+ ssh -i .\Downloads\myKey.pem azureuser@20.99.165.176 -p 221

+ ssh -i .\Downloads\myKey.pem azureuser@20.99.165.176 -p 222

+2. In the address bar, enter the IP address for the load balancer. In this example, it's **20.99.165.176**.

+To help you manage [Azure resources](../azure-resource-manager/management/overview.md#terminology) more easily, you can create automated management tasks for a specific resource or resource group. These tasks vary in number and availability, based on the resource type. For example, for an [Azure storage account](../storage/common/storage-account-overview.md), you can set up an automation task that sends the monthly cost for that storage account. For an [Azure virtual machine](https://azure.microsoft.com/services/virtual-machines/), you can create an automation task that turns on or turns off that virtual machine on a predefined schedule.

+You can create an automation task from a specific automation task template. The following table lists the currently supported resource types and available task templates in this preview:

+Automation tasks are more basic and lightweight than [Azure Automation](../automation/automation-intro.md). Currently, you can create an automation task only at the Azure resource level. Behind the scenes, an automation task is actually a logic app resource that runs a workflow. This logic app workflow is powered by the [*multi-tenant* Azure Logic Apps service](logic-apps-overview.md). After you create the automation task, you can view and edit the underlying workflow by opening the task in the workflow designer. After a task finishes at least one run, you can review the run's status, history, inputs, and outputs.

+By comparison, Azure Automation is a cloud-based automation and configuration service that supports consistent management across your Azure and non-Azure environments. The service comprises [process automation for orchestrating processes](../automation/automation-intro.md#process-automation) that uses [runbooks](../automation/automation-runbook-execution.md), configuration management with [change tracking and inventory](../automation/change-tracking/overview.md), update management, shared capabilities, and heterogeneous features. Automation gives you complete control during deployment, operations, and decommissioning of workloads and resources.

+> [!NOTE]

+* An Office 365 account if you want to follow along with the example, which sends email by using Office 365 Outlook.

+<a name="create-automation-template"></a>

+## Create automation task template from workflow

+You can create your own automation task template by using any Consumption logic app workflow that starts with a recurring or event-based trigger, but not HTTP-based triggers or HTTP-based webhook triggers. For this task, you'll need the following items:

+* A [GitHub](https://github.com) account

+* Your forked version of the [Azure automation task templates GitHub repository](https://github.com/Azure/automation-task-template/tree/master/templates).

+ For more information about forks and creating a fork, review the following GitHub documentation:

+ * [About forks](https://docs.github.com/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks)

+ * [Fork a repo](https://docs.github.com/get-started/quickstart/fork-a-repo)

+* A working branch in your forked repository where you'll add your automation task template.

+ For more information about branches and creating a branch, review the following documentation:

+ * [About branches](https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches)

+ * [Create and delete branches](https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository)

+* Your choice of a web debugging tool. This example uses Fiddler 4, but you can try the free trial available for [Fiddler Everywhere](https://www.telerik.com/fiddler/fiddler-everywhere).

+To create the template and make the template available for use in Azure, here are the high-level steps:

+1. [Export the workflow](#export-workflow) to an automation task template.

+1. [Upload your template](#upload-template) to your working branch in your forked repository.

+1. [Test your template](#test-template) by using your web debugging tool or Fiddler.

+1. [Create a pull request (PR) for your working branch](#create-pull-request) against the default branch in the Azure automation task templates GitHub repository.

+After the Azure Logic Apps team reviews and approves your PR for merging to the default branch, your template is live and available to all Azure customers.

+<a name="export-workflow"></a>

+### Export workflow to automation task template

+1. In the [Azure portal](https://portal.azure.com), open the logic app workflow that you want to export. Make sure that the workflow starts with a recurring or event-based trigger, not an HTTP-based trigger or HTTP-based webhook trigger.

+1. On the logic app resource menu, select **Overview**.

+1. On the **Overview** pane toolbar, select **Export** > **Export to Automation Task**.

+ 

+1. On the **Export to Automation Task** pane that opens, provide the following information:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Template Name** | Yes | <*template-name*> | The friendly display name for the automation task template. <p><p>**Important**: Make sure that you use a concise and easy-to-understand name, for example, **List stale virtual machines**. |

+ | **Template Description** | Yes | <*template-description*> | A description for the template's task or purpose |

+ | **Supported Resource Types** | No | Empty or <*supported-Azure-resource-type-list*> | The first-class Azure resource types where you want to make the template available. Sub-resource types are currently unsupported. To include all first-class Azure resource types, leave this property empty. To specify multiple resource types, separate each name with a comma and use the following syntax: <p><p>**Microsoft.<*service-provider*>/<*entity*>** <p><p>For example, to make the template available for Azure resource groups, specify **Microsoft.Resources/resourceGroups**. For more information, review [Resource providers for Azure services](../azure-resource-manager/management/azure-services-resource-providers.md). |

+ | **Unsupported Resource Types** | No | Empty or <*unsupported-Azure-resource-type-list*> | If any, the Azure resource types where you specifically don't want to make the template available. To specify multiple resource types, separate each name with a comma and use the following syntax: <p><p>**Microsoft.<*service-provider*>/<*entity*>** <p><p>For example, to make the template unavailable for Azure resource groups, specify **Microsoft.Resources/resourceGroups**. For more information, review [Resource providers for Azure services](../azure-resource-manager/management/azure-services-resource-providers.md). |

+ | **Configure Parameters** | No | Varies | If your workflow includes cross-environment [parameter definitions](create-parameters-workflows.md), those parameters appear in this section for you to configure further. You can select whether each parameter value is provided either from the resource or the task creator. <p><p>- If you select **From Resource**, select a **Source Parameter** property value to use from that resource: <p>-- **Resource Name** <br>-- **Resource Type** <br>-- **Resource Id** <br>-- **Subscription Id** <br>-- **Resource Group** <br>-- **Resource Location**. <p><p>- If you select **User Provided**, select a **Template** format that determines how the task creator provides the parameter value: <p>-- **Default**: The parameter value is anything other than an interval, frequency, or time zone. <p>- Specify the parameter's display name, default value, and description. <p>- If the value is a timestamp (*hh:mm:ss*), set the **Format** property to **Time Format**. <p>- To mark the parameter as required, change the **Optional** to **Required**. <p>-- **Interval**: The parameter value is an interval, such as **1** or **12**. <p>-- **Frequency**: The parameter value is a frequency, such as **Hour**, **Day** or **Month**. <p>-- **Timezone**: The parameter value is a timezone, such as **(UTC-08:00) Pacific Time (US & Canada)**. |

+ |||||

+ The following example shows the properties for a sample automation task template that works only on an Azure resource group:

+ 

+ In this example, the task's underlying workflow includes the following parameter definitions and specifies that these parameter values are provided by the task creator:

+ | Parameter | Description |

+ |--|-|

+ | **emailAddress** | Specifies the email address for where to send the report. This parameter uses the **Default** template, which lets you specify the parameter's information, the expected format, and whether the parameter is optional or not. For this example parameter, the expected format is **None**, and the parameter is **Required**. |

+ | **numberOf** | Specifies the maximum number of time units that a virtual machine can stay idle. This parameter uses the **Default** template. |

+ | **timeUnit** | Specifies the time unit to use for the parameter value. This parameter uses the **Frequency** template, which shows the time units that the task creator can select, for example, **Hour**, **Day**, or **Month**. |

+ |||

+1. When you're done, select **Download Template**, and save the template using the **.json** file name extension. For a consistent template name, use only lowercase, hyphens between words, and the following syntax:

+ **<*action-verb*>-<*Azure-resource*>**

+ For example, based on the earlier example template name, you might name the template file as **list-stale-virtual-machines.json**.

