+## Create an AKS cluster

+AKS clusters can use [Kubernetes role-based access control (Kubernetes RBAC)][k8s-rbac], which allows you to define access to resources based on roles assigned to users. Permissions are combined when users are assigned multiple roles. Permissions can be scoped to either a single namespace or across the whole cluster. For more information, see [Control access to cluster resources using Kubernetes RBAC and Microsoft Entra ID in AKS][aks-k8s-rbac].

+For information about AKS resource limits and region availability, see [Quotas, virtual machine size restrictions, and region availability in AKS][quotas-skus-regions].

+> [!NOTE]

+> To ensure your cluster operates reliably, you should run at least two nodes.

+### [Azure CLI](#tab/azure-cli)

+To allow an AKS cluster to interact with other Azure resources, the Azure platform automatically creates a cluster identity. In this example, the cluster identity is [granted the right to pull images][container-registry-integration] from the ACR instance you created in the previous tutorial. To execute the command successfully, you need to have an **Owner** or **Azure account administrator** role in your Azure subscription.

+* Create an AKS cluster using the [`az aks create`][az aks create] command. The following example creates a cluster named *myAKSCluster* in the resource group named *myResourceGroup*. This resource group was created in the [previous tutorial][aks-tutorial-prepare-acr] in the *eastus* region.

+ ```azurecli-interactive

+ az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --node-count 2 \

+ --generate-ssh-keys \

+ --attach-acr <acrName>

+ ```

+ > [!NOTE]

+ > If you already generated SSH keys, you may encounter an error similar to `linuxProfile.ssh.publicKeys.keyData is invalid`. To proceed, retry the command without the `--generate-ssh-keys` parameter.

+To avoid needing an **Owner** or **Azure account administrator** role, you can also manually configure a service principal to pull images from ACR. For more information, see [ACR authentication with service principals](../container-registry/container-registry-auth-service-principal.md) or [Authenticate from Kubernetes with a pull secret](../container-registry/container-registry-auth-kubernetes.md). Alternatively, you can use a [managed identity](use-managed-identity.md) instead of a service principal for easier management.

+### [Azure PowerShell](#tab/azure-powershell)

+To allow an AKS cluster to interact with other Azure resources, the Azure platform automatically creates a cluster identity. In this example, the cluster identity is [granted the right to pull images][container-registry-integration] from the ACR instance you created in the previous tutorial. To execute the command successfully, you need to have an **Owner** or **Azure account administrator** role in your Azure subscription.

+* Create an AKS cluster using the [`New-AzAksCluster`][new-azakscluster] cmdlet. The following example creates a cluster named *myAKSCluster* in the resource group named *myResourceGroup*. This resource group was created in the [previous tutorial][aks-tutorial-prepare-acr] in the *eastus* region.

+ ```azurepowershell-interactive

+ New-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -NodeCount 2 -GenerateSshKey -AcrNameToAttach <acrName>

+ ```

+ > [!NOTE]

+ > If you already generated SSH keys, you may encounter an error similar to `linuxProfile.ssh.publicKeys.keyData is invalid`. To proceed, retry the command without the `-GenerateSshKey` parameter.

+To avoid needing an **Owner** or **Azure account administrator** role, you can also manually configure a service principal to pull images from ACR. For more information, see [ACR authentication with service principals](../container-registry/container-registry-auth-service-principal.md) or [Authenticate from Kubernetes with a pull secret](../container-registry/container-registry-auth-kubernetes.md). Alternatively, you can use a [managed identity](use-managed-identity.md) instead of a service principal for easier management.

+### [Azure Developer CLI](#tab/azure-azd)

+AZD packages the deployment of clusters with the application itself using `azd up`. This command is covered in the next tutorial.

+To learn how to move Automation to a new region, see [Move Automation account to another region](../../operational-excellence/relocation-automation.md).

+To view more data from your Java-based Azure Functions applications than is [collected by default](../../azure-functions/functions-monitoring.md?tabs=cmd), enable the [Application Insights Java 3.x agent](./java-in-process-agent.md). This agent allows Application Insights to automatically collect and correlate dependencies, logs, and metrics from popular libraries and Azure Software Development Kits (SDKs). This telemetry is in addition to the request telemetry already captured by Functions.

+If you're using `log4j` or `logback` for console logging, distributed tracing for Java Functions creates duplicate logs. These duplicate logs are then sent to Application Insights. To avoid this behavior, use the following workarounds.

+## Distributed tracing for Node.js function apps

+To view more data from your Node Azure Functions applications than is [collected by default](../../azure-functions/functions-monitoring.md#collecting-telemetry-data), instrument your Function using the [Azure Monitor OpenTelemetry Distro](./opentelemetry-enable.md?tabs=nodejs).

+1. Enter the word "cost" in the **Filter services** field near the top of the **All services** pane. Services that have "cost" in the title or that have "cost" as a keyword are shown.

+The portal menu and page header are global elements that are always present in the Azure portal. These persistent features are the "shell" for the user interface associated with each individual service or feature. The header provides access to global controls. The working pane for a resource or service may also have a resource menu specific to that area.

+To view and manage your settings, select the **Settings** menu icon in the top right section of the global page header to open **Portal settings**.

+**Directories + subscriptions** lets you manage directories and set subscription filters.

+The **Startup directory** shows the default directory when you sign in to the Azure portal (or **Last visited** if you've chosen that option). To choose a different startup directory, select **change** to open [Appearance + startup views](#appearance--startup-views), where you can change your selection.

+> After you apply a subscription filter, you'll only see subscriptions that match that filter, across all portal experiences. You won't be able to work with other subscriptions that are excluded from the selected filter. Any new subscriptions that are created after the filter was applied may not be shown if the filter criteria don't match. To see them, you must update the filter criteria to include other subscriptions in the portal, or select **Advanced filters** and use the **Default** filter to always show all subscriptions.

+After you continue, **Advanced filters** appears in the left navigation menu of **Portal settings**. You can create and manage multiple subscription filters here. Your currently selected subscriptions are saved as an imported filter that you can use again. You'll see this filter selected in **Directories + subscriptions**.

+After enabling **Advanced filters**, you can create, modify, or delete subscription filters.

+**My information** lets you update the email address that is used for updates on Azure services, billing, support, or security issues. You can also opt in or out from additional emails about Microsoft Azure and other products and services.

+Near the top of **My information**, you'll see options to export, restore, or delete settings.

+To delete your portal settings, select **Delete all settings and private dashboards** from the top of **My information**. You'll be prompted to confirm the deletion. When you do so, all settings customizations will return to the default settings, and all of your private dashboards will be lost.

+- Get help from your peers in [Microsoft Q&A](/answers/products/azure)

+You can search, filter, and sort support requests. By default, you might only see recent open requests. Change the filter options to select a longer period of time or to include support requests that were closed.

+1. From **All support requests**, select the support request.

+1. In the **Support Request**, select **New message**.

+1. From **All support requests**, select the support request.

+1. In the **Support Request**, select **Change severity**.

+1. From **All support requests**, select the support request.

+1. In the **Support Request**, select **Advanced diagnostic information** near the top of the screen.

+1. From **All support requests**, select the support request.

+1. In the **Support Request**, select the **Upload file** box, then browse to find your file and select **Upload**.

+description: Describes how to use throttling with Azure Resource Manager requests when subscription limits are reached.

+# Understand how Azure Resource Manager throttles requests

+This article describes how Azure Resource Manager throttles requests. It shows you how to track the number of requests that remain before reaching the limit, and how to respond when you reach the limit.

+Every subscription-level and tenant-level operation is subject to throttling limits. Subscription requests are ones that involve passing your subscription ID, such as retrieving the resource groups in your subscription. For example, sending a request to `https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups?api-version=2022-01-01` is a subscription-level operation. Tenant requests don't include your subscription ID, such as retrieving valid Azure locations. For example, sending a request to `https://management.azure.com/tenants?api-version=2022-01-01` is a tenant-level operation.

+These limits apply to each Azure Resource Manager instance. There are multiple instances in every Azure region, and Azure Resource Manager is deployed to all Azure regions. So, in practice, the limits are higher than these limits. The requests from a user are usually handled by different instances of Azure Resource Manager.

+## Migrating to regional throttling and token bucket algorithm

+Starting in 2024, Microsoft is migrating Azure subscriptions to a new throttling architecture. With this change, you'll experience new throttling limits. The new throttling limits are applied per region rather than per instance of Azure Resource Manager. The new architecture uses a [token bucket algorithm](https://en.wikipedia.org/wiki/Token_bucket) to manage API throttling.

+The token bucket represents the maximum number of requests that you can send for each second. When you reach the maximum number of requests, the refill rate determines how quickly tokens become available in the bucket.

+These updated limits make it easier for you to refresh and manage your quota.

+The new limits are:

+| Scope | Operations | Bucket size | Refill rate per sec |

+| -- | - | -- | - |

+| Subscription | reads | 250 | 25 |

+| Subscription | deletes | 200 | 10 |

+| Subscription | writes | 200 | 10 |

+| Tenant | reads | 250 | 25 |

+| Tenant | deletes | 200 | 10 |

+| Tenant | writes | 200 | 10 |

+The subscription limits apply per subscription, per service principal, and per operation type. There are also global subscription limits that are equivalent to 15 times the individual service principal limits for each operation type. The global limits apply across all service principals. Requests will be throttled if the global, service principal, or tenant specific limits are exceeded.

+The limits may be smaller for free or trial customers.

+For example, suppose you have a bucket size of 250 tokens for read requests and refill rate of 25 tokens per second. If you send 250 read requests in a second, the bucket is empty and your requests are throttled. Each second, 25 tokens become available until the bucket reaches its maximum capacity of 250 tokens. You can use tokens as they become available.

+### How do I know if my subscription uses the new throttling experience?

+After your subscription is migrated to the new throttling experience, the response header shows the remaining requests per minute instead of per hour. Also, your `Retry-After` value shows one minute or less, instead of five minutes. For more information, see [Error code](#error-code).

+### Why is throttling changing to per region rather than per instance?

+Since different regions have a different number of Resource Manager instances, throttling per instance causes inconsistent throttling performance. Throttling per region makes throttling consistent and predictable.

+### How does the new throttling experience affect my limits?

+You can send more requests. Write requests increase by 30 times. Delete requests increase by 2.4 times. Read requests increase by 7.5 times.

+### Can I prevent my subscription from migrating to the new throttling experience?

+No, all subscriptions will eventually be migrated.

+When you reach the limit, you receive the HTTP status code **429 Too many requests**. The response includes a **Retry-After** value, which specifies the number of seconds your application should wait (or sleep) before sending the next request. If you send a request before the retry value elapses, your request isn't processed and a new retry value is returned.

