-* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

- work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

-* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

-See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this [F5 knowledge article on LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html).

-See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-* Company branding shown on My Apps

-For applications that use password-based SSO or accessed by using [Microsoft Azure AD Application Proxy](../app-proxy/application-proxy.md), you must use Microsoft Edge mobile. For other applications, any mobile browser can be used.

-description: Learn how to configure single sign-on between Azure Active Directory and Mural Identity.

-# Tutorial: Azure AD SSO integration with Mural Identity

-In this tutorial, you'll learn how to integrate Mural Identity with Azure Active Directory (Azure AD). When you integrate Mural Identity with Azure AD, you can:

-* Control in Azure AD who has access to Mural Identity.

-* Enable your users to be automatically signed-in to Mural Identity with their Azure AD accounts.

-* Mural Identity single sign-on (SSO) enabled subscription.

-* Mural Identity supports **SP and IDP** initiated SSO.

-* Mural Identity supports **Just In Time** user provisioning.

-## Add Mural Identity from the gallery

-To configure the integration of Mural Identity into Azure AD, you need to add Mural Identity from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **Mural Identity** in the search box.

-1. Select **Mural Identity** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for Mural Identity

-Configure and test Azure AD SSO with Mural Identity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mural Identity.

-To configure and test Azure AD SSO with Mural Identity, perform the following steps:

-1. **[Configure Mural Identity SSO](#configure-mural-identity-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Mural Identity test user](#create-mural-identity-test-user)** - to have a counterpart of B.Simon in Mural Identity that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **Mural Identity** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Basic SAML Configuration** section, perform the following steps if you wish to configure the application in **SP** initiated mode:

- a. In the **Identifier** text box, type the URL:

- `https://app.mural.co`

- b. In the **Reply URL** text box, type one of the following URLs:

-

- | **Reply URL** |

- |-|

- | `https://api.mural.co/api/v0/authenticate/saml2/callback` |

- | `https://app.mural.co/api/v0/authenticate/saml2/callback` |

- c. In the **Sign-on URL** text box, type one of the following URLs:

- | **Sign-on URL** |

- |--|

- | `https://api.mural.co/api/v0/authenticate/saml2/callback` |

- | `https://app.mural.co/api/v0/authenticate/saml2/callback` |

-1. Mural Identity application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

-1. In addition to above, Mural Identity application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

-1. On the **Set up Mural Identity** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mural Identity.

-1. In the applications list, select **Mural Identity**.

-## Configure Mural Identity SSO

-To configure single sign-on on **Mural Identity** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Mural Identity support team](mailto:support@mural.co). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create Mural Identity test user

-In this section, a user called Britta Simon is created in Mural Identity. Mural Identity supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Mural Identity, a new one is created after authentication.

-* Click on **Test this application** in Azure portal. This will redirect to Mural Identity Sign on URL where you can initiate the login flow.

-* Go to Mural Identity Sign-on URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mural Identity for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the Mural Identity tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mural Identity for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-Once you configure Mural Identity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-You can instead request a larger volume for a PVC. Edit the PVC object, and specify a larger size. This change triggers the expansion of the underlying volume that backs the PV.

-Except for the following two images, AKS images aren't required to run as root:

-[vm-sla]: https://azure.microsoft.com/support/legal/sla/virtual-machines/

- <url>...</url>

-| url | The URL of the request. | No if mode=copy; otherwise yes. |

- az deployment group create --resource-group exampleRG --template-file main.bicep --parameters publisherEmail=<publisher-email> publishername=<publisher-name>

-adobe-target: true

-adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021

-adobe-target-experience: Experience B

-adobe-target-content: ./app-service-web-tutorial-custom-domain-uiex

-The features you use will depend on whether you're in the multitenant service or in an ASE.

-## Multitenant App Service networking features

-Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called *front ends*. The roles that host the customer workload are called *workers*. All the roles in an App Service deployment exist in a multitenant network. Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network.

-| Access restrictions | Gateway-required VNet Integration |

-| Service endpoints | VNet Integration |

-| Access resources in an Azure virtual network in the same region | VNet Integration </br> ASE |

-| Access resources in an Azure virtual network in a different region | VNet Integration and virtual network peering </br> Gateway-required VNet Integration </br> ASE and virtual network peering |

-| Access resources secured with service endpoints | VNet Integration </br> ASE |

-| Access resources across Azure ExpressRoute circuits | VNet Integration </br> ASE |

-| Secure outbound traffic from your web app | VNet Integration and network security groups </br> ASE |

-| Route outbound traffic from your web app | VNet Integration and route tables </br> ASE |

-Azure App Service scale units support many customers in each deployment. The Free and Shared SKU plans host customer workloads on multitenant workers. The Basic and higher plans host customer workloads that are dedicated to only one App Service plan. If you have a Standard App Service plan, all the apps in that plan will run on the same worker. If you scale out the worker, all the apps in that App Service plan will be replicated on a new worker for each instance in your App Service plan.

-This feature allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking. You can use this feature in an ASE or in the multitenant service. When you use it with an ILB ASE, you can restrict access from private address blocks.

-> IP-based access restriction rules only handle virtual network address ranges when your app is in an App Service Environment. If your app is in the multitenant service, you need to use [service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md) to restrict traffic to select subnets in your virtual network.

-* Restrict access to your app to resources in your virtual network. These resources can include VMs, ASEs, or even other apps that use VNet Integration.

-For each access restriction rule, you can add additional http header filtering. This allows you to further inspect the incoming request and filter based on specific http header values. Each header can have up to 8 values per rule. The following list of http headers is currently supported:

-### Gateway-required VNet Integration

-Gateway-required App Service VNet Integration enables your app to make *outbound* requests into an Azure virtual network. The feature works by connecting the host your app is running on to a Virtual Network gateway on your virtual network by using a point-to-site VPN. When you configure the feature, your app gets one of the point-to-site addresses assigned to each instance. This feature enables you to access resources in either classic or Azure Resource Manager virtual networks in any region.

-

-* Access resources on private IPs in your Classic virtual networks.

-* Access resources on-premises if there's a site-to-site VPN.

-* Access resources in cross region VNets that are not peered to a VNet in the region.

-When this feature is enabled, your app will use the DNS server that the destination virtual network is configured with. For more information on this feature, see [App Service VNet Integration][vnetintegrationp2s].

-### Regional VNet Integration

-Gateway-required VNet Integration is useful, but it doesn't solve the problem of accessing resources across ExpressRoute. On top of needing to reach across ExpressRoute connections, there's a need for apps to be able to make calls to services secured by service endpoint. Another VNet Integration capability can meet these needs.

-The regional VNet Integration feature enables you to place the back end of your app in a subnet in a Resource Manager virtual network in the same region as your app. This feature isn't available from an App Service Environment, which is already in a virtual network. Use cases for this feature:

-

-To learn more, see [App Service VNet Integration][vnetintegration].

-With an ASE, you don't need to use VNet Integration because the ASE is already in your virtual network. If you want to access resources like SQL or Azure Storage over service endpoints, enable service endpoints on the ASE subnet. If you want to access resources in the virtual network or private endpoints in the virtual network, you don't need to do any additional configuration. If you want to access resources across ExpressRoute, you're already in the virtual network and don't need to configure anything on the ASE or the apps in it.

-Because the apps in an ILB ASE can be exposed on a private IP address, you can easily add WAF devices to expose just the apps that you want to the internet and help keep the rest secure. This feature can help make the development of multitier applications easier.

-Some things aren't currently possible from the multitenant service but are possible from an ASE. Here are some examples:

-* Scale up to many more instances than are possible in the multitenant service.

-* Force TLS 1.1 across all apps hosted in the system without any ability to disable it at the app level.

- * An ASE doesn't scale immediately like the multitenant service. You need to anticipate scaling needs rather than reactively scaling.

-The features noted for the multitenant service can be used together to solve more elaborate use cases. Two of the more common use cases are described here, but they're just examples. By understanding what the various features do, you can meet nearly all your system architecture needs.

-You might wonder how to put an app into a virtual network. If you put your app into a virtual network, the inbound and outbound endpoints for the app are within the virtual network. An ASE is the best way to solve this problem. But you can meet most of your needs within the multitenant service by combining features. For example, you can host intranet-only applications with private inbound and outbound addresses by:

-* Using the new VNet Integration feature so the back end of your app is in your virtual network.

-### Create multitier applications

-A multitier application is an application in which the API back-end apps can be accessed only from the front-end tier. There are two ways to create a multitier application. Both start by using VNet Integration to connect your front-end web app to a subnet in a virtual network. Doing so will enable your web app to make calls into your virtual network. After your front-end app is connected to the virtual network, you need to decide how to lock down access to your API application. You can:

-* Host the front end in the multitenant service and the back end in an ILB ASE.

-* Host both the front end and the API app in the multitenant service.

-If you're hosting both the front end and API app for a multitier application, you can:

-* When you use service endpoints, you only need to secure traffic to your API app to the integration subnet. This helps to secure the API app, but you could still have data exfiltration from your front-end app to other apps in the app service.

-Line-of-business (LOB) applications are internal applications that aren't normally exposed for access from the internet. These applications are called from inside corporate networks where access can be strictly controlled. If you use an ILB ASE, it's easy to host your line-of-business applications. If you use the multitenant service, you can either use private endpoints or use service endpoints combined with an application gateway. There are two reasons to use an application gateway with service endpoints instead of using private endpoints:

-If you scan App Service, you'll find several ports that are exposed for inbound connections. There's no way to block or control access to these ports in the multitenant service. Here's the list of exposed ports:

-Because subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, use a `/26` with 64 addresses. When creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /27 is required.

-You can control what traffic goes through the virtual network integration. There are three types of routing to consider when you configure regional virtual network integration. [Application routing](#application-routing) defines what traffic is routed from your app and into the virtual network. [Configuration routing](#configuration-routing) affects operations that happen before or during startup of you app. Examples are container image pull and app settings with Key Vault reference. [Network routing](#network-routing) is the ability to handle how both app and configuration traffic is routed from your virtual network and out.

-Bringing you own storage for content in often used in Functions where [content storage](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.

-* Ensure that a default site is configured and is listening at 127.0.0.1.

-* The call to `http://127.0.0.1:port` should return an HTTP result code of 200. This should be returned within the 30-second timeout period.

-* Ensure that the port configured is open and that there are no firewall rules or Azure Network Security Groups, which block incoming or outgoing traffic on the port configured.

-* [Container Probes]https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#httpgetaction-v1-core)

-## Access Audit Logs

-These logs are stored in Azure and can't be accessed directly. If you need to access these logs, file a support ticket. For more information, see [Contact Microsoft Support](https://azure.microsoft.com/support/options/).

-Once the support ticket is filed, Microsoft will download and provide you access to these logs.

-* **config** - View and change settings to enable features and control agent behavior

-The following versions of the Windows and Linux operating system are officially supported for the Azure Connected Machine agent:

-* Ubuntu 16.04, 18.04, and 20.04 LTS (x64)

-* CentOS Linux 7 and 8 (x64)

-* SUSE Linux Enterprise Server (SLES) 12 and 15 (x64)

-* Red Hat Enterprise Linux (RHEL) 7 and 8 (x64)

-* Amazon Linux 2 (x64)

-* Oracle Linux 7 and 8 (x64)

-The following tables provides coverage information for Azure Maps routing.

-## Americas

-| Country/Region | Calculate Route & Reachable Range | Real-time Traffic | Truck Route |

-## Asia Pacific

-| Country/Region | Calculate Route & Reachable Range | Real-time Traffic | Truck Route |

-## Europe

-| Country/Region | Calculate Route & Reachable Range | Real-time Traffic | Truck Route |

-## Middle East & Africa

-| Country/Region | Calculate Route & Reachable Range | Real-time Traffic | Truck Route |

-The Azure Monitor agent replaces the [legacy agents for Azure Monitor](agents-overview.md). To start transitioning your VMs off the current agents to the new agent, consider the following factors:

-

- Assess whether your environment is supported by the Azure Monitor agent. If not, you might need to stay with the current agent. If the Azure Monitor agent supports your current environment, consider transitioning to it.

- Most new capabilities in Azure Monitor will be made available only with the Azure Monitor agent. Over time, more functionality will be available only in the new agent. Consider whether the Azure Monitor agent has the features you require and if there are some features that you can temporarily do without to get other important features in the new agent.

- If the Azure Monitor agent has all the core capabilities you require, consider transitioning to it. If there are critical features that you require, continue with the current agent until the Azure Monitor agent reaches parity.

-## Coexistence with other agents

-The Azure Monitor agent can coexist with the existing agents so that you can continue to use their existing functionality during evaluation or migration. This capability is important because of the limitations that support existing solutions. Be careful in collecting duplicate data because it could skew query results and generate more charges for data ingestion and retention.

-For example, VM insights uses the Log Analytics agent to send performance data to a Log Analytics workspace. You might also have configured the workspace to collect Windows events and Syslog events from agents. If you install the Azure Monitor agent and create a data collection rule for these same events and performance data, it will result in duplicate data.

-As such, ensure you're not collecting the same data from both agents. If you are, ensure they're going to separate destinations.

-Stateful alerts fire once per incident and resolve. The alert rule resolves when the alert condition isn't met for 30 minutes for a specific evaluation period (to account for log ingestion delay), and for three consecutive evaluations to reduce noise if there is flapping conditions. For example, with a frequency of 5 minutes, the alert resolve after 40 minutes or with a frequency of 1 minute, the alert resolve after 32 minutes. The resolved notification is sent out via web-hooks or email, the status of the alert instance (called monitor state) in Azure portal is also set to resolved.

-* To configure sampling overrides that override the defaulr sampling rate and apply different sampling rates to selected requests and dependencies, use the [sampling override guide](./java-standalone-sampling-overrides.md#getting-started).

-* To configure fixed-rate samping that applies to all of your telemetry, use the [fixed rate sampling guide](./java-standalone-config.md#sampling).

-* Read the Developer Network article [Optimize Telemetry with Application Insights](/archive/msdn-magazine/2017/may/devops-optimize-telemetry-with-application-insights).

-* Read the [Service Level Agreement (SLA)](https://azure.microsoft.com/support/legal/sla/monitor/v1_3/) for Azure Monitor.

-> The daily cap doesn't stop the collection of data types **WindowsEvent**, **SecurityAlert**, **SecurityBaseline**, **SecurityBaselineSummary**, **SecurityDetection**, **SecurityEvent**, **WindowsFirewall**, **MaliciousIPCommunication**, **LinuxAuditLog**, **SysmonEvent**, **ProtectionStatus**, **Update**, and **UpdateSummary**, except for workspaces in which Microsoft Defender for Cloud was installed before June 19, 2017.

-> SQL Managed Instance link feature is now available in all Azure regions.

- DTC_SUPPORT = NONE,

- CLUSTER_TYPE=NONE,

-## Permissions

-You may have noticed that when we describe the PubSub WebSocket clients, a client can publish to other clients only when it's *authorized* to. The `role`s of the client determines the *initial* permissions the client have:

-| Role | Permission |

-|||

-| Not specified | The client can send event requests.

-| `webpubsub.joinLeaveGroup` | The client can join/leave any group.

-| `webpubsub.sendToGroup` | The client can publish messages to any group.

-| `webpubsub.joinLeaveGroup.<group>` | The client can join/leave group `<group>`.

-| `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`.

-The server-side can also grant or revoke permissions of the client dynamically through REST APIs or server SDKs.

-### Join groups

-Format:

-```json

-{

- "type": "joinGroup",

- "group": "<group_name>",

- "ackId" : 1

-}

-```

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-### Leave groups

-Format:

-```json

-{

- "type": "leaveGroup",

- "group": "<group_name>",

- "ackId" : 1

-}

-```

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-### Publish messages

-Format:

-```json

-{

- "type": "sendToGroup",

- "group": "<group_name>",

- "ackId" : 1,

- "noEcho": true|false,

- "dataType" : "json|text|binary",

- "data": {}, // data can be string or valid json token depending on the dataType

-}

-```

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-* `noEcho` is optional. If set to true, this message is not echoed back to the same connection. If not set, the default value is false.

-* `dataType` can be one of `json`, `text`, or `binary`:

- * `json`: `data` can be any type that JSON supports and will be published as what it is; If `dataType` isn't specified, it defaults to `json`.

- * `text`: `data` should be in string format, and the string data will be published;

- * `binary`: `data` should be in base64 format, and the binary data will be published;

-#### Case 1: publish text data:

-```json

-{

- "type": "sendToGroup",

- "group": "<group_name>",

- "dataType" : "text",

- "data": "text data",

- "ackId": 1

-}

-```

-* What subprotocol client in this group `<group_name>` receives:

-```json

-{

- "type": "message",

- "from": "group",

- "group": "<group_name>",

- "dataType" : "text",

- "data" : "text data"

-}

-```

-* What the raw client in this group `<group_name>` receives is string data `text data`.

-#### Case 2: publish JSON data:

-```json

-{

- "type": "sendToGroup",

- "group": "<group_name>",

- "dataType" : "json",

- "data": {

- "hello": "world"

- }

-}

-```

-* What subprotocol client in this group `<group_name>` receives:

-```json

-{

- "type": "message",

- "from": "group",

- "group": "<group_name>",

- "dataType" : "json",

- "data" : {

- "hello": "world"

- }

-}

-```

-* What the raw client in this group `<group_name>` receives is serialized string data `{"hello": "world"}`.

-#### Case 3: publish binary data:

-```json

-{

- "type": "sendToGroup",

- "group": "<group_name>",

- "dataType" : "binary",

- "data": "<base64_binary>",

- "ackId": 1

-}

-```

-* What subprotocol client in this group `<group_name>` receives:

-```json

-{

- "type": "message",

- "from": "group",

- "group": "<group_name>",

- "dataType" : "binary",

- "data" : "<base64_binary>",

-}

-```

-* What the raw client in this group `<group_name>` receives is the **binary** data in the binary frame.

-### Send custom events

-Format:

-```json

-{

- "type": "event",

- "event": "<event_name>",

- "ackId": 1,

- "dataType" : "json|text|binary",

- "data": {}, // data can be string or valid json token depending on the dataType

-}

-```

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-`dataType` can be one of `text`, `binary`, or `json`:

-* `json`: data can be any type json supports and will be published as what it is; If `dataType` is not specified, it defaults to `json`.

-* `text`: data should be in string format, and the string data will be published;

-* `binary`: data should be in base64 format, and the binary data will be published;

-#### Case 1: send event with text data:

-```json

-{

- "type": "event",

- "event": "<event_name>",

- "ackId": 1,

- "dataType" : "text",

- "data": "text data",

-}

-```

-What the upstream event handler receives like below, the `Content-Type` for the CloudEvents HTTP request is `text/plain` for `dataType`=`text`

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: text/plain

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-text data

-```

-#### Case 2: send event with JSON data:

-```json

-{

- "type": "event",

- "event": "<event_name>",

- "ackId": 1,

- "dataType" : "json",

- "data": {

- "hello": "world"

- },

-}

-```

-What the upstream event handler receives like below, the `Content-Type` for the CloudEvents HTTP request is `application/json` for `dataType`=`json`

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: application/json

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-{

- "hello": "world"

-}

-```

-#### Case 3: send event with binary data:

-```json

-{

- "type": "event",

- "event": "<event_name>",

- "ackId": 1,

- "dataType" : "binary",

- "data": "base64_binary",

-}

-```

-What the upstream event handler receives like below, the `Content-Type` for the CloudEvents HTTP request is `application/octet-stream` for `dataType`=`binary`

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: application/octet-stream

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-binary

-```

-The WebSocket frame can be `text` format for text message frames or UTF8 encoded binaries for `binary` message frames.

-Service declines the client if the message does not match the described format.