+<a name="upload-template"></a>

+### Upload template to GitHub

+1. Go to [GitHub](https://github.com), and sign in with your GitHub account.

+1. Go to the [Azure automation task templates GitHub repository](https://github.com/Azure/automation-task-template/tree/master/templates), which takes you to the default branch in the repository.

+1. From the branch list, switch to your working branch.

+1. Above the files list, select **Add file** > **Upload files**.

+1. Either drag your workflow definition file to the specified area on the page, or select **choose your files**.

+1. After you add your template, in the same folder, open the **manifest.json** file, and add an entry for your **<*template-name*>.json** file.

+<a name="test-template"></a>

+### Test your template

+You can use your favorite web debugging tool to test the template you uploaded to your working directory. This example continues by using Fiddler with the script that modifies web requests. If you use a different tool, use the equivalent steps and script for your tool.

+1. In the Fiddler script, find the `onBeforeRequest()` function, and add the following code to the function, for example:

+ ```javascript

+ static function OnBeforeRequest(oSession: Session)

+ {

+ if (oSession.url == "raw.githubusercontent.com/azure/automation-task-template/master/templates/manifest.json") {

+ oSession.url = "raw.githubusercontent.com/<GitHub-username>/automation-task-template/<working-branch>/templates/manifest.json";

+ }

+ if (oSession.url == "raw.githubusercontent.com/azure/automation-task-template/master/templates/<template-name>") {

+ oSession.url = "raw.githubusercontent.com/<GitHub-username>/automation-task-template/<working-branch>/templates/<template-name>";

+ }

+ {...}

+ }

+ ```

+ This code gets the **manifest.json** and **<*template-name*>.json** files from your forked repository, rather than from the main Azure GitHub repository.

+ So, based on the example, the file redirection code looks like the following version:

+ ```javascript

+ static function OnBeforeRequest(oSession: Session)

+ {

+ if (oSession.url == "raw.githubusercontent.com/azure/automation-task-template/master/templates/manifest.json") {

+ oSession.url = "raw.githubusercontent.com/sophowe/automation-task-template/upload-auto-template/templates/manifest.json";

+ }

+ if (oSession.url == "raw.githubusercontent.com/azure/automation-task-template/master/templates/list-stale-virtual-machines.json") {

+ oSession.url = "raw.githubusercontent.com/sophowe/automation-task-template/upload-auto-template/templates/list-stale-virtual-machines.json";

+ }

+ {...}

+ }

+ ```

+1. Before you run your test, make sure to close all browser windows, and clear your browser cache in Fiddler.

+1. Open a new browser window, and sign in to the [Azure portal](https://portal.azure.com).

+1. Open the Azure resource where you expect to find your automation task. Create an automation task with your exported template. Run the task.

+If your task runs successfully, continue by creating a pull request from your working branch to the default branch.

+<a name="create-pull-request"></a>

+### Create your pull request

+1. Under **Commit changes**, enter a concise but descriptive title for your update. You can provide more information in the description box.

+1. Select **Create a new branch for this commit and start a pull request**. At the prompt, provide a name for your working branch, for example:

+ `<your-GitHub-alias>-<automation-task-name>-template`

+1. When you're ready, select **Propose changes**. On the next page, select **Create pull request**.

+1. Provide a name and description for your pull request. In the lower-right corner, select **Create pull request**.

+1. Wait for the Azure Logic Apps team to review your pull request.

+ - ```aznbcontent.net```

+ - ```aznbcontent.net```

+ - ```aznbcontent.net```

+ - ```instances.azureml.ms```

+ - ```aznbcontent.net```

+ - ```aznbcontent.net```

+ - ```aznbcontent.net```

+> [!NOTE]

+| Hospitality and Travel | Travel & Transportation<br>Hotels and Leisure<br>Restaurants and Food Services |

+- For step-by-step instructions on publishing an offer, see the commercial marketplace [publishing guide by offer type](./publisher-guide-by-offer-type.md).

+ Title: Add storage to a Media Services Account

+description: This article shows you how to add storage to a Media Services account.

+# Add storage to a Media Services Account

+<!-- NOTE: The following are in the includes folder and are reused in other How To articles. All task based content should be in the includes folder with the task- prefix prepended to the file name. -->

+This article shows you how to add storage to a Media Services account.

+## Methods

+You can use the following methods to add storage to a Media Services account.

+## CLI

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/mediaservices/create-or-update).

+## [REST](#tab/rest/)

+See the Media Service [REST API](/rest/api/media/mediaservices/delete).

+ Title: List the assets in a Media Services account

+description: This article shows you how to list the assets in a Media Services account.

+# List the assets in a Media Services account

+This article shows you how to list the assets in a Media Services account.

+## Methods

+You can use the following methods to list the assets in a Media Services account.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+ Title: List the transforms in a Media Services account

+description: This article shows you how to list the transforms in a Media Services account.

+# List the transforms in a Media Services account

+This article shows you how to list the transforms in a Media Services account.

+## Methods

+You can use the following methods to list the transforms in a Media Services account.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/transforms/list).

+ Title: Remove a storage account from a Media Services account

+description: This article shows you how to remove a storage account from a Media Services account

+# Remove a storage account from a Media Services account

+This article shows you how to remove a storage account from a Media Services account.

+## Methods

+You can use the following methods to remove a storage account from a Media Services account.

+## CLI

+ Title: Set the Media Services account encryption with customer managed keys

+description: This article shows you how to set the Media Services account encryption with customer managed keys.

+# Set the Media Services account encryption with customer managed keys

+This article shows you how to set the Media Services account encryption with customer managed keys.

+## Methods

+You can use the following methods to set the Media Services account encryption with customer managed keys.

+## CLI

+ Title: Set the Media Services account encryption with system managed keys

+description: This article shows you how to set the Media Services account encryption with system managed keys.

+# Set the Media Services account encryption with system managed keys

+This article shows you how to set the Media Services account encryption with system managed keys.

+## Methods

+You can use the following methods to set the Media Services account encryption with system managed keys.

+## CLI

+ Title: Set the Media Services storage authentication

+description: This article shows you how to set the Media Services storage authentication.

+# Set the Media Services storage authentication

+This article shows you how to set the Media Services storage authentication.

+## Methods

+You can use the following methods to set the Media Services storage authentication.

+## CLI

+ Title: Show the account encryption of a Media Services Account

+description: This article shows you how to show the account encryption of a Media Services Account.

+# Show the account encryption of a Media Services Account

+This article shows you how to show the account encryption of a Media Services Account.

+<!-- NOTE: The following are in the includes folder and are reused in other How To articles. All task based content should be in the includes folder with the task- prefix prepended to the file name. -->

+## Methods

+You can use the following methods to show the account encryption of a Media Services Account.

+## CLI

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/mediaservices/update).

+ Title: Create a Media Services asset filter

+description: This article shows you how to create a Media Services asset filter.

+# Create an account filter

+This article shows you how to create a Media Services asset filter.

+<!-- NOTE: The following are in the includes folder and are reused in other How To articles. All task based content should be in the includes folder with the task- prefix prepended to the file name. -->

+## Methods

+You can use the following methods to create a Media Services asset filter.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/asset-filters/create-or-update).

+Use the following methods to create a Media Services asset.

+ Title: Delete a Media Services asset filter

+description: This article shows you how to delete a Media Services asset filter.

+# Delete an asset filter

+This article shows how to delete a Media Services asset filter.

+## Methods

+You can use the following methods to delete a Media Services asset filter.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/asset-filters/delete).

+ Title: Delete a Media Services asset

+description: This article shows you how to delete a Media Services asset.

+# Delete an asset

+This article shows how to delete a Media Services asset.

+## Methods

+You can use the following methods to delete a Media Services asset.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/assets/delete).

+ Title: Get a Media Services asset SAS URLs

+description: This article shows you how to get a Media Services asset's SAS URLs.

