+ :::image type="content" source="./media/configure-authentication-sample-web-app/web-app-sign-in.png" alt-text="Screenshot of the sign in and sign up button on the project Welcome page.":::

+ :::image type="content" source="./media/configure-authentication-sample-web-app/web-app-token-claims.png" alt-text="Screenshot of the web app token claims.":::

+ There are two projects in the sample solution:

+* A managed domain must be deployed in its own subnet. Don't use an existing subnet or a gateway subnet. This includes the usage of remote gateways settings in the virtual network peering which puts the managed domain in an unsupported state.

+* [Azure network security groups](../virtual-network/network-security-groups-overview.md)

+* Provisioning multiple roles on a user isn't supported by on-demand provisioning.

+* [Troubleshooting provisioning](./application-provisioning-config-problem.md)

+- To view a video on how to configure and onboard GCP accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).

+## View a training video on configuring and onboarding a GCP account

+To view a video on how to configure and onboard GCP accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).

+ You can either download and run the script at this point or you can do it in the Google Cloud Shell, as described [later in this article](cloudknox-onboard-gcp.md#4-run-scripts-in-cloud-shell-optional-if-not-already-executed).

+## Onboard CloudKnox in your organization

+### Enable CloudKnox in your Azure Active Directory (Azure AD) tenant

+To view a video on how to enable CloudKnox in your Azure AD tenant, select [Enable CloudKnox in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+### Configure and onboard Amazon Web Services (AWS) accounts

+To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in CloudKnox, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).

+### Configure and onboard Google Cloud Platform (GCP) accounts

+To view a video on how to configure and onboard Google Cloud Platform (GCP) accounts in CloudKnox, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).

+## Next steps

+- For an overview of CloudKnox, see [What's CloudKnox Permissions Management?](cloudknox-overview.md)

+- For a list of frequently asked questions (FAQs) about CloudKnox, see [FAQs](cloudknox-faqs.md).

+- For information on how to start viewing information about your authorization system in CloudKnox, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).

+### RequestedAuthnContext

+Unless specified otherwise, there are no default values for optional parameters. There is, however, default behavior for a request omitting optional parameters. The default behavior is to either sign in the sole current user, show the account picker if there are multiple users, or show the login page if there are no users signed in.

+You can bulk-invite external users to an organization from email addresses that you've stored in a .CSV file.

+This cmdlet sends an invitation to the email addresses in invitations.csv. More features of this cmdlet include:

+The code sample illustrates how to call the invitation API and get the redemption URL. Use the redemption URL to send a custom invitation email. The email can be composed with an HTTP client, so you can customize how it looks and send it through the Microsoft Graph API.

+# [HTTP](#tab/http)

+```http

+POST https://graph.microsoft.com/v1.0/invitations

+Content-type: application/json

+{

+ "invitedUserEmailAddress": "david@fabrikam.com",

+ "invitedUserDisplayName": "David",

+ "inviteRedirectUrl": "https://myapp.contoso.com",

+ "sendInvitationMessage": true

+}

+```

+# [C#](#tab/csharp)

+using System;

+using System.Threading.Tasks;

+using Microsoft.Graph;

+using Azure.Identity;

+ /// This is the tenant ID of the tenant you want to invite users to.

+ static async Task Main(string[] args)

+ string InviteRedeemUrl = await SendInvitation();

+ private static async string SendInvitation()

+ /// Get the access token for our application to talk to Microsoft Graph.

+ var scopes = new[] { "https://graph.microsoft.com/.default" };

+ var clientSecretCredential = new ClientSecretCredential(TenantID, TestAppClientId, TestAppClientSecret);

+ var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

+ // Create the invitation object.

+ var invitation = new Invitation

+ {

+ InvitedUserEmailAddress = InvitedUserEmailAddress,

+ InvitedUserDisplayName = InvitedUserDisplayName,

+ InviteRedirectUrl = "https://www.microsoft.com",

+ SendInvitationMessage = true

+ };

+ // Send the invitation

+ var GraphResponse = await graphClient.Invitations

+ .Request()

+ .AddAsync(invitation);

+ // Return the invite redeem URL

+ return GraphResponse.InviteRedeemUrl;

+ }

+}

+```

+# [JavaScript](#tab/javascript)

+Install the following npm packages:

+```bash

+npm install express

+npm install isomorphic-fetch

+npm install @azure/identity

+npm install @microsoft/microsoft-graph-client

+```

+```javascript

+const express = require('express')

+const app = express()

+const { Client } = require("@microsoft/microsoft-graph-client");

+const { TokenCredentialAuthenticationProvider } = require("@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials");

+const { ClientSecretCredential } = require("@azure/identity");

+require("isomorphic-fetch");

+// This is the application id of the application that is registered in the above tenant.

+const CLIENT_ID = ""

+// Client secret of the application.

+const CLIENT_SECRET = ""

+// This is the tenant ID of the tenant you want to invite users to. For example fabrikam.onmicrosoft.com

+const TENANT_ID = ""

+async function sendInvite() {

+ // Initialize a confidential client application. For more info, visit: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/AzureIdentityExamples.md#authenticating-a-service-principal-with-a-client-secret

+ const credential = new ClientSecretCredential(TENANT_ID, CLIENT_ID, CLIENT_SECRET);

+ // Initialize the Microsoft Graph authentication provider. For more info, visit: https://docs.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=Javascript#using--for-server-side-applications

+ const authProvider = new TokenCredentialAuthenticationProvider(credential, { scopes: ['https://graph.microsoft.com/.default'] });

+ // Create MS Graph client instance. For more info, visit: https://github.com/microsoftgraph/msgraph-sdk-javascript/blob/dev/docs/CreatingClientInstance.md

+ const client = Client.initWithMiddleware({

+ debugLogging: true,

+ authProvider,

+ });

+ // Create invitation object

+ const invitation = {

+ invitedUserEmailAddress: 'david@fabrikam.com',

+ invitedUserDisplayName: 'David',

+ inviteRedirectUrl: 'https://www.microsoft.com',

+ sendInvitationMessage: true

+ };

+

+ // Execute the MS Graph command. For more information, visit: https://docs.microsoft.com/en-us/graph/api/invitation-post

+ graphResponse = await client.api('/invitations')

+ .post(invitation);

+

+ // Return the invite redeem URL

+ return graphResponse.inviteRedeemUrl

+const inviteRedeemUrl = await sendInvite();

+|Attribute Name |Value |

+|`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | emailaddress |

+ - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services . If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications please see [Microsoft 365 Message center FAQs](https://docs.microsoft.com/microsoft-365/admin/manage/message-center?view=o365-worldwide#frequently-asked-questions&preserve-view=true)

+- [Add or change profile information for a user in Azure Active Directory](active-directory-users-profile-azure-portal.md)

+| Azure Data Share | [Roles and requirements for Azure Data Share](../../data-share/concepts-roles-permissions.md) |

+| Azure DevTest Labs | [Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs](../../devtest-labs/enable-managed-identities-lab-vms.md) |

+1. Install Microsoft.Graph module using [Install-module](/powershell/azure/active-directory/install-adv2).

+3. In a PowerShell window, Use [Connect-MgGraph](/graph/powershell/get-started) to sign into and use Microsoft Graph PowerShell cmdlets.

+ Connect-MgGraph

+4. Use the [List transitiveRoleAssignments](/graph/api/rbacapplication-list-transitiveroleassignments) API to get roles assigned directly and transitively to a user.

+ $response = $null

+ $uri = "https://graph.microsoft.com/beta/roleManagement/directory/transitiveRoleAssignments?`$count=true&`$filter=principalId eq '6b937a9d-c731-465b-a844-2d5b5368c161'"

+ $method = 'GET'

+ $headers = @{'ConsistencyLevel' = 'eventual'}

+

+ $response = (Invoke-MgGraphRequest -Uri $uri -Headers $headers -Method $method -Body $null).value

+1. Use the [List transitiveRoleAssignments](/graph/api/rbacapplication-list-transitiveroleassignments) API to get roles assigned directly and transitively to a user. Add following query to the URL.

+ GET https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?$count=true&$filter=principalId eq '6b937a9d-c731-465b-a844-2d5b5368c161'

+3. Navigate to **Request headers** tab. Add `ConsistencyLevel` as key and `Eventual` as its value.

+5. Select **Run query**.

+> | [Hybrid Identity Administrator](#hybrid-identity-administrator) | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |

+Users in this role can create, manage and deploy provisioning configuration setup from AD to Azure AD using Cloud Provisioning as well as manage Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single Sign-On (Seamless SSO), and federation settings. Users can also troubleshoot and monitor logs using this role.

+When a new pod is created in a namespace monitored by the add-on, OSM will inject an [envoy proxy sidecar](https://docs.openservicemesh.io/docs/guides/app_onboarding/sidecar_injection/) in that pod. Information regarding how to update the envoy version can be found in the [Upgrade Guide](https://docs.openservicemesh.io/docs/getting_started/) on the OpenServiceMesh docs site.

+This example shows how to perform content filtering by removing data elements from the response received from the backend service when using the `Starter` product. The example backend response includes root-level properties similar to the [OpenWeather One Call API](https://openweathermap.org/api/one-call-api).

+<!-- Copy this snippet into the outbound section to remove a number of data elements from the response received from the backend service based on the name of the product -->

+ foreach (var key in new [] {"current", "minutely", "hourly", "daily", "alerts"}) {

+This example shows how to configure API Management response caching duration that matches the response caching of the backend service as specified by the backend service's `Cache-Control` directive.

+This example shows how to configure API Management response caching duration that matches the response caching of the backend service as specified by the backend service's `Cache-Control` directive.

+ <cross-domain-policy>

+ </cross-domain-policy>

+- **Policy scopes:** global

+When you create a custom role, it's easier to start with one of the built-in roles. Edit the attributes to add **Actions**, **NotActions**, or **AssignableScopes**, and then save the changes as a new role. The following example begins with the "API Management Service Reader" role and creates a custom role called "Calculator API Editor." You can assign the custom role at the scope of a specific API. Consequently, this role only has access to that API.

+$role.AssignableScopes.Add('/subscriptions/<Azure subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.ApiManagement/service/<APIM service instance name>/apis/<API name>')

+New-AzRoleAssignment -ObjectId <object ID of the user account> -RoleDefinitionName 'Calculator API Contributor' -Scope '/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.ApiManagement/service/<APIM service instance name>/apis/<API name>'

+ This example shows how to perform content filtering by removing data elements from the response received from a backend service when using the `Starter` product. The example backend response includes root-level properties similar to the [OpenWeather One Call API](https://openweathermap.org/api/one-call-api).

+<!-- Copy this snippet into the outbound section to remove a number of data elements from the response received from the backend service based on the name of the product -->

+ foreach (var key in new [] {"current", "minutely", "hourly", "daily", "alerts"}) {

+ This example shows how to apply policy at the API level to supply context information to the backend service.

+> Exceptions include standardized headers whose values:

+ This example shows how to apply policy at the API level to supply context information to the backend service.

+### Container images

+We provide a variety of container images for self-hosted gateways to meet your needs:

+| Tag convention | Recommendation | Example | Rolling tag | Recommended for production |

+| - | -- | - | - | - |

+| `{major}.{minor}.{patch}` | Use this tag to always to run the same version of the gateway |`2.0.0` | ❌ | ✔️ |

+| `v{major}` | Use this tag to always run a major version of the gateway with every new feature and patch. |`v2` | ✔️ | ❌ |

+| `v{major}-preview` | Use this tag if you always want to run our latest preview container image. | `v2-preview` | ✔️ | ❌ |

+| `latest` | Use this tag if you want to evaluate the self-hosted gateway. | `latest` | ✔️ | ❌ |

+You can find a full list of available tags [here](https://mcr.microsoft.com/v2/azure-api-management/gateway/tags/list).

+#### Use of tags in our official deployment options

+Our deployment options in the Azure portal use the `v2` tag which allows customers to use the most recent version of the self-hosted gateway v2 container image with all feature updates and patches.

+> [!NOTE]

+> We provide the command and YAML snippets as reference, feel free to use a more specific tag if you wish to.

+When installing with our Helm chart, image tagging is optimized for you. The Helm chart's application version pins the gateway to a given version and does not rely on `latest`.

+Learn more on how to [install an API Management self-hosted gateway on Kubernetes with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md).

+#### Risk of using rolling tags

+Rolling tags are tags that are potentially updated when a new version of the container image is released. This allows container users to receive updates to the container image without having to update their deployments.

+This means that you can potentially run different versions in parallel without noticing it, for example when you perform scaling actions once `v2` tag was updated.

+Example - `v2` tag was released with `2.0.0` container image, but when `2.1.0` will be released, the `v2` tag will be linked to the `2.1.0` image.

+> [!IMPORTANT]

+> Consider using a specific version tag in production to avoid unintentional upgrade to a newer version.

+>- Health check doesn't follow 302 redirects.

+>- At most one instance will be replaced per hour, with a maximum of three instances per day per App Service Plan.

+>- If your health check is giving the status `Waiting for health check response` then the check is likely failing due to an HTTP status code of 307, which can happen if you have HTTPS redirect enabled but have `HTTPS Only` disabled.

+[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This quickstart shows how to use the [Azure CLI](/cli/azure/get-started-with-azure-cli) with the [Azure Web App Plugin for Maven](https://github.com/Microsoft/azure-maven-plugins/tree/develop/azure-webapp-maven-plugin) to deploy a .jar file, or .war file. Use the tabs to switch between Java SE and Tomcat instructions.

+The deployment process to Azure App Service will use your Azure credentials from the Azure CLI automatically. If the Azure CLI isn't installed locally, then the Maven plugin will authenticate with Oauth or device sign in. For more information, see [authentication with Maven plugins](https://github.com/microsoft/azure-maven-plugins/wiki/Authentication).

+mvn com.microsoft.azure:azure-webapp-maven-plugin:2.5.0:config

+You can modify the configurations for App Service directly in your `pom.xml`. Some common configurations are listed below:

+`<pricingTier>` | false | The pricing tier for your Web App. The default value is **P1v2** for production workload, while **B2** is the recommended minimum for Java dev/test. For more information, see [App Service Pricing](https://azure.microsoft.com/pricing/details/app-service/linux/)| 0.1.0+

+`<runtime>` | false | The runtime environment configuration. For more information, see [Configuration Details](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+

+`<deployment>` | false | The deployment configuration. For more information, see [Configuration Details](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+

+Be careful about the values of `<appName>` and `<resourceGroup>` (`helloworld-1590394316693` and `helloworld-1590394316693-rg` accordingly in the demo), they'll be used later.

+Once deployment is completed, your application will be ready at `http://<appName>.azurewebsites.net/` (`http://helloworld-1590394316693.azurewebsites.net` in the demo). Open the url with your local web browser, you should see

+In the preceding steps, you created Azure resources in a resource group. If you don't need the resources in the future, delete the resource group from portal, or by running the following command in the Cloud Shell:

+- Install [Node.js LTS and npm](https://nodejs.org). Run the command `node --version` to verify that Node.js is installed.

+- Install [Node.js LTS and npm](https://nodejs.org). Run the command `node --version` to verify that Node.js is installed.

+ npx express-generator myExpressApp --view ejs

+ cd myExpressApp && npm install

+1. Start the development server with debug information.

+ DEBUG=myexpressapp:* npm start

+In the terminal, make sure you're in the *myExpressApp* directory, and deploy the code in your local folder (*myExpressApp*) using the [az webapp up](/cli/azure/webapp#az-webapp-up) command:

+1. From the sample project, open *views/index.ejs* and change

+ ```html

+ <p>Welcome to <%= title %></p>

+ ```html

+ <p>Welcome to Azure</p>

+2. Save your changes, then redeploy the app using the [az webapp up](/cli/azure/webapp#az-webapp-up) command again with no arguments:

+You can also include the `--logs` parameter with then [az webapp up](/cli/azure/webapp#az-webapp-up) command to automatically open the log stream on deployment.

+## Build mode

+## Compare model features

+|Feature|Custom template (form) | Custom neural (document) |

+||||

+|Document structure|Template, form, and structured | Structured, semi-structured, and unstructured|

+|Training time | 1 to 5 minutes | 20 minutes to 1 hour |

+|Data extraction | Key-value pairs, tables, selection marks, coordinates, and signatures | Key-value pairs and selection marks |

+|Document variations | Requires a model per each variation | Uses a single model for all variations |

+|Language support | Multiple [language support](language-support.md#read-layout-and-custom-form-template-model) | United States English (en-US) [language support](language-support.md#custom-neural-model) |

+The general document API supports most form types and will analyze your documents and extract keys and associated values. It's ideal for extracting common key-value pairs from documents. You can use the general document model as an alternative to training a custom model without labels.

+* The general document model is a pre-trained model, doesn't require labels or training.

+Key-value pairs are specific spans within the document that identify a label or key and its associated response or value. In a structured form, these pairs could be the label and the value the user entered for that field or in an unstructured document they could be the date a contract was executed on based on the text in a paragraph. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+Keys can also exist in isolation when the model detects that a key exists, with no associated value or when processing optional fields. For example, a middle name field may be left blank on a form in some instances. key-value pairs are always spans of text contained in the document and if you have documents where same value is described in different ways, for example, a customer or a user, the associated key will be either customer or user based on what the document contained.

+The key value pair extraction model and entity identification model are run in parallel on the entire document and not just on the values of the extracted key-value pairs. This process ensures that complex structures where a key can't be identified is still enriched by identifying the entities referenced. You can still match keys or values to entities based on the offsets of the identified spans.

+## Data extraction

+See how data is extracted from forms and documents using the Form Recognizer Studio or Sample Labeling tool. You'll need the following resources:

+*See* [Language Support](language-support.md) for a complete list of supported handwritten and printed languages.

+## Data extraction

+The layout model extracts table structures, selection marks, printed and handwritten text, and bounding box coordinates from your documents.

+The layout model extracts text from documents and images with multiple text angles and colors. It accepts photos of documents, faxes, printed and/or handwritten (English only) text, and mixed modes. Printed and handwritten text is extracted from lines and words. The service then returns bounding box coordinates, confidence scores, and style (handwritten or other). All the text information is included in the `readResults` section of the JSON output.

+| 🆕[W-2 (preview)](#w-2-preview) | Extract employee, employer, wage information, etc. from US W-2 forms. |

+[:::image type="icon" source="media/studio/read-card.png" :::](https://formrecognizer.appliedai.azure.com/studio/read)

+### W-2 (preview)

+[:::image type="icon" source="media/studio/w2.png":::](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)

+The W-2 model analyzes and extracts key information reported in each box on a W-2 form. The model supports standard and customized forms from 2018 to the present, including both single form and multiple forms (copy A, B, C, D, 1, 2) on one page.

+***Sample W-2 document processed using [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)***:

+> [!div class="nextstepaction"]

+> [Learn more: W-2 model](concept-w2.md)

+[:::image type="icon" source="media/studio/general-document.png":::](https://formrecognizer.appliedai.azure.com/studio/document)

+[:::image type="icon" source="media/studio/layout.png":::](https://formrecognizer.appliedai.azure.com/studio/layout)

+[:::image type="icon" source="media/studio/invoice.png":::](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice)

+[:::image type="icon" source="media/studio/receipt.png":::](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt)

+[:::image type="icon" source="media/studio/id-document.png":::](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument)

+[:::image type="icon" source="media/studio/business-card.png":::](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard)

+ [:::image type="icon" source="media/studio/custom.png":::](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)

+## Model data extraction

+| |:: |::|:: |:: |:: |:: |

+|🆕 [prebuilt-read](concept-read.md#data-extraction) | ✓ | || | | |

+|🆕 [prebuilt-tax.us.w2](concept-w2.md#field-extraction) | ✓ | ✓ | ✓ | ✓ | ✓ ||

+|🆕 [prebuilt-document](concept-general-document.md#data-extraction)| ✓ | ✓ || ✓ | ✓ | ✓ |

+| [prebuilt-layout](concept-layout.md#data-extraction) | Γ£ô | || Γ£ô | Γ£ô | |

+| [prebuilt-invoice](concept-invoice.md#field-extraction) | Γ£ô | Γ£ô |Γ£ô| Γ£ô | Γ£ô ||

+| [prebuilt-receipt](concept-receipt.md#field-extraction) | Γ£ô | Γ£ô |Γ£ô| | ||

+| [prebuilt-idDocument](concept-id-document.md#field-extraction) | Γ£ô | Γ£ô |Γ£ô| | ||

+| [prebuilt-businessCard](concept-business-card.md#field-extraction) | Γ£ô | Γ£ô | Γ£ô| | ||

+| [Custom](concept-custom.md#compare-model-features) |Γ£ô | Γ£ô || Γ£ô | Γ£ô | Γ£ô |

+* [**Read (preview)**](concept-read.md) model is a new API that extracts text lines, words, their locations, detected languages, and handwritten text, if detected.

+The Form Recognizer v3.0 preview includes the new Read API. Read extracts text lines, words, their locations, detected languages, and handwritten style if detected from documents (PDF and TIFF) and images (JPG, PNG, and BMP).

+## Data extraction

+| **Read model** | **Text Extraction** | **[Language detection](language-support.md#detected-languages-by-read)** |

+| | | |

+prebuilt-read | Γ£ô |Γ£ô |

+See how text is extracted from forms and documents using the Form Recognizer Studio. You'll need the following assets:

+* Image dimensions must be between 50 x 50 pixels and 10,000 x 10,000 pixels.

+Read API in v3.0 preview 2 adds [language detection](language-support.md#detected-languages-by-read) as a new feature for text lines. Read will predict the language at the text line level along with the confidence score.

+|**W-2 model**|<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#prebuilt-model)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>|**prebuilt-tax.us.w2**|

+| Employer.IdNumber | b | String | Employer's ID number (EIN), the business equivalent of a social security number| 12-1234567 |

+| Employer.Name | c | String | Employer's name | Contoso |

+| Employer.Address | c | String | Employer's address (with city) | 123 Example Street Sample City, CA |

+| Employer.ZipCode | c | String | Employer's zip code | 12345 |

+| ControlNumber | d | String | A code identifying the unique W-2 in the records of employer | R3D1 |

+| Employee.Name | e | String | Full name of the employee | Henry Ross|

+| Employee.Address | f | String | Employee's address (with city) | 123 Example Street Sample City, CA |

+| Employee.ZipCode | f | String | Employee's zip code | 12345 |

+| WagesTipsAndOtherCompensation | 1 | Number | A summary of your pay, including wages, tips and other compensation | 50000 |

+| FederalIncomeTaxWithheld | 2 | Number | Federal income tax withheld | 1111 |

+| SocialSecurityWages | 3 | Number | Social security wages | 35000 |

+| SocialSecurityTaxWithheld | 4 | Number | Social security tax with held | 1111 |

+| MedicareWagesAndTips | 5 | Number | Medicare wages and tips | 45000 |

+| MedicareTaxWithheld | 6 | Number | Medicare tax with held | 1111 |

+| SocialSecurityTips | 7 | Number | Social security tips | 1111 |

+| AllocatedTips | 8 | Number | Allocated tips | 1111 |

+| DependentCareBenefits | 10 | Number | Dependent care benefits | 1111 |

+| NonqualifiedPlans | 11 | Number | The non-qualified plan, a type of retirement savings plan that is employer-sponsored and tax-deferred | 1111 |

+| AdditionalInfo | | Array of objects | An array of LetterCode and Amount | |

+| LetterCode | 12a, 12b, 12c, 12d | String | Letter code Refer to [IRS/W-2](https://www.irs.gov/pub/irs-prior/fw2--2014.pdf) for the semantics of the code values. | D |

+| IsStatutoryEmployee | 13 | String | Whether the RetirementPlan box is checked or not | true |

+| IsRetirementPlan | 13 | String | Whether the RetirementPlan box is checked or not | true |

+| IsThirdPartySickPay | 13 | String | Whether the ThirdPartySickPay box is checked or not | false |

+| Other | 14 | String | Other info employers may use this field to report | |

+| StateTaxInfos | | Array of objects | An array of state tax info including State, EmployerStateIdNumber, StateIncomeTax, StageWagesTipsEtc | |

+| EmployerStateIdNumber | 15 | String | Employer state number | 123-123-1234 |

+| StateIncomeTax | 17 | Number | State income tax | 1535 |

+| LocalTaxInfos | | Array of objects | An array of local income tax info including LocalWagesTipsEtc, LocalIncomeTax, LocalityName | |

+| LocalIncomeTax | 19 | Number | Local income tax | 750 |

+ | W2Copy | | String | Copy of W-2 forms A, B, C, D, 1, or 2 | Copy A For Social Security Administration |

+| TaxYear | | Number | Tax year | 2020 |

+| W2FormVariant | | String | The variants of W-2 forms, including "W-2", "W-2AS", "W-2CM", "W-2GU", "W-2VI" | W-2 |

+|Programming language | :::image type="content" source="media/form-recognizer-icon.png" alt-text="Form Recognizer icon from the Azure portal."::: |Programming language

+|::|::|::|

+|[**C#**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)||[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)|

+|[**Java**](quickstarts/try-v3-java-sdk.md#prebuilt-model)||[**Python**](quickstarts/try-v3-python-sdk.md#prebuilt-model)|

+|[**REST API**](quickstarts/try-v3-rest-api.md#prebuilt-model)|||

+Form Recognizer uses the following models to easily identify, extract, and analyze document data:

+* [**W-2 form model**](concept-w2.md) | Extract text and key information from US W2 tax forms.