-## Permissions

-In the earlier description of the PubSub WebSocket client, you might have noticed that a client can publish to other clients only when it's *authorized* to do so. The client's roles determine its *initial* permissions, as listed in the following table:

-| Role | Permission |

-|||

-| Not specified | The client can send event requests. |

-| `webpubsub.joinLeaveGroup` | The client can join or leave any group. |

-| `webpubsub.sendToGroup` | The client can publish messages to any group. |

-| `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |

-| `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |

-| | |

-The server side can also grant or revoke a client's permissions dynamically through REST APIs or server SDKs.

-### Join groups

-Format:

-Set `join_group_message.group` to the group name.

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-### Leave groups

-Format:

-Set `leave_group_message.group` to the group name.

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-### Publish messages

-Format:

-* `ackId` is the identity of each request and should be unique. The service sends a [ack response message](#ack-response) to notify the process result of the request. More details can be found at [AckId and Ack Response](./concept-client-protocols.md#ackid-and-ack-response)

-There's an implicit `dataType`, which can be `protobuf`, `text`, or `binary`, depending on the `data` in `MessageData` you set. The receiver clients can use `dataType` to handle the content correctly.

-* `protobuf`: If you set `send_to_group_message.data.protobuf_data`, the implicit `dataType` is `protobuf`. `protobuf_data` can be of the [Any](https://developers.google.com/protocol-buffers/docs/proto3#any) message type. All other clients receive a protobuf-encoded binary, which can be deserialized by the protobuf SDK. Clients that support only text-based content (for example, `json.webpubsub.azure.v1`) receive a Base64-encoded binary.

-* `text`: If you set `send_to_group_message.data.text_data`, the implicit `dataType` is `text`. `text_data` should be a string. All clients with other protocols receive a UTF-8-encoded string.

-* `binary`: If you set `send_to_group_message.data.binary_data`, the implicit `dataType` is `binary`. `binary_data` should be a byte array. All clients with other protocols receive a raw binary without protobuf encoding. Clients that support only text-based content (for example, `json.webpubsub.azure.v1`) receive a Base64-encoded binary.

-#### Case 1: Publish text data

-Set `send_to_group_message.group` to `group`, and set `send_to_group_message.data.text_data` to `"text data"`.

-* The protobuf subprotocol client in group `group` receives the binary frame and can use [DownstreamMessage](#responses) to deserialize it.

-* The JSON subprotocol client in group `group` receives:

- ```json

- {

- "type": "message",

- "from": "group",

- "group": "group",

- "dataType" : "text",

- "data" : "text data"

- }

- ```

-* The raw client in group `group` receives string `text data`.

-#### Case 2: Publish protobuf data

-Let's assume that you have a customer message:

-```

-message MyMessage {

- int32 value = 1;

-}

-```

-Set `send_to_group_message.group` to `group` and `send_to_group_message.data.protobuf_data` to `Any.pack(MyMessage)` with `value = 1`.

-* The protobuf subprotocol client in group `group` receives the binary frame and can use [DownstreamMessage](#responses) to deserialize it.

-* The subprotocol client in group `group` receives:

- ```json

- {

- "type": "message",

- "from": "group",

- "group": "G",

- "dataType" : "protobuf",

- "data" : "Ci90eXBlLmdvb2dsZWFwaXMuY29tL2F6dXJlLndlYnB1YnN1Yi5UZXN0TWVzc2FnZRICCAE=" // Base64-encoded bytes

- }

- ```

- > [!NOTE]

- > The data is a Base64-encoded, deserializeable protobuf binary.

-You can use the following protobuf definition and use `Any.unpack()` to deserialize it:

-```protobuf

-syntax = "proto3";

-message MyMessage {

- int32 value = 1;

-}

-```

-* The raw client in group `group` receives the binary frame:

- ```

- # Show in hexadecimal

- 0A 2F 74 79 70 65 2E 67 6F 6F 67 6C 65 61 70 69 73 2E 63 6F 6D 2F 61 7A 75 72 65 2E 77 65 62 70 75 62 73 75 62 2E 54 65 73 74 4D 65 73 73 61 67 65 12 02 08 01

- ```

-#### Case 3: Publish binary data

-Set `send_to_group_message.group` to `group`, and set `send_to_group_message.data.binary_data` to `[1, 2, 3]`.

-* The protobuf subprotocol client in group `group` receives the binary frame and can use [DownstreamMessage](#responses) to deserialize it.

-* The JSON subprotocol client in group `group` receives:

- ```json

- {

- "type": "message",

- "from": "group",

- "group": "group",

- "dataType" : "binary",

- "data" : "AQID", // Base64-encoded [1,2,3]

- }

- ```

- Because the JSON subprotocol client supports only text-based messaging, the binary is always Base64-encoded.

-* The raw client in group `group` receives the binary data in the binary frame:

- ```

- # Show in hexadecimal

- 01 02 03

- ```

-### Send custom events

-There's an implicit `dataType`, which can be `protobuf`, `text`, or `binary`, depending on the `dataType` you set. The receiver clients can use `dataType` to handle the content correctly.

-* `protobuf`: If you set `event_message.data.protobuf_data`, the implicit `dataType` is `protobuf`. `protobuf_data` can be any supported protobuf type. The event handler receives the protobuf-encoded binary, which can be deserialized by any protobuf SDK.

-* `text`: If you set `event_message.data.text_data`, the implicit is `text`. `text_data` should be a string. The event handler receives a UTF-8-encoded string;

-* `binary`: If you set `event_message.data.binary_data`, the implicit is `binary`. `binary_data` should be a byte array. The event handler receives the raw binary frame.

-#### Case 1: Send an event with text data

-Set `event_message.data.text_data` to `"text data"`.

-The upstream event handler receives a request that's similar to the following. Note that `Content-Type` for the CloudEvents HTTP request is `text/plain`, where `dataType`=`text`.

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: text/plain

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-text data

-```

-#### Case 2: Send an event with protobuf data

-Assume that you've received the following customer message:

-```

-message MyMessage {

- int32 value = 1;

-}

-```

-Set `event_message.data.protobuf_data` to `any.pack(MyMessage)` with `value = 1`

-The upstream event handler receives a request that's similar to the following. Note that the `Content-Type` for the CloudEvents HTTP request is `application/x-protobuf`, where `dataType`=`protobuf`.

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: application/json

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-// Just show in hexadecimal; read it as binary

-0A 2F 74 79 70 65 2E 67 6F 6F 67 6C 65 61 70 69 73 2E 63 6F 6D 2F 61 7A 75 72 65 2E 77 65 62 70 75 62 73 75 62 2E 54 65 73 74 4D 65 73 73 61 67 65 12 02 08 01

-```

-The data is a valid protobuf binary. You can use the following `proto` and `any.unpack()` to deserialize it:

-```protobuf

-syntax = "proto3";

-message MyMessage {

- int32 value = 1;

-}

-```

-#### Case 3: Send an event with binary data

-Set `send_to_group_message.binary_data` to `[1, 2, 3]`.

-The upstream event handler receives a request similar to the following. For `dataType`=`binary`, the `Content-Type` for the CloudEvents HTTP request is `application/octet-stream`.

-```HTTP

-POST /upstream HTTP/1.1

-Host: xxxxxx

-WebHook-Request-Origin: xxx.webpubsub.azure.com

-Content-Type: application/octet-stream

-Content-Length: nnnn

-ce-specversion: 1.0

-ce-type: azure.webpubsub.user.<event_name>

-ce-source: /client/{connectionId}

-ce-id: {eventId}

-ce-time: 2021-01-01T00:00:00Z

-ce-signature: sha256={connection-id-hash-primary},sha256={connection-id-hash-secondary}

-ce-userId: {userId}

-ce-connectionId: {connectionId}

-ce-hub: {hub_name}

-ce-eventName: <event_name>

-// Just show in hexadecimal; you need to read it as binary

-01 02 03

-```

-The WebSocket frame can be in `text` format for text message frames or UTF-8-encoded binaries for `binary` message frames.

-The service declines the client if the message doesn't match the prescribed format.

-description: Learn about Archive Tier Support for Azure Backup.

-# Overview of Archive Tier in Azure Backup

-## Supported workloads

-| Azure virtual machines | <ul><li>Only monthly and yearly recovery points. Daily and weekly recovery points aren't supported. </li><li>Age >= 3 months in Vault-Standard Tier </li><li>Retention left >= 6 months </li><li>No active daily and weekly dependencies. </li></ul> |

-| SQL Server in Azure virtual machines/ SAP HANA in Azure Virtual Machines | <ul><li>Only full recovery points. Logs and differentials aren't supported. </li><li>Age >= 45 days in Vault-Standard Tier. </li><li>Retention left >= 6 months </li><li>No dependencies </li></ul> |

->- Archive Tier support for SQL Servers in Azure VMs and SAP HANA in Azure VM is now generally available in multiple regions. For the detailed list of supported regions, see the [support matrix](#support-matrix).

->- Archive Tier support for Azure Virtual Machines is also in limited public preview. To sign up for limited public preview, fill [this form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR463S33c54tEiJLEM6Enqb9UNU5CVTlLVFlGUkNXWVlMNlRPM1lJWUxLRy4u).

-## Supported clients

-## How Azure Backup moves recovery points to the vault-archive tier?

-## Archive recommendations (Only for Azure Virtual Machines)

-The recovery points for Azure Virtual Machines are incremental. When you move recovery points to archive tier, they are converted to full recovery points (to ensure that all recovery points in the archive tier are independent and isolated from each other). Thus, overall backup storage (Vault-Standard + Vault-Archive) may increase.

-To resolve this, Azure Backup provides recommendation set. The recommendation set returns a list of recovery points, which if moved together to archive tier ensures cost savings.

-You can view the archive tier pricing from our [pricing page](azure-backup-pricing.md).

-## Support matrix

-| Workloads | Preview | Generally available |

-| | | |

-| SQL Server in Azure Virtual Machines/ SAP HANA in Azure Virtual Machines | None | Australia East, Central India, North Europe, South East Asia, East Asia, Australia South East, Canada Central, Brazil South, Canada East, France Central, France South, Japan East, Japan West, Korea Central, Korea South, South India, UK West, UK South, Central US, East US 2, West US, West US 2, West Central US, East US, South Central US, North Central US, West Europe, US Gov Virginia, US Gov Texas, US Gov Arizona, UAE North, Germany West Central, China East 2, China North 2, Norway East. |

-| Azure Virtual Machines | East US, East US 2, Central US, South Central US, West US, West US 2, West Central US, North Central US, Brazil South, Canada East, Canada Central, West Europe, UK South, UK West, East Asia, Japan East, South India, South East Asia, Australia East, Central India, North Europe, Australia South East, France Central, France South, Japan West, Korea Central, Korea South, UAE North, Germany West Central, Norway East. | None |

-While restoring from recovery point in archive tier in primary region, the recovery point is copied to the Standard tier and is retained according to the rehydration duration, both in primary and secondary region. You can perform Cross region restore from these rehydrated recovery points.

-1. In **Restore configuration** > **Create new** > **Restore Type**, select **Create new virtual machine**.

-description: Learn about using Archive Tier Support for Azure Backup.

-zone_pivot_groups: backup-client-powershelltier-clitier-portaltier

-# Use Archive Tier support

-This article provides the procedure to backup of long-term retention points in the archive tier, and snapshots and the Standard tier using PowerShell.

-| Azure Virtual Machines (Preview) <br><br> SQL Server in Azure Virtual Machines | <ul><li>View Archivable Recovery Points </li><li>View Recommended Recovery Points (Only for Virtual Machines) </li><li>Move Archivable Recovery Points </li><li>Move Recommended Recovery Points (Only for Azure Virtual Machines) </li><li>View Archived Recovery points </li><li>Restore from archived recovery points </li></ul> |

->- Cost savings are ensured only when you move all recovery points contained in the recommendation set to the vault-archive tier.

-2. Temporarily store it in the vault-standard tier for a duration (also known as the rehydration duration) ranging from a period of 10 to 30 days. The default is 15 days. There are two different priorities of rehydration ΓÇô Standard and High priority. Learn more about [rehydration priority](../storage/blobs/archive-rehydrate-overview.md#rehydration-priority).

-For more information about the various restore methods for Azure virtual machines, see [Restore an Azure VM with PowerShell](backup-azure-vms-automation.md#restore-an-azure-vm).

-## Move recovery points to archive tier at scale

-This article provides the procedure to backup of long-term retention points in the archive tier, and snapshots and the Standard tier using command-line interface (CLI).

-| Azure Virtual Machines (Preview) <br><br> SQL Server in Azure Virtual Machines <br><br> SAP HANA in Azure Virtual Machines | <ul><li> View Archivable Recovery Points </li><li>View Recommended Recovery Points (Only for Virtual Machines) </li><li>Move Archivable Recovery Points </li><li>Move Recommended Recovery Points (Only for Azure Virtual Machines) </li><li>View Archived Recovery points </li><li>Restore from archived recovery points </li></ul> |

-You can move the archivable recovery points to the vault-archive tier using the following commands. [Learn more](archive-tier-support.md#supported-workloads) about the eligibility criteria.

->- You can ensure cost savings only when all the recovery points contained in the recommendation set is moved to the vault-archive tier.

-You can move archivable recovery points to the vault-archive tier using the following commands. The name parameter in the command should contain the name of an archivable recovery point.

-This article provides the procedure to backup of long-term retention points in the archive tier, and snapshots and the Standard tier using Azure portal.

-## Supported workloads

-| Workloads | Operations |

-| | |

-| Azure Virtual Machine | <ul><li>View Archived Recovery Points </li><li>Restore for Archived Recovery points </li><li>View Archive move and Restore Jobs </li></ul> |

-| SQL Server in Azure Virtual Machine/ <br> SAP HANA in Azure Virtual Machines | <ul><li>View Archived Recovery Points </li><li>Move all archivable recovery to archive </li><li>Restore from Archived recovery points </li><li>View Archive move and Restore jobs</li></ul> |

-## View archived recovery points

-You can now view all the recovery points that have are moved to archive.

-## Move archivable recovery points for a particular SQL/SAP HANA database

-You can now move all recovery points for a particular SQL/SAP HANA database at one go.

-Follow these steps:

-1. Select the backup Item (database in SQL Server or SAP HANA in Azure VM) whose recovery points you want to move to the vault-archive tier.

-2. Select **click here** to view recovery points that are older than 7 days.

- :::image type="content" source="./media/use-archive-tier-support/view-old-recovery-points-inline.png" alt-text="Screenshot showing the process to view recovery points that are older than 7 days." lightbox="./media/use-archive-tier-support/view-old-recovery-points-expanded.png":::

-3. To view all eligible archivable points to be moved to archive, select _Long term retention points can be moved to archive. To move all ΓÇÿeligible recovery pointsΓÇÖ to archive tier, click here_.

- :::image type="content" source="./media/use-archive-tier-support/view-all-eligible-archivable-points-for-move-inline.png" alt-text="Screenshot showing the process to view all eligible archivable points to be moved to archive." lightbox="./media/use-archive-tier-support/view-all-eligible-archivable-points-for-move-expanded.png":::

- All archivable recovery points appear.

- [Learn more](archive-tier-support.md#supported-workloads) about eligibility criteria.

-3. Click **Move Recovery Points to archive** to move all recovery points to the vault-archive tier.

- :::image type="content" source="./media/use-archive-tier-support/move-all-recovery-points-to-vault-inline.png" alt-text="Screenshot showing the option to start the move process of all recovery points to the vault-archive tier." lightbox="./media/use-archive-tier-support/move-all-recovery-points-to-vault-expanded.png":::

- >[!Note]

- >This option moves all the archivable recovery points to vault-archive.

-You can monitor the progress in backup jobs.

-## Restore

-To restore the recovery points that are moved to archive, you need to add the required parameters for rehydration duration and rehydration priority.

-## View jobs

-## View Archive Usage in Vault Dashboard

-You can also view the archive usage in the vault dashboard.

-## Next steps

-Review the [limits](../luis-limits.md#model-boundaries) to understand how many intents you can add to a model.

-LUIS provides the following conversions of a user utterance before prediction"

-This integration uses a different [pricing](luis-limits.md#key-limits) model than the usual Language Understanding pricing tiers.

-See [Key limits](luis-limits.md#key-limits) for information.

-The `appID` is available on the **Settings** page of your LUIS app as well as part of the URL (after `/apps/`) when you're editing that LUIS app. The `subscription-key` is the endpoint key used for querying your app. While you can use your free authoring/starter key while you're learning LUIS, it is important to change the endpoint key to a key that supports your [expected LUIS usage](luis-limits.md#key-limits). The `timezoneOffset` unit is minutes.

-The [authoring key](luis-how-to-azure-subscription.md) is used to author the app. Not used for production-level endpoint queries. For more information, see [Key limits](luis-limits.md#key-limits).

-3. Create a LUIS prediction endpoint resource of kind `LUIS`, named `my-luis-prediction-resource`. Create it in the _existing_ resource group named `my-resource-group` for the `westus` region. If you want higher throughput than the free tier provides, change `F0` to `S0`. [Learn more about pricing tiers and throughput.](luis-limits.md#key-limits)

-For more information on key limits, see [key limits](luis-limits.md#key-limits).

-LUIS has several limit areas. The first is the [model limit](#model-limits), which controls intents, entities, and features in LUIS. The second area is [quota limits](#key-limits) based on key type. A third area of limits is the [keyboard combination](#keyboard-controls) for controlling the LUIS website. A fourth area is the [world region mapping](luis-reference-regions.md) between the LUIS authoring website and the LUIS [endpoint](luis-glossary.md#endpoint) APIs.

-<a name="model-boundaries"></a>

-|Area|Limit|

-|--|:--|

-| [App name][luis-get-started-create-app] | *Default character max |

-| Applications| 500 applications per Azure authoring resource |

-| [Batch testing][batch-testing]| 10 datasets, 1000 utterances per dataset|

-| Explicit list | 50 per application|

-| [Intents][intents]|500 per application: 499 custom intents, and the required _None_ intent.<br>[Dispatch-based](https://aka.ms/dispatch-tool) application has corresponding 500 dispatch sources.|

-| [List entities](concepts/entities.md) | Parent: 50, child: 20,000 items. Canonical name is *default character max. Synonym values have no length restriction. |

-| [machine-learning entities + roles](concepts/entities.md):<br> composite,<br>simple,<br>entity role|A limit of either 100 parent entities or 330 entities, whichever limit the user hits first. A role counts as an entity for the purpose of this limit. An example is a composite with a simple entity, which has 2 roles is: 1 composite + 1 simple + 2 roles = 4 of the 330 entities.<br>Subentities can be nested up to 5 levels, with a maximum of 20 children per level.|

-|Model as a feature| Maximum number of models that can be used as a feature to a specific model to be 10 models. The maximum number of phrase lists used as a feature for a specific model to be 10 phrase lists.|

-| [Preview - Dynamic list entities](./luis-migration-api-v3.md)|2 lists of ~1k per query prediction endpoint request|

-| [Patterns](luis-concept-patterns.md)|500 patterns per application.<br>Maximum length of pattern is 400 characters.<br>3 Pattern.any entities per pattern<br>Maximum of 2 nested optional texts in pattern|

-| [Pattern.any](concepts/entities.md)|100 per application, 3 pattern.any entities per pattern |

-| [Phrase list][phrase-list]|500 phrase lists. 10 global phrase lists due to the model as a feature limit. Non-interchangeable phrase list has max of 5,000 phrases. Interchangeable phrase list has max of 50,000 phrases. Maximum number of total phrases per application of 500,000 phrases.|

-| [Prebuilt entities](./howto-add-prebuilt-models.md) | no limit|

-| [Regular expression entities](concepts/entities.md)|20 entities<br>500 character max. per regular expression entity pattern|

-| [Roles](concepts/entities.md)|300 roles per application. 10 roles per entity|

-| [Utterance][utterances] | 500 characters<br><br>If you have text longer than this character limit, you need to segment the utterance prior to input to LUIS and you will receive individual intent responses per segment. There are obvious breaks you can work with, such as punctuation marks and long pauses in speech.|

-| [Versions](./luis-concept-app-iteration.md)| 100 versions per application |

-*Default character max is 50 characters.