+# Get an asset's SAS URLs

+This article shows you how to get a Media Services asset's SAS URLs.

+## Methods

+You can use the following methods to get a Media Services asset's SAS URLs.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/assets/list-container-sas).

+ Title: Get a Media Services asset encryption key

+description: This article shows you how to get a Media Services asset encryption key.

+# Get an asset encryption key

+This article shows you how to get a Media Services asset encryption key.

+## Methods

+You can use the following methods to get a Media Services asset encryption key.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/assets/get-encryption-key).

+ Title: List the asset filters of a Media Services asset

+description: This article shows you how to list the asset filters of a Media Services asset.

+# List the asset filters of an asset

+This article shows you how to list the asset filters of a Media Services asset.

+## Methods

+You can use the following methods to list the asset filters of a Media Services asset.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/asset-filters/list).

+ Title: List the streaming locators of a Media Services asset

+description: This article shows you how to list the streaming locators of a Media Services asset.

+# List the streaming locators of an asset

+This article shows you how to list the streaming locators of a Media Services asset.

+## Methods

+You can use the following methods to list the streaming locators of a Media Services asset.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/assets/list-streaming-locators).

+ Title: Update a Media Services asset filter

+description: This article shows you how to update a Media Services asset filter.

+# Update an asset filter

+This article shows you how to update a Media Services asset filter.

+## Methods

+You can use the following methods to update a Media Services asset filter.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/asset-filters/update).

+ Title: Sync the storage keys of a Media Services storage account

+description: This article shows you how to sync the storage keys of a Media Services storage account.

+# Sync storage keys

+This article shows you how to sync the storage keys of a Media Services storage account.

+## Methods

+You can use the following methods to sync the storage keys of a Media Services storage account.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/mediaservices/sync-storage-keys).

+ Title: Add a custom transform output for a Media Services job

+description: This article shows you how to add a custom transform output for a Media Services job.

+# Add a custom transform output

+<!-- NOTE: The following are in the includes folder and are reused in other How To articles. All task based content should be in the includes folder with the task- prefix prepended to the file name. -->

+This article shows you how to add a custom transform output for a Media Services job.

+## Methods

+You can use the following methods to add a custom transform output for a Media Services job.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/transforms).

+ Title: Create a Media Service custom transform

+description: This article shows you how to create a Media Services custom transform.

+# Create a custom transform

+This article shows you how to create a Media Services custom transform.

+## Methods

+You can use the following methods to create a Media Services custom transform.

+## CLI

+## Methods

+You can use the following methods to create a transform.

+## [CLI](#tab/cli/)

+See the Media Services [REST API](/rest/api/media/transforms/create-or-update).

+ Title: Delete a Media Services transform

+description: This article shows you how to delete a Media Services transform.

+# Delete a transform

+This article shows you how to delete a Media Services transform.

+## Methods

+You can use the following methods to delete a Media Services transform.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/transforms/delete).

+ Title: Update a Media Services transform

+description: This article shows you how to update a Media Services transform.

+# Update a transform

+This article shows you how to update a Media Services transform.

+## Methods

+You can use the following methods to update a Media Services transform.

+## [CLI](#tab/cli/)

+## [REST](#tab/rest/)

+See the Media Services [REST API](/rest/api/media/transforms/update).

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2140337) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2140424) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2140338) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2116601) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2116657) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2140334) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2160648) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140334) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140338) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140334) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140338) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140424) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2140334) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2140337) | 7745817a5320628022719f24203ec0fbf56a0e0f02b4e7713386cbc003f0053c

+1. Navigate to SQL Server Management Studio (SSMS), connect to the server, navigate to security, select and hold (or right-click) on login and create New login. Make sure to select "SQL authentication".

+1. Finally, [create a new credential](manage-credentials.md#create-a-new-credential) using the **username** and **password** to set up your scan.

+- Policy statements set below container level on a Storage account are supported. If no access has been provided at Storage account level or container level, then the App that requests the data must execute a direct access by providing a fully qualified name to the data object. If the App attempts to crawl down the hierarchy starting from the Storage account or Container, and there is no access at that level, the request will fail. The following documents show examples of how to do perform a direct access. See also blogs in the *Next steps* section of this tutorial.

+* [Demo of access policy for Azure Storage](https://docs.microsoft.com/video/media/8ce7c554-0d48-430f-8f63-edf94946947c/purview-policy-storage-dataowner-scenario_mid.mp4)

+* [Blog: What's New in Azure Purview at Microsoft Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/what-s-new-in-azure-purview-at-microsoft-ignite-2021/ba-p/2915954)

+* [Blog: Accessing data when folder level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)

+* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)

+ subscriptionId=$(az account show --output tsv --query id)

+ Title: Create an index alias

+description: Create an alias to define a secondary name that can be used to refer to an index for querying, indexing, and other operations.

+# Create an index alias in Azure Cognitive Search

+> [!IMPORTANT]

+> Index aliases are currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+In Azure Cognitive Search, an alias is a secondary name that can be used to refer to an index for querying, indexing, and other operations. You can create an alias that maps to a search index and substitute the alias name in places where you would otherwise reference an index name. This gives you added flexibility if you ever need to change which index your application is pointing to. Instead of updating the references to the index name in your application, you can just update the mapping for your alias.

+The main goal of index aliases is to make it easier to manage your production indexes. For example, if you need to make a change to your index definition, such as editing a field or adding a new analyzer, you'll have to create a new search index because all search indexes are immutable. This means you either need to [drop and rebuild your index](search-howto-reindex.md) or create a new index and then migrate your application over to that index.

+Instead of dropping and rebuilding your index, you can use index aliases. A typical workflow would be to:

+1. Create your search index

+1. Create an alias that maps to your search index

+1. Have your application send querying/indexing requests to the alias rather than the index name

+1. When you need to make a change to your index that requires a rebuild, create a new search index

+1. When your new index is ready to go, update the alias to map to the new index and requests will automatically be routed to the new index

+## Create an alias

+You can create an alias using the preview REST API, the preview SDKs, or through [Visual Studio Code](search-get-started-vs-code.md). An alias consists of the `name` of the alias and the name of the search index that the alias is mapped to. Only one index name can be specified in the `indexes` array.

+### [**REST API**](#tab/rest)

+You can use the [Create or Update Alias (REST preview)](/rest/api/searchservice/preview-api/create-or-update-alias) to create an index alias.

+```http

+POST /aliases?api-version=2021-04-30-preview

+{

+ "name": "my-alias",

+ "indexes": ["hotel-samples-index"]

+}

+```

+### [**Visual Studio Code**](#tab/vscode)

+To create an alias in Visual Studio Code:

+1. Follow the steps in the [Visual Studio Code Quickstart](search-get-started-vs-code.md) to install the [Azure Cognitive Search extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurecognitivesearch) and connect to your Azure Subscription.

+1. Navigate to your search service.

+1. Under your search service, right-click on **Aliases** and select **Create new alias**.

+1. Provide the name of your alias and the name of the search index you'd like to map it to and then save the file to create the alias.

+ 

+## Send requests

+Once you've created your alias, you're ready to start using it. Aliases can be used for all [document operations](/rest/api/searchservice/document-operations) including querying, indexing, suggestions, and autocomplete.

+In the query below, instead of sending the request to `hotel-samples-index`, you can instead send the request to `my-alias` and it will be routed accordingly.

+```http

+POST /indexes/my-alias/docs/search?api-version=2021-04-30-preview

+{

+ "search": "pool spa +airport",

+ "searchMode": any,

+ "queryType": "simple",

+ "select": "HotelId, HotelName, Category, Description",

+ "count": true

+}

+```

+If you expect that you may need to make updates to your index definition for your production indexes, you should use an alias rather than the index name for requests in your client-side application. Scenarios that require you to create a new index are outlined under these [rebuild conditions](search-howto-reindex.md#rebuild-conditions).