+* [**Read model**](concept-read.md) | Extract printed and handwritten text lines, words, locations, and detected languages from documents and images.

+* [**General document model**](concept-general-document.md) | Extract key-value pairs, selection marks, and entities from documents.

+* [**Invoice model**](concept-invoice.md) | Extract text, selection marks, tables, key-value pairs, and key information from invoices.

+* [**Receipt model**](concept-receipt.md) | Extract text and key information from receipts.

+* [**ID document model**](concept-id-document.md) | Extract text and key information from driver licenses and international passports.

+* [**Business card model**](concept-business-card.md) | Extract text and key information from business cards.

+## Which Form Recognizer feature should I use?

+This section helps you decide which Form Recognizer v3.0 supported feature you should use for your application:

+| What type of document do you want to analyze?| How is the document formatted? | Your best solution |

+| --|-| -|

+|<ul><li>**W-2 Form**</li></yl>| Is your W-2 document composed in United States English (en-US) text?|<ul><li>If **Yes**, use the [**W-2 Form**](concept-w2.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model.</li></ul>|

+|<ul><li>**Text-only document**</li></yl>| Is your text-only document _printed_ in a [supported language](language-support.md#read-layout-and-custom-form-template-model) or, if handwritten, is it composed in English?|<ul><li>If **Yes**, use the [**Read**](concept-invoice.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model.</li></ul>

+|<ul><li>**Invoice**</li></yl>| Is your invoice document composed in English or Spanish text?|<ul><li>If **Yes**, use the [**Invoice**](concept-invoice.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model.</li></ul>

+|<ul><li>**Receipt**</li><li>**Business card**</li></ul>| Is your receipt or business card document composed in English text? | <ul><li>If **Yes**, use the [**Receipt**](concept-receipt.md) or [**Business Card**](concept-business-card.md) model.</li><li>If **No**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model.</li></ul>|

+|<ul><li>**ID document**</li></ul>| Is your ID document a US driver's license or an international passport?| <ul><li>If **Yes**, use the [**ID document**](concept-id-document.md) model.</li><li>If **No**, use the[**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model</li></ul>|

+ |<ul><li>**Form** or **Document**</li></ul>| Is your form or document an industry-standard format commonly used in your business or industry?| <ul><li>If **Yes**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md).</li><li>If **No**, you can [**Train and build a custom model**](quickstarts/try-sample-label-tool.md#train-a-custom-form-model).

+|[🆕 **Read**](concept-read.md)|Extract text lines, words, detected languages, and handwritten style if detected.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/read)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md#general-document-model)</li><li>[**C# SDK**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_AnalyzePrebuiltRead.md)</li><li>[**Python SDK**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-bet#general-document-model)</li><li>[**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/118feb81eb57dbf6b4f851ef2a387ed1b1a86bde/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/readDocument.js)</li></ul> |

+|[🆕 **W-2 Form**](concept-w2.md) | Extract information reported in each box on a W-2 form.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)<li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul> |

+|[🆕 **General document model**](concept-general-document.md)|Extract text, tables, structure, key-value pairs and, named entities.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/document)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md#general-document-model)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#general-document-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#general-document-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#general-document-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#general-document-model)</li></ul> |

+|[**Layout model**](concept-layout.md) | Extract text, selection marks, and tables structures, along with their bounding box coordinates, from forms and documents.</br></br> Layout API has been updated to a prebuilt model. | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/layout)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md#layout-model)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#layout-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#layout-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#layout-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#layout-model)</li></ul>|

+[Reference documentation](/dotnet/api/azure.ai.formrecognizer.documentanalysis?view=azure-dotnet-preview&preserve-view=true) | [Library Source Code](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.FormRecognizer_4.0.0-beta.3/sdk/formrecognizer/Azure.AI.FormRecognizer/) | [Package (NuGet)](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/README.md)

+* After your resource deploys, select **Go to resource**. You need the key and endpoint from the resource you create to connect your application to the Form Recognizer API. You'll paste your key and endpoint into the code below later in the quickstart:

+In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+> [!TIP]

+> You aren't limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. See [**model data extraction**](../concept-model-overview.md#model-data-extraction).

+> * Analyze an invoice using the prebuilt-invoice model. You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

+## Prebuilt models

+Prebuilt models help you add Form Recognizer features to your apps without having to build, train, and publish your own models. You can choose from several prebuilt models, each of which has its own set of supported data fields. The choice of model to use for the analyze operation depends on the type of document to be analyzed. The following prebuilt models are currently supported by Form Recognizer:

+* [🆕 **General document**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=document): extract text, tables, structure, key-value pairs and named entities.

+* [🆕**W-2**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2): extract text and key information from W-2 tax forms.

+* [🆕 **Read**](https://formrecognizer.appliedai.azure.com/studio/read): extract text lines, words, their locations, detected languages, and handwritten style if detected from documents (PDF, TIFF) and images (JPG, PNG, BMP).

+* [**Layout**](https://formrecognizer.appliedai.azure.com/studio/layout): extract text, tables, selection marks, and structure information from documents (PDF, TIFF) and images (JPG, PNG, BMP).

+* [**Invoice**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice): extract text, selection marks, tables, key-value pairs, and key information from invoices.

+* [**Receipt**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt): extract text and key information from receipts.

+* [**ID document**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument): extract text and key information from driver licenses and international passports.

+* [**Business card**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard): extract text and key information from business cards.

+After you've completed the prerequisites, navigate to the [Form Recognizer Studio General Documents preview](https://formrecognizer.appliedai.azure.com). In the following example, we use the General Documents feature. The steps to use other pre-trained features like [W2 tax form](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2), [Read](https://formrecognizer.appliedai.azure.com/studio/read), [Layout](https://formrecognizer.appliedai.azure.com/studio/layout), [Invoice](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice), [Receipt](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt), [Business card](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard), and [ID documents](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument) models are similar.

+1. This is a one-time step unless you've already selected the service resource from prior use. Select your Azure subscription, resource group, and resource. (You can change the resources anytime in "Settings" in the top menu.) Review and confirm your selections.

+[CORS (Cross Origin Resource Sharing)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) needs to be configured on your Azure storage account for it to be accessible from the Form Recognizer Studio. To configure CORS in the Azure portal, you'll need access to the CORS blade of your storage account.

+7. Select the save button at the top of the page to save the changes.

+1. From the labeling view, define the labels and their types that you're interested in extracting.

+1. Use the Delete command to delete models that aren't required.

+For custom form models, while creating your custom models, you may need to extract data collections from your documents. Data collections may appear in a couple of formats. Using tables as the visual pattern:

+ You'll create the following directory structure:

+In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+> [!TIP]

+> You aren't limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. See [**model data extraction**](../concept-model-overview.md#model-data-extraction).

+> * Analyze an invoice using the prebuilt-invoice model. You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

+In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+> [!TIP]

+> You aren't limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. See [**model data extraction**](../concept-model-overview.md#model-data-extraction).

+> * Analyze an invoice using the prebuilt-invoice model. You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

+* After your resource deploys, select **Go to resource**. You need the key and endpoint from the resource you create to connect your application to the Form Recognizer API. You'll paste your key and endpoint into the code below later in the quickstart:

+In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+> [!TIP]

+> You aren't limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. See [**model data extraction**](../concept-model-overview.md#model-data-extraction).

+> * Analyze an invoice using the prebuilt-invoice model. You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

+* [🆕 **General document**](#general-document-model)—Analyze and extract text, tables, structure, key-value pairs, and named entities.

+* [**Layout**](#layout-model)ΓÇöAnalyze and extract tables, lines, words, and selection marks like radio buttons and check boxes in forms documents, without the need to train a model.

+* [**Prebuilt Model**](#prebuilt-model)ΓÇöAnalyze and extract data from common document types, using a pre-trained model.

+* [**General document**](#general-document-model)

+* [**Layout**](#layout-model)

+* [**Prebuilt Model**](#prebuilt-model)

+## General document model

+You'll receive a `200 (Success)` response with JSON output. The first field, `"status"`, indicates the status of the operation. If the operation isn't complete, the value of `"status"` will be `"running"` or `"notStarted"`, and you should call the API again, either manually or through a script. We recommend an interval of one second or more between calls.

+## Layout model

+## Prebuilt model

+In this example, we'll analyze an invoice using the **prebuilt-invoice** model.

+> [!TIP]

+> You aren't limited to invoicesΓÇöthere are several prebuilt models to choose from, each of which has its own set of supported fields. The model to use for the analyze operation depends on the type of document to be analyzed. See [**model data extraction**](../concept-model-overview.md#model-data-extraction).

+#### Try the prebuilt invoice model

+> [!div class="checklist"]

+>

+> * Analyze an invoice document using a prebuilt model.

+> * You can use our [sample invoice document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-invoice.pdf) for this quickstart.

+ Title: Onboard an Azure Arc-enabled server to Azure Automanage with an ARM template

+description: Learn how to onboard an Azure Arc-enabled server to Azure Automanage with an Azure Resource Manager template.

+# Onboard an Azure Arc-enabled server to Automanage with an Azure Resource Manager template (ARM template)

+Follow the steps to onboard an Azure Arc-enabled server to Automanage Best Practices using an ARM template.

+## Prerequisites

+* You must have an Azure Arc-enabled server already registered in your subscription

+* You must have necessary [Role-based access control permissions](./automanage-virtual-machines.md#required-rbac-permissions)

+* You must use one of the [supported operating systems](./automanage-arc.md#supported-operating-systems)

+## ARM template overview

+The following ARM template will onboard your specified Azure Arc-enabled server onto Azure Automanage Best Practices. Details on the ARM template and steps on how to deploy are located in the ARM template deployment [section](#arm-template-deployment).

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "machineName": {

+ "type": "String"

+ },

+ "configurationProfile": {

+ "type": "String"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.HybridCompute/machines/providers/configurationProfileAssignments",

+ "apiVersion": "2021-04-30-preview",

+ "name": "[concat(parameters('machineName'), '/Microsoft.Automanage/default')]",

+ "properties": {

+ "configurationProfile": "[parameters('configurationProfile')]"

+ }

+ }

+ ]

+}

+```

+## ARM template deployment

+This ARM template will create a configuration profile assignment for your specified Azure Arc-enabled machine.

+The `configurationProfile` value can be one of the following values:

+* "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction"

+* "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest"

+Follow these steps to deploy the ARM template:

+1. Save this ARM template as `azuredeploy.json`.

+1. Run this ARM template deployment with `az deployment group create --resource-group myResourceGroup --template-file azuredeploy.json`.

+1. Provide the values for machineName, and configurationProfileAssignment when prompted.

+1. You're ready to deploy.

+As with any ARM template, it's possible to factor out the parameters into a separate `azuredeploy.parameters.json` file and use that as an argument when deploying.

+## Next steps

+Learn more about Automanage for [Azure Arc](./automanage-arc.md).

+Learn more about Automanage for [Linux](./automanage-linux.md) and [Windows](./automanage-windows-server.md)

+- When you start PowerShell 7 runbook using the webhook, it auto-converts the webhook input parameter to an invalid JSON.

+ Title: Connect VMware vCenter Server to Azure Arc by using the helper script

+description: In this quickstart, you'll learn how to use the helper script to connect your VMware vCenter Server instance to Azure Arc.

+# Customer intent: As a VI admin, I want to connect my vCenter Server instance to Azure to enable self-service through Azure Arc.

+# Quickstart: Connect VMware vCenter Server to Azure Arc by using the helper script

+To start using the Azure Arc-enabled VMware vSphere (preview) features, you need to connect your VMware vCenter Server instance to Azure Arc. This quickstart shows you how to connect your VMware vCenter Server instance to Azure Arc by using a helper script.

+First, the script deploys a virtual appliance called [Azure Arc resource bridge (preview)](../resource-bridge/overview.md) in your vCenter environment. Then, it installs a VMware cluster extension to provide a continuous connection between vCenter Server and Azure Arc.

+> In the interest of ensuring that new features are documented no later than their release, this article might include documentation for features that aren't yet publicly available.

+- A resource group in the subscription where you're a member of the *Owner/Contributor* role.

+- vCenter Server version 6.7.

+- Inbound connections allowed on TCP port (usually 443) so that the Azure Arc resource bridge and VMware cluster extension can communicate with the vCenter Server instance.

+- A resource pool or a cluster with a minimum capacity of 16 GB of RAM and four vCPUs.

+> Azure Arc-enabled VMware vSphere (preview) supports vCenter Server instances with a maximum of 2,500 virtual machines (VMs). If your vCenter Server instance has more than 2,500 VMs, we don't recommend that you use Azure Arc-enabled VMware vSphere with it at this point.

+### vSphere account

+You need a vSphere account that can:

+- Read all inventory.

+- Deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.

+This account is used for the ongoing operation of Azure Arc-enabled VMware vSphere (preview) and the deployment of the Azure Arc resource bridge (preview) VM.

+You need a Windows or Linux machine that can access both your vCenter Server instance and the internet, directly or through a proxy.

+2. Ensure that the vSphere accounts have the appropriate permissions.

+1. Go to the Azure portal.

+2. Search for **Azure Arc** and select it.

+3. On the **Overview** page, select **Add** under **Add your infrastructure for free** or move to the **Infrastructure** tab.

+4. In the **Platform** section, select **Add** under **VMware vCenter**.

+ :::image type="content" source="media/add-vmware-vcenter.png" alt-text="Screenshot that shows how to add VMware vCenter through Azure Arc.":::

+5. Select **Create a new resource bridge**, and then select **Next**.

+6. Provide a name of your choice for the Azure Arc resource bridge. For example: **contoso-nyc-resourcebridge**.

+7. Select a subscription and resource group where the resource bridge will be created.

+8. Under **Region**, select an Azure location where the resource metadata will be stored. Currently, supported regions are **East US** and **West Europe**.

+9. Provide a name for **Custom location**. This is the name that you'll see when you deploy VMs. Name it for the datacenter or the physical location of your datacenter. For example: **contoso-nyc-dc**.

+10. Leave **Use the same subscription and resource group as your resource bridge** selected.

+11. Provide a name for your vCenter Server instance in Azure. For example: **contoso-nyc-vcenter**.

+12. Select **Next: Download and run script**.

+13. If your subscription is not registered with all the required resource providers, a **Register** button will appear. Select the button before you proceed to the next step.

+ :::image type="content" source="media/register-arc-vmware-providers.png" alt-text="Screenshot that shows the button to register required resource providers during vCenter onboarding to Azure Arc.":::

+14. Based on the operating system of your workstation, download the PowerShell or Bash script and copy it to the [workstation](#prerequisites).

+15. If you want to see the status of your onboarding after you run the script on your workstation, select **Next: Verification**. Closing this page won't affect the onboarding.

+Use the following instructions to run the script, depending on which operating system your machine is using.

+### Windows

+1. Open a PowerShell window and go to the folder where you've downloaded the PowerShell script.

+2. Run the following command to allow the script to run, because it's an unsigned script. (If you close the session before you complete all the steps, run this command again for the new session.)

+3. Run the script:

+1. Open the terminal and go to the folder where you've downloaded the Bash script.

+2. Run the script by using the following command:

+A typical onboarding that uses the script takes 30 to 60 minutes. During the process, you're prompted for the following details:

+| **Requirement** | **Details** |

+| **Azure login** | When you're prompted, go to the [device sign-in page](https://www.microsoft.com/devicelogin), enter the authorization code shown in the terminal, and sign in to Azure. |

+| **vCenter FQDN/Address** | Enter the fully qualified domain name for the vCenter Server instance (or an IP address). For example: **10.160.0.1** or **nyc-vcenter.contoso.com**. |

+| **vCenter Username** | Enter the username for the vSphere account. The required permissions for the account are listed in the [prerequisites](#prerequisites). |

+| **vCenter password** | Enter the password for the vSphere account. |

+| **Data center selection** | Select the name of the datacenter (as shown in the vSphere client) where the Azure Arc resource bridge's VM should be deployed. |

+| **Network selection** | Select the name of the virtual network or segment to which the VM must be connected. This network should allow the appliance to communicate with vCenter Server and the Azure endpoints (or internet). |

+| **Static IP / DHCP** | If you have DHCP server in your network and want to use it, enter **y**. Otherwise, enter **n**. </br>When you choose a static IP configuration, you're asked for the following information: </br> 1. **Static IP address prefix**: Network address in CIDR notation. For example: **192.168.0.0/24**. </br> 2. **Static gateway**: Gateway address. For example: **192.168.0.0**. </br> 3. **DNS servers**: Comma-separated list of DNS servers. </br> 4. **Start range IP**: Minimum size of two available IP addresses is required. One IP address is for the VM, and the other is reserved for upgrade scenarios. Provide the starting IP of that range. </br> 5. **End range IP**: Last IP address of the IP range requested in the previous field. </br> 6. **VLAN ID** (optional) |

+| **Resource pool** | Select the name of the resource pool to which the Azure Arc resource bridge's VM will be deployed. |

+| **Data store** | Select the name of the datastore to be used for the Azure Arc resource bridge's VM. |

+| **Folder** | Select the name of the vSphere VM and the template folder where the Azure Arc resource bridge's VM will be deployed. |

+| **VM template Name** | Provide a name for the VM template that will be created in your vCenter Server instance based on the downloaded OVA file. For example: **arc-appliance-template**. |

+| **Control Pane IP** | Provide a reserved IP address in your DHCP range, or provide a static IP address that's outside the DHCP range but still available on the network. Ensure that this IP address isn't assigned to any other machine on the network. |

+| **Appliance proxy settings** | Enter **y** if there's a proxy in your appliance network. Otherwise, enter **n**. </br> You need to populate the following boxes when you have a proxy set up: </br> 1. **Http**: Address of the HTTP proxy server. </br> 2. **Https**: Address of the HTTPS proxy server. </br> 3. **NoProxy**: Addresses to be excluded from the proxy. </br> 4. **CertificateFilePath**: For SSL-based proxies, the path to the certificate to be used.

+After the command finishes running, your setup is complete. You can now try out the capabilities of Azure Arc-enabled VMware vSphere.

+> [!IMPORTANT]

+> WEBSITE_VNET_ROUTE_ALL is a legacy app setting that has been replaced by the [vnetRouteAllEnabled configuration setting](../app-service/configure-vnet-integration-routing.md).

+Messaging-specific parameter types contain additional message metadata. The specific types supported by the Service Bus trigger depend on the Functions runtime version, the extension package version, and the C# modality used.

+[BrokeredMessage]: /dotnet/api/microsoft.servicebus.messaging.brokeredmessage

+Add the extension to your project installing this [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.ServiceBus).

+[Update your extensions]: ./functions-bindings-register.md

+1. Ensure that the **Route All** configuration setting is set to **Enabled**.

+ :::image type="content" source="./media/functions-create-vnet/10-enable-route-all.png" alt-text="Screenshot of how to enable route all functionality.":::

+The following table compares the scaling behaviors of the various hosting plans.

+Maximum instances are given on a per-function app (Consumption) or per-plan (Premium/Dedicated) basis, unless otherwise indicated.

+| [Azure Queue Storage](../storage/queues/storage-queues-introduction.md) | Used by [task hubs in Durable Functions](durable/durable-functions-task-hubs.md) and for failure and retry handling by [specific Azure Functions](./functions-bindings-storage-blob-trigger.md) triggers. |

+|OPINSIGHTS_PROXY_URL | URI for the proxy to use. Example: OPINSIGHTS_PROXY_URL=IPAddress:Port or OPINSIGHTS_PROXY_URL=FQDN:Port |

+The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. This gateway sends data to Azure Automation and a Log Analytics workspace in Azure Monitor on behalf of the computers that cannot directly connect to the internet. The gateway is only for log agent related connectivity and does not support Azure Automation features like runbook, DSC, and others.

+**SCOPE**

+Each alert processing rule has a scope. A scope is a list of one or more specific Azure resources, or specific resource group, or an entire subscription. **The alert processing rule will apply to alerts that fired on resources within that scope**.

+**FILTERS**

+You can also define filters to narrow down which specific subset of alerts are affected within the scope. The available filters are:

+* **Alert rule id** - the rule will apply only to alerts from a specific alert rule. The value should be the full resource ID, for example `/subscriptions/SUB1/resourceGroups/RG1/providers/microsoft.insights/metricalerts/MY-API-LATENCY`.

+You can locate the alert rule ID by opening a specific alert rule in the portal, clicking "Properties", and copying the "Resource ID" value.

+You can also locate it by listing your alert rules from PowerShell or CLI.

+For example, you can use this filter with "Does not equal" to exclude one or more resources when the rule's scope is a subscription.

+For example, you can use this filter with "Does not equal" to exclude one or more resource groups when the rule's scope is a subscription.

+* **Resource type** - the rule will apply only to alerts on resource from the specified resource types, such as virtual machines. You can use "Equals" to match one or more specific resources, or you can use contains to match a resource type and all its child resources.

+For example, use "contains MICROSOFT.SQL/SERVERS" to match both SQL servers and all their child resources, like databases.

+* **Severity** - the rule will apply only to alerts with the selected severities.

+**FILTERS BEHAVIOR**

+* If you define multiple filters in a rule, all of them apply - there is a logical AND between all filters.

+ For example, if you set both `resource type = "Virtual Machines` and `severity = "Sev0`, then the rule will apply only for Sev0 alerts on virtual machines in the scope.

+* Each filter may include up to five values, and there is a logical OR between the values.

+ For example, if you set `description contains ["this", "that"]`, then the rule will apply only to alerts whose description contains either "this" or "that".

+You can use the Azure CLI to work with alert processing rules. See the `az monitor alert-processing-rules` [page in the Azure CLI docs](/cli/azure/monitor/alert-processing-rule) for detailed documentation and examples.

+ If you're using a local installation of the CLI, sign in using the `az login` [command](/cli/azure/reference-index#az-login). Follow the steps displayed in your terminal to complete the authentication process.

+ --name 'AddActionGroupToSubscription' \

+ --rule-type AddActionGroups \

+ --scopes "/subscriptions/SUB1" \

+ --action-groups "/subscriptions/SUB1/resourcegroups/RG1/providers/microsoft.insights/actiongroups/AG1" \

+ --resource-group RG1 \

+ --description "Add action group AG1 to all alerts in the subscription"

+You can use PowerShell to work with alert processing rules. See the `*-AzAlertProcessingRule` commands [in the PowerShell docs](/powershell/module/az.alertsmanagement) for detailed documentation and examples.

+Set-AzAlertProcessingRule `

+ -Name AddActionGroupToSubscription `

+ -AlertProcessingRuleType AddActionGroups `

+ -Scope /subscriptions/SUB1 `

+ -ActionGroupId /subscriptions/SUB1/resourcegroups/RG1/providers/microsoft.insights/actiongroups/AG1 `

+ -ResourceGroupName RG1 `

+ -Description "Add action group AG1 to all alerts in the subscription"

+The [PowerShell documentation](/cli/azure/monitor/alert-processing-rule#az-monitor-alert-processing-rule-create) include more examples and an explanation of each parameter.

+az monitor alert-processing-rules show --resource-group RG1 --name MyRule

+az monitor alert-processing-rules update --resource-group RG1 --name MyRule --status Disabled

+az monitor alert-processing-rules delete --resource-group RG1 --name MyRule

+Get-AzAlertProcessingRule -ResourceGroupName RG1 -Name MyRule | Format-List

+Update-AzAlertProcessingRule -ResourceGroupName RG1 -Name MyRule -Enabled False

+Remove-AzAlertProcessingRule -ResourceGroupName RG1 -Name MyRule

+Insert a few lines of code in your application to find out what users are doing with it, or to help diagnose issues. You can send telemetry from device and desktop apps, web clients, and web servers. Use the [Azure Application Insights](./app-insights-overview.md) core telemetry API to send custom events and metrics, and your own versions of standard telemetry. This API is the same API that the standard Application Insights data collectors use.

+When using Flush(), we recommend this [pattern](./console.md#full-example):

+When using FlushAsync(), we recommend this pattern:

+```csharp

+await telemetryClient.FlushAsync()

+```

+We recommend always flushing as part of the application shutdown to guarantee that telemetry is not lost.

+> [!NOTE]

+> The Java and Javascript SDKs automatically flush on application shutdown.

+> [Connection strings](./sdk-connection-string.md?tabs=net) are the new preferred method of setting custom endpoints within Application Insights.

+The Application Insights SDK for [ASP.NET](https://nuget.org/packages/Microsoft.ApplicationInsights.Web) and [ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) detect, using environment variables, if code is deployed to a Web App and non-Windows container. This determines whether it collects performance counters from applications using environment variables when in a sandbox environment or utilizing the standard collection mechanism when hosted on a Windows Container or Virtual Machine.

+### 2.0.0-beta3

+- Update ApplicationInsights .NET/.NET Core SDK to 2.20.1-redfield.

+- Enable SQL query collection.

+https://www.multitech.com/documents/publications/reference-guides/Telit_LE910-V2_Modules_AT_Commands_Reference_Guide_r5.pdf).

+As you prepare for migrating SQL Server databases to SQL Server on Azure VMs, be sure to consider the versions of SQL Server that are supported. For a list of current supported SQL Server versions on Azure VMs, please see [SQL Server on Azure VMs](../../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md#getting-started).

+The SQL Server IaaS Agent extension unlocks a number of feature benefits for managing your SQL Server VM. You can register your SQL Server VM in lightweight management mode, which unlocks a few of the benefits, or in full management mode, which unlocks all available benefits.

+This article provides an overview of SQL Server on Azure Virtual Machines (VMs) on the Windows platform.

+If you're new to SQL Server on Azure VMs, check out the *SQL Server on Azure VM Overview* video from our in-depth [Azure SQL video series](/shows/Azure-SQL-for-Beginners?WT.mc_id=azuresql4beg_azuresql-ch9-niner):

+> [!VIDEO https://docs.microsoft.com/shows/Azure-SQL-for-Beginners/SQL-Server-on-Azure-VM-Overview-4-of-61/player]

+## Overview

+## Feature benefits

+When you register your SQL Server on Azure VM with the [SQL IaaS agent extension](sql-server-iaas-agent-extension-automate-management.md) you unlock a number of feature benefits. You can register your SQL Server VM in lightweight management mode, which unlocks a few of the benefits, or in full management mode, which unlocks all available benefits. Registering with the extension is completely free.

+The following table details the benefits unlocked by the extension:

+## Getting started

+To get started with SQL Server on Azure VMs, review the following resources:

+- **Create SQL VM**: To create your SQL Server on Azure VM, review the Quickstarts using the [Azure portal](sql-vm-create-portal-quickstart.md), [Azure PowerShell](sql-vm-create-powershell-quickstart.md) or an [ARM template](create-sql-vm-resource-manager-template.md). For more thorough guidance, review the [Provisioning guide](create-sql-vm-portal.md).

+- **Connect to SQL VM**: To connect to your SQL Server on Azure VMs, review the [ways to connect](ways-to-connect-to-sql.md).

+- **Migrate data**: Migrate your data to SQL Server on Azure VMs from [SQL Server](../../migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md), [Oracle](../../migration-guides/virtual-machines/oracle-to-sql-on-azure-vm-guide.md), or [Db2](../../migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide.md).

+- **Storage configuration**: For information about configuring storage for your SQL Server on Azure VMs, review [Storage configuration](storage-configuration.md).

+- **Performance**: Fine-tune the performance of your SQL Server on Azure VM by reviewing the [Performance best practices checklist](performance-guidelines-best-practices-checklist.md).

+- **Pricing**: For information about the pricing structure of your SQL Server on Azure VM, review the [Pricing guidance](pricing-guidance.md).

+- **Frequently asked questions**: For commonly asked questions, and scenarios, review the [FAQ](frequently-asked-questions-faq.yml).

+## Licensing

+Azure only maintains one virtual machine image for each supported operating system, version, and edition combination. This means that over time images are refreshed, and older images are removed. For more information, see the **Images** section of the [SQL Server VMs FAQ](./frequently-asked-questions-faq.yml).

+> Change the licensing model of a pay-per-usage SQL Server VM to use your own license. For more information, see [How to change the licensing model for a SQL Server VM](licensing-model-azure-hybrid-benefit-ahb-change.md).

+Since SQL Server on Azure VMs is integrated into the Azure platform, review resources from related products and services that interact with the SQL Server on Azure VM ecosystem:

+- **Windows virtual machines**: [Azure Virtual Machines overview](../../../virtual-machines/windows/overview.md)

+- **Storage**: [Introduction to Microsoft Azure Storage](../../../storage/common/storage-introduction.md)

+- **Networking**: [Virtual Network overview](../../../virtual-network/virtual-networks-overview.md), [IP addresses in Azure](../../../virtual-network/ip-services/public-ip-addresses.md), [Create a Fully Qualified Domain Name in the Azure portal](../../../virtual-machines/create-fqdn.md)

+- **SQL**: [SQL Server documentation](/sql/index), [Azure SQL Database comparison](../../azure-sql-iaas-vs-paas-what-is-overview.md)

+- [NETSCOUT](https://www.netscout.com/technology-partners/microsoft-azure)

+- [Turbonomic](https://blog.turbonomic.com/turbonomic-announces-partnership-and-support-for-azure-vmware-service)

+ Title: Operating system support for Azure VMware Solution virtual machines

+description: Learn about operating system support for your Azure VMware Solution virtual machines.

+# Operating system support for Azure VMware Solution virtual machines

+Azure VMware Solution supports a wide range of operating systems to be used in the guest virtual machines. Being based on VMware vSphere, currently 6.7 version, all operating systems currently supported by vSphere can be used by any Azure VMware Solution customer for their workloads.

+Check the list of operating systems and configurations supported in the [VMware Compatibility Guide](https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software), create a query for ESXi 6.7 Update 3 and select all operating systems and vendors.

+Additionally to the supported operating systems by VMware on vSphere we have worked with Red Hat, SUSE and Canonical to extend the support model currently in place for Azure Virtual Machines to the workloads running on Azure VMware Solution, given that it is a first-party Azure service. You can check the following sites of vendors for more information about the benefits of running their operating system on Azure.

+- [Red Hat Enterprise Linux](https://access.redhat.com/ecosystem/microsoft-azure)

+- [Ubuntu Server](https://ubuntu.com/azure)

+- [SUSE Enterprise Linux Server](https://www.suse.com/partners/alliance/microsoft/)

+ :::image type="content" source="./media/backup-azure-arm-restore-vms/trigger-restore-operation-disks.png" alt-text="Screenshot showing to select Resource disks.":::

+This article shows you how to deploy Azure Bastion with the Standard SKU using PowerShell. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on your VM and maintain yourself. An Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

+If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+> [!NOTE]

+> The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

+>

+## Prerequisites

+The following prerequisites are required.

+### <a name="values"></a>Example values

+You can use the following example values when creating this configuration, or you can substitute your own.

+**Basic VNet and VM values:**

+|**Name** | **Value** |

+| | |

+| Virtual machine| TestVM |

+| Resource group | TestRG1 |

+| Region | East US |

+| Virtual network | VNet1 |

+| Address space | 10.1.0.0/16 |

+| Subnets | FrontEnd: 10.1.0.0/24 |

+**Azure Bastion values:**

+|**Name** | **Value** |

+| | |

+| Name | VNet1-bastion |

+| Subnet Name | FrontEnd |

+| Subnet Name | AzureBastionSubnet|

+| AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger.<br> For example, 10.1.1.0/26. |

+| Tier/SKU | Standard |

+| Public IP address | Create new |

+| Public IP address name | VNet1-ip |

+| Public IP address SKU | Standard |

+| Assignment | Static |

+## Deploy Bastion

+This section helps you create a virtual network, subnets, and deploy Azure Bastion using Azure PowerShell.

+1. Create an Azure resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). A resource group is a logical container into which Azure resources are deployed and managed. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.

+ New-AzResourceGroup -Name TestRG1 -Location EastUS

+1. Create a virtual network.

+ ```azurepowershell-interactive

+ $virtualNetwork = New-AzVirtualNetwork `

+ -ResourceGroupName TestRG1 `

+ -Location EastUS `

+ -Name VNet1 `

+ -AddressPrefix 10.1.0.0/16

+ ```

+1. Set the configuration for the virtual network.

+ $virtualNetwork | Set-AzVirtualNetwork

+1. Configure and set a subnet for your virtual network. This will be the subnet to which you'll deploy a VM. The variable used for *-VirtualNetwork* was set in the previous steps.

+ $subnetConfig = Add-AzVirtualNetworkSubnetConfig `

+ -Name 'FrontEnd' `

+ -AddressPrefix 10.1.0.0/24 `

+ -VirtualNetwork $virtualNetwork

+ ```azurepowershell-interactive

+ $virtualNetwork | Set-AzVirtualNetwork

+ ```

+1. Configure and set the Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources. You must create the Azure Bastion subnet using the name value **AzureBastionSubnet**. This value lets Azure know which subnet to deploy the Bastion resources to. The example below also helps you add an Azure Bastion subnet to an existing VNet.

+ [!INCLUDE [Important about BastionSubnet size.](../../includes/bastion-subnet-size.md)]

+ Declare the variable.

+ ```azurepowershell-interactive

+ $virtualNetwork = Get-AzVirtualNetwork -Name "VNet1" `

+ -ResourceGroupName "TestRG1"

+ ```

+ Add the configuration.

+ ```azurepowershell-interactive

+ Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" `

+ -VirtualNetwork $virtualNetwork -AddressPrefix "10.1.1.0/26" `

+ ```

+ Set the configuration.

+ ```azurepowershell-interactive

+ $virtualNetwork | Set-AzVirtualNetwork

+ ```

+1. Create a public IP address for Azure Bastion. The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating.

+ ```azurepowershell-interactive

+ $publicip = New-AzPublicIpAddress -ResourceGroupName "TestRG1" -name "VNet1-ip" -location "EastUS" -AllocationMethod Static -Sku Standard

+ ```

+1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Standard SKU**. The Standard SKU lets you configure more Bastion features and connect to VMs using more connection types. For more information, see [Bastion SKUs](configuration-settings.md#skus). If you want to deploy using the Basic SKU, change the -Sku value to "Basic".

+ ```azurepowershell-interactive

+ New-AzBastion -ResourceGroupName "TestRG1" -Name "VNet1-bastion" `

+ -PublicIpAddressRgName "TestRG1" -PublicIpAddressName "VNet1-ip" `

+ -VirtualNetworkRgName "TestRG1" -VirtualNetworkName "VNet1" `

+ -Sku "Standard"

+ ```

+1. It takes about 10 minutes for the Bastion resources to deploy. You can create a VM in the next section while Bastion deploys to your virtual network.

+## <a name="create-vm"></a>Create a VM

+You can create a VM using the [Quickstart: Create a VM using PowerShell](../virtual-machines/windows/quick-create-powershell.md) or [Quickstart: Create a VM using the portal](../virtual-machines/windows/quick-create-portal.md) articles. Be sure you deploy the VM to the virtual network to which you deployed Bastion. The VM you create in this section isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion.

+The following required roles for your resources.

+* Required VM roles:

+ * Reader role on the virtual machine.

+ * Reader role on the NIC with private IP of the virtual machine.

+* Required inbound ports:

+ * For Windows VMS - RDP (3389)

+ * For Linux VMs - SSH (22)

+## <a name="connect"></a>Connect to a VM

+You can use the [Connection steps](#steps) in the section below to easily connect to your VM. Some connection types require the Bastion [Standard SKU](configuration-settings.md#skus). You can also use any of the [VM connection articles](#articles) to connect to a VM.

+#### <a name="articles"></a>Connect to VM articles

+### To enable audio output

+Before you can create any QnA Maker knowledge bases, you must first set up a QnA Maker service in Azure. Anyone with authorization to create new resources in a subscription can set up a QnA Maker service. If you are trying the Custom question answering feature, you would need to create the Language resource and add the Custom question answering feature.

+1. You may also want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslation/releases).

+| Inuinnaqtun | `ikt` |Γ£ö|||||

+| Inuktitut (Latin) | `iu-Latn` |Γ£ö|||||

+| Somali | `so` |Γ£ö|||Γ£ö||

+| Upper Sorbian | `hsb` |Γ£ö|||||

+- **High throughput / low latency**: Provide customers the ability to scale for high throughput and low latency requirements by enabling Cognitive Services to run physically close to their application logic and data. Containers don't cap transactions per second (TPS) and can be made to scale both up and out to handle demand if you provide the necessary hardware resources.

+> [!NOTE]

+> See [Install and run Form Recognizer containers](../applied-ai-services/form-recognizer/containers/form-recognizer-container-install-run.md) for **Applied AI Services Form Recognizer** container instructions and image locations.

+> [!NOTE]

+> See [Form Recognizer container image tags and release notes](../../applied-ai-services/form-recognizer/containers/form-recognizer-container-image-tags.md) for **Applied AI Services Form Recognizer** container tag information and updates.

+* Fix container start issue that may occur when customers run it in some RHEL environments.

+* Fix model download nil error issue in some cases when customers download customized models.

+| Language | Language code |

+| Afrikaans | `af` |

+| Amharic | `am` |

+| Arabic | `ar` |

+| Assamese | `as` |

+| Azerbaijani | `az` |

+| Belarusian | `be` |

+| Bulgarian | `bg` |

+| Bengali | `bn` |

+| Breton | `br` |

+| Bosnian | `bs` |

+| Catalan | `ca` |

+| Czech | `cs` |

+| Welsh | `cy` |

+| Danish | `da` |

+| German | `de`

+| Greek | `el` |

+| English (US) | `en-us` |

+| English (Uk) | `en-gb` |

+| Esperanto | `eo` |

+| Spanish | `es` |

+| Estonian | `et` |

+| Basque | `eu` |

+| Persian (Farsi) | `fa` |

+| Finnish | `fi` |

+| French | `fr` |

+| Western Frisian | `fy` |

+| Irish | `ga` |

+| Scottish Gaelic | `gd` |

+| Galician | `gl` |

+| Gujarati | `gu` |

+| Hausa | `ha` |

+| Hebrew | `he` |

+| Hindi | `hi` |

+| Croatian | `hr` |

+| Hungarian | `hu` |

+| Armenian | `hy` |

+| Indonesian | `id` |

+| Italian | `it` |

+| Japanese | `ja` |

+| Javanese | `jv` |

+| Georgian | `ka` |

+| Kazakh | `kk` |

+| Khmer | `km` |

+| Kannada | `kn` |

+| Korean | `ko` |

+| Kurdish (Kurmanji) | `ku` |

+| Kyrgyz | `ky` |

+| Latin | `la` |

+| Lao | `lo` |

+| Lithuanian | `lt` |

+| Latvian | `lv` |

+| Malagasy | `mg` |

+| Macedonian | `mk` |

+| Malayalam | `ml` |

+| Mongolian | `mn` |

+| Marathi | `mr` |

+| Malay | `ms` |

+| Burmese | `my` |

+| Nepali | `ne` |

+| Dutch | `nl` |

+| Norwegian (Bokmal) | `nb` |

+| Oriya | `or` |

+| Punjabi | `pa` |

+| Polish | `pl` |

+| Pashto | `ps` |

+| Portuguese (Brazil) | `pt-br` |

+| Portuguese (Portugal) | `pt-pt` |

+| Romanian | `ro` |

+| Russian | `ru` |

+| Sanskrit | `sa` |

+| Sindhi | `sd` |

+| Sinhala | `si` |

+| Slovak | `sk` |

+| Slovenian | `sl` |

+| Somali | `so` |

+| Albanian | `sq` |

+| Serbian | `sr` |

+| Sundanese | `su` |

+| Swedish | `sv` |

+| Swahili | `sw` |

+| Tamil | `ta` |

+| Telugu | `te` |

+| Thai | `th` |

+| Filipino | `tl` |

+| Turkish | `tr` |

+| Uyghur | `ug` |

+| Ukrainian | `uk` |

+| Urdu | `ur` |

+| Uzbek | `uz` |

+| Vietnamese | `vi` |

+| Xhosa | `xh` |

+| Yiddish | `yi` |

+| Chinese (Simplified) | `zh-hans` |

+| Chinese (Traditional) | `zh-hant` |

+| Zulu | `zu` |

+| Language | Language Code |

+| | |

+| Afrikaans | `af` |

+| Amharic | `am` |

+| Arabic | `ar` |

+| Assamese | `as` |

+| Azerbaijani | `az` |

+| Belarusian | `be` |

+| Bulgarian | `bg` |

+| Bengali | `bn` |

+| Breton | `br` |

+| Bosnian | `bs` |

+| Catalan | `ca` |

+| Czech | `cs` |

+| Welsh | `cy` |

+| Danish | `da` |

+| German | `de`

+| Greek | `el` |

+| English (US) | `en-us` |

+| Esperanto | `eo` |

+| Spanish | `es` |

+| Estonian | `et` |

+| Basque | `eu` |

+| Persian (Farsi) | `fa` |

+| Finnish | `fi` |

+| French | `fr` |

+| Western Frisian | `fy` |

+| Irish | `ga` |

+| Scottish Gaelic | `gd` |

+| Galician | `gl` |

+| Gujarati | `gu` |

+| Hausa | `ha` |

+| Hebrew | `he` |

+| Hindi | `hi` |

+| Croatian | `hr` |

+| Hungarian | `hu` |

+| Armenian | `hy` |

+| Indonesian | `id` |

+| Italian | `it` |

+| Japanese | `ja` |

+| Javanese | `jv` |

+| Georgian | `ka` |

+| Kazakh | `kk` |

+| Khmer | `km` |

+| Kannada | `kn` |

+| Korean | `ko` |

+| Kurdish (Kurmanji) | `ku` |

+| Kyrgyz | `ky` |

+| Latin | `la` |

+| Lao | `lo` |

+| Lithuanian | `lt` |

+| Latvian | `lv` |

+| Malagasy | `mg` |

+| Macedonian | `mk` |

+| Malayalam | `ml` |

+| Mongolian | `mn` |

+| Marathi | `mr` |

+| Malay | `ms` |

+| Burmese | `my` |

+| Nepali | `ne` |

+| Dutch | `nl` |

+| Norwegian (Bokmal) | `nb` |

+| Oriya | `or` |

+| Punjabi | `pa` |

+| Polish | `pl` |

+| Pashto | `ps` |

+| Portuguese (Brazil) | `pt-br` |

+| Portuguese (Portugal) | `pt-pt` |

+| Romanian | `ro` |

+| Russian | `ru` |

+| Sanskrit | `sa` |

+| Sindhi | `sd` |

+| Sinhala | `si` |

+| Slovak | `sk` |

+| Slovenian | `sl` |

+| Somali | `so` |

+| Albanian | `sq` |

+| Serbian | `sr` |

+| Sundanese | `su` |

+| Swedish | `sv` |

+| Swahili | `sw` |

+| Tamil | `ta` |

+| Telugu | `te` |

+| Thai | `th` |

+| Filipino | `tl` |

+| Turkish | `tr` |

+| Uyghur | `ug` |

+| Ukrainian | `uk` |

+| Urdu | `ur` |

+| Uzbek | `uz` |

+| Vietnamese | `vi` |

+| Xhosa | `xh` |

+| Yiddish | `yi` |

+| Chinese (Simplified) | `zh-hans` |

+| Zulu | `zu` |

+| Language | Language code |

+| | |

+| Afrikaans | `af` |

+| Amharic | `am` |

+| Arabic | `ar` |

+| Assamese | `as` |

+| Azerbaijani | `az` |

+| Belarusian | `be` |

+| Bulgarian | `bg` |

+| Bengali | `bn` |

+| Breton | `br` |

+| Bosnian | `bs` |

+| Catalan | `ca` |

+| Czech | `cs` |

+| Welsh | `cy` |

+| Danish | `da` |

+| German | `de`

+| Greek | `el` |

+| English (US) | `en-us` |

+| Esperanto | `eo` |

+| Spanish | `es` |

+| Estonian | `et` |

+| Basque | `eu` |

+| Persian (Farsi) | `fa` |

+| Finnish | `fi` |

+| French | `fr` |

+| Western Frisian | `fy` |

+| Irish | `ga` |

+| Scottish Gaelic | `gd` |

+| Galician | `gl` |

+| Gujarati | `gu` |

+| Hausa | `ha` |

+| Hebrew | `he` |

+| Hindi | `hi` |

+| Croatian | `hr` |

+| Hungarian | `hu` |

+| Armenian | `hy` |

+| Indonesian | `id` |

+| Italian | `it` |

+| Japanese | `ja` |

+| Javanese | `jv` |

+| Georgian | `ka` |

+| Kazakh | `kk` |

+| Khmer | `km` |

+| Kannada | `kn` |

+| Korean | `ko` |

+| Kurdish (Kurmanji) | `ku` |

+| Kyrgyz | `ky` |

+| Latin | `la` |

+| Lao | `lo` |

+| Lithuanian | `lt` |

+| Latvian | `lv` |

+| Malagasy | `mg` |

+| Macedonian | `mk` |

+| Malayalam | `ml` |

+| Mongolian | `mn` |

+| Marathi | `mr` |

+| Malay | `ms` |

+| Burmese | `my` |

+| Nepali | `ne` |

+| Dutch | `nl` |

+| Norwegian (Bokmal) | `nb` |

+| Oriya | `or` |

+| Punjabi | `pa` |

+| Polish | `pl` |

+| Pashto | `ps` |

+| Portuguese (Brazil) | `pt-br` |

+| Portuguese (Portugal) | `pt-pt` |

+| Romanian | `ro` |

+| Russian | `ru` |

+| Sanskrit | `sa` |

+| Sindhi | `sd` |

+| Sinhala | `si` |

+| Slovak | `sk` |

+| Slovenian | `sl` |

+| Somali | `so` |

+| Albanian | `sq` |

+| Serbian | `sr` |

+| Sundanese | `su` |

+| Swedish | `sv` |

+| Swahili | `sw` |

+| Tamil | `ta` |

+| Telugu | `te` |

+| Thai | `th` |

+| Filipino | `tl` |

+| Turkish | `tr` |

+| Uyghur | `ug` |

+| Ukrainian | `uk` |

+| Urdu | `ur` |

+| Uzbek | `uz` |

+| Vietnamese | `vi` |

+| Xhosa | `xh` |

+| Yiddish | `yi` |

+| Chinese (Simplified) | `zh-hans` |

+| Zulu | `zu` |

+## March 2022

+* Expanded language support for:

+ * [Custom text classification](custom-classification/language-support.md)

+ * [Custom Named Entity Recognition (NER)](custom-named-entity-recognition/language-support.md)

+ * [Conversational language understanding](conversational-language-understanding/language-support.md)

+* Model improvements for latest model-version for [text summarization](text-summarization/overview.md)

+* Consumption logic app: You can connect to an MQ server only by using the *managed* MQ connector. This connector provides only actions, no triggers.