-<a name="intent-and-entity-naming"></a>

-|Objects|Restrictions|

-|--|--|

-|Intent, entity|All intent and entity names must be unique in a version of an app.|

-|ML entity components|All machine-learning entity components (child entities) must be unique, within that entity for components at the same level.|

-|Features | All named features, such as phrase lists, must be unique within a version of an app.|

-|Entity roles|All roles on an entity or entity component must be unique when they are at the same entity level (parent, child, grandchild, etc.).|

-|Object|Exclude characters|

-|--|--|

-|Intent, entity, and role names|`:`<br>`$` <br> `&`|

-|Version name|`\`<br> `/`<br> `:`<br> `?`<br> `&`<br> `=`<br> `*`<br> `+`<br> `(`<br> `)`<br> `%`<br> `@`<br> `$`<br> `~`<br> `!`<br> `#`|

-<a name="key-limits"></a>

-|Authoring resource|Authoring TPS|

-|--|--|

-|F0 - Free tier |1 million/month, 5/second|

-|Query Prediction resource|Query TPS|

-|--|--|

-|F0 - Free tier |10 thousand/month, 5/second|

-|S0 - Standard tier|50/second|

-|Keyboard input | Description |

-|--|--|

-|Control+E|switches between tokens and entities on utterances list|

-[luis-get-started-create-app]: ./luis-get-started-create-app.md

-[batch-testing]: ./luis-interactive-test.md#batch-testing

-[intents]: ./luis-concept-intent.md

-[phrase-list]: ./concepts/patterns-features.md

-[utterances]: ./concepts/utterances.md

-[luis-how-to-manage-versions]: ./luis-how-to-manage-versions.md

-[pricing]: https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/

-[speech-to-intent-pricing]: https://azure.microsoft.com/pricing/details/cognitive-services/language-understanding-intelligent-services/

-> * Authoring your LUIS app is free, as indicated by the F0 tier. Learn [more about pricing tiers](luis-limits.md#key-limits).

-> * Subscription keys are used to access your Cognitive Service API. Do not share your keys. Store them securely, for example, using Azure Key Vault. We also recommend regenerating these keys regularly. Only one key is necessary to make an API call. When regenerating the first key, you can use the second key for continued access to the service.

-description: How to manage settings, create workspace, share workspace, and manage subscription key in Custom Translator.

-#Customer intent: As a Custom Translator user, I want to understand how to manage settings, so that I can create workspace, share workspace, and manage subscription key in Custom Translator.

-Within the Custom Translator settings page, you can share your workspace, modify your Translator subscription key, and delete workspace.

-You need to have a Translator subscription key associated with your workspace to train or deploy models.

->Custom Translator does not support creating workspace for Translator Text API resource (a.k.a. Azure subscription key) that was created inside [Enabled VNET](../../../api-management/api-management-using-with-vnet.md).

- 

- 

-2. **Editor:** An editor in the workspace will be able to add documents, train models, and delete documents and projects. They can add a subscription key, but can't modify who the workspace is shared with, delete the workspace, or change the workspace name.

-2. A subscription to the Translator Text API via the Azure portal. You will need the Translator Text API subscription key to associate with your workspace in Custom Translator. See [how to sign up for the Translator Text API](../translator-how-to-signup.md).

-On subsequent visits to the Custom Translator portal, navigate to the Settings page where you can manage your workspace, create more workspaces, associate your Microsoft Translator Text API subscription key with your workspaces, add co-owners, and change a subscription key.

-In the application's **Program** class, create variable for your subscription key and custom endpoint. For details, *see* [Custom domain name and subscription key](get-started-with-document-translation.md#custom-domain-name-and-subscription-key)

-private static readonly string subscriptionKey = "<your subscription key>";

- DocumentTranslationClient client = new DocumentTranslationClient(new Uri(endpoint), new AzureKeyCredential(subscriptionKey));

-Create variables for your resource subscription key, custom endpoint, sourceUrl, and targetUrl. For

-more information, *see* [Custom domain name and subscription key](get-started-with-document-translation.md#custom-domain-name-and-subscription-key)

- subscriptionKey = "<your-subscription-key>"

-client = DocumentTranslationClient(endpoint, AzureKeyCredential(subscriptionKey))

-> * Generally, when you create a Cognitive Service resource in the Azure portal, you have the option to create a multi-service subscription key or a single-service subscription key. However, Document Translation is currently supported in the Translator (single-service) resource only, and is **not** included in the Cognitive Services (multi-service) resource.

-## Custom domain name and subscription key

-### Get your subscription key

-1. Copy and paste your subscription key in a convenient location, such as *Microsoft Notepad*.

-|Ocp-Apim-Subscription-Key|**Required**: The value is the Azure subscription key for your Translator or Cognitive Services resource.|

-* Set your endpoint, subscription key, and container URL values in Program.cs.

-* Set your endpoint, subscription key, and container URL values.

-* Set your endpoint, subscription key, and container URL values.

-* Create a Java file in the **java** directory and copy/paste the code from the provided sample. Don't forget to add your subscription key and endpoint.

-* Set your endpoint, subscription key, and container URL values.

->> * `subscriptionKey`

- private static readonly string subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

-let subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>';

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>'

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

- String subscriptionKey = "'<YOUR-SUBSCRIPTION-KEY>'";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-subscriptionKey := "<YOUR-SUBSCRIPTION-KEY>"

-req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static readonly string subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

-let subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>';

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- String subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- url).method("GET", null).addHeader("Ocp-Apim-Subscription-Key", subscriptionKey).build();

-subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>'

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- subscriptionKey := "<YOUR-SUBSCRIPTION-KEY>"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static readonly string subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

-let subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>';

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- String subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- url).method("GET", null).addHeader("Ocp-Apim-Subscription-Key", subscriptionKey).build();

-subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>'

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- subscriptionKey := "<YOUR-SUBSCRIPTION-KEY>"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static readonly string subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

-let subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>';

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- String subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- url).method("GET", null).addHeader("Ocp-Apim-Subscription-Key", subscriptionKey).build();

-subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>'

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- subscriptionKey := "<YOUR-SUBSCRIPTION-KEY>"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static readonly string subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

-let subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>';

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- String subscriptionKey = "<YOUR-SUBSCRIPTION-KEY>";

- url).method("DELETE", null).addHeader("Ocp-Apim-Subscription-Key", subscriptionKey).build();

-subscriptionKey = '<YOUR-SUBSCRIPTION-KEY>'

- 'Ocp-Apim-Subscription-Key': subscriptionKey

- subscriptionKey := "<YOUR-SUBSCRIPTION-KEY>"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

-| 401 | Unauthorized | The request isn't authorized. Check to make sure your subscription key or token is valid and in the correct region. When managing your subscription on the Azure portal, make sure you're using the **Translator** single-service resource _not_ the **Cognitive Services** multi-service resource.

-|Ocp-Apim-Subscription-Key|**Required**: The value is the Azure subscription key for your Translator or Cognitive Services resource.|

-* Set the subscription key and endpoint values in Program.cs.

-* Replace the `subscriptionKey` value with an access key valid for your subscription.

-* Create a Java file and copy in the code from the provided sample. Don't forget to add your subscription key.

-* Set your subscription key.

-* Set your subscription key.

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

- private static readonly string subscriptionKey = "YOUR-SUBSCRIPTION-KEY";

- request.Headers.Add("Ocp-Apim-Subscription-Key", subscriptionKey);

- subscriptionKey := "YOUR-SUBSCRIPTION-KEY"

- req.Header.Add("Ocp-Apim-Subscription-Key", subscriptionKey)

- private static String subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- .addHeader("Ocp-Apim-Subscription-Key", subscriptionKey)

-var subscriptionKey = "YOUR_SUBSCRIPTION_KEY";

- 'Ocp-Apim-Subscription-Key': subscriptionKey,

-# Add your subscription key and endpoint

-subscription_key = "YOUR_SUBSCRIPTION_KEY"

- 'Ocp-Apim-Subscription-Key': subscription_key,

-| 401 | Unauthorized | The request is not authorized. Check to make sure your subscription key or token is valid and in the correct region. *See also* [Authentication](reference/v3-0-reference.md#authentication).|

-Subscribe to Translator or [Cognitive Services multi-service](https://azure.microsoft.com/pricing/details/cognitive-services/) in Azure Cognitive Services, and use your subscription key (available in the Azure portal) to authenticate.

-Region is required for the multi-service Text API subscription. The region you select is the only region that you can use for text translation when using the multi-service subscription key, and must be the same region you selected when you signed up for your multi-service subscription through the Azure portal.

-curl -X POST "https://api.cognitive.microsofttranslator.us/translate?api-version=3.0?&from=en&to=zh-Hans" -H "Ocp-Apim-Subscription-Key: <subscription key>" -H "Ocp-Apim-Subscription-Region: chinanorth" -H "Content-Type: application/json; charset=UTF-8" -d "[{'Text':'你好, 你叫什么名字？'}]"

-description: This article will show you how to create an Azure Cognitive Services Translator resource and get a subscription key and endpoint URL.

-In this article, you'll learn how to create a Translator resource in the Azure portal. [Azure Translator](translator-overview.md) is a cloud-based machine translation service that is part of the [Azure Cognitive Services](../what-are-cognitive-services.md) family of REST APIs. Azure resources are instances of services that you create. All API requests to Azure services require an **endpoint** URL and a read-only **subscription key** for authenticating access.

-1. Copy and paste your subscription keys and endpoint URL in a convenient location, such as *Microsoft Notepad*.

-[Build schema](./train-model.md)

-In the **view model details** page, you'll be able to see all your models, with their current training status, and the date they were last trained.

-Microsoft will indicate to you via the Azure Communication Services API that recording or transcription has commenced and you must communicate this fact in real time to your users within your application's user interface. You agree to indemnify Microsoft for all costs and damages incurred as a result of your failure to comply with this obligation.

-## Confidential Containers demo

-For a sample application, see the [healthcare demo with confidential containers](https://github.com/Azure-Samples/confidential-container-samples/blob/main/confidential-healthcare-scone-confinf-onnx/README.md).

-> [!VIDEO https://www.youtube.com/embed/PiYCQmOh0EI]

-* Ensure Actions is enabled for your repository. Navigate to your forked repository and select **Settings** > **Actions**. In **Actions permissions**, ensure that **Enable local and third party Actions for this repository** is selected.

-groupId=$(az group show \

-registryId=$(az acr show \

-1. In the GitHub UI, navigate to your forked repository and select **Settings** > **Secrets**.

-1. Select **Add a new secret** to add the following secrets:

-1. In the GitHub UI, select **Actions** > **New workflow**.

-1. Select **Set up a workflow yourself**.

-curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true -s

-| Japan East | 2 | 8 | 4 | 16 | 50 | N/A | Y |

-[az-region-support]: ../availability-zones/az-overview.md#regions

-az container create --resource-group myResourceGroup --name aci-tutorial-app --image <acrLoginServer>/aci-tutorial-app:v1 --cpu 1 --memory 1 --registry-login-server <acrLoginServer> --registry-username <service-principal-ID> --registry-password <service-principal-password> --dns-name-label <aciDnsLabel> --ports 80

-|Pricing:|Free|

-**To enable Defender for Storage for individual storage accounts under a specific subscription**:

-1. Navigate to **Microsoft Defender fo Cloud** > **Environment settings**.

-1. (Optional) Select **Select types** to and enable specific resource types.

- :::image type="content" source="media/quickstart-enable-database-protections/resource-type.png" alt-text="Screenshot showing the types of resources available.":::

-| [Deprecating Microsoft Defender for IoT device recommendations](#deprecating-microsoft-defender-for-iot-device-recommendations)| March 2022 |

-| [Deprecating Microsoft Defender for IoT device alerts](#deprecating-microsoft-defender-for-iot-device-alerts) | March 2022 |

-### Deprecating Microsoft Defender for IoT device recommendations

-**Estimated date for change:** March 2022

-Microsoft Defender for IoT device recommendations will no longer be visible in Microsoft Defender for Cloud. These recommendations will still be available on Microsoft Defender for IoT's Recommendations page, and in Microsoft Sentinel.

-The following recommendations will be deprecated:

-| Assessment key | Recommendations |

-|--|--|

-| 1a36f14a-8bd8-45f5-abe5-eef88d76ab5b: IoT Devices | Open Ports On Device |

-| ba975338-f956-41e7-a9f2-7614832d382d: IoT Devices | Permissive firewall rule in the input chain was found |

-| beb62be3-5e78-49bd-ac5f-099250ef3c7c: IoT Devices | Permissive firewall policy in one of the chains was found |

-| d5a8d84a-9ad0-42e2-80e0-d38e3d46028a: IoT Devices | Permissive firewall rule in the output chain was found |

-| 5f65e47f-7a00-4bf3-acae-90ee441ee876: IoT Devices | Operating system baseline validation failure |

-|a9a59ebb-5d6f-42f5-92a1-036fd0fd1879: IoT Devices | Agent sending underutilized messages |

-| 2acc27c6-5fdb-405e-9080-cb66b850c8f5: IoT Devices | TLS cipher suite upgrade needed |

-|d74d2738-2485-4103-9919-69c7e63776ec: IoT Devices | Auditd process stopped sending events |

-### Deprecating Microsoft Defender for IoT device alerts

-**Estimated date for change:** March 2022

-All Microsoft Defender for IoT device alerts will no longer be visible in Microsoft Defender for Cloud. These alerts will still be available on Microsoft Defender for IoT's Alert page, and in Microsoft Sentinel.

-For **cloud-connected sensors**, information that the sensor detects is displayed in the sensor console. Alert information is delivered through an IoT hub and can be shared with other Azure services, such as Microsoft Sentinel.

-Defender for IoT routes all traffic from all European regions to the West Europe regional datacenter. It routes traffic from all remaining regions to the Central US regional datacenter. Review [IoT Hub supported regions](https://azure.microsoft.com/global-infrastructure/services/?products=iot-hub).

-**Clarify which sensors and management console appliances are required to handle the network load**

-We recommend that you calculate the approximate number of devices that will be monitored. Later, when you register your Azure subscription to the portal, you'll be asked to enter this number. Numbers can be added in intervals of 1,000,for example 1000, 2000, 3000. The numbers of monitored devices are called *committed devices*.

-## Onboard a sensor ##

- - **Cloud connected sensors**: Information that sensors detect is displayed in the sensor console. In addition, alert information is delivered through an IoT hub and can be shared with other Azure services, such as Microsoft Sentinel. You can also choose to automatically push threat intelligence packages from Defender for IoT to your sensors. For more information, see [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md).

-1. Select a site to associate your sensor to within an IoT Hub. The IoT Hub will serve as a gateway between this sensor and Microsoft Defender for IoT. Define the display name, and zone. You can also add descriptive tags. The display name, zone, and tags are descriptive entries on the [Sites and Sensors page](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors).

-| **Cloud connected mode** | Information that the sensor detects is displayed in the sensor console. Alert information is also delivered through the IoT hub and can be shared with other Azure services, such as Microsoft Sentinel. You can also enable automatic threat intelligence updates. |

-description: Learn how to configure Microsoft Defender for IoT to communicate with a sensor through a proxy with no direct internet access.

-# Connect Microsoft Defender for IoT sensors without direct internet access by using a proxy

-This article describes how to configure Microsoft Defender for IoT to communicate with a sensor through a proxy with no direct internet access. Connect the sensor with a forwarding proxy that has HTTP tunneling, and uses the HTTP CONNECT command for connectivity. The instructions here are given uses the open-source Squid proxy, any other proxy that supports CONNECT can be used.

-The proxy uses an encrypted SSL tunnel to transfer data from the sensors to the service. The proxy doesn't inspect, analyze, or cache any data.

-| Parameter | Description |

-| Name | The name of the device as the sensor discovered it, or as entered by the user. |

-| Type | The type of device as determined by the sensor, or as entered by the user. |

-| Vendor | The name of the device's vendor, as defined in the MAC address. |

-| Operating System | The OS of the device, if detected. |

-| Firmware version | The device's firmware, if detected. |

-| IP Address | The IP address of the device. |

-| VLAN | The VLAN of the device. For details about instructing the sensor to discover VLANs, see [Define VLAN names](how-to-manage-the-on-premises-management-console.md#define-vlan-names).(how-to-define-management-console-network-settings.md#define-vlan-names). |

-| MAC Address | The MAC address of the device. |

-| Protocols | The protocols that the device uses. |

-| Unacknowledged Alerts | The number of unacknowledged alerts associated with this device. |

-| Is Authorized | The authorization status defined by the user:<br />- **True**: The device has been authorized.<br />- **False**: The device hasn't been authorized. |

-| Is Known as Scanner | Defined as a network scanning device by the user. |

-| Is Programming device | Defined as an authorized programming device by the user. <br />- **True**: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations. <br />- **False**: The device isn't a programming device. |

-| Groups | The groups that this device participates in. |

-| Last Activity | The last activity that the device performed. |

-| Discovered | When this device was first seen in the network. |

-| PLC mode (preview) | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. If both states are the same, only one state is presented. |

-## Device inventory overview

-The Device inventory gives you an overview of all devices within your environment. Here you can see the individual details of each device and filter, and order your search by various options.

-The following table describes the different device properties in the device inventory.

-| Parameter | Description | Default value |

-|--|--|--|

-| **Application** | The application the exists on the device. | - |

-| **Class** | The class of the device. | IoT |

-| **Data source** | The source of the data, such as Micro Agent, OtSensor, and Mde. | MicroAgent |

-| **Description** | The description of the device. | - |

-| **Firmware vendor** | The vendor of the device's firmware. | - |

-| **Firmware version** | The version of the firmware. | - |

-| **First seen** | The date, and time the device was first seen. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | - |

-| **Importance** | The level of importance of the device. | - |

-| **IPv4 Address** | The IPv4 address of the device. | - |

-| **IPv6 Address** | The IPv6 address of the device. | - |

-| **Last activity** | The date, and time the device last sent an event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | - |

-| **Last update time** | The date, and time the device last sent a system information event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | - |

-| **Location** | The physical location of the device. | - |

-| **MAC Address** | The MAC address of the device. | - |

-| **Model** | The device's model. | - |

-| **Name** | The name of the device as the sensor discovered it, or as entered by the user. | - |

-| **OS architecture** | The architecture of the operating system. | - |

-| **OS distribution** | The distribution of the operating system, such as Android, Linux, and Haiku. | - |

-| **OS platform** | The OS of the device, if detected. | - |

-| **OS version** | The version of the operating system, such as Windows 10 and Ubuntu 20.04.1. | - |

-| **PLC mode** | The PLC operating mode which includes the Key state (physical, or logical), and the Run state (logical). Possible Key states include, `Run`, `Program`, `Remote`, `Stop`, `Invalid`, and `Programming Disabled`. Possible Run states are `Run`, `Program`, `Stop`, `Paused`, `Exception`, `Halted`, `Trapped`, `Idle`, or `Offline`. If both states are the same, then only one state is presented. | - |

-| **PLC secured** | Determines if the PLC mode is in a secure state. A possible secure state is `Run`. A possible unsecured state cab be either `Program`, or `Remote`. | - |

-| **Programming time** | The last time the device was programmed. | - |

-| **Protocols** | The protocols that the device uses. | - |

-| **Purdue level** | The Purdue level in which the device exists. | - |

-| **Scanner** | Whether the device performs scanning-like activities in the network. | - |

-| **Sensor** | The sensor the device is connected to. | - |

-| **Site** | The site that contains this device. | - |

-| **Slots** | The number of slots the device has. | - |

-| **Subtype** | The subtype of the device, such as speaker and smart tv. | Managed Device |

-| **Type** | The type of device, such as communication, and industrial. | Miscellaneous |

-| **Vendor** | The name of the device's vendor, as defined in the MAC address. | - |

-| **VLAN** | The VLAN of the device. | - |

-| **Zone** | The zone that contains this device. | - |

-**To view the device inventory**:

-For a list of filters that can be applied to the device inventory table, see the [Device inventory overview](#device-inventory-overview).