+> [!NOTE]

+> You can only use an alias with [document operations](/rest/api/searchservice/document-operations). Aliases can't be used to get or update an index definition, can't be used with the Analyze Text API, and can't be used as the `targetIndexName` on an indexer.

+## Swap indexes

+Now, whenever you need to update your application to point to a new index, all you need to do is update the mapping in your alias. PUT is required for updates as described in [Create or Update Alias (REST preview)](/rest/api/searchservice/preview-api/create-or-update-alias).

+```http

+PUT /aliases/my-alias?api-version=2021-04-30-preview

+{

+ "name": "my-alias",

+ "indexes": ["hotel-samples-index2"]

+}

+```

+After you make the update to the alias, requests will automatically start to be routed to the new index.

+> [!NOTE]

+> An update to an alias may take up to 10 seconds to propogate through the system so you should wait at least 10 seconds before deleting the index that the alias was previously mapped to.

+## See also

+This article explains how to drop and rebuild an Azure Cognitive Search index, the circumstances under which rebuilds are required, and recommendations for mitigating the impact of rebuilds on ongoing query requests. If you frequently have to rebuild your search index, we recommend using [index aliases](search-how-to-alias.md) to make it easier to swap which index your application is pointing to.

+## Index alias limits

+Maximum number of [index aliases](search-how-to-alias.md) varies by tier. In all tiers, the maximum number of aliases is the same as the maximum number of indexes.

+| Resource | Free | Basic | S1 | S2 | S3 | S3-HD |L1 | L2 |

+| -- | --| |-|-|-|-||-|

+| Maximum aliases |3 |5 or 15 |50 |200 |200 |1000 per partition or 3000 per service |10 |10 |

+## February 2022

+|Feature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Description | Availability |

+||--||

+| [Index aliases](search-how-to-alias.md) | An index alias is a secondary name that can be used to refer to an index for querying, indexing, and other operations. You can create an alias that maps to a search index and substitute the alias name in places where you would otherwise reference an index name. This gives you added flexibility if you ever need to change which index your application is pointing to. Instead of updating the references to the index name in your application, you can just update the mapping for your alias. | Public preview REST APIs (no portal support at this time).|

+| [Enhanced configuration for semantic search](semantic-how-to-query-request.md#create-a-semantic-configuration) | Semantic configurations are a multi-part specification of the fields used during semantic ranking, captions, and answers. This is a new addition to the 2021-04-30-Preview API, and are now required for semantic queries. | Public preview in the portal and preview REST APIs.|

+ Title: Zero Trust security in Azure

+description: Learn about the guiding principles of Zero Trust and find resources to help you implement Zero Trust.

+# Zero Trust security

+Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. In this article, you'll learn about the guiding principles of Zero Trust and find resources to help you implement Zero Trust.

+## Guiding principles of Zero Trust

+Today, organizations need a new security model that effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located.

+To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:

+- **Verify explicitly** - Always authenticate and authorize based on all available data points.

+- **Use least privilege access** - Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

+- **Assume breach** - Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

+For more information about Zero Trust, see [Microsoft's Zero Trust Guidance Center](/security/zero-trust).

+## Zero Trust architecture

+A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.

+This illustration provides a representation of the primary elements that contribute to Zero Trust.

+

+In the illustration:

+- Security policy enforcement is at the center of a Zero Trust architecture. This includes Multi Factor authentication with conditional access that takes into account user account risk, device status, and other criteria and policies that you set.

+- [Identities](/security/zero-trust/deploy/identity), [devices](/security/zero-trust/deploy/endpoints) (also called endpoints), [data](/security/zero-trust/deploy/data), [applications](/security/zero-trust/deploy/applications), [network](/security/zero-trust/deploy/networks), and other [infrastructure](/security/zero-trust/deploy/infrastructure) components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and conditional access policies require healthy devices for access to specific apps and data.

+- Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks.

+For more information about deploying technology components of the Zero Trust architecture, see Microsoft's [Deploying Zero Trust solutions](/security/zero-trust/deploy/overview).

+As an alternative to deployment guidance that provides configuration steps for each of the technology components protected by Zero Trust principles, [Rapid Modernization Plan (RaMP)](/security/zero-trust/zero-trust-ramp-overview) guidance is based on initiatives and gives you a set of deployment paths to more quickly implement key layers of protection.

+## From security perimeter to Zero Trust

+The traditional approach of access control for IT has been based on restricting access to a corporate network and then supplementing it with more controls as appropriate. This model restricts all resources to a corporate owned network connection and has become too restrictive to meet the needs of a dynamic enterprise.

+

+Organizations must embrace a Zero Trust approach to access control as they embrace remote work and use cloud technology to digitally transform their business model, customer engagement model, employee engagement, and empowerment model.

+Zero trust principles help establish and continuously improve security assurances, while maintaining flexibility to keep pace with this new world. Most zero trust journeys start with access control and focus on identity as a preferred and primary control while they continue to embrace network security technology as a key element. Network technology and the security perimeter tactic are still present in a modern access control model, but they aren't the dominant and preferred approach in a complete access control strategy.

+For more information on the Zero Trust transformation of access control, see the Cloud Adoption Framework's [access control](/azure/cloud-adoption-framework/secure/access-control).

+## Conditional access with Zero Trust

+The Microsoft approach to Zero Trust includes [Conditional Access](../../active-directory/conditional-access/overview.md) as the main policy engine. Conditional Access is used as the policy engine for a Zero Trust architecture that covers both policy definition and policy enforcement. Based on various signals or conditions, Conditional Access can block or give limited access to resources.

+To learn more about creating an access model based on Conditional Access that's aligned with the guiding principles of Zero Trust, see [Conditional Access for Zero Trust](/azure/architecture/guide/security/conditional-access-design).

+## Develop apps using Zero Trust principles

+Zero Trust is a security framework that does not rely on the implicit trust afforded to interactions behind a secure network perimeter. Instead, it uses the principles of explicit verification, least privileged access, and assuming breach to keep users and data secure while allowing for common scenarios like access to applications from outside the network perimeter.

+As a developer, it is essential that you use Zero Trust principles to keep users safe and data secure. App developers can improve app security, minimize the impact of breaches, and ensure that their applications meet their customers' security requirements by adopting Zero Trust principles.

+For more information on best practices key to keeping your apps secure, see:

+- [Microsoft's Building apps with a Zero Trust approach to identity](/security/zero-trust/develop/identity#top-recommendations-for-zero-trust)

+- [Build Zero Trust-ready apps using Microsoft identity platform features and tools](../../active-directory/develop/zero-trust-for-developers.md)

+## Zero Trust and Microsoft 365

+Microsoft 365 is built with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps. See [deploying Zero Trust for Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust#deploying-zero-trust-for-microsoft-365) to learn more.

+To learn about recommendations and core concepts for deploying secure email, docs, and apps policies and configurations for Zero Trust access to Microsoft 365, see [Zero Trust identity and device access configurations](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations).

+## Next steps

+- To learn how to enhance your security solutions by integrating with Microsoft products, see Integrate with [Microsoft's Zero Trust solutions](/security/zero-trust/integrate/overview)

+|<a name="dvcidtype"></a>**DvcIdType** | Enumerated | The type of the device ID stored in DvcId fields. Supported values include `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, and `Other`. For more information, see [The Device entity](#the-device-entity). |

+1. If deploying an update, delete older versions of the functions using the portal or the [function delete PowerShell tool](https://aka.ms/ASimDelFunctionScript).

