+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid"/>

+Azure Active Directory B2C (Azure AD B2C) supports federation with SAML 2.0 identity providers. This article describes how to parse the security assertions, and the configuration options that are available when enabling sign-in with a SAML identity provider.

+You can also include claims that not return by the identity provider, as long as you set the `DefaultValue` attribute. The default value can be static or dynamic, using [context claims](#enable-use-of-context-claims).

+- **DefaultValue** is a predefined default value. If the claim is empty, the default value is used. You can also use a [claim resolvers](claim-resolver-overview.md) with a contextual value, such as the correlation ID, or the user IP address.

+To read the SAML assertion **NameId** in the **Subject** as a normalized claim, set the claim **PartnerClaimType** to the value of the `SPNameQualifier` attribute. If the `SPNameQualifier`attribute isn't presented, set the claim **PartnerClaimType** to value of the `NameQualifier` attribute.

+If both `SPNameQualifier` or `NameQualifier` attributes aren't presented in the SAML assertion, set the claim **PartnerClaimType** to `assertionSubjectName`. Make sure the **NameId** is the first value in assertion XML. When you define more than one assertion, Azure AD B2C picks the subject value from the last assertion.

+The following XML is an example of an Azure AD metadata single sign-on service with two bindings. The `HTTP-Redirect` takes precedence over the `HTTP-POST` because it appears first in the SAML identity provider metadata.

+The Assertion Consumer Service (or ACS) is where the identity provider SAML responses are sent and received by Azure AD B2C. SAML responses are transmitted to Azure AD B2C via HTTP POST binding. The ACS location points to your relying party's base policy. For example, if the relying policy is *B2C_1A_signup_signin*, the ACS is the base policy of the *B2C_1A_signup_signin*, such as *B2C_1A_TrustFrameworkBase*.

+The following XML is an example of an Azure AD B2C policy metadata assertion consumer service element.

+When the identity provider indicates that Azure AD B2C binding is set to `HTTP-POST`, Azure AD B2C includes the signature and the algorithm in the body of the SAML request. You can also configure Azure AD to include the public key of the certificate when the binding is set to `HTTP-POST`. Use the **IncludeKeyInfo** metadata to `true`, or `false`. In the following example, Azure AD doesn't include the public key of the certificate.

+By default, the SAML authorization request specifies the `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` policy. This name ID indicates that any type of identifier supported by the identity provider for the requested subject can be used.

+The `ForceAuthN` property is a Boolean `true` or `false` value. By default, Azure AD B2C sets the ForceAuthN value to `false`. If the session is then reset (for example by using the `prompt=login` in OIDC), then the `ForceAuthN` value is set to `true`. Setting the `ForceAuthN` metadata to `true` forces the value for all requests to the external IDP.

+You can optionally include the `ProviderName` attribute in the SAML authorization request. Set the `ProviderName` metadata to include the provider name for all requests to the external SAML IDP. The following example shows the `ProviderName` property set to `Contoso app`:

+> Per the SAML specification, the extension data must be namespace-qualified XML (for example, 'urn:ext:custom' shown in the sample), and it must not be one of the SAML-specific namespaces.

+With the SAML protocol message extension, the SAML response looks like the following example:

+Azure AD B2C requires all incoming assertions to be signed. You can remove this requirement by setting the **WantsSignedAssertions** to `false`. The identity provider shouldnΓÇÖt sign the assertions in this case, but even if it does, Azure AD B2C doesn't validate the signature.

+If you disable the assertions validation, you might also want to disable the response message signature validation. Set the **ResponsesSigned** metadata to `false`. The identity provider shouldnΓÇÖt sign the SAML response message in this case, but even if it does, Azure AD B2C doesn't validate the signature.

+In the input and output claims collection, you can include claims that not return by the identity provider as long as you set the `DefaultValue` attribute. You can also use [context claims](claim-resolver-overview.md) to be included in the technical profile. To use a context claim:

+To help configure and debug federation with a SAML identity provider, you can use a browser extension for the SAML protocol, such as [SAML DevTools extension](https://chrome.google.com/webstore/detail/saml-devtools-extension/jndllhgbinhiiddokbeoeepbppdnhhio) for Chrome, [SAML-tracer](https://addons.mozilla.org/es/firefox/addon/saml-tracer/) for FireFox, or [Microsoft Edge or IE Developer tools](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/gathering-a-saml-token-using-edge-or-ie-developer-tools/ba-p/320957).

+- Check if the SAML request contains a signature and determine what algorithm is used to sign in the authorization request.

+- Get the claims (assertions) under the `AttributeStatement` section.

+- Check if the identity provider returns an error message.

+- Check if the assertion section is encrypted.

+## SAML request and response samples

+Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. When Azure AD B2C federates with a SAML identity provider, it acts as a **service provider** initiating a SAML request to the SAML **identity provider**, and waiting for a SAML response.

+A success SAML response contains security **assertions** which are statements that made by the external SAML identity providers. Azure AD B2C parses and [maps the assertions](#claims-mapping) into claims.

+### Authorization request

+To request a user authentication, Azure AD B2C sends an `AuthnRequest` element to the external SAML identity provider. A sample SAML 2.0 `AuthnRequest` could look like the following example:

+```xml

+<samlp:AuthnRequest

+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

+ ID="_11111111-0000-0000-0000-000000000000"

+ Version="2.0"

+ IssueInstant="2023-03-20T07:10:00.0000000Z"

+ Destination="https://fabrikam.com/saml2"

+ ForceAuthn="false"

+ IsPassive="false"

+ ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

+ AssertionConsumerServiceURL="https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer"

+ ProviderName="https://fabrikam.com"

+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

+ <saml:Issuer

+ Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_TrustFrameworkBase

+ </saml:Issuer>

+</samlp:AuthnRequest>

+```

+### Response

+When a requested sign-on completes successfully, the external SAML identity provider posts a response to Azure AD B2C [assertion consumer service](#assertion-consumer-service) endpoint. A response to a successful sign-on attempt looks like the following sample:

+```xml

+<samlp:Response

+ ID="_98765432-0000-0000-0000-000000000000"

+ Version="2.0"

+ IssueInstant="2023-03-20T07:11:30.0000000Z"

+ Destination="https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer"

+ InResponseTo="_11111111-0000-0000-0000-000000000000"

+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

+ <Issuer

+ xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://fabrikam.com/

+ </Issuer>

+ <samlp:Status>

+ <samlp:StatusCode

+ Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

+ </samlp:Status>

+ <Assertion

+ ID="_55555555-0000-0000-0000-000000000000"

+ IssueInstant="2023-03-20T07:40:45.505Z"

+ Version="2.0"

+ xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

+ <Issuer>https://fabrikam.com/</Issuer>

+ <Signature

+ xmlns="http://www.w3.org/2000/09/xmldsig#">

+ ...

+ </Signature>

+ <Subject>

+ <NameID

+ Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ABCDEFG

+ </NameID>

+ ...

+ </Subject>

+ <AttributeStatement>

+ <Attribute Name="uid">

+ <AttributeValue>12345</AttributeValue>

+ </Attribute>

+ <Attribute Name="displayname">

+ <AttributeValue>David</AttributeValue>

+ </Attribute>

+ <Attribute Name="email">

+ <AttributeValue>david@contoso.com</AttributeValue>

+ </Attribute>

+ ....

+ </AttributeStatement>

+ <AuthnStatement

+ AuthnInstant="2023-03-20T07:40:45.505Z"

+ SessionIndex="_55555555-0000-0000-0000-000000000000">

+ <AuthnContext>

+ <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>

+ </AuthnContext>

+ </AuthnStatement>

+ </Assertion>

+</samlp:Response>

+```

+### Logout request

+Upon an application sign-out request, Azure AD B2C attempts to sign out from your SAML identity provider. Azure AD B2C sends a `LogoutRequest` message to the external IDP to indicate that a session has been terminated. The following excerpt shows a sample `LogoutRequest` element.

+The value of the `NameID` element matches the `NameID` of the user that is being signed out. The `SessionIndex` element matches the `SessionIndex` attribute of `AuthnStatement` in the sign-in SAML response.

+```xml

+<samlp:LogoutRequest

+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+ ID="_22222222-0000-0000-0000-000000000000"

+ Version="2.0"

+ IssueInstant="2023-03-20T08:21:07.3679354Z"

+ Destination="https://fabrikam.com/saml2/logout"

+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

+ <saml:Issuer

+ Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_TrustFrameworkBase

+ </saml:Issuer>

+ <saml:NameID>ABCDEFG</saml:NameID>

+ <samlp:SessionIndex>_55555555-0000-0000-0000-000000000000</samlp:SessionIndex>

+</samlp:LogoutRequest>

+```

+Before you get started, make sure you're familiar with app management and **single sign-on (SSO)** concepts. Check out the following links:

+- **Default value if null (optional)** - The value that will be passed to the target system if the source attribute is null. This value will only be provisioned when a user is created. The "default value when null" won't be provisioned when updating an existing user. If for example, you want to provision all existing users in the target system with a particular Job Title (when it's null in the source system), you can use the following [expression](../app-provisioning/functions-for-customizing-application-data.md): Switch(IsPresent([jobTitle]), "DefaultValue", "True", [jobTitle]). Make sure to replace the "Default Value" with what you would like to provision when null in the source system.

+- **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. While you can set as many matching attributes as you would like, consider whether the attributes you're using as matching attributes are truly unique and need to be matching attributes. Generally customers have 1 or 2 matching attributes in their configuration.

+The Azure AD provisioning service can be deployed in both "green field" scenarios (where users don't exist in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:

+When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Click the link for information about each method.

+1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md)

+1. [Certificate-based authentication](concept-certificate-based-authentication.md)

+1. [FIDO2 security key](concept-authentication-passwordless.md#fido2-security-keys)

+1. [Time-based one-time password (TOTP)](concept-authentication-oath-tokens.md)¹

+1. [Telephony](concept-authentication-phone-options.md)²

+¹ Includes hardware or software TOTP from Microsoft Authenticator, Authenticator Lite, or third-party applications.

+² Includes SMS and voice calls.

+For error handling in authentication flows with redirect methods (`loginRedirect`, `acquireTokenRedirect`), you'll need to handle the redirect promise, which is called with success or failure after the redirect using the `handleRedirectPromise()` method as follows:

+const msal = require('@azure/msal-browser');

+const myMSALObj = new msal.PublicClientApplication(msalConfig);

+myMSALObj.handleRedirectPromise()

+ .then(function (response) {

+ //success response

+ })

+ .catch((error) => {

+ console.log(error);

+ })

+ // due to interaction required

+ if (error instanceof InteractionRequiredAuthError) {

+ // extract, if exists, claims from the error object

+ if (error.claims) {

+ accessTokenRequest.claims = error.claims,

+When calling an API requiring Conditional Access, you can receive a claims challenge in the error from the API. In this case, you can pass the claims returned in the error to the `claims` parameter in the [access token request object](https://learn.microsoft.com/azure/active-directory/develop/msal-js-pass-custom-state-authentication-request) to satisfy the appropriate policy.

+See [How to use Continuous Access Evaluation enabled APIs in your applications](./app-resilience-continuous-access-evaluation.md) for more detail.

+Consider enabling [Logging in MSAL.js](msal-logging-js.md) to help you diagnose and debug issues

+## February 2023

+### General Availability - Filter and transform group names in token claims configuration using regular expression

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** SSO

+Filter and transform group names in token claims configuration using regular expression. Many application configurations on ADFS and other IdPs rely on the ability to create authorization claims based on the content of Group Names using regular expression functions in the claim rules. Azure AD now has the capability to use a regular expression match and replace function to create claim content based on Group **onpremisesSAMAccount** names. This functionality will allow those applications to be moved to Azure AD for authentication using the same group management patterns. For more information, see: [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md).

+### General Availability - Filter groups in tokens using a substring match

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** SSO

+Azure AD now has the capability to filter the groups included in the token using substring match on the display name or **onPremisesSAMAccountName** attributes of the group object. Only Groups the user is a member of will be included in the token.This was a blocker for some of our customers to migrate their apps from ADFS to Azure AD. This feature will unblock those challenges.

+For more information, see:

+- [Group Filter](../develop/reference-claims-mapping-policy-type.md#group-filter).

+- [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md).

+### General Availability - New SSO claims transformation features

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** SSO

+Azure AD now supports claims transformations on multi-valued attributes and can emit multi-valued claims. More functions to allow match and string operations on claims processing to enable apps to be migrated from other IdPs to Azure AD. This includes: Match on Empty(), NotEmpty(), Prefix(), Suffix(), and extract substring operators. For more information, see: [Claims mapping policy type](../develop/reference-claims-mapping-policy-type.md).

+### General Availability - New Detection for Service Principal Behavior Anomalies

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Security & Protection

+Post-authentication anomalous activity detection for workload identities. This detection focuses specifically on detection of post authenticated anomalous behavior performed by a workload identity (service principal). Post-authentication behavior will be assessed for anomalies based on an action and/or sequence of actions occurring for the account. Based on the scoring of anomalies identified, the offline detection may score the account as low, medium, or high risk. The risk allocation from the offline detection will be available within the Risky workload identities reporting blade. A new detection type identified as Anomalous service principal activity will appear in filter options. For more information, see: [Securing workload identities](../identity-protection/concept-workload-identity-risk.md).

+### General Availability - Microsoft cloud settings for Azure AD B2B

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

+- Microsoft Azure commercial and Microsoft Azure Government

+- Microsoft Azure commercial and Microsoft Azure China 21Vianet

+For more information about Microsoft cloud settings for B2B collaboration., see: [Microsoft cloud settings](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).

+### Public Preview - Support for Directory Extensions using Azure AD cloud sync

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Azure AD Connect Cloud Sync

+Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience.

+For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../cloud-sync/custom-attribute-mapping.md)

+### General Availability - On-premises application provisioning

+**Type:** Changed feature

+**Service category:** Provisioning

+**Product capability:** Outbound to On-premises Applications

+Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](../app-provisioning/on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md) user store, or a [SQL](../app-provisioning/tutorial-ecma-sql-connector.md) database, Azure AD can support those as well.

+- Does the Security Assertion Markup Language (SAML) application certificate need to be renewed?

+- Are shared and guest user accounts used to access the application?

+| Help desk admin | Tier 1 support view the sign-in logs to resolve issues. | None |

+| Identity admin | Configure and debug when issues involve Azure AD | Cloud Application Administrator |

+| Infrastructure admins | Certificate rollover owner | Cloud Application Administrator |

+When you enable federation on SAML application, Azure AD creates a certificate that is by default valid for three years. You can customize the expiration date for that certificate if needed. Ensure that you have processes in place to renew certificates prior to their expiration.

+writer: twimmers

+ms.assetid: 5f03d8b7-c3a0-443e-91af-99cc3956fa18

+ 

+ > [!NOTE]

+ > - Tenant URL: https://**InsertInstanceName**.service-now.com/api/now/scim

+ > - Authorization Endpoint: https://**InsertInstanceName**.service-now.com/oauth_auth.do?response_type=code&client_id=**InsertClientID**&state=1&scope=useraccount&redirect_uri=https%3A%2F%2Fportal.azure.com%2FTokenAuthorize

+ > - Token Endoint: https://**InsertInstanceName**.service-now.com/api/now/scim

+

+No, license assignment isn't required.

+Yes, customers can have a mixture of license plans in one tenant.

+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

+1. Select **Containers** > **Kubernetes Service**.

+1. On the **Basics** page, configure the following options:

+ * Ensure the **Preset configuration** is *Standard ($$)*. For more details on preset configurations, see [Cluster configuration presets in the Azure portal][preset-config].

+1. Select **Next: Node pools** when complete.

+1. Keep the default **Node pools** options. At the bottom of the screen, click **Next: Access**.

+1. On the **Access** page, configure the following options:

+1. Select **Next: Networking** when complete.

+1. Keep the default **Networking** options. At the bottom of the screen, click **Next: Integrations**.

+1. On the **Integrations** page, if you want to enable the [recommended out-of-the-box alerts](../../azure-monitor/alerts/alerts-overview.md#recommended-alert-rules) for AKS clusters, select **Enable recommended alert rules**. You can see the list of alerts that are automatically enabled if you select this option.

+1. Click **Review + create**. When you navigate to the **Review + create** tab, Azure runs validation on the settings that you have chosen. If validation passes, you can proceed to create the AKS cluster by selecting **Create**. If validation fails, then it indicates which settings need to be modified.

+1. It takes a few minutes to create the AKS cluster. When your deployment is complete, navigate to your resource by either:

+ Title: Create a managed or user-assigned NAT gateway

+description: Learn how to create an AKS cluster with managed NAT integration and user-assigned NAT gateway.

+# Create a managed or user-assigned NAT gateway

+This article shows you how to create an AKS cluster with a managed NAT gateway and a user-assigned NAT gateway for egress traffic and how to disable OutboundNAT on Windows.

+## Create an AKS cluster with a managed NAT gateway

+To create an AKS cluster with a new managed NAT Gateway, use `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` when running `az aks create`. If you want the NAT gateway to be able to operate out of availability zones, specify the zones using `--zones`.

+## Create an AKS cluster with a user-assigned NAT gateway

+To create an AKS cluster with a user-assigned NAT gateway, use `--outbound-type userAssignedNATGateway` when running `az aks create`. This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the `az aks create` command.

+* * If you're using Azure CLI, the **aks-preview** extension version **0.5.74 or later** is required.

+* To learn about what Roles to use in various scenarios, see:

+ * [AzureML access to AKS clusters with special configurations](https://github.com/Azure/AML-Kubernetes/blob/master/docs/azureml-aks-ta-support.md).

+ * [AKS backup using Azure Backup][aks-azure-backup]

+[aks-azure-backup]: ../backup/azure-kubernetes-service-backup-overview.md

+[1(I2v2) = $563.56](https://azure.com/e/17946ea2c4db483d882526ba515a6771)

+[1(I1v2) = $281.78](https://azure.com/e/9d481c3af3cd407d975017c2b8158bbd)

+[1(I1v2) = **$281.78**](https://azure.com/e/9d481c3af3cd407d975017c2b8158bbd)

+[14(I1v2) = **$3,944.92**](https://azure.com/e/e0f1ebacf937479ba073a9c32cb2452f)

+ You're on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address change. Note for ELB App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses). For a full comparison of the App Service Environment versions, see [App Service Environment version comparison](version-comparison.md).

+| Japan West | ✅ | | ✅ |

+### Logging and monitoring

+|Feature |[App Service Environment v1](app-service-app-service-environment-intro.md) |[App Service Environment v2](intro.md) |[App Service Environment v3](overview.md) |

+|||||

+|Application logging to storage account over virtual network |Yes |Yes |No. The recommendation is to use [diagnostics logging](../overview-diagnostics.md) instead. If you need to use a firewall for the logging storage account, the storage account must be in a different region and use the outbound public addresses of the App Service Environment in the rules. For more information, see [networking considerations](../troubleshoot-diagnostic-logs.md#networking-considerations). |

+|Azure Policy integration|Yes |Yes |Yes |

+|Azure Advisor integration|Yes |Yes |Yes |

+### Pricing

+App Service Environment v3 is often cheaper than previous versions due to the removal of the stamp fee and larger instance sizes. For information and example scenarios on how migrating to App Service Environment v3 can affect your costs, see the [migration pricing samples](migrate.md#pricing) and [Estimate your cost savings by migrating to App Service Environment v3](https://azure.github.io/AppService/2023/03/02/App-service-environment-v3-pricing.html).

+|Feature |[App Service Environment v1](app-service-app-service-environment-intro.md) |[App Service Environment v2](intro.md) |[App Service Environment v3](overview.md) |

+|||||

+|Pricing |Pay for each vCPU |Stamp fee plus cost per Isolated instance, reservations are available for the stamp fee |No stamp fee and the Isolated v2 rate has 1-3 year reserved instance pricing. Azure Savings Plans for Compute are also available. |

+zone_pivot_groups: deploy-python-web-app-postgressql

+## Troubleshooting

+Listed below are issues you may encounter while trying to work through this tutorial and steps to resolve them.

+#### I can't connect to the SSH session

+If you can't connect to the SSH session, then the app itself has failed to start. Check the [diagnostic logs](#6-stream-diagnostic-logs) for details. For example, if you see an error like `KeyError: 'AZURE_POSTGRESQL_CONNECTIONSTRING'`, it may mean that the environment variable is missing (you may have removed the app setting).

+#### I get an error when running database migrations

+If you encounter any errors related to connecting to the database, check if the app settings (`AZURE_POSTGRESQL_CONNECTIONSTRING`) have been changed. Without that connection string, the migrate command can't communicate with the database.

+## Provision and deploy using the Azure Developer CLI

+Sample Python application templates using the Flask and Django framework are provided for this tutorial. The [Azure Developer CLI](/azure/developer/azure-developer-cli/overview) greatly streamlines the process of provisioning application resources and deploying code on Azure. For a more step-by-step approach using the Azure portal and other tools, toggle to the **Azure portal** approach at the top of the page.

+The Azure Developer CLI (azd) provides end-to-end support for project initialization, provisioning, deploying, monitoring and scaffolding a CI/CD pipeline to run against real Azure resources. You can use `azd` to provision and deploy the resources for the sample application in an automated and streamlined way.

+Follow the steps below to setup the Azure Developer CLI and provision and deploy the sample application:

+1. Install the Azure Developer CLI. For a full list of supported installation options and tools, visit the [installation guide](/azure/developer/azure-developer-cli/install-azd).