-Multiple filters can be applied at one time. The filters are not saved when you leave the Device inventory page.

-## How to identify devices that have not recently communicated with the Azure cloud

-If you are under the impression that certain devices are not actively communicating, there is a way to check, and see which devices have not communicated in a specified time period.

-1. Select the :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/edit-columns-icon.png" border="false"::: button.

-1. Add a column by selecting the :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/add-column-icon.png" border="false"::: button.

-1. Select **Last Activity**.

-1. Select **Save**

-1. Select the :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/add-filter-icon.png" border="false"::: to add a filter on the last activity column.

-## See next

-Sensors that are cloud connected are associated with the Defender for IoT hub. These sensors are not limited by time periods for the activation file. The activation file for cloud-connected sensors is used to ensure connection to the Defender for IoT hub.

- :::image type="content" source="media/how-to-manage-individual-sensors/edit-network-configuration-screen.png" alt-text="Configure your network settings.":::

-| HTTPS | TCP | Out | 443 | Access to Azure portal | Sensor | `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net` |

-

-This article lists new features and feature enhancements for Defender for IoT in February 2022.

-| 10.0 | 01/2021 | 10/2021 |

-| 10.3 | 04/2021 | 01/2022 |

-With this version, users are only required to install sensors and connect to Defender for IoT on the Azure portal. Defender for IoT no longer requires you to install, pay for, or manage an IoT Hub.

-This new connectivity model requires that you open a new firewall rule. For more information, see [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).

-## April 2021

-### Work with automatic threat Intelligence updates (Public Preview)

-New threat intelligence packages can now be automatically pushed to cloud connected sensors as they're released by Microsoft Defender for IoT. This is in addition to downloading threat intelligence packages and then uploading them to sensors.

-Working with automatic updates helps reduce operational efforts and ensure greater security.

-Enable automatic updating by onboarding your cloud connected sensor on the Defender for IoT portal with the **Automatic Threat Intelligence Updates** toggle turned on.

-If you would like to take a more conservative approach to updating your threat intelligence data, you can manually push packages from the Microsoft Defender for IoT portal to cloud connected sensors only when you feel it's required.

-This gives you the ability to control when a package is installed, without the need to download and then upload it to your sensors. Manually push updates to sensors from the Defender for IoT **Sites and Sensors** page.

-You can also review the following information about threat intelligence packages:

-### View cloud connected sensor information (Public Preview)

-View important operational information about cloud connected sensors on the **Sites and Sensors** page.

-### Alert API enhancements

-New fields are available for users working with alert APIs.

-**On-premises management console**

-**Sensor**

-API version 2 is required when working with the new fields.

-### Features delivered as Generally Available (GA)

-The following features were previously available for Public Preview, and are now Generally Available (GA) features:

-## March 2021

-### Sensor - enhanced custom alert rules (Public Preview)

-You can now create custom alert rules based on the day, group of days and time-period network activity was detected. Working with day and time rule conditions is useful, for example in cases where alert severity is derived by the time the alert event takes place. For example, create a custom rule that triggers a high severity alert when network activity is detected on a weekend or in the evening.

-This feature is available on the sensor with the release of version 10.2.

-### On-premises management console - export alerts (Public Preview)

-Alert information can now be exported to a .csv file from the on-premises management console. You can export information of all alerts detected or export information based on the filtered view.

-This feature is available on the on-premises management console with the release of version 10.2.

-### Add second network interface to On-premises management console (Public Preview)

-You can now enhance the security of your deployment by adding a second network interface to your on-premises management console. This feature allows your on-premises management to have its connected sensors on one secure network, while allowing your users to access the on-premises management console through a second separate network interface.

-This feature is available on the on-premises management console with the release of version 10.2.

-## January 2021

-### Security

-Certificate and password recovery enhancements were made for this release.

-#### Certificates

-This version lets you:

-For upgrades:

-For Fresh Installations:

-#### Password recovery

-

-Sensor and on-premises management console Administrative users can now recover passwords from the Microsoft Defender for IoT portal. Previously password recovery required intervention by the support team.

-### Onboarding

-#### On-premises management console - committed devices

-Following initial sign-in to the on-premises management console, users are now required to upload an activation file. The file contains the aggregate number of devices to be monitored on the organizational network. This number is referred to as the number of committed devices.

-Committed devices are defined during the onboarding process on the Microsoft Defender for IoT portal, where the activation file is generated.

-First-time users and users upgrading are required to upload the activation file.

-After initial activation, the number of devices detected on the network might exceed the number of committed devices. This event might happen, for example, if you connect more sensors to the management console. If there's a discrepancy between the number of detected devices and the number of committed devices, a warning appears in the management console. If this event occurs, you should upload a new activation file.

-#### Pricing page options

-Pricing page lets you onboard new subscriptions to Microsoft Defender for IoT and define committed devices in your network.

-Additionally, the Pricing page now lets you manage existing subscriptions associated with a sensor and update device commitment.

-#### View and manage onboarded sensors

-A new Site and Sensors portal page lets you:

-### Usability

-#### Azure Sentinel new connector page

-The Microsoft Defender for IoT data connector page in Azure Sentinel has been redesigned. The data connector is now based on subscriptions rather than IoT Hubs; allowing customers to better manage their configuration connection to Azure Sentinel.

-#### Azure portal permission updates

-Security Reader and Security Administrator support has been added.

-### Other updates

-#### Access group - zone permissions

-The on-premises management console Access Group rules won't include the option to grant access to a specific zone. There's no change in defining rules that use sites, regions, and business units. Following upgrade, Access Groups that contained rules allowing access to specific zones will be modified to allow access to its parent site, including all its zones.

-#### Terminology changes

-The term asset has been renamed device in the sensor and on-premises management console, reports, and other solution interfaces.

-In sensor and on-premises management console Alerts, the term Manage this Event has been named Remediation Steps.

-No, for the agentless version of Microsoft Defender for IoT, you do not need to be an Azure customer. However, if you want to send alerts to Microsoft Sentinel; provision network sensors and monitor their health from the cloud; and benefit from automatic software and threat intelligence updates, you will need to connect the sensor to Azure via Azure IoT Hub.

- * **IoT Hub**: *.azure-devices.net

- - **Cloud-connected sensors**: Information that the sensor detects is displayed in the sensor console. Alert information is delivered through an IoT hub and can be shared with other Azure services, such as Microsoft Sentinel. In addition, threat intelligence packages can be pushed from Defender for IoT to sensors. Conversely when, the sensor is not cloud connected, you must download threat intelligence packages and then upload them to your enterprise sensors. To allow Defender for IoT to push packages to sensors, enable the **Automatic Threat Intelligence Updates** toggle. For more information, see [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md).

- For cloud connected sensors, the name defined during onboarding is the name that appears in the sensor console. You can't change this name from the console directly. For locally managed sensors, the name applied during onboarding will be stored in Azure but can be updated in the sensor console.

-1. Select a site to associate your sensor to within an IoT Hub. The IoT Hub will serve as a gateway between this sensor and Microsoft Defender for IoT. Define the display name, and zone. You can also add descriptive tags. The display name, zone, and tags are descriptive entries on the [View onboarded sensors](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors).

-In the **Create logic apps custom connector** page that follows, select your subscription and resource group, and a name and deployment location for your new connector. Select **Review + create**.

-Doing so will take you to the **Review + create** tab, where you can select **Create** at the bottom to create your resource.

- - **File**: This configuration will be the custom Swagger file you downloaded earlier. Select **Import**, locate the file on your machine (*Azure_Digital_Twins_custom_Swaggers__Logic_Apps_connector_\LogicApps\...\digitaltwins.json*), and select **Open**.

- - **Icon**: Upload an icon that you like.

- - **Icon background color**: Enter hexadecimal code in the format '#xxxxxx' for your color.

- - **Description**: Fill whatever values you want.

- - **Connect via on-premises data gateway**: **Toggled off** (leave default)

- - **Client ID**: The Application (client) ID for the Azure AD app registration you created in [Prerequisites](#prerequisites)

- - **Client secret**: The Client secret from the app registration

- - **Tenant ID**: The Directory (tenant) ID for your Azure AD app registration

- - **Redirect URL**: (leave default for now)

-The Redirect URL field says **Save the custom connector to generate the redirect URL**. Generate it now by selecting **Update connector** across the top of the pane to confirm your connector settings.

-Return to the Redirect URL field and copy the value that has been generated. You'll use it in the next step.

-Now you've entered all the information that is required to create your connector (no need to continue past Security to the Definition step). You can close the **Edit Logic Apps Custom Connector** pane.

->Back on your connector's Overview page where you originally selected **Edit**, note that selecting Edit again will restart the entire process of entering your configuration choices. It will not populate your values from the last time you went through it, so if you want to save an updated configuration with any changed values, you must re-enter all the other values as well to avoid their being overwritten by the defaults.

-Enter the custom connector's redirect URL into the new field, and select the **Save** icon.

-You're now done setting up a custom connector that can access the Azure Digital Twins APIs.

-In the **Logic App** page that follows, enter your subscription and resource group. Under **Instance Details** select a **Consumption** instance type, choose a name for your logic app, and select the deployment location. Choose whether you want to enable or disable log analytics.

-Doing so will take you to the **Review + create** tab, where you can review your details and select **Create** at the bottom to create your resource.

-In the Logic Apps Designer page that follows, change the **Recurrence** Frequency to **Second**, so that the event is triggered every 3 seconds. Selecting this frequency will make it easy to see the results later without having to wait long.

-Doing so will open a Choose an action box. Switch to the **Custom** tab. You should see your custom connector from earlier in the top box.

-Select it to display the list of APIs contained in that connector. Use the search bar or scroll through the list to select **DigitalTwins_Add**. (The **DigitalTwins_Add** action is the API call used in this article, but you could also select any other API as a valid choice for a Logic Apps connection).

-In the new **DigitalTwinsAdd** box, fill the fields as follows:

-* **id**: Fill the *Twin ID* of the digital twin in your instance that you want the Logic App to update.

-* **twin**: This field is where you'll enter the body that the chosen API request requires. For **DigitalTwinsUpdate**, this body is in the form of JSON Patch code. For more about structuring a JSON Patch to update your twin, see the [Update a digital twin](how-to-manage-twin.md#update-a-digital-twin) section of *How-to: Manage digital twins*.

-* **api-version**: The latest API version. Currently, this value is *2020-10-31*.

-Select **Save** in the Logic Apps Designer.

-You can choose other operations by selecting **+ New step** on the same window.

-You can query your twin via your method of choice (such as a [custom client app](tutorial-command-line-app.md), the [Azure Digital Twins Explorer](concepts-azure-digital-twins-explorer.md), the [SDKs and APIs](concepts-apis-sdks.md), or the [CLI](concepts-cli.md)).

-For more about querying your Azure Digital Twins instance, see [Query the twin graph](how-to-query-graph.md).

-If your organization has many subscriptions, you may need a way to efficiently manage access,

-policies, and compliance for those subscriptions. Azure management groups provide a level of scope

-above subscriptions. You organize subscriptions into containers called "management groups" and apply

-your governance conditions to the management groups. All subscriptions within a management group

-automatically inherit the conditions applied to the management group. Management groups give you

-enterprise-grade management at a large scale no matter what type of subscriptions you might have.

-All subscriptions within a single management group must trust the same Azure Active Directory

-virtual machine (VM) creation. This policy would be applied to all management groups,

-subscriptions, and resources under that management group by only allowing VMs to be created in that

-region.

-# Guidelines to develop secure embedded applications with Azure RTOS

-## Introduction

-This article offers guidance on implementing security for IoT devices that run Azure RTOS, and connect to Azure IoT services. Azure RTOS is a real-time operating system for embedded devices. It includes a networking stack and middleware, and helps you securely connect your application to the cloud.

-The security of an IoT application depends on your choice of hardware, and how your application implements and uses security features. We recommend that you use this article as a starting point to understand the main issues for further investigation.

-Microsoft recommends an approach based on the principle of *Zero Trust* when designing IoT devices. We highly recommend reading the [Zero Trust: Cyber security for IoT](https://azure.microsoft.com/mediahandler/files/resourcefiles/zero-trust-cybersecurity-for-the-internet-of-things/Zero%20Trust%20Security%20Whitepaper_4.30_3pm.pdf) whitepaper as a prerequisite to this article. This brief paper outlines several categories that should be considered when implementing security across an IoT ecosystem with an emphasis on device security. The following sections overview the key components for cryptographic security.

- - *Hardware Root of Trust (RoT)* A strong, hardware-based identity. This identity should be immutable and backed by hardware isolation and protection mechanisms.

- - *Password-less authentication* is often achieved using X.509 certificates and asymmetric cryptography, where private keys are secured and isolated in hardware. Password-less authentication should be used both for the device identity often used in onboarding and/or attestation scenarios, and the device's operational identity with other cloud services.

- - *Renewable credentials* The device's operational identity should be secured using renewable, relatively short-lived credentials. X.509 certificates that are backed by a secure PKI with a renewal period appropriate for the device's security posture provide an excellent solution.

-## Embedded security components - cryptography

-Cryptography is a foundation of security in networked devices. However, networking protocols such as TLS rely on cryptography to protect and authenticate information traveling over a network or the public internet. A secure IoT device that connects to a server or cloud service using Transport Layer Security (TLS) or similar protocols requires strong cryptography with protection for keys and secrets that are based in hardware. Most other security mechanisms provided by those protocols are built on cryptographic concepts. Therefore, having proper cryptographic support is the single most critical consideration in developing a secure connected IoT device. The following sections overview the key components for cryptographic security.

-### True random hardware-based entropy source

-Any cryptographic application using TLS or cryptographic operations that require random values for keys or secrets must have an approved random entropy source. Without proper true randomness, statistical methods can be used to derive keys and secrets much faster than brute-force attacks, weakening otherwise strong cryptography. Modern embedded devices should support some form of Cryptographic Random Number Generator (CRNG) or ΓÇ£TrueΓÇ¥ Random Number Generator (TRNG) that can be used to feed the random number generator that is passed into a TLS application.

-Hardware Random Number Generators (HRNG) supply some of the best sources of entropy. HRNGs typically generate values based on statistically random noise signals generated in a physical process rather than from a software algorithm. Many government agencies and standards bodies around the world provide guidelines for random number generators. Some examples are the National Institute of Standards and Technology (NIST) in the US, the National Cypersecurity Agency of France (ANSSI) in France, and the Federal Office for Information Security (BSI) in Germany.

-**Azure RTOS**: Azure RTOS uses random numbers for cryptography and TLS. For more information, see the User Guide for each protocol in the [Azure RTOS NetX Duo documentation](/azure/rtos/netx-duo/overview-netx-duo).

-**Application**: A random number function must be provided by the application developer and linked into the application, including Azure RTOS.

-> The C library function `rand()` does NOT utilize a hardware-based RNG by default. It's critical to assure that a proper random routine is used. The setup will be specific to your hardware platform.

-Real-time capability is primarily needed for checking the expiration date of X.509 certificates. TLS also uses timestamps as part of its session negotiation, and certain applications may require accurate time reporting. There are many options for obtaining accurate time such as a Real-Time Clock (RTC) device, Network Time Protocol (NTP) to obtain time over a network, and a Global Positioning System (GPS), which includes timekeeping.

-> Having an accurate time is nearly as critical as having a TRNG for secure applications that use TLS and X.509.

-Many devices will use a hardware RTC backed by synchronization over a network service or GPS. Devices may also rely solely on an RTC or solely on a network service (or GPS). Regardless of the implementation, measures should be taken to prevent drift, protect hardware components from tampering, and guard against spoofing attacks when using network services or GPS. If an attacker can spoof time, they can induce your device to accept expired certificates.

-**Hardware**: If you implement a hardware RTC and NTP or other network-based solutions are unavailable for synching, the RTC should:

-An invalid time will disrupt all TLS communication, possibly rendering the device unreachable.

-**Azure RTOS**: Azure RTOS TLS uses time data for several security-related functions, but the application developer must provide a function for retrieving time data from the RTC or network. For more information, see the [NetX Secure TLS user guide](/azure/rtos/netx-duo/netx-secure-tls/chapter1).

-**Application**: Depending on the time source used, the application may be required to initialize the functionality so that TLS can properly obtain the time information.

-There are a wide variety of cryptographic routines available today. When you design an application, research the cryptographic routines that you'll need and choose the strongest (largest) keys possible. Look to NIST or other organizations that provide guidance on appropriate cryptography for different applications.

-**Hardware**: If you're using hardware-based cryptography (which is recommended), your choices may be limited. Choose hardware that exceeds your minimum cryptographic and security needs and use the strongest routines and keys available on that platform.

-**Application**: Applications that require cryptographic operations should also use the strongest approved routines possible.

-Cryptography implemented in hardware for acceleration is there to unburden CPU cycles and almost always requires software that applies it to achieve security goals. Timing attacks exploit the duration of a cryptographic operation to derive information about a secret key. When you perform cryptographic operations in constant time, regardless of the key or data properties, hardware cryptographic peripherals prevent this kind of attack. Every platform will likely be different as there's no accepted standard for cryptographic hardware (other than the accepted cryptographic algorithms like AES and RSA).

-> - Some cryptographic accelerators implement only the Electronic Codebook (ECB) mode of the cipher, and it's left to the software developer to implement more secure modes like Galois/Counter Mode (GCM), Counter with CBC-MAC (CCM), or Cipher Block Chaining (CBC). ECB is not semantically secure.

-> - Cryptographic accelerators often leave key protection to the software developer.

-Combining hardware cryptography acceleration that implements secure cipher modes with hardware-based protection for keys provides a higher level of security for cryptographic operations.

-**Hardware**: There are few standards for hardware cryptographic acceleration so each platform will vary in available functionality. For more information, consult with your Micro Controller Unit (MCU) vendor.

-**Azure RTOS**: Azure RTOS provides drivers for select cryptographic hardware platforms. Check your Azure RTOS Cryptography documentation for more information on hardware-based cryptography.

-**Application**: Applications that require cryptographic operations should make use of all hardware-based cryptography that is available.

-## Embedded security components ΓÇô device identity

-In IoT systems, the notion that each endpoint represents a unique physical device challenges some of the assumptions that are built into the modern internet. As a result, a secure IoT device must be able to uniquely identify itself or an attacker could imitate a valid device to steal data, send fraudulent information, or tamper with device functionality. Confirm that each IoT device that connects to a cloud service identifies itself in a way that can't be easily bypassed. The following sections overview the key security components for device identity.

-A unique device identifier (device ID) allows a cloud service to verify the identity of a specific physical device and to verify that the device belongs to a particular group. It's the digital equivalent of a physical serial number, but it must be globally unique and protected. If the device ID is compromised, there's no way to distinguish between the physical device it represents and a fraudulent client.

-In most modern connected devices, the device ID will be tied to cryptography. For example:

-Regardless of implementation, the device ID and any associated cryptographic material must be hardware-protected, for example by using a Hardware Security Module (HSM).

-While the device ID can be used for client authentication with a cloud service or server, it's highly advisable to split the device ID from operational certificates typically used for such purposes. To lessen the attack surface, operational certificates should be relatively short-lived, and the public portion of the device ID shouldn't be widely distributed. Instead, the device ID can be used to sign and/or derive private keys associated with operational certificates.

-> A device ID is tied to a physical device (usually in a cryptographic manner) and provides a root of trust. It can be thought of as a ΓÇ£birth certificateΓÇ¥ for the deviceΓÇô-it represents a unique identity that applies to the entire lifespan of the device. Other forms of IDs such as for attestation or operational identification are designed to be updated periodically-ΓÇôit is equivalent to a driverΓÇÖs license (following the birth certificate analogy)ΓÇôit frequently identifies the owner, and security is maintained by requiring periodic updates or renewals. Just like a birth certificate can be provided to procure a driver's license, the device ID can be used to procure an operational ID. Note that within IoT, both the device ID and operational ID are frequently provided as X.509 certificates, utilizing the associated private keys to cryptographically tie the IDs to the specific hardware.

-**Hardware**: A device ID must be tied to the hardware and must not be easily replicated. You should require hardware-based cryptographic features such as those found in an HSM. Some MCU devices may provide similar functionality.

-**Azure RTOS**: No specific Azure RTOS features use device IDs. However, communication to cloud services via TLS may require an X.509 certificate that is tied to the device ID.

-**Application**: No specific features required for user applications, but a unique device ID may be required for certain applications.

-If your device utilizes a certificate from a Public Key Infrastructure (PKI), your application will need the ability to update those certificates periodically. This is true for both for the device and any trusted certificates used for verifying servers. The more frequent the update, the more secure your application will be.

-**Hardware**: All certificate private keys should be tied to your device. Ideally, the key should be generated internally by the hardware and never exposed to your application. You should mandate the ability to generate X.509 certificate requests on the device.

-**Azure RTOS**: Azure RTOS TLS provides basic X.509 certificate support. Certificate Revocation Lists (CRLs) and policy parsing are supported but require manual management in your application without a supporting Software Development Kit (SDK).

-**Application**: Make use of CRLs or Online Certificate Status Protocol (OCSP) to validate that certificates haven't been revoked by your PKI. Make sure to enforce X.509 policies, including validity periods and expiration dates, as required by your PKI.

-Some devices provide a secret key or value that is uniquely loaded (usually using permanent fuses) into each specific device for the purposes of checking ownership or status of the device. Whenever possible, this hardware-based value should be utilized, though not necessarily directly, as part of any process where the device needs to identify itself to a remote host.

-This should be coupled with a secure boot mechanism to prevent fraudulent use of the secret ID. Depending on the cloud services being used and their PKI, the device ID may be tied to an X.509 certificate. However, whenever possible the attestation device ID should be separate from "operational" certificates used to authenticate a device.

-Device status in attestation scenarios can include information like firmware version, life-cycle state (for example, running vs. debug), component health, or any number of other factors that will help a service determine the device's state. For example, device attestation is often involved in OTA firmware update protocols to ensure that the correct updates are delivered to the intended device.

-> ΓÇ£AttestationΓÇ¥ is distinct from ΓÇ£authenticationΓÇ¥. Attestation uses an external authority to determine whether a device belongs to a particular group using cryptography. ΓÇ£AuthenticationΓÇ¥ uses cryptography to verify that a host (device) owns a private key in a challenge-response process, such as the TLS handshake.

-**Hardware**: The selected hardware must provide functionality to provide a secret unique identifier. This functionality is usually tied into cryptographic hardware like a TPM or HSM and requires a specific API for attestation services.

-**Application**: The user application may be required to implement logic to tie the hardware features to whatever attestation the chosen cloud service(s) requires.

-## Embedded security components ΓÇô memory protection

-Many successful hacking attacks utilize buffer overflow errors to gain access to privileged information or even to execute arbitrary code on a device. Numerous technologies and languages have been created to battle overflow problems, but the fact remains that system-level embedded development requires low-level programming. As a result, most embedded development is done using C or assembly language. These languages lack modern memory protection schemes but allow for less restrictive memory manipulation. Given the lack of built-in protection, the Azure RTOS developer must be vigilant about memory corruption. The following recommendations leverage functionality provided by some MCU platforms and Azure RTOS itself to help mitigate the impact of overflow errors on security. The following sections overview the key security components for memory protection.

-### Protection against reading/writing memory

-An MCU may provide a latching mechanism that enables a tamper-resistant state, either by preventing reading of sensitive data or by locking areas of memory from being overwritten. This may be part of, or in addition to, a Memory Protection Unit (MPU) or a Memory Management Unit (MMU).

-**Azure RTOS**: If the memory protection mechanism is not an MMU or MPU, Azure RTOS doesn't require any specific support. For more advanced memory protection, Azure RTOS ThreadX Modules may be used to provide detailed control over memory spaces for threads and other RTOS control structures.

-**Application**: The application developer may be required to enable memory protection when the device is first booted ΓÇô refer to secure boot documentation. For simple mechanisms (not MMU or MPU), the application may place sensitive data (for example, certificates) into the protected memory region and access it using the hardware platform APIs.

-If your hardware platform has a Memory Management Unit (MMU) or Memory Protection Unit (MPU), then those features can be utilized to isolate the memory spaces used by individual threads or processes. More sophisticated mechanisms also exist, such as TrustZone that provide additional protections above and beyond what a simple MPU can do. This isolation can thwart attackers from using a hijacked thread or process to corrupt or view memory in another thread or process.

-**Azure RTOS**: Azure RTOS allows for ΓÇÿThreadX ModulesΓÇÖ that are built independently/separately and are provided with their own instruction and data area addresses at run-time. Memory protection can then be enabled such that a context switch to a thread in a module will disallow code from accessing memory outside of the assigned area.

-> TLS and Message Queuing Telemetry Transport (MQTT) arenΓÇÖt yet supported from ThreadX Modules.

-**Application**: The application developer may be required to enable memory protection when the device is first booted ΓÇô refer to secure boot and ThreadX Modules documentation. Note: Use of ThreadX Modules may introduce additional memory and CPU overhead.

-Many MCU devices contain an internal ΓÇ£program flashΓÇ¥ where the application firmware is stored. The application code is sometimes run directly from the flash hardware, using the RAM only for data. If the MCU allows execution of code from RAM, look for a way to disable that feature. Many attacks will try to modify the application code in some way, but if the attacker can't execute code from RAM it becomes more difficult to compromise the device. Placing your application in flash makes it more difficult to change because of the nature of flash technology (unlock/erase/write process) and increases the challenge for an attacker. It's not a perfect solution, but, to provide for renewable security, the flash needs to be updatable. A completely read-only code section would be better at preventing attacks on executable code but would prevent updating.

-**Hardware**: Presence of a program flash used for code storage and execution. If running in RAM is required, then consider leveraging an MMU or MPU (if available) to protect from writing to the executable memory space.

-**Application**: Application may need to disable flash writing during secure boot depending on the hardware.

-Avoiding buffer overflow problems is a primary concern for code running on connected devices. Applications written in unmanaged languages like C are particularly susceptible to buffer overflow issues. Safe coding practices can alleviate some of the problem but whenever possible try to incorporate buffer checking into your application. You may be able to make use of built-in features of the selected hardware platform, third-party libraries, tools, and, in some cases, features in the hardware itself that provide a mechanism for detecting or preventing overflow conditions.

-**Hardware**: Some platforms may provide memory checking functionality. Consult with your MCU vendor for more information.

-**Azure RTOS**: No specific Azure RTOS functionality provided.

-### Enable run-time stack checking

-Preventing stack overflow is a primary security concern for any application. Azure RTOS has some stack checking features that should be utilized whenever possible. These features are covered in the Azure RTOS ThreadX User Guide.

-**Hardware**: Some MCU platform vendors may provide hardware-based stack checking. Use any functionality that is available.

-**Application**: Certain compilers such as IAR also have ΓÇ£stack canaryΓÇ¥ support that helps to catch stack overflow conditions. Check your tools to see what options are available and enable them if possible.

-## Embedded security components ΓÇô secure boot and firmware update

- An IoT device, unlike a traditional embedded device, will often be connected over the internet to a cloud service for monitoring and data gathering. As a result, it's nearly certain that the device will be probed in some way, which could lead to an attack if a vulnerability is found. A successful attack may result in the discovery of an unknown vulnerability that further compromises the device and, more importantly, other devices of the same kind. For this reason, it's critical that an IoT device can be updated quickly and easily. This means that the firmware image itself must be verified, because if an attacker can load a compromised image onto a device then that device is lost. The solution is to pair a secure boot mechanism with remote firmware update (also called Over the Air, or OTA, update) capability. Secure boot verifies that a firmware image is valid and trusted, while an OTA update mechanism allows updates to be quickly and securely deployed to the device. The following sections overview the key security components for secure boot and firmware update.

-It is vital that a device can be proven to be running valid firmware upon reset. Secure boot prevents the device from running untrusted or modified firmware images. Secure boot mechanisms are tied to the hardware platform and validate the firmware image against internally protected measurements before loading the application. If validation fails, the device will refuse to boot the corrupted image.

-**Hardware**: MCU vendors may provide their own proprietary secure boot mechanisms as secure boot is tied to the hardware.

-**Azure RTOS**: No specific Azure RTOS functionality is required for secure boot. There are third-party commercial vendors that offer secure boot products.

-**Application**: The application may be affected by secure boot if over-the-air updates are enabled because the application itself may need to be responsible for retrieving and loading new firmware images (OTA update is tied to secure boot). The application will also need to be built with versioning and code-signing to support updates with secure boot.

-An OTA update, sometimes referred to as ΓÇ£firmware updateΓÇ¥, involves updating the firmware image on your device to a new version to add features or fix bugs. OTA update is important for security because any vulnerabilities that are discovered must be patched as soon as possible.

-> OTA updates MUST be tied to secure boot and code signing, or it is impossible to validate that new images arenΓÇÖt compromised.

-**Hardware**: Various implementations for OTA update exist, and some MCU vendors provide OTA update solutions that are tied to their hardware. Some OTA update mechanisms can also utilize extra storage space (for example, flash) for rollback protection and to provide uninterrupted application functionality during update downloads.

-**Application**: Some third-party software solutions for OTA update also exist and may be utilized by an Azure RTOS application. The application will also need to be built with versioning and code-signing to support updates with secure boot.

-Secure boot and OTA update must work together to provide an effective firmware update mechanism. Secure boot must be able to ingest a new firmware image from the OTA mechanism and mark the new version as being trusted. The OTA/Secure boot mechanism must also protect against downgrade attacks. If an attacker can force a rollback to an earlier trusted version that has known vulnerabilities, then the OTA/secure boot fails to provide proper security.

-**Hardware**: No specific hardware functionality required (except as part of secure boot, OTA, or certificate management).

-**Azure RTOS**: No specific Azure RTOS functionality required.

-**Application**: No specific application support required, depends on requirements for OTA, secure boot, and certificate management.

-Make use of any features for signing and verifying code or credential updates. Code signing involves generating a cryptographic hash of the firmware or application image. That hash is used to verify the integrity of the image received by the device, usually using a trusted root X.509 certificate to verify the hash signature. This process is usually tied into secure boot and OTA update mechanisms.

-**Hardware**: No specific hardware functionality required (except as part of OTA update or secure boot). Using hardware-based signature verification is recommended if available.

-**Azure RTOS**: No specific Azure RTOS functionality required

-**Application** : Code signing can be is tied to secure boot and OTA update mechanisms to verify the integrity of downloaded firmware images.

-## Embedded security components ΓÇô protocols

-The following sections overview the key security components for protocols.

-> TLS 1.0 and TLS 1.1 are obsolete protocols and shouldn't be used for new application development. They're disabled by default in Azure RTOS.

-**Azure RTOS**: TLS 1.2 is enabled by default. TLS 1.3 support must be explicitly enabled in Azure RTOS as TLS 1.2 is still the de facto standard.

-**Application**: To use TLS with cloud services, a certificate will be required. The certificate must be managed by the application.

-X.509 certificates are used to authenticate a device to a server and a server to a device. A device certificate is used to prove the identity of a device to a server. Trusted root CA certificates are used by a device to authenticate a server or service to which it connects. The ability to update these certificates is critical as certificates can be compromised and have limited lifespans.

-Using hardware-based X.509 certificates with TLS mutual authentication and a PKI with active monitoring of certificate status provides the highest level of security.

-**Application**: Depending on requirements, the application may have to enforce X.509 policies. CRLs should be enforced to ensure revoked certificates are rejected.

-### Use strongest cryptographic options and cipher suites for TLS

-Use the strongest cryptography and cipher suites available for TLS. Having the ability to update TLS and cryptography is also important because over time certain cipher suites and TLS versions may become compromised or discontinued.

-**Azure RTOS**: Azure RTOS TLS provides hardware drivers for select devices that support cryptography in hardware. For routines not supported in hardware, the [Azure RTOS cryptography library](/azure/rtos/netx/netx-crypto/chapter1) is designed specifically for embedded systems. A FIPS 140-2 certified library that uses the same code base is also available.

-**Application**: Applications using TLS should choose cipher suites that utilize hardware-based cryptography (when available) and the strongest keys available.

-When using X.509 authentication in TLS, opt for mutual certificate authentication. With mutual authentication, both the server and client must provide a verifiable certificate for identification.

-Using hardware-based X.509 certificates with TLS mutual authentication and a PKI with active monitoring of certificate status provides the highest level of security.

-**Azure RTOS**: Azure RTOS TLS provides support for mutual certificate authentication in both TLS Server and Client applications. For more information, see the [Azure RTOS NetX Secure TLS documentation](/azure/rtos/netx-duo/netx-secure-tls/chapter1#netx-secure-unique-features).

-**Application**: Applications using TLS should always default to mutual certificate authentication whenever possible. Mutual authentication requires TLS clients to have a device certificate. Mutual authentication is an optional TLS feature but is highly recommended when possible.

-**Application**: Applications using MQTT should only use TLS-based MQTT with mutual certificate authentication.

-## Embedded security components ΓÇô application design and development

-The following sections overview the key security components for application design and development.

-For development, most MCU devices use a JTAG interface or similar interface to provide information to debuggers or other applications. Leaving a debugging interface enabled on your device gives an attacker an easy door into your application. Make sure to disable all debugging interfaces and remove associated debugging code from your application before deployment.

-**Hardware**: Some devices may have hardware support to disable debugging interfaces permanently or the interface may be able to be removed physically from the device. (Note that removing the interface physically from the device does NOT mean the interface is disabled.) You may need to disable the interface on boot (for example, during a secure boot process), but it should always be disabled in production devices.

-**Application**: If the device doesn't have a feature to permanently disable debugging interfaces, the application may have to disable those interfaces on boot. Disabling debugging interfaces should be done as early as possible in the boot process, preferably during a secure boot before the application is running.

-When available, an IoT device should use a watchdog timer to reset an unresponsive application. Having the watchdog timer reset the device when time runs out will limit the amount of time an attacker may have to execute an exploit. The watchdog can be reinitialized by the application and some basic integrity checks can also be done such as looking for code executing in RAM, checksums on data, identity checks, and so on. If an attacker doesn't account for the watchdog timer reset while trying to compromise the device, then the device would reboot into a (theoretically) clean state. Note that this would require a secure boot mechanism to verify the identity of the application image.

-**Azure RTOS**: No specific Azure RTOS functionality required.

-**Application**: Watchdog timer management--refer to device hardware platform documentation for more information.

-**Azure RTOS**: No specific Azure RTOS requirements but consider logging Azure RTOS API return codes to look for specific problems with lower-level protocols (for example, TLS alert causes, TCP failures) that may indicate problems.

-**Application**: Make use of logging libraries and your cloud service's client SDK to push error logs to the cloud where they can be stored and analyzed safely without using valuable device storage space. Integration with [Microsoft Defender for IoT](https://azure.microsoft.com/services/azure-defender-for-iot/) would provide this functionality and more. Microsoft Defender for IoT provides agent-less monitoring of devices in an IoT solution. Monitoring can be enhanced by including the [Microsoft Defender for IOT micro-agent for Azure RTOS](../defender-for-iot/device-builders/iot-security-azure-rtos.md) on your device. For more information, see the [Runtime security monitoring and threat detection](#runtime-security-monitoring-and-threat-detection) recommendation.

-### Disable unused protocols and features

-RTOS and MCU-based applications will typically have a few dedicated functions. This feature is in sharp contrast to general purpose computing machines running higher-level operating systems, such as Windows and Linux, that enable dozens or hundreds of protocols and features by default. When designing an RTOS MCU application, look closely at what networking protocols are required. Every protocol that is enabled represents a different avenue for attackers to gain a foothold within the device. If you donΓÇÖt need a feature or protocol, donΓÇÖt enable it.

-**Hardware**: No specific hardware requirements, but if the platform allows unused peripherals and ports to be disabled, use that functionality to reduce your attack surface.

-**Azure RTOS**: Azure RTOS has a ΓÇ£disabled by defaultΓÇ¥ philosophy. Only enable protocols and features that are required for your application. Resist the temptation to enable features ΓÇ£just in caseΓÇ¥.

-**Application**: When designing your application, try to reduce the feature set to the bare minimum. Fewer features make an application easier to analyze for security vulnerabilities and reduce your application attack surface.

-### Use all possible complier and linker security features when building your application

-Modern compilers and linkers provide numerous options for additional security at build time. Utilize as many compiler- and linker-based options as possible to improve your application with proven security mitigations. Some options may affect size, performance, or RTOS functionality, so care is required when enabling certain features.

-**Hardware**: No specific hardware requirements but your hardware platform may support security features that can be enabled during the compiling or linking processes.

-**Azure RTOS**: As an RTOS, some compiler-based security features may interfere with the real-time guarantees of Azure RTOS. Consider your RTOS needs when selecting compiler options and test them thoroughly.

-**Application**: If using GCC, the following list of options should be considered. For more information, see the GCC documentation.

-If using other development tools, consult your documentation for appropriate options. In general, the following guidelines should help in building a more secure configuration:

-Some MCU devices permit unaligned memory accesses, but others do not. Consider the properties of your specific device when developing your application.

-**Hardware**: The memory access alignment behavior will be specific to your selected device.

-**Azure RTOS**: For processors that do NOT support unaligned access, ensure that the macro `NX_CRYPTO_DISABLE_UNALIGNED_ACCESS` is defined. Failure to do so will result in possible CPU faults during certain cryptographic operations.

-**Application**: In any memory operation (for example, copy or move) considers the memory alignment behavior of your hardware platform.

-Connected IoT devices may not have the necessary resources to implement all security features locally. However, with connection to the cloud, there are remote security options that can be utilized to improve the security of your application without adding significant overhead to the embedded device.

-**Hardware**: No specific hardware features required (other than a network interface).

-**Application**: The [Microsoft Defender for IOT micro-agent for Azure RTOS](../defender-for-iot/device-builders/iot-security-azure-rtos.md) provides a comprehensive security solution for Azure RTOS devices. The module provides security services via a small software agent that is built into your deviceΓÇÖs firmware and comes as part of Azure RTOS. The service includes detection of malicious network activities, device behavior baselining based on custom alerts, and recommendations that will help to improve the security hygiene of your devices. Whether you're using Azure RTOS in combination with Azure Sphere or not, the Microsoft Defender for IoT micro-agent provides an additional layer of security that is built right into the RTOS by default.

-The previous sections detailed specific design considerations with descriptions of the necessary hardware, operating system, and application requirements to help mitigate security threats. This section provides a basic checklist of security-related issues to consider when designing and implementing IoT applications with Azure RTOS. This shortlist of measures is meant as a complement to, not a replacement for, the more detailed discussion in previous sections. Ultimately, a comprehensive analysis of the physical and cyber security threats posed by the environment your device will be deployed into coupled with careful consideration and rigorous implementation of the measures needed to mitigate those threats must be done to provide the highest possible level of security for your device.

-### Security DOs

- - Supplied examples provide the required cipher suites to be compatible with TLS RFCs, but stronger cipher suites may be more suitable. Cipher suites include multiple ciphers for different TLS operations, so choose carefully. For example, using Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) may be preferable to RSA for key exchange, but the benefits can be lost if the cipher suite also uses RC4 for application data. Make sure every cipher in a cipher suite meets your security needs.

- - Use hardware drivers when applicable. Azure RTOS provides hardware cryptography drivers for select platforms. For more information, see the [NetX Crypto documentation](/azure/rtos/netx/netx-crypto/chapter1).

-### Security DON'Ts

- - Known plaintext attacks, which use known, unencrypted data to derive information about encrypted data.

- Whenever possible, try to use accepted security protocols like TLS when securing your application.

-ARMΓÇÖs Platform Security Architecture provides a standardized framework for building secure embedded devices using ARM TrustZone technology. Microcontroller manufacturers can certify designs with ARMΓÇÖs PSA Certified program giving a level of confidence about the security of applications built on ARM technologies.

-The Common Criteria is an international agreement that provides standardized guidelines and an authorized laboratory program to evaluate products for IT security. Certification provides a level of confidence in the security posture of applications using devices that have been evaluated using the program guidelines.

-The Security Evaluation Standard for IoT Platforms is a standardized methodology for evaluating the security of connected IoT products and components.

-The SMM is a framework for building customized IoT security models, allowing IoT manufacturers to create detailed models to evaluate and measure the security posture of their products.

-ISO 27000 is a collection of standards regarding the management and security of information assets, providing baseline guarantees about the security of digital information in certified products.

-FIPS 140 is a US government program that standardizes cryptographic algorithms and implementations used in US government and military applications. Along with documented standards, certified laboratories provide FIPS certification to guarantee specific cryptographic implementations adhere to regulations.

-* Retry capability implemented on your client code, as described on the [Retry general guidance](/architecture/best-practices/transient-faults) at the Azure Architecture Center

-> We recommend not provisioning on every reboot of the device, as this could cause some issues when reprovisioning several thousands or millions of devices at once. Instead you should attempt to use the [Device Registration Status Lookup](/rest/api/iot-dps/service/runtime-registration/device-registration-status-lookup) API and try to connect with that information to IoT Hub. If that fails, then try to reprovision as the IoT Hub information might have changed. Keep in mind that querying for the registration state will count as a new device registration, so you should consider the [Device registration limit]( about-iot-dps.md#quotas-and-limits). Also consider implementing an appropriate retry logic, such as exponential back-off with randomization, as described on the [Retry general guidance](/architecture/best-practices/transient-faults).

-* Retry capability implemented on your client code, as described on the [Retry general guidance](/architecture/best-practices/transient-faults) at the Azure Architecture Center

-> We recommend not provisioning on every reboot of the device, as this could cause some issues when reprovisioning several thousands or millions of devices at once. Instead you should attempt to use the [Device Registration Status Lookup](/rest/api/iot-dps/service/runtime-registration/device-registration-status-lookup) API and try to connect with that information to IoT Hub. If that fails, then try to reprovision as the IoT Hub information might have changed. Keep in mind that querying for the registration state will count as a new device registration, so you should consider the [Device registration limit]( about-iot-dps.md#quotas-and-limits). Also consider implementing an appropriate retry logic, such as exponential back-off with randomization, as described on the [Retry general guidance](/architecture/best-practices/transient-faults).

-For more information, see the [Storage account operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/vaults/createorupdate) and [Vaults - Update Access Policy](/rest/api/keyvault/keyvault/vaults/update-access-policy).

-For more information on working with secrets, see [Secret operations in the Key Vault REST API reference](/rest/api/keyvault). For information on establishing permissions, see [Vaults - Create or Update](/rest/api/keyvault/vaults/createorupdate) and [Vaults - Update Access Policy](/rest/api/keyvault/vaults/updateaccesspolicy).

-In this section, you create a load balancer that load balances virtual machines. When you create an internal load balancer, a virtual network is configured as the network for the load balancer. The following diagram shows the resources created in this quickstart:

-In this section, you create a load balancer that load balances virtual machines. When you create an internal load balancer, a virtual network is configured as the network for the load balancer. The following diagram shows the resources created in this quickstart:

-Get started with Azure Load Balancer by using the Azure portal to create an internal load balancer and three virtual machines.

-# [**Standard SKU**](#tab/option-1-create-internal-load-balancer-standard)

->[!NOTE]

->Standard SKU load balancer is recommended for production workloads. For more information about SKUs, see **[Azure Load Balancer SKUs](skus.md)**.

-A private IP address in the virtual network is configured as the frontend (named as **LoadBalancerFrontend** by default) for the load balancer.

-The frontend IP address can be **Static** or **Dynamic**.

-## Create the virtual network

-In this section, you'll create a virtual network and subnet.

- | Region | Select **(Europe) West Europe** |

-## Create NAT gateway

-In this section, you'll create a NAT gateway for outbound internet access for resources in the virtual network.

-1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

-2. In **NAT gateways**, select **+ Create**.

-3. In **Create network address translation (NAT) gateway**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | **Project details** | |

- | Subscription | Select your subscription. |

- | Resource group | Select **CreateIntLBQS-rg**. |

- | **Instance details** | |

- | NAT gateway name | Enter **myNATgateway**. |

- | Availability zone | Select **None**. |

- | Idle timeout (minutes) | Enter **15**. |

-4. Select the **Outbound IP** tab or select the **Next: Outbound IP** button at the bottom of the page.

-5. In **Outbound IP**, select **Create a new public IP address** next to **Public IP addresses**.

-6. Enter **myNATgatewayIP** in **Name** in **Add a public IP address**.

-7. Select **OK**.

-8. Select the **Subnet** tab or select the **Next: Subnet** button at the bottom of the page.

-9. In **Virtual network** in the **Subnet** tab, select **myVNet**.

-10. Select **myBackendSubnet** under **Subnet name**.

-11. Select the blue **Review + create** button at the bottom of the page, or select the **Review + create** tab.

-12. Select **Create**.

-## <a name="create-load-balancer-resources"></a> Create load balancer

- | Region | Select **(Europe) West Europe**. |

- | Type | Select **Internal**. |

-5. In **Frontend IP configuration**, select **+ Add a frontend IP**.

-6. Enter **LoadBalancerFrontend** in **Name**.

- | Frontend IP address | Select **LoadBalancerFrontend**. |

- | Backend pool | Select **myBackendPool**. |

- > In this example you created a NAT gateway to provide outbound Internet access. The outbound rules tab in the configuration is bypassed and isn't needed with the NAT gateway. For more information on Azure NAT gateway, see [What is Azure Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md)

-## Create virtual machines

-In this section, you'll create three VMs (**myVM1**, **myVM2** and **myVM3**) in three different zones (**Zone 1**, **Zone 2**, and **Zone 3**).

-These VMs are added to the backend pool of the load balancer that was created earlier.

-1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

-2. In **Virtual machines**, select **+ Create** > **Virtual machine**.

-

-3. In **Create a virtual machine**, enter or select the values in the **Basics** tab:

- | Setting | Value |

- |--|-|

- | **Project Details** | |

- | Subscription | Select your Azure subscription |

- | Resource Group | Select **CreateIntLBQS-rg** |

- | **Instance details** | |

- | Virtual machine name | Enter **myVM1** |

- | Region | Select **(Europe) West Europe** |

- | Availability Options | Select **Availability zones** |

- | Availability zone | Select **1** |

- | Image | Select **Windows Server 2019 Datacenter - Gen1** |

- | Azure Spot instance | Leave the default of unchecked. |

- | Size | Choose VM size or take default setting |

- | **Administrator account** | |

- | Username | Enter a username |

- | Password | Enter a password |

- | Confirm password | Reenter password |

- | **Inbound port rules** | |

- | Public inbound ports | Select **None** |

-4. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

-

-5. In the Networking tab, select or enter:

- |-|-|

- | **Network interface** | |

- | Virtual network | **myVNet** |

- | Subnet | **myBackendSubnet** |

- | Public IP | Select **None**. |

- | NIC network security group | Select **Advanced**|

- | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> Under **Destination port ranges**, enter **80**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

- | **Load balancing** |

- | Place this virtual machine behind an existing load-balancing solution? | Select the box. |

- | **Load balancing settings** |

- | Load-balancing options | Select **Azure load balancing** |

- | Select a load balancer | Select **myLoadBalancer** |

- | Select a backend pool | Select **myBackendPool** |

-

-6. Select **Review + create**.

-

-7. Review the settings, and then select **Create**.

-8. Follow the steps 1 through 7 to create two more VMs with the following values and all the other settings the same as **myVM1**:

- | Setting | VM 2| VM 3|

- | - | -- ||

- | Name | **myVM2** |**myVM3**|

- | Availability zone | **2** |**3**|

- | Network security group | Select the existing **myNSG**| Select the existing **myNSG**|

-# [**Basic SKU**](#tab/option-2-create-load-balancer-basic)

->[!NOTE]

->Standard SKU load balancer is recommended for production workloads. For more information about SKUs, see **[Azure Load Balancer SKUs](skus.md)**.

-## Create the virtual network

-In this section, you'll create a virtual network and subnet.

-1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual Networks** in the search results.

-2. In **Virtual networks**, select **+ Create**.

-3. In **Create virtual network**, enter or select this information in the **Basics** tab:

- | **Setting** | **Value** |

- ||--|

- | **Project Details** | |

- | Subscription | Select your Azure subscription |

- | Resource Group | Select **Create new**. </br> In **Name** enter **CreateIntLBQS-rg**. </br> Select **OK**. |

- | **Instance details** | |

- | Name | Enter **myVNet** |

- | Region | Select **(Europe) West Europe** |

-4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

-5. In the **IP Addresses** tab, enter this information:

- | Setting | Value |

- |--|-|

- | IPv4 address space | Enter **10.1.0.0/16** |

-6. Under **Subnet name**, select the word **default**.

-7. In **Edit subnet**, enter this information:

- | Setting | Value |

- |--|-|

- | Subnet name | Enter **myBackendSubnet** |

- | Subnet address range | Enter **10.1.0.0/27** |

-8. Select **Save**.

-9. Select the **Security** tab.

-10. Under **BastionHost**, select **Enable**. Enter this information:

- | Setting | Value |

- |--|-|

- | Bastion name | Enter **myBastionHost** |

- | AzureBastionSubnet address space | Enter **10.1.1.0/24** |

- | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

-11. Select the **Review + create** tab or select the **Review + create** button.

-12. Select **Create**.

-## Create load balancer

-In this section, you create a load balancer that load balances virtual machines.

-During the creation of the load balancer, you'll configure:

-* Frontend IP address

-* Backend pool

-* Inbound load-balancing rules

-1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

-2. In the **Load balancer** page, select **Create**.

-3. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

- | Setting | Value |

- | | |

- | Subscription | Select your subscription. |

- | Resource group | Select **CreateIntLBQS-rg**. |

- | **Instance details** | |

- | Name | Enter **myLoadBalancer** |

- | Region | Select **(Europe) West Europe**. |

- | Type | Select **Internal**. |

- | SKU | Select **Basic**. |

- :::image type="content" source="./media/quickstart-load-balancer-standard-internal-portal/create-basic-internal-load-balancer.png" alt-text="Screenshot of create standard load balancer basics tab." border="true":::

-4. Select **Next: Frontend IP configuration** at the bottom of the page.

-5. In **Frontend IP configuration**, select **+ Add a frontend IP**.

-6. Enter **LoadBalancerFrontend** in **Name**.

-7. Select **myBackendSubnet** in **Subnet**.

-8. Select **Dynamic** for **Assignment**.

-9. Select **Add**.

-10. Select **Next: Backend pools** at the bottom of the page.

-11. In the **Backend pools** tab, select **+ Add a backend pool**.

-12. Enter **myBackendPool** for **Name** in **Add backend pool**.

-13. Select **Virtual machines** in **Associated to**.

-14. Select **IPv4** or **IPv6** for **IP version**.

-15. Select **Add**.

-16. Select the **Next: Inbound rules** button at the bottom of the page.

-17. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

-18. In **Add load balancing rule**, enter or select the following information:

- | Setting | Value |

- | - | -- |

- | Name | Enter **myHTTPRule** |

- | IP Version | Select **IPv4** or **IPv6** depending on your requirements. |

- | Frontend IP address | Select **LoadBalancerFrontend**. |

- | Protocol | Select **TCP**. |

- | Port | Enter **80**. |

- | Backend port | Enter **80**. |

- | Backend pool | Select **myBackendPool**. |

- | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **HTTP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

- | Session persistence | Select **None**. |

- | Idle timeout (minutes) | Enter or select **15**. |

- | Floating IP | Select **Disabled**. |

-19. Select **Add**.

-20. Select the blue **Review + create** button at the bottom of the page.

-21. Select **Create**.

- > [!NOTE]

- > In this example we created a NAT gateway to provide outbound Internet access. The outbound rules tab in the configuration is bypassed and isn't needed with the NAT gateway. For more information on Azure NAT gateway, see [What is Azure Virtual Network NAT?](../virtual-network/nat-gateway/nat-overview.md)

- > For more information about outbound connections in Azure, see [Source Network Address Translation (SNAT) for outbound connections](../load-balancer/load-balancer-outbound-connections.md)

-In this section, you'll create three VMs (**myVM1**, **myVM2**, and **myVM3**).

-The three VMs will be added to an availability set named **myAvailabilitySet**.

-2. In **Virtual machines**, select **+ Create** > **Virtual machine**.

-3. In **Create a virtual machine**, type or select the values in the **Basics** tab:

- | Region | Select **(Europe) West Europe** |

- | Availability Options | Select **Availability set** |

- | Availability set | Select **Create new**. </br> Enter **myAvailabilitySet** in **Name**. </br> Select **OK** |

- | Image | **Windows Server 2019 Datacenter - Gen1** |

- | **Inbound port rules** | |

- | Public inbound ports | Select **None**. |

- | Virtual network | Select **myVNet** |

- | Subnet | Select **myBackendSubnet** |

- | Public IP | Select **None** |

- | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> Under **Destination port ranges**, enter **80**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

- | Place this virtual machine behind an existing load-balancing solution? | Select the box |

- | **Load balancing settings** | |

- | Load-balancing options | Select **Azure load balancer**. |

- | Select a load balancer | Select **myLoadBalancer**>. |

- | Select a backend pool | Select **myBackendPool**. |

-

-8. Follow the steps 1 through 7 to create two more VMs with the following values and all the other settings the same as **myVM1**:

- | Setting | VM 2 | VM 3 |

- | - | -- ||

- | Name | **myVM2** |**myVM3**|

- | Availability set| Select **myAvailabilitySet** | Select **myAvailabilitySet**|

- | Network security group | Select the existing **myNSG**| Select the existing **myNSG**|

-2. In **Virtual machines**, select **+ Create** > **Virtual machine**.

- |--|-|

- | Region | Select **(Europe) West Europe** |

- | Image | Select **Windows Server 2019 Datacenter** |

-4. Select **Use Bastion**.

-5. Enter the username and password entered during VM creation.

-6. Select **Connect**.

-7. On the server desktop, navigate to **Windows Administrative Tools** > **Windows PowerShell** > **Windows PowerShell**.

-8. In the PowerShell Window, execute the following commands to:

-9. Close the Bastion session with **myVM1**.

-10. Repeat steps 1 through 9 to install IIS and the updated iisstart.htm file on **myVM2** and **myVM3**.

-3. Make note or copy the address next to **Private IP Address** in the **Overview** of **myLoadBalancer**.

-7. Select **Use Bastion**.

-8. Enter the username and password entered during VM creation.

-9. Open **Internet Explorer** on **myTestVM**.

-10. Enter the IP address from the previous step into the address bar of the browser. The custom page displaying one of the backend server names is displayed on the browser.

-* Created an Azure Standard or Basic Internal Load Balancer

-* Attached 3 VMs to the load balancer.

-* Configured the load balancer traffic rule, health probe, and then tested the load balancer.

-The following diagram shows the resources created in this quickstart:

-The following diagram shows the resources created in this quickstart:

-> [!IMPORTANT]

-> If your workspace contains sensitive data we recommend setting the [hbi_workspace flag](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basicfriendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) while creating your workspace. The `hbi_workspace` flag can only be set when a workspace is created. It cannot be changed for an existing workspace.

-The `hbi_workspace` flag controls the amount of [data Microsoft collects for diagnostic purposes](#microsoft-collected-data) and enables [additional encryption in Microsoft-managed environments](../security/fundamentals/encryption-atrest.md). In addition, it enables the following actions:

-* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster provided you have not created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters

-* Cleans up your local scratch disk between runs

-* Securely passes credentials for your storage account, container registry, and SSH account from the execution layer to your compute clusters using your key vault

-When this flag is set to True, one possible impact is increased difficulty troubleshooting issues. This could happen because some telemetry isn't sent to Microsoft and there is less visibility into success rates or problem types, and therefore may not be able to react as proactively when this flag is True.

-> [!TIP]

-> The `hbi_workspace` flag does not impact encryption in transit, only encryption at rest.

-Azure Machine Learning stores snapshots, output, and logs in the Azure Blob storage account that's tied to the Azure Machine Learning workspace and your subscription. All the data stored in Azure Blob storage is encrypted at rest with Microsoft-managed keys.

-To use your own (customer-managed) keys to encrypt the Azure Cosmos DB instance, you can create a dedicated Cosmos DB instance for use with your workspace. We recommend this approach if you want to store your data, such as run history information, outside of the multi-tenant Cosmos DB instance hosted in our Microsoft subscription.

-To enable provisioning a Cosmos DB instance in your subscription with customer-managed keys, perform the following actions:

-* Register the Microsoft.MachineLearning and Microsoft.DocumentDB resource providers in your subscription, if not done already.

-* Use the following parameters when creating the Azure Machine Learning workspace. Both parameters are mandatory and supported in SDK, Azure CLI, REST APIs, and Resource Manager templates.

- * `cmk_keyvault`: This parameter is the resource ID of the key vault in your subscription. This key vault needs to be in the same region and subscription that you will use for the Azure Machine Learning workspace.

- * `resource_cmk_uri`: This parameter is the full resource URI of the customer managed key in your key vault, including the [version information for the key](../key-vault/general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning).

- > [!NOTE]

- > Enabling soft delete and purge protection on the CMK key vault instance is required before creating an encrypted machine learning workspace to protect against accidental data loss in case of vault deletion.

-

- > [!NOTE]

- > This key vault instance can be different than the key vault that is created by Azure Machine Learning when you provision the workspace. If you want to use the same key vault instance for the workspace, pass the same key vault while provisioning the workspace by using the [key_vault parameter](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basicfriendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-).

-If you need to __rotate or revoke__ your key, you can do so at any time. When rotating a key, Cosmos DB will start using the new key (latest version) to encrypt data at rest. When revoking (disabling) a key, Cosmos DB takes care of failing requests. It usually takes an hour for the rotation or revocation to be effective.

-For more information on customer-managed keys with Cosmos DB, see [Configure customer-managed keys for your Azure Cosmos DB account](../cosmos-db/how-to-setup-cmk.md).

- [!INCLUDE [machine-learning-customer-managed-keys.md](../../includes/machine-learning-customer-managed-keys.md)]

-For more information, see [Encryption at rest](concept-data-encryption.md#encryption-at-rest).