+| **eventresultdetails_in** | dynamic | Filter only web sessions for which the HTTP status code, stored in the [EventResultDetails](#eventresultdetails) field, is any of the values listed. |

+cd serviceconnector-webapp-storageblob-dotnet

+Then grant this identity access to the vault secrets - refer to the [official documentation](/rest/api/keyvault/keyvault/vaults/update-access-policy) for current information:

+For more details, please see [Vaults - Update Access Policy](/rest/api/keyvault/keyvault/vaults/update-access-policy).

+For more details, please see [Vaults - Update Access Policy](/rest/api/keyvault/keyvault/vaults/update-access-policy).

+* [Deploy an application with Managed Identity to a Service Fabric managed cluster](how-to-managed-cluster-application-managed-identity.md)

+To enable Accelerated Networking on an existing Service Fabric cluster, you need to first [Scale a Service Fabric cluster out by adding a Virtual Machine Scale Set](virtual-machine-scale-set-scale-node-type-scale-out.md), to perform the following:

+The rules described below are the recommended minimum for a typical configuration. We also include what rules are mandatory for an operational cluster if optional rules are not desired. It allows a complete security lockdown with network peering and jumpbox concepts like Azure Bastion. Failure to open the mandatory ports or approving the IP/URL will prevent proper operation of the cluster and may not be supported.

+|Priority |Name |Port |Protocol |Source |Destination |Action |Mandatory

+|3900 |Azure portal |19080 |TCP |ServiceFabric |Any |Allow |Yes

+|3910 |Client API |19000 |TCP |Internet |Any |Allow |No

+|3920 |SFX + Client API |19080 |TCP |Internet |Any |Allow |No

+|3930 |Cluster |1025-1027 |TCP |VirtualNetwork |Any |Allow |Yes

+|3940 |Ephemeral |49152-65534 |TCP |VirtualNetwork |Any |Allow |Yes

+|3950 |Application |20000-30000 |TCP |VirtualNetwork |Any |Allow |Yes

+|3960 |RDP |3389-3488 |TCP |Internet |Any |Deny |No

+|3970 |SSH |22 |TCP |Internet |Any |Deny |No

+|3980 |Custom endpoint |443 |TCP |Internet |Any |Deny |No

+* **Azure portal**. This port is used by the Service Fabric Resource Provider to query information about your cluster in order to display in the Azure Management Portal. If this port is not accessible from the Service Fabric Resource Provider then you will see a message such as 'Nodes Not Found' or 'UpgradeServiceNotReachable' in the Azure portal and your node and application list will appear empty. This means that if you wish to have visibility of your cluster in the Azure Management Portal then your load balancer must expose a public IP address and your NSG must allow incoming 19080 traffic. This port is recommended for extended management operations from the Service Fabric Resource Provider to guarantee higher reliability.

+* **Client API**. The client connection endpoint for APIs used by PowerShell.

+* **SFX + Client API**. This port is used by Service Fabric Explorer to browse and manage your cluster. In the same way it's used by most common APIs like REST/PowerShell (Microsoft.ServiceFabric.PowerShell.Http)/CLI/.NET.

+* **Cluster**. Used for inter-node communication.

+|Priority |Name |Port |Protocol |Source |Destination |Action |Mandatory

+| | | | | | | |

+|4010 |Resource Provider |443 |TCP |Any |ServiceFabric |Allow |Yes

+|4020 |Download Binaries |443 |TCP |Any |AzureFrontDoor.FirstParty |Allow |Yes

+### Common scenarios needing additional rules

+All additional scenarios can be covered with [Azure Service Tags](../virtual-network/service-tags-overview.md).

+#### Azure DevOps

+The classic PowerShell tasks in Azure DevOps (Service Tag: AzureCloud) need Client API access to the cluster, examples are application deployments or operational tasks. This does not apply to the ARM templates only approach, including [ARM application resources](service-fabric-application-arm-resource.md).

+|Priority |Name |Port |Protocol |Source |Destination |Action |Direction

+| | | | | | | |

+|3915 |Azure DevOps |19000 |TCP |AzureCloud |Any |Allow |Inbound

+#### Updating Windows

+Best practice to patch the Windows operating system is replacing the OS disk by [automatic OS image upgrades](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md), no additional rule is required.

+The [Patch Orchestration Application](service-fabric-patch-orchestration-application.md) is managing in-VM upgrades where Windows Updates applies operating system patches, this needs access to the Download Center (Service Tag: AzureUpdateDelivery) to download the update binaries.

+|Priority |Name |Port |Protocol |Source |Destination |Action |Direction

+| | | | | | | |

+|4015 |Windows Updates |443 |TCP |Any |AzureUpdateDelivery |Allow |Outbound

+#### API Management

+The integration of Azure API Management (Service Tag: ApiManagement) need Client API access to query endpoint information from the cluster.

+|Priority |Name |Port |Protocol |Source |Destination |Action |Direction

+| | | | | | | |

+|3920 |API Management |19080 |TCP |ApiManagement |Any |Allow |Inbound

+* For Windows Containers hosted on air-gapped machines that can't pull base layers from Azure cloud storage, override the foreign layer behavior, by using the [--allow-nondistributable-artifacts](https://docs.microsoft.com/virtualization/windowscontainers/about/faq#how-do-i-make-my-container-images-available-on-air-gapped-machines) flag in the Docker daemon.

+18.04 LTS |[9.47](https://support.microsoft.com/topic/update-rollup-60-for-azure-site-recovery-k5011122-883a93a7-57df-4b26-a1c4-847efb34a9e8) | 5.4.0-92-generic </br> 4.15.0-166-generic </br> 4.15.0-1129-azure </br> 5.4.0-1065-azure </br> 4.15.0-1130-azure </br> 4.15.0-167-generic </br> 5.4.0-1067-azure </br> 5.4.0-1068-azure </br> 5.4.0-94-generic </br> 5.4.0-96-generic </br> 5.4.0-97-generic </br> 5.4.0-99-generic </br> 4.15.0-1131-azure </br> 4.15.0-169-generic </br> 5.4.0-100-generic </br> 5.4.0-1069-azure </br> 5.4.0-1070-azure |

+20.04 LTS |[9.47](https://support.microsoft.com/topic/update-rollup-60-for-azure-site-recovery-k5011122-883a93a7-57df-4b26-a1c4-847efb34a9e8) | 5.4.0-1065-azure </br> 5.4.0-92-generic </br> 5.8.0-1033-azure </br> 5.8.0-1036-azure </br> 5.8.0-1039-azure </br> 5.8.0-1040-azure </br> 5.8.0-1041-azure </br> 5.8.0-1042-azure </br> 5.8.0-1043-azure </br> 5.8.0-23-generic </br> 5.8.0-25-generic </br> 5.8.0-28-generic </br> 5.8.0-29-generic </br> 5.8.0-31-generic </br> 5.8.0-33-generic </br> 5.8.0-34-generic </br> 5.8.0-36-generic </br> 5.8.0-38-generic </br> 5.8.0-40-generic </br> 5.8.0-41-generic </br> 5.8.0-43-generic </br> 5.8.0-44-generic </br> 5.8.0-45-generic </br> 5.8.0-48-generic </br> 5.8.0-49-generic </br> 5.8.0-50-generic </br> 5.8.0-53-generic </br> 5.8.0-55-generic </br> 5.8.0-59-generic </br> 5.8.0-63-generic </br> 5.4.0-1067-azure </br> 5.4.0-1068-azure </br> 5.4.0-94-generic </br> 5.4.0-96-generic </br> 5.4.0-97-generic </br> 5.4.0-99-generic </br> 5.4.0-100-generic </br> 5.4.0-1069-azure </br> 5.4.0-1070-azure |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.47](https://support.microsoft.com/topic/update-rollup-60-for-azure-site-recovery-k5011122-883a93a7-57df-4b26-a1c4-847efb34a9e8) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 4.12.14-16.85-azure:5 </br> 4.12.14-122.106-default:5 </br> 4.12.14-16.88-azure:5 </br> 4.12.14-122.110-default:5 |