+| x-ms-ratelimit-remaining-subscription-resource-requests |Subscription scoped resource type requests remaining.<br /><br />This header value is only returned if a service overrides the default limit. Resource Manager adds this value instead of the subscription reads or writes. |

+| x-ms-ratelimit-remaining-subscription-resource-entities-read |Subscription scoped resource type collection requests remaining.<br /><br />This header value is only returned if a service overrides the default limit. This value provides the number of remaining collection requests (list resources). |

+| x-ms-ratelimit-remaining-tenant-resource-requests |Tenant scoped resource type requests remaining.<br /><br />This header is only added for requests at tenant level, and only if a service overrides the default limit. Resource Manager adds this value instead of the tenant reads or writes. |

+| x-ms-ratelimit-remaining-tenant-resource-entities-read |Tenant scoped resource type collection requests remaining.<br /><br />This header is only added for requests at tenant level, and only if a service overrides the default limit. |

+ Title: Deploy an artifact file to Azure Container Apps

+In this quickstart, you learn to deploy a container app from a prebuilt artifact file. The example in this article deploys a Java application using a JAR file, which includes a Java-specific manifest file. Your job is to create a backend web API service that returns a static collection of music albums. After completing this quickstart, you can continue to [Communication between microservices](communicate-between-microservices.md) to learn how to deploy a front end application that calls the API.

+| Java | Install the [JDK](/java/openjdk/install), recommend 17, or later|

+Next, install, or update the Azure Container Apps extension for the CLI.

+The `up` command uses the Docker file in the root of the repository to build the container image. The `EXPOSE` instruction in the Docker file defines the target port. A Docker file, however, isn't required to build a container app.

+Copy the FQDN to a web browser. From your web browser, go to the `/albums` endpoint of the FQDN.

+## Deploy a WAR file

+You can also deploy your container app from a [WAR file](java-deploy-war-file.md).

+ Title: Build environment variables for Java in Azure Container Apps

+description: Learn about Java image build from source code via environment variables.

+# Build environment variables for Java in Azure Container Apps

+Azure Container Apps uses [Buildpacks](https://buildpacks.io/) to automatically create a container image that allows you to deploy from your source code directly to the cloud. To take control of your build configuration, you can use environment variables to customize parts of your build like the JDK, Maven, and Tomcat. The following article shows you how to configure environment variables to help you take control over builds that automatically create a container for you.

+## Supported Java build environment variables

+### Configure JDK

+Container Apps use [Microsoft Build of OpenJDK](https://www.microsoft.com/openjdk) to build source code and as the runtime environment. Four LTS JDK versions are supported: 8, 11, 17 and 21.

+- For source code build, the default version is JDK 17.

+- For a JAR file build, the JDK version is read from the file location `META-INF\MANIFEST.MF` in the JAR, but uses the default JDK version 17 if the specified version isn't available.

+

+Here's a listing of the environment variables used to configure JDK:

+| Environment variable | Description | Default |

+|--|--|--|

+| `BP_JVM_VERSION` | Controls the JVM version. | `17` |

+### Configure Maven

+Container Apps supports building Maven-based applications from source.

+Here's a listing of the environment variables used to configure Maven:

+| Build environment variable | Description | Default |

+|--|--|--|

+| `BP_MAVEN_VERSION` | Sets the major Maven version. Since Buildpacks only ships a single version of each supported line, updates to the buildpack can change the exact version of Maven installed. If you require a specific minor/patch version of Maven, use the Maven wrapper instead. | `3` |

+| `BP_MAVEN_BUILD_ARGUMENTS` | Defines the arguments passed to Maven. The `--batch-mode` is prepended to the argument list in environments without a TTY. | `-Dmaven.test.skip=true --no-transfer-progress package` |

+| `BP_MAVEN_ADDITIONAL_BUILD_ARGUMENTS` | Defines extra arguments used (for example, `-DskipJavadoc` appended to `BP_MAVEN_BUILD_ARGUMENTS`) to pass to Maven. | |

+| `BP_MAVEN_ACTIVE_PROFILES` | Comma separated list of active profiles passed to Maven. | |

+| `BP_MAVEN_BUILT_MODULE` | Designates application artifact that contains the module. By default, the build looks in the root module. | |

+| `BP_MAVEN_BUILT_ARTIFACT` | Location of the built application artifact. This value supersedes the `BP_MAVEN_BUILT_MODULE` variable. You can match a single file, multiple files, or a directory through one or more space separated patterns. | `target/*.[ejw]ar` |

+| `BP_MAVEN_POM_FILE` | Specifies a custom location to the project's *pom.xml* file. This value is relative to the root of the project (for example, */workspace*). | `pom.xml` |

+| `BP_MAVEN_DAEMON_ENABLED` | Triggers the installation and configuration of Apache `maven-mvnd` instead of Maven. Set this value to `true` if you want to the Maven Daemon. | `false` |

+| `BP_MAVEN_SETTINGS_PATH` | Specifies a custom location to Maven's *settings.xml* file. | |

+| `BP_INCLUDE_FILES` | Colon separated list of glob patterns to match source files. Any matched file is retained in the final image. | |

+| `BP_EXCLUDE_FILES` | Colon separated list of glob patterns to match source files. Any matched file is removed from the final image. Any include patterns are applied first, and you can use "exclude patterns" to reduce the files included in the build. | |

+| `BP_JAVA_INSTALL_NODE` | Control whether or not a separate Buildpack installs Yarn and Node.js. If set to `true`, the Buildpack checks the app root or path set by `BP_NODE_PROJECT_PATH`. The project path looks for either a *yarn.lock* file, which requires the installation of Yarn and Node.js. If there's a *package.json* file, then the build only requires Node.js. | `false` |

+| `BP_NODE_PROJECT_PATH` | Direct the project subdirectory to look for *package.json* and *yarn.lock* files. | |

+### Configure Tomcat

+Container Apps supports running war file in Tomcat application server.

+Here's a listing of the environment variables used to configure Tomcat:

+| Build environment variable | Description | Default |

+|--|--|--|

+| `BP_TOMCAT_CONTEXT_PATH` | The context path where the application is mounted. | Defaults to empty (`ROOT`) |

+| `BP_TOMCAT_EXT_CONF_SHA256` | The SHA256 hash of the external configuration package. | |

+| `BP_TOMCAT_ENV_PROPERTY_SOURCE_DISABLED` | When set to `true`, the Buildpack doesn't configure `org.apache.tomcat.util.digester.EnvironmentPropertySource`. This configuration option is added to support loading configuration from environment variables and referencing them in Tomcat configuration files. | |

+| `BP_TOMCAT_EXT_CONF_STRIP` | The number of directory levels to strip from the external configuration package. | `0` |

+| `BP_TOMCAT_EXT_CONF_URI` | The download URI of the external configuration package. | |

+| `BP_TOMCAT_EXT_CONF_VERSION` | The version of the external configuration package. | |

+| `BP_TOMCAT_VERSION` | Used to configure a specific Tomcat version. Supported Tomcat versions include 8, 9, and 10. | `9.*` |

+### Configure Cloud Build Service

+Here's a listing of the environment variables used to configure a Cloud Build Service:

+| Build environment variable | Description | Default |

+|--|--|--|

+| `ORYX_DISABLE_TELEMETRY` | Controls whether or not to disable telemetry collection. | `false` |

+## How to configure Java build environment variables

+You can configure Java build environment variables when you deploy Java application source code via CLI command `az containerapp up`, `az containerapp create`, or `az containerapp update`:

+```azurecli

+az containerapp up \

+ --name <CONTAINER_APP_NAME> \

+ --source <SOURCE_DIRECTORY> \

+ --build-env-vars <NAME=VALUE NAME=VALUE> \

+ --resource-group <RESOURCE_GROUP_NAME> \

+ --environment <ENVIRONMENT_NAME>

+```

+The `build-env-vars` argument is a list of environment variables for the build, space-separated values in `key=value` format. Here's an example list you can pass in as variables:

+```bash

+BP_JVM_VERSION=21 BP_MAVEN_VERSION=4 "BP_MAVEN_BUILD_ARGUMENTS=-Dmaven.test.skip=true --no-transfer-progress package"

+```

+You can also configure the Java build environment variables when you [set up GitHub Actions with Azure CLI in Azure Container Apps](github-actions-cli.md).

+```azurecli

+az containerapp github-action add \

+ --repo-url "https://github.com/<OWNER>/<REPOSITORY_NAME>" \

+ --build-env-vars <NAME=VALUE NAME=VALUE> \

+ --branch <BRANCH_NAME> \

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --registry-url <URL_TO_CONTAINER_REGISTRY> \

+ --registry-username <REGISTRY_USER_NAME> \

+ --registry-password <REGISTRY_PASSWORD> \

+ --service-principal-client-id <appId> \

+ --service-principal-client-secret <password> \

+ --service-principal-tenant-id <tenant> \

+ --token <YOUR_GITHUB_PERSONAL_ACCESS_TOKEN>

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Build and deploy from a repository](quickstart-code-to-cloud.md)

+ Title: Deploy a WAR file on Tomcat in Azure Container Apps

+description: Learn how to deploy a WAR file on Tomcat in Azure Container Apps.

+# Tutorial: Deploy a WAR file on Tomcat in Azure Container Apps

+Rather than manually creating a Dockerfile and directly using a container registry, you can deploy your Java application directly from a web application archive (WAR) file. This article demonstrates how to deploy a Java application on Tomcat using a WAR file to Azure Container Apps.

+By the end of this tutorial you deploy an application on Container Apps that displays the home page of the Spring PetClinic sample application.

+> [!NOTE]

+> If necessary, you can specify the Tomcat version in the build environment variables.

+## Prerequisites

+| Requirement | Instructions |

+|--|--|

+| Azure account | If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).<br<br>You need the *Contributor* or *Owner* permission on the Azure subscription to proceed. <br><br>Refer to [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md?tabs=current) for details. |

+| GitHub Account | Get one for [free](https://github.com/join). |

+| git | [Install git](https://git-scm.com/downloads) |

+| Azure CLI | Install the [Azure CLI](/cli/azure/install-azure-cli).|

+| Java | Install the [Java Development Kit](/java/openjdk/install). Use version 17 or later. |

+| Maven | Install the [Maven](https://maven.apache.org/download.cgi).|

+## Deploy a WAR file on Tomcat

+1. Get the sample application.

+ Clone the Spring PetClinic sample application to your machine.

+ ```bash

+ git clone https://github.com/spring-petclinic/spring-framework-petclinic.git

+ ```

+1. Build the WAR package.

+ First, change into the *spring-framework-petclinic* folder.

+ ```bash

+ cd spring-framework-petclinic

+ ```

+ Then, clean the Maven build area, compile the project's code, and create a WAR file, all while skipping any tests.

+ ```bash

+ mvn clean package -DskipTests

+ ```

+ After you execute the build command, a file named *petclinic.war* is generated in the */target* folder.

+

+1. Deploy the WAR package to Azure Container Apps.