+ ### [Windows](#tab/windows)

+ ```azdeveloper

+ powershell -ex AllSigned -c "Invoke-RestMethod 'https://aka.ms/install-azd.ps1' | Invoke-Expression"

+ ```

+ ### [Linux/MacOS](#tab/linuxmac)

+ ```azdeveloper

+ curl -fsSL https://aka.ms/install-azd.sh | bash

+ ```

+

+1. Run the `azd up` command to clone, provision and deploy the app resources. Provide the name of the template you wish to use for the `--template` parameter. The `azd up` command will also prompt you to login to Azure and provide a name and location for the app.

+ ### [Flask](#tab/flask)

+

+ ```bash

+ azd up --template msdocs-flask-postgresql-sample-app

+ ```

+

+ ### [Django](#tab/django)

+

+ ```bash

+ azd up --template msdocs-django-postgresql-sample-app

+ ```

+1. When the `azd up` command finishes running, the URL for your deployed web app in the console will be printed. Click, or copy and paste the web app URL into your browser to explore the running app and verify that it is working correctly. All of the Azure resources and application code were set up for you by the `azd up` command.

+ The name of the resource group that was created is also displayed in the console output. Locate the resource group in the Azure portal to see all of the provisioned resources.

+ :::image type="content" border="False" source="./media/tutorial-python-postgresql-app/azd-resources-small.png" lightbox="./media/tutorial-python-postgresql-app/azd-resources.png" alt-text="A screenshot showing the resources deployed by the Azure Developer CLI.":::

+The Azure Developer CLI also enables you to configure your application to use a CI/CD pipeline for deployments, setup monitoring functionality, and even remove the provisioned resources if you want to tear everything down. For more information about these additional workflows, visit the project [README](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app/blob/main/README.md).

+## Explore the completed azd project template workflow

+The sections ahead review the steps that `azd` handled for you in more depth. You can explore this workflow to better understand the requirements for deploying your own apps to Azure. When you ran `azd up`, the Azure Developer CLI completed the following steps:

+> [!NOTE]

+> You can also use the steps outlined in the **Azure portal** version of this flow to gain additional insights into the tasks that `azd` completed for you.

+### 1. Cloned and initialized the project

+The `azd up` command cloned the sample app project template to your machine. The project template includes the following components:

+* **Source code**: The code and assets for a Flask or Django web app that can be used for local development or deployed to Azure.

+* **Bicep files**: Infrastructure as code (IaC) files that are used by `azd` to create the necessary resources in Azure.

+* **Configuration files**: Essential configuration files such as `azure.yaml` that are used by `azd` to provision, deploy and wire resources together to produce a fully-fledged application.

+### 2. Provisioned the Azure resources

+The `azd up` command created all of the resources for the sample application in Azure using the Bicep files in the [`infra`](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app/tree/main/infra) folder of the project template. [Bicep](/azure/azure-resource-manager/bicep/overview?tabs=bicep) is a declarative language used to manage Infrastructure as Code in Azure. Some of the key resources and configurations created by the template include:

+* **Resource group**: A resource group was created to hold all of the other provisioned Azure resources. The resource group keeps your resources well organized and easier to manage. The name of the resource group is based off of the environment name you specified during the `azd up` initialization process.

+* **Azure Virtual Network**: A virtual network was created to enable the provisioned resources to securely connect and communicate with one another. Related configurations such as setting up a private DNS zone link were also applied.

+* **Azure App Service plan**: An App Service plan was created to host App Service instances. App Service plans define what compute resources are available for one or more web apps.

+* **Azure App Service**: An App Service instance was created in the new App Service plan to host and run the deployed application. In this case a Linux instance was created and configured to run Python apps. Additional configurations were also applied to the app service, such as setting the Postgres connection string and secret keys.

+* **Azure Database for PostgresSQL**: A Postgres database and server were created for the app hosted on App Service to connect to. The required admin user, network and connection settings were also configured.

+* **Azure Application Insights**: Application insights was setup and configured for the app hosted on the App Service. This service enables detailed telemetry and monitoring for your application.

+You can inspect the Bicep files in the [`infra`](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app/tree/main/infra) folder of the project to understand how each of these resources were provisioned in more detail. The `resources.bicep` file defines most of the different services created in Azure. For example, the App Service plan and App Service web app instance were created and connected using the following Bicep code:

+### [Flask](#tab/flask)

+```yaml

+resource appServicePlan 'Microsoft.Web/serverfarms@2021-03-01' = {

+ name: '${prefix}-service-plan'

+ location: location

+ tags: tags

+ sku: {

+ name: 'B1'

+ }

+ properties: {

+ reserved: true

+ }

+}

+resource web 'Microsoft.Web/sites@2022-03-01' = {

+ name: '${prefix}-app-service'

+ location: location

+ tags: union(tags, { 'azd-service-name': 'web' })

+ kind: 'app,linux'

+ properties: {

+ serverFarmId: appServicePlan.id

+ siteConfig: {

+ alwaysOn: true

+ linuxFxVersion: 'PYTHON|3.10'

+ ftpsState: 'Disabled'

+ appCommandLine: 'startup.sh'

+ }

+ httpsOnly: true

+ }

+ identity: {

+ type: 'SystemAssigned'

+ }

+```

+### [Django](#tab/django)

+```yml

+resource appServicePlan 'Microsoft.Web/serverfarms@2021-03-01' = {

+ name: '${prefix}-service-plan'

+ location: location

+ tags: tags

+ sku: {

+ name: 'B1'

+ }

+ properties: {

+ reserved: true

+ }

+}

+resource web 'Microsoft.Web/sites@2022-03-01' = {

+ name: '${prefix}-app-service'

+ location: location

+ tags: union(tags, { 'azd-service-name': 'web' })

+ kind: 'app,linux'

+ properties: {

+ serverFarmId: appServicePlan.id

+ siteConfig: {

+ alwaysOn: true

+ linuxFxVersion: 'PYTHON|3.10'

+ ftpsState: 'Disabled'

+ appCommandLine: 'startup.sh'

+ }

+ httpsOnly: true

+ }

+ identity: {

+ type: 'SystemAssigned'

+ }

+```

+The Azure Database for PostgreSQL was also created using the following Bicep:

+```yml

+resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-01-20-preview' = {

+ location: location

+ tags: tags

+ name: pgServerName

+ sku: {

+ name: 'Standard_B1ms'

+ tier: 'Burstable'

+ }

+ properties: {

+ version: '12'

+ administratorLogin: 'postgresadmin'

+ administratorLoginPassword: databasePassword

+ storage: {

+ storageSizeGB: 128

+ }

+ backup: {

+ backupRetentionDays: 7

+ geoRedundantBackup: 'Disabled'

+ }

+ network: {

+ delegatedSubnetResourceId: virtualNetwork::databaseSubnet.id

+ privateDnsZoneArmResourceId: privateDnsZone.id

+ }

+ highAvailability: {

+ mode: 'Disabled'

+ }

+ maintenanceWindow: {

+ customWindow: 'Disabled'

+ dayOfWeek: 0

+ startHour: 0

+ startMinute: 0

+ }

+ }

+ dependsOn: [

+ privateDnsZoneLink

+ ]

+}

+```

+### 3. Deployed the application

+The `azd up` command also deployed the sample application code to the provisioned Azure resources. The Developer CLI understands how to deploy different parts of your application code to different services in Azure using the `azure.yaml` file at the root of the project. The `azure.yaml` file specifies the app source code location, the type of app, and the Azure Service that should host that app.

+Consider the following `azure.yaml` file. These configurations tell the Azure Developer CLI that the Python code that lives at the root of the project should be deployed to the created App Service.

+### [Flask](#tab/flask)

+```yml

+name: flask-postgresql-sample-app

+metadata:

+ template: flask-postgresql-sample-app@0.0.1-beta

+ web:

+ project: .

+ language: py

+ host: appservice

+```

+### [Django](#tab/django)

+```yml

+name: django-postgresql-sample-app

+metadata:

+ template: django-postgresql-sample-app@0.0.1-beta

+ web:

+ project: .

+ language: py

+ host: appservice

+```

+## Remove the resources

+Once you are finished experimenting with your sample application, you can run the `azd down` command to remove the app from Azure. Removing resources helps to avoid unintended costs or unused services in your Azure subscription.

+```bash

+azd down

+```

+ ```yml

+ version: '3.3'

+ nginx:

+ image: nginx:alpine

+ container_name: reverseproxy

+ volumes:

+ - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf

+ ports:

+ - "5000:5000"

+ rabbitmq:

+ container_name: ${RABBITMQ_HOSTNAME}

+ image: rabbitmq:3

+ expose:

+ - "5672"

+ layout:

+ container_name: azure-cognitive-service-layout

+ image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout

+ depends_on:

+ - rabbitmq

+ environment:

+ eula: accept

+ apikey: ${FORM_RECOGNIZER_KEY}

+ billing: ${FORM_RECOGNIZER_ENDPOINT_URI}

+ Queue:RabbitMQ:HostName: ${RABBITMQ_HOSTNAME}

+ Queue:RabbitMQ:Port: ${RABBITMQ_PORT}

+ Logging:Console:LogLevel:Default: Information

+ SharedRootFolder: /shared

+ Mounts:Shared: /shared

+ Mounts:Output: /logs

+ volumes:

+ - type: bind

+ source: ${SHARED_MOUNT_PATH}

+ target: /shared

+ - type: bind

+ source: ${OUTPUT_MOUNT_PATH}

+ target: /logs

+ expose:

+ - "5000"

+ custom-api:

+ container_name: azure-cognitive-service-custom-api

+ image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/custom-api

+ restart: always

+ depends_on:

+ - rabbitmq

+ environment:

+ eula: accept

+ apikey: ${FORM_RECOGNIZER_KEY}

+ billing: ${FORM_RECOGNIZER_ENDPOINT_URI}

+ Logging:Console:LogLevel:Default: Information

+ Queue:RabbitMQ:HostName: ${RABBITMQ_HOSTNAME}

+ Queue:RabbitMQ:Port: ${RABBITMQ_PORT}

+ SharedRootFolder: /shared

+ Mounts:Shared: /shared

+ Mounts:Output: /logs

+ volumes:

+ - type: bind

+ source: ${SHARED_MOUNT_PATH}

+ target: /shared

+ - type: bind

+ source: ${OUTPUT_MOUNT_PATH}

+ target: /logs

+ expose:

+ - "5000"

+ custom-supervised:

+ container_name: azure-cognitive-service-custom-supervised

+ image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/custom-supervised

+ restart: always

+ depends_on:

+ - rabbitmq

+ environment:

+ eula: accept

+ apikey: ${FORM_RECOGNIZER_KEY}

+ billing: ${FORM_RECOGNIZER_ENDPOINT_URI}

+ CustomFormRecognizer:ContainerPhase: All

+ CustomFormRecognizer:LayoutAnalyzeUri: http://azure-cognitive-service-layout:5000/formrecognizer/v2.1/layout/analyze

+ Logging:Console:LogLevel:Default: Information

+ Queue:RabbitMQ:HostName: ${RABBITMQ_HOSTNAME}

+ Queue:RabbitMQ:Port: ${RABBITMQ_PORT}

+ SharedRootFolder: /shared

+ Mounts:Shared: /shared

+ Mounts:Output: /logs

+ volumes:

+ - type: bind

+ source: ${SHARED_MOUNT_PATH}

+ target: /shared

+ - type: bind

+ source: ${OUTPUT_MOUNT_PATH}

+ target: /logs

+ ```

+- [PowerShell](https://github.com/Azure/azure-powershell/blob/main/src/Automanage/help/Az.Automanage.md)

+- [Azure CLI](https://github.com/Azure/azure-cli-extensions/tree/main/src/automanage)

+- Delete profiles

+> **User-assigned managed identities (UAMI) are in general supported for Azure jobs only.** One other scenario in which user-assigned managed identities (UAMI) run successfully in Hybrid Workers is, when only the Hybrid Worker VM has a UAMI assigned (i.e., the Automation Account can't have any UAMI assigned, otherwise the VM UAMI will fail authenticating).

+- Australia East

+- Brazil South

+- Canada Central

+- Central US

+- East US 2

+- Germany West Central

+- North Europe

+- Qatar Central

+- South Africa North

+- South Central US

+- South East Asia

+- West Europe

+- West US 2

+You've set up your app to use the [options pattern in ASP.NET Core](/aspnet/core/fundamentals/configuration/options) during the quickstart. When the underlying configuration of your app is updated from App Configuration, your strongly typed `Settings` object obtained via `IOptionsSnapshot<T>` is updated automatically. Note that you shouldn't use the `IOptions<T>` if dynamic configuration update is desired because it doesn't read configuration data after the app has started.

+## Back up and restore

+- Renaming databases is currently not supported, during point in time restore.

+- Transactional replication is currently not supported.

+- Log shipping is currently blocked.

+- Creating a database using SQL Server Management Studio does not work currently. Use the T-SQL command `CREATE DATABASE` to create databases.

+This table summarizes answers to frequently asked questions regarding support roles and responsibilities.

+__Why doesn't Microsoft provide SLAs on Azure Arc hybrid services?__ Customers and their partners own and operate the infrastructure that Azure Arc hybrid services run on so Microsoft can't provide the SLA.

+Azure provides configuration management capability using GitOps in Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes clusters.

+GitOps is enabled in an Azure Arc-enabled Kubernetes or AKS cluster as a `Microsoft.KubernetesConfiguration/extensions/microsoft.flux` [cluster extension](./conceptual-extensions.md) resource. The `microsoft.flux` extension must be installed in the cluster before one or more `fluxConfigurations` can be created. The extension is installed automatically when you create the first `Microsoft.KubernetesConfiguration/fluxConfigurations` in a cluster, or you can install it manually using the portal, the Azure CLI (`az k8s-extension create --extensionType=microsoft.flux`), ARM template, or REST API.

+By default, the `microsoft.flux` extension installs the [Flux controllers](https://fluxcd.io/docs/components/) (Source, Kustomize, Helm, Notification) and the FluxConfig CRD, fluxconfig-agent, and fluxconfig-controller. You can control which of these controllers is installed. Optionally, you can also install the Flux image-automation and image-reflector controllers, which provide functionality for updating and retrieving Docker images.

+* [Flux Source controller](https://toolkit.fluxcd.io/components/source/controller/): Watches the `source.toolkit.fluxcd.io` custom resources. Handles synchronization between the Git repositories, Helm repositories, Buckets and Azure Blob storage. Handles authorization with the source for private Git, Helm repos and Azure blob storage accounts. Surfaces the latest changes to the source through a tar archive file.

+* fluxconfig-agent: Responsible for watching Azure for new or updated `fluxConfigurations` resources, and for starting the associated Flux configuration in the cluster. Also responsible for pushing Flux status changes in the cluster back to Azure for each `fluxConfigurations` resource.

+> The `microsoft.flux` extension is installed in the `flux-system` namespace and has [cluster-wide scope](conceptual-extensions.md#extension-scope). The option to install this extension at the namespace scope is not available, and attempts to install at namespace scope will fail with 400 error.

+`fluxconfig-agent` is responsible for the following tasks:

+`fluxconfig-controller` is responsible for the following tasks:

+Each `fluxConfigurations` resource in Azure is associated with one Flux `GitRepository` or `Bucket` custom resource and one or more `Kustomization` custom resources in a Kubernetes cluster. When you create a `fluxConfigurations` resource, you specify the URL to the source (Git repository, Bucket or Azure Blob storage) and the sync target in the source for each `Kustomization`. You can configure dependencies between `Kustomization` custom resources to control deployment sequencing. You can also create multiple namespace-scoped `fluxConfigurations` resources on the same cluster for different applications and app teams.

+> The `fluxconfig-agent` monitors for new or updated `fluxConfiguration` resources in Azure. The agent requires connectivity to Azure for the desired state of the `fluxConfiguration` to be applied to the cluster. If the agent is unable to connect to Azure, there will be a delay in making changes in the cluster until the agent can connect. If the cluster is disconnected from Azure for more than 48 hours, then the request to the cluster will time-out, and the changes will need to be reapplied in Azure.

+If you've added support for [private link to an Azure Arc-enabled Kubernetes cluster](private-link.md), then the `microsoft.flux` extension works out-of-the-box with communication back to Azure. For connections to your Git repository, Helm repository, or any other endpoints that are needed to deploy your Kubernetes manifests, you must provision these endpoints behind your firewall, or list them on your firewall, so that the Flux Source controller can successfully reach them.

+Because Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Kubernetes Service and Azure Arc-enabled Kubernetes resources using Azure Policy, within the scope of a subscription or a resource group. This at-scale enforcement ensures that specific configurations are applied consistently across entire groups of clusters.

+az k8

+If you use `bucket` source, here are the bucket-specific command arguments.

+| `--url` `-u` | URL String | The URL for the `bucket`. Formats supported: `http://`, `https://`. |

+If you use `azblob` source, here are the blob-specific command arguments.

+> [!IMPORTANT]

+> When using managed identity authentication for AKS clusters and `azblob` source, the managed identity must be assigned at minimum the [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles#storage-blob-data-reader) role. Authentication using a managed identity is not yet available for Azure Arc-enabled Kubernetes clusters.

+> If you need Flux to access the source through your proxy, you must update the Azure Arc agents with the proxy settings. For more information, see [Connect using an outbound proxy server](./quickstart-connect-cluster.md?tabs=azure-cli-connect-using-an-outbound-proxy-server).

+To support various repository providers that implement Git, Flux can be configured to use one of two Git libraries: `go-git` or `libgit2`. For details, see the [Flux documentation](https://fluxcd.io/docs/components/source/gitrepositories/#git-implementation).

+By using `az k8s-configuration flux kustomization create`, you can create one or more kustomizations during the configuration.

+| `depends_on` | String | Name of one or more kustomizations (within this configuration) that must reconcile before this kustomization can reconcile. For example: `depends_on=["kustomization1","kustomization2"]`. If you remove a kustomization that has dependent kustomizations, the state of dependent kustomizations becomes `DependencyNotReady`, and reconciliation will halt.|

+LetΓÇÖs say you deploy a `fluxConfiguration` to one of our Kubernetes clusters in the **cluster-config** namespace with cluster scope. You configure the source to sync the `https://github.com/fluxcd/flux2-kustomize-helm-example` repo. This is the same sample Git repo used in the [Deploy applications using GitOps with Flux v2 tutorial](tutorial-use-gitops-flux2.md). After Flux syncs the repo, it deploys the resources described in the manifests (YAML files). Two of the manifests describe HelmRelease and HelmRepository objects.

+To work with multi-tenancy, the correct approach is to deploy all Flux objects into the same namespace as the `fluxConfigurations`. This approach avoids the cross-namespace reference issue, and allows the Flux controllers to get the permissions to apply the objects. Thus, for a GitOps configuration created in the **cluster-config** namespace, these example manifests would change as follows:

+To migrate to using Flux v2 in the same clusters where you've been using Flux v1, you must first delete all Flux v1 `sourceControlConfigurations` from the clusters. Because Flux v2 has a fundamentally different architecture, the `microsoft.flux` cluster extension won't install if there are Flux v1 `sourceControlConfigurations` resources in a cluster. The process of removing Flux v1 configurations and deploying Flux v2 configurations should not take more than 30 minutes.

+Removing Flux v1 `sourceControlConfigurations` doesn't stop any applications that are running on the clusters. However, during the period when Flux v1 configuration is removed and Flux v2 extension is not yet fully deployed:

+* If there are new changes in the application manifests stored in a Git repository, these are not pulled during the migration, and the application version deployed on the cluster will be stale.

+* If there are unintended changes in the cluster state and it deviates from the desired state specified in source Git repository, the cluster won't be able to self-heal.

+We recommend testing your migration scenario in a development environment before migrating your production environment.

+* Supports [multi-tenancy](#multi-tenancy), like applying each source repository with its own set of permissions.

+This tutorial describes how to use GitOps in a Kubernetes cluster. GitOps with Flux v2 is enabled as a [cluster extension](conceptual-extensions.md) in Azure Arc-enabled Kubernetes clusters or Azure Kubernetes Service (AKS) clusters. After the `microsoft.flux` cluster extension is installed, you can create one or more `fluxConfigurations` resources that sync your Git repository sources to the cluster and reconcile the cluster to the desired state. With GitOps, you can use your Git repository as the source of truth for cluster configuration and application deployment.

+Before you dive in, take a moment to [learn how GitOps with Flux works conceptually](./conceptual-gitops-flux2.md).

+> While the source in this tutorial is a Git repository, Flux also provides support for other common file sources such as Helm repositories, Buckets, and Azure Blob Storage.

+>

+> [!NOTE]

+> Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

+This new version of Start/Stop VMs v2 provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the [original version](../../automation/automation-solution-vm-management.md) available with Azure Automation, but it's designed to take advantage of newer technology in Azure. The Start/Stop VMs v2 relies on mutiple Azure services and it will be charged based on the service that are deployed and consumed.

+>

+> TomTom is a subprocessor that is authorized to subprocess Azure Maps customer data. For more information, see the Microsoft Online Services [Subprocessor List] located in the [Microsoft Trust Center].

+[Microsoft Trust Center]: https://www.microsoft.com/trust-center/privacy

+[Subprocessor List]: https://servicetrust.microsoft.com/DocumentPage/aead9e68-1190-4d90-ad93-36418de5c594

+# Secure an Azure Maps account with a SAS token (preview)

+> [Azure Maps samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples)

+1. On the **Condition** tab, when you select the **Signal name** field, the most commonly used signals are displayed in the drop-down list. Select one of these popular signals, or select **See all signals** if you want to choose a different signal for the condition.

+1. (Optional.) If you chose to **See all signals** in the previous step, use the **Select a signal** pane to search for the signal name or filter the list of signals. Filter by:

+ Select the **Signal name** and **Apply**.