+SUSE Linux Enterprise Server 15, SP1, SP2 | [9.47](https://support.microsoft.com/topic/update-rollup-60-for-azure-site-recovery-k5011122-883a93a7-57df-4b26-a1c4-847efb34a9e8) | By default, all [stock SUSE 15, SP1, SP2 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 5.3.18-36-azure </br> 5.3.18-38.11-azure </br> 5.3.18-38.14-azure </br> 5.3.18-38.17-azure </br> 5.3.18-38.22-azure </br> 5.3.18-38.25-azure </br> 5.3.18-38.28-azure </br> 5.3.18-38.3-azure </br> 5.3.18-38.31-azure </br> 5.3.18-38.8-azure </br> 5.3.18-57-default </br> 5.3.18-59.10-default </br> 5.3.18-59.13-default </br> 5.3.18-59.16-default </br> 5.3.18-59.19-default </br> 5.3.18-59.24-default </br> 5.3.18-59.27-default </br> 5.3.18-59.30-default </br> 5.3.18-59.34-default </br> 5.3.18-59.37-default </br> 5.3.18-59.5-default </br> 5.3.18-150300.38.37-azure:3 </br> 5.3.18-38.34-azure:3 </br> 5.3.18-150300.59.43-default:3 </br> 5.3.18-150300.59.46-default:3 </br> 5.3.18-59.40-default:3 </br> 5.3.18-150300.38.40-azure:3 </br> 5.3.18-150300.59.49-default:3

+ npm install -g @azure/static-web-apps-cli azure-functions-core-tools

+Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. Note that this is only supported for API versions 2017-11-09 and later. For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests).

+# This command requires you to be logged into your Azure account and set the subscription your storage account is under, run:

+# Connect-AzAccount -SubscriptionId ΓÇÿxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxΓÇÖ

+# if you haven't already logged in.

+If you still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your problem resolved quickly.

+> - We strongly recommend using [**Stream Analytics tools for Visual Studio Code**](./quick-create-visual-studio-code.md) for best local development experience. There are known feature gaps in Stream Analytics tools for Visual Studio 2019 (version 2.6.3000.0) and it won't be improved going forward.

+Make sure that the firewall on your network and local computer allows outgoing communication on TCP ports 80, 443 and 1433 for Synapse Studio.

+### Run the script

+## Clean up resources

+az group delete --name $resourceGroup1

+az group delete --name $resourceGroup2

+## Sample reference

+Additional App Service CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

+- A scale set with 2 VMs in zone 1, 3 VMs in zone 2, and 3 VMs in zone 3 is considered balanced. There is only one zone with a different VM count and it is only 1 less than the other zones.

+- [Azure CLI](#use-the-azure-cli)

+Add the `--zones` parameter to the [az vmss create](/cli/azure/vmss) command and specify which zone to use (such as zone *1*, *2*, or *3*).

+### Single-zone scale set

+The following example creates a single-zone scale set named *myScaleSet* in zone *1*:

+For a complete example of a single-zone scale set and network resources, see [this sample CLI script](scripts/cli-sample-single-availability-zone-scale-set.md#sample-script)

+It takes a few minutes to create and configure all the scale set resources and VMs in the zone(s) that you specify. For a complete example of a zone-redundant scale set and network resources, see [this sample CLI script](scripts/cli-sample-zone-redundant-scale-set.md#sample-script)

+### Single-zone scale set

+### Single-zone scale set

+* Azure Southeast Asia region & OCI Singapore (Singapore)

+Azure provides ~64,000 SNAT ports per public IP address. For each public IP address attached to NAT gateway, the entire inventory of ports provided by those IPs is made available to any virtual machine instance within a subnet that is also attached to NAT gateway. NAT gateway selects a port at random out of the available inventory of ports to make new outbound connections. If NAT gateway doesn't find any available SNAT ports, then it will reuse a SNAT port. A port can be reused so long as it's going to a different destination endpoint. As mentioned in the [Performance](#performance) section, NAT gateway supports up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet.

+A NAT gateway will likely translate flow 4 to a source port that may be used for other destinations as well. See [Scale NAT](#scale-nat) for more discussion on correctly sizing your IP address provisioning.

+- NAT gateway reuses SNAT ports for connections to different destination endpoints if no other source ports are available, whereas Load Balancer looks to select the lowest available SNAT port in sequential order.

+SNAT ports to different destinations are most likely to be reused when possible. As SNAT port exhaustion approaches, flows may not succeed.

+Azure Virtual WAN helps you aggregate, connect, centrally manage, and secure all of your global deployments. Your global deployments could include any combination of branches, point of presence (PoP), private users, offices, Azure virtual networks, and other multiple-cloud deployments.

+You can use SD-WAN, site-to-site VPN, point-to-site VPN, and Azure ExpressRoute to connect your sites to a virtual hub. If you have multiple virtual hubs, all the hubs are connected in full mesh in a standard Virtual WAN deployment.

+In this article, let's look at how to architect various types of back-end connectivity that Virtual WAN supports for disaster recovery.

+## Back-end connectivity options for Virtual WAN

+Virtual WAN supports the following back-end connectivity options:

+For each of these connectivity options, Virtual WAN deploys a separate set of gateway instances within a virtual hub.

+Virtual WAN offers a carrier-grade, high-availability network aggregation solution. For high availability, Virtual WAN instantiates multiple instances when each type of gateway is deployed in a Virtual WAN hub. To learn more about ExpressRoute high availability, see [Designing for high availability with ExpressRoute](../expressroute/designing-for-high-availability-with-expressroute.md).

+With the point-to-site VPN gateway, the minimum number of instances deployed is two. You choose the number of instances via *gateway scale units*. You choose gateway scale units according to the number of clients or users you intend to connect to the virtual hub. From the perspective of client connectivity, the point-to-site VPN gateway instances are hidden behind the fully qualified domain name (FQDN) of the gateway.

+For the site-to-site VPN gateway, two instances of the gateway are deployed within a virtual hub. Each gateway instance is deployed with its own set of public and private IP addresses.

+The following screen capture shows the IP addresses associated with the two instances of an example site-to-site VPN gateway configuration. In other words, the two instances provide two independent tunnel endpoints for establishing site-to-site VPN connectivity from your branches. To maximize high availability, you can create two tunnels that end on the two instances of the VPN gateway for each link from your branch sites.

+Maximizing the high availability of your network architecture is a key first step for business continuity and disaster recovery (BCDR). In the rest of this article, let's go beyond high availability and discuss how to architect your Virtual WAN connectivity network for BCDR.

+Disaster can strike at any time, anywhere. Disasters can occur in a cloud provider's regions or network, within a service provider's network, or within an on-premises network. Regional impact of a cloud or network service due to factors such as natural calamity, human errors, war, terrorism, or misconfiguration is hard to rule out.

+For the continuity of your business-critical applications, you need to have a disaster recovery design. For a comprehensive disaster recovery design, you need to identify all the dependencies that can possibly fail in your end-to-end communication path, and then create non-overlapping redundancy for each dependency.

+Whether you run your mission-critical applications in an Azure region, on-premises, or anywhere else, you can use another Azure region as your failover site. The following articles address disaster recovery from the perspectives of applications and front-end access:

+When you interconnect the same set of networks by using more than one connection, you introduce parallel paths between the networks. Parallel paths, when not properly architected, could lead to asymmetrical routing. If you have stateful entities (for example, NAT or firewalls) in a path, asymmetrical routing could block traffic flow.

+Over private connectivity, you typically won't have or come across stateful entities such as NAT or firewalls. Asymmetrical routing over private connectivity doesn't necessarily block traffic flow.