-You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription.

-> 1. Authorize the __Machine Learning App__ (in Identity and Access Management) with contributor permissions on your subscription.

-> 1. Follow the steps in [Configure customer-managed keys](../cosmos-db/how-to-setup-cmk.md) to:

-> * Register the Azure Cosmos DB provider

-> * Create and configure an Azure Key Vault

-> * Generate a key

->

-> You do not need to manually create the Azure Cosmos DB instance, one will be created for you during workspace creation. This Azure Cosmos DB instance will be created in a separate resource group using a name based on this pattern: `<your-workspace-resource-name>_<GUID>`.

->

-> You cannot change this setting after workspace creation. If you delete the Azure Cosmos DB used by your workspace, you must also delete the workspace that is using it.

-You can use the asset quick links to navigate to search results for jobs, models, and components that you created.

-If an asset filter (job, model, component) is present, results are scoped to those tabs. Other filters apply to all assets unless an asset filter is also present in the query. Similarly, free text search can be provided alongside filters, but are scoped to the tabs chosen by asset filters, if present.

-You can view your search results in the individual **Jobs**, **Models** and **Components** tabs. Select an asset to open its **Details** page in the context of the relevant workspace. Results from workspaces you don't have permissions to view are not displayed.

-az resource move --destination-group destination-rg --destination-subsctiption-id destination-sub-id --ids "/subscriptions/origin-sub-id/resourceGroups/origin-rg/providers/Microsoft.MachineLearningServices/workspaces/origin-workspace-name"

-* Learn about [resource move](../azure-resource-manager/management/move-resource-group-and-subscription.md)

-| [Adobe-Primetime] | [Primetime Digital Program Insertion Signaling Specification 1.2](https://www.adobe.com/content/dam/acom/en/devnet/primetime/PrimetimeDigitalProgramInsertionSignalingSpecification.pdf) |

-**Performance-based** | Assessments that make recommendations based on collected performance data | The VM size recommendation is based on CPU and RAM-utilization data.<br/><br/> The disk-type recommendation is based on the input/output operations per second (IOPS) and throughput of the on-premises disks. Disk types are Azure Standard HDD, Azure Standard SSD, Azure Premium disks, and Azure Ultra disks.

-**As-is on-premises** | Assessments that don't use performance data to make recommendations | The VM size recommendation is based on the on-premises server size.<br/><br> The recommended disk type is based on the selected storage type for the assessment.

-Calculations are in the preceding order. A server server moves to a later stage only if it passes the previous one. For example, if a server fails the Azure readiness stage, it's marked as unsuitable for Azure. Sizing and cost calculations aren't done for that server.

-**Target location** | The location to which you want to migrate. The assessment currently supports these target Azure regions:<br/><br/> Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, China East, China North, East Asia, East US, East US 2, Germany Central, Germany Northeast, Japan East, Japan West, Korea Central, Korea South, North Central US, North Europe, South Central US, Southeast Asia, South India, UK South, UK West, US Gov Arizona, US Gov Texas, US Gov Virginia, West Central US, West Europe, West India, West US, and West US 2.

-**Target storage disk (as-is sizing)** | The type of disk to use for storage in Azure. <br/><br/> Specify the target storage disk as Premium-managed, Standard SSD-managed, Standard HDD-managed, or Ultra disk.

-**Target storage disk (performance-based sizing)** | Specifies the type of target storage disk as automatic, Premium-managed, Standard HDD-managed, Standard SSD-managed, or Ultra disk.<br/><br/> **Automatic**: The disk recommendation is based on the performance data of the disks, meaning the IOPS and throughput.<br/><br/>**Premium or Standard or Ultra disk**: The assessment recommends a disk SKU within the storage type selected.<br/><br/> If you want a single-instance VM service-level agreement (SLA) of 99.9%, consider using Premium-managed disks. This use ensures that all disks in the assessment are recommended as Premium-managed disks.<br/><br/> If you are looking to run data-intensive workloads that need high throughput, high IOPS, and consistent low latency disk storage, consider using Ultra disks.<br/><br/> Azure Migrate supports only managed disks for migration assessment.

-**Azure Reserved VM Instances** | Specifies [reserved instances](https://azure.microsoft.com/pricing/reserved-vm-instances/) so that cost estimations in the assessment take them into account.<br/><br/> When you select 'Reserved instances', the 'Discount (%)' and 'VM uptime' properties are not applicable.<br/><br/> Azure Migrate currently supports Azure Reserved VM Instances only for pay-as-you-go offers.

-**Sizing criteria** | Used to rightsize the Azure VM.<br/><br/> Use as-is sizing or performance-based sizing.

-**Comfort factor** | The buffer used during assessment. It's applied to the CPU, RAM, disk, and network data for VMs. It accounts for issues like seasonal usage, short performance history, and likely increases in future usage.<br/><br/> For example, a 10-core VM with 20% utilization normally results in a two-core VM. With a comfort factor of 2.0, the result is a four-core VM instead.

-**VM uptime** | The duration in days per month and hours per day for Azure VMs that won't run continuously. Cost estimates are based on that duration.<br/><br/> The default values are 31 days per month and 24 hours per day.

-**EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Leave the settings for reserved instances, discount (%) and VM uptime properties with their default settings.

-**Cores** | Each server must have no more than 128 cores, which is the maximum number an Azure VM supports.<br/><br/> If performance history is available, Azure Migrate considers the utilized cores for comparison. If the assessment settings specify a comfort factor, the number of utilized cores is multiplied by the comfort factor.<br/><br/> If there's no performance history, Azure Migrate uses the allocated cores to apply the comfort factor. | Ready if the number of cores is within the limit

-**RAM** | Each server must have no more than 3,892 GB of RAM, which is the maximum size an Azure M-series Standard_M128m&nbsp;² VM supports. [Learn more](../virtual-machines/sizes.md).<br/><br/> If performance history is available, Azure Migrate considers the utilized RAM for comparison. If a comfort factor is specified, the utilized RAM is multiplied by the comfort factor.<br/><br/> If there's no history, the allocated RAM is used to apply a comfort factor.<br/><br/> | Ready if the amount of RAM is within the limit

-**Storage disk** | The allocated size of a disk must be no more than 64 TB.<br/><br/> The number of disks attached to the server, including the OS disk, must be 65 or fewer. | Ready if the disk size and number are within the limits

-Linux | See the [Linux operating systems](../virtual-machines/linux/endorsed-distros.md) that Azure endorses. Other Linux operating systems might start in Azure. But we recommend that you upgrade the OS to an endorsed version before you migrate to Azure. | Ready for Azure if the version is endorsed.<br/><br/>Conditionally ready if the version isn't endorsed.

- - For Hyper-V servers dynamic memory is enabled

-Unsupported boot type | Azure does not support UEFI boot type for VMs with the Operating Systems: Windows Server 2003/Windows Server 2003 R2/Windows Server 2008/Windows Server 2008 R2. Check list of OS that support UEFI-based machines [here](./common-questions-server-migration.md#which-operating-systems-are-supported-for-migration-of-uefi-based-machines-to-azure)

-One or more unsuitable disks | One or more disks attached to the VM don't meet Azure requirements.<br/><br/> Azure Migrate: Discovery and assessment assesses the disks based on the disk limits for Ultra disks (64 TB).<br/><br/> For each disk attached to the VM, make sure that the size of the disk is <64 TB (supported by Ultra SSD disks).<br/><br/> If it isn't, reduce the disk size before you migrate to Azure, or use multiple disks in Azure and [stripe them together](../virtual-machines/premium-storage-performance.md#disk-striping) to get higher storage limits. Make sure that the performance (IOPS and throughput) needed by each disk is supported by Azure [managed virtual machine disks](../azure-resource-manager/management/azure-subscription-service-limits.md#storage-limits).

-> Geo-redundancy and zone-redundant High Availability to support zone redundancy is current surfaced as a create time operation only.

-## Moving from other backup storage options to geo-redundant backup storage

-Configuring geo-redundant storage for backup is only allowed during server create. Once the server is provisioned, you cannot change the backup storage redundancy option. However you can still move your existing backups storage to geo-redundant storage using the following suggested ways:

-The backup retention period governs how far back in time can a point-in-time restore operation be performed, since its based on backups available. The backup retention period can also be treated as a recovery window from a restore perspective. All backups required to perform a point-in-time restore within the backup retention period are retained in backup storage. For example - if the backup retention period is set to seven days, the recovery window is considered last seven days. In this scenario, all the backups required to restore the server in last seven days are retained. With a backup retention window of seven days, database snapshots and transaction log backups are stored for the last eight days (1 day prior to the window).

-# Point-in-time restore of a Azure Database for MySQL Flexible Server with Azure CLI

-Learn more about [business continuity](concepts-business-continuity.md)

-Azure Red Hat OpenShift includes a pre-configured, pre-installed, and self-updating monitoring stack that is based on the Prometheus open source project and its wider eco-system. It provides monitoring of cluster components and includes a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards. The cluster monitoring stack is only supported for monitoring Azure Red Hat OpenShift clusters. For more information, see [Cluster monitoring for Azure Red Hat OpenShift](https://docs.openshift.com/container-platform/4.6/monitoring/understanding-the-monitoring-stack.html).

-Azure Purview Data Map provides the foundation for data discovery and data governance. It captures metadata about enterprise data present in analytics, software-as-a-service (SaaS), and operation systems in hybrid, on-premises, and multi-cloud environments. Azure Purview Data Map automatically stays up to date with its built-in scanning and classification system. With the UI, developers can further programmatically interact with the Data Map using open-source Apache Atlas APIs.

-## Elastic data map

-All Azure Purview accounts have a Data Map that can elastically grow starting at one capacity unit. They scale up and down based on request load within the elasticity window ([check current limits](how-to-manage-quotas.md)). These limits should cover most data landscapes. However, if you need a higher capacity, [you can create a support ticket](#request-capacity).

-Elastic Data Map comes with operation throughput and storage components that are represented as Capacity Unit (CU). All Azure Purview accounts, by default, come with one capacity unit and elastically grow based on usage. Each Data Map capacity unit includes a throughput of 25 operations/sec and 10 GB of metadata storage limit.

-Operations are the throughput measure of the Azure Purview Data Map. They include the Create, Read, Write, Update, and Delete operations on metadata stored in the Data Map. Some examples of operations are listed below:

-## Request capacity

-If you're working with very large datasets or a massive environment and need higher capacity for your elastic data map, you can request a larger capacity of elasticity window by [creating a support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).

-Select **Service and subscription limits (quota)** and complete the on screen instructions by choosing the Azure Purview account that you'd like to request larger capacity for.

-In the description, provide as much relevant information as you can about your environment and the additional capacity you would like to request.

-Azure Purview is a cloud service for use by data users. You use Azure Purview to centrally manage data governance across your data estate, spanning both cloud and on-prem environments. The service enables business analysts to search for relevant data by using meaningful business terms. To raise the limits up to the maximum for your subscription, contact support.

-

-|Concurrent scans, per account at a given point. The limit is based on the type of data sources scanned*|5 | 10 |

-|[Data Map Capacity unit (CU)](concept-elastic-data-map.md) |1 CU (25 Operations/second throughput and 10 GB metadata storage) | 100 CU (Contact Support for higher CU)|

-|Data Map Operations throughput |25 Operations/second for each Capacity Unit | 2,500 Operations/Sec for 100 CU (Contact Support for more throughput)|

-|Data Map Storage |10 GB for each Capacity Unit | 1000 GB for for 100 CU (Contact Support for more storage) |

-|Data Map elasticity window | 1 - 8 CU (Data Map can auto scale up/down based on throughput within elasticity window) | Contact support to get higher elasticity window |

-*Self-hosted integration runtime scenarios are outside the scope for the limits defined in the above table.

-

-As a rule, the Azure Cognitive Search team publishes new versions only when necessary, since it can involve some effort to upgrade your code to use a new API version. A new version is needed only if some aspect of the API has changed in a way that breaks backward compatibility. Such changes can happen because of fixes to existing features, or because of new features that change existing API surface area.

-Some API versions are no longer supported and will be rejected by a search service:

-In addition, versions of the Azure Cognitive Search .NET SDK older than [**3.0.0-rc**](https://www.nuget.org/packages/Microsoft.Azure.Search/3.0.0-rc) will also be retired since they target one of these REST API versions.

-| [Azure.Search.Documents 11](/dotnet/api/overview/azure/search.documents-readme) | Stable | New client library from the Azure .NET SDK team, initially released July 2020. See the [Change Log](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Search.Documents_11.3.0/sdk/search/Azure.Search.Documents/CHANGELOG.md) for information about minor releases. |

-| [Microsoft.Azure.Search 10](https://www.nuget.org/packages/Microsoft.Azure.Search/) | Stable | Released May 2019. This is the last version of the Microsoft.Azure.Search package. It is succeeded by Azure.Search.Documents. |

-| [Microsoft.Azure.Management.Search 4.0.0](/dotnet/api/overview/azure/search/management) | Stable | Targets the Management REST api-version=2020-08-01. |

-| Microsoft.Azure.Management.Search 3.0.0 | Stable | Targets the Management REST api-version=2015-08-19. |

-| [Java azure-search-documents 11](/java/api/overview/azure/search-documents-readme) | Stable | New client library from Azure Java SDK, released July 2020. Targets the Search REST api-version=2019-05-06. |

-| [Java Management Client 1.35.0](/java/api/overview/azure/search/management) | Stable | Targets the Management REST api-version=2015-08-19. |

-| [JavaScript @azure/search-documents 11.0](/javascript/api/overview/azure/search-documents-readme) | Stable | New client library from Azure JavaScript & TypesScript SDK, released July 2020. Targets the Search REST api-version=2016-09-01. |

-| [JavaScript @azure/arm-search](https://www.npmjs.com/package/@azure/arm-search) | Stable | Targets the Management REST api-version=2015-08-19. |

-| [Python azure-search-documents 11.0](/python/api/azure-search-documents) | Stable | New client library from Azure Python SDK, released July 2020. Targets the Search REST api-version=2019-05-06. |

-| [Python azure-mgmt-search 8.0](https://pypi.org/project/azure-mgmt-search/) | Stable | Targets the Management REST api-version=2015-08-19. |

-Azure Search is renamed to Azure Cognitive Search in version 10, but namespaces and package names are unchanged. Previous versions of the SDK (9.0 and earlier) continue to use the former name. For more information about using the SDK, including examples, see [How to use Azure Cognitive Search from a .NET Application](search-howto-dotnet-sdk.md).

-> [!NOTE]

-> If you're using version 8.0-preview or older, you should upgrade to version 9 first, and then upgrade to version 10. See [Upgrading to the Azure Search .NET SDK version 9](search-dotnet-sdk-migration-version-9.md) for instructions.

->

-> Your search service instance supports several REST API versions, including the latest one. You can continue to use a version when it is no longer the latest one, but we recommend that you migrate your code to use the newest version. When using the REST API, you must specify the API version in every request via the api-version parameter. When using the .NET SDK, the version of the SDK you're using determines the corresponding version of the REST API. If you are using an older SDK, you can continue to run that code with no changes even if the service is upgraded to support a newer API version.

-With [one exception](#WhatsNew), all features from version 10 are implemented in version 11. Key differences include:

-The client library's [Change Log](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/search/Azure.Search.Documents/CHANGELOG.md) has an itemized list of updates.

-+ New features will be added to **Azure.Search.Documents** only. The previous version, Microsoft.Azure.Search, is now a legacy client. Updates to legacy libraries are limited to high priority bug fixes only.

-+ [Quickstarts](search-get-started-dotnet.md), tutorials, and [C# samples](samples-dotnet.md) have been updated to use the Azure.Search.Documents package. We recommend reviewing existing samples and walkthroughs to learn about the new APIs before embarking on a migration exercise.

- Azure](https://azsk.azurewebsites.net/https://docsupdatetracker.net/index.html) is a collection of

-[Secure DevOps Kit for Azure](https://azsk.azurewebsites.net/https://docsupdatetracker.net/index.html) (AzSK) contains SVTs for multiple services of the Azure platform. You run these SVTs periodically to ensure that your Azure subscription and the different resources that comprise your application are in a secure state. You can also automate these tests by using the continuous integration/continuous deployment (CI/CD) extensions feature of AzSK, which makes SVTs available as a Visual Studio extension.

- [  ](media/sap/sap-watchlists.png#lightbox)

- [  ](media/sap/sap-data-connector.png#lightbox)

- [  ](media/sap/sap-logs-in-sentinel.png#lightbox)

-This article describes the SAP logs available from the Microsoft Sentinel SAP data connector, including the table names in Microsoft Sentinel, the log purposes, and detailed log schemas. Schema field descriptions are based on the field descriptions in the relevant [SAP documentation](https://help.sap.com/).

-This article is intended for advanced SAP users.

-The following sections describe the logs that are produced by the SAP data connector agent and ingested into Microsoft Sentinel.

-| Instance | ABAP instance, in the following syntax: `<HOST>_<SYSID>_<SYSNR>` |

-| Field | Description |

-| Field | Description |

-| -- | - |

-| ABAPProgramName | Program name, SAL only |

-| AlertSeverity | Alert severity |

-| AlertSeverityText | Alert severity text, SAL only |

-| AlertValue | Alert value |

-| AuditClassID | Audit class ID, SAL only |

-| ClientID | ABAP client ID (MANDT) |

-| Computer | User machine, SAL only |

-| Email | User email |

-| Host | Host |

-| Instance | ABAP instance, in the following syntax: `<HOST>_<SYSID>_<SYSNR>` |

-| MessageClass | Message class |

-| MessageContainerID | Message container ID, XAL Only |

-| MessageID | Message ID, such as `‘AU1’,’AU2’…` |

-| MessageText | Message text |

-| MonitoringObjectName | MTE Monitor object name, XAL only |

-| MonitorShortName | MTE Monitor short name, XAL only |

-| SAPProcesType | System Log: SAP process type, SAL only |

-| B* - Background Processing | |

-| D* - Dialog Processing | |

-| U* - Update Tasks | |

-| SystemID | System ID |

-| SystemNumber | System number |

-| TerminalIPv6 | User machine IP, SAL only |

-| TransactionCode | Transaction code, SAL only |

-| User | User |

-| Variable1 | Message variable 1 |

-| Variable2 | Message variable 2 |

-| Variable3 | Message variable 3 |

-| Variable4 | Message variable 4 |

-### ABAP SysLog

-| Instance | ABAP instance, in the following syntax: `<HOST>_<SYSID>_<SYSNR> ` |

-| Severity | Message severity, one of the following values: `Debug`, `Info`, `Warning`, `Error` |

-## Tables retrieved directly from SAP systems

-This section lists the data tables that are retrieved directly from the SAP system and ingested into Microsoft Sentinel exactly as they are.

-To have the data from these tables ingested into Microsoft Sentinel, configure the relevant settings in the **systemconfig.ini** file. For more information, see [Configuring User Master data collection](sap-solution-deploy-alternate.md#configuring-user-master-data-collection).

-The data retrieved from these tables provides a clear view of the authorization structure, group membership, and user profiles. It also allows you to track the process of authorization grants and revokes, and identiy and govern the risks associated with those processes.

-The tables listed below are required to enable functions that identify privileged users, map users to roles, groups, and authorizations.

-| Table name | Table description |

-| - | -- |

-| USR01 | User master record (runtime data) |

-| USR02 | Logon data (kernel-side use) |

-| UST04 | User masters<br>Maps users to profiles |

-| AGR_USERS | Assignment of roles to users |

-| AGR_1251 |Authorization data for the activity group |

-| USGRP_USER |Assignment of users to user groups |

-| USR21 | User name/Address key assignment |

-| ADR6 | Email addresses (business address services) |

-| USRSTAMP | Time stamp for all changes to the user |

-| ADCP | Person/Address assignment (business address services) |

-| USR05 | User master parameter ID |

-| AGR_PROF | Profile name for role |

-| AGR_FLAGS | Role attributes |

-| DEVACCESS | Table for development user |

-| AGR_DEFINE | Role definition |

-| AGR_AGRS | Roles in composite roles |

-| PAHI | History of the system, database, and SAP parameters |

-## Functions available from the SAP solution

-This section describes the [functions](../azure-monitor/logs/functions.md) that are available in your workspace after you've deployed the Continuous Threat Monitoring for SAP solution. Find these functions in the Microsoft Sentinel **Logs** page to use in your KQL queries, listed under **Workspace functions**.

-### SAPUsersAssignments

-The **SAPUsersAssignments** function gathers data from multiple SAP data sources and creates a user-centric view of the current user master data, roles, and profiles currently assigned.

- This function summarizes the user assignments to roles and profiles, and returns the following data:

-| Field | Description | Data Source/Notes |

-| - | - | - |

-| User | SAP user ID| SAL only |

-| Email | SMTP address| USR21 (SMTP_ADDR) |

-| UserType | User type| USR02 (USTYP) |

-| Timezone | Time zone| USR02 (TZONE) |

-| LockedStatus | Lock status| USR02 (UFLAG) |

-| LastSeenDate | Last seen date| USR02 (TRDAT) |

-| LastSeenTime | Last seen time| USR02 (LTIME) |

-| UserGroupAuth | User group in user master maintenance| USR02 (CLASS) |

-| Profiles |Set of profiles (default maximum set size = 50)|`["Profile 1", "Profile 2",...,"profile 50"]` |

-| DirectRoles | Set of Directly assigned roles (default max set size = 50) |`["Role 1", "Role 2",...,"ΓÇ¥"Role 50"]` |

-| ChildRoles |Set of indirectly assigned roles (default max set size = 50) |`["Role 1", "Role 2",...,"ΓÇ¥"Role 50"]` |

-| Client | Client ID | |

-| SystemID | System ID | As defined in the connector |

-### SAPUsersGetPrivileged

-The **SAPUsersGetPrivileged** function returns a list of privileged users per client and system ID.

-Users are considered privileged when they are listed in the *SAP - Privileged Users* watchlist, have been assigned to a profile listed in *SAP - Sensitive Profiles* watchlist, or have been added to a role listed in *SAP - Sensitive Roles* watchlist.

-**Parameters:**

- - TimeAgo

- - optional

- - default vaule: 7 days

- - Function will only seek User master data from TimeAgo until now()

-The **SAPUsersGetPrivileged** Microsoft Sentinel Function returns the following data:

-|Field| Description|

-|-|-|

-|User|SAP user ID |

-|Client| Client ID |

-|SystemID| System ID|

-### SAPUsersAuthorizations

-lists user assignments to authorizations, including the following data:

-The **SAPUsersAuthorizations** Microsoft Sentinel Function brings together data from several tables to produce a user-centric view of the current roles and authorizations assigned. Only users with active role and authorization assignments are returned.

-**Parameters:**

- - TimeAgo

- - Optional

- - Default value: 7 days

- - Determines that the function seeks User master data from the time defined by the `TimeAgo` value until the time defined by the `now()` value.

-The **SAPUsersAuthorizations** function returns the following data:

-|Field| Description |Notes|

-|-|-|-|

-|User| SAP user ID||

-|Roles| Set of roles (default max set size = 50)| `["Role 1", "Role 2",...,"Role 50"]`|

-|AuthorizationsDetails| Set of authorizations (default max set size = 100|`{ {AuthorizationsDeatils1}`,<br>`{AuthorizationsDeatils2}`, <br>...,<br>`{AuthorizationsDeatils100}}`|

-|Client| Client ID |

-|SystemID| System ID|

- - You must have **python 2.7** or **3** installed on your log forwarder machine. Use the `python ΓÇôversion` command to check.

-The preceding snippets are all for specifying MoveCost for a whole service at once from outside the service itself. However, move cost is most useful is when the move cost of a specific service object changes over its lifespan. Since the services themselves probably have the best idea of how costly they are to move a given time, there's an API for services to report their own individual move cost during runtime.

-14.04 LTS | [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6), [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094), [9.45](https://support.microsoft.com/topic/update-rollup-58-for-azure-site-recovery-kb5007075-37ba21c3-47d9-4ea9-9130-a7d64f517d5d), [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e) | 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure |

-16.04 LTS | [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094), [9.45](https://support.microsoft.com/topic/update-rollup-58-for-azure-site-recovery-kb5007075-37ba21c3-47d9-4ea9-9130-a7d64f517d5d), [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-16.04 LTS | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-16.04 LTS | [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-18.04 LTS | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.15.0-20-generic to 4.15.0-140-generic </br> 4.18.0-13-generic to 4.18.0-25-generic </br> 5.0.0-15-generic to 5.0.0-65-generic </br> 5.3.0-19-generic to 5.3.0-72-generic </br> 5.4.0-37-generic to 5.4.0-70-generic </br> 4.15.0-1009-azure to 4.15.0-1111-azure </br> 4.18.0-1006-azure to 4.18.0-1025-azure </br> 5.0.0-1012-azure to 5.0.0-1036-azure </br> 5.3.0-1007-azure to 5.3.0-1035-azure </br> 5.4.0-1020-azure to 5.4.0-1043-azure </br> 4.15.0-1114-azure </br> 4.15.0-143-generic </br> 5.4.0-1047-azure </br> 5.4.0-73-generic </br> 4.15.0-1115-azure </br> 4.15.0-144-generic </br> 5.4.0-1048-azure </br> 5.4.0-74-generic </br> 4.15.0-1121-azure </br> 4.15.0-151-generic </br> 4.15.0-153-generic </br> 5.3.0-76-generic </br> 5.4.0-1055-azure </br> 5.4.0-80-generic </br> 4.15.0-147-generic |

-18.04 LTS |[9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) | 4.15.0-20-generic to 4.15.0-140-generic </br> 4.18.0-13-generic to 4.18.0-25-generic </br> 5.0.0-15-generic to 5.0.0-65-generic </br> 5.3.0-19-generic to 5.3.0-72-generic </br> 5.4.0-37-generic to 5.4.0-70-generic </br> 4.15.0-1009-azure to 4.15.0-1111-azure </br> 4.18.0-1006-azure to 4.18.0-1025-azure </br> 5.0.0-1012-azure to 5.0.0-1036-azure </br> 5.3.0-1007-azure to 5.3.0-1035-azure </br> 5.4.0-1020-azure to 5.4.0-1043-azure </br> 4.15.0-1114-azure </br> 4.15.0-143-generic </br> 5.4.0-1047-azure </br> 5.4.0-73-generic </br> 4.15.0-1115-azure </br> 4.15.0-144-generic </br> 5.4.0-1048-azure </br> 5.4.0-74-generic |

-20.04 LTS |[9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 5.4.0-26-generic to 5.4.0-60-generic </br> 5.4.0-1010-azure to 5.4.0-1043-azure </br> 5.4.0-1047-azure </br> 5.4.0-73-generic </br> 5.4.0-1048-azure </br> 5.4.0-74-generic |

-Debian 7 | [9.40](https://support.microsoft.com/topic/update-rollup-53-for-azure-site-recovery-060268ef-5835-bb49-7cbc-e8c1e6c6e12a) , [9.41](https://support.microsoft.com/topic/update-rollup-54-for-azure-site-recovery-50873c7c-272c-4a7a-b9bb-8cd59c230533), [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094) | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 |

-Debian 8 | [9.40](https://support.microsoft.com/topic/update-rollup-53-for-azure-site-recovery-060268ef-5835-bb49-7cbc-e8c1e6c6e12a), [9.41](https://support.microsoft.com/topic/update-rollup-54-for-azure-site-recovery-50873c7c-272c-4a7a-b9bb-8cd59c230533), [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6), [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094) | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.11-amd64 |

-Debian 9.1 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.9.0-1-amd64 to 4.9.0-15-amd64 </br> 4.19.0-0.bpo.1-amd64 to 4.19.0-0.bpo.16-amd64 </br> 4.19.0-0.bpo.1-cloud-amd64 to 4.19.0-0.bpo.16-cloud-amd64

-Debian 10 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.19.0-6-amd64 to 4.19.0-16-amd64 </br> 4.19.0-6-cloud-amd64 to 4.19.0-16-cloud-amd64 </br> 5.8.0-0.bpo.2-amd64 </br> 5.8.0-0.bpo.2-cloud-amd64

-Debian 10 | [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) | 4.19.0-6-amd64 to 4.19.0-16-amd64 </br> 4.19.0-6-cloud-amd64 to 4.19.0-16-cloud-amd64 </br> 5.8.0-0.bpo.2-amd64 </br> 5.8.0-0.bpo.2-cloud-amd64

-Debian 10 | [9.41](https://support.microsoft.com/topic/update-rollup-54-for-azure-site-recovery-50873c7c-272c-4a7a-b9bb-8cd59c230533) | 4.19.0-6-amd64 to 4.19.0-14-amd64 </br> 4.19.0-6-cloud-amd64 to 4.19.0-14-cloud-amd64 </br> 5.8.0-0.bpo.2-amd64 </br> 5.8.0-0.bpo.2-cloud-amd64 </br> 4.19.0-10-cloud-amd64, 4.19.0-16-amd64, 4.19.0-16-cloud-amd64 through 9.41 hot fix patch**

-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.43](https://support.microsoft.com/en-us/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 4.4.138-4.7-azure to 4.4.180-4.31-azure,</br>4.12.14-6.3-azure to 4.12.14-6.43-azure </br> 4.12.14-16.7-azure to 4.12.14-16.56-azure </br> 4.12.14-16.65-azure |

-SUSE Linux Enterprise Server 15, SP1, SP2 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | By default, all [stock SUSE 15, SP1, SP2 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 4.12.14-5.5-azure to 4.12.14-5.47-azure </br></br> 4.12.14-8.5-azure to 4.12.14-8.55-azure </br> 5.3.18-16-azure </br> 5.3.18-18.5-azure to 5.3.18-18.58-azure

-16.04 LTS | [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094), [9.45](https://support.microsoft.com/topic/update-rollup-58-for-azure-site-recovery-kb5007075-37ba21c3-47d9-4ea9-9130-a7d64f517d5d), [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-16.04 LTS | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-16.04 LTS | [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) | 4.4.0-21-generic to 4.4.0-206-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic to 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-140-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1111-azure|

-18.04 LTS | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.15.0-20-generic to 4.15.0-140-generic </br> 4.18.0-13-generic to 4.18.0-25-generic </br> 5.0.0-15-generic to 5.0.0-65-generic </br> 5.3.0-19-generic to 5.3.0-72-generic </br> 5.4.0-37-generic to 5.4.0-70-generic </br> 4.15.0-1009-azure to 4.15.0-1111-azure </br> 4.18.0-1006-azure to 4.18.0-1025-azure </br> 5.0.0-1012-azure to 5.0.0-1036-azure </br> 5.3.0-1007-azure to 5.3.0-1035-azure </br> 5.4.0-1020-azure to 5.4.0-1043-azure </br> 4.15.0-1114-azure </br> 4.15.0-143-generic </br> 5.4.0-1047-azure </br> 5.4.0-73-generic </br> 4.15.0-1115-azure </br> 4.15.0-144-generic </br> 5.4.0-1048-azure </br> 5.4.0-74-generic </br> 4.15.0-1121-azure </br> 4.15.0-151-generic </br> 5.3.0-76-generic </br> 5.4.0-1055-azure </br> 5.4.0-80-generic </br> 4.15.0-147-generic |

-20.04 LTS |[9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 5.4.0-26-generic to 5.4.0-80 </br> 5.4.0-1010-azure to 5.4.0-1048-azure |

-Debian 7 | [9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8),[9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6), [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094), [9.45](https://support.microsoft.com/topic/update-rollup-58-for-azure-site-recovery-kb5007075-37ba21c3-47d9-4ea9-9130-a7d64f517d5d), [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e) | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 |

-Debian 8 |[9.42](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6), [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094) [9.45](https://support.microsoft.com/topic/update-rollup-58-for-azure-site-recovery-kb5007075-37ba21c3-47d9-4ea9-9130-a7d64f517d5d), [9.46](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e) | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.11-amd64 |

-Debian 9.1 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.9.0-1-amd64 to 4.9.0-15-amd64 </br> 4.19.0-0.bpo.1-amd64 to 4.19.0-0.bpo.16-amd64 </br> 4.19.0-0.bpo.1-cloud-amd64 to 4.19.0-0.bpo.16-cloud-amd64 </br>

-Debian 10 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | 4.19.0-6-amd64 to 4.19.0-16-amd64 </br> 4.19.0-6-cloud-amd64 to 4.19.0-16-cloud-amd64 </br> 5.8.0-0.bpo.2-amd64 </br> 5.8.0-0.bpo.2-cloud-amd64

-SUSE Linux Enterprise Server 12 (SP1,SP2,SP3,SP4, SP5) | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 4.4.138-4.7-azure to 4.4.180-4.31-azure,</br>4.12.14-6.3-azure to 4.12.14-6.43-azure </br> 4.12.14-16.7-azure to 4.12.14-16.65-azure |

-SUSE Linux Enterprise Server 15, SP1, SP2 | [9.43](https://support.microsoft.com/topic/update-rollup-56-for-azure-site-recovery-kb5005376-33f27950-1a07-43e5-bf40-4b380a270ef6) | By default, all [stock SUSE 15, SP1, SP2 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 4.12.14-5.5-azure to 4.12.14-5.47-azure </br></br> 4.12.14-8.5-azure to 4.12.14-8.55-azure </br> 5.3.18-16-azure </br> 5.3.18-18.5-azure to 5.3.18-18.58-azure

-Blobs in the Archive tier should be stored for a minimum of 180 days. Deleting or changing the tier of an archived blob before the 180-day period elapses incurs an early deletion fee. For more information, see [Archive access tier](access-tiers-overview.md#archive-access-tier).

-Azure File Sync enumerates the Azure File Share in the cloud once per day to discover changes that were made directly to the share so that they can sync down to the server endpoints. This scan generates transactions which are billed to the storage account at a rate of two LIST transactions per directory per day. You can put this number into the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the scan cost.

-* [*What is Azure Private Link service?*](../private-link/private-link-service-overview.md)

-In a browser, navigate to the Azure Resource Manager-integrated version of the Azure Virtual Desktop web client at <https://rdweb.wvd.microsoft.com/arm/webclient> and sign in with your user account.

->If you're using Azure Virtual Desktop (classic) without Azure Resource Manager integration, connect to your resources at <https://rdweb.wvd.microsoft.com/webclient> instead.

-In a browser, navigate to the Azure Virtual Desktop web client at <https://rdweb.wvd.microsoft.com/webclient> and sign in with your user account.

->If you're using Azure Virtual Desktop with Azure Resource Manager integration, connect to your resources at <https://rdweb.wvd.microsoft.com/arm/webclient> instead.

-Before you upload the secret to the key vault, you can optionally encrypt it by using a key encryption key. Use the wrap [API](/rest/api/keyvault/wrapkey) to first encrypt the secret using the key encryption key. The output of this wrap operation is a base64 URL encoded string, which you can then upload as a secret by using the [`Set-AzKeyVaultSecret`](/powershell/module/az.keyvault/set-azkeyvaultsecret) cmdlet.

-To begin exploring Azure Monitor, go to the **Overview** page for your virtual machine, and then select the **Monitoring** tab. The **Key Metrics** pane includes charts that show key health metrics, such as average CPU and network utilization. At the top of the pane, you can select a duration to change the time range for the charts, or select a chart to open the **Metrics** pane to drill down further or to create an alert rule.

-description: NC-series retirement by August 31, 2022

-# Migrate your NC and NC_Promo series virtual machines by August 31, 2022

-With this in mind, we are retiring our NC (v1) GPU VM sizes, powered by NVIDIA Tesla K80 GPUs on 31 August 2022.

-After 31 August 2022, any remaining NC size virtual machines remaining in your subscription will be set to a deallocated state. These virtual machines will be stopped and removed from the host. These virtual machines will no longer be billed in the deallocated state.

-description: NCv2-series retirement by August 31, 2022

-# Migrate your NCv2 series virtual machines by August 31, 2022

-With this in mind, we are retiring our NC (v2) GPU VM sizes, powered by NVIDIA Tesla P100 GPUs on 31 August 2022.

-After 31 August 2022, any remaining NCv2 size virtual machines remaining in your subscription will be set to a deallocated state. These virtual machines will be stopped and removed from the host. These virtual machines will no longer be billed in the deallocated state.

-description: ND-series retirement by August 31, 2022

-# Migrate your ND series virtual machines by August 31, 2022

-With this in mind, we are retiring our ND GPU VM sizes, powered by NVIDIA Tesla P40 GPUs on 31 August 2022.

-After 31 August 2022, any remaining ND size virtual machines remaining in your subscription will be set to a deallocated state. These virtual machines will be stopped and removed from the host. These virtual machines will no longer be billed in the deallocated state.

-# Migrate your NV and NV_Promo series virtual machines by August 31, 2022

-We continue to bring modern and optimized virtual machine (VM) instances to Azure by using the latest innovations in datacenter technologies. As we innovate, we also thoughtfully plan how we retire aging hardware. With this context in mind, we're retiring our NV-series Azure VM sizes on September 1, 2022.

-After September 1, 2022, any remaining NV and NV_Promo-size VMs remaining in your subscription will be set to a deallocated state. These VMs will be stopped and removed from the host. These VMs will no longer be billed in the deallocated state.

-Before you upload the secret to the key vault, you can optionally encrypt it by using a key encryption key. Use the wrap [API](/rest/api/keyvault/wrapkey) to first encrypt the secret using the key encryption key. The output of this wrap operation is a base64 URL encoded string, which you can then upload as a secret by using the [`Set-AzKeyVaultSecret`](/powershell/module/az.keyvault/set-azkeyvaultsecret) cmdlet.

- "start_lun" : 0

- "start_lun" : 9

- "start_lun" : 13

-> | `NFS_Provider` | Defines what NFS backend to use, the options are 'AFS' for Azure Files NFS or 'ANF' for Azure NetApp files, 'NONE' for NFS from the SCS server or 'NFS' for an external NFS solution. | Optional |

-> | `NFS_Provider` | Defines what NFS backend to use, the options are 'AFS' for Azure Files NFS or 'ANF' for Azure NetApp files. |

-> | `NFS_Provider` | Defines what NFS backend to use, the options are 'AFS' for Azure Files NFS or 'ANF' for Azure NetApp files, 'NONE' for NFS from the SCS server or 'NFS' for an external NFS solution. | Optional |

-Profile files contain information that is necessary to configure a VPN connection. This article will help you obtain and understand the information necessary for a VPN client profile.

- - *Allow* - WAF forwards the quest to the back-end, logs an entry in WAF logs and exits.

- - *Block* - Request is blocked, WAF sends response to client without forwarding the request to the back-end. WAF logs an entry in WAF logs.

- - *Log* - WAF logs an entry in WAF logs and continues to evaluate the next rule.

- - *Redirect* - WAF redirects request to a specified URI, logs an entry in WAF logs, and exits.

-|Action|Action taken on the request|

-The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from clients during a one-minute duration.

-This article shows how to configure a WAF rate limit rule that controls the number of requests allowed from clients to a web application that contains */promo* in the URL using Azure PowerShell.

-In the following example, the limit is set to 1000. Requests from any client to the promo page exceeding 1000 during one minute are blocked until the next minute starts.