+ Now you can deploy your WAR file with the `az containerapp up` CLI command.

+ ```azurecli

+ az containerapp up \

+ --name <YOUR_CONTAINER_APP_NAME> \

+ --resource-group <YOUR_RESOURCE_GROUP> \

+ --subscription <YOUR_SUBSCRIPTION>\

+ --location <LOCATION> \

+ --environment <YOUR_ENVIRONMENT_NAME> \

+ --artifact <YOUR_WAR_FILE_PATH> \

+ --build-env-var BP_TOMCAT_VERSION=10.* \

+ --ingress external \

+ --target-port 8080 \

+ --query properties.configuration.ingress.fqdn

+ ```

+ > [!NOTE]

+ > The default Tomcat version is 9. If you need to change the Tomcat version for compatibility with your application, you can use the `--build-env-var BP_TOMCAT_VERSION=<YOUR_TOMCAT_VERSION>` argument to adjust the version number.

+ In this example, the Tomcat version is set to `10` (including any minor versions) by setting the `BP_TOMCAT_VERSION=10.*` environment variable.

+ You can find more applicable build environment variables in [Java build environment variables](java-build-environment-variables.md)

+1. Verify the app status.

+ In this example, `containerapp up` command includes the `--query properties.configuration.ingress.fqdn` argument, which returns the fully qualified domain name (FQDN), also known as the app's URL.

+ View the application by pasting this URL into a browser. Your app should resemble the following screenshot.

+ :::image type="content" source="media/java-deploy-war-file/azure-container-apps-petclinic-warfile.png" alt-text="Screenshot of petclinic application.":::

+## Next steps

+> [!div class="nextstepaction"]

+> [Java build environment variables](java-build-environment-variables.md)

+ Title: How to use memory efficiently for Java apps in Azure Container Apps

+description: Optimization of default configurations to enhance Java application performance and efficiency.

+# Use memory efficiently for Java apps in Azure Container Apps

+The Java Virtual Machine (JVM) uses memory conservatively as it assumes OS memory must be shared among multiple applications. However, your container app can optimize memory usage and make the maximum amount of memory possible available to your application. This memory optimization is known as Java automatic memory fitting. When memory fitting is enabled, Java application performance is typically improved between 10% and 20% without any code changes.

+Azure Container Apps provides automatic memory fitting under the following circumstances:

+- A single Java application is running in a container.

+- Your application is deployed from source code or a JAR file.

+Automatic memory fitting is enabled by default, but you can disable manually.

+## Disable memory fitting

+Automatic memory fitting is helpful in most scenarios, but it might not be ideal for all situations. You can disable memory fitting manually or automatically.

+### Manual disable

+To disable memory fitting when you create your container app, set the environment variable `BP_JVM_FIT` to `false`.

+The following examples show you how to use disable memory fitting with the `create`, `up`, and `update` commands.

+# [create](#tab/create)

+```azurecli-interactive

+az containerapp create \

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --image <CONTAINER_IMAGE_LOCATION> \

+ --environment <ENVIRONMENT_NAME> \

+ --env-vars BP_JVM_FIT="false"

+```

+# [up](#tab/up)

+```azurecli-interactive

+az containerapp up \

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --image <CONTAINER_IMAGE_LOCATION> \

+ --environment <ENVIRONMENT_NAME> \

+ --env-vars BP_JVM_FIT="false"

+```

+# [update](#tab/update)

+```azurecli-interactive

+az containerapp update \

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --image <CONTAINER_IMAGE_LOCATION> \

+ --set-env-vars BP_JVM_FIT="false"

+```

+> [!NOTE]

+> The container app restarts when you run the `update` command.

+To verify that memory fitting is disabled, check your logs for the following message:

+> Disabling jvm memory fitting, reason: manually disabled

+### Automatic disable

+Memory fitting is automatically disabled when any of the following conditions are met:

+- **Limited container memory**: Container memory is less than 1 GB.

+- **Explicitly set memory options**: When one or more memory settings are specified in environment variables through `JAVA_TOOL_OPTIONS`. Memory setting options include the following values:

+ - `-XX:MaxRAMPercentage`

+ - `-XX:MinRAMPercentage`

+ - `-XX:InitialRAMPercentage`

+ - `-XX:MaxMetaspaceSize`

+ - `-XX:MetaspaceSize`

+ - `-XX:ReservedCodeCacheSize`

+ - `-XX:MaxDirectMemorySize`

+ - `-Xmx`

+ - `-Xms`

+ - `-Xss`

+ For example, memory fitting is automatically disabled if you specify the maximum heap size in an environment variable like shown the following example:

+ ```azurecli-interactive

+ az containerapp update \

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --image <CONTAINER_IMAGE_LOCATION> \

+ --set-env-vars JAVA_TOOL_OPTIONS="-Xmx512m"

+ ```

+ With memory fitting disabled, you see the following message output to the log:

+ > Disabling jvm memory fitting, reason: use settings specified in

+ > JAVA_TOOL_OPTIONS=-Xmx512m instead

+ > Picked up JAVA_TOOL_OPTIONS: -Xmx512m

+- **Small non-heap memory size**: Rare cases when the calculated size of heap or nonheap size is too small (less than 200 MB).

+## Verify memory fit is enabled

+Inspect your [log stream](log-streaming.md) during start-up for a message that references *Calculated JVM Memory Configuration*.

+Here's an example message output during start-up.

+> Calculated JVM Memory Configuration: -XX:MaxDirectMemorySize=10M

+> -Xmx1498277K -XX:MaxMetaspaceSize=86874K -XX:ReservedCodeCacheSize=240M

+> -Xss1M (Total Memory: 2G, Thread Count: 250,

+> Loaded Class Count: 12924, Headroom: 0%)

+>

+> Picked up JAVA_TOOL_OPTIONS: -XX:MaxDirectMemorySize=10M

+> -Xmx1498277K -XX:MaxMetaspaceSize=86874K

+> -XX:ReservedCodeCacheSize=240M -Xss1M

+## Runtime configuration

+You can set environment variables to affect the memory fitting behavior.

+| Variable | Unit | Example | Description |

+|--|--|--|--|

+| `BPL_JVM_HEAD_ROOM` | Percentage | `BPL_JVM_HEAD_ROOM=5` | Leave memory space for the system based on the given percentage. |

+| `BPL_JVM_THREAD_COUNT` | Number | `BPL_JVM_THREAD_COUNT=200` | The estimated maximum number of threads. |

+| `BPL_JVM_CLASS_ADJUSTMENT` | Number<br> Percentage | `BPL_JVM_CLASS_ADJUSTMENT=10000`<br>`BPL_JVM_CLASS_ADJUSTMENT="10%"` | Adjust JVM class count by explicit value or percentage. |

+> [!NOTE]

+> Changing these variables does not disable automatic memory fitting.

+## Out of memory warning

+If you decide to configure the memory settings yourself, you run the risk of encountering an out-of-memory warning.

+Here are some possible reasons of why your container could run out of memory:

+- Heap memory is greater than the total available memory.

+- Nonheap memory is greater than the total available memory.

+- Heap + nonheap memory is greater than the total available memory.

+If your container runs out of memory, then you encounter the following warning:

+> OOM Warning: heap memory 1200M is greater than 1G available for allocation (-Xmx1200M)

+## Next steps

+> [!div class="nextstepaction"]

+> [Monitor logs with Log Analytics](log-monitoring.md)

+ Title: Java on Azure Container Apps overview

+description: Learn about the tools and resources needed to run Java applications on Azure Container Apps.

+# Java on Azure Container Apps overview

+Azure Container Apps can run any containerized Java application in the cloud while giving flexible options for how your deploy your applications.

+When you use Container Apps for your containerized Java applications, you get:

+- **Cost effective scaling**: When you use the [Consumption plan](plans.md#consumption), your Java apps can scale to zero. Scaling in when there's little demand for your app automatically drives costs down for your projects.

+- **Deployment options**: Azure Container Apps integrates with [Buildpacks](https://buildpacks.io), which allows you to deploy directly from a Maven build, via artifact files, or with your own Dockerfile.

+- **Automatic memory fitting**: Container Apps optimizes how the Java Virtual Machines (JVM) [manages memory](java-memory-fit.md), making the most possible memory available to your Java applications.

+- **Build environment variables**: You can configure [custom key-value pairs](java-build-environment-variables.md) to control the Java image build from source code.

+- **WAR deployment**: You can deploy your container app directly from a [WAR file](java-deploy-war-file.md).

+This article details the information you need to know as you build Java applications on Azure Container Apps.

+## Deployment types

+Running containerized applications usually means you need to create a Dockerfile for your application, but running Java applications on Container Apps gives you a few options.

+| Type | Description | Uses Buildpacks | Uses a Dockerfile |

+|--|--|--|--|

+| Artifact build | You can deploy directly to Container Apps from your source code. | Yes | No |

+| Maven build | You can create a Maven build to deploy to Container Apps | Yes | No |

+| Dockerfile | You can create your Dockerfile manually and take full control over your deployment. | No | Yes |

+> [!NOTE]

+> The Buildpacks deployments support JDK versions 8, 11, 17, and 21.

+## Application types

+Different applications types are implemented either as an individual container app or as a [Container Apps job](jobs.md). Use the following table to help you decide which application type is best for your scenario.

+Examples listed in this table aren't meant to be exhaustive, but to help you best understand the intent of different application types.

+| Type | Examples | Implement as... |

+|--|--|--|

+| Web applications and API endpoints | Spring Boot, Quarkus, Apache Tomcat, and Jetty | An individual container app |

+| Console applications, scheduled tasks, task runners, batch jobs | SparkJobs, ETL tasks, Spring Batch Job, Jenkins pipeline job | A Container Apps job |

+## Debugging

+As you debug your Java application on Container Apps, be sure to inspect the Java [in-process agent](/azure/spring-apps/enterprise/how-to-application-insights?pivots=sc-enterprise) for log stream and console debugging messages.

+## Troubleshooting

+Keep the following items in mind as you develop your Java applications:

+- **Default resources**: By default, an app has a half a CPU and 1 GB available.

+- **Stateless processes**: As your container app scales in and out, new processes are created and shut down. Make sure to plan ahead so that you write data to shared storage such as databases and file system shares. Don't expect any files written directly to the container file system to be available to any other container.

+- **Scale to zero is the default**: If you need to ensure one or more instances of your application are continuously running, make sure you define a [scale rule](scale-app.md) to best meet your needs.

+- **Unexpected behavior**: If your container app fails to build, start, or run, verify that the artifact path is set correctly in your container.

+- **Buildpack support issues**: If your Buildpack doesn't support dependencies or the version of Java you require, create your own Dockerfile to deploy your app. You can view a [sample Dockerfile](https://github.com/Azure-Samples/containerapps-albumapi-java/blob/main/Dockerfile) for reference.

+- **SIGTERM and SIGINT signals**: By default, the JVM handles `SIGTERM` and `SIGINT` signals and doesnΓÇÖt pass them to the application unless you intercept these signals and handle them in your application accordingly. Container Apps uses both `SIGTERM` and `SIGINT` for process control. If you don't capture these signals, and your application terminates unexpectedly, you might lose these signals unless you persist them to storage.

+- **Access to container images**: If you use artifact or source code deployment in combination with the default registry, you don't have direct access to your container images.