+However, if you load balance traffic across geo-redundant parallel paths, you'll experience inconsistent network performance because of the difference in the physical path of the parallel connections. So you need to consider network traffic performance during both the steady state (non-failure state) and a failure state as part of your disaster recovery design.

+## Redundant access networks

+Most SD-WAN services (managed solutions or otherwise) provide network connectivity via multiple transport types (for example, internet broadband, MPLS, LTE). To safeguard against transport network failures, choose connectivity over more than one transport network. For a home user scenario, consider using a mobile network as a backup for broadband network connectivity.

+If network connectivity over various transport types isn't possible, choose network connectivity via more than one service provider. If you're getting connectivity via more than one service provider, ensure that the service providers maintain independent access networks that don't overlap.

+Point-to-site VPN establishes private connectivity between an end device and a network. After a network failure, the end device drops and tries to re-establish the VPN tunnel.

+For point-to-site VPN, your disaster recovery design should aim to minimize the recovery time after a failure. The following options for network redundancy can help minimize the recovery time. Depending on how critical the connections are, you can choose either or both of these options.

+- Redundant access networks (as discussed earlier)

+- Managing a redundant virtual hub for point-to-site VPN termination

+When you have multiple virtual hubs with point-to-site gateways, Virtual WAN provides a global profile that lists all the point-to-site endpoints. With the global profile, your end devices can connect to the closest available virtual hub that offers the best network performance.

+If all your Azure deployments are in a single region and the end devices that connect are in close proximity to the region, you can have redundant virtual hubs within the region. If your deployment and end devices are spread across multiple regions, you can deploy a virtual hub with a point-to-site gateway in each of your selected regions.

+The following diagram shows the concept of managing redundant virtual hubs with their respective point-to-site gateways within a region.

+In the diagram, the solid green lines show the primary site-to-site VPN connections. The dotted yellow lines show the standby backup connections. The Virtual WAN point-to-site global profile selects primary and backup connections based on the network performance. For more information about global profiles, see [Download a global profile for User VPN clients](global-hub-profile.md).

+Let's consider the example site-to-site VPN connection shown in the following diagram for our discussion. To establish a site-to-site VPN connection with high-availability active/active tunnels, see [Tutorial: Create a site-to-site connection using Azure Virtual WAN](virtual-wan-site-to-site-portal.md).

+> For easy understanding of the concepts discussed in this section, we're not repeating the discussion of the high-availability feature of site-to-site VPN gateways that lets you create two tunnels to two different endpoints for each VPN link that you configure. While you're deploying any of the suggested architectures in this section, remember to configure two tunnels for each link that you establish.

+### Multiple-link topology

+To protect against failures of VPN customer premises equipment (CPE) at a branch site, you can configure parallel VPN links to a VPN gateway from parallel CPE devices at the branch site. To protect against network failures of a last-mile service provider to the branch office, you can configure different VPN links over different service provider networks.

+The following diagram shows multiple VPN links originating from two CPEs of a branch site and ending on the same VPN gateway.

+You can configure up to four links to a branch site from a virtual hub's VPN gateway. While you're configuring a link to a branch site, you can identify the service provider and the throughput speed associated with the link. When you configure parallel links between a branch site and a virtual hub, the VPN gateway will load balance traffic across the parallel links by default. The gateway load balances traffic according to equal-cost multi-path (ECMP) on a per-flow basis.

+### Multiple-hub, multiple-link topology

+A multiple-hub, multiple-link topology helps protect against failures of CPE devices and a service provider's network at the on-premises branch location. It also helps protect against any downtime of a virtual hub's VPN gateway. The following diagram shows the topology.

+In this topology, latency over the connection between the hubs within an Azure region is insignificant. So you can use all the site-to-site VPN connections between the on-premises branch location and the two virtual hubs in active/active state by spreading the spoke virtual networks across the hubs.

+By default, traffic between the on-premises branch location and a spoke virtual network traverses directly through the virtual hub to which the spoke virtual network is connected during the steady state. The traffic uses another virtual hub as a backup only during a failure state. Traffic traverses through the directly connected hub in the steady state because the BGP routes advertised by the directly connected hub have a shorter autonomous systems (AS) path compared to the backup hub.

+The multiple-hub, multiple-link topology provides protection and business continuity in most failure scenarios. But it's not sufficient if a catastrophic failure takes down the entire Azure region.

+### Multiple-region, multiple-link topology

+A multiple-region, multiple-link topology helps protect against a catastrophic failure of an entire region, along with providing the protections of a multiple-hub, multiple-link topology. The following diagram shows the multiple-region, multiple-link topology.

+From a traffic engineering point of view, you need consider one substantial difference between having redundant hubs within a region and having the backup hub in a different region. The difference is the latency that results from the physical distance between the primary and secondary regions. You might want to deploy your steady-state service resources in the region closest to your branch and end users, and then use the remote region purely for backup.

+If your on-premises branch locations are spread around two or more Azure regions, the multiple-region, multiple-link topology would be more effective in spreading the load and in gaining better network experience during the steady state. The following diagram shows the multiple-region, multiple-link topology with branches in different regions. In such a scenario, the topology would provide effective BCDR.

+Disaster recovery considerations for ExpressRoute private peering are discussed in [Designing for disaster recovery with ExpressRoute private peering](../expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering.md#small-to-medium-on-premises-network-considerations). The concepts described in that article equally apply to ExpressRoute gateways created within a virtual hub. Using a redundant virtual hub within the region, as shown in the following diagram, is the only topology enhancement that we recommend for [small to medium on-premises networks](../expressroute/index.yml).

+In the preceding diagram, the second ExpressRoute instance ends on a separate ExpressRoute gateway within a second virtual hub in the region.

+This article discussed design considerations for Virtual WAN disaster recovery. The following articles address disaster recovery from the perspectives of applications and front-end access:

+To create a point-to-site connectivity to Virtual WAN, see [Tutorial: Create a User VPN connection using Azure Virtual WAN](virtual-wan-point-to-site-portal.md).

+To create a site-to-site connectivity to Virtual WAN, see [Tutorial: Create a site-to-site connection using Azure Virtual WAN](virtual-wan-site-to-site-portal.md).

+To associate an ExpressRoute circuit with Virtual WAN, see [Tutorial: Create an ExpressRoute association using Azure Virtual WAN](virtual-wan-expressroute-portal.md).

+Azure Virtual WAN offers two types of connectivity for remote users: global and hub-based. Use the following sections to learn about profile types and how to download them.

+> RADIUS authentication supports only the hub-based profile.

+The global profile associated with a User VPN configuration points to a load balancer that includes all active User VPN hubs that are using that User VPN configuration. A user connected to the global profile is directed to the hub that's closest to the user's geographic location. This type of connectivity is useful when users travel to different locations frequently.

+For example, you can associate a VPN configuration with two Virtual WAN hubs, one in West US and one in Southeast Asia. If a user connects to the global profile associated with the User VPN configuration, they'll connect to the closest Virtual WAN hub based on their location.

+To download the global profile:

+1. Go to the virtual WAN.

+2. Select **User VPN configurations**.

+3. Select the configuration for which you want to download the profile.

+4. Select **Download virtual WAN user VPN profile**.

+

+### Include or exclude a hub from a global profile

+By default, every hub that uses a specific User VPN configuration is included in the corresponding global VPN profile. You can choose to exclude a hub from the global VPN profile. If you do, a user won't be load balanced to connect to that hub's gateway if they're using the global VPN profile.

+1. Go to the hub.

+1. On the left panel, go to **User VPN (Point to site)** under **Connectivity**.

+1. See **Gateway attachment state** to determine if this hub is included in the global VPN profile. If the state is **attached**, the hub is included. If the state is **detached**, the hub is not included.