+* Standard logic app: You can connect to an MQ server by using either the managed MQ connector, which includes *only* actions, or the *built-in* MQ operations, which include triggers *and* actions.

+* The MQ connector doesn't support segmented messages.

+* The MQ connector doesn't use the message's **Format** field and doesn't make any character set conversions. The connector only puts whatever data appears in the message field into a JSON message and sends the message along.

+| Maximum storage per container | 50 GB * |

+> [!NOTE]

+> * Maximum storage limit is 30GB for Cassandra API.

+The supported payment methods for Microsoft Azure are credit cards, debit cards, and check wire transfer. To get approved to pay by check wire transfer, see [Pay for your Azure subscription by check or wire transfer](pay-by-invoice.md).

+If you'd like to change your billing profile's default payment method to check wire transfer, see [Pay for Azure subscriptions by invoice](pay-by-invoice.md).

+If your payment isn't received or if we can't process your payment, you'll get an email and see an alert in the Azure portal telling you that your subscription is past due. The email contains a link that takes you to the Settle balance page.

+If your default payment method is credit card, the [Account Administrator](add-change-subscription-administrator.md#whoisaa) can settle the outstanding charges in the Azure portal. If you pay by invoice (check wire transfer), send your payment to the location listed at the bottom of your invoice.

+1. In the **Subscription overview** page, select the red past due banner to settle the balance.

+1. In the new **Settle balance** page, select **Select payment method**.

+1. In the new area on the right, select a credit card from the drop-down or add a new one by selecting the blue **Add new payment method** link. This credit card will become the active payment method for all subscriptions currently using the failed payment method.

+1. Select **Pay**.

+## Settle balance might be Pay now

+Users in the following countries/locales don't see the **Settle balance** option. Instead, they use the [Pay now](../understand/pay-bill.md#pay-now-in-the-azure-portal) option to pay their bill.

+- AT - Austria

+- AU - Australia

+- BE - Belgium

+- BG - Bulgaria

+- CA - Canada

+- CH - Switzerland

+- CZ - Czech Republic

+- DE - Germany

+- DK - Denmark

+- EE - Estonia

+- ES - Spain

+- FI - Finland

+- FR - France

+- GB - United Kingdom

+- GR - Greece

+- HR - Croatia

+- HU - Hungary

+- IE - Ireland

+- IT - Italy

+- JP - Japan

+- KR - South Korea

+- LT - Lithuania

+- LV - Latvia

+- NL - Netherlands

+- NO - Norway

+- NZ - New Zealand

+- PL - Poland

+- PT - Portugal

+- RO - Romania

+- SE - Sweden

+- SK - Slovakia

+- TW - Taiwan

+If your credit card charge is declined by your financial institution, contact your financial institution to resolve the issue. Check with your bank to make sure:

+## Pay now might be unavailable

+If you have an Microsoft Online Services Program account (pay-as-you-go account), the **Pay now** option might be unavailable. Instead, you might see a **Settle balance** banner. If so, see [Resolve past due balance](../manage/resolve-past-due-balance.md#resolve-past-due-balance-in-the-azure-portal).

+# Introduction to Azure Data Factory V1

+1. Under **Monitoring**, select **Alerts**.

+1. Select the **+ New Alert Rule** button or select **+ Create** on the navigation bar, then select **Alert rule**.

+1. Close the **Select a Signal** page.

+1. On the **Create an alert rule** page, you'll see the follow tabs:

+ - Scope

+ - Condition

+ - Actions

+ - Details

+ - Tags

+ - Review + create

+

+ For each step use the values described below:

+ | Setting | Value |

+ |--|--|

+ | Scope | 1) Select **+ Select Scope**. <br/> 2) From the *Filter by subscription* dropdown list, select the **Subscription** that contains the public IP address you want to log. <br/> 3) From the *Filter by resource type* dropdown list, select **Public IP Address**, then select the specific public IP address you want to log metrics for. <br/> 4) Select **Done**. |

+ | Condition | 1) Select the **+ Add Condition** button <br/> 2) In the *Search by signal name* search box, select **Under DDoS attack or not**. <br/> 3) Leave *Chart period* and *Alert Logic* as default. <br/> 4) From the *Operator* drop-down, select **Greater than or equal to**. <br/> 5) From the *Aggregation type* drop-down, select **Maximum**. <br/> 6) In the *Threshold value* box, enter **1**. For the *Under DDoS attack or not metric*, **0** means you're not under attack while **1** means you are under attack. <br/> 7) Select **Done**. |

+ | Actions | 1) Select the **+ Create action group** button. <br/> 2) On the **Basics** tab, select your subscription, a resource group and provide the *Action group name* and *Display name*. <br/> 3) On the *Notifications* tab, under *Notification type*, select **Email/SMS message/Push/Voice**. <br/> 4) Under *Name*, enter **MyUnderAttackEmailAlert**. <br/> 5) On the *Email/SMS message/Push/Voice* page enter the **Email** and as many of the available options you require, and then select **OK**. <br/> 6) Select **Review + create** and then select **Create**. |

+ | Details | 1) Under *Alert rule name*, enter *MyDdosAlert*. <br/> 2) Select **Review + create** and then select **Create**. |

+1. Run the workflow that will push the image to the selected container registry. Once the image is pushed into the registry, a scan of the registry runs and you can view the CI/CD scan results along with the registry scan results within Microsoft Defender for Cloud. Running the above YAML file will install an instance of Aqua Security's [Trivy](https://github.com/aquasecurity/trivy) in your build system. Trivy is licensed under the Apache 2.0 License and has dependencies on data feeds, many of which contain their own terms of use.

+| azuredefender-collector-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment. | SYS_ADMIN, <br>SYS_RESOURCE, <br>SYS_PTRACE | memory: 64Mi<br> <br> cpu: 60m | No |

+| azuredefender-publisher-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | Publish the collected data to Microsoft Defender for Containers' backend service where the data will be processed for and analyzed. | N/A | memory: 200Mi  <br> <br> cpu: 60m | Https 443 <br> <br> Learn more about the [outbound access prerequisites](../aks/limit-egress-traffic.md#microsoft-defender-for-containers) |

+Defender for Cloud provides real-time threat protection for your Azure Kubernetes Service (AKS) containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

+Threat protection at the cluster level is provided by the analysis of the Kubernetes audit logs.

+> Microsoft Defender for Kubernetes has been replaced with [**Microsoft Defender for Containers**](defender-for-servers-introduction.md). If you've already enabled Defender for Kubernetes on a subscription, you can continue to use it. However, you won't get Defender for Containers' improvements and new features.

+|Release state:|General availability (GA)|

+|Pricing:|**Microsoft Defender for Kubernetes** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).|

+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)|

+For a full list of the cluster level alerts, see alerts with "K8S.NODE_" prefix in the alert type in the [reference table of alerts](alerts-reference.md#alerts-k8scluster).

+- [What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?](#what-happens-to-subscriptions-with-microsoft-defender-for-kubernetes-or-microsoft-defender-for-containers-enabled)

+- [Is Defender for Containers a mandatory upgrade?](#is-defender-for-containers-a-mandatory-upgrade)

+- [Does the new plan reflect a price increase?](#does-the-new-plan-reflect-a-price-increase)

+### What happens to subscriptions with Microsoft Defender for Kubernetes or Microsoft Defender for Containers enabled?

+Subscriptions that already have one of these plans enabled can continue to benefit from it.

+If you haven't enabled them yet, or create a new subscription, these plans can no longer be enabled.

+### Is Defender for Containers a mandatory upgrade?

+No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for Containers Registries enabled doesn't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities and theyΓÇÖll have an upgrade icon shown alongside them in the Azure portal.

+### Does the new plan reflect a price increase?

+No. ThereΓÇÖs no direct price increase. The new comprehensive Container security plan combines Kubernetes protection and container registry image scanning, and removes the previous dependency on the (paid) Defender for Servers plan.

+| VA | Registry scan | - | - | - | - | - |

+| VA | View vulnerabilities for running images | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Discovery and Auto provisioning | Auto provisioning of Defender extension | - | - | - | - | - |

+| Discovery and Auto provisioning | Auto provisioning of Azure policy extension | - | - | - | - | - |

+| VA | Registry scan | - | - | - | - | - |

+| VA | View vulnerabilities for running images | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Hardening | Control plane recommendations | - | - | - | - | - |

+| Runtime Threat Detection | Agentless threat detection | Arc enabled K8s clusters | Preview | X | Defender extension | Defender for Containers |

+| Discovery and Auto provisioning | Discovery of uncovered/unprotected clusters | Arc enabled K8s clusters | Preview | X | Agentless | Free |

+| [AWS and GCP recommendations to GA](#aws-and-gcp-recommendations-to-ga) | March 2022 |

+### AWS and GCP recommendations to GA

+There are currently AWS and GCP recommendations in the preview stage. These recommendations come from the AWS Foundational Security Best Practices and GCP default standards which are assigned by default. All of the recommendations will become Generally Available (GA) in March 2022.

+#### AWS recommendations

+#### GCP recommendations

+**To find these recommendations**:

+1. Navigate to **Environment settings** > **`GCP connector`** > **Standards (preview)**.

+1. Right click on **GCP Default (preview)**, and select **view assessments**.

+Custom recommendations are those created by a user, and have no impact on the secure score. Therefore, the custom recommendations are being relocated from the Secure score recommendations tab to the All recommendations tab.

+

+ **Please note that the connection string includes a key that enables direct access to the module itself, therefore includes sensitive information that should only be used and readable by root users.**

+As models cannot be overwritten, this command will now return a service error indicating that some of the model IDs you are trying to create already exist.

+

+> [!IMPORTANT]

+> If you aren't a member of [owner](../role-based-access-control/built-in-roles.md#owner) or [contributor](../role-based-access-control/built-in-roles.md#contributor) roles at the Azure subscription level, you must be a member of the [Stream Analytics Query Tester](../role-based-access-control/built-in-roles.md#stream-analytics-query-tester) role at the Azure subscription level to successfully complete steps in this section. This role allows you to perform testing queries without creating a stream analytics job first. For instructions on assigning a role to a user, see [Assign AD roles to users](../active-directory/roles/manage-roles-portal.md).

+ Title: 'Verify Azure ExpressRoute connectivity - troubleshooting guide'

+description: This article provides instructions on troubleshooting and validating end-to-end connectivity of an ExpressRoute circuit.

+# Verify ExpressRoute connectivity

+This article helps you verify and troubleshoot Azure ExpressRoute connectivity. ExpressRoute extends an on-premises network into the Microsoft Cloud over a private connection that's commonly facilitated by a connectivity provider. ExpressRoute connectivity traditionally involves three distinct network zones:

+- Customer network

+- Provider network

+- Microsoft datacenter

+> [!NOTE]

+> In the ExpressRoute direct connectivity model (offered at a bandwidth of 10/100 Gbps), customers can directly connect to the port for Microsoft Enterprise Edge (MSEE) routers. The direct connectivity model includes only customer and Microsoft network zones.

+This article helps you identify if and where a connectivity issue exists. You can then seek support from the appropriate team to resolve the issue.

+> This article is intended to help you diagnose and fix simple issues. It's not intended to be a replacement for Microsoft support. If you can't solve a problem by using the guidance in this article, open a support ticket with [Microsoft Support][Support].

+The following diagram shows the logical connectivity of a customer network to the Microsoft network through ExpressRoute.

+In the preceding diagram, the numbers indicate key network points:

+1. Customer compute device (for example, a server or PC).

+2. Customer edge routers (CEs).

+3. Provider edge routers/switches (PEs) that face customer edge routers.

+4. PEs that face Microsoft Enterprise Edge ExpressRoute routers (MSEEs). This article calls them *PE-MSEEs*.

+5. MSEEs.

+6. Virtual network gateway.

+7. Compute device on the Azure virtual network.

+At times, this article references these network points by their associated number.

+Depending on the ExpressRoute connectivity model, network points 3 and 4 might be switches (layer 2 devices) or routers (layer 3 devices). The ExpressRoute connectivity models are cloud exchange co-location, point-to-point Ethernet connection, or any-to-any (IPVPN).

+In the direct connectivity model, there are no network points 3 and 4. Instead, CEs (2) are directly connected to MSEEs via dark fiber.

+If the cloud exchange co-location, point-to-point Ethernet, or direct connectivity model is used, CEs (2) establish Border Gateway Protocol (BGP) peering with MSEEs (5).

+If the any-to-any (IPVPN) connectivity model is used, PE-MSEEs (4) establish BGP peering with MSEEs (5). PE-MSEEs propagate the routes received from Microsoft back to the customer network via the IPVPN service provider network.

+> [!NOTE]

+> For high availability, Microsoft establishes a fully redundant parallel connectivity between MSEE and PE-MSEE pairs. A fully redundant parallel network path is also encouraged between the customer network and PE/CE pairs. For more information about high availability, see the article [Designing for high availability with ExpressRoute][HA].

+The following sections represent the logical steps in troubleshooting an ExpressRoute circuit.

+Provisioning an ExpressRoute circuit establishes a redundant layer 2 connection between CEs/PE-MSEEs (2/4) and MSEEs (5). For more information on how to create, modify, provision, and verify an ExpressRoute circuit, see the article [Create and modify an ExpressRoute circuit][CreateCircuit].

+>A service key uniquely identifies an ExpressRoute circuit. If you need assistance from Microsoft or from an ExpressRoute partner to troubleshoot an ExpressRoute issue, provide the service key to readily identify the circuit.

+In the Azure portal, open the page for the ExpressRoute circuit. The ![3][3] section of the page lists the ExpressRoute essentials, as shown in the following screenshot:

+In the ExpressRoute essentials, **Circuit status** indicates the status of the circuit on the Microsoft side. **Provider status** indicates if the circuit has been provisioned or not provisioned on the service-provider side.

+For an ExpressRoute circuit to be operational, **Circuit status** must be **Enabled**, and **Provider status** must be **Provisioned**.

+> After you configure an ExpressRoute circuit, if **Circuit status** is stuck in a **Not enabled** status, contact [Microsoft Support][Support]. If **Provider status** is stuck in a **Not provisioned** status, contact your service provider.

+To list all the ExpressRoute circuits in a resource group, use the following command:

+>If you're looking for the name of a resource group, you can get it by using the `Get-AzResourceGroup` command to list all the resource groups in your subscription.

+To select a particular ExpressRoute circuit in a resource group, use the following command:

+Here's an example response:

+To confirm that an ExpressRoute circuit is operational, pay particular attention to the following fields:

+> After you configure an ExpressRoute circuit, if **Circuit status** is stuck in a **Not enabled** status, contact [Microsoft Support][Support]. If **Provider status** is stuck in **Not provisioned** status, contact your service provider.

+## Validate peering configuration

+After the service provider has completed provisioning the ExpressRoute circuit, multiple routing configurations based on external BGP (eBGP) can be created over the ExpressRoute circuit between CEs/MSEE-PEs (2/4) and MSEEs (5). Each ExpressRoute circuit can have one or both of the following:

+- Azure private peering: traffic to private virtual networks in Azure

+- Microsoft peering: traffic to public endpoints of platform as a service (PaaS) and software as a service (SaaS)

+For more information on how to create and modify routing configuration, see the article [Create and modify routing for an ExpressRoute circuit][CreatePeering].

+> In an IPVPN connectivity model, service providers handle the responsibility of configuring the peerings (layer 3 services). In such a model, after the service provider has configured a peering and if the peering is blank in the portal, try refreshing the circuit configuration by using the refresh button on the portal. This operation will pull the current routing configuration from your circuit.

+In the Azure portal, you can check the status of an ExpressRoute circuit on the page for that circuit. The ![3][3] section of the page lists the ExpressRoute peerings, as shown in the following screenshot:

+In the preceding example, Azure private peering is provisioned, but Azure public and Microsoft peerings aren't provisioned. A successfully provisioned peering context would also have the primary and secondary point-to-point subnets listed. The /30 subnets are used for the interface IP address of the MSEEs and CEs/PE-MSEEs. For the peerings that are provisioned, the listing also indicates who last modified the configuration.

+> If enabling a peering fails, check if the assigned primary and secondary subnets match the configuration on the linked CE/PE-MSEE. Also check if the correct `VlanId`, `AzureASN`, and `PeerASN` values are used on MSEEs, and if these values map to the ones used on the linked CE/PE-MSEE.

+> If MD5 hashing is chosen, the shared key should be the same on MSEE and CE/PE-MSEE pairs. Previously configured shared keys would not be displayed for security reasons.

+> If you need to change any of these configurations on an MSEE router, see [Create and modify routing for an ExpressRoute circuit][CreatePeering].

+> [!NOTE]

+> On a /30 subnet assigned for interface, Microsoft will choose the second usable IP address of the subnet for the MSEE interface. So, ensure that the first usable IP address of the subnet has been assigned on the peered CE/PE-MSEE.

+To get the configuration details for Azure private peering, use the following commands:

+Here's an example response for a successfully configured private peering:

+A successfully enabled peering context would have the primary and secondary address prefixes listed. The /30 subnets are used for the interface IP address of the MSEEs and CEs/PE-MSEEs.

+To get the configuration details for Azure public peering, use the following commands:

+To get the configuration details for Microsoft peering, use the following commands:

+If a peering isn't configured, you'll get an error message. Here's an example response when the stated peering (Azure public peering in this case) isn't configured within the circuit:

+> If enabling a peering fails, check if the assigned primary and secondary subnets match the configuration on the linked CE/PE-MSEE. Also check if the correct `VlanId`, `AzureASN`, and `PeerASN` values are used on MSEEs, and if these values map to the ones used on the linked CE/PE-MSEE.

+>

+> If MD5 hashing is chosen, the shared key should be the same on MSEE and CE/PE-MSEE pairs. Previously configured shared keys would not be displayed for security reasons.

+> If you need to change any of these configurations on an MSEE router, see [Create and modify routing for an ExpressRoute circuit][CreatePeering].

+> On a /30 subnet assigned for interface, Microsoft will pick the second usable IP address of the subnet for the MSEE interface. So, ensure that the first usable IP address of the subnet has been assigned on the peered CE/PE-MSEE.

+The Address Resolution Protocol (ARP) table provides a mapping of the IP address and MAC address for a particular peering. The ARP table for an ExpressRoute circuit peering provides the following information for each interface (primary and secondary):

+* Mapping of the IP address for the on-premises router interface to the MAC address

+* Mapping of the IP address for the ExpressRoute router interface to the MAC address

+* Age of the mapping

+ARP tables can help validate layer 2 configuration and troubleshoot basic layer 2 connectivity issues.

+To learn how to view the ARP table of an ExpressRoute peering and how to use the information to troubleshoot layer 2 connectivity issues, see [Getting ARP tables in the Resource Manager deployment model][ARP].

+To get the routing table from MSEE on the primary path for the private routing context, use the following command:

+Here's an example response:

+> If the state of a eBGP peering between an MSEE and a CE/PE-MSEE is **Active** or **Idle**, check if the assigned primary and secondary peer subnets match the configuration on the linked CE/PE-MSEE. Also check if the correct `VlanId`, `AzureASN`, and `PeerASN` values are used on MSEEs, and if these values map to the ones used on the linked CE/PE-MSEE. If MD5 hashing is chosen, the shared key should be the same on MSEE and CE/PE-MSEE pairs. If you need to change any of these configurations on an MSEE router, see [Create and modify routing for an ExpressRoute circuit][CreatePeering].

+> If certain destinations are not reachable over a peering, check the route table of the MSEEs for the corresponding peering context. If a matching prefix (could be NATed IP) is present in the routing table, then check if any firewalls, network security groups, or access control lists (ACLs) on the path are blocking the traffic.

+To get the combined primary and secondary path traffic statistics (bytes in and out) of a peering context, use the following command:

+Here's an example output of the command:

+Here's an example output of the command for a nonexistent peering:

+Test your private peering connectivity by counting packets arriving at and leaving the Microsoft edge of your ExpressRoute circuit on the MSEE devices. This diagnostic tool works by applying an ACL to the MSEE to count the number of packets that hit specific ACL rules. Using this tool will allow you to confirm connectivity by answering questions such as:

+* Are they getting back to on-premises?

+### Run a test

+1. To access the diagnostic tool, select **Diagnose and solve problems** from your ExpressRoute circuit in the Azure portal.

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/diagnose-problems.png" alt-text="Screenshot of the button for diagnosing and solving problems from the ExpressRoute circuit.":::

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/connectivity-issues.png" alt-text="Screenshot of the option for connectivity issues.":::

+1. In the **Tell us more about the problem you are experiencing** dropdown list, select **Connectivity to Azure Private, Azure Public or Dynamics 365 Services**.

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/tell-us-more.png" alt-text="Screenshot of the dropdown option for the problem that the user is experiencing.":::

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/test-private-peering.png" alt-text="Screenshot of the options for troubleshooting connectivity issues, with the option for private peering highlighted.":::

+1. Run the [PsPing](/sysinternals/downloads/psping) test from your on-premises IP address to your Azure IP address, and keep it running during the connectivity test.

+1. Fill out the fields of the form. Be sure to enter the same on-premises and Azure IP addresses that you used in step 5. Then select **Submit** and wait for your results to load.

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/form.png" alt-text="Screenshot of the form for debugging an A C L.":::

+### Interpret results

+When your results are ready, you'll have two sets of them for the primary and secondary MSEE devices. Review the number of matches in and out, and use the following scenarios to interpret the results:

+* **You see packet matches sent and received on both MSEEs**: This result indicates healthy traffic inbound to and outbound from the MSEEs on your circuit. If loss is occurring either on-premises or in Azure, it's happening downstream from the MSEEs.

+* **If you're testing PsPing from on-premises to Azure, received results show matches, but sent results show no matches**: This result indicates that traffic is coming in to Azure but isn't returning to on-premises. Check for return-path routing issues. For example, are you advertising the appropriate prefixes to Azure? Is a user-defined route (UDR) overriding prefixes?

+* **If you're testing PsPing from Azure to on-premises, sent results show no matches, but received results show matches**: This result indicates that traffic is coming in to on-premises but isn't returning to Azure. Work with your provider to find out why traffic isn't being routed to Azure via your ExpressRoute circuit.

+* **One MSEE shows no matches, but the other shows good matches**: This result indicates that one MSEE isn't receiving or passing any traffic. It might be offline (for example, BGP/ARP is down).

+Your test results for each MSEE device will look like the following example:

+* IP port: 3389

+* On-premises IP address CIDR: 10.0.0.0

+* Azure IP address CIDR: 20.0.0.0

+## Verify availability of the virtual network gateway

+The ExpressRoute virtual network gateway facilitates the management and control plane connectivity to private link services and private IPs deployed to an Azure virtual network. The virtual network gateway infrastructure is managed by Microsoft and sometimes undergoes maintenance.

+During a maintenance period, performance of the virtual network gateway might be reduced. To troubleshoot connectivity issues to the virtual network and reactively detect if recent maintenance events reduced capacity for the virtual network gateway:

+1. Select **Diagnose and solve problems** from your ExpressRoute circuit in the Azure portal.

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/diagnose-problems.png" alt-text="Screenshot of the button for diagnosing and solving problem from an ExpressRoute circuit.":::

+ :::image type="content" source="./media/expressroute-troubleshooting-expressroute-overview/performance-issues.png" alt-text="Screenshot of selecting the option for performance issues.":::

+1. Wait for the diagnostics to run and interpret the results.

+ If maintenance on your virtual network gateway occurred during a period when you experienced packet loss or latency, it's possible that the reduced capacity of the gateway contributed to connectivity issues you're experiencing with the target virtual network. Follow the recommended steps. To support a higher network throughput and avoid connectivity issues during future maintenance events, consider upgrading the [virtual network gateway SKU](expressroute-about-virtual-network-gateways.md#gwsku).

+## Next steps

+[1]: ./media/expressroute-troubleshooting-expressroute-overview/expressroute-logical-diagram.png "Diagram that shows logical ExpressRoute connectivity and connections between a customer network, a provider network, and a Microsoft datacenter."

+[4]: ./media/expressroute-troubleshooting-expressroute-overview/portal-circuit-status.png "Screenshot that shows an example of ExpressRoute essentials listed in the Azure portal."

+[5]: ./media/expressroute-troubleshooting-expressroute-overview/portal-private-peering.png "Screenshot that shows an example ExpressRoute peerings listed in the Azure portal."

+## Azure Virtual Desktop support

+Azure Virtual Desktop is a comprehensive desktop and app virtualization service running in Azure. ItΓÇÖs the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10/11, optimizations for Microsoft 365 apps for enterprise, and support for Remote Desktop Services (RDS) environments. You can deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Azure Virtual Desktop doesn't require you to open any inbound access to your virtual network. However, you must allow a set of outbound network connections for the Windows Virtual Desktop virtual machines that run in your virtual network. For more information, see [Use Azure Firewall to protect Window Virtual Desktop deployments](protect-azure-virtual-desktop.md).

+Learn more about [Azure Virtual Desktop](../virtual-desktop/index.yml).

+## Release date: 03/10/2022

+The OS versions for this release are:

+- HDInsight 4.0: Ubuntu 18.04.5

+## Spark 3.1 is now generally available

+Spark 3.1 is now Generally Available on HDInsight 4.0 release. This release includes

+* Adaptive Query Execution,

+* Convert Sort Merge Join to Broadcast Hash Join,

+* Spark Catalyst Optimizer,

+* Dynamic Partition Pruning,

+* Customers will be able to create new Spark 3.1 clusters and not Spark 3.0 (preview) clusters.

+For more details, see the [Apache Spark 3.1](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/spark-3-1-is-now-generally-available-on-hdinsight/ba-p/3253679) is now Generally Available on HDInsight - Microsoft Tech Community.

+For a complete list of improvements, see the [Apache Spark 3.1 release notes.](https://spark.apache.org/releases/spark-release-3-1-2.html)

+For more details on migration, see the [migration guide.](https://spark.apache.org/docs/latest/migration-guide.html)

+## Kafka 2.4 is now generally available

+Kafka 2.4.1 is now Generally Available. For more information, please see [Kafka 2.4.1 Release Notes.](http://kafka.apache.org/24/documentation.html)

+Other features include MirrorMaker 2 availability, new metric category AtMinIsr topic partition, Improved broker start-up time by lazy on demand mmap of index files, More consumer metrics to observe user poll behavior.

+## Map Datatype in HWC is now supported in HDInsight 4.0

+This release includes Map Datatype Support for HWC 1.0 (Spark 2.4) Via the spark-shell application, and all other all spark clients that HWC supports. Following improvements are included like any other data types:

+A user can

+* Create a Hive table with any column(s) containing Map datatype, insert data into it and read the results from it.

+* Create an Apache Spark dataframe with Map Type and do batch/stream reads and writes.

+### New regions

+HDInsight has now expanded its geographical presence to two new regions: China East 3 and China North 3.

+### OSS backport changes

+OSS backports that are included in Hive including HWC 1.0 (Spark 2.4) which supports Map data type.

+### Here are the OSS backported Apache JIRAs for this release:

+| Impacted Feature | Apache JIRA |

+||--|

+| Metastore direct sql queries with IN/(NOT IN) should be split based on max parameters allowed by SQL DB | [HIVE-25659](https://issues.apache.org/jira/browse/HIVE-25659) |

+| Upgrade log4j 2.16.0 to 2.17.0 | [HIVE-25825](https://issues.apache.org/jira/browse/HIVE-25825) |

+| Update Flatbuffer version | [HIVE-22827](https://issues.apache.org/jira/browse/HIVE-22827) |

+| Support Map data-type natively in Arrow format | [HIVE-25553](https://issues.apache.org/jira/browse/HIVE-25553) |

+| LLAP external client - Handle nested values when the parent struct is null | [HIVE-25243](https://issues.apache.org/jira/browse/HIVE-25243) |

+| Upgrade arrow version to 0.11.0 | [HIVE-23987](https://issues.apache.org/jira/browse/HIVE-23987) |

+## Deprecation notices

+### Azure Virtual Machine Scale Sets on HDInsight

+HDInsight will no longer use Azure Virtual Machine Scale Sets to provision the clusters, no breaking change is expected. Existing HDInsight clusters on virtual machine scale sets will have no impact, any new clusters on latest images will no longer use Virtual Machine Scale Sets.

+### Scaling of Azure HDInsight HBase workloads will now be supported only using manual scale

+Starting from March 01, 2022, HDInsight will only support manual scale for HBase, there's no impact on running clusters. New HBase clusters won't be able to enable schedule based Autoscaling. For more information on how to  manually scale your HBase cluster, refer our documentation on [Manually scaling Azure HDInsight clusters](https://docs.microsoft.com/azure/hdinsight/hdinsight-scaling-best-practices)

+## HDInsight 3.6 end of support extension

+HDInsight 3.6 end of support is extended until September 30, 2022.

+Starting from September 30, 2022, customers can't create new HDInsight 3.6 clusters. Existing clusters will run as is without the support from Microsoft. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+Customers who are on Azure HDInsight 3.6 clusters will continue to get [Basic support](https://docs.microsoft.com/azure/hdinsight/hdinsight-component-versioning#support-options-for-hdinsight-versions) until September 30, 2022. After September 30, 2022 customers won't be able to create new HDInsight 3.6 clusters.

+If you need more help, you can contact the Azure experts on the [Microsoft Q&A and Stack Overflow forums](https://azure.microsoft.com/support/community/). Alternatively, you can file an [Azure support ticket](https://portal.azure.com/#create/Microsoft.Support).

+|interfaceId|string|device to cloud|This property is used by the service to identify the interface version being used by the Device Update agent. It is required by Device Update service to manage and communicate with the agent. This property is set at 'dtmi:azure:iot:deviceUpdateModel;1' for device using DU agent version 0.8.0.|

+Device Update for IoT Hub requires the IoT Plug and Play smart device to announce a model ID with a value of **"dtmi:azure:iot:deviceUpdateModel;1"** as part of the device connection. [Learn how to announce a model ID](../iot-develop/concepts-developer-guide-device.md#model-id-announcement).

+az iot hub connection-string show --policy-name service --hub-name {YourIoTHubName} --output table

+az iot hub connection-string show --hub-name $hubname --policy-name service -o table

+ Title: "Tutorial: Create a multiple virtual machines inbound NAT rule - Azure portal"

+# Tutorial: Create a multiple virtual machines inbound NAT rule using the Azure portal

+> * Create a multiple VMs inbound NAT rule

+## Create a load balancer

+## Create a multiple VMs inbound NAT rule

+## Create a NAT gateway

+> [!NOTE]

+> The Apache JMeter dashboard generation is temporarily disabled. You can download the CSV files with the test results.

+This tutorial describes how to automate performance regression testing by using Azure Load Testing Preview and Azure Pipelines. You'll configure an Azure Pipelines CI/CD workflow with the [Azure Load Testing task](/azure/devops/pipelines/tasks/test/azure-load-testing) to run a load test for a sample web application. You'll then use the test results to identify performance regressions.

+The sample application repository already contains a pipelines definition file. This pipeline first deploys the sample web application to Azure App Service, and then invokes the load test by using the [Azure Load Testing task](/azure/devops/pipelines/tasks/test/azure-load-testing). The pipeline uses an environment variable to pass the URL of the web application to the Apache JMeter script.

+ The repository contains an *azure-pipeline.yml* pipeline definition file. The following snippet shows how to use the [Azure Load Testing task](/azure/devops/pipelines/tasks/test/azure-load-testing) in Azure Pipelines:

+* Learn more about the [Azure Load Testing task](/azure/devops/pipelines/tasks/test/azure-load-testing).

+If your environment has strict network requirements and uses a firewall that limits traffic to specific IP addresses, your environment or firewall needs to permit incoming communication received by Azure Logic Apps and outgoing communication sent by Azure Logic Apps. To set up this access, you can create [Azure Firewall rules](../firewall/rule-processing.md) for your firewall to allow access for *both* [inbound](#inbound) and [outbound](#outbound) IP addresses used by Azure Logic Apps in your logic app's Azure region. *All* logic apps in the same region use the same IP address ranges.

+For Azure Logic Apps to receive incoming communication through your firewall, you have to allow traffic through the inbound IP addresses described in this section for your logic app's Azure region. If you're using Azure Government, see [Azure Government - Inbound IP addresses](#azure-government-inbound).

+

+For Azure Logic Apps to send outgoing communication through your firewall, you have to allow traffic through *all* the outbound IP addresses described in this section for your logic app's Azure region. If you're using Azure Government, see [Azure Government - Outbound IP addresses](#azure-government-outbound). If your workflow also uses any [managed connectors](../connectors/managed.md), such as the Office 365 Outlook connector or SQL connector, or uses any [custom connectors](/connectors/custom-connectors/), your firewall has to allow traffic through *all* the [managed connector outbound IP addresses](/connectors/common/outbound-ip-addresses) in your logic app's Azure region. If your workflow uses custom connectors that access on-premises resources through the [on-premises data gateway resource in Azure](logic-apps-gateway-connection.md), you need to set up the gateway installation to allow access for the corresponding [*managed connector* outbound IP addresses](/connectors/common/outbound-ip-addresses). For more information about setting up communication settings on the gateway, review these topics:

+- Managed API webhook triggers (*push* triggers) and actions won't work because they run in the public cloud and can't call into your private network. They require a public endpoint to receive calls. For example, such triggers include the Dataverse trigger and the Event Grid trigger.

+- If you use the Office 365 Outlook trigger, the workflow is triggered only hourly.

+The [OpenCensus](https://opencensus.io/quickstart/python/) Python library can be used to route logs to Application Insights from your scripts. Aggregating logs from pipeline runs in one place allows you to build queries and diagnose issues. Using Application Insights will allow you to track logs over time and compare pipeline logs across runs.

+Next, add the AzureLogHandler to the Python logger.

+ `azureml-interpret` uses the interpretability techniques developed in [Interpret-Community](https://github.com/interpretml/interpret-community/), an open source Python package for training interpretable models and helping to explain blackbox AI systems. [Interpret-Community](https://github.com/interpretml/interpret-community/) serves as the host for this SDK's supported explainers, and currently supports the following interpretability techniques:

+* [Dynamic installation](#dynamic): This approach uses a [requirements](https://pip.pypa.io/en/stable/cli/pip_install/#requirements-file-format) file to automatically restore Python packages when the Docker container boots.

+* [Pre-installed Python packages](#preinstalled): You provide a directory containing preinstalled Python packages. During deployment, this directory is mounted into the container for your entry script (`score.py`) to use.

+This approach uses a [requirements](https://pip.pypa.io/en/stable/cli/pip_install/#requirements-file-format) file to automatically restore Python packages when the image starts up.

+## Pre-installed Python packages

+To extend your prebuilt docker container image through pre-installed Python packages, follow these steps:

+* We encourage you to use our Python package extensibility solutions. If other dependencies are required (such as `apt` packages), create your own [Dockerfile extending from the inference image](how-to-extend-prebuilt-docker-image-inference.md#buildmodel).

+ | Solution | Create a `requirements.txt` that installs the specified packages when the container starts. | Create a local Python environment with all of the dependencies. Mount this directory into container at runtime. |

+* For structured data, see [Consume datasets in machine learning training scripts](#consume-datasets-in-machine-learning-training-scripts).

+* For unstructured data, see [Mount files to remote compute targets](#mount-files-to-remote-compute-targets).

+* [Train with datasets using pipelines](./how-to-create-machine-learning-pipelines.md).

+At the top of your Python file, import the `Schedule` and `ScheduleRecurrence` classes:

+# Initialize Python logger

+## Extra Python packages not installed

+When you complete a data labeling project, you can [export the label data from a labeling project](how-to-create-image-labeling-projects.md#export-the-labels). Doing so, allows you to capture both the reference to the data and its labels, and export them in [COCO format](http://cocodataset.org/#format-data) or as an Azure Machine Learning dataset.

+Use the **Export** button on the **Project details** page of your labeling project.

+

+>In object detection projects, the exported "bbox": [x,y,width,height]" values in COCO file are normalized. They are scaled to 1. Example : a bounding box at (10, 10) location, with 30 pixels width , 60 pixels height, in a 640x480 pixel image will be annotated as (0.015625. 0.02083, 0.046875, 0.125). Since the coordintes are normalized, it will show as '0.0' as "width" and "height" for all images. The actual width and height can be obtained using Python library like OpenCV or Pillow(PIL).

+> [!TIP]

+> Once you have exported your labeled data to an Azure Machine Learning dataset, you can use AutoML to build computer vision models trained on your labeled data. Learn more at [Set up AutoML to train computer vision models with Python (preview)](how-to-auto-train-image-models.md)

+download_path = animal_labels.download(stream_column='image_url')

+img = mpimg.imread(download_path[0])

+| Virtual Network (VNet) support | GA | YES | YES |

+| Virtual Network (VNet) support | GA | YES | N/A |

+**Description**: An environment for deep learning with PyTorch containing the AzureML Python SDK and other Python packages.

+**Description**: An environment for tasks such as regression, clustering, and classification with Scikit-learn. Contains the AzureML Python SDK and other Python packages.

+**Description**: An environment for deep learning with TensorFlow containing the AzureML Python SDK and other Python packages.

+ # py -3 uses the global Python interpreter. You can also use python -m venv .venv.

+OpenCRAVAT is a Python package that performs genomic variant interpretation including variant impact, annotation, and scoring. OpenCRAVAT has a modular architecture with a wide variety of analysis modules and annotation resources that can be selected and installed/run based on the needs of a given study.

+When you use private endpoints, traffic is secured to a private-link resource. The platform validates network connections, allowing only those that reach the specified private-link resource. To access additional sub-resources within the same Azure service, additional private endpoints with corresponding targets are required. In the case of Azure Storage, for instance, you would need separate private endpoints to access the _file_ and _blob_ sub-resources.

+Private endpoints provide a privately accessible IP address for the Azure service, but do not necessarily restrict public network access to it. [Azure App Service](tutorial-private-endpoint-webapp-portal.md) and [Azure Functions](../azure-functions/functions-create-vnet.md) become inaccessible publicly when they are associated with a private endpoint. All other Azure services require additional [access controls](../event-hubs/event-hubs-ip-filtering.md), however. These controls provide an extra network security layer to your resources, providing protection that helps prevent access to the Azure service associated with the private-link resource.

+The DNS settings that you use to connect to a private-link resource are important. Existing Azure services might already have a DNS configuration you can use when you're connecting over a public endpoint. To connect to the same service over private endpoint, separate DNS settings, often configured via private DNS zones, are required. Ensure that your DNS settings are correct when you use the fully qualified domain name (FQDN) for the connection. The settings must resolve to the private IP address of the private endpoint.

+The code in this tutorial creates a purview account and deletes a purview account. You can now download the Python SDK and learn about other resource provider actions you can perform for an Azure Purview account.

+| `<purview_account>.purview.azure.com` | 443 | Required to connect to Azure Purview service. |

+> [!IMPORTANT]

+> Currently, we do not support setting up scans for an Azure Synapse workspace from Azure Purview Studio, if you cannot enable **Allow Azure services and resources to access this workspace** on your Azure Synapse workspaces. In this case:

+> - You can use [Azure Purview Rest API - Scans - Create Or Update](/api/purview/scanningdataplane/scans/create-or-update) to create a new scan for your Synapse workspaces including dedicated and serverless pools.

+> - You must use **SQL Auth** as authentication mechanism.

+### Required permissions for scan

+Azure Purview supports basic authentication (username and password) for scanning Teradata. The Teradata user must have read access to system tables in order to access advanced metadata.

+To retrieve data types of view columns, Azure Purview issues a prepare statement for `select * from <view>` for each of the view queries and parse the metadata that contains the data type details for better performance. It requires the SELECT data permission on views. If the permission is missing, view column data types will be skipped.

+ - **Description**: A Python package to work with Azure Purview and Apache Atlas API. Supports bulk loading, custom lineage, and more from a Pythonic set of classes and Excel templates. The package supports programmatic interaction and an Excel template for low-code uploads.

+The [Azure Search Python samples](https://github.com/Azure-Samples/azure-search-python-samples) repository has a complete sample implemented in Python of a custom skill that enriches images.

+> You can however use PowerShell/APIs and Azure Resource Manager templates to deploy Virtual Machine Scale Sets with the Microsoft Anti-Malware extension. For installing an extension on an already running Virtual Machine, you can use the sample Python script [vmssextn.py](https://github.com/gbowerman/vmsstools). This script gets the existing extension config on the Scale Set and adds an extension to the list of existing extensions on the VM Scale Sets.

+Loss of key encryption keys means loss of data. For this reason, keys should not be deleted. Keys should be backed up whenever created or rotated. [Soft-Delete and purge protection](../../key-vault/general/soft-delete-overview.md) must be enabled on any vault storing key encryption keys to protect against accidental or malicious cryptographic erasure. Instead of deleting a key, it is recommended to set enabled to false on the key encryption key. Use access controls to revoke access to individual users or services in [Azure Key Vault](../../key-vault/general/security-features.md#access-model-overview) or [Managed HSM](../../key-vault/managed-hsm/secure-your-managed-hsm.md).

+1. To get the Google pickle string, run [this Python script](https://aka.ms/sentinel-GWorkspaceReportsAPI-functioncode) (in the same path as credentials.json).

+ - [(Preview) TI map Domain entity to DNS Events (ASIM DNS Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_DomainEntity_DnsEvents.yaml)

+ - [(Preview) TI map IP entity to DNS Events (ASIM DNS Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_IPEntity_DnsEvents.yaml)

+ - [Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDns_ExcessiveNXDOMAINDNSQueries.yaml)

+ - [DNS events related to mining pools (ASIM DNS Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml)

+ - [DNS events related to ToR proxies (ASIM DNS Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml)

+ - [Known CERIUM domains and hashes](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml)

+ - [Known NICKEL domains and hashes](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml)

+ - [NOBELIUM - Domain, Hash, and IP IOCs - May 2021](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml)

+ - [Solorigate Network Beacon](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Solorigate-Network-Beacon.yaml)

+- [DEV-0586 Actor IOC - January 2022](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0586_Jan2022_IOC.yaml)

+- [NOBELIUM IOCs related to FoggyWeb backdoor](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Nobelium_FoggyWeb.yaml)

+- [(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/IPEntity_imNetworkSession.yaml)

+- [Port scan detected (ASIM Network Session schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimNetworkSession/PortScan.yaml)

+- [Known Barium IP addresses](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml)

+- [Exchange Server Vulnerabilities Disclosed March 2021 IoC Match](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml)

+- [Known IRIDIUM IP](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml)

+- [NOBELIUM - Domain, Hash, and IP IOCs - May 2021](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml)

+- [Known STRONTIUM group domains - July 2019](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/STRONTIUMJuly2019IOCs.yaml)

+### Analytic rules

+- [Potential Fodhelper UAC Bypass (ASIM Version)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PotentialFodhelperUACBypass(ASIMVersion).yaml)

+- [(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/DomainEntity_imWebSession.yaml)

+- [(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ThreatIntelligenceIndicator/IPEntity_imWebSession.yaml)

+- [Discord CDN Risky File Download (ASIM Web Session Schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/DiscordCDNRiskyFileDownload_ASim.yaml)

+- [Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml)

+- [Known Barium domains](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumDomainIOC112020.yaml)

+- [Known Barium IP addresses](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/BariumIPIOC112020.yaml)

+- [Known CERIUM domains and hashes](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/CERIUMOct292020IOCs.yaml)

+- [Known IRIDIUM IP](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/IridiumIOCs.yaml)

+- [Known NICKEL domains and hashes](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NICKELIOCsNov2021.yaml)

+- [NOBELIUM - Domain and IP IOCs - March 2021](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_DomainIOCsMarch2021.yaml)

+- [NOBELIUM - Domain, Hash, and IP IOCs - May 2021](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/NOBELIUM_IOCsMay2021.yaml)

+- [Known Phosphorus group domains/IP](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PHOSPHORUSMarch2019IOCs.yaml)

+- [User agent search for log4j exploitation attempt](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml)

+- Before you deploy the [Common Event Format Data connector Python script](./connect-log-forwarder.md), make sure that your Virtual Machine isn't already connected to an existing Log Analytics workspace. You can find this information on the Log Analytics Workspace Virtual Machine list, where a VM that's connected to a Syslog workspace is listed as **Connected**.

+To deploy your application using Azure Resource Manager, you first must [create a sfpkg](./service-fabric-package-apps.md#create-an-sfpkg) Service Fabric Application package. The following Python script is an example of how to create a sfpkg:

+|3960 |RDP |3389 |TCP |Internet |Any |Deny |No

+Sfctl telemetry collects command name without parameters provided or their values, sfctl version, OS type, Python version, the success or failure of the command, the error message returned.

+ Title: Create and deploy applications in Azure Spring Cloud by using PowerShell

+description: How to create and deploy applications in Azure Spring Cloud by using PowerShell

+# Create and deploy applications by using PowerShell

+This article describes how you can create an instance of Azure Spring Cloud by using the [Az.SpringCloud](/powershell/module/Az.SpringCloud) PowerShell module.

+The requirements for completing the steps in this article depend on your Azure subscription:

+* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+ > While the **Az.SpringCloud** PowerShell module is in preview, you must install it by using

+ > the `Install-Module` cmdlet. See the following command. After this PowerShell module becomes generally available, it will be part of future Az PowerShell releases and available by default from within Azure Cloud Shell.

+ resources should be billed. Select a specific subscription by using the [Set-AzContext](/powershell/module/az.accounts/set-azcontext) cmdlet:

+A resource group is a logical container in which Azure resources are deployed and managed as

+a group. Create an [Azure resource group](../azure-resource-manager/management/overview.md)

+by using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup)

+cmdlet. The following example creates a resource group with a specified name and location.

+## Provision a new instance

+example creates an Azure Spring Cloud service, with the name that you specified in the resource group you created previously.

+## Create a new application

+To create a new app, you use the

+[New-AzSpringCloudApp](/powershell/module/az.springcloud/new-azspringcloudapp) cmdlet. The following example creates an app in Azure Spring Cloud named `gateway`.

+## Create a new app deployment

+cmdlet. The following example creates an app deployment in Azure Spring Cloud named `default`, for the `gateway` app.

+## Get a service and its properties

+## Get an application

+[Get-AzSpringCloudApp](/powershell/module/az.springcloud/get-azspringcloudapp) cmdlet. The following example retrieves information about the app `gateway`.

+## Get an app deployment

+[Get-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/get-azspringcloudappdeployment) cmdlet. The following example retrieves information about the `default` Azure Spring Cloud deployment.

+If the resources created in this article aren't needed, you can delete them by running the examples shown in the following sections.

+### Delete an app deployment

+[Remove-AzSpringCloudAppDeployment](/powershell/module/az.springcloud/remove-azspringcloudappdeployment) cmdlet. The following example deletes an app deployed in Azure Spring Cloud named `default`, for the specified service and app.

+### Delete an app

+[Remove-AzSpringCloudApp](/powershell/module/Az.SpringCloud/remove-azspringcloudapp) cmdlet. The following example deletes the `gateway` app in the specified service and resource group.

+### Delete a service

+[Remove-AzSpringCloud](/powershell/module/Az.SpringCloud/remove-azspringcloud) cmdlet. The following example deletes the specified Azure Spring Cloud service.

+> The following example deletes the specified resource group and all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted.

+[Azure Spring Cloud developer resources](./resources.md)

+| Azure Spring Cloud service instances | per region per subscription | 1 | 1 |

+ Title: Enable password protection for Azure Static Web Apps

+description: Prevent unauthorized access to your static web app with a password.

+# Configure password protection

+You can use a password to protect your app's pre-production environments or all environments. Scenarios when password protection is useful include:

+- Limiting access to your static web app to people who have the password

+- Protecting your static web app's staging environments

+Password protection is a lightweight feature that offers a limited level of security. To secure your app using an identity provider, use the integrated [Static Web Apps authentication](authentication-authorization.md). You can also restrict access to your app using [IP restrictions](configuration.md#networking) or a [private endpoint](private-endpoint.md).

+## Prerequisites

+An existing static web app in the Standard plan.

+## Enable password protection

+1. Open your static web app in the Azure portal.

+1. Under *Settings* menu, select **Configuration**.

+1. Select the **General settings** tab.

+1. In the *Password protection* section, select **Protect staging environments only** to protect only your app's pre-production environments or select **Protect both production and staging environments** to protect all environments.

+ :::image type="content" source="media/password-protection/portal-enable.png" alt-text="Screenshot of enabling password protection":::

+1. Enter a password in **Visitor password**. Passwords must be at least eight characters long and contain a capital letter, a lowercase letter, a number, and a symbol.

+1. Enter the same password in **Confirm visitor password**.

+1. Select the **Save** button.

+When visitors first navigate to a protected environment, they're prompted to enter the password before they can view the site.

+## Next steps

+> [!div class="nextstepaction"]

+> [Authentication and authorization](./authentication-authorization.md)

+To see an example that processes ACLs recursively in batches by specifying a batch size, see the Python [sample](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-file-datalake/samples/datalake_samples_access_control_recursive.py).

+To see an example that processes ACLs recursively in batches by specifying a batch size, see the Python [sample](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-file-datalake/samples/datalake_samples_access_control_recursive.py).

+To see an example that processes ACLs recursively in batches by specifying a batch size, see the Python [sample](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-file-datalake/samples/datalake_samples_access_control_recursive.py).

+To see an example that processes ACLs recursively in batches by specifying a batch size, see the Python [sample](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-file-datalake/samples/datalake_samples_access_control_recursive.py).

+To see an example that processes ACLs recursively in batches by specifying a batch size, see the Python [sample](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-file-datalake/samples/datalake_samples_access_control_recursive.py).

+| prefixMatch | An array of strings for prefixes to be matched. Each rule can define up to 10 case-sensitive prefixes. A prefix string must start with a container name. For example, if you want to match all blobs under `https://myaccount.blob.core.windows.net/sample-container/blob1/...` for a rule, the prefixMatch is `sample-container/blob1`. | If you don't define prefixMatch, the rule applies to all blobs within the storage account. | No |

+- [Azure Storage client library for Node.js](/azure/storage/blobs/reference#javascript-client-libraries)

+|  |**Scality**<br>Scality builds a software-defined file and object platform designed for on-premise, hybrid, and multi-cloud environments. ScalityΓÇÖs integration with Azure Blob Storage enable enterprises to manage and secure their data between on-premises environments and Azure, and meet the demand of high-performance, cloud-based file workloads. |[Partner page](https://www.scality.com/partners/azure/)|

+|  |**XenData**<br>XenData software creates multi-tier storage systems that manage files and folders across on-premises storage and Azure Blob Storage. XenData Multi-Site Sync software creates a global file system for distributed teams, enabling them to share and synchronize files across multiple locations. XenData cloud solutions are optimized for video files, supporting video streaming and partial file restore. They are integrated with many complementary software products used in the Media and Entertainment industry and support a variety of workflows. Other industries and applications that use XenData solutions include Oil and Gas, Engineering and Scientific Data, Video Surveillance and Medical Imaging. |[Partner page](https://xendata.com/tech_partners_cloud/azure/)|

+- [Data management and migration partners](..\data-management\partner-overview.md)

+ 

+8. Select the Python option below.

+## Query nested objects

+- Checkout the learn module on how to [Query Azure Cosmos DB with SQL Serverless for Azure Synapse Analytics](/learn/modules/query-azure-cosmos-db-with-sql-serverless-for-azure-synapse-analytics/).

+## Jan 2022 update

+The following updates are new to Azure Synapse Analytics this month.

+### Apache Spark for Synapse

+You can now use four new database templates in Azure Synapse. [Learn more about Automotive, Genomics, Manufacturing, and Pharmaceuticals templates from the blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/four-additional-azure-synapse-database-templates-now-available/ba-p/3058044) or the [database templates article](./database-designer/overview-database-templates.md). These templates are currently in public preview and are available within the Synapse Studio gallery.

+### Machine Learning

+Improvements to the Synapse Machine Learning library v0.9.5 (previously called MMLSpark). This release simplifies the creation of massively scalable machine learning pipelines with Apache Spark. To learn more, [read the blog post about the new capabilities in this release](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_3) or see the [full release notes](https://microsoft.github.io/SynapseML/)

+### Security

+* The Azure Synapse Analytics security overview - A whitepaper that covers the five layers of security. The security layers include authentication, access control, data protection, network security, and threat protection. [Understand each security feature in detailed](./guidance/security-white-paper-introduction.md) to implement an industry-standard security baseline and protect your data on the cloud.

+* TLS 1.2 is now required for newly created Synapse Workspaces. To learn more, see how [TLS 1.2 provides enhanced security using this article](./security/connectivity-settings.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_6). Login attempts to a newly created Synapse workspace from connections using a TLS versions lower than 1.2 will fail.

+### Data Integration

+* Data quality validation rules using Assert transformation - You can now easily add data quality, data validation, and schema validation to your Synapse ETL jobs by leveraging Assert transformation in Synapse data flows. To learn more, see the [Assert transformation in mapping data flow article](/azure/data-factory/data-flow-assert) or [the blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_8).

+* Native data flow connector for Dynamics - Synapse data flows can now read and write data directly to Dynamics through the new data flow Dynamics connector. Learn more on how to [Create data sets in data flows to read, transform, aggregate, join, etc. using this article](../data-factory/connector-dynamics-crm-office-365.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_9). You can then write the data back into Dynamics using the built-in Synapse Spark compute.

+* IntelliSense and auto-complete added to pipeline expressions - IntelliSense makes creating expressions, editing them easy. To learn more, see how to [check your expression syntax, find functions, and add code to your pipelines.](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/intellisense-support-in-expression-builder-for-more-productive/ba-p/3041459)

+### Synapse SQL

+* COPY schema discovery for complex data ingestion. To learn more, see the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_12) or [how Github leveraged this functionality in Introducing Automatic Schema Discovery with auto table creation for complex datatypes](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/introducing-automatic-schema-discovery-with-auto-table-creation/ba-p/3068927).

+* Serverless SQL pools now support the HASHBYTES function. HASHBYTES is a T-SQL function which hashes values. Learn how to use [hash values in distributing data using this article](/sql/t-sql/functions/hashbytes-transact-sql) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_13).

+This article lists updates to Azure Synapse Analytics that are published in Feb 2022. Each update links to the Azure Synapse Analytics blog and an article that provides more information. For previous months releases, check out [Azure Synapse Analytics - updates archive](whats-new-archive.md).

+## SQL

+* Serverless SQL Pools now support more consistent query execution times. [Learn how Serverless SQL pools automatically detect spikes in read latency and support consistent query execution time.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_2)

+* [The `OPENJSON` function makes it easy to get array element indexes](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_3). To learn more, see how the OPENJSON function in a serverless SQL pool allows you to [parse nested arrays and return one row for each JSON array element with the index of each element](/sql/t-sql/functions/openjson-transact-sql?view=azure-sqldw-latest&preserve-view=true#array-element-identity).

+## Data integration

+* [Upserting data is now supported by the copy activity](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_5). See how you can natively load data into a temporary table and then merge that data into a sink table with [upsert.](../data-factory/connector-azure-sql-database.md?tabs=data-factory#upsert-data)

+* [Transform Dynamics Data Visually in Synapse Data Flows.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_6) Learn more on how to use a [Dynamics dataset or an inline dataset as source and sink types to transform data at scale.](../data-factory/connector-dynamics-crm-office-365.md?tabs=data-factory#mapping-data-flow-properties)

+* [Connect to your SQL sources in data flows using Always Encrypted](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_7). To learn more, see [how to securely connect to your SQL databases from Synapse data flows using Always Encrypted.](../data-factory/connector-azure-sql-database.md?tabs=data-factory)

+* [Capture descriptions from asserts in Data Flows](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_8) To learn more, see [how to define your own dynamic descriptive messages](../data-factory/data-flow-expressions-usage.md#assertErrorMessages) in the assert data flow transformation at the row or column level.

+* [Easily define schemas for complex type fields.](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-february-update-2022/ba-p/3221841#TOCREF_9) To learn more, see how you can make the engine to [automatically detect the schema of an embedded complex field inside a string column](../data-factory/data-flow-parse.md).

+ Title: 'Time Series Insights Gen1 migration to Azure Data Explorer | Microsoft Docs'

+description: How to migrate Azure Time Series Insights Gen 1 environments to Azure Data Explorer.

+# Migrating Time Series Insights Gen1 to Azure Data Explorer

+## Overview

+The recommendation is to set up Azure Data Explorer cluster with a new consumer group from the Event Hub or IoT Hub and wait for retention period to pass and fill Azure Data Explorer with the same data as Time Series Insights environment.

+If telemetry data is required to be exported from Time Series Insights environment, the suggestion is to use Time Series Insights Query API to download the events in batches and serialize in required format.

+For reference data, Time Series Insights Explorer or Reference Data API can be used to download reference data set and upload it into Azure Data Explorer as another table. Then, materialized views in Azure Data Explorer can be used to join reference data with telemetry data. Use materialized view with arg_max() aggregation function which will get the latest record per entity, as demonstrated in the following example. For more information about materialized views, read the following documentation: [Materialized views use cases] (./data-explorer/kusto/management/materialized-views/materialized-view-overview.md#materialized-views-use-cases).

+```

+.create materialized-view MVName on table T

+{

+ T

+ | summarize arg_max(Column1,*) by Column2

+}

+```

+## Translate Time Series Insights Queries to KQL

+For queries, the recommendation is to use KQL in Azure Data Explorer.

+#### Events

+```TSQ

+{

+ "searchSpan": {

+ "from": "2021-11-29T22:09:32.551Z",

+ "to": "2021-12-06T22:09:32.551Z"

+ },

+ "predicate": {

+ "predicateString": "([device_id] = 'device_0') AND ([has_error] != null OR [error_code] != null)"

+ },

+ "top": {

+ "sort": [

+ {

+ "input": {

+ "builtInProperty": "$ts"

+ },

+ "order": "Desc"

+ }

+ ],

+ "count": 100

+ }

+}

+```

+```KQL

+ events

+| where _timestamp >= datetime("2021-11-29T22:09:32.551Z") and _timestamp < datetime("2021-12-06T22:09:32.551Z") and deviceid == "device_0" and (not(isnull(haserror)) or not(isempty(errorcode)))

+| top 100 by _timestamp desc

+```

+#### Aggregates

+```TSQ

+{

+ "searchSpan": {

+ "from": "2021-12-04T22:30:00Z",

+ "to": "2021-12-06T22:30:00Z"

+ },

+ "predicate": {

+ "eq": {

+ "left": {

+ "property": "DeviceId",

+ "type": "string"

+ },

+ "right": "device_0"

+ }

+ },

+ "aggregates": [

+ {

+ "dimension": {

+ "uniqueValues": {

+ "input": {

+ "property": "DeviceId",

+ "type": "String"

+ },

+ "take": 1

+ }

+ },

+ "aggregate": {

+ "dimension": {

+ "dateHistogram": {

+ "input": {

+ "builtInProperty": "$ts"

+ },

+ "breaks": {

+ "size": "2d"

+ }

+ }

+ },

+ "measures": [

+ {

+ "count": {}

+ },

+ {

+ "sum": {

+ "input": {

+ "property": "DataValue",

+ "type": "Double"

+ }

+ }

+ },

+ {

+ "min": {

+ "input": {

+ "property": "DataValue",

+ "type": "Double"

+ }

+ }

+ },

+ {

+ "max": {

+ "input": {

+ "property": "DataValue",

+ "type": "Double"

+ }

+ }

+ }

+ ]

+ }

+ }

+ ]

+ }

+```

+```KQL

+ let _q = events | where _timestamp >= datetime("2021-12-04T22:30:00Z") and _timestamp < datetime("2021-12-06T22:30:00Z") and deviceid == "device_0";

+let _dimValues0 = _q | project deviceId | sample-distinct 1 of deviceId;

+_q

+| where deviceid in (_dimValues0) or isnull(deviceid)

+| summarize

+ _meas0 = count(),

+ _meas1 = iff(isnotnull(any(datavalue)), sum(datavalue), any(datavalue)),

+ _meas2 = min(datavalue),

+ _meas3 = max(datavalue),

+ by _dim0 = deviceid, _dim1 = bin(_timestamp, 2d)

+| project

+ _dim0,

+ _dim1,

+ _meas0,

+ _meas1,

+ _meas2,

+ _meas3,

+| sort by _dim0 nulls last, _dim1 nulls last

+```

+ Title: 'Time Series Insights Gen2 migration to Azure Data Explorer | Microsoft Docs'

+description: How to migrate Azure Time Series Insights Gen 2 environments to Azure Data Explorer.

+# Migrating Time Series Insights (TSI) Gen2 to Azure Data Explorer

+## Overview

+High-level migration recommendations.

+| Feature | Gen2 State | Migration Recommended |

+| | | |

+| Ingesting JSON from Hub with flattening and escaping | TSI Ingestion | ADX - OneClick Ingest / Wizard |

+| Open Cold store | Customer Storage Account | [Continuous data export](/azure/data-explorer/kusto/management/data-export/continuous-data-export) to customer specified external table in ADLS. |

+| PBI Connector | Private Preview | Use ADX PBI Connector. Rewrite TSQ to KQL manually. |

+| Spark Connector | Private Preview. Query telemetry data. Query model data. | Migrate data to ADX. Use ADX Spark connector for telemetry data + export model to JSON and load in Spark. Rewrite queries in KQL. |

+| Bulk Upload | Private Preview | Use ADX OneClick Ingest and LightIngest. An optionally, set up partitioning within ADX. |

+| Time Series Model | | Can be exported as JSON file. Can be imported to ADX to perform joins in KQL. |

+| TSI Explorer | Toggling warm and cold | ADX Dashboards |

+| Query language | Time Series Queries (TSQ) | Rewrite queries in KQL. Use Kusto SDKs instead of TSI ones. |

+## Migrating Telemetry

+Use `PT=Time` folder in the storage account to retrieve the copy of all telemetry in the environment. For more information, please see [Data Storage](./concepts-storage.md#cold-store).

+### Migration Step 1 ΓÇô Get Statistics about Telemetry Data

+Data

+1. Env overview

+ - Record Environment ID from first part of Data Access FQDN (for example, d390b0b0-1445-4c0c-8365-68d6382c1c2a From .env.crystal-dev.windows-int.net)

+1. Env Overview -> Storage Configuration -> Storage Account

+1. Use Storage Explorer to get folder statistics

+ - Record size and the number of blobs of `PT=Time` folder. For customers in private preview of Bulk Import, also record `PT=Import` size and number of blobs.

+### Migration Step 2 ΓÇô Migrate Telemetry To ADX

+#### Create ADX cluster

+1. Define the cluster size based on data size using the ADX Cost Estimator.

+ 1. From Event Hubs (or IoT Hub) metrics, retrieve the rate of how much data it's ingested per day. From the Storage Account connected to the TSI environment, retrieve how much data there is in the blob container used by TSI. This information will be used to compute the ideal size of an ADX Cluster for your environment.

+ 1. Open [the Azure Data Explorer Cost Estimator](https://dataexplorer.azure.com/AzureDataExplorerCostEstimator.html) and fill the existing fields with the information found. Set ΓÇ£Workload typeΓÇ¥ as ΓÇ£Storage OptimizedΓÇ¥, and "Hot Data" with the total amount of data queried actively.

+ 1. After providing all the information, Azure Data Explorer Cost Estimator will suggest a VM size and number of instances for your cluster. Analyze if the size of actively queried data will fit in the Hot Cache. Multiply the number of instances suggested by the cache size of the VM size, per example:

+ - Cost Estimator suggestion: 9x DS14 + 4 TB (cache)

+ - Total Hot Cache suggested: 36 TB = [9x (instances) x 4 TB (of Hot Cache per node)]

+ 1. More factors to consider:

+ - Environment growth: when planning the ADX Cluster size consider the data growth along the time.

+ - Hydration and Partitioning: when defining the number of instances in ADX Cluster, consider extra nodes (by 2-3x) to speed up hydration and partitioning.

+ - For more information about compute selection, see [Select the correct compute SKU for your Azure Data Explorer cluster](/azure/data-explorer/manage-cluster-choose-sku).

+1. To best monitor your cluster and the data ingestion, you should enable Diagnostic Settings and send the data to a Log Analytics Workspace.

+ 1. In the Azure Data Explorer blade, go to ΓÇ£Monitoring | Diagnostic settingsΓÇ¥ and click on ΓÇ£Add diagnostic settingΓÇ¥

+ :::image type="content" source="media/gen2-migration/adx-diagnostic.png" alt-text="Screenshot of the Azure Data Explorer blade Monitoring | Diagnostic settings" lightbox="media/gen2-migration/adx-diagnostic.png":::

+ 1. Fill in the following

+ 1. Diagnostic setting name: Display Name for this configuration

+ 1. Logs: At minimum select SucceededIngestion, FailedIngestion, IngestionBatching

+ 1. Select the Log Analytics Workspace to send the data to (if you donΓÇÖt have one youΓÇÖll need to provision one before this step)

+ :::image type="content" source="media/gen2-migration/adx-log-analytics.png" alt-text="Screenshot of the Azure Data Explorer Log Analytics Workspace" lightbox="media/gen2-migration/adx-log-analytics.png":::

+1. Data partitioning.

+ 1. For small size data, the default ADX partitioning is enough. For more complex scenario, with large datasets and right push rate custom ADX data partitioning is more appropriate. Data partitioning is beneficial for scenarios, as follows:

+ 1. Improving query latency in big data sets.

+ 1. When querying historical data.

+ 1. When ingesting out-of-order data.

+ 1. The custom data partitioning should include:

+ 1. The timestamp column, which results in time-based partitioning of extents.

+ 1. A string-based column, which corresponds to the Time Series ID with highest cardinality.

+ 1. An example of data partitioning containing a Time Series ID column and a timestamp column is:

+```

+.alter table events policy partitioning

+ {

+ "PartitionKeys": [

+ {

+ "ColumnName": "timeSeriesId",

+ "Kind": "Hash",

+ "Properties": {

+ "Function": "XxHash64",

+ "MaxPartitionCount": 32,

+ "PartitionAssignmentMode": "Uniform"

+ }

+ },

+ {

+ "ColumnName": "timestamp",

+ "Kind": "UniformRange",

+ "Properties": {

+ "Reference": "1970-01-01T00:00:00",

+ "RangeSize": "1.00:00:00",

+ "OverrideCreationTime": true

+ }

+ }

+ ] ,

+ "EffectiveDateTime": "1970-01-01T00:00:00",

+ "MinRowCountPerOperation": 0,

+ "MaxRowCountPerOperation": 0,

+ "MaxOriginalSizePerOperation": 0

+ }

+```

+For more references, check [ADX Data Partitioning Policy](/azure/data-explorer/kusto/management/partitioningpolicy).

+#### Prepare for Data Ingestion

+1. Go to [https://dataexplorer.azure.com](https://dataexplorer.azure.com).

+ :::image type="content" source="media/gen2-migration/adx-landing-page.png" alt-text="Screenshot of the Azure Data Explorer landing page" lightbox="media/gen2-migration/adx-landing-page.png":::

+1. Go to Data tab and select ΓÇÿIngest from blob containerΓÇÖ

+ :::image type="content" source="media/gen2-migration/adx-ingest-blob.png" alt-text="Screenshot of the Azure Data Explorer ingestion from blob container" lightbox="media/gen2-migration/adx-ingest-blob.png":::

+1. Select Cluster, Database, and create a new Table with the name you choose for the TSI data

+ :::image type="content" source="media/gen2-migration/adx-ingest-table.png" alt-text="Screenshot of the Azure Data Explorer ingestion selection of cluster, database, and table" lightbox="media/gen2-migration/adx-ingest-table.png":::

+1. Select Next: Source

+1. In the Source tab select:

+ 1. Historical data

+ 1. ΓÇ£Select ContainerΓÇ¥

+ 1. Choose the Subscription and Storage account for your TSI data

+ 1. Choose the container that correlates to your TSI Environment

+ :::image type="content" source="media/gen2-migration/adx-ingest-container.png" alt-text="Screenshot of the Azure Data Explorer ingestion selection of container" lightbox="media/gen2-migration/adx-ingest-container.png":::

+1. Select on Advanced settings

+ 1. Creation time pattern: '/'yyyyMMddHHmmssfff'_'

+ 1. Blob name pattern: *.parquet

+ 1. Select on ΓÇ£DonΓÇÖt wait for ingestion to completeΓÇ¥

+ :::image type="content" source="media/gen2-migration/adx-ingest-advanced.png" alt-text="Screenshot of the Azure Data Explorer ingestion selection of advanced settings" lightbox="media/gen2-migration/adx-ingest-advanced.png":::

+1. Under File Filters, add the Folder path `V=1/PT=Time`

+ :::image type="content" source="media/gen2-migration/adx-ingest-folder-path.png" alt-text="Screenshot of the Azure Data Explorer ingestion selection of folder path" lightbox="media/gen2-migration/adx-ingest-folder-path.png":::

+1. Select Next: Schema

+ > [!NOTE]

+ > TSI applies some flattening and escaping when persisting columns in Parquet files. See these links for more details: https://docs.microsoft.com/azure/time-series-insights/concepts-json-flattening-escaping-rules, https://docs.microsoft.com/azure/time-series-insights/ingestion-rules-update.

+- If schema is unknown or varying

+ 1. Remove all columns that are infrequently queried, leaving at least timestamp and TSID column(s).

+ :::image type="content" source="media/gen2-migration/adx-ingest-schema.png" alt-text="Screenshot of the Azure Data Explorer ingestion selection of schema" lightbox="media/gen2-migration/adx-ingest-schema.png":::

+ 1. Add new column of dynamic type and map it to the whole record using $ path.

+ :::image type="content" source="media/gen2-migration/adx-ingest-dynamic-type.png" alt-text="Screenshot of the Azure Data Explorer ingestion for dynamic type" lightbox="media/gen2-migration/adx-ingest-dynamic-type.png":::

+ Example:

+ :::image type="content" source="media/gen2-migration/adx-ingest-dynamic-type-example.png" alt-text="Screenshot of the Azure Data Explorer ingestion for dynamic type example" lightbox="media/gen2-migration/adx-ingest-dynamic-type-example.png":::

+- If schema is known or fixed

+ 1. Confirm that the data looks correct. Correct any types if needed.

+ 1. Select Next: Summary

+Copy the LightIngest command and store it somewhere so you can use it in the next step.

+## Data Ingestion

+Before ingesting data you need to install the [LightIngest tool](/azure/data-explorer/lightingest#prerequisites).

+The command generated from One-Click tool includes a SAS token. ItΓÇÖs best to generate a new one so that you have control over the expiration time. In the portal, navigate to the Blob Container for the TSI Environment and select on ΓÇÿShared access tokenΓÇÖ

+> [!NOTE]

+> ItΓÇÖs also recommended to scale up your cluster before kicking off a large ingestion. For instance, D14 or D32 with 8+ instances.

+1. Set the following

+ 1. Permissions: Read and List

+ 1. Expiry: Set to a period youΓÇÖre comfortable that the migration of data will be complete

+ :::image type="content" source="media/gen2-migration/adx-ingest-sas-expiry.png" alt-text="Screenshot of the Azure Data Explorer ingestion for permission expiry" lightbox="media/gen2-migration/adx-ingest-sas-expiry.png":::

+1. Select on ΓÇÿGenerate SAS token and URLΓÇÖ and copy the ΓÇÿBlob SAS URLΓÇÖ

+ :::image type="content" source="media/gen2-migration/adx-ingest-sas-blob.png" alt-text="Screenshot of the Azure Data Explorer ingestion for SAS Blob URL" lightbox="media/gen2-migration/adx-ingest-sas-blob.png":::

+1. Go to the LightIngest command that you copied previously. Replace the -source parameter in the command with this ΓÇÿSAS Blob URLΓÇÖ

+1. `Option 1: Ingest All Data`. For smaller environments, you can ingest all of the data with a single command.

+ 1. Open a command prompt and change to the directory where the LightIngest tool was extracted to. Once there, paste the LightIngest command and execute it.

+ :::image type="content" source="media/gen2-migration/adx-ingest-lightingest-prompt.png" alt-text="Screenshot of the Azure Data Explorer ingestion for command prompt" lightbox="media/gen2-migration/adx-ingest-lightingest-prompt.png":::

+1. `Option 2: Ingest Data by Year or Month`. For larger environments or to test on a smaller data set you can filter the Lightingest command further.

+ 1. By Year

+ > Change your -prefix parameter

+ > Before: -prefix:"V=1/PT=Time"

+ > After: -prefix:"V=1/PT=Time/Y=<Year>"

+ > Example: -prefix:"V=1/PT=Time/Y=2021"

+ 1. By Month

+ > Change your -prefix parameter

+ > Before: -prefix:"V=1/PT=Time"

+ > After: -prefix:"V=1/PT=Time/Y=<Year>/M=<month #>"

+ > Example: -prefix:"V=1/PT=Time/Y=2021/M=03"

+Once youΓÇÖve modified the command, execute it like above. One the ingestion is complete (using monitoring option below) modify the command for the next year and month you want to ingest.

+## Monitoring Ingestion

+The LightIngest command included the -dontWait flag so the command itself wonΓÇÖt wait for ingestion to complete. The best way to monitor the progress while itΓÇÖs happening is to utilize the ΓÇ£InsightsΓÇ¥ tab within the portal.

+Open the Azure Data Explorer clusterΓÇÖs section within the portal and go to ΓÇÿMonitoring | InsightsΓÇÖ

+You can use the ΓÇÿIngestion (preview)ΓÇÖ section with the below settings to monitor the ingestion as itΓÇÖs happening

+- Time range: Last 30 minutes

+- Look at Successful and by Table

+- If you have any failures, look at Failed and by Table

+YouΓÇÖll know that the ingestion is complete once you see the metrics go to 0 for your table. If you want to see more details,, you can use Log Analytics. On the Azure Data Explorer cluster section select on the ΓÇÿLogΓÇÖ tab:

+#### Useful Queries

+Understand Schema if Dynamic Schema is used

+```

+| project p=treepath(fullrecord)

+| mv-expand p

+| summarize by tostring(p)

+```

+Accessing values in array

+```

+| where id_string == "a"

+| summarize avg(todouble(fullrecord.['nestedArray_v_double'])) by bin(timestamp, 1s)

+| render timechart

+```

+## Migrating Time Series Model (TSM) to Azure Data Explorer

+The model can be download in JSON format from TSI Environment using TSI Explorer UX or TSM Batch API.

+Then the model can be imported to another system like Azure Data Explorer.

+1. Download TSM from TSI UX.

+1. Delete first three lines using VSCode or another editor.

+ :::image type="content" source="media/gen2-migration/adx-tsm-1.png" alt-text="Screenshot of TSM migration to the Azure Data Explorer - Delete first 3 lines" lightbox="media/gen2-migration/adx-tsm-1.png":::

+1. Using VSCode or another editor, search and replace as regex `\},\n \{` with `}{`

+ :::image type="content" source="media/gen2-migration/adx-tsm-2.png" alt-text="Screenshot of TSM migration to the Azure Data Explorer - search and replace" lightbox="media/gen2-migration/adx-tsm-2.png":::

+1. Ingest as JSON into ADX as a separate table using Upload from file functionality.

+ :::image type="content" source="media/gen2-migration/adx-tsm-3.png" alt-text="Screenshot of TSM migration to the Azure Data Explorer - Ingest as JSON" lightbox="media/gen2-migration/adx-tsm-3.png":::

+## Translate Time Series Queries (TSQ) to KQL

+#### GetEvents

+```TSQ

+{

+ "getEvents": {

+ "timeSeriesId": [

+ "assest1",

+ "siteId1",

+ "dataId1"

+ ],

+ "searchSpan": {

+ "from": "2021-11-01T00:00:0.0000000Z",

+ "to": "2021-11-05T00:00:00.000000Z"

+ },

+ "inlineVariables": {},

+ }

+}

+```

+

+```KQL

+events

+| where timestamp >= datetime(2021-11-01T00:00:0.0000000Z) and timestamp < datetime(2021-11-05T00:00:00.000000Z)

+| where assetId_string == "assest1" and siteId_string == "siteId1" and dataid_string == "dataId1"

+| take 10000

+```

+#### GetEvents with filter

+ ```TSQ

+{

+ "getEvents": {

+ "timeSeriesId": [

+ "deviceId1",

+ "siteId1",

+ "dataId1"

+ ],

+ "searchSpan": {

+ "from": "2021-11-01T00:00:0.0000000Z",

+ "to": "2021-11-05T00:00:00.000000Z"

+ },

+ "filter": {

+ "tsx": "$event.sensors.sensor.String = 'status' AND $event.sensors.unit.String = 'ONLINE"

+ }

+ }

+}

+```

+```KQL

+events

+| where timestamp >= datetime(2021-11-01T00:00:0.0000000Z) and timestamp < datetime(2021-11-05T00:00:00.000000Z)

+| where deviceId_string== "deviceId1" and siteId_string == "siteId1" and dataId_string == "dataId1"

+| where ['sensors.sensor_string'] == "status" and ['sensors.unit_string'] == "ONLINE"

+| take 10000

+```

+#### GetEvents with projected variable

+```TSQ

+{

+ "getEvents": {

+ "timeSeriesId": [

+ "deviceId1",

+ "siteId1",

+ "dataId1"

+ ],

+ "searchSpan": {

+ "from": "2021-11-01T00:00:0.0000000Z",

+ "to": "2021-11-05T00:00:00.000000Z"

+ },

+ "inlineVariables": {},

+ "projectedVariables": [],

+ "projectedProperties": [

+ {

+ "name": "sensors.value",

+ "type": "String"

+ },

+ {

+ "name": "sensors.value",

+ "type": "bool"

+ },

+ {

+ "name": "sensors.value",

+ "type": "Double"

+ }

+ ]

+ }

+}

+```

+```KQL

+events

+| where timestamp >= datetime(2021-11-01T00:00:0.0000000Z) and timestamp < datetime(2021-11-05T00:00:00.000000Z)

+| where deviceId_string== "deviceId1" and siteId_string == "siteId1" and dataId_string == "dataId1"

+| take 10000

+| project timestamp, sensorStringValue= ['sensors.value_string'], sensorBoolValue= ['sensors.value_bool'], sensorDoublelValue= ['sensors.value_double']

+```

+#### AggregateSeries

+```TSQ

+{

+ "aggregateSeries": {

+ "timeSeriesId": [

+ "deviceId1"

+ ],

+ "searchSpan": {

+ "from": "2021-11-01T00:00:00.0000000Z",

+ "to": "2021-11-05T00:00:00.0000000Z"

+ },

+ "interval": "PT1M",

+ "inlineVariables": {

+ "sensor": {

+ "kind": "numeric",

+ "value": {

+ "tsx": "coalesce($event.sensors.value.Double, todouble($event.sensors.value.Long))"

+ },

+ "aggregation": {

+ "tsx": "avg($value)"

+ }

+ }

+ },

+ "projectedVariables": [

+ "sensor"

+ ]

+ }

+```

+```KQL

+events

+| where timestamp >= datetime(2021-11-01T00:00:00.0000000Z) and timestamp < datetime(2021-11-05T00:00:00.0000000Z)

+| where deviceId_string == "deviceId1"

+| summarize avgSensorValue= avg(coalesce(['sensors.value_double'], todouble(['sensors.value_long']))) by bin(IntervalTs = timestamp, 1m)

+| project IntervalTs, avgSensorValue

+```

+#### AggregateSeries with filter

+```TSQ

+{

+ "aggregateSeries": {

+ "timeSeriesId": [

+ "deviceId1"

+ ],

+ "searchSpan": {

+ "from": "2021-11-01T00:00:00.0000000Z",

+ "to": "2021-11-05T00:00:00.0000000Z"

+ },

+ "filter": {

+ "tsx": "$event.sensors.sensor.String = 'heater' AND $event.sensors.location.String = 'floor1room12'"

+ },

+ "interval": "PT1M",

+ "inlineVariables": {

+ "sensor": {

+ "kind": "numeric",

+ "value": {

+ "tsx": "coalesce($event.sensors.value.Double, todouble($event.sensors.value.Long))"

+ },

+ "aggregation": {

+ "tsx": "avg($value)"

+ }

+ }

+ },

+ "projectedVariables": [

+ "sensor"

+ ]

+ }

+}

+```

+```KQL

+events

+| where timestamp >= datetime(2021-11-01T00:00:00.0000000Z) and timestamp < datetime(2021-11-05T00:00:00.0000000Z)

+| where deviceId_string == "deviceId1"

+| where ['sensors.sensor_string'] == "heater" and ['sensors.location_string'] == "floor1room12"

+| summarize avgSensorValue= avg(coalesce(['sensors.value_double'], todouble(['sensors.value_long']))) by bin(IntervalTs = timestamp, 1m)

+| project IntervalTs, avgSensorValue

+```

+## Migration from TSI Power BI Connector to ADX Power BI Connector

+The manual steps involved in this migration are

+1. Convert Power BI query to TSQ

+1. Convert TSQ to KQL

+Power BI query to TSQ:

+The Power BI query copied from TSI UX Explorer looks like as shown below

+#### For Raw Data(GetEvents API)

+```

+{"storeType":"ColdStore","isSearchSpanRelative":false,"clientDataType":"RDX_20200713_Q","environmentFqdn":"6988946f-2b5c-4f84-9921-530501fbab45.env.timeseries.azure.com", "queries":[{"getEvents":{"searchSpan":{"from":"2019-10-31T23:59:39.590Z","to":"2019-11-01T05:22:18.926Z"},"timeSeriesId":["Arctic Ocean",null],"take":250000}}]}

+```

+- To convert it to TSQ, build a JSON from the above payload. The GetEvents API documentation also has examples to understand it better. Query - Execute - REST API (Azure Time Series Insights) | Microsoft Docs

+- The converted TSQ looks like as shown below. It's the JSON payload inside ΓÇ£queriesΓÇ¥

+```

+{

+ "getEvents": {

+ "timeSeriesId": [

+ "Arctic Ocean",

+ "null"

+ ],

+ "searchSpan": {

+ "from": "2019-10-31T23:59:39.590Z",

+ "to": "2019-11-01T05:22:18.926Z"

+ },

+ "take": 250000

+ }

+}

+```

+#### For Aggradate Data(Aggregate Series API)

+- For single inline variable, PowerBI query from TSI UX Explorer looks like as shown bellow:

+```

+{"storeType":"ColdStore","isSearchSpanRelative":false,"clientDataType":"RDX_20200713_Q","environmentFqdn":"6988946f-2b5c-4f84-9921-530501fbab45.env.timeseries.azure.com", "queries":[{"aggregateSeries":{"searchSpan":{"from":"2019-10-31T23:59:39.590Z","to":"2019-11-01T05:22:18.926Z"},"timeSeriesId":["Arctic Ocean",null],"interval":"PT1M", "inlineVariables":{"EventCount":{"kind":"aggregate","aggregation":{"tsx":"count()"}}},"projectedVariables":["EventCount"]}}]}

+```

+- To convert it to TSQ, build a JSON from the above payload. The AggregateSeries API documentation also has examples to understand it better. [Query - Execute - REST API (Azure Time Series Insights) | Microsoft Docs](/azure/rest/api/time-series-insights/dataaccessgen2/query/execute#queryaggregateseriespage1)

+- The converted TSQ looks like as shown below. It's the JSON payload inside ΓÇ£queriesΓÇ¥

+```

+{

+ "aggregateSeries": {

+ "timeSeriesId": [

+ "Arctic Ocean",

+ "null"

+ ],

+ "searchSpan": {

+ "from": "2019-10-31T23:59:39.590Z",

+ "to": "2019-11-01T05:22:18.926Z"

+ },

+ "interval": "PT1M",

+ "inlineVariables": {

+ "EventCount": {

+ "kind": "aggregate",

+ "aggregation": {

+ "tsx": "count()"

+ }

+ }

+ },

+ "projectedVariables": [

+ "EventCount",

+ ]

+ }

+}

+```

+- For more than one inline variable, append the json into ΓÇ£inlineVariablesΓÇ¥ as shown in the example below. The Power BI query for more than one inline variable looks like:

+```

+{"storeType":"ColdStore","isSearchSpanRelative":false,"clientDataType":"RDX_20200713_Q","environmentFqdn":"6988946f-2b5c-4f84-9921-530501fbab45.env.timeseries.azure.com","queries":[{"aggregateSeries":{"searchSpan":{"from":"2019-10-31T23:59:39.590Z","to":"2019-11-01T05:22:18.926Z"},"timeSeriesId":["Arctic Ocean",null],"interval":"PT1M", "inlineVariables":{"EventCount":{"kind":"aggregate","aggregation":{"tsx":"count()"}}},"projectedVariables":["EventCount"]}}, {"aggregateSeries":{"searchSpan":{"from":"2019-10-31T23:59:39.590Z","to":"2019-11-01T05:22:18.926Z"},"timeSeriesId":["Arctic Ocean",null],"interval":"PT1M", "inlineVariables":{"Magnitude":{"kind":"numeric","value":{"tsx":"$event['mag'].Double"},"aggregation":{"tsx":"max($value)"}}},"projectedVariables":["Magnitude"]}}]}

+{

+ "aggregateSeries": {

+ "timeSeriesId": [

+ "Arctic Ocean",

+ "null"

+ ],

+ "searchSpan": {

+ "from": "2019-10-31T23:59:39.590Z",

+ "to": "2019-11-01T05:22:18.926Z"

+ },

+ "interval": "PT1M",

+ "inlineVariables": {

+ "EventCount": {

+ "kind": "aggregate",

+ "aggregation": {

+ "tsx": "count()"

+ }

+ },

+ "Magnitude": {

+ "kind": "numeric",

+ "value": {

+ "tsx": "$event['mag'].Double"

+ },

+ "aggregation": {

+ "tsx": "max($value)"

+ }

+ }

+ },

+ "projectedVariables": [

+ "EventCount",

+ "Magnitude",

+ ]

+ }

+}

+```

+- If you want to query the latest data("isSearchSpanRelative": true), manually calculate the searchSpan as mentioned below

+ - Find the difference between ΓÇ£fromΓÇ¥ and ΓÇ£toΓÇ¥ from the Power BI payload. LetΓÇÖs call that difference as ΓÇ£DΓÇ¥ where ΓÇ£DΓÇ¥ = ΓÇ£fromΓÇ¥ - ΓÇ£toΓÇ¥

+ - Take the current timestamp(ΓÇ£TΓÇ¥) and subtract the difference obtained in first step. It will be new ΓÇ£fromΓÇ¥(F) of searchSpan where ΓÇ£FΓÇ¥ = ΓÇ£TΓÇ¥ - ΓÇ£DΓÇ¥

+ - Now, the new ΓÇ£fromΓÇ¥ is ΓÇ£FΓÇ¥ obtained in step 2 and new ΓÇ£toΓÇ¥ is ΓÇ£TΓÇ¥(current timestamp)

+ Title: 'Migrating to Azure Data Explorer | Microsoft Docs'

+description: How to migrate Azure Time Series Insights environments to Azure Data Explorer.

+# Migrating to Azure Data Explorer

+## Overview

+Time Series Insights (TSI) service provides access to historical data ingested through hubs for operational analytics and reporting. Service features are:

+- Data ingestion via hubs or bulk upload capability.

+- Data storage on hot, limited retention, and cold, infinite retention, paths.

+- Data contextualization applying hierarchies through Time Series Model.

+- Data charting and operational analysis through TSI Explorer.

+- Data query using TSQ through API or TSI Explorer.

+- Connectors to access data with Databricks Spark or PBI.

+## Feature Comparison with Azure Data Explorer (ADX)

+| Feature | TSI | ADX |

+| | | |

+| Data ingestion | Event Hubs, IoT hub limited to 1 MB/s | Event Hubs, IoT hub, Kafka, Spark, Azure storage, Azure Stream Analytics, Azure Data Factory, Logstash, Power automate, Logic apps, Telegraf, Apache Nifi. No limits on ingestion (scalable), Ingestion benchmark is 200 MB/s/node on a 16 core machine in ADX cluster. |

+| Data storage and retention | Warm store ΓÇô multitenant ADX Cluster | Cold Store - Azure Blob storage in customerΓÇÖs subscription Distributed columnar store with highly optimized hot(on SSD of compute nodes) and cold(on Azure storage) store. Choose any ADX SKU so full flexibility |

+| Data formats | JSON | JSON, CSV, Avro, Parquet, ORC, TXT and various others [Data formats supported by Azure Data Explorer for ingestion](/azure/data-explorer/ingestion-supported-formats). |

+| Data Querying | TSQ | KQL, SQL |

+| Data Visualization | TSI Explorer, PBI | PBI, ADX Dashboards, Grafana, Kibana and other visualization tools using ODBC/JDBC connectors |

+| Machine Learning | NA | Supports R, Python to build ML models or score data by exporting existing ML models. Native capabilities for forecasting. Anomaly detection at scale. Clustering capabilities for diagnostics and RCA |

+| PBI Connector | Public preview | Optimized native PBI connector(GA), supports direct query or import mode, supports query parameters and filters |

+| Data Export | Data is available as Parquet files in BLOB storage | Supports automatic continuous export to Azure storage, external tables to query exported data |

+| HA/DR | Storage is owned by customer so depends on selected config. | HA SLA of 99.9% availability, AZ supported, Storage is built on durable Azure Blob storage |

+| Security | Private link for incoming traffic, but open for storage and hubs | VNet injection, Private Link, Encryption at rest with customer managed keys supported |

+| RBAC role and RLS | Limited RBAC role, no RLS | Granular RBAC role for functions and data access, RLS and data masking supported |

+## TSI Migration to ADX Steps

+TSI has two offerings, Gen1 and Gen2, which have different migration steps.

+### TSI Gen1

+TSI Gen1 doesnΓÇÖt have cold storage or hierarchy capability. All data has fixed retention. Extracting data and mapping it to ADX would be complicated and time-consuming task for TSI developers and the customer. Suggestion migration path is to set up parallel data ingestion to ADX. After fixed data retention period passes TSI environment can be deleted as ADX will contain same data.

+1. Create ADX Cluster

+1. Set up parallel ingestion from hubs to ADX Cluster

+1. Continue ingesting data for the period of fixed retention

+1. Start using ADX Cluster

+1. Delete TSI environment

+Detailed FAQ and engineering experience is outlined in [How to migrate TSI Gen1 to ADX](./how-to-tsi-gen1-migration.md)

+### TSI Gen2

+TSI Gen2 stores all data on cold storage using Parquet format as a blob in customerΓÇÖs subscription. To migrate data customer, should take the blob and import it into ADX using bulk upload capability Lightingest. More information on lightingest can be fund here.

+1. Create ADX Cluster

+1. Redirect data ingestion to ADX Cluster

+1. Import TSI cold data using lightingest

+1. Start using ADX Cluster

+1. Delete TSI Environment

+Detailed FAQ and engineering experience is outlined in [How to migrate TSI Gen2 to ADX](./how-to-tsi-gen2-migration.md)

+> [!NOTE]

+> If you are unable to migrate to Time Series Insights to Azure Data Explorer by 31 March 2025, your Time Series Insights resources will be automatically deleted. YouΓÇÖll be able to access Gen2 data in your storage account. However, youΓÇÖll only be able to perform management operations (such as updating storage account settings, getting storage account properties/keys, and deleting storage accounts) through Azure Resource Manager. For Gen1 data, if you have a support plan, please create a support ticket to retrieve your Gen1 data. We will keep your Gen1 data until 30 April 2025.

+> [!IMPORTANT]

+> Automatic VM guest patching, on-demand patch assessment and on-demand patch installation are supported only on VMs created from images with the exact combination of publisher, offer and sku from the below supported OS images list. Custom images or any other publisher, offer, sku combinations are not supported. More images are added periodically.

+| 20 | Install Error | Python is required |

+If Python is not installed on your FreeBSD machine, run following commands before the installation. 

+ When all databases on the VM have been successfully recovered you may unmount the restore point. This can be done on the VM using the `unmount` command or in Azure portal from the File Recovery blade. You can also unmount the recovery volumes by running the Python script again with the **-clean** option.

+This snapshot backup procedure can be managed in various ways, using various tools. One example is the Python script ΓÇ£ntaphana_azure.pyΓÇ¥ available on GitHub [https://github.com/netapp/ntaphana](https://github.com/netapp/ntaphana)

+Back up to Azure blob storage is a cost effective and fast method to save ANF-based HANA database storage snapshot backups. To save the snapshots to Azure Blob storage, the AzCopy tool is preferred. Download the latest version of this tool and install it, for example, in the bin directory where the Python script from GitHub is installed.

+ Title: Integrating Azure with SAP RISE managed workloads| Microsoft Docs

+description: Describes integrating SAP RISE managed virtual network with customer's own Azure environment

+documentationcenter: ''

+editor: ''

+tags: azure-resource-manager

+keywords: ''

+ vm-linux

+# Integrating Azure with SAP RISE managed workloads

+For customers with SAP solutions such as RISE with SAP Enterprise Cloud Services (ECS) and SAP S/4HANA Cloud, private edition (PCE) which are deployed on Azure, integrating the SAP managed environment with their own Azure ecosystem and third party applications is of particular importance. The following article explains the concepts utilized and best practices to follow for a secure and performant solution.

+RISE with SAP S/4HANA Cloud, private edition and SAP Enterprise Cloud Services are SAP managed services of your SAP landscape, in an Azure subscription owned by SAP. The virtual network (vnet) utilized by these managed systems should fit well in your overall network concept and your available IP address space. Requirements for private IP range for RISE PCE or ECS environments are coming from SAP reference deployments. Customers specify the chosen RFC1918 CIDR IP address range to SAP. To facilitate connectivity between SAP and customers owned Azure subscriptions/vnets, a direct vnet peering can be set up. Another option is the use of a VPN vnet-to-vnet connection.

+> [!IMPORTANT]

+> For all details about RISE with SAP Enterprise Cloud Services and SAP S/4HANA Cloud, private edition please contact your SAP representative.

+## Virtual network peering with SAP RISE/ECS

+A vnet peering is the most performant way to connect securely and privately two standalone vnets, utilizing the Microsoft private backbone network. The peered networks appear as one for connectivity purposes, allowing applications to talk to each other. Applications running in different vnets, subscriptions, Azure tenants or regions are enabled to communicate directly. Like network traffic on a single vnet, vnet peering traffic remains on MicrosoftΓÇÖs private network and does not traverse the internet.

+For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customerΓÇÖs existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering. Communication between the peered vnets is secured through these NSGs, limiting communication to customerΓÇÖs SAP environment. For details and a list of open ports, contact your SAP representative.

+SAP managed workload is preferably deployed in the same [Azure region](https://azure.microsoft.com/global-infrastructure/geographies/) as customerΓÇÖs central infrastructure and applications accessing it. Virtual network peering can be set up within the same region as your SAP managed environment, but also through [global virtual network peering](/azure/virtual-network/virtual-network-peering-overview) between any two Azure regions. With SAP RISE/ECS available in many Azure regions, the region ideally should be matched with workload running in customer vnets due to latency and vnet peering cost considerations. However, some of the scenarios (for example, central S/4HANA deployment for a multi-national, globally presented company) also require to peer networks globally.

+ This diagram shows a typical SAP customer's hub and spoke virtual networks. Cross-tenant virtual network peering connects SAP RISE vnet to customer's hub vnet.

+Since SAP RISE/ECS runs in SAPΓÇÖs Azure tenant and subscriptions, the virtual network peering needs to be set up between [different tenants](/azure/virtual-network/create-peering-different-subscriptions). This can be accomplished by setting up the peering with the SAP provided networkΓÇÖs Azure resource ID and have SAP approve the peering. Add a user from the opposite AAD tenant as a guest user, accept the guest user invitation and follow process documented at [Create a VNet peering - different subscriptions](/azure/virtual-network/create-peering-different-subscriptions#cli). Contact your SAP representative for the exact steps required. Engage the respective team(s) within your organization that deal with network, user administration and architecture to enable this process to be completed swiftly.

+## VPN Vnet-to-Vnet

+As an alternative to vnet peering, virtual private network (VPN) connection can be established between VPN gateways, deployed both in the SAP RISE/ECS subscription and customers own. A vnet-to-vnet connection will be established between these two VPN gateways, enabling fast communication between the two separate vnets. The respective vnets and gateways can be located in different Azure regions.

+ This diagram shows a typical SAP customer's hub and spoke virtual networks. VPN gateway located in SAP RISE vnet connects through vnet-to-vnet connection into gateway contained in customer's hub vnet.

+While vnet peering is the recommended and more typical deployment model, a VPN vnet-to-vnet can potentially simplify a complex virtual peering between customer and SAP RISE/ECS virtual networks. The VPN Gateway acts as only point of entry into the customerΓÇÖs network and is managed and secured by a central team.

+Network Security Groups are in effect on both customer and SAP vnet, identically to vnet peering architecture enabling communication to SAP NetWeaver and HANA ports as required. For details how to set up the VPN connection and which settings should be used, contact your SAP representative.

+## Connectivity back to on-premise

+With an existing customer Azure deployment, on-premise network is already connected through ExpressRoute (ER) or VPN. The same on-premise network path is typically used for SAP RISE/ECS managed workloads. Preferred architecture is to use existing ER/VPN Gateways in customerΓÇÖs hub vnet for this purpose, with connected SAP RISE vnet seen as a spoke network connected to customerΓÇÖs vnet hub.

+ This diagram shows a typical SAP customer's hub and spoke virtual networks. It's connected to on-premise with a connection. Cross tenant virtual network peering connects SAP RISE vnet to customer's hub vnet. The vnet peering has remote gateway transit enabled, enabling SAP RISE vnet to be accessed from on-premise.

+With this architecture, central policies and security rules governing network connectivity to customer workloads also apply to SAP RISE/ECS managed workloads. The same on-premise network path is used for both customer's vnets and SAP RISE/ECS vnet.

+If there's no currently existing Azure to on-premise connectivity, contact your SAP representative for details which connections models are possible to be established. Any on-premise to SAP RISE/ECS connection is then for reaching the SAP managed vnet only. The on-premise to SAP RISE/ECS connection isn't used to access customer's own Azure vnets.

+**Important to note**: A virtual network can have [only have one gateway](/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity), local or remote. With vnet peering established between SAP RISE/ECS using remote gateway transit like in above architecture, no gateways can be added in the SAP RISE/ECS vnet. A combination of vnet peering with remote gateway transit together with another VPN gateway in the SAP RISE/ECS vnet isn't possible.

+## Virtual WAN with SAP RISE/ECS managed workloads

+Similarly to using a hub and spoke network architecture with connectivity to both SAP RISE/ECS vnet and on-premises, the Azure Virtual Wan (vWAN) hub can be used for same purpose. Both connection options described earlier ΓÇô vnet peering as well as VPN vnet-to-vnet ΓÇô are available to be connected to vWAN hub.

+The vWAN network hub is deployed and managed entirely by customer in customer subscription and vnet. On-premise connection and routing through vWAN network hub are also managed entirely by customer.

+Again, contact your SAP representative for details and steps needed to establish this connectivity.

+## DNS integration with SAP RISE/ECS managed workloads

+Integration of customer owned networks with Cloud-based infrastructure and providing a seamless name resolution concept is a vital part of a successful project implementation.

+This diagram describes one of the common integration scenarios of SAP owned subscriptions, VNets and DNS infrastructure with customerΓÇÖs local network and DNS services. In this setup on-premise DNS servers are holding all DNS entries. The DNS infrastructure is capable to resolve DNS requests coming from all sources (on-premise clients, customerΓÇÖs Azure services and SAP managed environments).

+ This diagram shows a typical SAP customer's hub and spoke virtual networks. Cross-tenant virtual network peering connects SAP RISE vnet to customer's hub vnet. On-premise connectivity is provided from customer's hub. DNS servers are located both within customer's hub vnet as well as SAP RISE vnet, with DNS zone transfer between them. DNS Queries from customer's VMs query the customer's DNS servers.

+Design description and specifics:

+ - Custom DNS configuration for SAP-owned VNets

+ - 2 VMs in the RISE/STE/ECS Azure vnet hosting DNS servers

+ - Customers must provide and delegate to SAP a subdomain/zone (for example, \*hec.contoso.com) which will be used to assign names and create forward and reverse DNS entries for the virtual machines that run SAP managed environment. SAP DNS servers are holding a master DNS role for the delegated zone

+ - DNS zone transfer from SAP DNS server to customerΓÇÖs DNS servers is the primary method to replicate DNS entries from RISE/STE/ECS environment to on-premise DNS

+ - Customer-owned Azure vnets are also using custom DNS configuration referring to customer DNS servers located in Azure Hub vnet.

+ - Optionally, customers can set up a DNS forwarder within their Azure vnets. Such forwarder then pushes DNS requests coming from Azure services to SAP DNS servers that are targeted to the delegated zone (\*hec.contoso.com).

+Alternatively, DNS zone transfer from SAP DNS servers could be performed to a customerΓÇÖs DNS servers located in Azure Hub VNet (diagram above). This is applicable for the designs when customers operate custom DNS solution (e.g. [AD DS](/windows-server/identity/ad-ds/active-directory-domain-services) or BIND servers) within their Hub VNet.

+**Important to note**, that both Azure provided DNS and Azure private zones **do not** support DNS zone transfer capability, hence, cannot be used to accept DNS replication from SAP RISE/STE/ECS DNS servers. Additionally, external DNS service providers are typically not supported by SAP RISE/ECS.

+To further read about the usage of Azure DNS for SAP, outside the usage with SAP RISE/ECS see details in following [blog post](https://www.linkedin.com/posts/k-popov_sap-on-azure-dns-integration-whitepaper-activity-6841398577495977984-ui9V/).

+## Internet outbound and inbound connections with SAP RISE/ECS

+SAP workloads communicating with external applications or inbound connections from a companyΓÇÖs user base (for example, SAP Fiori) could require a network path to the Internet, depending on customerΓÇÖs requirements. Within SAP RISE/ECS managed workloads, work with your SAP representative to explore needs for such https/RFC/other communication paths. Network communication to/from the Internet is by default not enabled for SAP RISE/ECS customers and default networking is utilizing private IP ranges only. Internet connectivity requires planning with SAP, to optimally protect customerΓÇÖs SAP landscape.

+Should you enable Internet bound or incoming traffic with your SAP representatives, the network communication is protected through various Azure technologies such as NSGs, ASGs, Application Gateway with Web Application Firewall (WAF), proxy servers and others. These services are entirely managed through SAP within the SAP RISE/ECS vnet and subscription. The network path SAP RISE/ECS to and from Internet remains typically within the SAP RISE/ECS vnet only and does not transit into/from customerΓÇÖs own vnet(s).

+ This diagram shows a typical SAP customer's hub and spoke virtual networks. Cross-tenant virtual network peering connects SAP RISE vnet to customer's hub vnet. On-premise connectivity is provided from customer's hub. SAP Cloud Connector VM from SAP RISE vnet connects through Internet to SAP BTP. Another SAP Cloud Connector VM connects through Internet to SAP BTP, with internet inbound and outbound connectivity facilitated by customer's hub vnet.

+Applications within a customerΓÇÖs own vnet connect to the Internet directly from respective vnet or through customerΓÇÖs centrally managed services such as Azure Firewall, Azure Application Gateway, NAT Gateway and others. Connectivity to SAP BTP from non-SAP RISE/ECS applications takes the same network Internet bound path. Should an SAP Cloud Connecter be needed for such integration, it's placed with customerΓÇÖs non-SAP VMs requiring SAP BTP communication and network path managed by customer themselves.

+## SAP BTP Connectivity

+SAP Business Technology Platform (BTP) provides a multitude of applications that are accessed by public IP/hostname via the Internet.

+Customer services running in their Azure subscriptions access them either directly through VM/Azure service internet connection, or through User Defined Routes forcing all Internet bound traffic to go through a centrally managed firewall or other network virtual appliances.

+SAP has a [preview program](https://help.sap.com/products/PRIVATE_LINK/42acd88cb4134ba2a7d3e0e62c9fe6cf/3eb3bc7aa5db4b5da9dcdbf8ee478e52.html) in operation for SAP Private Link Service for customers using SAP BTP on Azure. The SAP Private Link Service exposes SAP BTP services through a private IP range to customerΓÇÖs Azure network and thus accessible privately through previously described vnet peering or VPN site-to-site connections instead of through the Internet.

+See a series of blog posts on the architecture of the SAP BTP Private Link Service and private connectivity methods, dealing with DNS and certificates in following SAP blog series [Getting Started with BTP Private Link Service for Azure](https://blogs.sap.com/2021/12/29/getting-started-with-btp-private-link-service-for-azure/)

+## Next steps

+Check out the documentation:

+- [SAP workloads on Azure: planning and deployment checklist](./sap-deployment-checklist.md)

+- [Virtual network peering](/azure/virtual-network/virtual-network-peering-overview)

+- [Public endpoint connectivity for Virtual Machines using Azure Standard Load Balancer in SAP high-availability scenarios](./high-availability-guide-standard-load-balancer-outbound-connections.md)

+If a VM image doesn't include a driver for the Mellanox physical NIC, networking capabilities will continue to work at the slower speeds of the virtual NIC, even though the portal, Azure CLI, and Azure PowerShell will still show the Accelerated Networking feature as _enabled_.

+An Application Gateway frontend can be a private IP address, public IP address, or both. The V1 SKU of Application Gateway supports basic dynamic public IPs. The V2 SKU supports standard SKU public IPs that are static only. Application Gateway V2 SKU doesn't support an internal IP address as it's only frontend. For more information, see [Application Gateway front-end IP address configuration](../../application-gateway/configuration-front-end-ip.md).

+- To learn more about public IP addresses in Azure, see [Public IP addresses](./public-ip-addresses.md).

+Each NAT gateway public IP address provides 64,512 SNAT ports to make outbound connections. NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.

+For NAT gateway, 64,512 SNAT ports are available per public IP address. For each public IP address attached to NAT gateway, the entire inventory of ports provided by those IPs is made available to any virtual machine instance within a subnet that is also attached to NAT gateway. NAT gateway selects a port at random out of the available inventory of ports to make new outbound connections. If NAT gateway doesn't find any available SNAT ports, then it will reuse a SNAT port. A port can be reused so long as it's going to a different destination endpoint. As mentioned in the [Performance](#performance) section, NAT gateway supports up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet.

+The following illustrates this concept as an additional flow to the preceding set, with a VM flowing to a new destination IP 65.52.0.2.

+* Presence of custom UDRs for virtual appliances and VPN ExpressRoutes override NAT gateway for directing internet bound traffic (route to the 0.0.0.0/0 address prefix). See [Troubleshooting NAT gateway](./troubleshoot-nat.md#virtual-appliance-udrs-and-vpn-expressroute-override-nat-gateway-for-routing-outbound-traffic) to learn more.

+* [Connection failures due to idle timeouts](#connection-failures-due-to-idle-timeouts)

+* [Connection failures outside of the Azure infrastructure](#connection-failures-outside-of-the-azure-infrastructure)

+3. No [NSG rules](../network-security-groups-overview.md#outbound) or [UDRs](#virtual-appliance-udrs-and-vpn-expressroute-override-nat-gateway-for-routing-outbound-traffic) are blocking NAT gateway from directing traffic outbound to the internet.

+* NAT gateway's configurable TCP idle timeout timer is set higher than the default value of 4 minutes.

+### Outbound connectivity not scaled out enough

+Each public IP address provides 64,512 SNAT ports to subnets attached to NAT gateway. From those available SNAT ports, NAT gateway can support up to 50,000 concurrent connections to the same destination endpoint. If outbound connections are dropping because SNAT ports are being exhausted, then NAT gateway may not be scaled out enough to handle the workload. More public IP addresses may need to be added to NAT gateway in order to provide more SNAT ports for outbound connectivity.

+The table below describes two common scenarios in which outbound connectivity may not be scaled out enough and how to validate and mitigate these issues:

+| Scenario | Evidence |Mitigation |

+||||

+| You're experiencing contention for SNAT ports and SNAT port exhaustion during periods of high usage. | You run the following [metrics](nat-metrics.md) in Azure Monitor: **Total SNAT Connection**: "Sum" aggregation shows high connection volume. "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | Determine if you can add more public IP addresses or public IP prefixes. This addition will allow for up to 16 IP addresses in total to your NAT gateway. This addition will provide more inventory for available SNAT ports (64,000 per IP address) and allow you to scale your scenario further.|

+| You've already given 16 IP addresses and still are experiencing SNAT port exhaustion. | Attempt to add more IP addresses fails. Total number of IP addresses from public IP address resources or public IP prefix resources exceeds a total of 16. | Distribute your application environment across multiple subnets and provide a NAT gateway resource for each subnet. |

+>[!NOTE]

+>It is important to understand why SNAT exhaustion occurs. Make sure you are using the right patterns for scalable and reliable scenarios. Adding more SNAT ports to a scenario without understanding the cause of the demand should be a last resort. If you do not understand why your scenario is applying pressure on SNAT port inventory, adding more SNAT ports to the inventory by adding more IP addresses will only delay the same exhaustion failure as your application scales. You may be masking other inefficiencies and anti-patterns.

+### TCP idle timeout timers set higher than the default value

+NAT gateway has a configurable TCP idle timeout timer that defaults to 4 minutes. If this setting is changed to a higher value, NAT gateway will hold on to flows longer and can create [additional pressure on SNAT port inventory](nat-gateway-resource.md#timers). The table below describes a common scenarion in which a high TCP idle timeout may be causing SNAT exhaustion and provides possible mitigation steps to take:

+| Scenario | Evidence | Mitigation |

+||||

+| You would like to ensure that TCP connections stay active for long periods of time without idle timing out so you increase the TCP idle timeout timer setting. After a while you start to notice that connection failures occur more often. You suspect that you may be exhausting your inventory of SNAT ports since connections are holding on to them longer. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor to determine if SNAT port exhaustion is happening: **Total SNAT Connection**: "Sum" aggregation shows high connection volume. "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | You have a few possible mitigation steps that you can take to resolve SNAT port exhaustion: - **Reduce the TCP idle timeout** to a lower value to free up SNAT port inventory earlier. The TCP idle timeout timer cannot be set lower than 4 minutes. - Consider **[asynchronous polling patterns](/azure/architecture/patterns/async-request-reply)** to free up connection resources for other operations. - **Use TCP keepalives or application layer keepalives** to avoid intermediate systems timing out. For examples, see [.NET examples](/dotnet/api/system.net.servicepoint.settcpkeepalive). - For connections going to Azure PaaS services, use **[Private Link](/azure/private-link/private-link-overview)**. Private Link eliminates the need to use public IPs of your NAT gateway which frees up more SNAT ports for outbound connections to the internet.|

+## Connection failures due to idle timeouts

+### TCP idle timeout

+As described in the [TCP timers](#tcp-idle-timeout-timers-set-higher-than-the-default-value) section above, TCP keepalives should be used instead to refresh idle flows and reset the idle timeout. TCP keepalives only need to be enabled from one side of a connection in order to keep a connection alive from both sides. When a TCP keepalive is sent from one side of a connection, the other side automatically sends an ACK packet. The idle timeout timer is then reset on both sides of the connection. To learn more, see [Timer considerations](/azure/virtual-network/nat-gateway-resource#timers).

+>[!NOTE]

+>Increasing the TCP idle timeout is a last resort and may not resolve the root cause. A long timeout can cause low rate failures when timeout expires and introduce delay and unnecessary failures.

+### UDP idle timeout

+Unlike TCP idle timeout timers for NAT gateway, UDP idle timeout timers are not configurable. The table below describes a common scenario encountered with connections dropping due to UDP traffic idle timing out and steps to take to mitigate the issue.

+| Scenario | Evidence | Mitigation |

+||||

+| You notice that UDP traffic is dropping connections that need to be maintained for long periods of time. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor, **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume. | A few possible mitigation steps that can be taken: - **Enable UDP keepalives**. Keep in mind that when a UDP keepalive is enabled, it is only active for one direction in a connection. This means that the connection can still time-out from going idle on the other side of a connection. To prevent a UDP connection from going idle and timing out, UDP keepalives should be enabled for both directions in a connection flow. - **Application layer keepalives** can also be used to refresh idle flows and reset the idle timeout. Check the server side for what options exist for application specific keepalives. |

+### Virtual appliance UDRs and VPN ExpressRoute override NAT gateway for routing outbound traffic

+When forced tunneling with a custom UDR is enabled to direct traffic to a virtual appliance or VPN through ExpressRoute, the UDR or ExpressRoute takes precedence over NAT gateway for directing internet bound traffic. To learn more, see [custom UDRs](/azure/virtual-network/virtual-networks/udr-overview#custom-routes).

+Virtual appliance UDR / VPN ExpressRoute >> NAT gateway >> default system

+Test and resolve issues with a virtual appliance UDR or VPN ExpressRoute overriding your NAT gateway by:

+1. [Testing that the NAT gateway public IP](./tutorial-create-nat-gateway-portal.md#test-nat-gateway) is used for outbound traffic. If a different IP is being used, it could be because of a custom UDR, follow the remaining steps on how to check for and remove custom UDRs.

+Once the custom UDR is removed from the routing table, the NAT gateway public IP should now take precedence in routing outbound traffic to the internet.

+### Private IPs are used to connect to Azure services by Private Link

+[Private Link](/azure/private-link/private-link-overview) connects your Azure virtual networks privately to Azure PaaS services such as Storage, SQL, or Cosmos DB over the Azure backbone network instead of over the internet. Private Link uses the private IP addresses of virtual machine instances in your virtual network to connect to these Azure platform services instead of the public IP of NAT gateway. As a result, when looking at the source IP address used to connect to these Azure services, you will notice that the private IPs of your instances are used. See [Azure services listed here](/azure/private-link/availability) for all services supported by Private Link.

+When possible, Private Link should be used to connect directly from your virtual networks to Azure platform services in order to [reduce the demand on SNAT ports](#tcp-idle-timeout-timers-set-higher-than-the-default-value). Reducing the demand on SNAT ports can help reduce the risk of SNAT port exhaustion.

+To create a Private Link, see the following Quickstart guides to get started:

+- [Create a Private Endpoint](/azure/private-link/create-private-endpoint-portal)

+- [Create a Private Link](/azure/private-link/create-private-link-service-portal)

+To check which Private Endpoints you have set up with Private Link:

+1. From the Azure portal, search for Private Link in the search box.

+2. In the Private Link center, select Private Endpoints or Private Link services to see what configurations have been set up. See [Manage private endpoint connections](/azure/private-link/manage-private-endpoint#manage-private-endpoint-connections-on-azure-paas-resources) for more details.

+Service endpoints can also be used to connect your virtual network to Azure PaaS services. To check if you have service endpoints configured for your virtual network:

+1. From the Azure portal, navigate to your virtual network and select "Service endpoints" from Settings.

+2. All Service endpoints created will be listed along with which subnets they are configured. See [logging and troubleshooting Service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview#logging-and-troubleshooting) for more details.

+>[!NOTE]

+>Private Link is the recommended option over Service endpoints for private access to Azure hosted services.

+## Connection failures outside of the Azure infrastructure

+### Connection failures with public internet transit

+### Connection failures at the public internet destination

+## Next steps

+We are always looking to improve the experience of our customers. If you are experiencing issues with NAT gateway that are not listed or resolved by this article, submit feedback through GitHub via the bottom of this page and we will address your feedback as soon as possible.

+To learn more about NAT gateway, see:

+* [Virtual Network NAT](nat-overview.md)

+* [NAT gateway resource](nat-gateway-resource.md)

+* [Metrics and alerts for NAT gateway resources](nat-metrics.md).

+- When a network security group is associated at the subnet level, it applies to all the NICs in the subnet, not just to the traffic coming from outside the subnet. This means that the traffic between the VMs contained in the subnet can be affected as well.

+* Use a different name for each virtual machine in a virtual network to avoid DNS resolution issues.

+> * For best performance, when you are using Azure VMs as DNS servers, IPv6 should be disabled.

+> * NSGs act as firewalls for you DNS resolver endpoints. You should modify or override your NSG security rules to allow access for UDP Port 53 (and optionally TCP Port 53) to your DNS listener endpoints. Once custom DNS servers are set on a network, then the traffic through port 53 will bypass the NSG's of the subnet.

+ * APIPA (169.254.0.1 to 169.254.255.254) address: Do not NAT the BGP APIPA address; specify the APIPA address in the Local Network Gateway directly.