+ 1. Preview the results of the selected metric signal in the **Preview** section. Select values for the following fields.

+ |Time range|The time range to include in the results. Can be from the last six hours to the last week.|

+ |Time series|The time series to include in the results.|

+

+ 1. (Optional) Depending on the signal type, you might see the **Split by dimensions** section.

+ Dimensions are name-value pairs that contain more data about the metric value. By using dimensions, you can filter the metrics and monitor specific time-series, instead of monitoring the aggregate of all the dimensional values.

+ If you select more than one dimension value, each time series that results from the combination triggers its own alert and is charged separately. For example, the transactions metric of a storage account can have an API name dimension that contains the name of the API called by each transaction (for example, GetBlob, DeleteBlob, and PutPage). You can choose to have an alert fired when there's a high number of transactions in a specific API (the aggregated data). Or you can use dimensions to alert only when the number of transactions is high for specific APIs.

+ |Field |Description |

+ |||

+ |Dimension name|Dimensions can be either number or string columns. Dimensions are used to monitor specific time series and provide context to a fired alert.<br>Splitting on the **Azure Resource ID** column makes the specified resource into the alert target. If detected, the **ResourceID** column is selected automatically and changes the context of the fired alert to the record's resource. |

+ |Operator|The operator used on the dimension name and value. |

+ |Dimension values|The dimension values are based on data from the last 48 hours. Select **Add custom value** to add custom dimension values. |

+ |Include all future values| Select this field to include any future values added to the selected dimension. |

+1. Select **Use an existing action group**, and enter the details of the existing action group if you want to use an action group that already exists.

+The system compiles a list of recommended alert rules based on:

+- The resource providerΓÇÖs knowledge of important signals and thresholds for monitoring the resource.

+- Telemetry that tells us what customers commonly alert on for this resource.

+> Recommended alert rules is enabled for:

+> - Allow you to access [the latest features of Azure Monitor](#new-capabilities) while keeping application, infrastructure, and platform logs in a consolidated location.

+- When you enable managed identity authentication (preview), a data collection rule is created with the name *MSCI-\<cluster-region\>-<\cluster-name\>*. Currently, this name can't be modified.

+|PipelineFailedRuns |Yes |Failed pipeline runs metrics |Count |Total |Failed pipeline runs metrics |FailureType, Pipeline |

+|PipelineSucceededRuns |Yes |Succeeded pipeline runs metrics |Count |Total |Succeeded pipeline runs metrics |FailureType, Pipeline |

+|TriggerCancelledRuns |Yes |Cancelled trigger runs metrics |Count |Total |Cancelled trigger runs metrics |Pipeline, FailureType |

+|TriggerFailedRuns |Yes |Failed trigger runs metrics |Count |Total |Failed trigger runs metrics |Pipeline, FailureType |

+|TriggerSucceededRuns |Yes |Succeeded trigger runs metrics |Count |Total |Succeeded trigger runs metrics |Pipeline, FailureType |

+<!--Gen Date: Sun Mar 12 2023 11:30:35 GMT+0200 (Israel Standard Time)-->

+ - 404--Cluster not found, the cluster might have been deleted. If you try to create a cluster with that name and get conflict, the cluster is in deletion process.

+1. To set up health status alerts, you can either [enable recommended out-of-the-box alert](../alerts/alerts-overview.md#recommended-alert-rules) rules, or manually create new alert rules.

+ - To enable the recommended alert rules:

+ 1. select **Alerts**, then select **Enable recommended alert rules**. The **Enable recommended alert rules** pane opens with a list of recommended alert rules based on your type of resource.

+ 1. In the **Alert me if** section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, you can change the default values if you would like.

+ 1. In the **Notify me by** section, select the way you want to be notified if an alert is fired.

+ 1. Select **Use an existing action group**, and enter the details of the existing action group if you want to use an action group that already exists.

+ 1. Select **Enable**.

+ :::image type="content" source="../alerts/media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::

+ - To create a new alert rule:

+ 1. Select **Add resource health alert**.

+

+ The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes pre-populated. By default, the rule triggers alerts all status changes in all Log Analytics workspaces in the subscription. If necessary, you can edit and modify the scope and condition at this stage.

+ :::image type="content" source="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" lightbox="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" alt-text="Screenshot that shows the Create alert rule wizard for Log Analytics workspace latency issues.":::

+ 1. Follow the rest of the steps in [Create a new alert rule in the Azure portal](../alerts/alerts-create-new-alert-rule.md#create-a-new-alert-rule-in-the-azure-portal).

+Deleted clusters take two weeks to be completely removed. You can have up to seven clusters per subscription and region, five active, and two deleted in past two weeks.

+When deleting a cluster, you're losing access to all data, which was ingested from workspaces that were linked to it. This operation isn't reversible.

+The cluster's billing stops when cluster is deleted, regardless of the 30-days commitment tier defined in cluster.

+If you delete your cluster while workspaces are linked, workspaces get automatically unlinked from the cluster before the cluster delete, and new data to workspaces gets ingested to Log Analytics clusters instead. You can query workspace for the time range before it was linked to the cluster, and after the unlink, and the service performs cross-cluster queries seamlessly.

+> - There is a limit of seven clusters per subscription and region, five active, plus two that were deleted in past two weeks.

+- A maximum of seven clusters allowed per subscription and region, five active, plus two that were deleted in past 2 weeks.

+- Deleting a linked workspace is permitted while linked to cluster. If you decide to [recover](./delete-workspace.md#recover-a-workspace) a workspace during the [soft-delete](./delete-workspace.md#soft-delete-behavior) period, it returns to previous state and remains linked to cluster.

+- If you get conflict error when creating a cluster, it might have been deleted in past 2 weeks and in deletion process yet. The cluster name remains reserved during the 2 weeks deletion period and you can't create a new cluster with that name.

+ - 404--Cluster not found, the cluster might have been deleted. If you try to create a cluster with that name and get conflict, the cluster is in deletion process.

+- 400--Cluster not found, the cluster you specified doesn't exist or was deleted.

+ | parse kind = regex RawData with *

+ ':"'

+ " - -" * '"'

+ RequestType:string

+ ' '

+ Resource:string

+<br>Snapshot Collector used via SDK is not supported when Interop feature is enabled. [See more not supported scenarios.](snapshot-debugger-troubleshoot.md#not-supported-scenarios)

+Address multiple improvements and added support for Azure Active Directory (Azure AD) authentication for Application Insights ingestion.

+- Increase the default limit on how many snapshots can be captured in 10 minutes from 1 to 3.

+- Improve the Azure portal snapshot viewing experience.

+* [Azure Virtual Machines and Virtual Machine Scale Sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AD;ClientID={Client ID of the User-Assigned Identity} |

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md).

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md).

+ Title: Troubleshoot Azure Application Insights Snapshot Debugger

+description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Snapshot Debugger.

+reviewer: cweining

+# <a id="troubleshooting"></a> Troubleshoot problems enabling Application Insights Snapshot Debugger or viewing snapshots

+If you enabled Application Insights Snapshot Debugger for your application, but aren't seeing snapshots for exceptions, you can use these instructions to troubleshoot.

+There can be many different reasons why snapshots aren't generated. You can start by running the snapshot health check to identify some of the possible common causes.

+## Not Supported Scenarios

+Below you can find scenarios where Snapshot Collector isn't supported:

+|Scenario | Side Effects | Recommendation |

+||--|-|

+|When using the Snapshot Collector SDK in your application directly (*.csproj*) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available. <br/> Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor` <br/> For more information about the Application Insights feature "Interop", see the [documentation.](../app/azure-web-apps-net-core.md#troubleshooting) | If you're using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure portal UX) |

+## Make sure you're using the appropriate Snapshot Debugger Endpoint

+Currently the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide).

+For App Service and applications using the Application Insights SDK, you have to update the connection string using the supported overrides for Snapshot Debugger as defined below:

+|Connection String Property | US Government Cloud | China Cloud |

+|||-|

+|SnapshotEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+For more information about other connection overrides, see [Application Insights documentation](../app/sdk-connection-string.md?tabs=net#connection-string-with-explicit-endpoint-overrides).

+For Function App, you have to update the `host.json` using the supported overrides below:

+|Property | US Government Cloud | China Cloud |

+|||-|

+|AgentEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+Below is an example of the `host.json` updated with the US Government Cloud agent endpoint:

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "samplingExcludedTypes": "Request",

+ "samplingSettings": {

+ "isEnabled": true

+ },

+ "snapshotConfiguration": {

+ "isEnabled": true,

+ "agentEndpoint": "https://snapshot.monitor.azure.us"

+ }

+ }

+ }

+}

+```

+## Use the snapshot health check

+Several common problems result in the Open Debug Snapshot not showing up. Using an outdated Snapshot Collector, for example; reaching the daily upload limit; or perhaps the snapshot is just taking a long time to upload. Use the Snapshot Health Check to troubleshoot common problems.

+There's a link in the exception pane of the end-to-end trace view that takes you to the Snapshot Health Check.

+The interactive, chat-like interface looks for common problems and guides you to fix them.

+If that doesn't solve the problem, then refer to the following manual troubleshooting steps.

+## Verify the instrumentation key

+Make sure you're using the correct instrumentation key in your published application. Usually, the instrumentation key is read from the *ApplicationInsights.config* file. Verify the value is the same as the instrumentation key for the Application Insights resource that you see in the portal.

+## <a id="SSL"></a>Check TLS/SSL client settings (ASP.NET)

+If you have an ASP.NET application that's hosted in Azure App Service or in IIS on a virtual machine, your application could fail to connect to the Snapshot Debugger service due to a missing SSL security protocol.

+[The Snapshot Debugger endpoint requires TLS version 1.2](snapshot-debugger-upgrade.md?toc=/azure/azure-monitor/toc.json). The set of SSL security protocols is one of the quirks enabled by the `httpRuntime targetFramework` value in the `system.web` section of `web.config`.

+If the `httpRuntime targetFramework` is 4.5.2 or lower, then TLS 1.2 isn't included by default.

+> [!NOTE]

+> The `httpRuntime targetFramework` value is independent of the target framework used when building your application.

+To check the setting, open your *web.config* file and find the system.web section. Ensure that the `targetFramework` for `httpRuntime` is set to 4.6 or above.

+ ```xml

+ <system.web>

+ ...

+ <httpRuntime targetFramework="4.7.2" />

+ ...

+ </system.web>

+ ```

+> [!NOTE]

+> Modifying the `httpRuntime targetFramework` value changes the runtime quirks applied to your application and can cause other, subtle behavior changes. Be sure to test your application thoroughly after making this change. For a full list of compatibility changes, see [Re-targeting changes](/dotnet/framework/migration-guide/application-compatibility#retargeting-changes).

+> [!NOTE]

+> If the `targetFramework` is 4.7 or above then Windows determines the available protocols. In Azure App Service, TLS 1.2 is available. However, if you're using your own virtual machine, you may need to enable TLS 1.2 in the OS.

+## Preview Versions of .NET Core

+If you're using a preview version of .NET Core or your application references Application Insights SDK, directly or indirectly via a dependent assembly, follow the instructions for [Enable Snapshot Debugger for other environments](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json).

+## Check the Diagnostic Services site extension' Status Page

+If Snapshot Debugger was enabled through the [Application Insights pane](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json) in the portal, it was enabled by the Diagnostic Services site extension.

+> [!NOTE]

+> Codeless installation of Application Insights Snapshot Debugger follows the .NET Core support policy.

+> For more information about supported runtimes, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+You can check the Status Page of this extension by going to the following url:

+`https://{site-name}.scm.azurewebsites.net/DiagnosticServices`

+> [!NOTE]

+> The domain of the Status Page link will vary depending on the cloud.

+This domain will be the same as the Kudu management site for App Service.

+This Status Page shows the installation state of the Profiler and Snapshot Collector agents. If there was an unexpected error, it will be displayed and show how to fix it.

+You can use the Kudu management site for App Service to get the base url of this Status Page:

+1. Open your App Service application in the Azure portal.

+1. Select **Advanced Tools**, or search for **Kudu**.

+1. Select **Go**.

+1. Once you are on the Kudu management site, in the URL, **append the following `/DiagnosticServices` and press enter**.

+ It will end like this: `https://<kudu-url>/DiagnosticServices`

+## Upgrade to the latest version of the NuGet package

+Based on how Snapshot Debugger was enabled, see the following options:

+* If Snapshot Debugger was enabled through the [Application Insights pane in the portal](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json), then your application should already be running the latest NuGet package.

+* If Snapshot Debugger was enabled by including the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package, use Visual Studio's NuGet Package Manager to make sure you're using the latest version of `Microsoft.ApplicationInsights.SnapshotCollector`.

+For the latest updates and bug fixes [consult the release notes](./snapshot-collector-release-notes.md).

+## Check the uploader logs

+After a snapshot is created, a minidump file (*.dmp*) is created on disk. A separate uploader process creates that minidump file and uploads it, along with any associated PDBs, to Application Insights Snapshot Debugger storage. After the minidump has uploaded successfully, it's deleted from disk. The log files for the uploader process are kept on disk. In an App Service environment, you can find these logs in `D:\Home\LogFiles`. Use the Kudu management site for App Service to find these log files.

+1. Open your App Service application in the Azure portal.

+1. Select **Advanced Tools**, or search for **Kudu**.

+1. Select **Go**.

+1. In the **Debug console** drop-down list, select **CMD**.

+1. Select **LogFiles**.

+You should see at least one file with a name that begins with `Uploader_` or `SnapshotUploader_` and a `.log` extension. Select the appropriate icon to download any log files or open them in a browser.

+The file name includes a unique suffix that identifies the App Service instance. If your App Service instance is hosted on more than one machine, there are separate log files for each machine. When the uploader detects a new minidump file, it's recorded in the log file. Here's an example of a successful snapshot and upload:

+```

+SnapshotUploader.exe Information: 0 : Received Fork request ID 139e411a23934dc0b9ea08a626db16c5 from process 6368 (Low pri)

+ DateTime=2018-03-09T01:42:41.8571711Z

+SnapshotUploader.exe Information: 0 : Creating minidump from Fork request ID 139e411a23934dc0b9ea08a626db16c5 from process 6368 (Low pri)

+ DateTime=2018-03-09T01:42:41.8571711Z

+SnapshotUploader.exe Information: 0 : Dump placeholder file created: 139e411a23934dc0b9ea08a626db16c5.dm_

+ DateTime=2018-03-09T01:42:41.8728496Z

+SnapshotUploader.exe Information: 0 : Dump available 139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:45.7525022Z

+SnapshotUploader.exe Information: 0 : Successfully wrote minidump to D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:45.7681360Z

+SnapshotUploader.exe Information: 0 : Uploading D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp, 214.42 MB (uncompressed)

+ DateTime=2018-03-09T01:42:45.7681360Z

+SnapshotUploader.exe Information: 0 : Upload successful. Compressed size 86.56 MB

+ DateTime=2018-03-09T01:42:59.6184651Z

+SnapshotUploader.exe Information: 0 : Extracting PDB info from D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp.

+ DateTime=2018-03-09T01:42:59.6184651Z

+SnapshotUploader.exe Information: 0 : Matched 2 PDB(s) with local files.

+ DateTime=2018-03-09T01:42:59.6809606Z

+SnapshotUploader.exe Information: 0 : Stamp does not want any of our matched PDBs.

+ DateTime=2018-03-09T01:42:59.8059929Z

+SnapshotUploader.exe Information: 0 : Deleted D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:59.8530649Z

+```

+> [!NOTE]

+> The example above is from version 1.2.0 of the `Microsoft.ApplicationInsights.SnapshotCollector` NuGet package. In earlier versions, the uploader process is called `MinidumpUploader.exe` and the log is less detailed.

+In the previous example, the instrumentation key is `c12a605e73c44346a984e00000000000`. This value should match the instrumentation key for your application.

+The minidump is associated with a snapshot with the ID `139e411a23934dc0b9ea08a626db16c5`. You can use this ID later to locate the associated exception record in Application Insights Analytics.

+The uploader scans for new PDBs about once every 15 minutes. Here's an example:

+```

+SnapshotUploader.exe Information: 0 : PDB rescan requested.

+ DateTime=2018-03-09T01:47:19.4457768Z

+SnapshotUploader.exe Information: 0 : Scanning D:\home\site\wwwroot for local PDBs.

+ DateTime=2018-03-09T01:47:19.4457768Z

+SnapshotUploader.exe Information: 0 : Local PDB scan complete. Found 2 PDB(s).

+ DateTime=2018-03-09T01:47:19.4614027Z

+SnapshotUploader.exe Information: 0 : Deleted PDB scan marker : D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\6368.pdbscan

+ DateTime=2018-03-09T01:47:19.4614027Z

+```

+For applications that *aren't* hosted in App Service, the uploader logs are in the same folder as the minidumps: `%TEMP%\Dumps\<ikey>` (where `<ikey>` is your instrumentation key).

+## Troubleshooting Cloud Services

+In Cloud Services, the default temporary folder could be too small to hold the minidump files, leading to lost snapshots.

+The space needed depends on the total working set of your application and the number of concurrent snapshots.

+The working set of a 32-bit ASP.NET web role is typically between 200 MB and 500 MB. Allow for at least two concurrent snapshots.

+For example, if your application uses 1 GB of total working set, you should make sure there is at least 2 GB of disk space to store snapshots.

+Follow these steps to configure your Cloud Service role with a dedicated local resource for snapshots.

+1. Add a new local resource to your Cloud Service by editing the Cloud Service definition (.csdef) file. The following example defines a resource called `SnapshotStore` with a size of 5 GB.

+ ```xml

+ <LocalResources>

+ <LocalStorage name="SnapshotStore" cleanOnRoleRecycle="false" sizeInMB="5120" />

+ </LocalResources>

+ ```

+1. Modify your role's startup code to add an environment variable that points to the `SnapshotStore` local resource. For Worker Roles, the code should be added to your role's `OnStart` method:

+ ```csharp

+ public override bool OnStart()

+ {

+ Environment.SetEnvironmentVariable("SNAPSHOTSTORE", RoleEnvironment.GetLocalResource("SnapshotStore").RootPath);

+ return base.OnStart();

+ }

+ ```

+ For Web Roles (ASP.NET), the code should be added to your web application's `Application_Start` method:

+ ```csharp

+ using Microsoft.WindowsAzure.ServiceRuntime;

+ using System;

+ namespace MyWebRoleApp

+ {

+ public class MyMvcApplication : System.Web.HttpApplication

+ {

+ protected void Application_Start()

+ {

+ Environment.SetEnvironmentVariable("SNAPSHOTSTORE", RoleEnvironment.GetLocalResource("SnapshotStore").RootPath);

+ // TODO: The rest of your application startup code

+ }

+ }

+ }

+ ```

+1. Update your role's *ApplicationInsights.config* file to override the temporary folder location used by `SnapshotCollector`

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ <!-- Use the SnapshotStore local resource for snapshots -->

+ <TempFolder>%SNAPSHOTSTORE%</TempFolder>

+ <!-- Other SnapshotCollector configuration options -->

+ </Add>

+ </TelemetryProcessors>

+ ```

+## Overriding the Shadow Copy folder

+When the Snapshot Collector starts up, it tries to find a folder on disk that is suitable for running the Snapshot Uploader process. The chosen folder is known as the Shadow Copy folder.

+The Snapshot Collector checks a few well-known locations, making sure it has permissions to copy the Snapshot Uploader binaries. The following environment variables are used:

+* Fabric_Folder_App_Temp

+* LOCALAPPDATA

+* APPDATA

+* TEMP

+If a suitable folder can't be found, Snapshot Collector reports an error saying *"Couldn't find a suitable shadow copy folder."*

+If the copy fails, Snapshot Collector reports a `ShadowCopyFailed` error.

+If the uploader can't be launched, Snapshot Collector reports an `UploaderCannotStartFromShadowCopy` error. The body of the message often contains `System.UnauthorizedAccessException`. This error usually occurs because the application is running under an account with reduced permissions. The account has permission to write to the shadow copy folder, but it doesn't have permission to execute code.

+Since these errors usually happen during startup, they'll usually be followed by an `ExceptionDuringConnect` error saying *Uploader failed to start*."

+To work around these errors, you can specify the shadow copy folder manually via the `ShadowCopyFolder` configuration option. For example, using *ApplicationInsights.config*:

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ <!-- Override the default shadow copy folder. -->

+ <ShadowCopyFolder>D:\SnapshotUploader</ShadowCopyFolder>

+ <!-- Other SnapshotCollector configuration options -->

+ </Add>

+ </TelemetryProcessors>

+ ```

+Or, if you're using *appsettings.json* with a .NET Core application:

+ ```json

+ {

+ "ApplicationInsights": {

+ "InstrumentationKey": "<your instrumentation key>"

+ },

+ "SnapshotCollectorConfiguration": {

+ "ShadowCopyFolder": "D:\\SnapshotUploader"

+ }

+ }

+ ```

+## Use Application Insights search to find exceptions with snapshots

+When a snapshot is created, the throwing exception is tagged with a snapshot ID. That snapshot ID is included as a custom property when the exception is reported to Application Insights. Using **Search** in Application Insights, you can find all records with the `ai.snapshot.id` custom property.

+1. Browse to your Application Insights resource in the Azure portal.

+1. Select **Search**.

+1. Type `ai.snapshot.id` in the Search text box and press Enter.

+If this search returns no results, then, no snapshots were reported to Application Insights in the selected time range.

+To search for a specific snapshot ID from the Uploader logs, type that ID in the Search box. If you can't find records for a snapshot that you know was uploaded, follow these steps:

+1. Double-check that you're looking at the right Application Insights resource by verifying the instrumentation key.

+1. Using the timestamp from the Uploader log, adjust the Time Range filter of the search to cover that time range.

+If you still don't see an exception with that snapshot ID, then the exception record wasn't reported to Application Insights. This situation can happen if your application crashed after it took the snapshot but before it reported the exception record. In this case, check the App Service logs under `Diagnose and solve problems` to see if there were unexpected restarts or unhandled exceptions.

+## Edit network proxy or firewall rules

+If your application connects to the Internet via a proxy or a firewall, you may need to update the rules to communicate with the Snapshot Debugger service.

+The IPs used by Application Insights Snapshot Debugger are included in the Azure Monitor service tag. For more information, see [Service Tags documentation](../../virtual-network/service-tags-overview.md).

+- For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md).

+* [Azure Virtual Machines and Virtual Machine Scale Sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later

+If you've enabled Snapshot Debugger but aren't seeing snapshots, check our [Troubleshooting guide](snapshot-debugger-troubleshoot.md).

+* [Azure Virtual Machines and Virtual Machine Scale Sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+ "address" : "wss://dc-node.servicebus.windows.net:443/$hc/{path}?...",

+| After my private cloud NSX-T Data Center upgrade to version [3.2.2](https://docs.vmware.com/en/VMware-NSX/3.2.2/rn/vmware-nsxt-data-center-322-release-notes/https://docsupdatetracker.net/index.html), the NSX-T Manager **DNS Forwarder Upstream Server Timeout** alarm is raised | February 2023 | [Enable private cloud internet Access](concepts-design-public-internet-access.md), alarm is raised because NSX-T Manager cannot access the configured CloudFlare DNS server. | February 2023 |

+In this article, you learned about the current known issues with the Azure VMware Solution.

+For more information, see [About Azure VMware Solution](introduction.md).

+> [!IMPORTANT]

+> Nested groups are not supported, and their use may cause loss of access.

+[Learn more about CDs on Azure VMware Solutions reference architecture](https://cloudsolutions.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/cloud-director-service-reference-architecture-for-azure-vmware-solution.pdf)

+| **Standalone instance** | Low | Migrate with VMware vMotion, the DB is available during migration, but it is not recommended to commit any critical data during it. |

+| **Always-On Availability Group** | Low | The primary replica will always be available during the migration of the first secondary replica and the secondary replica will become the primary after the initial failover to Azure. |

+| **Failover Cluster Instance** | High | All nodes of the cluster are shutdown and migrated using VMware HCX Cold Migration. Downtime duration depends upon database size and private network speed to Azure cloud. |

+ - Select your primary replica and open **Availability Group** **Properties**.

+ - Change **Availability Mode** to **Asynchronous commit** only for the replica to be migrated.

+ - Change **Failover Mode** to **Manual** for every member of the availability group.

+ - Select one virtual machine running the secondary replica of the database the is going to be migrated.

+ - Set the vSphere cluster in the remote private cloud to run the migrated SQL cluster as the **Compute Container**.

+ - Select the **vSAN Datastore** as remote storage.

+ - Select a folder. This not mandatory, but is recommended to separate the different workloads in your Azure VMware Solution private cloud.

+ - Keep **Same format as source**.

+ - Select **vMotion** as **Migration profile**.

+ - In **Extended Options** select **Migrate Custom Attributes**.

+ - Verify that on-premises network segments have the correct remote stretched segment in Azure.

+ - Select **Validate** and ensure that all checks are completed with pass status. The most common error is related to the storage configuration. Verify again that there are no virtual SCSI controllers have the physical sharing setting.

+ - Click **Go** to start the migration.

+ - **Data Loss** status in the **Failover Readiness** column is expected since the replica has been out-of-sync with the primary during the migration.

+ - The secondary replica starts to synchronize back all the changes made to the primary replica during the migration. Wait until it appears in Synchronized state.

+ - Open the Dashboard and verify there is no data loss in any of the replicas and that all are in a **Synchronized** state.

+ :::image type="content" source="media/sql-server-hybrid-benefit/sql-always-on-7.png" alt-text="Diagram showing availability Group Dashboard with new primary replica and all migrated secondary replicas in synchronized state." border="false" lightbox="media/sql-server-hybrid-benefit/sql-always-on-7.png":::

+ - Edit the **Properties** of the availability group and set **Failover Mode** to **Automatic** in all replicas.

+- [Enable SQL Azure hybrid benefit for Azure VMware Solution](enable-sql-azure-hybrid-benefit.md).

+- [Create a placement policy in Azure VMware Solution](create-placement-policy.md)

+- [Windows Server Failover Clustering Documentation](https://learn.microsoft.com/windows-server/failover-clustering/failover-clustering-overview)

+- [Microsoft SQL Server 2019 Documentation](https://learn.microsoft.com/sql/sql-server/)

+- [Microsoft SQL Server 2022 Documentation](https://learn.microsoft.com/sql/sql-server/)

+- [Windows Server Technical Documentation](https://learn.microsoft.com/windows-server/)

+- [Planning Highly Available, Mission Critical SQL Server Deployments with VMware vSphere](https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/vmware-vsphere-highly-available-mission-critical-sql-server-deployments.pdf)

+- [Microsoft SQL Server on VMware vSphere Availability and Recovery Options](https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/sql-server-on-vmware-availability-and-recovery-options.pdf)

+- [VMware KB 100 2951 ΓÇô Tips for configuring Microsoft SQL Server in a virtual machine](https://kb.vmware.com/s/article/1002951)

+- [Microsoft SQL Server 2019 in VMware vSphere 7.0 Performance Study](https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/performance/vsphere7-sql-server-perf.pdf)

+- [Architecting Microsoft SQL Server on VMware vSphere ΓÇô Best Practices Guide](https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/sql-server-on-vmware-best-practices-guide.pdf)

+- [Setup for Windows Server Failover Cluster in VMware vSphere 7.0](https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-703-setup-wsfc.pdf)

+| **Standalone instance** | Low | Migration will be done using vMotion, the DB will be available during migration time, but it isn't recommended to commit any critical data during it. |

+| **Always-On Availability Group** | Low | The primary replica will always be available during the migration of the first secondary replica and the secondary replica will become the primary after the initial failover to Azure. |

+| **Failover Cluster Instance** | High | All nodes of the cluster will be shut down and migrated using VMware HCX Cold Migration. Downtime duration will depend upon database size and private network speed to Azure cloud. |

+ - Verify that the second node is in **Offline** state and that all clustered services and storage are under the control of the first node.

+ :::image type="content" source="media/sql-server-hybrid-benefit/sql-failover-1.png" alt-text="Diagram showing Windows Server Failover Cluster Manager cluster storage verification." border="false" lightbox="media/sql-server-hybrid-benefit/sql-failover-1.png":::

+ - Shut down the cluster.

+ - Check that all cluster services are successfully stopped without errors.

+ - Remove all shared disks from the virtual machine configuration.

+ - Ensure that the **Delete files from datastore** checkbox isn't selected as this will permanently delete the disk from the datastore, and you'll need to recover the cluster from a previous backup.

+ - Set **SCSI Bus Sharing** from **Physical** to **None** in the virtual SCSI controllers used for the shared storage. Usually, these controllers are of VMware Paravirtual type.

+ - Select the second node virtual machine.

+ - Set the vSphere cluster in the remote private cloud that will run the migrated SQL cluster as the **Compute Container**.

+ - Select the **vSAN Datastore** as remote storage.

+ - Select a folder if you want to place the virtual machines in specific folder, this not mandatory but is recommended to separate the different workloads in your Azure VMware Solution private cloud.

+ - Keep **Same format as source**.

+ - Select **Cold migration** as **Migration profile**.

+ - In **Extended** **Options** select **Migrate Custom Attributes**.

+ - Verify that on-premises network segments have the correct remote stretched segment in Azure.

+ - Select **Validate** and ensure that all checks are completed with pass status. The most common error here will be one related to the storage configuration. Verify again that there are no SCSI controllers with physical sharing setting.

+ - Select **Go** and the migration will initiate.

+ - Set SCSI Bus sharing back to physical in the SCSI controller managing shared storage.

+ - Add the cluster shared disks to the node as additional storage. Assign them to the second SCSI controller.

+ - Ensure that all the storage configuration is the same as the one recorded before the migration.

+ - Verify virtual machine network configuration and ensure it can reach on-premises and Azure resources.

+ - Open **Failover Cluster Manager** and verify cluster services.

+ - Verify that Windows Server can reach the storage.

+ - In the **Failover Cluster Manager** review that the second node appears as **Online** status.

+| **Standalone instance** | Low | Migration is done using VMware vMotion, the DB is available during migration time, but it isn't recommended to commit any critical data during it. |

+| **Always-On Availability Group** | Low | The primary replica will always be available during the migration of the first secondary replica and the secondary replica will become the primary after the initial failover to Azure. |

+| **Failover Cluster Instance** | High | All nodes of the cluster are shutdown and migrated using VMware HCX Cold Migration. Downtime duration depends upon database size and private network speed to Azure cloud. |

+ - Select the Microsoft SQL Server virtual machine.

+ - Set the vSphere cluster in the remote private cloud of the migrated SQL cluster as the **Compute Container**.

+ - Select the vSAN Datastore as remote storage.

+ - Select a folder. This isn't mandatory, but we recommended separating the different workloads in your Azure VMware Solution private cloud.

+ - Keep **Same format as source**.

+ - Select **vMotion** as Migration profile.

+ - In **Extended Options** select **Migrate Custom Attributes**.

+ - Verify that on-premises network segments have the correct remote stretched segment in Azure VMware Solution.

+ - Select **Validate** and ensure that all checks are completed with pass status.

+ - Select **Go** to start the migration.

+ - Verify the network configuration and check connectivity both with on-premises and Azure VMware Solution resources.

+ - Using SQL Server Management Studio verify you can access the database.

+Microsoft SQL server is a core component of many business-critical applications currently running on VMware vSphere and is one of the most widely used database platforms in the market with customers running hundreds of SQL Server instances with VMware vSphere on-premises.

+- [Enable SQL Azure hybrid benefit for Azure VMware Solution](migrate-sql-server-standalone-cluster.md)

+- [Configure Windows Server Failover Cluster on Azure VMware Solution vSAN](configure-windows-server-failover-cluster.md)

+| Network usage | Description | Subnet | Example |

+| -- | - | | - |

+| Private cloud management | Management Network (i.e. vCenter, NSX-T) | `/26` | `10.10.0.0/26` |

+| HCX Mgmt Migrations | Local connectivity for HCX appliances (downlinks) | `/26` | `10.10.0.64/26` |

+| Global Reach Reserved | Outbound interface for ExpressRoute | `/26` | `10.10.0.128/26` |

+| NSX-T Data Center DNS Service | Built-in NSX-T DNS Service | `/32` | `10.10.0.192/32` |

+| Reserved | Reserved | `/32` | `10.10.0.193/32` |

+| Reserved | Reserved | `/32` | `10.10.0.194/32` |

+| Reserved | Reserved | `/32` | `10.10.0.195/32` |

+| Reserved | Reserved | `/30` | `10.10.0.196/30` |

+| Reserved | Reserved | `/29` | `10.10.0.200/29` |

+| Reserved | Reserved | `/28` | `10.10.0.208/28` |

+| ExpressRoute peering | ExpressRoute Peering | `/27` | `10.10.0.224/27` |

+| ESXi Management | ESXi management VMkernel interfaces | `/25` | `10.10.1.0/25` |

+| vMotion Network | vMotion VMkernel interfaces | `/25` | `10.10.1.128/25` |

+| Replication Network | vSphere Replication interfaces | `/25` | `10.10.2.0/25` |

+| vSAN | vSAN VMkernel interfaces and node communication | `/25` | `10.10.2.128/25` |

+| HCX Uplink | Uplinks for HCX IX and NE appliances to remote peers | `/26` | `10.10.3.0/26` |

+| Reserved | Reserved | `/26` | `10.10.3.64/26` |

+| Reserved | Reserved | `/26` | `10.10.3.128/26` |

+| Reserved | Reserved | `/26` | `10.10.3.192/26` |

+| On-premises network | HCX Cloud Manager | TCP (HTTPS) | 9443 | HCX Cloud Manager virtual appliance management interface for HCX system configuration. |

+| On-premises Admin Network | HCX Cloud Manager | SSH | 22 | Administrator SSH access to HCX Cloud Manager virtual appliance. |

+| HCX Manager, Interconnect (HCX-IX) | ESXi Hosts | TCP | 80,443,902 | Management and OVF deployment. |

+| Interconnect (HCX-IX), Network Extension (HCX-NE) at Source| Interconnect (HCX-IX), Network Extension (HCX-NE) at Destination| UDP | 4500 | Required for IPSEC<br> Internet key exchange (IKEv2) to encapsulate workloads for the bidirectional tunnel. Network Address Translation-Traversal (NAT-T) is also supported. |

+| On-premises Interconnect (HCX-IX) | Cloud Interconnect (HCX-IX) | UDP | 500 | Required for IPSEC<br> Internet key exchange (ISAKMP) for the bidirectional tunnel. |

+| On-premises vCenter Server network | Private Cloud management network | TCP | 8000 | vMotion of VMs from on-premises vCenter Server to Private Cloud vCenter Server |

+| HCX Connector | connect.hcx.vmware.com<br> hybridity.depot.vmware.com | TCP | 443 | `connect` is needed to validate license key.<br> `hybridity` is needed for updates. |

+There can be more items to consider when it comes to firewall rules, this is intended to give common rules for common scenarios. Note that when source and destination say "on-premises," this is only important if you have a firewall that inspects flows within your datacenter. If you do not have a firewall that inspects between on-premises components, you can ignore those rules as they would not be needed.

+[Full list of HCX port requirements](https://ports.esp.vmware.com/home/VMware-HCX)

+AKS backup integrates with Backup center, providing a single pane of glass that can help you govern, monitor, operate, and analyze backups at scale. Your backups are also available in the *AKS portal* under the **Settings** section.

+AKS Backup enables you to back up your Kubernetes workloads and Persistent Volumes deployed in AKS clusters. The solution requires a [**Backup Extension**](/azure/azure-arc/kubernetes/conceptual-extensions) to be installed inside the AKS cluster and Backup Vault communicates to the Extension to perform backup and restore related operations. **Backup Extension** is mandatory to be installed inside AKS cluster to enable backup and restore. As part of installation, a storage account and a blob container is to be provided in input where backups will be stored.

+Along with Backup Extension, a *User Identity* is created in the AKS cluster's Managed Resource Group (called Extension Identity). This extension identity gets the *Storage Account Contributor* role assigned to it on the storage account where backups are stored in a blob container.

+To support Public, Private, and Authorized IP based clusters, AKS backup requires *Trusted Access* to be enabled between *Backup vault* and *AKS cluster*. Trusted Access allows Backup vault to access the AKS clusters as specific permissions assigned to it related to the *Backup operations*. For more information on AKS Trusted Access, see [Enable Azure resources to access Azure Kubernetes Service (AKS) clusters using Trusted Access](../aks/trusted-access-feature.md).

+>AKS backup currently allows storing backups in *Operational Tier*. Operational Tier is a local data store and backups aren't moved to a vault, but are stored in your own tenant. However, the Backup vault still serves as the unit of managing backups.

+Once *Backup Extension* is installed and *Trusted Access* is enabled, you can configure scheduled backups for the clusters as per your backup policy, and can restore the backups to the original or an alternate cluster in the same subscription and region. AKS backup allows you to enable granular controls to choose a specific *namespace* or an *entire cluster* as a backup/restore configuration while performing the specific operation.

+The *backup solution* enables backup operation for your Kubernetes workloads deployed in the cluster and the data stored in the *Persistent Volume*. The Kubernetes workloads are stored in a blob container and the *Disk-based Persistent Volumes* are backed up as *Disk Snapshots* in a Snapshot Resource Group

+>[!Note]

+>Currently, the solution only supports Persistent Volumes of CSI Driver-based Azure Disks. During backups, other Persistent Volume types (File Share, Blobs) are skipped by the solution.

+>[!Note]

+>- The Backup vault and the AKS cluster to be backed up or restored should be in the same region and subscription.

+>- Copying backups to the *Vault Tier* is currently not supported. So, the *Backup vault storage redundancy* setting (LRS/GRS) doesn't apply to the backups stored in Operational Tier.

+>AKS backup allows creating multiple backup instances for a single AKS cluster with different backup configurations, as required. However, each backup instance of an AKS cluster should be created either in a different Backup vault or with a different backup policy in the same Backup vault.

+- Backup Extension can be installed in the cluster from the *AKS portal* blade on the **Backup** tab under **Settings**. You can also use the Azure CLI commands to [manage the installation and other operations on the Backup Extension](azure-kubernetes-service-cluster-manage-backups.md#manage-operations).

+- Before you install an extension in an AKS cluster, you must register the `Microsoft.KubernetesConfiguration` resource provider at the subscription level. Learn how to [register the resource provider](azure-kubernetes-service-cluster-manage-backups.md#register-the-resource-provider).

+Before you enable Trusted Access between a Backup vault and an AKS cluster, [enable a *feature flag* on the cluster's subscription](azure-kubernetes-service-cluster-manage-backups.md#enable-the-feature-flag).

+- Install Backup Extension on the AKS clusters following the [required FQDN/application rules](../aks/limit-egress-traffic.md#required-fqdn--application-rules-6).

+- If you've any previous installation of *Velero* in the AKS cluster, you need to delete it before installing Backup Extension.

+| Contributor | AKS cluster | Snapshot resource group | Allows AKS cluster to store persistent volume snapshots in the resource group. |

+AKS backup is available in all the Azure public cloud regions, East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, UAE North.

+6. In the *context* pane, provide the *storage account* and *blob container* where you need to store the backup, and then select **Click on Install Extension**.

+7. To enable *Trusted Access* and *other role permissions*, select **Grant Permission** > **Next**.

+8. Select the backup policy that defines the schedule and retention policy for AKS backup, and then select **Next**.

+9. Select **Add/Edit** to define the *backup instance configuration*.

+10. In the *context* pane, enter the *cluster resources* that you want to back up.

+11. Select the *snapshot resource group* where *persistent volume (Azure Disk) snapshots* need to be stored, and then select **Validate**.

+12. To resolve the error, select the *checkbox* corresponding to the *Datasource*, and then select **Assign Missing Role**.

+13. Once the *role assignment* is successful, select **Next**.

+14. Select **Configure Backup**.

+## Register the resource provider

+To register the resource provider, run the following command:

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.KubernetesConfiguration

+ ```

+>[!Note]

+>Don't initiate extension installation before registering resource provider.

+### Monitor the registration process

+The registration may take up to *10 minutes*. To monitor the registration process, run the following command:

+ ```azurecli-interactive

+ az provider show -n Microsoft.KubernetesConfiguration -o table

+ ```

+### Grant permission on storage account

+To provide *Storage Account Contributor Permission* to the Extension Identity on storage account, run the following command:

+ ```azurecli-interactive

+ az role assignment create --assignee-object-id $(az k8s-extension show --name azure-aks-backup --cluster-name aksclustername --resource-group aksclusterresourcegroup --cluster-type managedClusters --query aksAssignedIdentity.principalId --output tsv) --role 'Storage Account Contributor' --scope /subscriptions/subscriptionid/resourceGroups/storageaccountresourcegroup/providers/Microsoft.Storage/storageAccounts/storageaccountname

+ ```

+## Enable the feature flag

+To enable the feature flag follow these steps:

+1. To install the *aks-preview* extension, run the following command:

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+1. To update to the latest version of the extension released, run the following command:

+ ```azurecli-interactive

+ az extension update --name aks-preview

+ ```

+1. To register the *TrustedAccessPreview* feature flag, run the `az feature register` command.

+ **Example**

+ ```azurecli-interactive

+ az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"

+ ```

+

+ It takes a few minutes for the status to show Registered.

+1. To verify the registration status, run the `az feature show` command.

+ **Example**

+ ```azurecli-interactive

+ az feature show --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"

+ ```

+1. When the status shows as **Registered**, run the `az provider register` command to refresh the `Microsoft.ContainerService` resource provider registration.

+ **Example**

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ContainerService

+ ```

+>[!Note]

+>Don't initiate backup configuration before enabling the feature flag.

+Learn more about [other commands related to Trusted Access](../aks/trusted-access-feature.md#trusted-access-feature-overview).

+ - [Immutable vault for Azure Backup is now generally available](#immutable-vault-for-azure-backup-is-now-generally-available)

+## Immutable vault for Azure Backup is now generally available

+Azure Backup now supports immutable vaults that help you ensure that recovery points once created can't be deleted before their expiry as per the backup policy (expiry at the time at which the recovery point was created). You can also choose to make the immutability irreversible to offer maximum protection to your backup data, thus helping you protect your data better against various threats, including ransomware attacks and malicious actors.

+For more information, see the [concept of Immutable vault for Azure Backup](backup-azure-immutable-vault-concept.md).

+ * **Egress Traffic to Internet:** Azure Bastion needs to be able to communicate with the Internet for session, Bastion Shareable Link, and certificate validation. For this reason, we recommend enabling port 80 outbound to the **Internet.**

+The Azure Resource Manager APIs for Batch provide programmatic access to Batch accounts. Using these APIs, you can programmatically manage Batch accounts, quotas, application packages, and other resources through the Microsoft.Batch provider.

+| **Batch Management JavaScript** |[Azure SDK for JavaScript - Docs](/javascript/api/overview/azure/arm-batch-readme) |[npm](https://www.npmjs.com/package/@azure/arm-batch) |- |- |

+These command-line tools provide the same functionality as the Batch service and Batch Management APIs:

+ password: "YourPassword"

+* To run multi-instance [MPI workloads](batch-mpi.md), choose H-series or other sizes that have a network interface for Remote Direct Memory Access (RDMA). These sizes connect to an InfiniBand network for inter-node communication, which can accelerate MPI applications.

+* High performance compute VM sizes ([Linux](../virtual-machines/sizes-hpc.md), [Windows](../virtual-machines/sizes-hpc.md))

+* GPU-enabled VM sizes ([Linux](../virtual-machines/sizes-gpu.md), [Windows](../virtual-machines/sizes-gpu.md))

+| [NC, NCv2, NCv3, NDv2 series](../virtual-machines/linux/n-series-driver-setup.md) | NVIDIA Tesla GPU (varies by series) | Ubuntu 16.04 LTS, or<br/>CentOS 7.3 or 7.4<br/>(Azure Marketplace) | NVIDIA CUDA or CUDA Toolkit drivers | N/A |

+| [NC, NCv2, NCv3, ND, NDv2 series](../virtual-machines/windows/n-series-driver-setup.md) | NVIDIA Tesla GPU (varies by series) | Windows Server 2016 or <br/>2012 R2 (Azure Marketplace) | NVIDIA CUDA or CUDA Toolkit drivers| N/A |

+* For pools in the virtual machine configuration, choose a preconfigured [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/) VM image that has drivers and software preinstalled. Examples:

+* Create a [custom Windows or Linux VM image](batch-sig-images.md) on which you have installed drivers, software, or other settings required for the VM size.

+ > [!NOTE]

+| - | -- |

+1. Deploy an Azure H16r VM running Windows Server 2016. For example, create the VM in the US West region.

+2. Add the HpcVmDrivers extension to the VM by [running an Azure PowerShell command](../virtual-machines/sizes-hpc.md) from a client computer that connects to your Azure subscription, or using Azure Cloud Shell.

+### Computer Vision 3.0 & 3.1 previews deprecation

+The preview versions of the Computer Vision 3.0 and 3.1 APIs are scheduled to be retired on September 30, 2023. Customers won't be able to make any calls to these APIs past this date. Customers are encouraged to migrate their workloads to the generally available (GA) 3.2 API instead. Mind the following changes when migrating from the preview versions to the 3.2 API:

+- The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls take an optional _model-version_ parameter that you can use to specify which AI model to use. By default, they will use the latest model.

+- The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls also return a `model-version` field in successful API responses. This field reports which model was used.

+- Computer Vision 3.2 API uses a different error-reporting format. See the [API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) to learn how to adjust any error-handling code.

+| Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman* <br> Davinci* <br> \* Currently unavailable. \*\*East US and West Europe Fine-tuning is currently unavailable to new customers. Please use US South Central for US based training|

+az extension add -s https://aka.ms/acaarccli/containerapp-latest-py2.py3-none-any.whl --yes

+az extension add --source https://aka.ms/acaarccli/containerapp-latest-py2.py3-none-any.whl --yes

+az extension remove --name containerapp

+az extension add --source https://aka.ms/acaarccli/containerapp-latest-py2.py3-none-any.whl --yes

+| `<extensionName>-k8se-containerapp-controller` | The core operator pod that creates resources on the cluster and maintains the state of components. | 2 | 100 millicpu | 1 GB |

+| `<extensionName>-k8se-envoy-controller` | Operator, which generates Envoy configuration | 2 | 200 millicpu | 500 MB |

+| dapr-metrics | Dapr metrics pod | 1 | 100 millicpu | 500 MB |

+### Container Apps extension v1.0.47 (January 2023)

+- Upgrade of Envoy to 1.0.24

+### Container Apps extension v1.0.48 (February 2023)

+- Add probes to EasyAuth container(s)

+- Increased memory limit for dapr-operator

+- Added prevention of platform header overwriting

+### Container Apps extension v1.0.49 (February 2023)

+ - Upgrade of KEDA to 2.9.1

+ - Upgrade of Dapr to 1.9.5

+ - Increase Envoy Controller resource limits to 200 m CPU

+ - Increase Container App Controller resource limits to 1 GB memory

+ - Reduce EasyAuth sidecar resource limits to 50 m CPU

+ - Resolve KEDA error logging for missing metric values

+### Container Apps extension v1.0.50 (March 2023)

+ - Updated logging images in sync with Public Cloud

+To learn more about the `az containerapp up` command and its options, see [`az containerapp up`](/cli/azure/containerapp#az-containerapp-up).

+> [Quickstart: Deploy your code to Azure Container Apps](quickstart-code-to-cloud.md)

+INFRASTRUCTURE_SUBNET=`az network vnet subnet show --resource-group <RESOURCE_GROUP_NAME> --vnet-name <VNET_NAME> --name infrastructure --query "id" -o tsv | tr -d '[:space:]'`

+ Title: "Microservices communication using Dapr Publish and Subscribe"

+# Microservices communication using Dapr Publish and Subscribe

+ Title: "Quickstart: Build a Java app to manage Azure Cosmos DB for NoSQL data"

+description: Use a Java code sample from GitHub to learn how to build an app to connect to and query Azure Cosmos DB for NoSQL.

+This quickstart guide explains how to build a Java app to manage an Azure Cosmos DB for NoSQL account. You create the Java app using the SQL Java SDK, and add resources to your Azure Cosmos DB account by using the Java application.

+First, create an Azure Cosmos DB for NoSQL account using the Azure portal. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities. You can [try Azure Cosmos DB account](https://aka.ms/trycosmosdb) for free without a credit card or an Azure subscription.

+> This quickstart is for Azure Cosmos DB Java SDK v4 only. For more information, see the [release notes](sdk-java-v4.md), [Maven repository](https://mvnrepository.com/artifact/com.azure/azure-cosmos), [performance tips](performance-tips-java-sdk-v4.md), and [troubleshooting guide](troubleshoot-java-sdk-v4.md). If you currently use an older version than v4, see the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide for help upgrading to v4.

+> If you work with Azure Cosmos DB resources in a Spring application, consider using [Spring Cloud Azure](/azure/developer/java/spring-framework/) as an alternative. Spring Cloud Azure is an open-source project that provides seamless Spring integration with Azure services. To learn more about Spring Cloud Azure, and to see an example using Cosmos DB, see [Access data with Azure Cosmos DB NoSQL API](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db).

+- An Azure account with an active subscription. If you don't have an Azure subscription, you can [try Azure Cosmos DB free](../try-free.md) with no credit card required.

+- [Java Development Kit (JDK) 8](https://www.oracle.com/java/technologies/javase/8u-relnotes.html). Point your `JAVA_HOME` environment variable to the folder where the JDK is installed.

+**The structure of an Azure Cosmos DB account:** For any API or programming language, an Azure Cosmos DB *account* contains zero or more *databases*, a *database* (DB) contains zero or more *containers*, and a *container* contains zero or more items, as shown in the following diagram:

+For more information, see [Databases, containers, and items in Azure Cosmos DB](../resource-model.md).

+A few important properties are defined at the level of the container, including *provisioned throughput* and *partition key*. The provisioned throughput is measured in request units (RUs), which have a monetary price and are a substantial determining factor in the operating cost of the account. Provisioned throughput can be selected at per-container granularity or per-database granularity, however container-level throughput specification is typically preferred. To learn more about throughput provisioning, see [Introduction to provisioned throughput in Azure Cosmos DB](../set-throughput.md).

+As items are inserted into an Azure Cosmos DB container, the database grows horizontally by adding more storage and compute to handle requests. Storage and compute capacity are added in discrete units known as *partitions*, and you must choose one field in your documents to be the partition key that maps each document to a partition. Partitions are managed such that each partition is assigned a roughly equal slice out of the range of partition key values. Therefore, you're advised to choose a partition key that's relatively random or evenly distributed. Otherwise, some partitions see substantially more requests (*hot partition*) while other partitions see substantially fewer requests (*cold partition*). To learn more, see [Partitioning and horizontal scaling in Azure Cosmos DB](../partitioning-overview.md).

+Now let's switch to working with code. Clone an API for NoSQL app from GitHub, set the connection string, and run it. You can see how easy it is to work with data programmatically.

+This step is optional. If you're interested in learning how the database resources are created in the code, you can review the following snippets. Otherwise, you can skip ahead to [Run the app](#run-the-app).

+You can authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` by adding the `azure-identity` [dependency](https://mvnrepository.com/artifact/com.azure/azure-identity) to your application. `DefaultAzureCredential` automatically discovers and uses the account you signed into in the previous step.

+### Manage database resources using the synchronous (sync) API

+* `CosmosClient` initialization: The `CosmosClient` provides client-side logical representation for the Azure Cosmos DB database service. This client is used to configure and execute requests against the service.

+* Use the [az cosmosdb sql database create](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) and [az cosmosdb sql container create](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) commands to create a Cosmos DB NoSQL database and container.

+3. In the git terminal window, use the following command to start the Java application. Replace SYNCASYNCMODE with `sync-passwordless` or `async-passwordless`, depending on which sample code you'd like to run. Replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal.

+ The terminal window displays a notification that the `FamilyDB` database was created.

+4. The app references the database and container you created via Azure CLI earlier.

+5. The app performs point reads using object IDs and partition key value (which is `lastName` in our sample).

+6. The app queries items to retrieve all families with last name (*Andersen*, *Wakefield*, *Johnson*).

+7. The app doesn't delete the created resources. Switch back to the portal to [clean up the resources](#clean-up-resources) from your account so that you don't incur charges.

+You can authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` by adding the [azure-identity dependency](https://mvnrepository.com/artifact/com.azure/azure-identity) to your application. `DefaultAzureCredential` automatically discovers and uses the account you signed-in with in the previous step.

+* Async API calls return immediately, without waiting for a response from the server. The following code snippets show proper design patterns for accomplishing all of the preceding management tasks using async API.

+* Use the [az cosmosdb sql database create](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) and [az cosmosdb sql container create](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) commands to create a Cosmos DB NoSQL database and container.

+* As with the sync API, item creation is accomplished using the `createItem` method. This example shows how to efficiently issue numerous async `createItem` requests by subscribing to a Reactive Stream that issues the requests and prints notifications. Since this simple example runs to completion and terminates, `CountDownLatch` instances are used to ensure the program doesn't terminate during item creation. **The proper asynchronous programming practice is not to block on async calls. In realistic use cases, requests are generated from a main() loop that executes indefinitely, eliminating the need to latch on async calls.**

+3. In the git terminal window, use the following command to start the Java application. Replace SYNCASYNCMODE with `sync-passwordless` or `async-passwordless` depending on which sample code you would like to run, replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal.

+4. The app references the database and container you created via Azure CLI earlier.

+5. The app performs point reads using object IDs and partition key value (which is `lastName` in our sample).

+6. The app queries items to retrieve all families with last name (*Andersen*, *Wakefield*, *Johnson*).

+7. The app doesn't delete the created resources. Switch back to the portal to [clean up the resources](#clean-up-resources) from your account so that you don't incur charges.

+## [Sync API](#tab/sync)

+3. In the git terminal window, use the following command to start the Java application. Replace SYNCASYNCMODE with `sync` or `async` depending on which sample code you would like to run, replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal.

+4. The app creates a database with the name `AzureSampleFamilyDB`.

+5. The app creates a container with the name `FamilyContainer`.

+6. The app performs point reads using object IDs and partition key value (which is `lastName` in our sample).

+7. The app queries items to retrieve all families with last name (*Andersen*, *Wakefield*, *Johnson*).

+## [Async API](#tab/async)

+* Async API calls return immediately, without waiting for a response from the server. The following code snippets show proper design patterns for accomplishing all of the preceding management tasks using async API.

+* As with the sync API, item creation is accomplished using the `createItem` method. This example shows how to efficiently issue numerous async `createItem` requests by subscribing to a Reactive Stream that issues the requests and prints notifications. Since this simple example runs to completion and terminates, `CountDownLatch` instances are used to ensure the program doesn't terminate during item creation. **The proper asynchronous programming practice is not to block on async calls. In realistic use cases, requests are generated from a main() loop that executes indefinitely, eliminating the need to latch on async calls.**

+* As with the sync API, point reads are performed by using `readItem` method.

+* As with the sync API, SQL queries over JSON are performed by using the `queryItems` method.

+3. In the git terminal window, use the following command to start the Java application. Replace SYNCASYNCMODE with `sync` or `async` depending on which sample code you would like to run, replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal.

+ The terminal window displays a notification that the `FamilyDB` database was created.

+4. The app creates a database with the name `AzureSampleFamilyDB`.

+5. The app creates a container with the name `FamilyContainer`.

+6. The app performs point reads using object IDs and partition key value (which is `lastName` in our sample).

+7. The app queries items to retrieve all families with last name (*Andersen*, *Wakefield*, *Johnson*).

+In this quickstart, you learned how to create an Azure Cosmos DB for NoSQL account, create a document database and container using Data Explorer, and run a Java app to do the same thing programmatically. You can now import additional data into your Azure Cosmos DB account.

+Are you capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

+* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating RUs using vCores or vCPUs](../convert-vcore-to-request-unit.md).

+* If you know typical request rates for your current database workload, learn how to [estimate RUs using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md).

+|**API documentation**|[.NET API reference documentation](/dotnet/api/microsoft.azure.documents)|

+|**API documentation**|[.NET API reference documentation](/dotnet/api/microsoft.azure.documents)|

+|**API documentation**|[.NET API reference documentation](/dotnet/api/microsoft.azure.cosmos)|

+4. If your resources are shut down regularly, the simulation can't find any savings, and no purchase recommendation is provided.

+5. The recommendation calculations include any special discounts that you might have for your on-demand usage rates.

+Reservation purchase recommendations are also shown in the Azure portal in the purchase experience. Recommendations are shown with the **Recommended Quantity**. When purchased, the quantity that Azure recommends gives the maximum savings possible. Although you can buy any quantity that you like, if you buy a different quantity your savings aren't optimal.

+The chart and estimated values change when you increase the recommended quantity. When you increase the reservation quantity, your savings are reduced because you end up with reduced reservation use. In other words, you pay for reservations that aren't fully used.

+If you lower the reservation quantity, your savings are also reduced. Although utilization is increased, there might be periods when your reservations don't fully cover your use. Usage beyond your reservation quantity is used by more expensive pay-as-you-go resources. The following example image illustrates the point. We've manually reduced the reservation quantity to 4. The reservation utilization is increased, but the overall savings are reduced because pay-as-you go costs are present.

+Currently, the Azure portal doesn't provide savings plan recommendations for management groups. However, you can get the details of per hour commitment of Subscriptions based recommendation from Azure portal and combine the amount based on Subscriptions grouping as part of Management group and apply the Savings Plan.

+| **Defender for Endpoint integration** | Defender for Servers integrates with Defender for Endpoint and protects servers with all the features, including:<br/><br/>- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) to lower the risk of attack.<br/><br/> - [Next-generation protection](/microsoft-365/security/defender-endpoint/next-generation-protection), including real-time scanning and protection and [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/next-generation-protection).<br/><br/> - EDR, including [threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics), [automated investigation and response](/microsoft-365/security/defender-endpoint/automated-investigations), [advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview), and [Microsoft Defender Experts](/microsoft-365/security/defender-endpoint/endpoint-attack-notifications).<br/><br/> - Vulnerability assessment and mitigation provided by [Microsoft Defender Vulnerability Management (MDVM)](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities) as part of the Defender for Endpoint integration. With Plan 2, you can get premium MDVM features, provided by the [MDVM add-on](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities#vulnerability-managment-capabilities-for-servers).| :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 1."::: | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: |

+| **Microsoft Defender Vulnerability Management (MDVM) Add-on** | Enhance your vulnerability management program consolidated asset inventories, security baselines assessments, application block feature, and more. [Learn more](deploy-vulnerability-assessment-defender-vulnerability-management.md). | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2."::: |

+| **[Qualys vulnerability assessment](deploy-vulnerability-assessment-vm.md)** | As an alternative to Defender Vulnerability Management, Defender for Cloud can deploy a Qualys scanner and display the findings. You don't need a Qualys license or account. | Not supported in Plan 1 | :::image type="icon" source="./media/icons/yes-icon.png" alt-text="Icon that shows it's supported in Plan 2.":::|

+You must be an Azure customer to use Microsoft Defender for IoT. However, OT sensors installed for air-gapped networks can be managed locally, and don't need to connect to the cloud.

+For more information, see [Defender for IoT subscription billing](billing.md).

+- [Enterprise IoT networks frequently asked questions](faqs-eiot.md)

+| 22.3.7 | 03/2023 | Patch | 02/2024 |

+| 22.3.6 | 03/2023 | Patch | 02/2024 |

+### 22.3.6 / 22.3.7

+<a name=22.3.7></a>

+**Release date**: 03/2023

+**Supported until**: 02/2024

+Version 22.3.7 includes the same features as 22.3.6. If you have version 22.3.6 installed, we strongly recommend that you update to version 22.3.7, which also includes important bug fixes.

+- [Support for transient devices](device-inventory.md#supported-devices)

+- [Auto-resolved notifications](how-to-work-with-the-sensor-device-map.md#device-notification-responses)

+- [Device data retention updated to 90 days](references-data-retention.md#device-data-retention-periods)

+- [Merging](how-to-investigate-sensor-detections-in-a-device-inventory.md#merge-devices) and [deleting](how-to-investigate-sensor-detections-in-a-device-inventory.md#delete-devices) devices on OT sensors now include confirmation messages when the action has completed

+- Support for [deleting multiple devices](how-to-investigate-sensor-detections-in-a-device-inventory.md#delete-devices) on OT sensors

+- An enhanced [editing device details](how-to-investigate-sensor-detections-in-a-device-inventory.md#edit-device-details) process on the OT sensor, using an **Edit** button in the toolbar at the top of the page

+- [Enhanced UI on the OT sensor for uploading an SSL/TLS certificate](how-to-deploy-certificates.md#deploy-ssltls-certificates-on-ot-appliances)

+- [Activation files for locally-managed sensors no longer expire](how-to-manage-individual-sensors.md#upload-a-new-activation-file)

+- Severity for all [**Suspicion of Malicious Activity**](alert-engine-messages.md#malware-engine-alerts) alerts is now **Critical**

+- [Allow internet connections on an OT network in bulk](how-to-accelerate-alert-incident-response.md#allow-internet-connections-on-an-ot-network)

+| **OT networks** | **Sensor version 22.3.6**: <br>- [Support for transient devices](#support-for-transient-devices)<br>- [Learn DNS traffic by configuring allowlists](#learn-dns-traffic-by-configuring-allowlists)<br>- [Device data retention updates](#device-data-retention-updates)<br>- [UI enhancements when uploading SSL/TLS certificates](#ui-enhancements-when-uploading-ssltls-certificates)<br>- [Activation files expiration updates](#activation-files-expiration-updates)<br>- [UI enhancements for managing the device inventory](#ui-enhancements-for-managing-the-device-inventory)<br>- [Updated severity for all Suspicion of Malicious Activity alerts](#updated-severity-for-all-suspicion-of-malicious-activity-alerts)<br>- [Automatically resolved device notifications](#automatically-resolved-device-notifications) <br><br> **Cloud features**: <br>- [New Microsoft Sentinel incident experience for Defender for IoT](#new-microsoft-sentinel-incident-experience-for-defender-for-iot) |

+### Support for transient devices

+Defender for IoT now identifies *transient* devices as a unique device type that represents devices that were detected for only a short time. We recommend investigating these devices carefully to understand their impact on your network.

+For more information, see [Defender for IoT device inventory](device-inventory.md) and [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md).

+### Learn DNS traffic by configuring allowlists

+The *support* user can now decrease the number of unauthorized internet alerts by creating an allowlist of domain names on your OT sensor.

+When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list before triggering an alert. If the domain's FQDN is included in the allowlist, the sensor doesnΓÇÖt trigger the alert and allows the traffic automatically.

+All OT sensor users can view the list of allowed DNS domains and their resolved IP addresses in data mining reports.  

+For example:

+

+For more information, see [Allow internet connections on an OT network](how-to-accelerate-alert-incident-response.md#allow-internet-connections-on-an-ot-network) and [Create data mining queries](how-to-create-data-mining-queries.md).

+

+### Device data retention updates

+The device data retention period on the OT sensor and on-premises management console has been updated to 90 days from the date of the **Last activity** value.

+For more information, see [Device data retention periods](references-data-retention.md#device-data-retention-periods).

+### UI enhancements when uploading SSL/TLS certificates

+The OT sensor version 22.3.6 has an enhanced **SSL/TLS Certificates** configuration page for defining your SSL/TLS certificate settings and deploying a CA-signed certificate.

+For more information, see [Deploy SSL/TLS certificates on OT appliances](how-to-deploy-certificates.md).

+### Activation files expiration updates

+Activation files on locally-managed OT sensors now remain activated for as long as your Defender for IoT plan is active on your Azure subscription, just like activation files on cloud-connected OT sensors.

+You'll only need to update your activation file if you're [updating an OT sensor from a legacy version](update-ot-software.md#update-legacy-ot-sensor-software) or switching the sensor management mode, such as moving from locally-managed to cloud-connected.

+For more information, see [Manage individual sensors](how-to-manage-individual-sensors.md).

+### UI enhancements for managing the device inventory

+The following enhancements were added to the OT sensor's device inventory in version 22.3.6:

+- A smoother process for [editing device details](how-to-investigate-sensor-detections-in-a-device-inventory.md#edit-device-details) on the OT sensor. Edit device details directly from the device inventory page on the OT sensor console using the new **Edit** button in the toolbar at the top of the page.

+- The OT sensor now supports [deleting multiple devices](how-to-investigate-sensor-detections-in-a-device-inventory.md#delete-devices) simultaneously.

+- The procedures for [merging](how-to-investigate-sensor-detections-in-a-device-inventory.md#merge-devices) and [deleting](how-to-investigate-sensor-detections-in-a-device-inventory.md#delete-devices) devices now include confirmation messages that appear when the action has completed.

+For more information, see [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md).

+### Updated severity for all Suspicion of Malicious Activity alerts

+All alerts with the **Suspicion of Malicious Activity** category now have a severity of **Critical**.

+For more information, see [Malware engine alerts](alert-engine-messages.md#malware-engine-alerts).

+

+### Automatically resolved device notifications

+Starting in version 22.3.6, selected notifications on the OT sensor's **Device map** page are now automatically resolved if they aren't dismissed or otherwise handled within 14 days.

+After updating your sensor version, the **Inactive devices** and **New OT devices** notifications no longer appear. While any **Inactive devices** notifications that are left over from before the update are automatically dismissed, you may still have legacy **New OT devices** notifications to handle. Handle these notifications as needed to remove them from your sensor.

+For more information, see [Manage device notifications](how-to-work-with-the-sensor-device-map.md#manage-device-notifications).

+ Title: Install the devcenter Azure CLI extension

+description: Learn how to install the Azure CLI and the Azure Deployment Environments Preview CLI extension so you can create Deployment Environments resources from the command line.

+Customer intent: As a dev infra admin, I want to install the Deployment Environments CLI extension so that I can create Deployment Environments resources from the command line.

+# Azure Deployment Environments Preview Azure CLI extension

+In addition to the Azure admin portal and the developer portal, you can use the Deployment Environments Azure CLI extension to create resources. Azure Deployment Environments and Microsoft Dev Box use the same Azure CLI extension, which is called `devcenter`.

+## Install the Deployment Environments CLI extension

+To install the Deployment Environments Azure CLI extension, you first need to install the Azure CLI. The following steps show you how to install the Azure CLI, then the Deployment Environments CLI extension.

+1. Download and install the [Azure CLI](/cli/azure/install-azure-cli).

+1. Install the Deployment Environments CLI extension

+``` azurecli

+az extension add --name devcenter

+```

+1. Check that the `devcenter` extension is installed

+``` azurecli

+az extension list

+```

+### Update the Deployment Environments CLI extension

+You can update the Deployment Environments CLI extension if you already have it installed.

+To update a version of the extension that's installed

+``` azurecli

+az extension update --name devcenter

+```

+### Remove the Deployment Environments CLI extension

+To remove the extension, use the following command

+```azurecli

+az extension remove --name devcenter

+```

+## Get started with the Deployment Environments CLI extension

+You might find the following commands useful as you work with the Deployment Environments CLI extension.

+1. Sign in to Azure CLI with your work account.

+ ```azurecli

+ az login

+ ```

+1. Set your default subscription to the subscription where you're creating your specific Deployment Environments resources.

+ ```azurecli

+ az account set --subscription {subscriptionId}

+ ```

+1. Set default resource group. Setting a default resource group means you don't need to specify the resource group for each command.

+ ```azurecli

+ az configure --defaults group={resourceGroupName}

+ ```

+1. Get Help for a command

+ ```azurecli

+ az devcenter admin --help

+ ```

+## Next steps

+For complete command listings, refer to the [Microsoft Deployment Environments and Azure Deployment Environments Azure CLI documentation](https://aka.ms/CLI-reference).

+# Microsoft Dev Box Preview Azure CLI extension

+In addition to the Azure admin portal and the developer portal, you can use the Dev Box Azure CLI extension to create resources. Microsoft Dev Box and Azure Deployment Environments use the same Azure CLI extension, which is called `devcenter`.

+To install the Dev Box Azure CLI extension, you first need to install the Azure CLI. The following steps show you how to install the Azure CLI, then the Dev Box CLI extension.

+1. Download and install the [Azure CLI](/cli/azure/install-azure-cli).

+1. Install the Dev Box CLI extension

+``` azurecli

+az extension add --name devcenter

+```

+1. Check that the `devcenter` extension is installed

+``` azurecli

+az extension list

+```

+### Update the Dev Box CLI extension

+You can update the Dev Box CLI extension if you already have it installed.

+To update a version of the extension that's installed

+``` azurecli

+az extension update --name devcenter

+```

+### Remove the Dev Box CLI extension

+To remove the extension, use the following command

+```azurecli

+az extension remove --name devcenter

+```

+## Get started with the Dev Box CLI extension

+You might find the following commands useful as you work with the Dev Box CLI extension.

+1. Sign in to Azure CLI with your work account.

+1. Set your default subscription to the subscription where you're creating your specific Dev Box resources.

+1. Set default resource group. Setting a default resource group means you don't need to specify the resource group for each command.

+For complete command listings, refer to the [Microsoft Dev Box and Azure Deployment Environments Azure CLI documentation](https://aka.ms/CLI-reference).

+- **Vulnerabilities in security configuration on your machines should be remediated** in Microsoft Defender for Cloud

+1. Log in to Ambari at `https://CLUSTERNAME.azurehdidnsight.net` with your cluster credentials. The initial screen displays an overview dashboard. There are slight cosmetic differences between HDInsight 4.0.

+ You're notified if any configurations need attention. Note the items, and then select **Proceed Anyway**.

+1. Whenever a configuration is saved, you're prompted to restart the service. Select **Restart**.

+### Extra reading

+> [Build a device solution with IoT Hub](set-up-environment.md)

+ Title: Configure Access Control in Device Update for IoT Hub

+ Title: Configure Microsoft Connected Cache for Device Update for Azure IoT Hub

+ Title: Disconnected device update using Microsoft Connected Cache

+ Title: Microsoft Connected Cache within an Azure IoT Edge for Industrial IoT configuration

+ Title: Microsoft Connected Cache two level nested Azure IoT Edge Gateway with outbound unauthenticated proxy

+ Title: Microsoft Connected Cache preview deployment scenario samples

+ Title: Understand Device Update for Azure IoT Hub Agent

+ Title: Understand Device Update for Azure IoT Hub apt manifest

+ Title: Understand Device Update for Azure IoT Hub compliance

+ Title: Understand Device Update for Azure IoT Hub Configuration File

+ Title: Understand Device Update for IoT Hub authentication and authorization

+ Title: Understand Device Update for Azure IoT Hub deployments

+ Title: Understand Device Update for Azure IoT Hub diagnostic features

+ Title: Error codes for Device Update for Azure IoT Hub

+ Title: Understand Device Update for Azure IoT Hub device groups

+ Title: Using multiple steps for Updates with Device Update for Azure IoT Hub

+ Title: Device Update for IoT Hub network requirements

+ Title: Understand how Device Update for IoT Hub uses IoT Plug and Play

+ Title: Troubleshooting for importing proxy updates to Device Update for Azure IoT Hub

+ Title: Using Proxy Updates with Device Update for Azure IoT Hub

+ Title: Understand Device Update for Azure IoT Hub resources

+ Title: Security for Device Update for Azure IoT Hub

+ Title: Understand Device Update for IoT Hub importing

+ Title: Importing updates into Device Update for IoT Hub - import manifest schema

+ Title: Understand Device Update for IoT Hub network security

+ Title: Device Update for IoT Hub update manifest

+Mutual TLS authentication ensures that the client _authenticates_ the server (IoT Hub) certificate and the server (IoT Hub) _authenticates_ the [X.509 client certificate or X.509 thumbprint](tutorial-x509-prove-possession.md). _Authorization_ is performed by IoT Hub after _authentication_ is complete.

+ Title: "Attach/detach a compute gallery to a lab plan"

+description: This article describes how to attach or detach an Azure compute gallery to a lab plan in Azure Lab Services.

+This article shows how to attach or detach an Azure compute gallery to a lab plan. If you use a lab account, see how to [attach or detach a compute gallery to a lab account](how-to-attach-detach-shared-image-gallery-1.md).

+> To show a virtual machine image in the list of images during lab creation, you need to replicate the compute gallery image to the same region as the lab plan. You need to manually [replicate images](../virtual-machines/shared-image-galleries.md) to other regions in the compute gallery.

+Saving images to a compute gallery and replicating those images incurs additional cost. This cost is separate from the Azure Lab Services usage cost. Learn more about [Azure Compute Gallery pricing](../virtual-machines/azure-compute-gallery.md#billing).

+- To attach an Azure compute gallery to a lab plan, your Azure account needs to have the following permissions:

+ | Azure role | Scope | Note |

+ | - | -- | - |

+ | [Owner](/azure/role-based-access-control/built-in-roles#owner) | Azure compute gallery | If you attach an existing compute gallery. |

+ | [Owner](/azure/role-based-access-control/built-in-roles#owner) | Resource group | If you create a new compute gallery. |

+ Learn how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).

+> While using an Azure compute gallery, Azure Lab Services supports only images that use less than 128 GB of disk space on their OS drive. Images with more than 128 GB of disk space or multiple disks won't be shown in the list of virtual machine images during lab creation.

+## Attach a new compute gallery to a lab plan

+## Attach an existing compute gallery to a lab plan

+If you already have an Azure compute gallery, you can also attach it to your lab plan. To attach an existing compute gallery, you first need to grant the Azure Lab Services service principal permissions to the compute gallery. Next, you can attach the existing compute gallery to your lab plan.

+### Configure compute gallery permissions

+The Azure Lab Services service principal needs to have the Owner Azure RBAC role on the Azure compute gallery. There are two Azure Lab Services service principals:

+| Name | Application ID | Description |

+| - | -- | - |

+| Azure Lab Services | c7bb12bf-0b39-4f7f-9171-f418ff39b76a | Service principal for Azure Lab Services lab plans (V2). |

+| Azure Lab Services | 1a14be2a-e903-4cec-99cf-b2e209259a0f | Service principal for Azure Lab Services lab accounts (V1). |

+To attach a compute gallery to a lab plan, assign the Owner role to the service principal with application ID `c7bb12bf-0b39-4f7f-9171-f418ff39b76a`.

+> [!NOTE]

+> When you add a role assignment in the Azure portal, the user interface shows the *object ID* of the service principal, which is different from the *application ID*. The object ID for a service principal can be different in each Azure subscription. You can find the service principal object ID in Azure Active Directory, based on its application ID. Learn more about [Service principal objects](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object).

+Follow these steps to grant permissions to the Azure Lab Service service principal by using the Azure CLI:

+1. Open [Azure Cloud Shell](https://shell.azure.com). Alternately, select the **Cloud Shell** button on the menu bar at the upper right in the [Azure portal](https://portal.azure.com).

+ Azure Cloud Shell is an interactive, authenticated, browser-accessible terminal for managing Azure resources. Learn how to get started with [Azure Cloud Shell](/azure/cloud-shell/quickstart).

+1. Enter the following commands in Cloud Shell:

+

+ 1. Select the service principal object ID, based on the application ID:

+ ```azurecli-interactive

+ az ad sp show --id c7bb12bf-0b39-4f7f-9171-f418ff39b76a --query "id" -o tsv

+ ```

+ 1. Select the ID of the compute gallery, based on the gallery name:

+ ```azurecli-interactive

+ az sig show --gallery-name <gallery-name> --resource-group <gallery-resource-group> --query id -o tsv

+ ```

+ Replace the text placeholders *`<gallery-name>`* and *`<gallery-resource-group>`* with the compute gallery name and the name of the resource group that contains the compute gallery. Make sure to remove the angle brackets when replacing the text.

+ 1. Assign the Owner role to service principal on the compute gallery:

+ ```azurecli-interactive

+ az role assignment create --assignee-object-id <service-principal-object-id> --role Owner --scope <gallery-id>

+ ```

+ Replace the text placeholders *`<service-principal-object-id>`* and *`<gallery-id>`* with the outcomes of the previous commands.

+Learn more about how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).

+### Attach the compute gallery

+Only one Azure compute gallery can be attached to a lab plan. To attach another compute gallery, follow the steps to [attach an existing compute gallery](#attach-an-existing-compute-gallery-to-a-lab-plan).

+- Azure Compute [resource provider must be registered](../azure-resource-manager/management/resource-providers-and-types.md) before Azure Lab Services can [create and attach an Azure Compute Gallery resource](how-to-attach-detach-shared-image-gallery.md#attach-an-existing-compute-gallery-to-a-lab-plan).

+You can use [built-in policies](how-to-integrate-azure-policy.md) if you want to control network isolation parameters with self-service workspace and computing resources creation.

+Experiments and runs tracking information in Azure Machine Learning can be queried using MLflow. You don't need to install any specific SDK to manage what happens inside of a training job, creating a more seamless transition between local runs and the cloud by removing cloud-specific dependencies. In this article, you'll learn how to query and compare experiments and runs in your workspace using Azure Machine Learning and MLflow SDK in Python.

+* Create, query, delete and search for experiments in a workspace.

+* Query, delete, and search for runs in a workspace.

+See [Support matrix for querying runs and experiments in Azure Machine Learning](#support-matrix-for-querying-runs-and-experiments) for a detailed comparison between MLflow Open-Source and MLflow when connected to Azure Machine Learning.

+> [!NOTE]

+> The Azure Machine Learning Python SDK v2 does not provide native logging or tracking capabilities. This applies not just for logging but also for querying the metrics logged. Instead, use MLflow to manage experiments and runs. This article explains how to use MLflow to manage experiments and runs in Azure Machine Learning.

+## Search experiments

+The `search_experiments()` method available since Mlflow 2.0 allows searching experiment matching a criteria using `filter_string`. The following query retrieves three experiments with different IDs.

+```python

+mlflow.search_experiments(filter_string="experiment_id IN (

+ 'CDEFG-1234-5678-90AB', '1234-5678-90AB-CDEFG', '5678-1234-90AB-CDEFG')"

+)

+```

+## Query runs inside an experiment

+Specific run field can also be indicated. Fields do not need a qualifier like `params`, `metrics` or `attributes`. The following search query for runs with specific IDs.

+```python

+mlflow.search_runs(experiment_ids=[ "1234-5678-90AB-CDEFG" ],

+ filter_string="run_id IN ('CDEFG-1234-5678-90AB', '1234-5678-90AB-CDEFG', '5678-1234-90AB-CDEFG')")

+```

+You can then load the model back from the downloaded artifacts using the typical function `load_model` in the flavor-specific namespace. The following example uses `xgboost`:

+> For query and loading models registered in the Model Registry, view [Manage models registries in Azure Machine Learning with MLflow](how-to-manage-models-mlflow.md).

+> [!IMPORTANT]

+> Items marked (preview) in this article are currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> - ¹ Check the section [Query runs inside an experiment](#query-runs-inside-an-experiment) for instructions and examples on how to achieve the same functionality in Azure Machine Learning.

+This means that the new Grafana instance can access and search all monitoring data in the subscription. It can view the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.

+In this article, learn how to manually grant permission for Azure Managed Grafana to access an Azure resource using a managed identity.

+To edit permissions for a specific resource, follow these steps.

+### [Portal](#tab/azure-portal)

+1. The portal lists all the roles you can give to your Azure Managed Grafana resource. Select a role. For instance, **Monitoring Reader**, and select **Next**.

+1. For **Assign access to**, select **Managed identity**.

+1. Click on **Select members**.

+1. Select the **Subscription** containing your Managed Grafana instance.

+1. For **Managed identity**, select **Azure Managed Grafana**.

+1. Select one or several Managed Grafana instances.

+1. Select **Next**, then **Review + assign** to confirm the assignment of the new permission.

+### [Azure CLI](#tab/azure-cli)

+Assign a role assignment using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command.

+In the code below, replace the following placeholders:

+- `<assignee>`: enter the assignee's object ID. For a managed identity, enter the managed identity's ID.

+- `<roleNameOrId>`: enter the role's name or ID. For Monitoring Reader, enter `Monitoring Reader` or `43d0d8ad-25c7-4714-9337-8ba259a9fe05`.

+- `<scope>`: enter the full ID of the resource Azure Managed Grafana needs access to.

+```azurecli

+az role assignment create --assignee "<assignee>" \

+--role "<roleNameOrId>" \

+--scope "<scope>"

+```

+Example: assigning permission for an Azure Managed Grafana instance to access an Application Insights resource using a managed identity.

+```azurecli

+az role assignment create --assignee "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/Microsoft.Dashboard/grafana/mygrafanaworkspace" \

+--role "Monitoring Reader" \

+--scope "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/microsoft.insights/components/myappinsights/

+```

+For more information about assigning Azure roles using the Azure CLI, refer to the [Role based access control documentation](../role-based-access-control/role-assignments-cli.md).

+description: 'Learn how you can share access permissions to Azure Grafana Managed.'

+# How to share access to Azure Managed Grafana

+A DevOps team may build dashboards to monitor and diagnose an application or infrastructure that it manages. Likewise, a support team may use a Grafana monitoring solution for troubleshooting customer issues. In these scenarios, multiple users are accessing one Grafana instance.

+Azure Managed Grafana enables such collaboration by allowing you to set custom permissions on an instance that you own. This article explains what permissions are supported and how to grant permissions to share an Azure Managed Grafana instance with your stakeholders.

+- You must have Grafana Admin permissions on the instance.

+Azure Managed Grafana supports the Grafana Admin, Grafana Editor, and Grafana Viewer roles:

+- The Grafana Admin role provides full control of the instance including managing role assignments, viewing, editing, and configuring data sources.

+- The Grafana Editor role provides read-write access to the dashboards in the instance.

+- The Grafana Viewer role provides read-only access to dashboards in the instance.

+More details on Grafana roles can be found in the [Grafana documentation](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).

+Grafana user roles and assignments are fully [integrated within Azure Active Directory (Azure AD)](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Azure AD user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal.

+> Azure Managed Grafana doesn't support personal Microsoft accounts (MSA) currently.

+## Add a Grafana role assignment

+### [Portal](#tab/azure-portal)

+1. Open your Azure Managed Grafana instance.

+1. Select **Access control (IAM)** in the left menu.

+1. Select **Add role assignment**.

+1. Select a Grafana role to assign among **Grafana Admin**, **Grafana Editor** or **Grafana Viewer**, then select **Next**.

+1. Choose if you want to assign access to a **User, group, or service principal**, or to a **Managed identity**.

+1. Click on **Select members**, pick the members you want to assign to the Grafana role and then confirm with **Select**.

+1. Select **Next**, then **Review + assign** to complete the role assignment.

+> Dashboard and data source level sharing are done from within the Grafana application. For more information, refer to [Share a Grafana dashboard or panel](./how-to-share-dashboard.md). [Share a Grafana dashboard] and [Data source permissions](https://grafana.com/docs/grafana/latest/administration/data-source-management/#data-source-permissions).

+### [Azure CLI](#tab/azure-cli)

+Assign a role using the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command.

+In the code below, replace the following placeholders:

+- `<assignee>`:

+ - For an Azure AD user, enter their email address or the user object ID.

+ - For a group, enter the group object ID.

+ - For a service principal, enter the service principal object ID.

+ - For a managed identity, enter the object ID.

+- `<roleNameOrId>`:

+ - For Grafana Admin, enter `Grafana Admin` or `22926164-76b3-42b3-bc55-97df8dab3e41`.

+ - For Grafana Editor, enter `Grafana Editor` or `a79a5197-3a5c-4973-a920-486035ffd60f`.

+ - For Grafana Viewer, enter `Grafana Viewer` or `60921a7e-fef1-4a43-9b16-a26c52ad4769`.

+- `<scope>`: enter the full ID of the Azure Managed Grafana instance.

+```azurecli

+az role assignment create --assignee "<assignee>" \

+--role "<roleNameOrId>" \

+--scope "<scope>"

+```

+Example:

+```azurecli

+az role assignment create --assignee "name@contoso.com" \

+--role "Grafana Admin" \

+--scope "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/my-rg/providers/Microsoft.Dashboard/grafana/my-grafana"

+```

+For more information about assigning Azure roles using the Azure CLI, refer to the [Role based access control documentation](../role-based-access-control/role-assignments-cli.md).

+> [Share a Grafana dashboard or panel](./how-to-share-dashboard.md).

+Snapshot backups are enabled by default and taken every 24 hours. Backups are stored in an internal Azure Blob Storage account and are retained for up to 2 days (48 hours). There's no cost for the initial 2 backups. Additional backups will be charged, see [pricing](https://azure.microsoft.com/pricing/details/managed-instance-apache-cassandra/). To change the backup interval or retention period, or to restore from an existing backup, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal.

+Data-in replication allows you to synchronize data from an external MySQL server into an Azure Database for MySQL flexilbe server. The external server can be on-premises, in virtual machines, Azure Database for MySQL single server, or a database service hosted by other cloud providers. Data-in replication is based on the binary log (binlog) file position-based. To learn more about binlog replication, see the [MySQL binlog replication overview](https://dev.mysql.com/doc/refman/5.7/en/binlog-replication-configuration-overview.html).

+Parameter `replicate_wild_ignore_table` is used to create replication filter for tables on the replica server. To modify this parameter from Azure portal, navigate to Azure Database for MySQL flexible server used as replica and select "Server Parameters" to view/edit the `replicate_wild_ignore_table` parameter.

+- Binary log files on the source server shouldn't be purged before the replica applies those changes. If the source is Azure Database for MySQL refer how to configure binlog_expire_logs_seconds for [flexible server](./concepts-server-parameters.md#binlog_expire_logs_seconds) or [Single server](../concepts-server-parameters.md#binlog_expire_logs_seconds)

+Data-out replication allows you to synchronize data out of a Azure Database for MySQL flexible server to another MySQL server using MySQL native replication. The MySQL server (replica) can be on-premises, in virtual machines, or a database service hosted by other cloud providers. While [Data-in replication](concepts-data-in-replication.md) helps to move data into an Azure Database for MySQL flexible server (replica), Data-out replication would allow you to transfer data out of an Azure Database for MySQL flexible server (Primary). With Data-out replication, the binary log (binlog) is made community consumable allowing the an Azure Database for MySQL flexible server to act as a Primary server for the external replicas. To learn more about binlog replication, see the [MySQL binlog replication overview](https://dev.mysql.com/doc/refman/5.7/en/binlog-replication-configuration-overview.html).

+Refer to the following general guidance on the replication filter in MySQL manual:

+- **Zone-redundant HA**. This option is preferred for complete isolation and redundancy of infrastructure across multiple availability zones. It provides the highest level of availability, but it requires you to configure application redundancy across zones. Zone-redundant HA is preferred when you want to achieve the highest level of availability against any infrastructure failure in the availability zone and when latency across the availability zone is acceptable. It can be enabled only when the server is created. Zone-redundant HA is available in a [subset of Azure regions](./overview.md#azure-regions) where the region supports multiple [availability zones](../../availability-zones/az-overview.md) and [zone-redundant Premium file shares](../..//storage/common/storage-redundancy.md#zone-redundant-storage) are available.

+- **Same-zone HA**. This option is preferred for infrastructure redundancy with lower network latency because the primary and standby servers will be in the same availability zone. It provides high availability without the need to configure application redundancy across zones. Same-zone HA is preferred when you want to achieve the highest level of availability within a single availability zone with the lowest network latency. Same-zone HA is available in all [Azure regions](./overview.md#azure-regions) where you can use Azure Database for MySQL - Flexible Server.

+- A primary server in one availability zone.

+- A standby replica server that has the same configuration as the primary server (compute tier, compute size, storage size, and network configuration) in another availability zone of the same Azure region.

+> [!NOTE]

+> For both zone-redundant and same-zone HA:

+> - If there's a failure, the time needed for the standby replica to take over the role of primary depends on the binary log application on the standby. So we recommend that you use primary keys on all tables to reduce failover time. Failover times are typically between 60 and 120 seconds.

+> - The standby server isn't available for read or write operations. It's a passive standby to enable fast failover.

+> - Always use a fully qualified domain name (FQDN) to connect to your primary server. Avoid using an IP address to connect. If there's a failover, after the primary and standby server roles are switched, a DNS A record might change. That change would prevent the application from connecting to the new primary server if an IP address is used in the connection string.

+> [!NOTE]

+> [!NOTE]

+> Azure Resource Health event is generated in the event of unplanned failover, representing the failover time during which server was unavailable. The triggered events can be seen when clicked on "Resource Health" in the left pane. Automatic failover is represented by status as **"Unavailable"** and tagged as **"Unplanned"**. Example - "Unavailable : A failover operation was triggered automatically (Unplanned)". If your resource remains in this state for an extended period of time, please open a [support ticket](https://azure.microsoft.com/support/create-ticket/) and we will assist you.

+> [!NOTE]

+> If there are any networking issue between the application and the customer networking endpoint (Private/Public access), either in networking path , on the endpoint or DNS issues in client side, the health check does not monitor this scenario. If you are using private access, make sure that the NSG rules for the VNet does not block the communication to the instance customer networking endpoint on port 3306. For public access make sure that the firewall rules are set and network traffic is allowed on port 3306 (if network path has any other firewalls). The DNS resolution from the client application side also needs to be taken care of.

+- Zone-redundant high availability can be set only when the flexible server is created.

+- High availability isn't supported in the burstable compute tier.

+- Restarting the primary database server to pick up static parameter changes also restarts the standby replica.

+- Data-in Replication isn't supported for HA servers.

+- GTID mode will be turned on as the HA solution uses GTID. Check whether your workload has [restrictions or limitations on replication with GTIDs](https://dev.mysql.com/doc/refman/5.7/en/replication-gtids-restrictions.html).

+ Title: 'Quickstart: Create an Azure Database for MySQL - ARM template'

+In this article, we focus on creation of PostgreSQL server with **Private access (VNet integration)** using Azure portal. With Private access (VNet Integration), you can deploy your flexible server into your own [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md). Azure Virtual Networks provide private and secure network communication. With private access, connections to the PostgreSQL server are restricted to your virtual network. To learn more about it, refer to [Private access (VNet Integration)](./concepts-networking.md#private-access-vnet-integration).

+ > - The virtual network should not have any resource lock set at the VNET or subnet level, as locks may interfere with operations on the network and DNS. Make sure to remove any lock (**Delete** or **Read only**) from your VNET and all subnets before creating the server in a virtual network, and you can set it back after server creation.

+ 2. Select the VNET in which you're planning to deploy your flexible server.

+- If you want to set up your own private DNS zone to use with the flexible server, see [private DNS overview](../../dns/private-dns-overview.md) documentation for more details.

+6. In the **Connectivity method**, select **Private access (VNet Integration)**. Go to **Virtual Network** and select the already existing *virtual network* and *Subnet* created as part of prerequisites.

+> After the flexible server is deployed to a virtual network and subnet, you can't move it to Public access (allowed IP addresses).

+# Create Flexible server in a private virtual network (VNET)

+az postgres flexible-server create --resource-group myresourcegroup --vnet myvnet --location westus2

+- Create a new virtual network for your new postgreSQL server, if you choose to do so after prompted. **Make a note of virtual network name and subnet name** created for your server since you need to add the web app to the same virtual network.

+1. In a browser, open the URL *http:\//\<app-name>.azurewebsites.net*. The app should display the message "No polls are available" because there are no specific polls yet in the database.

+2. Browse to *http:\//\<app-name>.azurewebsites.net/admin*. Sign in using superuser credentials from the previous section (`root` and `postgres1`). Under **Polls**, select **Add** next to **Questions** and create a poll question with some choices.

+3. Browse again to *http:\//\<app-name>.azurewebsites.net/* to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database.

+Browse to *http:\//\<app-name>.azurewebsites.net* and test the app again in production. (Because you only changed the length of a database field, the change is only noticeable if you try to enter a longer response when creating a question.)

+description: Learn about the upcoming changes of root certificate changes that affect Azure Database for PostgreSQL Single server

+## What change was scheduled to be performed starting December 2022 (12/2022)?

+Starting December 2022, the [BaltimoreCyberTrustRoot root certificate](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) is replaced with a **compliant version** known as [DigiCertGlobalRootG2 root certificate ](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem). If your applications take advantage of **verify-ca** or **verify-full** as value of [**sslmode** parameter](https://www.postgresql.org/docs/current/libpq-ssl.html) in the database client connectivity need to follow directions to add new certificates to certificate store to maintain connectivity.

+There are no code or application changes required on client side. if you follow our certificate update recommendation below, you'll still be able to continue to connect as long as **BaltimoreCyberTrustRoot certificate isn't removed** from the combined CA certificate. **We recommend to not remove the BaltimoreCyberTrustRoot from your combined CA certificate until further notice to maintain connectivity.**

+By default, PostgreSQL doesn't perform any verification of the server certificate. This means that it's still theoretically possible to spoof the server identity (for example by modifying a DNS record or by taking over the server IP address) without the client knowing. In order to prevent any possibility spoofing, SSL certificate verification on the client must be used. Such verification can be set via application client connection string [**ssl mode**](https://www.postgresql.org/docs/13/libpq-ssl.html) value - **verify-ca** or **verify-full**. If these ssl-mode values are chosen, you should follow directions in next section.

+* Optionally, to prevent future disruption, it's also recommended to add the following roots to the trusted store:

+> Please don't drop or alter **Baltimore certificate** until the cert change is made. We will send a communication once the change is done, after which it's safe for them to drop the Baltimore certificate.

+You may start receiving connectivity errors while connecting to your Azure Database for PostgreSQL server. You need to configure SSL with [BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) certificate again to maintain connectivity.

+If you are using a client that abstracts the connection string away, review the client's documentation to understand whether it verifies certificates. To understand PostgreSQL sslmode, review the [SSL mode descriptions](https://www.postgresql.org/docs/11/libpq-ssl.html#ssl-mode-descriptions) in PostgreSQL documentation.

+If you are trying to connect to the Azure Database for PostgreSQL using Azure Kubernetes Services (AKS), it's similar to access from a dedicated customers host environment. Refer to the steps [here](../../aks/ingress-own-tls.md).

+For connector using Self-hosted Integration Runtime where you explicitly include the path to SSL cert file in your connection string, you need to download the [new certificate](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) and update the connection string to use it.

+For servers created after November 30, 2022, you'll continue to use the [BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) together with new [DigiCertGlobalRootG2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) root certificates in your database client SSL certificate store for your applications to connect using SSL.

+These certificates used by Azure Database for PostgreSQL are provided by trusted Certificate Authorities (CA). So the support of these certificates is tied to the support of these certificates by CA. The [BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) certificate is scheduled to expire in 2025 so Microsoft need to perform a certificate change before the expiry. Also in case if there are unforeseen bugs in these predefined certificates, Microsoft needs to make the certificate rotation at the earliest similar to the change performed on February 15, 2021 to ensure the service is secure and compliant always.

+### 10. If I am using read replicas, do I need to perform this update only on the primary server , or the read replicas?

+Since this update is a client-side change, if the client used to read data from the replica server, you need to apply the changes for those clients as well.

+There are many tools that you can use. For example, DigiCert has a handy [tool](https://www.digicert.com/help/) that shows you the certificate chain of any server name. (This tool works with publicly accessible server; it cannot connect to server that is contained in a virtual network (VNET)).

+Another tool you can use is OpenSSL in the command line, you can use this syntax to check certificates:

+If you have questions, get answers from community experts in [Microsoft Q&A](mailto:AzureDatabaseforPostgreSQL@service.microsoft.com). If you have a support plan and you need technical help, please create a [support request](../../azure-portal/supportability/how-to-create-azure-support-request.md):

+ Title: 'Quickstart: Create an Azure Database for PostgreSQL - ARM template'

+| AP5GC Cluster Node VM | Standard_F16s_HPN | 16 | 32 | Ephemeral - 128 GB </br> Persistent - 102 GB | AP5GC workload node |

+## Remaining usable resource on ASE Pro GPU

+The following resources are available within ASE after deploying AP5GC. You can use these resources, for example, to deploy additional virtual machines or storage accounts.

+| Resource | Value |

+|--|--|

+| vCPUs | 16 |

+| Memory | 56 GB |

+| Storage | ~3.75 GB |

+The *site plan* determines an allowance for the throughput and number of radio access network (RAN) connections for each site, as well as the number of devices that each network supports. The plan you selected when creating the site can be updated to support your deployment requirements as they change. In this how-to guide, you'll learn how to modify a site plan using the Azure portal.

+- Verify pricing and charges associated with the site plan to which you want to move. See the [Azure Private 5G Core Pricing page](https://azure.microsoft.com/pricing/details/private-5g-core/) for pricing information.

+| Site Plan | Licensed Throughput | Licensed Activated SIMs | Licensed RANs |

+> The use of application rules over network rules is recommended when inspecting traffic destined to private endpoints in order to maintain flow symmetry. If network rules are used, or an NVA is used instead of Azure Firewall, SNAT must be configured for traffic destined to private endpoints in order to maintain flow symmetry.

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview).

+Traffic is routed to all of your available App Service instances. In the case when a zone goes down, the App Service platform will detect lost instances and automatically attempt to find new replacement instances and spread traffic as needed. If you have [autoscale](../app-service/manage-scale-up.md) configured, and if it decides more instances are needed, autoscale will also issue a request to App Service to add more instances. Note that [autoscale behavior is independent of App Service platform behavior](../azure-monitor/autoscale/autoscale-overview.md) and that your autoscale instance count specification doesn't need to be a multiple of three.

+>[!NOTE]

+>There's no guarantee that requests for additional instances in a zone-down scenario will succeed. The back filling of lost instances occurs on a best-effort basis. The recommended solution is to create and configure your App Service plans to account for losing a zone as described in the next section.

+ Title: Reliability in Azure Batch

+description: Learn about reliability in Azure Batch

+<!--#Customer intent: I want to understand reliability support in Azure Batch so that I can respond to and/or avoid failures in order to minimize downtime and data loss. -->

+# Reliability in Azure Batch

+This article describes reliability support in Azure Batch and covers both intra-regional resiliency with [availability zones](#availability-zone-support) and links to information on [cross-region resiliency with disaster recovery](#disaster-recovery-cross-region-failover).

+## Availability zone support

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Availability zone service and regional support](availability-zones-service-support.md).

+There are three types of Azure services that support availability zones: zonal, zone-redundant, and always-available services. You can learn more about these types of services and how they promote resiliency in the [Azure services with availability zone support](availability-zones-service-support.md#azure-services-with-availability-zone-support).

+Batch maintains parity with Azure on supporting availability zones.

+### Prerequisites

+- For [user subscription mode Batch accounts](../batch/accounts.md#batch-accounts), make sure that the subscription in which you're creating your pool doesn't have a zone offer restriction on the requested VM SKU. To see if your subscription doesn't have any restrictions, call the [Resource Skus List API](/rest/api/compute/resource-skus/list?tabs=HTTP) and check the `ResourceSkuRestrictions`. If a zone restriction exists, you can submit a support ticket to remove the zone restriction.

+- Because InfiniBand doesn't support inter-zone communication, you can't create a pool with a zonal policy if it has inter-node communication enabled and uses a [VM SKU that supports InfiniBand](../virtual-machines/workloads/hpc/enable-infiniband.md).

+- Batch maintains parity with Azure on supporting availability zones. To use the zonal option, your pool must be created in an [Azure region with availability zone support](availability-zones-service-support.md#azure-regions-with-availability-zone-support).

+- To allocate your Batch pool across availability zones, the Azure region in which the pool was created must support the requested VM SKU in more than one zone. To validate that the region supports the requested VM SKU in more than one zone, call the [Resource Skus List API](/rest/api/compute/resource-skus/list?tabs=HTTP) and check the `locationInfo` field of `resourceSku`. Ensure that more than one zone is supported for the requested VM SKU. You can also use the [Azure CLI](/rest/api/compute/resource-skus/list?tabs=CLI) to list all available Resource SKUs with the following command:

+ ```azurecli

+

+ az vm list-skus

+

+ ```

+### Create an Azure Batch pool across availability zones

+For examples on how to create a Batch pool across availability zones, see [Create an Azure Batch pool across Availability Zones](/azure/batch/create-pool-availability-zones).

+Learn more about creating Batch accounts with the [Azure portal](../batch/batch-account-create-portal.md), the [Azure CLI](../batch/scripts/batch-cli-sample-create-account.md), [PowerShell](../batch/batch-powershell-cmdlets-get-started.md), or the [Batch management API](../batch/batch-management-dotnet.md).

+### Zone down experience

+During a zone down outage, the nodes within that zone become unavailable. Any nodes within that same node pool from other zone(s) aren't impacted and continue to be available.

+Azure Batch account doesn't reallocate or create new nodes to compensate for nodes that have gone down due to the outage. Users are required to add more nodes to the node pool, which are then allocated from other healthy zone(s).

+### Fault tolerance

+To prepare for a possible availability zone failure, you should over-provision capacity of service to ensure that the solution can tolerate 1/3 loss of capacity and continue to function without degraded performance during zone-wide outages. Since the platform spreads VMs across three zones and you need to account for at least the failure of one zone, multiply peak workload instance count by a factor of zones/(zones-1), or 3/2. For example, if your typical peak workload requires four instances, you should provision six instances: (2/3 * 6 instances) = 4 instances.

+## Disaster recovery: cross region failover

+Azure Batch is available in all Azure regions. However, when a Batch account is created, it must be associated with one specific region. All subsequent operations for that Batch account only apply to that region. For example, pools and associated virtual machines (VMs) are created in the same region as the Batch account.

+When designing an application that uses Batch, you must consider the possibility that Batch may not be available in a region. It's possible to encounter a rare situation where there's a problem with the region as a whole, the entire Batch service in the region, or your specific Batch account.

+If the application or solution using Batch must always be available, then it should be designed to either failover to another region or always have the workload split between two or more regions. Both approaches require at least two Batch accounts, with each account located in a different region.

+You're responsible for setting up cross-region disaster recovery with Azure Batch. If you run multiple Batch accounts across specific regions and take advantage of availability zones, your application can meet your disaster recovery objectives when one of your Batch accounts becomes unavailable.

+When providing the ability to failover to an alternate region, all components in a solution must be considered; it's not sufficient to simply have a second Batch account. For example, in most Batch applications, an Azure storage account is required. The storage account and Batch account must be in the same region for acceptable performance.

+Consider the following points when designing a solution that can failover:

+- Precreate all required services in each region, such as the Batch account and the storage account. There's often no charge for having accounts created, and charges accrue only when the account is used or when data is stored.

+- Make sure ahead of time that the [appropriate quotas](/azure/batch/batch-quota-limit) are set for all **user subscription** Batch accounts, to allocate the required number of cores using the Batch account.

+- Use templates and/or scripts to automate the deployment of the application in a region.

+- Keep application binaries and reference data up to date in all regions. Staying up to date will ensure that the region can be brought online quickly without having to wait for the upload and deployment of files. For example, consider the case where a custom application to install on pool nodes is stored and referenced using Batch application packages. When an update of the application is released, it should be uploaded to each Batch account and referenced by the pool configuration (or make the latest version the default version).

+- In the application calling Batch, storage, and any other services, make it easy to switch over clients or the load to different regions.

+- Consider frequently switching over to an alternate region as part of normal operation. For example, with two deployments in separate regions, switch over to the alternate region every month.

+The duration of time to recover from a disaster depends on the setup you choose. Batch itself is agnostic regarding whether you're using multiple accounts or a single account. In active-active configurations, where two Batch instances are receiving traffic simultaneously, disaster recovery is faster than for an active-passive configuration. Which configuration you choose should be based on business needs (different regions, latency requirements) and technical considerations.

+### Single-region geography disaster recovery

+How you implement disaster recovery in Batch is the same, whether you're working in a single-region or multi-region geography. The only differences are which SKU you use for storage, and whether you intend to use the same or different storage account across all regions.

+### Disaster recovery testing

+You should perform your own disaster recovery testing of your Batch enabled solution. It's considered a best practice to enable easy switching between client and service load across different regions.

+Testing your disaster recovery plan for Batch can be as simple as alternating Batch accounts. For example, you could rely on a single Batch account in a specific region for one operational day. Then, on the next day, you could switch to a second Batch account in a different region. Disaster recovery is primarily managed on the client side. This multiple-account approach to disaster recovery takes care of RTO and RPO expectations in either single-region or multiple-region geographies.

+### Capacity and proactive disaster recovery resiliency

+Microsoft and its customers operate under the Shared Responsibility model. Microsoft is responsible for platform and infrastructural resiliency. You are responsible for addressing disaster recovery for any specific service you deploy and control. To ensure that recovery is proactive:

+- You should always predeploy secondaries. The predeployment of secondaries is necessary because there's no guarantee of capacity at time of impact for those who haven't preallocated such resources.

+- Precreate all required services in each region, such as your Batch accounts and associated storage accounts. There's no charge for creating new accounts; charges accrue only when the account is used or when data is stored.

+- Make sure [appropriate quotas](../batch/batch-quota-limit.md) are set on all subscriptions ahead of time, so you can allocate the required number of cores using the Batch account. As with other Azure services, there are limits on certain resources associated with the Batch service. Many of these limits are default quotas applied by Azure at the subscription or account level. Keep these quotas in mind as you design and scale up your Batch workloads.

+>[!NOTE]

+>If you plan to run production workloads in Batch, you may need to increase one or more of the quotas above the default. To raise a quota, you can request a quota increase at no charge. For more information, see [Request a quota increase](../batch/batch-quota-limit.md#increase-a-quota).

+#### Storage

+You must configure Batch storage to ensure data is backed up cross-region; customer responsibility is the default. Most Batch solutions use Azure Storage for storing [resource files](../batch/resource-files.md) and output files. For example, your Batch tasks (including standard tasks, start tasks, job preparation tasks, and job release tasks) typically specify resource files that reside in a storage account. Storage accounts also store data that is processed and any output data that is generated. Understanding possible data loss across the regions of your service operations is an important consideration. You must also confirm whether data is rewritable or read-only.

+Batch supports the following types of Azure Storage accounts:

+- General-purpose v2 (GPv2) accounts

+- General-purpose v1 (GPv1) accounts

+- Blob storage accounts (currently supported for pools in the Virtual Machine configuration)

+For more information about storage accounts, see [Azure storage account overview](../storage/common/storage-account-overview.md).

+You can associate a storage account with your Batch account when you create the account or do this step later.

+If you're setting up a separate storage account for each region your service is available in, you must use zone-redundant storage (ZRS) accounts. Use geo-zone-redundant storage (GZRS) accounts if you're using the same storage account across multiple paired regions. For geographies that contain a single region, you must create a zone-redundant storage (ZRS) account because GZRS isn't available.

+Capacity planning is another important consideration with storage and should be addressed proactively. Consider your cost and performance requirements when choosing a storage account. For example, the GPv2 and blob storage account options support greater [capacity and scalability limits](https://azure.microsoft.com/blog/announcing-larger-higher-scale-storage-accounts/) compared with GPv1. (Contact Azure Support to request an increase in a storage limit.) These account options can improve the performance of Batch solutions that contain a large number of parallel tasks that read from or write to the storage account.

+When a storage account is linked to a Batch account, think of it as the autostorage account. An autostorage account is required if you plan to use the [application packages](../batch/batch-application-packages.md) capability, as it's used to store the application package .zip files. An autostorage account can also be used for [task resource files](../batch/resource-files.md#storage-container-name-autostorage); since the autostorage account is already linked to the Batch account, this avoids the need for shared access signature (SAS) URLs to access the resource files.

+## Next steps

+> [!div class="nextstepaction"]

+> [Resiliency in Azure](/azure/availability-zones/overview)

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview).

+During a zone-wide outage, the customer should expect a brief degradation of performance, until the service's self-healing rebalances underlying capacity to adjust to healthy zones. This isn't dependent on zone restoration; it's expected that the Microsoft-managed service self-healing state compensates for a lost zone, using capacity from other zones.

+Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs autofailover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Availability zone service and regional support](availability-zones-service-support.md).

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](availability-zones-overview.md).

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. Availability zones are designed to ensure high availability in the case of a local zone failure. When one zone experiences a failure, the remaining two zones support all regional services, capacity, and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Availability zone service and regional support](availability-zones-service-support.md).

+[Azure Batch](reliability-batch.md)|

+ "arrAccountDomain": "<select from available regions or specify the full url>"

+ "remoteRenderingDomain": "<select from available regions or specify the full url>",

+The `arrAccountDomain` should be a region from [list of available regions](../reference/regions.md). If you're running on a nonpublic Azure region, you have to specify the full url to the account authentication service in your region.

+- **maxLeaseTime:** The duration for which you want to lease the VM. The VM shuts down when the lease expires. The lease time can be extended later (see [here](#change-session-properties)).

+- **remoteRenderingDomain:** The region where the remote rendering VM resides in.

+ - Can differ from the arrAccountDomain, but still should be a region from [list of available regions](../reference/regions.md)

+ - If you're running on a nonpublic Azure region, you have to specify the full url to the remote rendering service in your region.

+The script calls the [session management REST API](../how-tos/session-rest-api.md) to spin up a rendering VM with the specified settings. On success, it retrieves the *sessionId*. Afterwards it polls the session properties until the session is ready or an error occurred.

+.\RenderingSession.ps1 -ArrAccountDomain <arrAccountDomain> -RemoteRenderingDomain <remoteRenderingDomain> -VmSize <vmsize> -MaxLeaseTime <hh:mm:ss>

+> Make sure you have filled out the *accountSettings* and *assetConversionSettings* sections, and the *remoteRenderingDomain* option in the *renderingSessionSettings* in arrconfig.json.

+1. Upload all files contained in the `assetConversionSettings.modelLocation` to the input blob container under the given `inputFolderPath`.

+* **ArrAccountDomain:** override for arrAccountDomain of accountSettings

+* **RemoteRenderingDomain:** override for remoteRenderingDomain of renderingSessionSettings

+For example you can combine the given options like this:

+The script returns a *conversionId*.

+> To use an existing user-assigned managed identity for deploying a new SAP system or registering an existing system, the user must also have the **Managed Identity Operator** role. This role is required to assign a user-assigned managed identity to the Virtual Instance for SAP solutions resource.

+> [!NOTE]

+> If you're creating a new user-assigned managed identity when you deploy a new SAP system or register an existing system, the user must also have the **Managed Identity Contributor** and **Managed Identity Operator** roles. These roles are required to create a user-assigned identity, make necessary role assignments to it and assign it to the VIS resource.

+| **Managed Identity Operator** |

+| **Managed Identity Operator** |

+|**Zero Trust (TIC3.0)** | Provides an automated visualization of Zero Trust principles, cross-walked to the [Trusted Internet Connections framework](https://www.cisa.gov/resources-tools/programs/trusted-internet-connections-tic). <br><br>For more information, see the [Zero Trust (TIC 3.0) workbook announcement blog](https://techcommunity.microsoft.com/t5/public-sector-blog/announcing-the-azure-sentinel-zero-trust-tic3-0-workbook/ba-p/2313761). |

+Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the **Microsoft Threat Intelligence Analytics** rule. Check the prerequisites to validate which logs this rule will match indicators with.

+- Office activity logs

+- Azure activity logs

+- **Office activity logs** ingested into the **OfficeActivity** table will match IPv4 indicators directly from the `ClientIP` field.

+- **Azure activity logs** ingested into the **AzureActivity** table will match IPv4 indicators directly from the `CallerIpAddress` field.

+[Azure-servicebus-jms](https://central.sonatype.com/artifact/com.microsoft.azure/azure-servicebus-jms/1.0.0)

+> To add the [Azure-servicebus-jms](https://central.sonatype.com/artifact/com.microsoft.azure/azure-servicebus-jms/1.0.0) to the build path, use the preferred dependency management tool for your project like [Maven](https://maven.apache.org/) or [Gradle](https://gradle.org/).

+* [Learn how to migrate from ActiveMQ to Service Bus](migrate-jms-activemq-to-servicebus.md)

+> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Azure Active Directory (AAD) backed authentication. When using AAD backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#assigning-azure-roles-for-access-rights) to the identity as needed.

+The Connection factory can then be instantiated with the below parameters.

+ * Host - the hostname of the Azure Service Bus Premium tier namespace.

+The factory can be created as shown here. The token credential and host are required parameters, but the other properties are optional.

+The Connection factory can then be instantiated with the below parameters.

+ * Host - the hostname of the Azure Service Bus Premium tier namespace.

+The factory can be created as shown here. The token credential and host are required parameters, but the other properties are optional.

+```java

+String host = "<YourNamespaceName>.servicebus.windows.net";

+ConnectionFactory factory = new ServiceBusJmsConnectionFactory(tokenCredential, host, null);

+```

+# [Service Principal](#tab/service-principal-backed-authentication)

+Create a [service principal](authenticate-application.md#register-your-application-with-an-azure-ad-tenant) on Azure, and use this identity to create a `TokenCredential`.

+```java

+TokenCredential tokenCredential = new new ClientSecretCredentialBuilder()

+                .tenantId("")

+                .clientId("")

+                .clientSecret("")

+                .build();;

+```

+The Connection factory can then be instantiated with the below parameters.

+ * Token credential - Represents a credential capable of providing an OAuth token.

+ * Host - the hostname of the Azure Service Bus Premium tier namespace.

+ * ServiceBusJmsConnectionFactorySettings property bag, which contains

+ * connectionIdleTimeoutMS - idle connection timeout in milliseconds.

+ * traceFrames - boolean flag to collect AMQP trace frames for debugging.

+ * *other configuration parameters*

+The factory can be created as shown here. The token credential and host are required parameters, but the other properties are optional.

+The Connection factory can be instantiated with the below parameters.

+ Title: Manage authentication in Service Connector

+description: Learn how to select and manage authentication parameters in Service Connector.

+# Manage authentication within Service Connector

+In this guide, learn about the different authentication options available in Service Connector, and how to customize environment variables.

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free).

+- An Azure App Service, Azure Container Apps or Azure Spring Apps instance.

+- This guide assumes that you already know how the basics of connecting services using Service Connector. To review our quickstarts, go to [App Service](quickstart-portal-app-service-connection.md), [Container Apps](quickstart-portal-container-apps.md) or [Azure Spring Apps](quickstart-portal-spring-cloud-connection.md).

+## Start creating a new connection

+1. Within your App Service, Container Apps or Azure Spring Apps instance, open Service Connector and fill out the form in the **Basics** tab with the required information about your compute and target services.

+1. Select **Next : Authentication**.

+## Select an authentication option

+Select one of the four different authentication options offered by Service Connector to connect your Azure services together:

+- **System assigned managed identity**: provides an automatically managed identity tied to the resource in Azure Active Directory (Azure AD)

+- **User assigned managed identity**: provides an identity that can be used on multiple resources

+- **Connection string**: provides one or multiple key-value pairs with secrets or tokens

+- **Service principal**: creates a service principal that defines the access policy and permissions for the user/application in the Azure AD tenant

+Service Connector offers the following authentication options:

+| Target resource | System assigned managed identity | User assigned managed identity | Connection string | Service principal |

+|-|--|--|--|--|

+| App Configuration |  |  |  |  |

+| Azure SQL |  | |  | |

+| Azure Cache for Redis | | |  | |

+| Azure Cache for Redis Enterprise | | |  | |

+| Azure Cosmos DB - Cassandra |  |  |  |  |

+| Azure Cosmos - Gremlin |  |  |  |  |

+| Azure Cosmos DB for MongoDB |  |  |  |  |

+| Azure Cosmos Table |  |  |  |  |

+| Azure Cosmos - SQL |  |  |  |  |

+| Blob Storage |  |  |  |  |

+| Confluent Cloud | | |  | |

+| Event Hubs |  |  |  |  |

+| Keyvault |  |  | |  |

+| MySQL single server |  | | | |

+| MySQL flexible server |  | |  | |

+| Postgres single server |  | |  | |

+| Postgres, flexible server |  | |  | |

+| Storage Queue |  |  |  |  |

+| Storage File | | |  | |

+| Storage Table | | |  | |

+| Service Bus |  |  |  |  |

+| SignalR |  |  |  |  |

+| WebPub Sub |  |  |  |  |

+## Review or update authentication configuration

+## [System assigned managed identity](#tab/managed-identity)

+When using a system-assigned managed identity, optionally review or update its authentication configuration by following these steps:

+1. Select **Advanced** to display more options.

+1. Under **Role**, review the default role selected for your source service or choose another one from the list.

+1. Under **Configuration information**, Service Connector lists a series of configuration settings that will be generated when you create the connection. This list consists of environment variables or application properties. It varies depending on the target resource and authentication method selected. Optionally select the edit button in front of each configuration setting to edit its key.

+1. Select **Done** to confirm.

+ :::image type="content" source="./media/manage-authentication/managed-identity-advanced.png" alt-text="Screenshot of the Azure portal, showing advanced authentication configuration for a system-assigned managed identity.":::

+## [User assigned managed identity](#tab/user-assigned-identity)

+When using a user-assigned managed identity, review or edit its authentication settings by following these steps:

+1. Under **Subscription**, select the Azure subscription that contains your user-assigned managed identity.

+1. Under **User assigned managed identity**, select the managed identity you want to use.

+ :::image type="content" source="./media/manage-authentication/user-assigned-identity-basic.png" alt-text="Screenshot of the Azure portal, showing basic authentication configuration for a user-assigned managed identity.":::

+1. Optionally select **Advanced** to display more options.

+ 1. Under **Role**, review the default role selected for your source service or choose another one from the list.

+ 1. Under **Configuration information**, Service Connector lists a series of configuration settings that will be generated when you create the connection. This list consists of environment variables or application properties and varies depending on the target resource and authentication method selected. Optionally select the edit button in front of each configuration setting to edit its key.

+ 1. Select **Done** to confirm.

+ :::image type="content" source="./media/manage-authentication/user-assigned-identity-advanced.png" alt-text="Screenshot of the Azure portal, showing advanced authentication configuration for a user-assigned managed identity.":::

+## [Connection string](#tab/connection-string)

+When using a connection string, review or edit its authentication settings by following these steps:

+1. Optionally select **Store Secret in Key Vault** to save your connection credentials in Azure Key Vault. This option lets you select an existing Key Vault connection from a drop-down list or create a new connection to a new or an existing Key Vault.

+ :::image type="content" source="./media/manage-authentication/connection-string-basic-with-key-vault.png" alt-text="Screenshot of the Azure portal, showing basic authentication configuration to authenticate with a connection-string.":::

+1. Optionally select **Advanced** to display more options.

+ 1. Under **Configuration information**, Service Connector lists a series of configuration settings that will be generated when you create the connection. This list consists of environment variables or application properties and varies depending on the target resource and authentication method selected. Optionally select the edit button in front of each configuration setting to edit its key.

+ 1. Select **Done** to confirm.

+ :::image type="content" source="./media/manage-authentication/connection-string-advanced.png" alt-text="Screenshot of the Azure portal, showing advanced authentication configuration to authenticate with a connection-string.":::

+## [Service principal](#tab/service-principal)

+When connecting Azure services using a service principal, review or edit authentication settings by following these steps:

+1. Choose a service principal by entering an object ID or name and selecting your service principal.

+1. Under **Secret**, enter the secret of the service principal.

+1. Optionally select **Store Secret in Key Vault** to save your connection credentials in Azure Key Vault. This option lets you select an existing Key Vault connection from a drop-down list or create a new connection to a new or an existing Key Vault.

+ :::image type="content" source="./media/manage-authentication/service-principal-basic-with-key-vault.png" alt-text="Screenshot of the Azure portal, showing basic authentication configuration to authenticate with a service principal.":::

+1. Optionally select **Advanced** to display more options.

+ 1. Under **Configuration information**, Service Connector lists a series of configuration settings that will be generated when you create the connection. This list consists of environment variables or application properties and varies depending on the target resource and authentication method selected. Optionally select the edit button in front of each configuration setting to edit its key.

+ 1. Select **Done** to confirm.

+ :::image type="content" source="./media/manage-authentication/service-principal-advanced.png" alt-text="Screenshot of the Azure portal, showing advanced authentication configuration to authenticate with a service principal.":::

+1. Select **Review + Create** and then **Create** to finalize the creation of the connection.

+## Check authentication configuration

+You can review authentication configuration on the following pages in the Azure portal:

+- When creating the connection, select the **Review + Create** tab and check the information listed under **Authentication**.

+ :::image type="content" source="./media/manage-authentication/review-authentication.png" alt-text="Screenshot of the Azure portal, showing a summary of connection authentication configuration.":::

+- After you've created the connection, in the **Service connector** page, configuration keys are listed.

+ :::image type="content" source="./media/manage-authentication/review-keys-after-creation.png" alt-text="Screenshot of the Azure portal, showing a summary of authentication configuration keys.":::

+## Next steps

+> [!div class="nextstepaction"]

+> [Service Connector internals](./concept-service-connector-internals.md)

+`https://myaccount.blob.core.windows.net/default.html`

+> The examples in this article assume that you've created a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) object by using the guidance in the [Get started with Azure Blob Storage and JavaScript](storage-blob-javascript-get-started.md) article. Blobs in Azure Storage are organized into containers. Before you can upload a blob, you must first create a container. To learn how to create a container, see [Create a container in Azure Storage with JavaScript](storage-blob-container-create-javascript.md).

+> The examples in this article assume that you've created a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) object by using the guidance in the [Get started with Azure Blob Storage and JavaScript](storage-blob-javascript-get-started.md) article. Blobs in Azure Storage are organized into containers. Before you can upload a blob, you must first create a container. To learn how to create a container, see [Create a container in Azure Storage with JavaScript](storage-blob-container-create-javascript.md).

+[API reference](/dotnet/api/azure.storage.blobs) | [Library source code](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/storage/Azure.Storage.Blobs) | [Package (NuGet)](https://www.nuget.org/packages/Azure.Storage.Blobs) | [Samples](../common/storage-samples-dotnet.md?toc=/azure/storage/blobs/toc.json#blob-samples) | [Give feedback](https://github.com/Azure/azure-sdk-for-net/issues)

+This section walks you through preparing a project to work with the Azure Blob Storage client library for .NET.

+From your project directory, install packages for the Azure Blob Storage and Azure Identity client libraries using the `dotnet add package` command. The Azure.Identity package is needed for passwordless connections to Azure services.

+dotnet add package Azure.Identity

+using Azure.Identity;

+Blob client library information:

+The following example creates a `BlobServiceClient` object authorized using `DefaultAzureCredential`:

+public BlobServiceClient GetBlobServiceClient(string accountName)

+ BlobServiceClient client = new(

+ new Uri($"https://{accountName}.blob.core.windows.net"),

+ new DefaultAzureCredential());

+ return client;

+[API reference](/jav?toc=/azure/storage/blobs/toc.json#blob-samples) | [Give feedback](https://github.com/Azure/azure-sdk-for-java/issues)

+[API reference](/javascript/api/preview-docs/@azure/storage-blob) | [Package (npm)](https://www.npmjs.com/package/@azure/storage-blob) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/storage/storage-blob) | [Samples](../common/storage-samples-javascript.md?toc=/azure/storage/blobs/toc.json#blob-samples) | [Give feedback](https://github.com/Azure/azure-sdk-for-js/issues)

+ms.devlang: javascript

+[API reference](/python/api/azure-storage-blob) | [Package (PyPi)](https://pypi.org/project/azure-storage-blob/) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-blob) | [Samples](../common/storage-samples-python.md?toc=/azure/storage/blobs/toc.json#blob-samples) | [Give feedback](https://github.com/Azure/azure-sdk-for-python/issues)

+Create a [BlobBatchClient](/javascript/api/@azure/storage-blob/blobbatchclient). Use the client to create a batch with the [createBatch()](/javascript/api/@azure/storage-blob/blobbatchclient#@azure-storage-blob-blobbatchclient-createbatch) method. When the batch is ready, [submit](/javascript/api/@azure/storage-blob/blobbatchclient#@azure-storage-blob-blobbatchclient-submitbatch) the batch for processing. Use the returned structure to validate each blob's operation was successful.

+ includeLegalHold: false, // include legal hold

+ includeUncommitedBlobs: false, // include uncommitted blobs

+- [Blob versioning](versioning-overview.md)

+ ```

+>To guarantee compatibility, make sure the CIM files storing your MSIX images are generated on a version of Windows that is lower than or equal to the version of Windows where you are planning to run the MSIX packages. For example, CIM files generated on Windows 11 may not work on Windows 10.

+ - Windows 11 Enterprise single or multi-session with the [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.

+ - Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.

+ - Windows Server 2022 with the [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.

+ Get-AzWvdApplication -ApplicationGroupName <ApplicationGroupName> -ResourceGroupName <ResourceGroupName> | Select-Object Name, FilePath, ObjectId

+- Windows 11 Enterprise single or multi-session with the [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.

+- Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.

+- Windows Server 2022 with the [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.

+For more detailed instructions for how to configure Windows Defender, see [Configure Windows Defender Antivirus exclusions on Windows Server](/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus/).

+> [!WARNING]

+> For the Node Configuration name, make sure the node configuration exists in Azure State Configuration. If it does not, the extension deployment will return a failure.

+Make sure you are using the name of the *Node Configuration* and not the Configuration.

+This example shows you how to deny extensions published by 'Microsoft. Compute' by creating a rules file in Azure Cloud Shell, but if you're working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.

+When you're done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.

+This example shows you how to create a parameters file for VMs in Cloud Shell, but if you're working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.

+When you're done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.

+ The policy rules and parameter values below are the files you created and stored as .json files in your Cloud Shell. Replace the file paths as needed.

+This example assigns the policy to a resource group using [New-AzPolicyAssignment](/powershell/module/az.resources/new-azpolicyassignment). Any VM created in the **myResourceGroup** resource group won't be able to install the VM Access Agent or Custom Script extensions.

+To test the policy, try to use the VM Access extension. The following should fail with the message "Set-AzVMAccessExtension: Resource 'myVMAccess' was disallowed by policy."

+- China North 3 (public preview)

+To access the Azure VM Image Builder public preview in the Fairfax regions (USGov Arizona and USGov Virginia), you must register the *Microsoft.VirtualMachineImages/FairfaxPublicPreview* feature. To do so, run the following command in either PowerShell or Azure CLI:

+To access the Azure VM Image Builder public preview in the China North 3 region, you must register the *Microsoft.VirtualMachineImages/FairfaxPublicPreview* feature. To do so, run the following command in either PowerShell or Azure CLI:

+### [Azure PowerShell](#tab/azure-powershell)

+```powershell

+Register-AzProviderPreviewFeature -ProviderNamespace Microsoft.VirtualMachineImages -Name MooncakePublicPreview

+```

+### [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+az feature register --namespace Microsoft.VirtualMachineImages --name MooncakePublicPreview

+```

+- Encryption of VMs in subscriptions that have the [Secrets should have the specified maximum validity period](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F342e8053-e12e-4c44-be01-c3c2f318400f) policy enabled with the [DENY effect](../../governance/policy/concepts/effects.md).

+Legacy VM Sizes are not supported. You can find the list of supported VM sizes by either using resource SKU APIs or the Azure PowerShell module. You can't find the supported sizes using the CLI.

+When calling the [Resource Skus API](/rest/api/compute/resourceskus/list), check that the `EncryptionAtHostSupported` capability is set to **True**.

+For the Azure PowerShell module, use the [Get-AzComputeResourceSku](/powershell/module/az.compute/get-azcomputeresourcesku) cmdlet.

+- China North 3 (Public Preview)

+Register-AzProviderPreviewFeature -ProviderNamespace Microsoft.VirtualMachineImages -Name MooncakePublicPreview

+> [!IMPORTANT]

+> Register the feature `Microsoft.VirtualMachineImages/MooncakePublicPreview` to access the Azure Image Builder public preview in the China North 3 region.

+> [!NOTE]

+> Be aware of versions that are End Of Life (EOL) and no longer supported by Redhat. Uploaded image that are, at or beyond EOL will be supported on a reasonable business effort basis. Link to Redhat's [Product Lifecycle](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux,OpenShift%20Container%20Platform%204)

+- Encryption of VMs in subscriptions that have the [Secrets should have the specified maximum validity period](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F342e8053-e12e-4c44-be01-c3c2f318400f) policy enabled with the [DENY effect](../../governance/policy/concepts/effects.md).

+* [Serial console](/troubleshoot/azure/virtual-machines/serial-console-windows)