+ :::image type="content" source="./media/global-hub-profile/attachment-state.png" alt-text="Screenshot that shows the attachment state of a gateway."lightbox="./media/global-hub-profile/attachment-state.png":::

+1. Select **Include/Exclude Gateway from Global Profile**.

+ :::image type="content" source="./media/global-hub-profile/include-exclude-1.png" alt-text="Screenshot that shows the button for including or excluding a hub from a profile." lightbox="./media/global-hub-profile/include-exclude-1.png":::

+1. Make one of the following choices:

+ - Select **Exclude** if you want to remove this hub's gateway from the Virtual WAN global User VPN profile. Users who are using the hub-level User VPN profile will still be able to connect to this gateway. Users who are using the WAN-level profile will not be able to connect to this gateway.

+ - Select **Include** if you want to include this hub's gateway in the Virtual WAN global User VPN profile. Users who are using this WAN-level profile will be able to connect to this gateway.

+ :::image type="content" source="./media/global-hub-profile/include-exclude.png" alt-text="Screenshot that shows the Exclude and Include buttons." lightbox="./media/global-hub-profile/include-exclude.png":::

+The profile points to a single hub. The user can connect to only the particular hub by using this profile. To download the hub-based profile:

+1. Go to the virtual WAN.

+2. On the **Overview** page, select the hub.

+ 

+

+3. Select **User VPN (Point to site)**.

+4. Select **Download virtual Hub User VPN profile**.

+

+ :::image type="content" source="./media/global-hub-profile/hub2.png" alt-text="Screenshot that shows how to download a hub profile."lightbox="./media/global-hub-profile/hub2.png":::

+5. Select **EAPTLS** as the authentication type.

+6. Select **Generate and download profile**.

+ 

+To learn more about Virtual WAN, see the [Virtual WAN overview](virtual-wan-about.md) article.

+### Virtual Hub Router

+The following metric is available for Virtual Hub Router within a Virtual Hub:

+#### Virtual Hub Router Metric

+| Metric | Description|

+| | |

+| **Virtual Hub Data Processed** | Data in bytes/second on how much traffic traverses the Virtual Hub Router in a given time period. Please note only the following flows use the Virtual Hub Router - VNET to VNET same hub and inter hub Branch to VNET interhub via VPN or Express Route Gateways.|

+##### PowerShell Commands

+To query via PowerShell, use the following commands:

+**Step 1:**

+```azurepowershell-interactive

+$MetricInformation = Get-AzMetric -ResourceId "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/VirtualHubs/<VirtualHubName>" -MetricName "VirtualHubDataProcessed" -TimeGrain 00:05:00 -StartTime 2022-2-20T01:00:00Z -EndTime 2022-2-20T01:30:00Z -AggregationType Average

+```

+**Step 2:**

+```azurepowershell-interactive

+$MetricInformation.Data

+```

+**Resource ID** - Your Virtual Hub's Resource ID can be found on the Azure portal. Navigate to the Virtual Hub page within vWAN and select JSON View under Essentials.

+**Metric Name** - Refers to the name of the metric you are querying, which in this case is called 'VirtualHubDataProcessed'. This metric shows all the data that the Virtual Hub Router has processed in the selected time period of the hub.

+**Time Grain** - Refers to the frequency at which you want see the aggregation of. In the current command, you will see a selected aggregated unit per 5 mins. You can select ΓÇô 5M/15M/30M/1H/6H/12H and 1D.

+**Start Time and End Time** - This time is based on UTC, so please ensure that you are entering UTC values when inputting these parameters. If these parameters are not used, by default the past one hour's worth of data is shown.

+**Aggregation Types** - Average/Minimum/Maximum/Total

+* Average - Total average of bytes/sec per the selected time period

+* Minimum ΓÇô Minimum bytes that were sent during the selected time grain period.

+* Maximum ΓÇô Maximum bytes that were sent during the selected time grain period

+* Total ΓÇô Total bytes/sec that were sent during the selected time grain period.

+

+### What happens during a Gateway Reset in a Virtual WAN VPN Gateway?

+The Gateway Reset button should be used if your on-premises devices are all working as expected but Site to Site VPN connections in Azure are in a Disconnected state. Virtual WAN VPN Gateways are always deployed in an Active-Active state for high availability. This means there is always more than one instance deployed in a VPN Gateway at any point of time. When the Gateway Reset button is used, it reboots the instances in the VPN Gateway in a sequential manner, so your connections are not disrupted. There will be a brief gap as connections move from one instance to the other, but this gap should be less than a minute. Additionally, please note that resetting the gateways will not change your Public IPs.

+ Title: Web application firewall exclusion lists in Azure Application Gateway - Azure portal

+description: This article provides information on Web Application Firewall exclusion lists configuration in Application Gateway with the Azure portal.

+# Web Application Firewall exclusion lists

+The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. This article describes the configuration for WAF exclusion lists. These settings are located in the WAF Policy associated to your Application Gateway. To learn more about WAF Policies, see [Azure Web Application Firewall on Azure Application Gateway](ag-overview.md) and [Create Web Application Firewall policies for Application Gateway](create-waf-policy-ag.md)

+To set exclusion lists in the Azure portal, configure **Exclusions** in the WAF policy resource's **Policy settings** page:

+## Attributes

+## Examples

+### Example 1

+### Example 2

+ Title: Web application firewall request size limits in Azure Application Gateway - Azure portal

+description: This article provides information on Web Application Firewall request size limits in Application Gateway with the Azure portal.

+# Web Application Firewall request size limits

+Web Application Firewall allows you to configure request size limits within lower and upper bounds.

+Request size limits are global in scope.

+## Limits

+The following two size limits configurations are available:

+- The maximum request body size field is specified in kilobytes and controls overall request size limit excluding any file uploads. This field has a minimum value of 8 KB and a maximum value of 128 KB. The default value for request body size is 128 KB.

+- The file upload limit field is specified in MB and it governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and the following maximums:

+ - 100 MB for v1 Medium WAF gateways

+ - 500 MB for v1 Large WAF gateways

+ - 750 MB for v2 WAF gateways

+The default value for file upload limit is 100 MB.

+For CRS 3.2 (on the WAF_v2 SKU) and newer, these limits are as follows when using a WAF policy for Appplication Gateway:

+

+ - 2MB request body size limit

+ - 4GB file upload limit

+To set request size limits in the Azure portal, configure **Global parameters** in the WAF policy resource's **Policy settings** page:

+## Request body inspection

+WAF offers a configuration setting to enable or disable the request body inspection. By default, the request body inspection is enabled. If the request body inspection is disabled, WAF doesn't evaluate the contents of an HTTP message's body. In such cases, WAF continues to enforce WAF rules on headers, cookies, and URI. If the request body inspection is turned off, then maximum request body size field isn't applicable and can't be set.

+Turning off the request body inspection allows for messages larger than 128 KB to be sent to WAF, but the message body isn't inspected for vulnerabilities.

+When your WAF receives a request that's over the size limit, the behavior depends on the mode of your WAF and the version of the managed ruleset you use.

+- When your WAF policy is in prevention mode, WAF blocks requests that are over the size limit.

+- When your WAF policy is in detection mode:

+ - If you use CRS 3.2 or newer, WAF inspects the body up to the limit specified and ignores the rest.

+ - If you use CRS 3.1 or earlier, WAF inspects the entire message.

+## Next steps

+After you configure your WAF settings, you can learn how to view your WAF logs. For more information, see [Application Gateway diagnostics](../../application-gateway/application-gateway-diagnostics.md#diagnostic-logging).

+ See [WAF configuration](application-gateway-waf-configuration.md) for more information about exclusion lists.

+This is a field you can exclude. To learn more about exclusion lists, See [Web application firewall exclusion lists](application-gateway-waf-configuration.md). You can exclude the evaluation in this case by configuring the following exclusion: