Updates from: 03/21/2022 06:26:01
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Cookie Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/cookie-definitions.md
Previously updated : 08/12/2021 Last updated : 03/20/2022
The following table lists the cookies used in Azure AD B2C.
| `x-ms-cpim-trans` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for tracking the transactions (number of authentication requests to Azure AD B2C) and the current transaction. | | `x-ms-cpim-sso:{Id}` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for maintaining the SSO session. This cookie is set as `persistent`, when [Keep Me Signed In](session-behavior.md#enable-keep-me-signed-in-kmsi) is enabled.| | `x-ms-cpim-cache:{id}_n` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md), successful authentication | Used for maintaining the request state. |
-| `x-ms-cpim-csrf` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Cross-Site Request Forgery token used for CRSF protection. |
+| `x-ms-cpim-csrf` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Cross-Site Request Forgery token used for CRSF protection. For more information, read the [Cross-Site request forgery token](#cross-site-request-forgery-token) section. |
| `x-ms-cpim-dc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for Azure AD B2C network routing. | | `x-ms-cpim-ctx` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Context | | `x-ms-cpim-rp` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing membership data for the resource provider tenant. | | `x-ms-cpim-rc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing the relay cookie. |+
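Review bot: The rewritten `x-ms-cpim-csrf` row still reads "used for CRSF protection"; since this row is being edited anyway, correct the acronym to "CSRF" so it matches the new section it links to.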
+## Cross-Site request forgery token
+
+To prevent Cross Site Request Forgery (CSRF) attacks, Azure AD B2C applies the Synchronizer Token strategy mechanism. For more details on this pattern, check out the [Cross-Site Request Forgery Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) article.
+
+Azure AD B2C generates a synchronizer token, and adds it in two places; in a cookie labeled `x-ms-cpim-csrf`, and a query string parameter named `csrf_token` in the URL of the page sent to the Azure AD B2C. As Azure AD B2C service processes the incoming requests from the browser, it confirms that both the query string and cookie versions of the token exist, and that they exactly match. Also it verifies the elements of the contents of the token to confirm against expected values for the in-progress authentication.
+
+For example, in the sign-up or sign-in page, when a user selects the "Forgot password", or "Sign-up now" links, the browser sends a GET request to Azure AD B2C in order to load the contents of the next page. The request to load content Azure AD B2C additionally chooses to send and validate the Synchronizer Token as an extra layer of protection to ensure that the request to load the page was the result of an in-progress authentication.
+
+The Synchronizer Token is a credential that doesn't identify a user, but rather is tied to an active unique authentication session.
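Review bot: The new section names the Synchronizer Token pattern and links to that OWASP heading, but its second paragraph describes a token placed in both the `x-ms-cpim-csrf` cookie and the `csrf_token` query string parameter and compared for an exact match, which is how OWASP describes the double-submit cookie pattern; the synchronizer pattern compares the request token against a copy held in server-side session state. Say explicitly whether the service also checks the token against server-side state (the sentence about verifying "the elements of the contents of the token" hints at this), or adjust the pattern name. Separately, the sentence beginning "The request to load content Azure AD B2C additionally chooses to send and validate" in the third paragraph does not parse; rewrite it so it is clear which party sends the token and which one validates it.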
active-directory Howto Sspr Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-windows.md
Previously updated : 07/17/2020 Last updated : 03/18/2022
To configure a Windows 10 device for SSPR at the sign-in screen, review the foll
- Not unique to using SSPR from the Windows sign-in screen, all users must provide the authentication contact information before they can reset their password. - Network proxy requirements: - Port 443 to `passwordreset.microsoftonline.com` and `ajax.aspnetcdn.com`
- - Windows 10 devices only support machine-level proxy configuration.
+ - Windows 10 devices require a machine-level proxy configuration or scoped proxy configuration for the temporary defaultuser1 account used to perform SSPR (see [Troubleshooting](#proxy-configurations-for-windows-password-reset) section for more details).
- Run at least Windows 10, version April 2018 Update (v1803), and the devices must be either: - Azure AD joined - Hybrid Azure AD joined
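Review bot: In the replaced proxy bullet, defaultuser1 is written as plain text while the troubleshooting section formats the account name as code (`defaultuser`) and says several such profiles may exist; format it as `defaultuser1` here and make the two passages agree on the account name. The link text "Troubleshooting" points at the "Proxy configurations for Windows password reset" anchor, so name that subsection in the link text.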
To enable SSPR at the sign-in screen using a registry key, complete the followin
"AllowPasswordReset"=dword:00000001 ```
-#### Troubleshooting Windows 10 password reset
+### Troubleshooting Windows 10 password reset
If you have problems with using SSPR from the Windows sign-in screen, the Azure AD audit log includes information about the IP address and *ClientType* where the password reset occurred, as shown in the following example output:
When users reset their password from the sign-in screen of a Windows 10 device,
The account itself has a randomly generated password, which is validated against an organizations password policy, doesn't show up for device sign-in, and is automatically removed after the user resets their password. Multiple `defaultuser` profiles may exist but can be safely ignored.
+#### Proxy configurations for Windows password reset
+
+During the password reset, SSPR creates a temporary local user account to connect to `https://passwordreset.microsoftonline.com/n/passwordreset`. When a proxy is configured for user authentication, it may fail with the error **"Something went wrong. Please, try again later."** This is because the local user account is not authorized to use the authenticated proxy.
+
+In this case, you can use one of the following workarounds:
+
+- Configure a machine-wide proxy setting that doesn't depend on the type of user logged into the machine. For example, you can enable the Group Policy **Make proxy settings per-machine (rather than per-user)** for the workstations.
+- You can also use Per-User proxy configuration for SSPR if you modify the registry template for the Default Account. The commands are as follows:
+
+ ```cmd
+ reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
+ reg add "hku\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d "1" /f
+ reg add "hku\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "<your proxy:port>" /f
+ reg unload "hku\Default"
+ ```
+
+- The error **"Something went wrong"** can also occur when anything interrupts connectivity to URL `https://passwordreset.microsoftonline.com/n/passwordreset`. For example, this error can occur when antivirus software runs on the workstation without exclusions for URLs `passwordreset.microsoftonline.com`, `ajax.aspnetcdn.com`, and `ocsp.digicert.com`. Disable this software temporarily to test if the issue is resolved or not.
++ ## Windows 7, 8, and 8.1 password reset To configure a Windows 7, 8, or 8.1 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.
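Review bot: The per-user workaround loads `C:\Users\Default\NTUSER.DAT` and writes `ProxyEnable` and `ProxyServer` into it, which changes the profile template and therefore applies to every user profile created on the device afterwards, not only the temporary SSPR account; state that scope next to the commands and mention that they must be run from an elevated prompt. The last bullet is listed under workarounds but describes a different cause, and it advises disabling antivirus software; move it to its own paragraph and recommend adding exclusions for the three listed hosts instead. `ocsp.digicert.com` appears only in this bullet and is missing from the "Network proxy requirements" list earlier in the article.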
aks Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/devops-pipeline.md
+
+ Title: Deploy to Azure Kubernetes Service with Azure Pipelines
+description: Build and push images to Azure Container Registry; Deploy to Azure Kubernetes Service with Azure Pipelines
+++ Last updated : 03/15/2022
+zone_pivot_groups: pipelines-version
++
+# Build and deploy to Azure Kubernetes Service with Azure Pipelines
++
+**Azure DevOps Services**
+
+Use [Azure Pipelines](/azure/devops/pipelines/) to automatically deploy to Azure Kubernetes Service (AKS). Azure Pipelines lets you build, test, and deploy with continuous integration (CI) and continuous delivery (CD) using [Azure DevOps](/azure/devops/).
+
+In this article, you'll learn how to create a pipeline that continuously builds and deploys your app. Every time you change your code in a repository that contains a Dockerfile, the images are pushed to your Azure Container Registry, and the manifests are then deployed to your AKS cluster.
+
+## Prerequisites
+
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Resource Manager service connection. [Create an Azure Resource Manager service connection](/azure/devops/library/connect-to-azure#create-an-azure-resource-manager-service-connection-using-automated-security).
+* A GitHub account. Create a free [GitHub account](https://github.com/join) if you don't have one already.
+
+## Get the code
+
+Fork the following repository containing a sample application and a Dockerfile:
+
+```
+https://github.com/MicrosoftDocs/pipelines-javascript-docker
+```
+
+## Create the Azure resources
+
+Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](/azure/cloud-shell/overview) button in the upper-right corner.
++
+### Create a container registry
+
+```azurecli-interactive
+# Create a resource group
+az group create --name myapp-rg --location eastus
+
+# Create a container registry
+az acr create --resource-group myapp-rg --name myContainerRegistry --sku Basic
+
+# Create a Kubernetes cluster
+az aks create \
+ --resource-group myapp-rg \
+ --name myapp \
+ --node-count 1 \
+ --enable-addons monitoring \
+ --generate-ssh-keys
+```
+
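Review bot: The heading "### Create a container registry" sits over a block that also creates the resource group and the AKS cluster; rename it (for example "Create a container registry and cluster") or split the commands under their own headings. The literal `--name myContainerRegistry` will fail for most readers because registry names must be unique across Azure; use a placeholder and say so. The cluster is also created without being granted pull access to the registry, which deserves a sentence here because the deploy stage later relies on an `imagePullSecret` for that.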
+## Sign in to Azure Pipelines
+
+Sign in to [Azure Pipelines](https://azure.microsoft.com/services/devops/pipelines). After you sign in, your browser goes to `https://dev.azure.com/my-organization-name` and displays your Azure DevOps dashboard.
+
+Within your selected organization, create a _project_. If you don't have any projects in your organization, you see a **Create a project to get started** screen. Otherwise, select the **Create Project** button in the upper-right corner of the dashboard.
+
+## Create the pipeline
+
+### Connect and select your repository
+
+1. Sign in to your Azure DevOps organization and go to your project.
+
+1. Go to **Pipelines**, and then select **New pipeline**.
+
+1. Do the steps of the wizard by first selecting **GitHub** as the location of your source code.
+
+1. You might be redirected to GitHub to sign in. If so, enter your GitHub credentials.
+
+1. When you see the list of repositories, select your repository.
+
+1. You might be redirected to GitHub to install the Azure Pipelines app. If so, select **Approve & install**.
+
+1. Select **Deploy to Azure Kubernetes Service**.
+
+1. If you're prompted, select the subscription in which you created your registry and cluster.
+
+1. Select the `myapp` cluster.
+
+1. For **Namespace**, select **Existing**, and then select **default**.
+
+1. Select the name of your container registry.
+
+1. You can leave the image name and the service port set to the defaults.
+
+1. Set the **Enable Review App for Pull Requests** checkbox for [review app](/azure/devops/pipelines/process/environments-kubernetes) related configuration to be included in the pipeline YAML auto-generated in subsequent steps.
+
+1. Select **Validate and configure**.
+
+ As Azure Pipelines creates your pipeline, the process will:
+
+ * Create a _Docker registry service connection_ to enable your pipeline to push images into your container registry.
+
+ * Create an _environment_ and a Kubernetes resource within the environment. For an RBAC-enabled cluster, the created Kubernetes resource implicitly creates ServiceAccount and RoleBinding objects in the cluster so that the created ServiceAccount can't perform operations outside the chosen namespace.
+
+ * Generate an *azure-pipelines.yml* file, which defines your pipeline.
+
+ * Generate Kubernetes manifest files. These files are generated by hydrating the [deployment.yml](https://github.com/Microsoft/azure-pipelines-yaml/blob/master/templates/resources/k8s/deployment.yml) and [service.yml](https://github.com/Microsoft/azure-pipelines-yaml/blob/master/templates/resources/k8s/service.yml) templates based on selections you made. When you're ready, select **Save and run**.
+
+1. Select **Save and run**.
+
+1. You can change the **Commit message** to something like _Add pipeline to our repository_. When you're ready, select **Save and run** to commit the new pipeline into your repo, and then begin the first run of your new pipeline!
+
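Review bot: "Save and run" is instructed three times in a row: at the end of the manifest-files bullet ("When you're ready, select **Save and run**."), as its own step, and again in the final step. Drop the sentence from the bullet and merge the last two steps so the reader commits the pipeline once.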
+## See your app deploy
+
+As your pipeline runs, watch as your build stage, and then your deployment stage, go from blue (running) to green (completed). You can select the stages and jobs to watch your pipeline in action.
+
+> [!NOTE]
+> If you're using a Microsoft-hosted agent, you must add the IP range of the Microsoft-hosted agent to your firewall. Get the weekly list of IP ranges from the [weekly JSON file](https://www.microsoft.com/download/details.aspx?id=56519), which is published every Wednesday. The new IP ranges become effective the following Monday. For more information, see [Microsoft-hosted agents](/azure/devops/pipelines/agents/hosted?tabs=yaml&view=azure-devops&preserve-view=true#networking).
+> To find the IP ranges that are required for your Azure DevOps organization, learn how to [identify the possible IP ranges for Microsoft-hosted agents](/azure/devops/pipelines/agents/hosted?tabs=yaml&view=azure-devops&preserve-view=true#to-identify-the-possible-ip-ranges-for-microsoft-hosted-agents).
+
+After the pipeline run is finished, explore what happened and then go see your app deployed. From the pipeline summary:
+
+1. Select the **Environments** tab.
+
+1. Select **View environment**.
+
+1. Select the instance if your app for the namespace you deployed to. If you stuck to the defaults we mentioned above, then it will be the **myapp** app in the **default** namespace.
+
+1. Select the **Services** tab.
+
+1. Select and copy the external IP address to your clipboard.
+
+1. Open a new browser tab or window and enter &lt;IP address&gt;:8080.
+
+If you're building our sample app, then _Hello world_ appears in your browser.
+
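Review bot: Typo in the third step of this list: "Select the instance if your app" should read "instance of your app".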
+<a name="how"></a>
+
+## How the pipeline builds
+
+When you finished selecting options and then proceeded to validate and configure the pipeline Azure Pipelines created a pipeline for you, using the _Deploy to Azure Kubernetes Service_ template.
+
+The build stage uses the [Docker task](/azure/devops/tasks/build/docker) to build and push the image to the Azure Container Registry.
+
+```YAML
+- stage: Build
+ displayName: Build stage
+ jobs:
+ - job: Build
+ displayName: Build job
+ pool:
+ vmImage: $(vmImageName)
+ steps:
+ - task: Docker@2
+ displayName: Build and push an image to container registry
+ inputs:
+ command: buildAndPush
+ repository: $(imageRepository)
+ dockerfile: $(dockerfilePath)
+ containerRegistry: $(dockerRegistryServiceConnection)
+ tags: |
+ $(tag)
+
+ - task: PublishPipelineArtifact@1
+ inputs:
+ artifactName: 'manifests'
+ path: 'manifests'
+```
+
+The deployment job uses the _Kubernetes manifest task_ to create the `imagePullSecret` required by Kubernetes cluster nodes to pull from the Azure Container Registry resource. Manifest files are then used by the Kubernetes manifest task to deploy to the Kubernetes cluster.
+
+```YAML
+- stage: Deploy
+ displayName: Deploy stage
+ dependsOn: Build
+ jobs:
+ - deployment: Deploy
+ displayName: Deploy job
+ pool:
+ vmImage: $(vmImageName)
+ environment: 'myenv.aksnamespace' #customize with your environment
+ strategy:
+ runOnce:
+ deploy:
+ steps:
+ - task: DownloadPipelineArtifact@2
+ inputs:
+ artifactName: 'manifests'
+ downloadPath: '$(System.ArtifactsDirectory)/manifests'
+
+ - task: KubernetesManifest@0
+ displayName: Create imagePullSecret
+ inputs:
+ action: createSecret
+ secretName: $(imagePullSecret)
+ namespace: $(k8sNamespace)
+ dockerRegistryEndpoint: $(dockerRegistryServiceConnection)
+
+ - task: KubernetesManifest@0
+ displayName: Deploy to Kubernetes cluster
+ inputs:
+ action: deploy
+ namespace: $(k8sNamespace)
+ manifests: |
+ $(System.ArtifactsDirectory)/manifests/deployment.yml
+ $(System.ArtifactsDirectory)/manifests/service.yml
+ imagePullSecrets: |
+ $(imagePullSecret)
+ containers: |
+ $(containerRegistry)/$(imageRepository):$(tag)
+```
+
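Review bot: Both YAML snippets depend on variables that the article never defines: `$(vmImageName)`, `$(imageRepository)`, `$(dockerfilePath)`, `$(dockerRegistryServiceConnection)`, `$(tag)`, `$(imagePullSecret)`, `$(k8sNamespace)` and `$(containerRegistry)`. Show the generated `variables:` block or list what each one holds, and explain the hard-coded `environment: 'myenv.aksnamespace'`, which does not match the `myapp` cluster and **default** namespace chosen in the wizard. The sentence introducing this section also needs a comma after "configure the pipeline".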
+## Clean up resources
+
+Whenever you're done with the resources you created, you can use the following command to delete them:
+
+```azurecli
+az group delete --name myapp-rg
+```
+
+Enter `y` when you're prompted.
+++
+**Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019**
+
+Use [Azure Pipelines](/azure/devops/pipelines/) to automatically deploy to Azure Kubernetes Service (AKS). Azure Pipelines lets you build, test, and deploy with continuous integration (CI) and continuous delivery (CD) using [Azure DevOps](/azure/devops/).
+
+In this article, you'll learn how to create a pipeline that continuously builds and deploys your app. Every time you change your code in a repository that contains a Dockerfile, the images are pushed to your Azure Container Registry, and the manifests are then deployed to your AKS cluster.
+
+## Prerequisites
+
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Resource Manager service connection. [Create an Azure Resource Manager service connection](/azure/devops/library/connect-to-azure#create-an-azure-resource-manager-service-connection-using-automated-security).
+* A GitHub account. Create a free [GitHub account](https://github.com/join) if you don't have one already.
+
+## Get the code
++
+Fork the following repository containing a sample application and a Dockerfile:
+
+```
+https://github.com/MicrosoftDocs/pipelines-javascript-docker
+```
+
+## Create the Azure resources
+
+Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](/azure/cloud-shell/overview) button in the upper-right corner.
+
+### Create a container registry
+
+```azurecli-interactive
+# Create a resource group
+az group create --name myapp-rg --location eastus
+
+# Create a container registry
+az acr create --resource-group myapp-rg --name myContainerRegistry --sku Basic
+
+# Create a Kubernetes cluster
+az aks create \
+ --resource-group myapp-rg \
+ --name myapp \
+ --node-count 1 \
+ --enable-addons monitoring \
+ --generate-ssh-keys
+```
++
+## Configure authentication
+
+When you use Azure Container Registry (ACR) with Azure Kubernetes Service (AKS),
+you must establish an authentication mechanism. This can be achieved in two ways:
+
+1. Grant AKS access to ACR. See [Authenticate with Azure Container Registry from Azure Kubernetes Service](/azure/container-registry/container-registry-auth-aks).
+
+1. Use a [Kubernetes image pull secret](/azure/container-registry/container-registry-auth-aks).
+ An image pull secret can be created by using the [Kubernetes deployment task](/azure/devops/tasks/deploy/kubernetes).
+
+## Create a release pipeline
+
+The build pipeline used to set up CI has already built a Docker image and pushed it to an Azure Container Registry.
+It also packaged and published a Helm chart as an artifact. In the release pipeline, we'll deploy the container image as a Helm application to the AKS cluster.
+
+1. In **Azure Pipelines** open the summary for your build.
+
+1. In the build summary, choose the **Release** icon to start a new release pipeline.
+
+ If you've previously created a release pipeline that uses these build artifacts, you'll
+ be prompted to create a new release instead. In that case, go to the **Releases** page and
+ start a new release pipeline from there by choosing the **+** icon.
+
+1. Select the **Empty job** template.
+
+1. Open the **Tasks** page and select **Agent job**.
+
+1. Choose **+** to add a new task and add a **Helm tool installer** task.
+ This ensures the agent that runs the subsequent tasks has Helm and Kubectl installed on it.
+
+1. Choose **+** again and add a **Package and deploy Helm charts** task.
+ Configure the settings for this task as follows:
+
+ - **Connection Type**: Select **Azure Resource Manager** to connect to an AKS cluster by using
+ an Azure service connection. Alternatively, if you want to connect to any Kubernetes
+ cluster by using kubeconfig or a service account, you can select **Kubernetes Service Connection**.
+ In this case, you'll need to create and select a Kubernetes service connection instead of
+ an Azure subscription for the following setting.
+
+ - **Azure subscription**: Select a connection from the list under **Available Azure Service Connections** or create a more restricted permissions connection to your Azure subscription.
+ If you see an **Authorize** button next to the input, use it to authorize the connection to your Azure subscription.
+ If you don't see the required Azure subscription in the list of subscriptions, see [Create an Azure service connection](/azure/devops/library/connect-to-azure) to manually set up the connection.
+
+ - **Resource group**: Enter or select the resource group containing your AKS cluster.
+
+ - **Kubernetes cluster**: Enter or select the AKS cluster you created.
+
+ - **Command**: Select **init** as the Helm command. This will install Tiller to your running Kubernetes cluster.
+ It will also set up any necessary local configuration.
+ Tick **Use canary image version** to install the latest pre-release version of Tiller.
+ You could also choose to upgrade Tiller if it's pre-installed by ticking **Upgrade Tiller**.
+ If these options are enabled, the task will run `helm init --canary-image --upgrade`
+
+1. Choose **+** in the **Agent job** and add another **Package and deploy Helm charts** task.
+ Configure the settings for this task as follows:
+
+ - **Kubernetes cluster**: Enter or select the AKS cluster you created.
+
+ - **Namespace**: Enter your Kubernetes cluster namespace where you want to deploy your application.
+ Kubernetes supports multiple virtual clusters backed by the same physical cluster.
+ These virtual clusters are called _namespaces_.
+ You can use namespaces to create different environments such as dev, test, and staging in the same cluster.
+
+ - **Command**: Select **upgrade** as the Helm command.
+ You can run any Helm command using this task and pass in command options as arguments.
+ When you select the **upgrade**, the task shows some more fields:
+
+ * **Chart Type**: Select **File Path**. Alternatively, you can specify **Chart Name** if you want to
+ specify a URL or a chart name. For example, if the chart name is `stable/mysql`, the task will execute
+ `helm upgrade stable/mysql`
+
+ * **Chart Path**: This can be a path to a packaged chart or a path to an unpacked chart directory.
+ In this example, you're publishing the chart using a CI build, so select the file package using file picker
+ or enter `$(System.DefaultWorkingDirectory)/**/*.tgz`
+
+ * **Release Name**: Enter a name for your release; for example, `azuredevops`
+
+ * **Recreate Pods**: Tick this checkbox if there is a configuration change during the release and you want to replace a running pod with the new configuration.
+
+ * **Reset Values**: Tick this checkbox if you want the values built into the chart to override all values provided by the task.
+
+ * **Force**: Tick this checkbox if, should conflicts occur, you want to upgrade and rollback to delete, recreate the resource, and reinstall the full release.
+ This is useful in scenarios where applying patches can fail (for example, for services because the cluster IP address is immutable).
+
+ * **Arguments**: Enter the Helm command arguments and their values; for this example
+ `--set image.repository=$(imageRepoName) --set image.tag=$(Build.BuildId)`
+ See [this section](#argument-details) for a description of why we're using these arguments.
+
+ * **Enable TLS**: Tick this checkbox to enable strong TLS-based connections between Helm and Tiller.
+
+ * **CA certificate**: Specify a CA certificate to be uploaded and used to issue certificates for Tiller and Helm client.
+
+ * **Certificate**: Specify the Tiller certificate or Helm client certificate
+
+ * **Key**: Specify the Tiller Key or Helm client key
+
+1. In the **Variables** page of the pipeline, add a variable named **imageRepoName** and set the value
+ to the name of your Helm image repository. Typically, this is in the format `example.azurecr.io/coderepository`
+
+1. Save the release pipeline.
+
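Review bot: The first **Package and deploy Helm charts** task runs `helm init` to install Tiller, and the **Enable TLS**, **CA certificate**, **Certificate** and **Key** fields all concern the Helm-to-Tiller connection; this applies only to Helm 2, since Helm 3 has neither Tiller nor `init`. State which Helm version the **Helm tool installer** step is expected to install, and drop or caveat the suggestion to tick **Use canary image version**, which puts a pre-release Tiller into the cluster. The **Chart Type** example `helm upgrade stable/mysql` also omits the release name that `helm upgrade` takes before the chart. Finally, the section opens by referring to a build pipeline that published a Helm chart, but this pivot never shows that pipeline; link to it or list it under prerequisites.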
+<a name="argument-details"></a>
+
+### Arguments used in the Helm upgrade task
+
+In the build pipeline, the container image is tagged with `$(Build.BuildId)` and this is pushed to an Azure Container Registry.
+In a Helm chart, you can parameterize the container image details such as the name and tag
+because the same chart can be used to deploy to different environments.
+These values can also be specified in the **values.yaml** file or be overridden by a user-supplied values file,
+which can in turn be overridden by `--set` parameters during the Helm install or upgrade.
+
+In this example, we pass the following arguments:
+
+`--set image.repository=$(imageRepoName) --set image.tag=$(Build.BuildId)`
+
+The value of `$(imageRepoName)` was set in the **Variables** page (or the **variables** section of your YAML file).
+Alternatively, you can directly replace it with your image repository name in the `--set` arguments value or **values.yaml** file.
+For example:
+
+```
+ image:
+ repository: VALUE_TO_BE_OVERRIDDEN
+ tag: latest
+```
+
+Another alternative is to set the **Set Values** option of the task to specify the argument values as comma-separated key-value pairs.
+
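Review bot: The snippet introduced by "For example:" is unlabeled and shows `repository: VALUE_TO_BE_OVERRIDDEN`, which illustrates a placeholder meant to be overridden by `--set`, not the preceding sentence about replacing the value directly with the repository name. Say that the snippet is **values.yaml**, tag the fence as `yaml`, and reconcile `tag: latest` with the `$(Build.BuildId)` tag that the build applies.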
+## Create a release to deploy your app
+
+You're now ready to create a release, which means to start the process of running the release pipeline with the artifacts produced by a specific build. This will result in deploying the build:
+
+1. Choose **+ Release** and select **Create a release**.
+
+1. In the **Create a new release** panel, check that the artifact version you want to use is selected and choose **Create**.
+
+1. Choose the release link in the information bar message. For example: "Release **Release-1** has been created".
+
+1. In the pipeline view, choose the status link in the stages of the pipeline to see the logs and agent output.
+
applied-ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/overview.md
This section helps you decide which Form Recognizer v3.0 supported feature you s
## Form Recognizer features and development options
-### [Form Recognizer GA (v2.1)](#tab/v2-1)
-
-The following features are supported by Form Recognizer v2.1. Use the links in the table to learn more about each feature and browse the API references.
-
-| Feature | Description | Development options |
-|-|--|-|
-|[**Layout API**](concept-layout.md) | Extraction and analysis of text, selection marks, and table structures, along with their bounding box coordinates, from forms and documents. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-layout)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-layout-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout#run-the-container-with-the-docker-compose-up-command)</li></ul>|
-|[**Custom model**](concept-custom.md) | Extraction and analysis of data from forms and documents specific to distinct business data and use cases.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#train-a-custom-form-model)</li><li>[**REST API**](quickstarts/try-sdk-rest-api.md)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)</li></ul>|
-|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=invoice#run-the-container-with-the-docker-compose-up-command)</li></ul>|
-|[**Receipt model**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=receipt#run-the-container-with-the-docker-compose-up-command)</li></ul>|
-|[**ID document model**](concept-id-document.md) | Automated data processing and extraction of key information from US driver's licenses and international passports.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=id-document#run-the-container-with-the-docker-compose-up-command)</li></ul>|
-|[**Business card model**](concept-business-card.md) | Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=business-card#run-the-container-with-the-docker-compose-up-command)</li></ul>|
- ### [Form Recognizer preview (v3.0)](#tab/v3-0) The following features and development options are supported by the Form Recognizer service v3.0. Use the links in the table to learn more about each feature and browse the API references.
The following features and development options are supported by the Form Recogn
|[**ID document model (updated)**](concept-id-document.md) |Automated data processing and extraction of key information from US driver's licenses and international passports.</br></br>Prebuilt ID document API supports the **extraction of endorsements, restrictions, and vehicle classifications from US driver's licenses**. |<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>| |[**Business card model**](concept-business-card.md) |Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard)</li><li>[**REST API**](quickstarts/try-v3-rest-api.md)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>| -
+### [Form Recognizer GA (v2.1)](#tab/v2-1)
+The following features are supported by Form Recognizer v2.1. Use the links in the table to learn more about each feature and browse the API references.
+
+| Feature | Description | Development options |
+|-|--|-|
+|[**Layout API**](concept-layout.md) | Extraction and analysis of text, selection marks, and table structures, along with their bounding box coordinates, from forms and documents. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-layout)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-layout-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+|[**Custom model**](concept-custom.md) | Extraction and analysis of data from forms and documents specific to distinct business data and use cases.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#train-a-custom-form-model)</li><li>[**REST API**](quickstarts/try-sdk-rest-api.md)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=invoice#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+|[**Receipt model**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=receipt#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+|[**ID document model**](concept-id-document.md) | Automated data processing and extraction of key information from US driver's licenses and international passports.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=id-document#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+|[**Business card model**](concept-business-card.md) | Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=business-card#run-the-container-with-the-docker-compose-up-command)</li></ul>|
+ ## How to use Form Recognizer documentation
This documentation contains the following article types:
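Review bot: The **Client-library SDK** links in the added v2.1 table are inconsistent. The Layout and Invoice rows point to `quickstarts/try-sdk-rest-api.md`, while the Custom, Receipt, ID document and Business card rows point to `how-to-guides/try-sdk-rest-api.md`. The Custom model row also sends **REST API** to `quickstarts/try-sdk-rest-api.md`, where every other row uses `quickstarts/get-started-sdk-rest-api.md#...`. The Layout row's Docker link carries a `branch=main` query parameter that no other row has and that looks like a leftover from a review build. Pick one target per column and drop `branch=main`.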
## Next steps
-### [Form Recognizer v2.1](#tab/v2-1)
+### [Form Recognizer v3.0](#tab/v3-0)
> [!div class="checklist"] >
-> * Try our [**Sample Labeling online tool**](https://aka.ms/fott-2.1-ga/)
-> * Follow our [**client library / REST API quickstart**](./quickstarts/try-sdk-rest-api.md) to get started extracting data from your documents. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.
-> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm) to learn more.
+> * Try our [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)
+> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-1/operations/AnalyzeDocument) to learn more.
> * If you're familiar with a previous version of the API, see the [**What's new**](./whats-new.md) article to learn of recent changes.
-### [Form Recognizer v3.0](#tab/v3-0)
+### [Form Recognizer v2.1](#tab/v2-1)
> [!div class="checklist"] >
-> * Try our [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)
-> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-1/operations/AnalyzeDocument) to learn more.
+> * Try our [**Sample Labeling online tool**](https://aka.ms/fott-2.1-ga/)
+> * Follow our [**client library / REST API quickstart**](./quickstarts/try-sdk-rest-api.md) to get started extracting data from your documents. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.
+> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm) to learn more.
> * If you're familiar with a previous version of the API, see the [**What's new**](./whats-new.md) article to learn of recent changes.
applied-ai-services Try V3 Csharp Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/try-v3-csharp-sdk.md
Title: "Quickstart: Form Recognizer C# SDK v3.0 | Preview"
+ Title: "Quickstart: Form Recognizer C# SDK (beta) | Preview"
description: 'Form and document processing, data extraction, and analysis using Form Recognizer C# client library SDKs v3.0 (preview)'
recommendations: false
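Review bot: The front-matter `description` still reads "client library SDKs v3.0 (preview)" after the title moved to "C# SDK (beta)", so the two metadata fields now name the release differently. The new title also ends in "(beta) | Preview", which states the preview status twice. Update the description to match and consider dropping the "| Preview" suffix.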
<!-- markdownlint-disable MD025 --> <!-- markdownlint-disable MD036 -->
+<!-- markdownlint-disable MD029 -->
-# Get started: Form Recognizer C# SDK v3.0 | Preview
+# Get started: Form Recognizer C# SDK (beta)
>[!NOTE]
-> Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.
+> Form Recognizer beta version is currently in public preview. Some features may not be supported or have limited capabilities.
[Reference documentation](/dotnet/api/azure.ai.formrecognizer.documentanalysis?view=azure-dotnet-preview&preserve-view=true) | [Library Source Code](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.FormRecognizer_4.0.0-beta.3/sdk/formrecognizer/Azure.AI.FormRecognizer/) | [Package (NuGet)](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/README.md)
To interact with the Form Recognizer service, you'll need to create an instance
* [**Prebuilt model**](#prebuilt-model)
+1. [Run your program](#run-your-application).
+ > [!IMPORTANT] > > * Remember to remove the key from your code when you're done, and never post it publicly. For production, use secure methods to store and access your credentials. For more information, *see* Cognitive Services [security](../../../cognitive-services/cognitive-services-security.md).
applied-ai-services Try V3 Java Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/try-v3-java-sdk.md
Title: "Quickstart: Form Recognizer Java SDK v3.0 | Preview"
+ Title: "Quickstart: Form Recognizer Java SDK (beta) | Preview"
description: Form and document processing, data extraction, and analysis using Form Recognizer Java client library SDKs v3.0 (preview)
recommendations: false
<!-- markdownlint-disable MD025 -->
-# Get started: Form Recognizer Java SDK v3.0 | Preview
+# Get started: Form Recognizer Java SDK (beta)
>[!NOTE]
-> Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.
+> Form Recognizer beta version is currently in public preview. Some features may not be supported or have limited capabilities.
[Reference documentation](/jav)
To interact with the Form Recognizer service, you'll need to create an instance
* [**Prebuilt Invoice**](#prebuilt-model)
+1. [Build and run your program](#build-and-run-the-application)
+ > [!IMPORTANT] > > Remember to remove the key from your code when you're done, and never post it publicly. For production, use secure methods to store and access your credentials. For more information, see* the Cognitive Services [security](../../../cognitive-services/cognitive-services-security.md).
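Review bot: The IMPORTANT note next to the new step reads "For more information, see* the Cognitive Services", with an unbalanced asterisk that renders literally. The C# quickstart uses `*see*` in the same sentence. Since this hunk already touches the block, fix it to `*see*` or plain "see".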
-## Build and run your application
+## Build and run the application
Once you've added a code sample to your application, navigate back to your main project directoryΓÇö**form-recognizer-app**.
Once you've added a code sample to your application, navigate back to your main
``` 1. Run your application with the `run` command:
-
+ ```console gradle run ```
Extract text, selection marks, text styles, table structures, and bounding regio
// sample document String documentUrl = "https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/sample-layout.pdf";
-
+ String modelId = "prebuilt-layout"; SyncPoller < DocumentOperationResult, AnalyzeResult > analyzeLayoutResultPoller =
applied-ai-services Try V3 Javascript Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/try-v3-javascript-sdk.md
Title: "Quickstart: Form Recognizer JavaScript SDK v3.0 | Preview"
+ Title: "Quickstart: Form Recognizer JavaScript SDK (beta) | Preview"
description: Form and document processing, data extraction, and analysis using Form Recognizer JavaScript client library SDKs v3.0 (preview)
recommendations: false
<!-- markdownlint-disable MD025 -->
-# Get Started: Form Recognizer JavaScript SDK v3.0 | Preview
+# Get Started: Form Recognizer JavaScript SDK (beta)
>[!NOTE]
-> Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.
+> Form Recognizer beta version is currently in public preview. Some features may not be supported or have limited capabilities.
[Reference documentation](/javascript/api/@azure/ai-form-recognizer/?view=azure-node-preview&preserve-view=true) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/@azure/ai-form-recognizer_4.0.0-beta.3/sdk/formrecognizer/ai-form-recognizer/) | [Package (npm)](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.0.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-bet)
To interact with the Form Recognizer service, you'll need to create an instance
* [**Prebuilt Invoice**](#prebuilt-model)
+1. [Run your program](#run-your-application)
+ > [!IMPORTANT] > > Remember to remove the key from your code when you're done, and never post it publicly. For production, use secure methods to store and access your credentials. For more information, see* the Cognitive Services [security](../../../cognitive-services/cognitive-services-security.md). ## Run your application
-Once you've added a code sample to your application, build and run your application:
+Once you've added a code sample to your application, run your program:
1. Navigate to the folder where you have your form recognizer application (form-recognizer-app).
applied-ai-services Try V3 Python Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/try-v3-python-sdk.md
Title: "Quickstart: Form Recognizer Python SDK v3.0 | Preview"
+ Title: "Quickstart: Form Recognizer Python SDK (beta) | Preview"
description: Form and document processing, data extraction, and analysis using Form Recognizer Python client library SDKs v3.0 (preview)
recommendations: false <!-- markdownlint-disable MD025 -->
-# Get started: Form Recognizer Python SDK v3.0 | Preview
+# Get started: Form Recognizer Python SDK (beta)
>[!NOTE]
-> Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.
+> Form Recognizer beta version is currently in public preview. Some features may not be supported or have limited capabilities.
[Reference documentation](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer?view=azure-python-preview&preserve-view=true) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/) | [Package (PyPi)](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b3/) | [Samples](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/README.md)
To interact with the Form Recognizer service, you'll need to create an instance
1. Open the **form_recognizer_quickstart.py** file and select one of the following code samples to copy and paste into your application:
-* [**General document**](#general-document-model)
+ * [**General document**](#general-document-model)
-* [**Layout**](#layout-model)
+ * [**Layout**](#layout-model)
-* [**Prebuilt Invoice**](#prebuilt-model)
+ * [**Prebuilt Invoice**](#prebuilt-model)
+
+1. [Run your program](#run-the-application)
> [!IMPORTANT] > > Remember to remove the key from your code when you're done, and never post it publicly. For production, use secure methods to store and access your credentials. For more information, *see* Cognitive Services [security](../../../cognitive-services/cognitive-services-security.md).
-## Run your application
+## Run the application
-Once you've added a code sample to your application, build and run your application:
+Once you've added a code sample to your application, build and run your program:
1. Navigate to the folder where you have your **form_recognizer_quickstart.py** file.
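Review bot: The replacement sentence still says "build and run your program", but the steps that follow only run **form_recognizer_quickstart.py**, and the matching change in the JavaScript quickstart drops "build and". Suggest "run your program" here as well. The new `#run-the-application` anchor does match the renamed heading.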
applied-ai-services Try V3 Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/quickstarts/try-v3-rest-api.md
Title: "Quickstart: Form Recognizer REST API | Preview"
+ Title: "Quickstart: Form Recognizer REST API v3.0 | Preview"
description: Form and document processing, data extraction, and analysis using Form Recognizer REST API v3.0 (preview)
Last updated 03/16/2022
-# Get started: Form Recognizer REST API v3.0 | Preview
+# Get started: Form Recognizer REST API 2022-01-30-preview
>[!NOTE] > Form Recognizer v3.0 is currently in public preview. Some features may not be supported or have limited capabilities.
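Review bot: After this change the title says "REST API v3.0 | Preview", the H1 says "REST API 2022-01-30-preview", and the note directly below still says "Form Recognizer v3.0". Readers now see two different version labels for the same API on one page. Use one label in both title and H1, or write "v3.0 (2022-01-30-preview)" so the mapping is explicit.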
azure-monitor Basic Logs Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/basic-logs-query.md
Log queries against Basic Logs are optimized for simple data retrieval using a s
- [extend](/azure/data-explorer/kusto/query/extendoperator) - [project](/azure/data-explorer/kusto/query/projectoperator) - [project-away](/azure/data-explorer/kusto/query/projectawayoperator)-- [project-keep](/azure/data-explorer/kusto/query/projectkeepoperator)
+- [project-keep](/azure/data-explorer/kusto/query/project-keep-operator)
- [project-rename](/azure/data-explorer/kusto/query/projectrenameoperator) - [project-reorder](/azure/data-explorer/kusto/query/projectreorderoperator) - [parse](/azure/data-explorer/kusto/query/parseoperator)
For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pr
- [Learn more about Basic Logs and the different log plans.](log-analytics-workspace-overview.md#log-data-plans-preview) - [Configure a table for Basic Logs.](basic-logs-configure.md)-- [Use a search job to retrieve data from Basic Logs into Analytics Logs where it can be queries multiple times.](search-jobs.md)
+- [Use a search job to retrieve data from Basic Logs into Analytics Logs where it can be queries multiple times.](search-jobs.md)
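Review bot: The re-added "Next steps" bullet still reads "where it can be queries multiple times". Since the line is being rewritten anyway, correct it to "queried".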
azure-monitor Custom Logs Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/custom-logs-overview.md
Authentication for the custom logs API is performed at the data collection endpo
## Tables Custom logs can send data to any custom table that you create and to certain built-in tables in your Log Analytics workspace. The target table must exist before you can send data to it. The following built-in tables are currently supported: -- [CommonSecurityLog](/azure/azure-monitor/reference/tables/commonsecurityevent)-- [SecurityEvents](/azure/azure-monitor/reference/tables/securityevents)
+- [CommonSecurityLog](/azure/azure-monitor/reference/tables/commonsecuritylog)
+- [SecurityEvents](/azure/azure-monitor/reference/tables/securityevent)
- [Syslog](/azure/azure-monitor/reference/tables/syslog) - [WindowsEvents](/azure/azure-monitor/reference/tables/windowsevent)
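Review bot: The corrected URLs now end in `commonsecuritylog` and `securityevent`, but the second link label is still "SecurityEvents", and the unchanged "WindowsEvents" entry likewise points to `windowsevent`. Anyone who copies the label as the target table name for the custom logs API gets a name that differs from the reference page. Align the labels with the table names the links resolve to.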
azure-monitor Search Jobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/search-jobs.md
Log queries in a search job are intended to scan very large sets of data. To sup
- [extend](/azure/data-explorer/kusto/query/extendoperator) - [project](/azure/data-explorer/kusto/query/projectoperator) - [project-away](/azure/data-explorer/kusto/query/projectawayoperator)-- [project-keep](/azure/data-explorer/kusto/query/projectkeepoperator)
+- [project-keep](/azure/data-explorer/kusto/query/project-keep-operator)
- [project-rename](/azure/data-explorer/kusto/query/projectrenameoperator) - [project-reorder](/azure/data-explorer/kusto/query/projectreorderoperator) - [parse](/azure/data-explorer/kusto/query/whereoperator)
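Review bot: In the line right after the corrected `project-keep` link, the `parse` entry points to `/azure/data-explorer/kusto/query/whereoperator`. The same list in basic-logs-query.md links `parse` to `.../parseoperator`. Fix that target in this change too.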
For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pr
- [Learn more about data retention and archiving data.](data-retention-archive.md) - [Learn about restoring data, which is another method for retrieving archived data.](restore.md)-- [Learn about directly querying Basic Logs.](basic-logs-query.md)
+- [Learn about directly querying Basic Logs.](basic-logs-query.md)
azure-monitor Tables Feature Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tables-feature-support.md
The following list identifies the tables in a [Log Analytics workspace](log-anal
| [DeviceNetworkInfo](/azure/azure-monitor/reference/tables/devicenetworkinfo) | | | [DnsEvents](/azure/azure-monitor/reference/tables/dnsevents) | | | [DnsInventory](/azure/azure-monitor/reference/tables/dnsinventory) | |
-| [DummyHydrationFact](/azure/azure-monitor/reference/tables/dummyhydrationfact) | |
| [Dynamics365Activity](/azure/azure-monitor/reference/tables/dynamics365activity) | | | [EmailAttachmentInfo](/azure/azure-monitor/reference/tables/emailattachmentinfo) | | | [EmailEvents](/azure/azure-monitor/reference/tables/emailevents) | |
azure-monitor Tutorial Custom Logs Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-custom-logs-api.md
In this tutorial, you learn to:
To complete this tutorial, you need the following: - Log Analytics workspace where you have at least [contributor rights](manage-access.md#manage-access-using-azure-permissions) .-- [Permissions to create Data Collection Rule objects](/essentials/data-collection-rule-overview.md#permissions) in the workspace.
+- [Permissions to create Data Collection Rule objects](/azure/azure-monitor/essentials/data-collection-rule-overview#permissions) in the workspace.
## Collect workspace details Start by gathering information that you'll need from your workspace.
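Review bot: The permissions link is changed to a site-absolute URL with no `.md` extension (`/azure/azure-monitor/essentials/data-collection-rule-overview#permissions`). The same broken link in tutorial-ingestion-time-transformations-api.md is fixed with the repo-relative form `../essentials/data-collection-rule-overview.md#permissions`, and the other links in this prerequisites list are relative `.md` paths. Use the relative form here and in tutorial-custom-logs.md so all three tutorials reference the article the same way.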
The cache that drives IntelliSense may take up to 24 hours to update.
- [Complete a similar tutorial using the Azure portal.](tutorial-custom-logs.md) - [Read more about custom logs.](custom-logs-overview.md)-- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
azure-monitor Tutorial Custom Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-custom-logs.md
In this tutorial, you learn to:
To complete this tutorial, you need the following: - Log Analytics workspace where you have at least [contributor rights](manage-access.md#manage-access-using-azure-permissions) .-- [Permissions to create Data Collection Rule objects](/essentials/data-collection-rule-overview.md#permissions) in the workspace.
+- [Permissions to create Data Collection Rule objects](/azure/azure-monitor/essentials/data-collection-rule-overview#permissions) in the workspace.
## Overview of tutorial
-In this tutorial, you'll use a PowerShell script to send sample Apache access logs over HTTP to the API endpoint. This will require a script to convert this data to the JSON format that's required for the Azure Monitor custom logs API. The data will further be converted with a transformation in a data collection rule (DCR) that filters out records that shouldn't be ingested and create the columns required for the table that the table will be sent to. Once the configuration is complete, you'll send sample data from the command line and then inspect the results in Log Analytics.
+In this tutorial, you'll use a PowerShell script to send sample Apache access logs over HTTP to the API endpoint. This will require a script to convert this data to the JSON format that's required for the Azure Monitor custom logs API. The data will further be converted with a transformation in a data collection rule (DCR) that filters out records that shouldn't be ingested and create the columns required for the table that the data will be sent to. Once the configuration is complete, you'll send sample data from the command line and then inspect the results in Log Analytics.
## Configure application
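Review bot: The fix from "the table will be sent to" to "the data will be sent to" is right, but the same sentence still has a subject-verb mismatch: "a transformation ... that filters out records that shouldn't be ingested and create the columns". Change "create" to "creates" while the paragraph is open.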
Following is sample data that you can use for the tutorial. Alternatively, you c
- [Complete a similar tutorial using the Azure portal.](tutorial-custom-logs-api.md) - [Read more about custom logs.](custom-logs-overview.md)-- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
azure-monitor Tutorial Ingestion Time Transformations Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-ingestion-time-transformations-api.md
In this tutorial, you learn to:
To complete this tutorial, you need the following: - Log Analytics workspace where you have at least [contributor rights](manage-access.md#manage-access-using-azure-permissions) .-- [Permissions to create Data Collection Rule objects](/essentials/data-collection-rule-overview.md#permissions) in the workspace.
+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-overview.md#permissions) in the workspace.
## Overview of tutorial
There is currently a known issue affecting dynamic columns. A temporary workarou
- [Read more about ingestion-time transformations](ingestion-time-transformations.md) - [See which tables support ingestion-time transformations](tables-feature-support.md)-- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
azure-monitor Tutorial Ingestion Time Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-ingestion-time-transformations.md
There is currently a known issue affecting dynamic columns. A temporary workarou
- [Read more about ingestion-time transformations](ingestion-time-transformations.md) - [See which tables support ingestion-time transformations](tables-feature-support.md)-- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
+- [Learn more about writing transformation queries](../essentials/data-collection-rule-transformations.md)
backup Backup Managed Disks Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-managed-disks-cli.md
Open the JSON file and edit the **snapshot resource group ID** in the ``` resour
``` > [!NOTE]
-> The backup instance name is generated by clients so that this will be a unique value. It's based on datasource name and a unique GUID. Once you list the backup instances, you sholuld be able to check the name of backup instance and the relevant datasource name.
+> The backup instance name is generated by clients so that this will be a unique value. It's based on datasource name and a unique GUID. Once you list the backup instances, you should be able to check the name of backup instance and the relevant datasource name.
Use the edited JSON file to create a backup instance of the Azure Managed Disk.
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 3/8/2022 Last updated : 3/19/2022
The following tables show the Microsoft Security Response Center (MSRC) updates
## March 2022 Guest OS
->[!NOTE]
-
->The March Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the March Guest OS. This list is subject to change.
- | Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | |
-| Rel 22-03 | [5011503] | Latest Cumulative Update(LCU) | 6.42 | March 8, 2022 |
-| Rel 22-03 | [5011486] | IE Cumulative Updates | 2.121, 3.108, 4.101 | March 8, 2022 |
-| Rel 22-03 | [5011497] | Latest Cumulative Update(LCU) | 7.10 | March 8, 2022 |
-| Rel 22-03 | [5011495] | Latest Cumulative Update(LCU) | 5.66 | March 8, 2022 |
-| Rel 22-03 | [5008867] | .NET Framework 3.5 Security and Quality Rollup | 2.121 | Jan 11, 2022 |
-| Rel 22-03 | [5008860] | .NET Framework 4.5.2 Security and Quality Rollup | 2.121 | Jan 11, 2022 |
-| Rel 22-03 | [5008868] | .NET Framework 3.5 Security and Quality Rollup | 4.101 | Jan 11, 2022 |
-| Rel 22-03 | [5008870] | .NET Framework 4.5.2 Security and Quality Rollup | 4.101 | Jan 11, 2022 |
-| Rel 22-03 | [5008865] | .NET Framework 3.5 Security and Quality Rollup | 3.108 | Jan 11, 2022 |
-| Rel 22-03 | [5008869] | . NET Framework 4.5.2 Security and Quality Rollup | 3.108 | Jan 11, 2022 |
-| Rel 22-03 | [5008873] | . NET Framework 3.5 and 4.7.2 Cumulative Update | 6.42 | Jan 11, 2022 |
-| Rel 22-03 | [5008882] | .NET Framework 4.8 Security and Quality Rollup | 7.10 | Jan 11, 2022 |
-| Rel 22-03 | [5011552] | Monthly Rollup | 2.121 | March 8, 2022 |
-| Rel 22-03 | [5011535] | Monthly Rollup | 3.108 | March 8, 2022 |
-| Rel 22-03 | [5011564] | Monthly Rollup | 4.101 | March 8, 2022 |
-| Rel 22-03 | [5011571] | Servicing Stack update | 3.108 | March 8, 2022 |
-| Rel 22-03 | [5001403] | Servicing Stack update | 4.101 | Apr 13, 2021 |
-| Rel 22-03 | [4578013] | Standalone Security Update | 4.101 | Aug 19, 2020 |
-| Rel 22-03 | [5011570] | Servicing Stack update | 5.66 | March 8, 2021 |
-| Rel 22-03 | [5011649] | Servicing Stack update | 2.121 | March 8, 2022 |
-| Rel 22-03 | [4494175] | Microcode | 5.66 | Sep 1, 2020 |
-| Rel 22-03 | [4494174] | Microcode | 6.42 | Sep 1, 2020 |
+| Rel 22-03 | [5011503] | Latest Cumulative Update(LCU) | [6.42] | March 8, 2022 |
+| Rel 22-03 | [5011486] | IE Cumulative Updates | [2.121], [3.108], [4.101] | March 8, 2022 |
+| Rel 22-03 | [5011497] | Latest Cumulative Update(LCU) | [7.10] | March 8, 2022 |
+| Rel 22-03 | [5011495] | Latest Cumulative Update(LCU) | [5.66] | March 8, 2022 |
+| Rel 22-03 | [5008867] | .NET Framework 3.5 Security and Quality Rollup | [2.121] | Jan 11, 2022 |
+| Rel 22-03 | [5008860] | .NET Framework 4.5.2 Security and Quality Rollup | [2.121] | Jan 11, 2022 |
+| Rel 22-03 | [5008868] | .NET Framework 3.5 Security and Quality Rollup | [4.101] | Jan 11, 2022 |
+| Rel 22-03 | [5008870] | .NET Framework 4.5.2 Security and Quality Rollup | [4.101] | Jan 11, 2022 |
+| Rel 22-03 | [5008865] | .NET Framework 3.5 Security and Quality Rollup | [3.108] | Jan 11, 2022 |
+| Rel 22-03 | [5008869] | . NET Framework 4.5.2 Security and Quality Rollup | [3.108] | Jan 11, 2022 |
+| Rel 22-03 | [5008873] | . NET Framework 3.5 and 4.7.2 Cumulative Update | [6.42] | Jan 11, 2022 |
+| Rel 22-03 | [5008882] | .NET Framework 4.8 Security and Quality Rollup | [7.10] | Jan 11, 2022 |
+| Rel 22-03 | [5011552] | Monthly Rollup | [2.121] | March 8, 2022 |
+| Rel 22-03 | [5011535] | Monthly Rollup | [3.108] | March 8, 2022 |
+| Rel 22-03 | [5011564] | Monthly Rollup | [4.101] | March 8, 2022 |
+| Rel 22-03 | [5011571] | Servicing Stack update | [3.108] | March 8, 2022 |
+| Rel 22-03 | [5001403] | Servicing Stack update | [4.101] | Apr 13, 2021 |
+| Rel 22-03 | [4578013] | Standalone Security Update | [4.101] | Aug 19, 2020 |
+| Rel 22-03 | [5011570] | Servicing Stack update | [5.66] | March 8, 2021 |
+| Rel 22-03 | [5011649] | Servicing Stack update | [2.121] | March 8, 2022 |
+| Rel 22-03 | [4494175] | Microcode | [5.66] | Sep 1, 2020 |
+| Rel 22-03 | [4494174] | Microcode | [6.42] | Sep 1, 2020 |
[5011503]: https://support.microsoft.com/kb/5011503 [5011486]: https://support.microsoft.com/kb/5011486
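Review bot: The `[5011570]` Servicing Stack update row carries "March 8, 2021" as its Date First Introduced, both before and after this change. Every other 50115xx row and `[5011649]` say March 8, 2022, so this looks like a year typo and should be confirmed against the KB article. The `[5008869]` and `[5008873]` rows also keep the stray space in ". NET Framework". Since every row is rewritten to add the Guest OS family links, fix both in the same pass.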
The following tables show the Microsoft Security Response Center (MSRC) updates
[5011649]: https://support.microsoft.com/kb/5011649 [4494175]: https://support.microsoft.com/kb/4494175 [4494174]: https://support.microsoft.com/kb/4494174-
+[2.121]: ./cloud-services-guestos-update-matrix.md#family-2-releases
+[3.108]: ./cloud-services-guestos-update-matrix.md#family-3-releases
+[4.101]: ./cloud-services-guestos-update-matrix.md#family-4-releases
+[5.66]: ./cloud-services-guestos-update-matrix.md#family-5-releases
+[6.42]: ./cloud-services-guestos-update-matrix.md#family-6-releases
+[7.10]: ./cloud-services-guestos-update-matrix.md#family-7-releases
## February 2022 Guest OS
cloud-services Cloud Services Guestos Update Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-update-matrix.md
na Previously updated : 3/2/2022 Last updated : 3/19/2022 # Azure Guest OS releases and SDK compatibility matrix
Unsure about how to update your Guest OS? Check [this][cloud updates] out.
## News updates
+###### **March 19, 2022**
+The March Guest OS has released.
+ ###### **March 2, 2022** The February Guest OS has released.
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-7.10_202203-01 | March 19, 2022 | Post 7.12 |
| WA-GUEST-OS-7.9_202202-01 | March 2, 2022 | Post 7.11 |
-| WA-GUEST-OS-7.8_202201-02 | February 11, 2022 | Post 7.10 |
+|~~WA-GUEST-OS-7.8_202201-02~~| February 11, 2022 | March 19, 2022 |
|~~WA-GUEST-OS-7.6_202112-01~~| January 10, 2022 | March 2, 2022 | |~~WA-GUEST-OS-7.5_202111-01~~| November 19, 2021 | February 11, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-6.42_202203-01 | March 19, 2022 | Post 6.44 |
| WA-GUEST-OS-6.41_202202-01 | March 2, 2022 | Post 6.43 |
-| WA-GUEST-OS-6.40_202201-02 | February 11, 2022 | Post 6.42 |
+|~~WA-GUEST-OS-6.40_202201-02~~| February 11, 2022 | March 19, 2022 |
|~~WA-GUEST-OS-6.38_202112-01~~| January 10, 2022 | March 2, 2022 | |~~WA-GUEST-OS-6.37_202111-01~~| November 19, 2021 | February 11, 2022 | |~~WA-GUEST-OS-6.36_202110-01~~| November 1, 2021 | January 10, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-5.66_202203-01 | March 19, 2022 | Post 5.68 |
| WA-GUEST-OS-5.65_202202-01 | March 2, 2022 | Post 5.67 |
-| WA-GUEST-OS-5.64_202201-02 | February 11, 2022 | Post 5.66 |
+|~~WA-GUEST-OS-5.64_202201-02~~| February 11, 2022 | March 19, 2022 |
|~~WA-GUEST-OS-5.62_202112-01~~| January 10, 2022 | March 2, 2022 | |~~WA-GUEST-OS-5.61_202111-01~~| November 19, 2021 | February 11, 2022 | |~~WA-GUEST-OS-5.60_202110-01~~| November 1, 2021 | January 10, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-4.101_202203-01 | March 19, 2022 | Post 4.103 |
| WA-GUEST-OS-4.100_202202-01 | March 2, 2022 | Post 4.102 |
-| WA-GUEST-OS-4.99_202201-02 | February 11 , 2022 | Post 4.101 |
+|~~WA-GUEST-OS-4.99_202201-02~~| February 11 , 2022 | March 19, 2022 |
|~~WA-GUEST-OS-4.97_202112-01~~| January 10 , 2022 | March 2, 2022 | |~~WA-GUEST-OS-4.96_202111-01~~| November 19, 2021 | February 11, 2022 | |~~WA-GUEST-OS-4.95_202110-01~~| November 1, 2021 | January 10, 2022 |
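Review bot: the rewritten 4.99 row carries over the stray space in `February 11 , 2022`. Since the line is being replaced anyway, normalize it to `February 11, 2022` so it matches the same row in the other family tables; the unchanged 4.97 row below has the same problem in `January 10 , 2022`.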
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-3.108_202203-01 | March 19, 2022 | Post 3.110 |
| WA-GUEST-OS-3.107_202202-01 | March 2, 2022 | Post 3.109 |
-| WA-GUEST-OS-3.106_202201-02 | February 11, 2022 | Post 3.108 |
+|~~WA-GUEST-OS-3.106_202201-02~~| February 11, 2022 | March 19, 2022 |
|~~WA-GUEST-OS-3.104_202112-01~~| January 10, 2022 | March 2, 2022| |~~WA-GUEST-OS-3.103_202111-01~~| November 19, 2021 | February 11, 2022 | |~~WA-GUEST-OS-3.102_202110-01~~| November 1, 2021 | January 10, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
+| WA-GUEST-OS-2.121_202203-01 | March 19, 2022 | Post 2.123 |
| WA-GUEST-OS-2.120_202202-01 | March 2, 2022 | Post 2.122 |
-| WA-GUEST-OS-2.119_202201-02 | February 11, 2022 | Post 2.121 |
+|~~WA-GUEST-OS-2.119_202201-02~~| February 11, 2022 | March 19, 2022 |
|~~WA-GUEST-OS-2.117_202112-01~~| January 10, 2022 | March 2, 2022 | |~~WA-GUEST-OS-2.116_202111-01~~| November 19, 2021 | February 11, 2022 | |~~WA-GUEST-OS-2.115_202110-01~~| November 1, 2021 | January 10, 2022 |
data-factory Data Factory Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-factory-private-link.md
Previously updated : 11/29/2021 Last updated : 03/18/2022 # Azure Private Link for Azure Data Factory
The DNS resource records for DataFactoryA, when resolved in the VNet hosting the
| DataFactoryA.{region}.privatelink.datafactory.azure.net | A | < private endpoint IP address > | If you are using a custom DNS server on your network, clients must be able to resolve the FQDN for the Data Factory endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for ' DataFactoryA.{region}.datafactory.azure.net' with the private endpoint IP address.-
-For more information on configuring your own DNS server to support private endpoints, refer to the following articles:
+ > [!NOTE]
+ > There is currently only one Azure Data Factory Portal endpoint and therefore only one private endpoint for portal in a DNS zone. Attempting to create a second or subsequent portal private endpoint will overwrite the previously created private DNS entry for portal.
- [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) - [DNS configuration for private endpoints](../private-link/private-endpoint-overview.md#dns-configuration)
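Review bot: removing "For more information on configuring your own DNS server to support private endpoints, refer to the following articles:" leaves the two links below without a lead-in, so they now read as a continuation of the new note about the portal private endpoint. Keep the lead-in sentence after the note block, or remove the links with it. The added `> [!NOTE]` lines also start with a leading space; confirm the block still renders as a note.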
data-factory How To Send Notifications To Teams https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-send-notifications-to-teams.md
Title: How to send notifications to a Microsoft Teams channel description: Learn about how to send notifications to a Microsoft Teams channel from an Azure Data Factory or Synapse Analytics pipeline-+ Last updated 09/29/2021
+update: 19/03/2022
# Send notifications to a Microsoft Teams channel from an Azure Data Factory or Synapse Analytics pipeline
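Review bot: `update: 19/03/2022` adds a second date in day/month/year order next to the existing `Last updated 09/29/2021`, which is month/day/year. Update the existing date field rather than adding a new key, and keep one date format so the value cannot be misread.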
Before you can send notifications to Teams from your pipelines, you must create
:::image type="content" source="media/how-to-send-notifications-to-teams/teams-prod-notifications.png" alt-text="Shows the team selection prompt on the Incoming Webhook app configuration dialog in Teams. Highlights the Team and the &quot;Set up a connector&quot; button":::
-1. Name the Webhook as appropriate and optionally upload an icon to identify your messages.
+1. Name the Webhook as appropriate and optionally upload an icon to identify your messages. After that, select the "Create" button to create the Incoming Webhook.
:::image type="content" source="media/how-to-send-notifications-to-teams/teams-add-icon.png" alt-text="Highlights the name property, optional image upload, and &quot;Create&quot; button in the Incoming Webhook options page.":::  
defender-for-cloud Defender For App Service Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-app-service-introduction.md
To protect your Azure App Service plan with Microsoft Defender for App Service,
||:--| | Release state: | General availability (GA) | | Pricing: | Microsoft Defender for App Service is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/)<br>Billing is according to total compute instances in all plans |
-| Supported App Service plans: | [All App Service plans](https://azure.microsoft.com/pricing/details/app-service/plans/) are supported except [Azure Functions on the consumption plan](../azure-functions/functions-scale.md). |
+| Supported App Service plans: | [The supported App Service plans](https://azure.microsoft.com/pricing/details/app-service/plans/) are:<br>ΓÇó Free plan<br>ΓÇó Basic Service plan<br>ΓÇó Standard Service plan<br>ΓÇó Premium v2 Service Plan<br>ΓÇó Premium v3 Service Plan<br>ΓÇó App Service Environment v1<br>ΓÇó App Service Environment v2<br>ΓÇó App Service Environment v3|
| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet) | | | |
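Review bot: the new "Supported App Service plans" row drops the explicit exception for Azure Functions on the consumption plan that the old row stated. An allow-list only implies that exclusion; if that plan is still unsupported, keep a sentence that says so, because a reader checking coverage for a function app will look for it by name. The list also mixes "Service plan" and "Service Plan".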
defender-for-cloud Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md
Updates in March include:
- [Configure email notifications settings from an alert](#configure-email-notifications-settings-from-an-alert) - [Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses](#deprecated-preview-alert-armmcas_activityfromanonymousipaddresses) - [Moved the recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices](#moved-the-recommendation-vulnerabilities-in-container-security-configurations-should-be-remediated-from-the-secure-score-to-best-practices)
+- [Deprecated the recommendation to use service principals to protect your subscriptions](#deprecated-the-recommendation-to-use-service-principals-to-protect-your-subscriptions)
+- [Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013](#legacy-implementation-of-iso-27001-is-being-replaced-with-new-iso-270012013)
### Deprecated the recommendations to install the network traffic data collection agent
Changes in our roadmap and priorities have removed the need for the network traf
|||| |[Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/8c3e93d3-0276-4d06-b20a-9a9f3012742c) |Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |Medium | |[Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/24d8af06-d441-40b4-a49c-311421aa9f58) |Defender for Cloud uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. |Medium |
-|||
### Defender for Containers can now scan for vulnerabilities in Windows images (preview)
The recommendation `Vulnerabilities in container security configurations should
The current user experience only provides the score when all compliance checks have passed. Most customers have difficulties with meeting all the required checks. We are working on an improved experience for this recommendation, and once released the recommendation will be moved back to the secure score.
+### Deprecated the recommendation to use service principals to protect your subscriptions
+
+As organizations move away from using management certificates to manage their subscriptions, and [our recent announcement that we're retiring the Cloud Services (classic) deployment model](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/), we deprecated the following Defender for Cloud recommendation and its related policy:
+
+|Recommendation |Description |Severity |
+||||
+|[Service principals should be used to protect your subscriptions instead of Management Certificates](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2acd365d-e8b5-4094-bce4-244b7c51d67c) |Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. <br />(Related policy: [Service principals should be used to protect your subscriptions instead of management certificates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6646a0bd-e110-40ca-bb97-84fcee63c414)) |Medium |
+
+Learn more:
+
+- [Cloud Services (classic) deployment model is retiring on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/)
+- [Overview of Azure Cloud Services (classic)](../cloud-services/cloud-services-choose-me.md)
+- [Workflow of Windows Azure classic VM Architecture - including RDFE workflow basics](../cloud-services/cloud-services-workflow-process.md)
+
+### Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013
+
+The legacy implementation of ISO 27001 has been removed from Defender for Cloud's regulatory compliance dashboard. If you're tracking your ISO 27001 compliance with Defender for Cloud, onboard the new ISO 27001:2013 standard for all relevant management groups or subscriptions.
++ ## February 2022 Updates in February include:
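Review bot: the ISO 27001 section moved here keeps the heading "is being replaced with new ISO 27001:2013" while its body now says the legacy implementation "has been removed". The sibling section was retitled from "Deprecating" to "Deprecated", so retitle this one in the past tense as well and update the matching entry and anchor in the March list. In the service principals section, "As organizations move away from ..., and [our recent announcement ...], we deprecated" is not parallel; something like "and following our recent announcement" would read correctly.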
defender-for-cloud Upcoming Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md
Title: Important changes coming to Microsoft Defender for Cloud description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan Previously updated : 03/16/2022 Last updated : 03/20/2022 # Important upcoming changes to Microsoft Defender for Cloud
If you're looking for the latest release notes, you'll find them in the [What's
| Planned change | Estimated date for change | |--|--|
-| [Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013](#legacy-implementation-of-iso-27001-is-being-replaced-with-new-iso-270012013) | January 2022 |
-| [Deprecating the recommendation to use service principals to protect your subscriptions](#deprecating-the-recommendation-to-use-service-principals-to-protect-your-subscriptions) | February 2022 |
| [Changes to recommendations for managing endpoint protection solutions](#changes-to-recommendations-for-managing-endpoint-protection-solutions) | March 2022 | | [AWS and GCP recommendations to GA](#aws-and-gcp-recommendations-to-ga) | March 2022 | | [Relocation of custom recommendations](#relocation-of-custom-recommendations) | March 2022 |
If you're looking for the latest release notes, you'll find them in the [What's
| [Deprecating Microsoft Defender for IoT device alerts](#deprecating-microsoft-defender-for-iot-device-alerts) | March 2022 | | [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | May 2022 |
-### Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013
-
-**Estimated date for change:** January 2022
-
-The legacy implementation of ISO 27001 will be removed from Defender for Cloud's regulatory compliance dashboard. If you're tracking your ISO 27001 compliance with Defender for Cloud, onboard the new ISO 27001:2013 standard for all relevant management groups or subscriptions, and the current legacy ISO 27001 will soon be removed from the dashboard.
--
-### Deprecating the recommendation to use service principals to protect your subscriptions
-
-**Estimated date for change:** February 2022
-
-As organizations are moving away from using management certificates to manage their subscriptions, and [our recent announcement that we're retiring the Cloud Services (classic) deployment model](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/), we'll be deprecating the following Defender for Cloud recommendation and its related policy:
-
-|Recommendation |Description |Severity |
-||||
-|[Service principals should be used to protect your subscriptions instead of Management Certificates](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/2acd365d-e8b5-4094-bce4-244b7c51d67c) |Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, using service principals with Resource Manager is recommended to limit the blast radius in the case of a certificate compromise. It also automates resource management. <br />(Related policy: [Service principals should be used to protect your subscriptions instead of management certificates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6646a0bd-e110-40ca-bb97-84fcee63c414)) |Medium |
-|||
-
-Learn more:
--- [Cloud Services (classic) deployment model is retiring on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/)-- [Overview of Azure Cloud Services (classic)](../cloud-services/cloud-services-choose-me.md)-- [Workflow of Windows Azure classic VM Architecture - including RDFE workflow basics](../cloud-services/cloud-services-workflow-process.md)- ### Changes to recommendations for managing endpoint protection solutions **Estimated date for change:** March 2022
defender-for-iot Concept Key Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-key-concepts.md
In addition, working with Horizon custom alerts lets you write your own alert ti
Using custom, condition-based alert triggering and messaging helps pinpoint specific network activity and effectively update your security, IT, and operational teams.
-For a complete list of supported protocols see, [Supported Protocols](concept-supported-protocols.md#supported-protocols).
+For a complete list of supported protocols see, [Supported Protocols](concept-supported-protocols.md).
## What is an Inventory Device
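Review bot: the touched sentence still has the comma in the wrong place, "supported protocols see, [Supported Protocols]". While the link is being edited, change it to "For a complete list of supported protocols, see [Supported Protocols]". Dropping the `#supported-protocols` anchor is consistent with that heading being renamed in the target article.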
defender-for-iot Concept Supported Protocols https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/concept-supported-protocols.md
Title: Protocols supported by Microsoft Defender for IoT description: Learn about protocols that are supported by Microsoft Defender for IoT. Previously updated : 11/09/2021 Last updated : 03/16/2022
-# Support for IoT, OT, ICS, and SCADA protocols
+# Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols
-Microsoft Defender for IoT provides an open and interoperable Operation Technology (OT) cybersecurity platform. Defender for IoT reduces IoT, IT, and ICS risk with deployments in demanding and complex OT environments across all industry verticals and geographies.
+This article lists the protocols that are supported by default in Microsoft Defender for IoT. If your organization uses proprietary protocols or other protocols not listed here, use the Defender for IoT Horizon SDK to extend support as needed.
-## Supported protocols
+## Supported protocols for asset discovery
-Defender for IoT supports a broad range of protocols across a diverse enterprise. Supported protocols include industrial automation equipment across all industrial sectors, enterprise networks, and building management system (BMS) environments.
+Defender for IoT can detect the following protocols when identifying assets and devices in your network:
-For custom or proprietary protocols, Microsoft offers an SDK that makes it easy to develop, test, and deploy custom protocol dissectors as plugins. The SDK does all this without divulging proprietary information, such as how the protocols are designed, or by sharing PCAPs that may contain sensitive information. Supported protocols are listed below.
-### Supported protocols (passive monitoring)
+|Brand |Protocols |
+|||
+|**ABB** | IEC61850 MMS (including ABB extension) |
+|**ASHRAE** | BACnet<br> BACnet BACapp<br> BACnet BVLC |
+|**Beckhoff** | AMS (ADS)<br> Twincat |
+|**Cisco** | CAPWAP Control<br> CAPWAP Data<br> CDP<br> LWAPP |
+|**DNP. org** | DNP3 |
+|**Emerson** | DeltaV<br> Emerson OpenBSI/BSAP<br> Ovation DCS ADMD<br>Ovation DCS DPUSTAT<br> Ovation DCS SSRPC |
+|**Emerson Fischer** | ROC |
+|**Eurocontrol** | ASTERIX |
+|**GE** | Bentley Nevada (System 1)<br> EGD<br> GSM (GE MarkVI and MarkVIe)<br> SRTP (GE) |
+|**Honeywell** | ENAP<br> Experion DCS CDA<br> Experion DCS FDA |
+|**IEC** | Codesys V3<br> ICCP TASE.2/IEC-60870<br> IEC60870-5 (IEC104/101)<br> IEC60870-5-103 (encapsulated serial)<br> IEC61850 GOOSE<br> IEC61850 MMS<br> IEC61850 SMV (SAMPLED-VALUES)<br> LonTalk (LonWorks) |
+|**IEEE** | LLC<br> STP<br> VLAN |
+|**IETF** | ARP<br> DCE RPC<br> DNS<br> FTP (FTP_ADAT<br> FTP_DATA)<br> GSSAPI (RFC2743)<br> HTTP<br> ICMP<br> IPv4<br> IPv6<br> LLDP<br> MDNS<br> NBNS<br> NTLM (NTLMSSP Auth Protocol)<br> RPC<br> SMB / Browse / NBDGM<br> SMB / CIFS<br> SNMP<br> SPNEGO (RFC4178)<br> SSH<br> Syslog<br> Telnet<br> TFTP<br> TPKT<br> UDP |
+|**ISO** | CLNP (ISO 8473)<br> COTP (ISO 8073)<br> ISO Industrial Protocol<br> MQTT (IEC 20922) |
+|**Medical** |ASTM<br> HL7 |
+|**Microsoft** | Horizon community dissectors<br> Horizon proprietary dissectors (developed by customers) |
+|**Mitsubishi** | Melsoft / Melsec (Mitsubishi Electric) |
+|**Omron** | FINS |
+|**Oracle** | TDS<br> TNS |
+|**Rockwell Automation** | ENIP<br> EtherNet/IP CIP (including Rockwell extension)<br> EtherNet/IP CIP FW version 27 and above |
+|**Schneider Electric** | Modbus/TCP<br> Modbus TCPΓÇôSchneider Unity Extensions<br> OASYS (Schneider Electric Telvant) |
+|**Schneider Electric / Invensys** | Foxboro Evo<br> Foxboro I/A<br> Trident<br> TriGP<br> TriStation |
+|**Schneider Electric / Modicon** | Modbus RTU |
+|**Schneider Electric / Wonderware** | Wonderware Suitelink |
+|**Siemens** | CAMP<br> PCS7<br> PCS7 WinCC ΓÇô Historian<br> Profinet DCP<br> Profinet Realtime<br> Siemens PHD<br> Siemens S7<br> Siemens S7-Plus<br> Siemens S7-Plus<br> Siemens SICAM<br> Siemens WinCC |
+|**Toshiba** |Toshiba Computer Link |
+|**Yokogawa** | Centum ODEQ (Centum / ProSafe DCS)<br> HIS Equalize<br> Vnet/IP |
-This section lists protocols that are detected using passive monitoring.
-**ABB:** IEC61850 MMS (including ABB extension)
+## Supported protocols for active monitoring
-**ASHRAE:** BACnet, BACnet BACapp, BACnet BVLC
+Defender for IoT can detect the following protocols using active monitoring, such as ping sweeps and queries:
-**Beckhoff:** AMS (ADS), Twincat
-**Cisco:** CAPWAP Control, CAPWAP Data, CDP, LWAPP
+|Brand |Protocols |
+|||
+|**IETF** | Ping Sweep <br>SNMP Network Layout Query<br>SNMP Query |
+|**Microsoft** | Windows WMI Query (req. WMI/WinRM): hardware, BIOS, version, software, patches |
+|**Rockwell Automation** | ENIP Query<br> ENIP Scan<br> EtherNet/IP CIP (CIP Query) |
+|**Siemens** | Siemens S7 |
-**DNP. org :** DNP3
-**Emerson:** DeltaV, Emerson OpenBSI/BSAP, Ovation DCS ADMD,Ovation DCS DPUSTAT, Ovation DCS SSRPC
-**Emerson Fischer:** ROC
+## Don't see your protocol here?
-**Eurocontrol:** ASTERIX
+### Build support for proprietary protocols with the Horizon SDK
-**GE:** Bentley Nevada (System 1), EGD, GSM (GE MarkVI and MarkVIe), SRTP (GE)
+Asset vendors, partners, or platform owners can use Defender for IoT's Horizon Protocol SDK to secure any protocol used in IoT and ICS environments that's not isn't already supported by default.
-**Honeywell:** ENAP, Experion DCS CDA, Experion DCS FDA
+Horizon helps you to write plugins that enable Deep Packet Inspection (DPI) on the traffic and detect threats in realtime. Customize your plugins localize and customize text for alerts, events, and protocol parameters.
-**IEC:** Codesys V3, ICCP TASE.2/IEC-60870, IEC60870-5 (IEC104/101), IEC60870-5-103 (encapsulated serial), IEC61850 GOOSE, IEC61850 MMS, IEC61850 SMV (SAMPLED-VALUES), LonTalk (LonWorks)
+Horizon provides:
-**IEEE**: LLC, STP, VLAN
+- Support for common, proprietary, or custom protocols that deviate from standards
+- Extra flexibility and scope for DPI development
+- Extra visibility and control over your OT assets without needing to update your Defender for IoT version
+- The security of allowing proprietary development without divulging sensitive information
-**IETF:** ARP, DCE RPC, DNS, FTP (FTP_ADAT, FTP_DATA), GSSAPI (RFC2743), HTTP, ICMP, IPv4, IPv6, LLDP, MDNS, NBNS, NTLM (NTLMSSP Auth Protocol), RPC, SMB / Browse / NBDGM, SMB / CIFS, SNMP, SPNEGO (RFC4178), SSH, Syslog, Telnet, TFTP, TPKT, UDP
-**ISO:** CLNP (ISO 8473), COTP (ISO 8073), ISO Industrial Protocol, MQTT (IEC 20922)
+### Collaborate with the Horizon community
-**Medical:** ASTM, HL7
+Join our community to help lead the way towards digital transformation and industry-wide collaboration for protocol support!
-**Microsoft:** Horizon community dissectors, Horizon proprietary dissectors (developed by customers).
+The Horizon ICS community shares knowledge between domain experts in critical infrastructures, building management, production lines, transportation systems, and leading industries. For example, our community shares tutorials, discussion forums, instructor-led training, educational white papers, and more.
-**Mitsubishi:** Melsoft / Melsec (Mitsubishi Electric)
-
-**Omron:** FINS
-
-**Oracle:** TDS, TNS
-
-**Rockwell Automation:** ENIP, EtherNet/IP CIP (including Rockwell extension), EtherNet/IP CIP FW version 27 and above
-
-**Schneider Electric:** Modbus/TCP, Modbus TCPΓÇôSchneider Unity Extensions, OASYS (Schneider Electric Telvant)
-
-**Schneider Electric / Invensys:** Foxboro Evo, Foxboro I/A, Trident, TriGP, TriStation
-
-**Schneider Electric / Modicon:** Modbus RTU
-
-**Schneider Electric / Wonderware:** Wonderware Suitelink
-
-**Siemens:** CAMP, PCS7, PCS7 WinCC ΓÇô Historian, Profinet DCP, Profinet Realtime, Siemens PHD, Siemens S7, Siemens S7-Plus, Siemens S7-Plus, Siemens SICAM, Siemens WinCC
-
-**Toshiba:** Toshiba Computer Link
-
-**Yokogawa:** Centum ODEQ (Centum / ProSafe DCS), HIS Equalize, Vnet/IP
-
-### Supported protocols (active monitoring)
-
-This section lists protocols that are detected using active probing, for example ping sweeps and queries.
-
-**IETF:** Ping Sweep, SNMP Network Layout Query, SNMP Query
-
-**Microsoft:** Windows WMI Query (req. WMI/WinRM): hardware, BIOS, version, software, patches
-
-**Rockwell Automation:** ENIP Query, ENIP Scan, EtherNet/IP CIP (CIP Query)
-
-**Siemens:** Siemens S7
-
-## Quickly add support for proprietary, restricted protocols
-
-Digitization is driving deployment of billions of IoT devices followed by a significant increase in connectivity between IT and OT networks. This means attack surfaces are growing, including a greater risk of dangerous cyber attacks on industrial control systems.
-
-To help reduce the attack surface, the Horizon Protocol SDK allows quick, secure support of any protocol used in IoT and ICS environments.
-
-Horizon provides the following solutions for customers and technology partners:
--- Unlimited, full support for common, proprietary, custom protocols or protocols that deviate from any standard.--- A new level of flexibility and scope for DPI development.--- A tool that exponentially expands OT visibility and control, without the need to upgrade Defender for IoT platform versions.--- The security of allowing proprietary development without divulging sensitive information.-
-The Horizon SDK lets you write plugins that enable Deep Packet Inspection (DPI) on the traffic and detect threats in real time. The Horizon SDK makes extra customizations possible as well. For example, the Horizon SDK enables asset vendors, partners, or platform owners to localize and customize the text for alerts, events, and protocol parameters.
-
-[![The Horizon SDK allows quick support for 100% of the protocols used in IoT, and ICS environments.](media/concept-supported-protocols/sdk-horizon.png)](media/concept-supported-protocols/sdk-horizon-expanded.png#lightbox)
-
-## Collaborate with the Horizon community
-
-Be part of a community that is leading the way toward digital transformation and industry-wide collaboration for protocol support. The Horizon ICS community allows knowledge sharing for domain experts in critical infrastructures, building management, production lines, transportation systems, and other industrial leaders.
-
-The community provides tutorials, discussion forums, instructor-led training, educational white papers, webinars, and more.
-
-We invite you to join our community here: <horizon-community@microsoft.com>
+To join the Horizon community, email us at: [horizon-community@microsoft.com](mailto:horizon-community@microsoft.com)
## Next steps
-[Customize alert rules](how-to-accelerate-alert-incident-response.md#customize-alert-rules)
-[About forwarded alert information](how-to-forward-alert-information-to-partners.md#about-forwarded-alert-information)
+For more information:
+
+- [Customize alert rules](how-to-accelerate-alert-incident-response.md#customize-alert-rules)
+- [About forwarded alert information](how-to-forward-alert-information-to-partners.md#about-forwarded-alert-information)
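Review bot: the new Horizon SDK paragraph has a doubled negation, "that's not isn't already supported by default", and the next paragraph has a broken sentence, "Customize your plugins localize and customize text for alerts, events, and protocol parameters". Suggest "that isn't already supported by default" and "Customize your plugins to localize text for alerts, events, and protocol parameters". The same paragraph changes "real time" to "realtime"; keep the two-word form from the removed text. In the asset discovery table, the Siemens row lists "Siemens S7-Plus" twice (carried over from the old list) and the brand "DNP. org" has a stray space.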
defender-for-iot Overview Eiot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/overview-eiot.md
The expansion of IoT into the enterprise network creates a unique opportunity to
## Integration with Microsoft Defender for Endpoint
-You can now integrate Defender for IoT with Defender for Endpoint. When you do so, you're combining Defender for Endpoint device-discovery and agentless monitoring capabilities to help secure enterprise IoT devices that are connected to an IT network. Two examples of such devices are Voice over Internet Protocol (VoIP) printers and smart TVs. The result of this integration is a single, integrated solution that helps secure your entire IoT and OT infrastructure.
+You can now integrate Defender for IoT with Defender for Endpoint. When you do so, you're combining Defender for Endpoint device-discovery and agentless monitoring capabilities to help secure enterprise IoT devices that are connected to an IT network. Two examples of such devices are Voice over Internet Protocol (VoIP) phones and smart TVs. The result of this integration is a single, integrated solution that helps secure your entire IoT and OT infrastructure.
With this integration, you can use Defender for IoT sensors as additional data sources. Defender for IoT sensors provide visibility into areas of your network where Defender for Endpoint is not deployed and employees need to access data remotely. These sensors also provide visibility into IoT-to-IoT and IoT-to-internet communications.
defender-for-iot Tutorial Getting Started Eiot Sensor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/tutorial-getting-started-eiot-sensor.md
Before you deploy your Enterprise IoT sensor, you will need to configure your se
**To set up a server, or VM**:
-1. Ensure the minimum resources are set to:
-
- * 4C CPU
-
- * 8-GB ram
-
- * 250 GB HDD
-
- * Two Network Adapters
-
- * OS: Ubuntu 18.04
+1. Ensure that your resources are set to one of the following specifications:
+
+ | Tier | Requirements |
+ |--|--|
+ | **Minimum** | To support at least 1 Gbps: <br><br>- 4 CPUs, each with 2.4 GHz or more<br>- 8 GB RAM of DDR4 or better<br>- 250 GB HDD |
+ | **Recommended** | To support up to 10 Gbps: <br><br>- 8 CPUs, each with 2.4 GHz or more<br>- 32 GB RAM of DDR4 or better<br>- 500 GB HDD |
+
+ Make sure that your server or VM also has:
+
+ * Two network adapters
+ * Ubuntu 18.04 operating system.
1. Connect a NIC to a switch.
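Review bot: the two tiers in the new requirements table use mismatched bounds, "To support at least 1 Gbps" for Minimum and "To support up to 10 Gbps" for Recommended. If Minimum is meant as the sizing for traffic up to 1 Gbps, say "up to 1 Gbps"; as written, a reader cannot tell which tier applies between 1 and 10 Gbps. The bullet "Ubuntu 18.04 operating system." also ends with a period while "Two network adapters" does not.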
sudo apt purge -y microsoft-eiot-sensor
## Next steps
-[Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md#manage-your-iot-devices-with-the-device-inventory-for-organizations)
+[Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md#manage-your-iot-devices-with-the-device-inventory-for-organizations)
devtest-labs Deliver Proof Concept https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/deliver-proof-concept.md
Title: Deliver a proof of concept description: Learn how to deliver a proof of concept so Azure DevTest Labs can be successfully incorporated into an enterprise environment. Previously updated : 06/2/2020 Last updated : 03/12/2022 # Deliver a proof of concept
devtest-labs Devtest Lab Create Environment From Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-create-environment-from-arm.md
Title: Use ARM templates to create multi-VM environments and PaaS resources description: Learn how to use Azure Resource Manager (ARM) templates to create multi-VM, platform-as-a-service (PaaS) environments and resources in Azure DevTest Labs. Previously updated : 01/03/2021 Last updated : 01/03/2022 # Use ARM templates to create DevTest Labs environments
devtest-labs Network Isolation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/network-isolation.md
Title: Network isolation description: Learn about network isolation in Azure DevTest Labs. Previously updated : 08/25/2020 Last updated : 03/25/2022 # Network isolation in DevTest Labs
governance Azure Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/azure-management.md
Title: Azure Management Overview - Azure Governance description: Overview of the areas of management for Azure applications and resources with links to content on Azure management tools. Previously updated : 08/17/2021 Last updated : 03/20/2022 # What are the Azure Management areas?
to track cloud usage and expenditures for your Azure resources and other cloud p
Manage the security of your resources and data. A security program involves assessing threats, collecting and analyzing data, and compliance of your applications and resources. Security
-monitoring and threat analysis are provided by [Azure Security
-Center](../security-center/security-center-introduction.md), which includes unified security
+monitoring and threat analysis are provided by [Microsoft Defender for Cloud](../security-center/security-center-introduction.md), which includes unified security
management and advanced threat protection across hybrid cloud workloads. See [Introduction to Azure Security](../security/fundamentals/overview.md) for comprehensive information and guidance on securing Azure resources.
Migration refers to transitioning workloads currently running on-premises to the
migration suitability of on-premises virtual machines to Azure. Azure Site Recovery migrates virtual machines [from on-premises](../site-recovery/migrate-tutorial-on-premises-azure.md) or [from Amazon Web Services](../site-recovery/migrate-tutorial-aws-azure.md). [Azure Database
-Migration](../dms/dms-overview.md) assists you in migrating database sources to Azure Data
+Migration Service](../dms/dms-overview.md) assists you in migrating database sources to Azure Data
platforms. ## Next Steps To learn more about Azure Governance, see these articles: -- See the [Azure Governance hub](./index.yml).-- See [Governance in the Cloud Adoption Framework for Azure](/azure/cloud-adoption-framework/govern/)
+- [Azure Governance hub](./index.yml).
+- [Governance in the Cloud Adoption Framework for Azure](/azure/cloud-adoption-framework/govern/)
governance Samples By Category https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/resource-graph/samples/samples-by-category.md
Otherwise, use <kbd>Ctrl</kbd>-<kbd>F</kbd> to use your browser's search feature
[!INCLUDE [azure-resource-graph-samples-cat-azure-service-health](../../../../includes/resource-graph/samples/bycat/azure-service-health.md)]
+## Azure Spot
++ ## Azure SQL [!INCLUDE [azure-resource-graph-samples-cat-azure-sql](../../../../includes/resource-graph/samples/bycat/azure-sql.md)]
mysql How To Manage Single Server Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/how-to-manage-single-server-cli.md
Select the specific subscription under your account using [az account set](/cli/
az account set --subscription <subscription id> ```
-If you have not already created a sever , refer to this [quickstart](quickstart-create-mysql-server-database-using-azure-cli.md) to create one.
+If you have not already created a server , refer to this [quickstart](quickstart-create-mysql-server-database-using-azure-cli.md) to create one.
## Scale compute and storage You can scale up your pricing tier , compute and storage easily using the following command. You can see all the server operation you can perform [az mysql server overview](/cli/azure/mysql/server)
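Review bot: the corrected sentence still has a stray space before the comma ("a server , refer to this"), so the typo fix is only half done. Suggest "If you have not already created a server, refer to this [quickstart](quickstart-create-mysql-server-database-using-azure-cli.md) to create one." The same spacing problem is visible in the following context line ("pricing tier , compute and storage") and could be cleaned up in the same change.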
az mysql server delete --resource-group myresourcegroup --name mydemoserver
## Next steps - [Restart a server](howto-restart-server-cli.md) - [Restore a server in a bad state](howto-restore-server-cli.md)-- [Monitor and tune the server](concepts-monitoring.md)
+- [Monitor and tune the server](concepts-monitoring.md)
notification-hubs Encrypt At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/notification-hubs/encrypt-at-rest.md
+
+ Title: Azure Notification Hubs encryption for data at rest
+description: Learn how data is encrypted at rest in Azure Notification Hubs.
++++ Last updated : 03/19/2022+++
+# Azure Notification Hubs encryption for data at rest
+
+Azure Notification Hubs uses Transparent Data Encryption (TDE) to automatically encrypt customer keys and data stored in databases. Azure
+Notification Hubs encryption protects customer's data to help you to meet organizational security and compliance commitments.
+
+## Data encryption at rest in Azure
+
+Encryption at rest provides data protection for stored data (at rest). For detailed information about data encryption at rest in Microsoft Azure, see [Azure Data Encryption-at-Rest](/azure/security/fundamentals/encryption-atrest).
+
+## About Azure Notification Hubs encryption
+
+Azure Notification Hubs stores customer keys and data in SQL databases at rest. The SQL databases encrypt the data stored there with
+Transparent Data Encryption (TDE). The pages in a database are encrypted before they are written to disk and decrypted when read into memory. The server-level certificate is stored in the main database. Once the database has been secured, it can be restored by using the correct certification.
+
+Data stored in Azure Notification Hubs is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed
+keys). Azure Notification Hubs encryption at rest is automatically enabled and cannot be disabled. This means the data is secured by
+default, and there is no need for modifications to your code or applications in order to use Azure Notification Hubs encryption.
+
+## Next steps
+
+- [Transparent data encryption (TDE)](/sql/relational-databases/security/encryption/transparent-data-encryption)
+- [Azure Data Encryption-at-Rest](/azure/security/fundamentals/encryption-atrest)
+- [What is Azure Key Vault?](/azure/key-vault/general/overview)
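Review bot: in the "About Azure Notification Hubs encryption" paragraph, "it can be restored by using the correct certification" should read "certificate", matching "The server-level certificate" in the sentence before it; as written it reads like a compliance certification rather than the TDE certificate needed for a restore. The opening paragraph also switches person mid-sentence ("protects customer's data to help you to meet"); pick one. Finally, the Next steps list links to "What is Azure Key Vault?" although the article states the keys are service-managed and never mentions Key Vault; either drop the link or add a sentence that explains why it is relevant.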
sentinel Data Connectors Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors-reference.md
See [Microsoft Defender for Cloud](#microsoft-defender-for-cloud).
| **Supported by** | Microsoft |
-For more information, see the [Azure Information Protection documentation](/azure/information-protection/reports-aip#how-to-modify-the-reports-and-create-custom-queries).
+> [!NOTE]
+> The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of **March 18, 2022**, we are sunsetting the AIP analytics and audit logs public preview, and moving forward will be using the [Microsoft 365 auditing solution](/microsoft-365/compliance/auditing-solutions-overview). Full retirement is scheduled for **September 30, 2022**.
+>
+> For more information, see [Removed and retired services](/azure/information-protection/removed-sunset-services.md#azure-information-protection-analytics).
+>
## Azure Key Vault
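Review bot: the new link `/azure/information-protection/removed-sunset-services.md#azure-information-protection-analytics` is site-relative but keeps the `.md` extension, unlike the other site-relative link in the same note (`/microsoft-365/compliance/auditing-solutions-overview`) and unlike the link being removed; confirm it resolves on the published site or drop the extension. The note also ends with an empty `>` line that can be removed. Because the connector depends on a feature with a stated full retirement date of September 30, 2022, consider saying in the note whether the connector keeps ingesting until that date, since readers with detections built on this data need to plan the move to the Microsoft 365 auditing solution.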
virtual-desktop Deploy Windows Server Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/deploy-windows-server-virtual-machine.md
+
+ Title: Deploy Windows Server virtual machines in Azure Virtual Desktop - Azure
+description: How to deploy and configure Windows Server edition virtual machines on Azure Virtual Desktop.
++++ Last updated : 03/18/2022+++
+# Deploy Windows Server based virtual machines on Azure Virtual Desktop
+
+>[!IMPORTANT]
+>This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without Azure Resource Manager objects, see [this article](./virtual-desktop-fall-2019/deploy-windows-7-virtual-machine.md).
+
+The process to deploy Windows Server based Virtual Machines (VM) on Azure Virtual Desktop is slightly different than for VMs running other versions of Windows such as Windows 10 or Windows 11. This guide will walk you through the steps.
+
+Azure Virtual Desktop Host pool supports running Windows Server 2012 R2 and above editions.
+
+> [!NOTE]
+> - Azure AD Join session host scenario is not supported with Windows Server editions.
+
+## Prerequisites
+
+Running Windows Server based host virtual machines on Azure Virtual Desktop requires Remote Desktop Services (RDS) Licensing Server.
+
+For more information, refer [Operating systems and licenses](prerequisites.md)
+
+Use the following information to learn about how licensing works in Remote Desktop Services and to deploy and manage your licenses.
+
+[License your RDS deployment with client access licenses](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-client-access-license)
+
+If you're already using Windows Server based Remote Desktop Services, you'll likely have Licensing Server setup in your environment. You can continue using the same provided Azure Virtual Desktop hosts has line of sight to the Server.
+
+## Configure Windows Server based Virtual Machines
+
+Once you've done the prerequisites, you're ready to configure Windows Server based VMs for deployment on Azure Virtual Desktop.
+
+1. Follow the instructions from [Create a host pool using the Azure portal](create-host-pools-azure-marketplace.md).
+
+1. Select relevant Windows Server image or upload your own customized image based on Windows Server edition at **Step 6** under **Virtual machine details** section.
+
+1. Select **Active Directory** as an option under **Domain to Join** at **Step 12** of **Virtual machine details** section.
+
+1. Connect to the newly deployed VM using an account with local administrator privileges.
+1. Open the Start menu and type "gpedit.msc" to open the Group Policy Editor.
+1. Navigate the tree to **Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing**
+1. Select policy **Use the specified Remote Desktop license servers** and set the policy to point to the Remote Desktop Licensing Servers FQDN/IP Address.
+2. Select policy **Specify the licensing mode for the Remote Desktop Session Host server** and set the policy to Per Device or Per User, as appropriate for your licensing eligibility.
+
+> [!NOTE]
+> - You can also use and apply Domain based GPO and scope it to OU where Azure Virtual Desktop Hosts resides in Active Directory.
+
+## Next steps
+Now that you've deployed Windows Server based Host VMs, you can sign in to a supported Azure Virtual Desktop client to test it as part of a user session. If you want to learn how to connect to a session, check out these articles:
+
+- [Connect with the Windows Desktop client](user-documentation/connect-windows-7-10.md)
+- [Connect with the web client](user-documentation/connect-web.md)
+
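Review bot: the IMPORTANT block at the top sends classic users to `./virtual-desktop-fall-2019/deploy-windows-7-virtual-machine.md`, which by its file name is the Windows 7 article, not a Windows Server one; this looks copied from the Windows 7 page and should either point at a Windows Server equivalent or be removed. In "Configure Windows Server based Virtual Machines", the references to "Step 6" and "Step 12" of another article will break silently when that article is renumbered, so name the field instead, and the last two list items switch from `1.` to `2.` numbering. In Prerequisites, "For more information, refer [Operating systems and licenses](prerequisites.md)" is missing "to" and a full stop, "provided Azure Virtual Desktop hosts has line of sight" needs "have", and the RDS licensing link uses an absolute `https://docs.microsoft.com/...` URL where the rest of the page uses site-relative paths. The steps configure the license server through local policy on each host with a local administrator session, while the closing note mentions a domain GPO scoped to the OU only in passing; for more than a handful of hosts the GPO route deserves to be the documented default.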
virtual-machines Create Portal Availability Zone https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/create-portal-availability-zone.md
description: Create VMs in an availability zone with the Azure portal
Previously updated : 03/14/2022 Last updated : 03/17/2022
This article steps through using the Azure portal to create highly resilient vir
To use availability zones, create your virtual machines in a [supported Azure region](../availability-zones/az-region.md).
-Some users will now see the option to create VMs in multiple zones. If you see the following message, please use the **Preview** tab below.
+Some users will now see the option to create VMs in multiple zones. If you see the following message, use the **Preview** tab below.
:::image type="content" source="media/create-portal-availability-zone/preview.png" alt-text="Screenshot showing that you have the option to create virtual machines in multiple availability zones.":::
Some users will now see the option to create VMs in multiple zones. If you see t
1. You can select an existing load balancer or select **Create a load balancer**. 2. To create a new load balancer, for **Load balancer name** type a load balancer name.
- 3. Select the **Type** of load balancer, either Public or Internal.
+ 3. Select the **Type** of load balancer, either *Public* or *Internal*.
4. Select the **Protocol**, either **TCP** or **UDP**. 5. You can leave the default **Port** and **Backend port**, or change them if needed. The backend port you select will be opened up on the Network Security Group (NSG) of the VM. 6. When you are done, select **Create**.
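Review bot: step 3 now formats the selectable values as italics (*Public*, *Internal*) while step 4 directly below still uses bold for the same kind of value (**TCP**, **UDP**). Use one convention for option values throughout the list, and apply it to both steps in this change.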
Some users will now see the option to create VMs in multiple zones. If you see t
2. To create a new gateway, type the name for the application gateway. The Application Gateway can load balance multiple applications. Consider naming the Application Gateway according to the workloads you wish to load balance, rather than specific to the virtual machine name. 3. In **Routing rule**, type a rule name. The rule name should describe the workload you are load balancing. 4. For HTTP load balancing, you can leave the defaults and then select **Create**. For HTTPS load balancing, you have two options:
+ - Upload a certificate and add the password (application gateway will manage certificate storage). For certificate name, type a friendly name for the certificate.
+ - Use a key vault (application gateway will pull a defined certificate from a defined key vault). Select your **Managed identity**, **Key Vault**, and **Certificate**.
- - Upload a certificate and add the password (application gateway will manage certificate storage). For certificate name, type a friendly name for the certificate.
- - Use a key vault (application gateway will pull a defined certificate from a defined key vault). Select your **Managed identity**, **Key Vault**, and **Certificate**.
-
- > [!IMPORTANT]
- > After the VMs and application gateway are deployed, log in to the VMs to ensure that either the application gateway certificate is uploaded onto the VMs or the domain name of the VM certificate matches with the domain name of the application gateway.
+ > [!IMPORTANT]
+ > After the VMs and application gateway are deployed, log in to the VMs to ensure that either the application gateway certificate is uploaded onto the VMs or the domain name of the VM certificate matches with the domain name of the application gateway.
- > [!NOTE]
- > A separate subnet will be defined for Application Gateway upon creation. For more information, see [Application Gateway infrastructure configuration](../application-gateway/configuration-infrastructure.md).
+ > [!NOTE]
+ > A separate subnet will be defined for Application Gateway upon creation. For more information, see [Application Gateway infrastructure configuration](../application-gateway/configuration-infrastructure.md).
1. Leave the remaining defaults and then select the **Review + create** button at the bottom of the page.
virtual-machines N Series Driver Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/n-series-driver-setup.md
Then, create an entry for your update script in `/etc/rc.d/rc3.d` so the script
* You can set persistence mode using `nvidia-smi` so the output of the command is faster when you need to query cards. To set persistence mode, execute `nvidia-smi -pm 1`. Note that if the VM is restarted, the mode setting goes away. You can always script the mode setting to execute upon startup. * If you updated the NVIDIA CUDA drivers to the latest version and find RDMA connectivity is no longer working, [reinstall the RDMA drivers](#rdma-network-connectivity) to reestablish that connectivity. * During installation of LIS, if a certain CentOS/RHEL OS version (or kernel) is not supported for LIS, an error ΓÇ£Unsupported kernel versionΓÇ¥ is thrown. Please report this error along with the OS and kernel versions.
+* If jobs are interrupted by ECC errors on the GPU (either correctable or uncorrectable), first check to see if the GPU meets any of Nvidia's [RMA criteria for ECC errors](https://docs.nvidia.com/deploy/dynamic-page-retirement/https://docsupdatetracker.net/index.html#faq-pre). If the GPU is eligible for RMA, please contact support about getting it serviced; otherwise, reboot your VM to reattach the GPU as described [here](https://docs.nvidia.com/deploy/dynamic-page-retirement/https://docsupdatetracker.net/index.html#bl_reset_reboot). Note that less invasive methods such as `nvidia-smi -r` do not work with the virtualization solution deployed in Azure.
## Next steps
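Review bot: both NVIDIA links in the new ECC bullet contain a second URL embedded in the path (`https://docs.nvidia.com/deploy/dynamic-page-retirement/https://docsupdatetracker.net/index.html#faq-pre` and the matching `#bl_reset_reboot` link), so neither will resolve as written; verify the targets against the source file before merging. The bullet also writes "Nvidia's" where the surrounding bullets use "NVIDIA", and the second link uses "here" as its link text; name the target instead, for example "as described in the NVIDIA reset and reboot guidance". The closing sentence about `nvidia-smi -r` not working in Azure is the most useful operational detail and could be moved up next to the reboot instruction.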
virtual-machines Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-portal.md
Sign in to the [Azure portal](https://portal.azure.com).
![Screenshot of the Project details section showing where you select the Azure subscription and the resource group for the virtual machine](./media/quick-create-portal/project-details.png)
-1. Under **Instance details**, type *myVM* for the **Virtual machine name**, and choose *Ubuntu 18.04 LTS - Gen2* for your **Image**. Leave the other defaults. The default size and pricing is only shown as an example. Size availability and pricing is dependent on your region and subscription.
+1. Under **Instance details**, type *myVM* for the **Virtual machine name**, and choose *Ubuntu 18.04 LTS - Gen2* for your **Image**. Leave the other defaults. The default size and pricing is only shown as an example. Size availability and pricing are dependent on your region and subscription.
:::image type="content" source="media/quick-create-portal/instance-details.png" alt-text="Screenshot of the Instance details section where you provide a name for the virtual machine and select its region, image, and size.":::
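Review bot: the subject-verb fix was applied to "Size availability and pricing are dependent" but the sentence immediately before it in the same step still reads "The default size and pricing is only shown as an example". Change that one to "are only shown" as well so the two sentences agree.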
+ > [!NOTE]
+ > Some users will now see the option to create VMs in multiple zones. To learn more about this new capability, see [Create virtual machines in an availability zone](../create-portal-availability-zone.md).
+ > :::image type="content" source="../media/create-portal-availability-zone/preview.png" alt-text="Screenshot showing that you have the option to create virtual machines in multiple availability zones.":::
+ 1. Under **Administrator account**, select **SSH public key**.
virtual-machines Quick Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-portal.md
Sign in to the Azure portal at https://portal.azure.com.
:::image type="content" source="media/quick-create-portal/instance-details.png" alt-text="Screenshot of the Instance details section where you provide a name for the virtual machine and select its region, image and size.":::
+ > [!NOTE]
+ > Some users will now see the option to create VMs in multiple zones. To learn more about this new capability, see [Create virtual machines in an availability zone](../create-portal-availability-zone.md).
+ > :::image type="content" source="../media/create-portal-availability-zone/preview.png" alt-text="Screenshot showing that you have the option to create virtual machines in multiple availability zones.":::
+ 1. Under **Administrator account**, provide a username, such as *azureuser* and a password. The password must be at least 12 characters long and meet the [defined complexity requirements](faq.yml#what-are-the-password-requirements-when-creating-a-vm-). ![Screenshot of the Administrator account section where you provide the administrator username and password](./media/quick-create-portal/administrator-account.png)
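Review bot: this NOTE block is identical, including the image path and alt text, to the one added to the Linux quick-create article in the same update. Two pasted copies will drift; move it to a shared include and reference it from both articles, as other pages in this repo do with `[!INCLUDE ...]`. Also check that the `:::image` line renders inside the `> ` quoted note, since it is the only place in these articles where an image sits inside an alert block.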
virtual-wan Virtual Wan Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-faq.md
Yes, BGP communities generated by on-premises will be preserved in Virtual WAN.
### Why am I seeing a message and button called "Update router to latest software version" in portal?
-The Virtual WAN team has been working on upgrading virtual routers from their current Cloud Services infrastructure to Virtual Machine Scale Sets (VMSS) based deployments. This will enable the virtual hub router to now be availability zone aware and have enhanced scaling out capabilities during high CPU usage. If you navigate to your Virtual WAN hub resource and see this message and button, then you can upgrade your router to the lastest version by clicking on the button. The Cloud Services infrastructure will be deprecated soon, so **please migrate by May 31, 2022.**
+The Virtual WAN team has been working on upgrading virtual routers from their current Cloud Services infrastructure to Virtual Machine Scale Sets (VMSS) based deployments. This will enable the virtual hub router to now be availability zone aware and have enhanced scaling out capabilities during high CPU usage. If you navigate to your Virtual WAN hub resource and see this message and button, then you can upgrade your router to the lastest version by clicking on the button. The Cloud Services infrastructure will be deprecated soon. If you would like to take advantage of new Virtual WAN features, such as [BGP peering with the hub](create-bgp-peering-hub-portal.md), you will have to update your virtual hub router via Azure Portal.
-Note that youΓÇÖll only be able to update your virtual hub router if all the resources (gateways/route tables/VNET connections) in your hub are in a succeeded state. Additionally, as this operation requires deployment of new VMSS based virtual hub routers, youΓÇÖll face an expected downtime of 30 minutes per hub. Within a single Virtual WAN resource, hubs should be updated one at a time instead of updating multiple at the same time. When the Router Version says ΓÇ£LatestΓÇ¥, then the hub is done updating.
+Note that youΓÇÖll only be able to update your virtual hub router if all the resources (gateways/route tables/VNET connections) in your hub are in a succeeded state. Additionally, as this operation requires deployment of new VMSS based virtual hub routers, youΓÇÖll face an expected downtime of 30 minutes per hub. Within a single Virtual WAN resource, hubs should be updated one at a time instead of updating multiple at the same time. When the Router Version says ΓÇ£LatestΓÇ¥, then the hub is done updating. There will be no routing behavior changes after this update. If the update fails for any reason, your hub will be auto recovered to the old version to ensure there is still a working setup.
## Next steps
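Review bot: the rewritten first paragraph still carries the typo "lastest version" from the old text, and "via Azure Portal" should be "via the Azure portal" to match the rest of the docs. The explicit deadline ("please migrate by May 31, 2022") is removed, yet "The Cloud Services infrastructure will be deprecated soon" stays, which leaves readers with a warning and no date; either state the new date or say that one will be announced. The added sentences in the second paragraph (no routing behavior changes, automatic recovery to the old version on failure) are what an operator needs before accepting 30 minutes of downtime per hub, so consider moving them ahead of the downtime statement.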
virtual-wan Virtual Wan Site To Site Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-site-to-site-portal.md
Previously updated : 08/18/2021 Last updated : 03/18/2022 # Customer intent: As someone with a networking background, I want to connect my local site to my VNets using Virtual WAN and I don't want to go through a Virtual WAN partner.
In this tutorial you learn how to:
## Prerequisites
-Verify that you have met the following criteria before beginning your configuration:
+Verify that you've met the following criteria before beginning your configuration:
[!INCLUDE [Before you begin](../../includes/virtual-wan-before-include.md)]
Verify that you have met the following criteria before beginning your configurat
## <a name="hub"></a>Configure hub settings
-A hub is a virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality. For this tutorial, you begin by filling out the **Basics** tab for the virtual hub and then continue on to fill out the site-to-site tab in the next section. Note that it is possible to create an empty hub (a hub that does not contain any gateways) and then add gateways (S2S, P2S, ExpressRoute, etc.) later. Once a hub is created, you'll be charged for the hub, even if you don't attach any sites or create any gateways within the hub.
+A hub is a virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality. For this tutorial, you begin by filling out the **Basics** tab for the virtual hub and then continue on to fill out the site-to-site tab in the next section. It's also possible to create an empty hub (a hub that doesn't contain any gateways) and then add gateways (S2S, P2S, ExpressRoute, etc.) later. Once a hub is created, you'll be charged for the hub, even if you don't attach any sites or create any gateways within the hub.
[!INCLUDE [Create a hub](../../includes/virtual-wan-tutorial-s2s-hub-include.md)]
+Don't create the hub yet. Continue on to the next section to configure additional settings.
+ ## <a name="gateway"></a>Configure a site-to-site gateway In this section, you configure site-to-site connectivity settings, and then proceed to create the hub and site-to-site VPN gateway. A hub and gateway can take about 30 minutes to create.
In this section, you create a connection between the hub and your VNet.
## <a name="device"></a>Download VPN configuration
-Use the VPN device configuration file to configure your on-premises VPN device. The basic steps are listed below. The information about what the configuration file contains and how to configure your VPN device are
+Use the VPN device configuration file to configure your on-premises VPN device. The basic steps are listed below.
-1. Navigate to your **Virtual HUB -> VPN (Site to site)** page.
+1. From your Virtual WAN page, go to **Hubs -> Your virtual hub -> VPN (Site to site)** page.
-1. At the top of the **VPN (Site to site)** page, click **Download VPN Config**. You will see a series of messages as Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN.
+1. At the top of the **VPN (Site to site)** page, click **Download VPN Config**. You'll see a series of messages as Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN.
-1. Once the file has finished creating, click the link to download the file. To learn about the contents of the file, see [About the VPN device configuration file](#config-file) in this section.
+1. Once the file finishes creating, click the link to download the file. To learn about the contents of the file, see [About the VPN device configuration file](#config-file) in this section.
1. Apply the configuration to your on-premises VPN device. For more information, see [VPN device configuration](#vpn-device) in this section.
-1. After you have applied the configuration to your VPN devices, it isn't necessary to keep the storage account that Azure created. You can delete it.
+1. After you've applied the configuration to your VPN devices, it isn't necessary to keep the storage account that Azure created. You can delete it.
### <a name="config-file"></a>About the VPN device configuration file
The device configuration file contains the settings to use when configuring your
``` "ConnectedSubnets":["10.2.0.0/16","10.3.0.0/16"] ```
- * **IP addresses** of the virtual hub vpngateway. Because each connection of the vpngateway is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.<br>Example:
+ * **IP addresses** of the virtual hub vpngateway. Because each vpngateway connection is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.<br>Example:
``` "Instance0":"104.45.18.186" "Instance1":"104.45.13.195" ```
- * **Vpngateway connection configuration details** such as BGP, pre-shared key etc. The PSK is the pre-shared key that is automatically generated for you. You can always edit the connection in the Overview page for a custom PSK.
+ * **Vpngateway connection configuration details** such as BGP, pre-shared key etc. The PSK is the pre-shared key that is automatically generated for you. You can always edit the connection in the **Overview** page for a custom PSK.
### Example device configuration file
- ```
+```
{ "configurationVersion":{ "LastUpdatedTime":"2018-07-03T18:29:49.8405161Z",
The device configuration file contains the settings to use when configuring your
} ] }
- ```
+```
### <a name="vpn-device"></a>Configuring your VPN device
The device configuration file contains the settings to use when configuring your
If you need instructions to configure your device, you can use the instructions on the [VPN device configuration scripts page](~/articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#configscripts) with the following caveats:
-* The instructions on the VPN devices page are not written for Virtual WAN, but you can use the Virtual WAN values from the configuration file to manually configure your VPN device.
-
-* The downloadable device configuration scripts that are for VPN Gateway do not work for Virtual WAN, as the configuration is different.
+* The instructions on the VPN devices page aren't written for Virtual WAN, but you can use the Virtual WAN values from the configuration file to manually configure your VPN device.
+
+* The downloadable device configuration scripts that are for VPN Gateway don't work for Virtual WAN, as the configuration is different.
* A new Virtual WAN can support both IKEv1 and IKEv2.
If you need instructions to configure your device, you can use the instructions
## <a name="gateway-config"></a>View or edit gateway settings
-You can view and edit your VPN gateway settings at any time by navigating to **Virtual HUB -> VPN (Site to site)** and selecting **View/Configure**.
+You can view and edit your VPN gateway settings at any time. Go to your **Virtual HUB -> VPN (Site to site)** and select **View/Configure**.
:::image type="content" source="media/virtual-wan-site-to-site-portal/view-configuration-1.png" alt-text="Screenshot that shows the 'VPN (Site-to-site)' page with an arrow pointing to the 'View/Configure' action." lightbox="media/virtual-wan-site-to-site-portal/view-configuration-1-expand.png":::
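Review bot: the navigation path here ("Go to your **Virtual HUB -> VPN (Site to site)**") does not match the path introduced earlier in the same change for the download step ("From your Virtual WAN page, go to **Hubs -> Your virtual hub -> VPN (Site to site)** page"). Use the same starting point and the same casing ("Virtual HUB" versus "virtual hub") in both places so readers are not left guessing whether these are different blades.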
On the **Edit VPN Gateway** page, you can see the following settings:
* **Default BGP IP Address**: Assigned by Azure. * **Custom BGP IP Address**: This field is reserved for APIPA (Automatic Private IP Addressing). Azure supports BGP IP in the ranges 169.254.21.* and 169.254.22.*. Azure accepts BGP connections in these ranges but will dial connection with the default BGP IP.
- :::image type="content" source="media/virtual-wan-site-to-site-portal/view-configuration-2.png" alt-text="Screenshot shows the Edit VPN Gateway page with the Edit button highlighted." lightbox="media/virtual-wan-site-to-site-portal/view-configuration-2-expand.png":::
+ :::image type="content" source="media/virtual-wan-site-to-site-portal/edit-gateway.png" alt-text="Screenshot shows the Edit VPN Gateway page with the Edit button highlighted." lightbox="media/virtual-wan-site-to-site-portal/edit-gateway.png":::
## <a name="cleanup"></a>Clean up resources
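Review bot: the replacement image sets `lightbox` to the same file as `source` (`media/virtual-wan-site-to-site-portal/edit-gateway.png`), so clicking the image opens the same-size picture. The other screenshot in this section keeps a separate `-expand.png` lightbox; either add an expanded version of the new screenshot or drop the `lightbox` attribute.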