+## Monitoring

+All the [standard observability tools](observability.md) work with your Java application. As you build your Java applications to run on Container Apps, keep in mind the following items:

+- **Logging**: Send application and error messages to `stdout` or `stderror` so they can surface in the log stream. Avoid logging directly to the container's filesystem as is common when using popular logging services.

+- **Performance monitoring configuration**: Deploy performance monitoring services as a separate container in your Container Apps environment so it can directly access your application.

+## Scaling

+If you need to make sure requests from your front-end applications reach the same server, or your front-end app is split between multiple containers, make sure to enable [sticky sessions](sticky-sessions.md).

+## Security

+The Container Apps runtime terminates SSL for you inside your Container Apps environment.

+## Memory management

+To help optimize memory management in your Java application, you can ensure [JVM memory fitting](java-memory-fit.md) is enabled in your app.

+Memory is measured in gibibytes (Gi) and CPU core pairs. The following table shows the range of resources available to your container app.

+| Threshold | CPU cores | Memory in Gibytes (Gi) |

+||||

+| Minimum | 0.25 | 0.5 |

+| Maximum | 4 | 8 |

+Cores are available in 0.25 core increments, with memory available at a 2:1 ratio. For instance, if you require 1.25 cores, you have 2.5 Gi of memory available to your container app.

+> [!NOTE]

+> For apps using JDK versions 9 and lower, make sure to define custom JVM memory settings to match the memory allocation in Azure Container Apps.

+## Next steps

+> [!div class="nextstepaction"]

+> [Configure build environment variables](java-build-environment-variables.md)

+> The Java Buildpack uses [Maven](https://maven.apache.org/what-is-maven.html) with default settings to build your application. Alternatively, you can the [use `--build-env-vars` parameter to configure the image build from source code](java-build-environment-variables.md).

+|.NET v3 SDK |[>= `3.36.0`](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.36.0) |This feature is available in both preview and non-preview versions. For non-preview versions, it's off by default. You can enable tracing by setting `DisableDistributedTracing = false` in `CosmosClientOptions.CosmosClientTelemetryOptions`. |

+|.NET v3 SDK preview |[>= `3.33.0-preview`](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.33.0-preview) |This feature is available in both preview and non-preview versions. For preview versions, it's on by default. You can disable tracing by setting `DisableDistributedTracing = true` in `CosmosClientOptions.CosmosClientTelemetryOptions`. |

+Azure Cosmos DB traces follow the [OpenTelemetry database specification](https://github.com/open-telemetry/opentelemetry-specification) and also provide several custom attributes. You can see different attributes depending on the operation of your request, and these attributes are core attributes for all requests.

+If you configured logs in your trace provider, you can automatically get [diagnostics](./troubleshoot-dotnet-sdk.md#capture-diagnostics) for Azure Cosmos DB requests that failed or had high latency. These logs can help you diagnose failed and slow requests without requiring any custom code to capture them.

+In addition to getting diagnostic logs for failed requests, you can configure different latency thresholds for when to collect diagnostics from successful requests. The default values are 100 ms for point operations and 500 ms for non point operations. These thresholds can be adjusted through client options.

+To use OpenTelemetry with the Azure Cosmos DB SDKs, add the `Azure.Cosmos.Operation` source to your trace provider. OpenTelemetry is compatible with many exporters that can ingest your data. The following sample uses the `Azure Monitor OpenTelemetry Exporter`, but you can choose to configure any exporter you wish. Depending on your chosen exporter, you might see a delay ingesting data of up to a few minutes.

+There are many different ways to configure Application Insights depending on the language your application is written in and your compute environment. For more information, see the [Application Insights documentation](../../azure-monitor/app/app-insights-overview.md#how-do-i-use-application-insights). Ingestion of data into Application Insights can take up to a few minutes.

+description: Learn about deploying the Defender for APIs plan in Defender for Cloud.

+This article describes how to enable and onboard the Defender for APIs plan in the Defender for Cloud portal. Alternately, you can [enable Defender for APIs within an API Management instance](../api-management/protect-with-defender-for-apis.md) in the Azure portal.

+Learn more about the [Microsoft Defender for APIs](defender-for-apis-introduction.md) plan in the Microsoft Defender for Cloud.

+- You must select a plan that grants entitlement appropriate for the API traffic volume in your subscription to receive the most optimal pricing. By default, subscriptions are opted into "Plan 1", which can lead to unexpected overages if your subscription has API traffic higher than the [one million API calls entitlement](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/18).

+When selecting a plan, consider these points:

+- Defender for APIs protects only those APIs that are onboarded to Defender for APIs. This means you can activate the plan at the subscription level, and complete the second step of onboarding by fixing the onboarding recommendation. For more information about onboarding, see the [onboarding guide](defender-for-apis-deploy.md#enable-the-defender-for-apis-plan).

+- Defender for APIs has five pricing plans, each with a different entitlement limit and monthly fee. The billing is done at the subscription level.

+- Billing is applied to the entire subscription based on the total amount of API traffic monitored over the month for the subscription.

+- The API traffic counted towards the billing is reset to 0 at the start of each month (every billing cycle).

+- The overages are computed on API traffic exceeding the entitlement limit per plan selection during the month for your entire subscription.

+To select the best plan for your subscription from the Microsoft Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/), follow these steps and choose the plan that matches your subscriptionsΓÇÖ API traffic requirements:

+> [!NOTE]

+> The Defender for Cloud pricing page will be updated with the pricing information and pricing calculators by end of March 2024. In the meantime, use this document to select the correct Defender for APIs entitlements and enable the plan.

+ :::image type="content" source="media/defender-for-apis-entitlement-plans/select-environment-settings.png" alt-text="Screenshot that shows where to select Environment settings." lightbox="media/defender-for-apis-entitlement-plans/select-environment-settings.png":::

+

+1. Select **Details** under the pricing column for the APIs plan.

+ :::image type="content" source="media/defender-for-apis-entitlement-plans/select-api-details.png" alt-text="Screenshot that shows where to select API details." lightbox="media/defender-for-apis-entitlement-plans/select-api-details.png":::

+

+1. Select the plan that is suitable for your subscription.

+1. Select **Save**.

+## Selecting the optimal plan based on historical Azure API Management API traffic usage

+You must select a plan that grants entitlement appropriate for the API traffic volume in your subscription to receive the most optimal pricing. By default, subscriptions are opted into **Plan 1**, which can lead to unexpected overages if your subscription has API traffic higher than the [one million API calls entitlement](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/18).

+**To estimate the monthly API traffic in Azure API Management:**

+1. Navigate to the Azure API Management portal and select **Metrics** under the Monitoring menu bar item.

+ :::image type="content" source="media/defender-for-apis-entitlement-plans/select-metrics.png" alt-text="Screenshot that shows where to select metrics." lightbox="media/defender-for-apis-entitlement-plans/select-metrics.png":::

+1. Select the time range as **Last 30 days**.

+1. Select and set the following parameters:

+ 1. Scope: **Azure API Management Service Name**

+ 1. Metric Namespace: **API Management service standard metrics**

+ 1. Metric = **Requests**

+ 1. Aggregation = **Sum**

+

+1. After setting the above parameters, the query will automatically run, and the total number of requests for the past 30 days appears at the bottom of the screen. In the screenshot example, the query results in 414 total number of requests.

+ :::image type="content" source="media/defender-for-apis-entitlement-plans/metrics-results.png" alt-text="Screenshot that shows metrics results." lightbox="media/defender-for-apis-entitlement-plans/metrics-results.png":::

+ > [!NOTE]

+ > These instructions are for calculating the usage per Azure API management service. To calculate the estimated traffic usage for *all* API management services within the Azure subscription, change the **Scope** parameter to each Azure API management service within the Azure subscription, re-run the query, and sum the query results.

+If you don't have access to run the metrics query, reach out to your internal Azure API Management administrator or your Microsoft account manager.

+1. Under **Enable enhanced security features** select the security recommendation **Azure API Management APIs should be onboarded to Defender for APIs**:

+1. In the recommendation page you can review the recommendation severity, update interval, description, and remediation steps.

+1. In **Unhealthy resources** select the APIs that you want to protect with Defender for APIs.

+1. In **Fixing resources** review the selected APIs and select **Fix resources**:

+- [Review](defender-for-apis-posture.md) API threats and security posture.

+- [Investigate API findings, recommendations, and alerts](defender-for-apis-posture.md).

+> Malware scanning in Defender for Storage is not included for free in the first 30-day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective cost control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to a 20-GB deviation), and files wouldn't be scanned for malware. The cap is reset at the end of every month at midnight UTC. Updating the cap typically takes up to an hour to take effect.

+description: Learn how to enable and manage adaptive application control in Microsoft Defender for Cloud to create an allowlist of applications running for Azure machines.

+ :::image type="content" source="media/enable-adaptive-application-controls/adaptive-application-recommended-tab.png" alt-text="Screenshot that shows you where on the screen the recommendation tab is.":::

+ :::image type="content" source="media/enable-adaptive-application-controls/adaptive-application-add-custom-rule.png" alt-text="Screenshot that shows you where the add rule button is located.":::

+ :::image type="content" source="media/enable-adaptive-application-controls/recent-alerts.png" alt-text="Screenshot showing recent alerts in Configured tab.":::

+## Related content

+- View common question about [Adaptive application controls](faq-defender-for-servers.yml)

+ :::image type="content" source="media/enable-vulnerability-assessment-agentless/turn-on-agentless-scanning-azure.png" alt-text="Screenshot of settings and monitoring screen to turn on agentless scanning." lightbox="media/enable-vulnerability-assessment-agentless/turn-on-agentless-scanning-azure.png":::

+1. In Defender for Cloud, select **Environment settings**.

+1. Select the relevant project or organization.

+1. For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, selectΓÇ» **Settings**.

+1. SelectΓÇ»**Save and Next: Configure Access**.

+1. Select ΓÇ»**Next: Review and generate**.

+1. Select ΓÇ»**Update**.

+## Test the agentless malware scanner's deployment

+ New-Item -ItemType Directory -Path $DIR_PATH

+ $content = [IO.File]::ReadAllText($FILE_PATH)

+ if ($content -eq $TEST_STRING) {

+ Write-Host "Test file created and validated successfully."

+ } else {

+ Write-Host "Test file does not contain the correct string."

+ }

+ Write-Host "Failed to create test file."

+## Related content

+## Related content

+description: Learn how to enable Defender CSPM on your Azure subscription for Microsoft Defender for Cloud and enhance your security posture.

+When you enable Defender for Cloud, you automatically enable the **Foundational CSPM capabilities**. These capabilities are part of the free services offered by Defender for Cloud.

+- **Agentless container vulnerability assessments**: Provides vulnerability management for images stored in your container registries.

+- **Permissions Management (Preview)** - Insights into Cloud Infrastructure Entitlement Management (CIEM). CIEM ensures appropriate and secure identities and access rights in cloud environments. It helps understand access permissions to cloud resources and associated risks. Setup and data collection may take up to 24 hours.

+ Title: Namespace topics to route MQTT messages to Event Hubs (CLI)

+description: 'This tutorial shows how to use namespace topics to route MQTT messages to Azure Event Hubs. You use Azure CLI to do the tasks in this tutorial.'

+ - build-2023

+ - ignite-2023

+# Tutorial: Use namespace topics to route MQTT messages to Azure Event Hubs (Azure CLI)

+In this tutorial, you learn how to use a namespace topic to route data from MQTT clients to Azure Event Hubs. Here are the high-level steps:

+## Prerequisites

+- If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

+- If you're new to Event Grid, read the [Event Grid overview](/azure/event-grid/overview) before you start this tutorial.

+- Register the Event Grid resource provider according to the steps in [Register the Event Grid resource provider](/azure/event-grid/custom-event-quickstart-portal#register-the-event-grid-resource-provider).

+- Make sure that port **8883** is open in your firewall. The sample in this tutorial uses the MQTT protocol, which communicates over port 8883. This port might be blocked in some corporate and educational network environments.

+## Launch Cloud Shell

+1. Sign into the [Azure portal](https://portal.azure.com).

+1. Select the link to launch the Cloud Shell.

+1. Switch to Bash.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-cli-namespace-topics/cloud-shell-bash.png" alt-text="Screenshot that shows the Azure portal with Cloud Shell open and Bash selected.":::

+## Create an Event Grid namespace and topic

+ To create an Event Grid namespace and a topic in the namespace, copy the following script to an editor, replace placeholders with actual values, and run the commands.

+| Placeholder | Comments |

+| -- | -- |

+| `RESOURCEGROUPNAME` | Specify a name for the resource group to be created. |

+| `EVENTGRIDNAMESPACENAME` | Specify the name for the Event Grid namespace. |

+| `REGION` | Specify the location in which you want to create the resources. |

+| `NAMESPACETOPICNAME` | Specify a name for the namespace topic. |

+```azurecli

+rgName="RESOURCEGROUPNAME"

+nsName="EVENTGRIDNAMESPACENAME"

+location="REGION"

+nsTopicName="NAMESPACETOPICNAME"

+az group create -n $rgName -l $location

+az eventgrid namespace create -g $rgName -n $nsName -l $location --topic-spaces-configuration "{state:Enabled}" --identity "{type:SystemAssigned}"

+az eventgrid namespace topic create -g $rgName --name $nsTopicName --namespace-name $nsName

+```

+## Create an Event Hubs namespace and an event hub

+To create an Event Hubs namespace and an event hub in the namespace, replace placeholders with actual values, and run the following commands. This event hub is used as an event handler in the event subscription you create in this tutorial.

+| Placeholder | Comments |

+| -- | -- |

+| `EVENTHUBSNAMESPACENAME` | Specify a name for Event Hubs namespace to be created. |

+| `EVENTHUBNAME` | Specify the name for Event Hubs instance (event hub) to be created in the Event Hubs namespace. |

+```azurecli

+ehubNsName="EVENTHUBSNAMESPACENAME`"

+ehubName="EVENTHUBNAME"

+az eventhubs namespace create --resource-group $rgName --name $ehubNsName

+az eventhubs eventhub create --resource-group $rgName --namespace-name $ehubNsName --name $ehubName

+```

+## Give Event Grid namespace the access to send events to the event hub

+Run the following command to add the service principal of the Event Grid namespace to the Azure Event Hubs Data Sender role on the Event Hubs namespace. It allows the Event Grid namespace and resources in it to send events to the event hub in the Event Hubs namespace.

+```azurecli

+egNamespaceServicePrincipalObjectID=$(az ad sp list --display-name $nsName --query [].id -o tsv)

+namespaceresourceid=$(az eventhubs namespace show -n $ehubNsName -g $rgName --query "{I:id}" -o tsv)

+az role assignment create --assignee $egNamespaceServicePrincipalObjectID --role "Azure Event Hubs Data Sender" --scope $namespaceresourceid

+```

+## Create an event subscription with Event Hubs as the endpoint

+To create an event subscription for the namespace topic you created earlier, replace placeholders with actual values, and run the following commands. This subscription is configured to use the event hub as the event handler.

+| Placeholder | Comments |

+| -- | -- |

+| `EVENTSUBSCRIPTIONNAME` | Specify a name for the event subscription for the namespace topic. |

+```azurecli

+eventSubscriptionName="EVENTSUBSCRIPTIONNAME"

+eventhubresourceid=$(az eventhubs eventhub show -n $ehubName --namespace-name $ehubNsName -g $rgName --query "{I:id}" -o tsv)

+az resource create --api-version 2023-06-01-preview --resource-group $rgName --namespace Microsoft.EventGrid --resource-type eventsubscriptions --name $eventSubscriptionName --parent namespaces/$nsName/topics/$nsTopicName --location $location --properties "{\"deliveryConfiguration\":{\"deliveryMode\":\"Push\",\"push\":{\"maxDeliveryCount\":10,\"deliveryWithResourceIdentity\":{\"identity\":{\"type\":\"SystemAssigned\"},\"destination\":{\"endpointType\":\"EventHub\",\"properties\":{\"resourceId\":\"$eventhubresourceid\"}}}}}}"

+```

+## Configure routing in the Event Grid namespace

+Run the following commands to enable routing on the namespace to route messages or events to the namespace topic you created earlier. The event subscription on that namespace topic forwards those events to the event hub that's configured as an event handler.

+```azurecli

+routeTopicResourceId=$(az eventgrid namespace topic show -g $rgName --namespace-name $nsName -n $nsTopicName --query "{I:id}" -o tsv)

+az eventgrid namespace create -g $rgName -n $nsName --topic-spaces-configuration "{state:Enabled,'routeTopicResourceId':$routeTopicResourceId}"

+```

+## Client client, topic space, and permission bindings

+Now, create a client to send a few messages for testing. In this step, you create a client, a topic space with a topic, and publisher and subscriber bindings.

+

+For detailed instructions, see [Quickstart: Publish and subscribe to MQTT messages on an Event Grid namespace with the Azure CLI](mqtt-publish-and-subscribe-cli.md).

+| Placeholder | Comments |

+| -- | -- |

+| `CLIENTNAME` | Specify a name for client that send a few test messages. |

+| `CERTIFICATETHUMBPRINT` | Thumbprint of client's certificate. See the above quickstart for instructions to create a certificate and extract a thumbprint. Use the same thumbprint in the MQTTX tool to send test messages. |

+| `TOPICSPACENAME` | Specify a name for the topic space to be created. |

+| `PUBLSHERBINDINGNAME` | Specify a name for the publisher binding. |

+| `SUBSCRIBERBINDINGNAME` | Specify a name for the subscriber binding. |

+```azurecli

+clientName="CLIENTNAME"

+clientAuthName="client1-authnID"

+clientThumbprint="CERTIFICATETHUMBPRINT"

+topicSpaceName="TOPICSPACENAME"

+publisherBindingName="PUBLSHERBINDINGNAME"

+subscriberBindingName="SUBSCRIBERBINDINGNAME"

+az eventgrid namespace client create -g $rgName --namespace-name $nsName -n $clientName --authentication-name $clientAuthName --client-certificate-authentication "{validationScheme:ThumbprintMatch,allowed-thumbprints:[$clientThumbprint]}"

+az eventgrid namespace topic-space create -g $rgName --namespace-name $nsName -n $topicSpaceName --topic-templates ['contosotopics/topic1']

+az eventgrid namespace permission-binding create -g $rgName --namespace-name $nsName -n $publisherBindingName --client-group-name '$all' --permission publisher --topic-space-name $topicSpaceName

+az eventgrid namespace permission-binding create -g $rgName --namespace-name $nsName -n $subscriberBindingName --client-group-name '$all' --permission subscriber --topic-space-name $topicSpaceName

+```

+## Send messages using MQTTX

+Use MQTTX to send a few test messages. For step-by-step instructions, see the quickstart: [Publish and subscribe on an MQTT topic](./mqtt-publish-and-subscribe-portal.md).

+Verify that the event hub received those messages on the **Overview** page for your Event Hubs namespace.

+## View routed MQTT messages in Event Hubs by using a Stream Analytics query

+Navigate to the Event Hubs instance (event hub) within your event subscription in the Azure portal. Process data from your event hub by using Stream Analytics. For more information, see [Process data from Azure Event Hubs using Stream Analytics - Azure Event Hubs | Microsoft Learn](/azure/event-hubs/process-data-azure-stream-analytics). You can see the MQTT messages in the query.

+## Next steps

+For code samples, go to [this GitHub repository](https://github.com/Azure-Samples/MqttApplicationSamples/tree/main).

+ Title: Use namespace topics to route MQTT messages to Event Hubs

+description: 'This tutorial shows how to use namespace topics to route MQTT messages to Azure Event Hubs. You use Azure portal to do the tasks in this tutorial.'

+ - build-2023

+ - ignite-2023

+# Tutorial: Use namespace topics to route MQTT messages to Azure Event Hubs (Azure portal)

+In this tutorial, you learn how to use a namespace topic to route data from MQTT clients to Azure Event Hubs. Here are the high-level steps:

+## Prerequisites

+- If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

+- If you're new to Event Grid, read the [Event Grid overview](/azure/event-grid/overview) before you start this tutorial.

+- Register the Event Grid resource provider according to the steps in [Register the Event Grid resource provider](/azure/event-grid/custom-event-quickstart-portal#register-the-event-grid-resource-provider).

+- Make sure that port **8883** is open in your firewall. The sample in this tutorial uses the MQTT protocol, which communicates over port 8883. This port might be blocked in some corporate and educational network environments.

+In a separate tab of the Web browser or in a separate window, use the Azure portal to create an Event Hubs namespace with an event hub.

+## Give Event Grid namespace the access to send events to the event hub

+1. On the **Event Hubs Namespace** page, select **Access control (IAM)** on the left menu.

+1. On the **Access control** page, select **+ Add** on the command bar, and then select **Add role assignment**.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/event-hubs-access-control-add-role-assignment.png" alt-text="Screenshot that shows the Access control page for the Event Hubs namespace.":::

+1. On the **Add role assignment** page, select **Azure Event Hubs Data Sender** from the list of roles, and then select **Next** at the bottom of the page.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/select-azure-event-hubs-data-sender.png" alt-text="Screenshot that shows the Add role assignment page with Azure Event Hubs Data Sender selected.":::

+1. On the **Members** page, follow these steps:

+ 1. For the **Assign access to** field, select **Managed identity**.

+ 1. Choose **+ Select members**.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/select-managed-identity.png" alt-text="Screenshot that shows the Add role assignment page with Managed identity selected.":::

+1. On the **Select managed identities** page, follow these steps:

+ 1. Select your **Azure subscription**.

+ 1. For **Managed identity**, select **Event Grid Namespace**.

+ 1. Select the managed identity that has the same name as the Event Grid namespace.

+ 1. Choose **Select** at the bottom of the page.

+

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/select-event-grid-namespace-managed-identity.png" alt-text="Screenshot that shows the Select managed identities page with the Event Grid namespace's managed identity selected.":::

+1. On the **Add role assignment** page, select **Review + assign** at the bottom of the page.

+1. On the **Review + assign** page, select **Review + assign**.

+## Create an event subscription with Event Hubs as the endpoint

+1. Switch to the tab of your Web browser window that has the Event Grid namespace open.

+1. On the **Event Grid Namespace** page, select **Topics** on the left menu.

+1. On the **Topics** page, select the namespace topic you created earlier.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/select-topic.png" alt-text="Screenshot that shows the Topics page with the namespace topic selected.":::

+1. On the **Event Grid Namespace Topic** page, select **+ Subscription** on the command bar at the top.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/subscriptions-page.png" alt-text="Screenshot that shows the Subscriptions page.":::

+1. On the **Create Subscription** page, follow these steps:

+ 1. Enter a **name** for the event subscription.

+ 1. For **Delivery mode**, select **Push**.

+ 1. Confirm that **Endpoint type** is set to **Event hub**.

+ 1. Select **Configure an endpoint**.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/create-subscription-page.png" alt-text="Screenshot that shows the Create Subscription page.":::

+ 1. On the **Select Event Hub**, follow these steps:

+ 1. Select the **Azure subscription** that has the event hub.

+ 1. Select the **resource group** that has the event hub.

+ 1. Select the **Event Hubs namespace**.

+ 1. Select the **event hub** in the Event Hubs namespace.

+ 1. Then, select **Confirm selection**.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/select-event-hub-page.png" alt-text="Screenshot that shows the Select event hub page.":::

+ 1. Back on the **Create Subscription** page, select **System Assigned** for **Managed identity type**.

+ 1. Select **Create** at the bottom of the page.

+

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/create-subscription.png" alt-text="Screenshot that shows the Create Subscription page with Create button selected.":::

+## Configure routing in the Event Grid namespace

+1. Navigate back to the **Event Grid Namespace** page by selecting the namespace in the **Essentials** section of the **Event Grid Namespace Topic** page or by selecting the namespace name in the breadcrumb menu at the top.

+1. On the **Event Grid Namespace** page, select **Routing** on the left menu in the **MQTT broker** section.

+1. On the **Routing** page, select **Enable routing**.

+1. For **Topic type**, select **Namespace topic**.

+1. For **Topic**, select the Event Grid namespace topic that you created where all MQTT messages will be routed.

+1. Select **Apply**.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/routing-page.png" alt-text="Screenshot that shows the Routing page with the namespace topic selected.":::

+ Check notifications to confirm that the namespace is enabled with the routing information.

+## Create clients, topic space, and permission bindings

+Follow steps in the quickstart: [Publish and subscribe on an MQTT topic](./mqtt-publish-and-subscribe-portal.md) to:

+1. Create a client. You can create the second client if you want to, but it's optional.

+1. Create a topic space.

+1. Create publisher and subscriber permission bindings.

+1. Use MQTTX to send a few messages.

+1. Verify that the event hub received those messages on the **Overview** page for your Event Hubs namespace.

+ :::image type="content" source="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/verify-incoming-messages.png" alt-text="Screenshot that shows the Overview page of the event hub with incoming message count." lightbox="./media/mqtt-routing-to-event-hubs-portal-namespace-topics/verify-incoming-messages.png":::

+

+## View routed MQTT messages in Event Hubs by using a Stream Analytics query

+Navigate to the Event Hubs instance (event hub) within your event subscription in the Azure portal. Process data from your event hub by using Stream Analytics. For more information, see [Process data from Azure Event Hubs using Stream Analytics - Azure Event Hubs | Microsoft Learn](/azure/event-hubs/process-data-azure-stream-analytics). You can see the MQTT messages in the query.

+## Next steps

+For code samples, go to [this GitHub repository](https://github.com/Azure-Samples/MqttApplicationSamples/tree/main).

+|\_isparallel| No |The "_isparallel" query parameter can be added to the export operation to enhance its throughput. The value needs to be set to true to enable parallelization. It is important to note that using this parameter may result in an increase in the request units consumption over the life of export. |

+The query parameter _summary=count and _count=0 can be added to _history endpoint to get count of all versioned resources. This count includes soft deleted resources.

+## **February 2024**

+**Enables counting all versions (historical and soft deleted) of resources**

+The query parameter _summary=count and _count=0 can be added to _history endpoint to get count of all versioned resources. This count includes soft deleted resources. For more information, see [history management](././../azure-api-for-fhir/purge-history.md).

+**Improve throughput for export operation**

+The "_isparallel" query parameter can be added to the export operation to enhance its throughput. It is important to note that using this parameter may result in an increase in Request Units consumption over the life of export. For more information, see [Export operation query parameters](././../azure-api-for-fhir/export-data.md).

+**Change in name nomenclature for exported file name and default storage account**

+With this change exported file names follow the format '{FHIR Resource Name}-{Number}-{Number}.ndjson'. The order of the files is not guaranteed to correspond to any ordering of the resources in the database.Default storage account name is updated to 'Export-{Number}'. There is no change to number of resources added in individual exported files.

+**Performance Enhancement**

+Parallel optimization for FHIR queries can be enabled using HTTP header "x-ms-query-latency-over-efficiency" . This value needs to be set to true to achieve maximum concurrency during execution of query. For more information, see [Batch Bundles](././../azure-api-for-fhir/fhir-rest-api-capabilities.md).

+Conditional interactions can be complex and performance-intensive. To enhance the latency of queries involving conditional interactions, you have the option to utilize the request header x-conditionalquery-processing-logic. For more information, see [Performance considerations for conditional API interactions](././../azure-api-for-fhir/fhir-rest-api-capabilities.md).

+ Title: Monitor IoT messages with distributed tracing (preview)

+Use distributed tracing (preview) in IoT Hub to monitor IoT messages as they pass through Azure services. IoT Hub is one of the first Azure services to support distributed tracing. As more Azure services support distributed tracing, you're able to trace Internet of Things (IoT) messages throughout the Azure services involved in your solution. For more information about the feature, see [What is distributed tracing?](../azure-monitor/app/distributed-trace-data.md).

+- Monitor the flow of each message through IoT Hub by using [trace context](https://github.com/w3c/trace-context). Trace context includes correlation IDs that allow you to correlate events from one component with events from another component. You can apply it for a subset or all IoT device messages by using a [device twin](iot-hub-devguide-device-twins.md).

+- Log the trace context to [Azure Monitor Logs](monitor-iot-hub.md).

+> [!IMPORTANT]

+> Distributed tracing an Azure IoT Hub is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+- An Azure IoT hub created in one of the following regions.

+- A device registered to your IoT hub. If you don't have one, follow the steps in [Register a new device in the IoT hub](./iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub) and save the device connection string to use in this article.

+- This article assumes that you're familiar with sending telemetry messages to your IoT hub.

+- The latest version of [Git](https://git-scm.com/download/).

+## Public preview limits and considerations

+Consider the following limitations to determine if this preview feature is right for your scenarios:

+- The proposal for the W3C Trace Context standard is currently a working draft.

+- The only development language that the client SDK currently supports is C, in the [public preview branch of the Azure IoT device SDK for C](https://github.com/Azure/azure-iot-sdk-c/blob/public-preview/readme.md)

+- Cloud-to-device twin capability isn't available for the [IoT Hub basic tier](iot-hub-scaling.md#basic-and-standard-tiers). However, IoT Hub still logs to Azure Monitor if it sees a properly composed trace context header.

+- To ensure efficient operation, IoT Hub imposes a throttle on the rate of logging that can occur as part of distributed tracing.

+- The distributed tracing feature is supported only for IoT hubs created in the following regions:

+ - North Europe

+ - Southeast Asia

+ - West US 2

+## Understand Azure IoT distributed tracing

+Many IoT solutions, including the [Azure IoT reference architecture](/azure/architecture/reference-architectures/iot), generally follow a variant of the [microservice architecture](/azure/architecture/microservices/). As an IoT solution grows more complex, you end up using a dozen or more microservices. These microservices might or might not be from Azure.

+Pinpointing where IoT messages are dropping or slowing down can be challenging. For example, imagine that you have an IoT solution that uses five different Azure services and 1,500 active devices. Each device sends 10 device-to-cloud messages per second, for a total of 15,000 messages per second. But you notice that your web app sees only 10,000 messages per second. How do you find the culprit?

+For you to reconstruct the flow of an IoT message across services, each service should propagate a *correlation ID* that uniquely identifies the message. After Azure Monitor collects correlation IDs in a centralized system, you can use those IDs to see message flow. This method is called the [distributed tracing pattern](/azure/architecture/microservices/logging-monitoring#distributed-tracing).

+To support wider adoption for distributed tracing, Microsoft is contributing to [W3C standard proposal for distributed tracing](https://w3c.github.io/trace-context/). When distributed tracing support for IoT Hub is enabled, it follows this flow for each generated message:

+1. A message is generated on the IoT device.

+1. The IoT device decides (with help from the cloud) that this message should be assigned with a trace context.

+1. The SDK adds a `tracestate` value to the message property, which contains the time stamp for message creation.

+1. The IoT device sends the message to IoT Hub.

+1. The message arrives at the IoT Hub gateway.

+1. IoT Hub looks for the `tracestate` value in the message properties and checks whether it's in the correct format. If so, IoT Hub generates a globally unique `trace-id` value for the message and a `span-id` value for the "hop." IoT Hub records these values in the [IoT Hub distributed tracing logs](monitor-iot-hub-reference.md#distributed-tracing-preview) under the `DiagnosticIoTHubD2C` operation.

+1. When the message processing is finished, IoT Hub generates another `span-id` value and logs it, along with the existing `trace-id` value, under the `DiagnosticIoTHubIngress` operation.

+1. If routing is enabled for the message, IoT Hub writes it to the custom endpoint. IoT Hub logs another `span-id` value with the same `trace-id` value under the `DiagnosticIoTHubEgress` category.

+## Configure distributed tracing in an IoT hub

+1. Select **Save**.

+## Update sampling options

+To change the percentage of messages to be traced from the cloud, you must update the device twin. You can make updates by using the JSON editor in the Azure portal or the IoT Hub service SDK. The following subsections provide examples.

+### Update a single device

+You can use the Azure portal or the Azure IoT Hub extension for Visual Studio Code (VS Code) to update the sampling rate of a single device.

+#### [Azure portal](#tab/portal)

+1. Go to your IoT hub in the [Azure portal](https://portal.azure.com/), and then select **Devices** from the **Device management** section of the menu.

+1. Choose your device.

+1. Select the gear icon under **Distributed Tracing (preview)**. In the panel that opens:

+ 1. Select the **Enable** option.

+ 1. For **Sampling rate**, choose a percentage between 0 and 100.

+ 1. Select **Save**.

+ :::image type="content" source="media/iot-hub-distributed-tracing/enable-distributed-tracing.png" alt-text="Screenshot that shows how to enable distributed tracing in the Azure portal." lightbox="media/iot-hub-distributed-tracing/enable-distributed-tracing.png":::

+1. Wait a few seconds, and then select **Refresh**. If the device successfully acknowledges your changes, a sync icon with a check mark appears.

+#### [VS Code](#tab/vscode)

+1. With Visual Studio Code installed, install the latest version of the [Azure IoT Hub extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit).

+1. Open Visual Studio Code, and go to the **Explorer** tab and the **Azure IoT Hub** section.

+1. Select the ellipsis (...) next to **Azure IoT Hub** to see a submenu. Choose the **Select IoT Hub** option to retrieve your IoT hub from Azure.

+ In the pop-up window that appears at the top of Visual Studio Code, you can select your subscription and IoT hub.

+ See a demonstration on the [vscode-azure-iot-toolkit](https://github.com/Microsoft/vscode-azure-iot-toolkit/wiki/Select-IoT-Hub) GitHub page.

+1. Expand your device under **Devices**. Right-click **Distributed Tracing Setting (Preview)**, and then select **Update Distributed Tracing Setting (Preview)**.

+1. In the pop-up pane that appears at the top of the window, select **Enable**.

+ :::image type="content" source="media/iot-hub-distributed-tracing/enable-distributed-tracing-vsc.png" alt-text="Screenshot that shows how to enable distributed tracing in the Azure IoT Hub extension.":::

+ **Enable Distributed Tracing: Enabled** now appears under **Distributed Tracing Setting (Preview)** > **Desired**.

+1. In the pop-up pane that appears for the sampling rate, enter an integer between 0 and 100, then select the Enter key.

+ 

+ **Sample rate: 100(%)** now appears under **Distributed Tracing Setting (Preview)** > **Desired**.

+### Bulk update multiple devices

+To update the distributed tracing sampling configuration for multiple devices, use [automatic device configuration](./iot-hub-automatic-device-management.md). Follow this twin schema:

+```json

+{

+ "properties": {

+ "desired": {

+ "azureiot*com^dtracing^1": {

+ "sampling_mode": 1,

+ "sampling_rate": 100

+ }

+ }

+ }

+}

+```

+| Element name | Required | Type | Description |

+|--|-||--|

+| `sampling_mode` | Yes | Integer | Two mode values are currently supported to turn sampling on and off. `1` is on, and `2` is off. |

+| `sampling_rate` | Yes | Integer | This value is a percentage. Only values from `0` to `100` (inclusive) are permitted. |

+## Query and visualize traces

+To see all the traces logged by an IoT hub, query the log store that you selected in diagnostic settings. This section shows how to query by using Log Analytics.

+If you set up [Log Analytics with resource logs](../azure-monitor/essentials/resource-logs.md#send-to-azure-storage), query by looking for logs in the `DistributedTracing` category. For example, this query shows all the logged traces:

+```Kusto

+// All distributed traces

+AzureDiagnostics

+| where Category == "DistributedTracing"

+| project TimeGenerated, Category, OperationName, Level, CorrelationId, DurationMs, properties_s

+| order by TimeGenerated asc

+```

+Here are a few example logs in Log Analytics:

+| Time generated | Operation name | Category | Level | Correlation ID | Duration in milliseconds | Properties |

+| | | | | | | |

+| 2018-02-22T03:28:28.633Z | DiagnosticIoTHubD2C | DistributedTracing | Informational | 00-8cd869a412459a25f5b4f31311223344-0144d2590aacd909-01 | | `{"deviceId":"AZ3166","messageSize":"96","callerLocalTimeUtc":"2018-02-22T03:27:28.633Z","calleeLocalTimeUtc":"2018-02-22T03:27:28.687Z"}` |

+| 2018-02-22T03:28:38.633Z | DiagnosticIoTHubIngress | DistributedTracing | Informational | 00-8cd869a412459a25f5b4f31311223344-349810a9bbd28730-01 | 20 | `{"isRoutingEnabled":"false","parentSpanId":"0144d2590aacd909"}` |

+| 2018-02-22T03:28:48.633Z | DiagnosticIoTHubEgress | DistributedTracing | Informational | 00-8cd869a412459a25f5b4f31311223344-349810a9bbd28730-01 | 23 | `{"endpointType":"EventHub","endpointName":"myEventHub", "parentSpanId":"0144d2590aacd909"}` |

+To understand the types of logs, see [Azure IoT Hub distributed tracing logs](monitor-iot-hub-reference.md#distributed-tracing-preview).

+## Run a sample application

+1. Open a command prompt or Git Bash shell. Run the following commands to clone the latest release of the public-preview branch of the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c) GitHub repository:

+1. Run the following commands from the `azure-iot-sdk-c` directory to create a `cmake` subdirectory and go to the `cmake` folder:

+ If CMake can't find your C++ compiler, you might encounter build errors while running the preceding command. If that happens, try running the command in the [Visual Studio command prompt](/dotnet/framework/tools/developer-command-prompt-for-vs).

+In this section, you edit the [iothub_ll_telemetry_sample.c](https://github.com/Azure/azure-iot-sdk-c/tree/public-preview/iothub_client/samples/iothub_ll_telemetry_sample) sample in the SDK repository to enable distributed tracing. Or, you can copy an already edited version of the sample from the [azure-iot-distributed-tracing-sample](https://github.com/Azure-Samples/azure-iot-distributed-tracing-sample/blob/master/iothub_ll_telemetry_sample-c/iothub_ll_telemetry_sample.c) repository.

+ ```cmd

+ cd iothub_client/samples/iothub_ll_telemetry_sample

+ cmake --build . --target iothub_ll_telemetry_sample --config Debug

+ ```

+ ```cmd

+ Debug/iothub_ll_telemetry_sample.exe

+ ```

+1. Keep the app running. You can observe the messages being sent to IoT Hub in the console window.

+For a client app that can receive sampling decisions from the cloud, try the [iothub_devicetwin_sample.c](https://github.com/Azure-Samples/azure-iot-distributed-tracing-sample/tree/master/iothub_devicetwin_sample-c) sample in the distributed tracing sample repo.

+### Workaround for non-Microsoft clients

+First, you must implement all the IoT Hub protocol primitives in your messages by following the developer guide [Create and read IoT Hub messages](iot-hub-devguide-messages-construct.md). Then, edit the protocol properties in the MQTT and AMQP messages to add `tracestate` as a system property.

+- For MQTT, add `%24.tracestate=timestamp%3d1539243209` to the message topic. Replace `1539243209` with the creation time of the message in Unix time-stamp format. As an example, refer to the implementation [in the C SDK](https://github.com/Azure/azure-iot-sdk-c/blob/6633c5b18710febf1af7713cf1a336fd38f623ed/iothub_client/src/iothubtransport_mqtt_common.c#L761).

+- For AMQP, add `key("tracestate")` and `value("timestamp=1539243209")` as message annotation. For a reference implementation, see the [uamqp_messaging.c](https://github.com/Azure/azure-iot-sdk-c/blob/6633c5b18710febf1af7713cf1a336fd38f623ed/iothub_client/src/uamqp_messaging.c#L527) file.

+## Set environment variables

+Sign in with Azure CLI:

+```azurecli

+az login

+```

+Set environment variables for the rest of the setup. Replace values in `<>` with valid values or names of your choice. A new Azure Event Grid namespace and topic space are created in your Azure subscription based on the names you provide:

+```azurecli

+# For this tutorial, the steps assume the IoT Operations cluster and the Event Grid

+# are in the same subscription, resource group, and location.

+# Name of the resource group of Azure Event Grid and IoT Operations cluster

+export RESOURCE_GROUP=<RESOURCE_GROUP_NAME>

+# Azure region of Azure Event Grid and IoT Operations cluster

+export LOCATION=<LOCATION>

+# Name of the Azure Event Grid namespace

+export EVENT_GRID_NAMESPACE=<EVENT_GRID_NAMESPACE>

+# Name of the Arc-enabled IoT Operations cluster

+export CLUSTER_NAME=<CLUSTER_NAME>

+# Subscription ID of Azure Event Grid and IoT Operations cluster

+export SUBSCRIPTION_ID=<SUBSCRIPTION_ID>

+```

+[Create Event Grid namespace](../../event-grid/create-view-manage-namespaces.md) with Azure CLI. The location should be the same as the one you used to deploy Azure IoT Operations.

+az eventgrid namespace create \

+ --namespace-name $EVENT_GRID_NAMESPACE \

+ --resource-group $RESOURCE_GROUP \

+ --location $LOCATION \

+ --topic-spaces-configuration "{state:Enabled,maximumClientSessionsPerAuthenticationName:3}"

+In the Event Grid namespace, create a topic space named `tutorial` with a topic template `telemetry/#`.

+az eventgrid namespace topic-space create \

+ --resource-group $RESOURCE_GROUP \

+ --namespace-name $EVENT_GRID_NAMESPACE \

+ --name tutorial \

+ --topic-templates "telemetry/#"

+Using `az k8s-extension show`, find the principal ID for the Azure IoT MQ Arc extension. The command stores the principal ID in a variable for later use.

+export PRINCIPAL_ID=$(az k8s-extension show \

+ --resource-group $RESOURCE_GROUP \

+ --cluster-name $CLUSTER_NAME \

+ --name mq \

+ --cluster-type connectedClusters \

+ --query identity.principalId -o tsv)

+echo $PRINCIPAL_ID

+Then, use Azure CLI to assign publisher and subscriber roles to IoT MQ for the topic space you created.

+Assign the publisher role:

+az role assignment create \

+ --assignee $PRINCIPAL_ID \

+ --role "EventGrid TopicSpaces Publisher" \

+ --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.EventGrid/namespaces/$EVENT_GRID_NAMESPACE/topicSpaces/tutorial

+Assign the subscriber role:

+az role assignment create \

+ --assignee $PRINCIPAL_ID \

+ --role "EventGrid TopicSpaces Subscriber" \

+ --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.EventGrid/namespaces/$EVENT_GRID_NAMESPACE/topicSpaces/tutorial

+Use Azure CLI to get the Event Grid MQTT broker hostname.

+az eventgrid namespace show \

+ --resource-group $RESOURCE_GROUP \

+ --namespace-name $EVENT_GRID_NAMESPACE \

+ --query topicSpacesConfiguration.hostname \

+ -o tsv

+Besides the interpretability techniques described in the previous section, we support another SHAP-based explainer, called Tabular Explainer. Depending on the model, Tabular Explainer uses one of the supported SHAP explainers:

+The explanation functions accept both models and pipelines as input. If a model is provided, it must implement the prediction function `predict` or `predict_proba` that conforms to the Scikit convention. If your model doesn't support this, you can wrap it in a function that generates the same outcome as `predict` or `predict_proba` in Scikit and use that wrapper function with the selected explainer.

+If you provide a pipeline, the explanation function assumes that the running pipeline script returns a prediction. When you use this wrapping technique, `azureml.interpret` can support models that are trained via PyTorch, TensorFlow, Keras deep learning frameworks, and classic machine learning models.

+The `azureml.interpret` package is designed to work with both local and remote compute targets. If you run the package locally, the SDK functions won't contact any Azure services.

+- Try out dataset training examples with our [sample notebooks](https://github.com/Azure/MachineLearningNotebooks/tree/master/how-to-use-azureml/work-with-data/)

+| Australia South East |13.77.49.33 |13.77.49.32/29, 104.46.179.160/27|

+| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29, 20.48.196.32/27|

+| China East | 52.130.112.139 | 52.130.112.136/29, 52.130.13.96/27|

+| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29, 20.62.132.160/27|

+| Central India | 20.192.96.33 | 40.80.48.32/29, 104.211.86.32/29, 20.192.96.32/29, 20.192.43.160/27|

+| South India | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29, 52.172.113.96/27|

+| West India | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29, 52.136.53.160/27|

+| Australia South East |13.77.49.33 |13.77.49.32/29, 104.46.179.160/27|

+| Canada Central | 13.71.168.32| 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29, 20.48.196.32/27|

+| China East | 52.130.112.139 | 52.130.112.136/29, 52.130.13.96/27|

+| East US | 40.71.8.203, 40.71.83.113|20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29, 20.62.132.160/27|

+| Central India | 20.192.96.33 | 40.80.48.32/29, 104.211.86.32/29, 20.192.96.32/29, 20.192.43.160/27|

+| South India | 40.78.192.32| 40.78.192.32/29, 40.78.193.32/29, 52.172.113.96/27|

+| West India | 104.211.144.32| 104.211.144.32/29, 104.211.145.32/29, 52.136.53.160/27|

+ Title: Relocation guidance overview for Microsoft Azure products and services (Preview)

+description: Relocation guidance overview for Microsoft Azure products and services. View Azure service specific relocation guides.

+ - subject-relocation

+# Azure services relocation guidance overview (Preview)

+As Microsoft continues to expand Azure global infrastructure and launch new Azure regions worldwide, there's an increasing number of options available for you to relocate your workloads into new regions. Region relocation options vary by service and by workload architecture. To successfully relocate a workload to another region, you need to plan your relocation strategy with an understanding of what each service in your workload requires and supports.

+Azure region relocation documentation (Preview) contains service-specific relocation guidance for Azure products and services. The relocation documentation set is founded on both [Azure Cloud Adoption Framework - Relocate cloud workloads](/azure/cloud-adoption-framework/relocate/) as well as the following Well-architected Framework (WAF) Operational Excellence principles:

+- [Deploy with confidence](/azure/well-architected/operational-excellence/principles#deploy-with-confidence)

+- [Adopt safe deployment practices](/azure/well-architected/operational-excellence/principles#adopt-safe-deployment-practices)

+Each service specific guide can contain service-specific information on topics such as:

+- [Service-relocation automation tools](/azure/cloud-adoption-framework/relocate/select#select-service-relocation-automation).

+- [Data relocation automation](/azure/cloud-adoption-framework/relocate/select#select-data-relocation-automation).

+- [Cutover approaches](/azure/cloud-adoption-framework/relocate/select#select-cutover-approach).

+- Possible and actual service dependencies that also require relocation planning.

+- Lists of considerations, features, and limitations in relation to relocation planning for that service.

+- Links to how-tos and relevant product-specific relocation information.

+## Service categories across region types

+## Azure services relocation guides

+The following tables provide links to each Azure service relocation document. The tables also provide information on which kind of relocation method is supported.

+###  Foundational services

+| Product | Relocation with data | Relocation without data | Resource Mover |

+| | | | |

+[Azure Event Hubs](relocation-event-hub.md)| ❌ | ✅| ❌ |

+[Azure Event Hubs Cluster](relocation-event-hub-cluster.md)| ❌ | ✅| ❌ |

+[Azure Key Vault](./relocation-key-vault.md)| ✅ | ✅| ❌ |

+[Azure Virtual Network](./relocation-virtual-network.md)| ❌ | ✅| ✅ |

+[Azure Virtual Network - Network Security Groups](./relocation-virtual-network-nsg.md)| ❌ | ✅| ✅ |

+###  Mainstream services

+| Product | Relocation with data | Relocation without data | Resource Mover |

+| | | | |

+[Azure Monitor - Log Analytics](./relocation-log-analytics.md)| ❌ | ✅| ❌ |

+[Azure Database for PostgreSQL](./relocation-postgresql-flexible-server.md)| ✅ | ✅| ❌ |

+[Azure Private Link Service](./relocation-private-link.md) | ❌ | ✅| ❌ |

+[Storage Account](relocation-storage-account.md)| ✅ | ✅| ❌ |

+###  Strategic services

+| Product | Relocation with data | Relocation without data | Resource Mover |

+| | | | |

+[Azure Automation](./relocation-automation.md)| ✅ | ✅| ❌ |

+## Additional information

+- [Azure Resources Mover documentation](/azure/resource-mover/)

+- [Azure Resource Manager (ARM) documentation](/azure/azure-resource-manager/templates/)

+ Title: Azure Operational Excellence documentation (Preview)

+description: Azure Operational Excellence documentation for guidance for specific workload operations and projects

+ - subject-relocation

+# Azure Operational Excellence documentation (Preview)

+The Azure Operational Excellence documentation is an organized collection of service specific guidance in the context of targeted workflow operations. Each service specific operational excellence guidance set is grounded in the [Azure Well-Architected Framework (WAF) principles for Operational Excellence](/azure/well-architected/operational-excellence/principles), and designed based on the [Cloud Adoption Framework (CAF)](/azure/cloud-adoption-framework/) architecture.

+Currently in preview, the Operational Excellence documentation set contains the following service-specific content:

+- [Service region relocation](./overview-relocation.md). The region relocation documentation is designed to provide service-specific relocation guidance, so that you can move your services from one region to another safely and with confidence, in accordance with the following Well-architected Framework (WAF) principles:

+ - [Deploy with confidence](/azure/well-architected/operational-excellence/principles#deploy-with-confidence)

+ - [Adopt safe deployment practices](/azure/well-architected/operational-excellence/principles#adopt-safe-deployment-practices)

+ Each service-specific guide is derived from [Relocate cloud workloads](/azure/cloud-adoption-framework/relocate/) in the Cloud Adoption Framework for Azure.

+ Title: Relocation guidance for Azure Automation

+description: Learn how to relocate an Azure Automation to a new region

+ - subject-relocation

+# Relocate Azure Automation to another region

+This article covers relocation guidance for [Azure Automation](../automation/overview.md) across regions.

+If your Azure Automation instance doesn't have any configuration and the instance itself needs to be moved alone, you can choose to redeploy the NetApp File instance by using [Bicep, ARM Template, or Terraform](/azure/templates/microsoft.automation/automationaccounts?tabs=bicep&pivots=deployment-language-bicep).

+## Prerequisites

+- Identify all Automation dependant resources.

+- If the system-assigned managed identity isn't being used at source, you must map user-assigned managed identity at the target.

+- If the target Azure Automation needs to be enabled for private access, associate with Virtual Network for private endpoint.

+- If the source Azure Automation is enabled with a private connection, create a private link and configure the private link with DNS at target.

+- For Azure Automation to communicate with Hybrid RunBook Worker, Azure Update Manager, Change Tracking, Inventory Configuration, and Automation State Configuration, you must enable port 443 for both inbound and outbound internet access.

+## Prepare

+To get started, export a Resource Manager template. This template contains settings that describe your Automation namespace.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All resources** and then select your Automation resource.

+3. Select **Export template**.

+4. Choose **Download** in the **Export template** page.

+5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.

+ This zip file contains the .json files that include the template and scripts to deploy the template.

+## Redeploy

+In the diagram below, the red flow lines illustrate redeployment of the target instance along with configuration movement.

+**To deploy the template to create an Automation instance in the target region:**

+1. Reconfigure the template parameters for the target.

+1. Deploy the template using [ARM](/azure/automation/quickstart-create-automation-account-template), [Portal](/azure/automation/automation-create-standalone-account?tabs=azureportal) or [PowerShell](/powershell/module/az.automation/import-azautomationrunbook?view=azps-11.2.0&preserve-view=true).

+1. Use PowerShell to export all associated runbooks from the source Azure Automation instance and import them to the target instance. Reconfigure the properties as per target. For more information, see [Export-AzAuotomationRunbook](/powershell/module/az.automation/export-azautomationrunbook?view=azps-11.2.0&viewFallbackFrom=azps-9.4.0&preserve-view=true).

+1. Associate the relocated Azure Automation instance to the target Log Analytics workspace.

+1. Configure the target virtual machines with desired state configuration from the relocated Azure Automation instance as per source.

+## Next steps

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate an Azure Event Hubs dedicated cluster to another region

+description: This article shows you how to relocate an Azure Event Hubs dedicated cluster from the current region to another region.

+ - subject-relocation

+# Relocate an Azure Event Hubs dedicated cluster to another region

+This article shows you how to export an Azure Resource Manager template for an existing Event Hubs dedicated cluster and then use the template to create a cluster with same configuration settings in another region.

+If you have other resources such as namespaces and event hubs in the Azure resource group that contains the Event Hubs cluster, you may want to export the template at the resource group level so that all related resources can be moved to the new region in one step. The steps in this article show you how to export an **Event Hubs cluster** to the template. The steps for exporting a **resource group** to the template are similar.

+## Prerequisites

+Ensure that the dedicated cluster can be created in the target region. The easiest way to find out is to use the Azure portal to try to [create an Event Hubs dedicated cluster](../event-hubs/event-hubs-dedicated-cluster-create-portal.md). You see the list of regions that are supported at that point of time for creating the cluster.

+## Prepare

+To get started, export a Resource Manager template. This template contains settings that describe your Event Hubs dedicated cluster.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All resources** and then select your Event Hubs dedicated cluster.

+3. On the **Event Hubs Cluster** page, select **Export template** in the **Automation** section on the left menu.

+4. Choose **Download** in the **Export template** page.

+ :::image type="content" source="../event-hubs/media/move-cluster-across-regions/download-template.png" alt-text="Screenshot showing where to download Resource Manager template" lightbox="../event-hubs/media/move-cluster-across-regions/download-template.png":::

+5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.

+ This zip file contains the .json files that include the template and scripts to deploy the template.

+## Move

+Deploy the template to create an Event Hubs dedicated cluster in the target region.

+1. In the Azure portal, select **Create a resource**.

+2. In **Search the Marketplace**, type **template deployment**, and select **Template deployment (deploy using custom templates)**.

+1. On the **Template deployment** page, select **Create**.

+1. Select **Build your own template in the editor**.

+1. Select **Load file**, and then follow the instructions to load the **template.json** file that you downloaded in the last section.

+1. Update the value of the `location` property to point to the new region. To obtain location codes, see [Azure locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, for example, `West US` is equal to `westus`.

+1. Select **Save** to save the template.

+1. On the **Custom deployment** page, follow these steps:

+ 1. Select an Azure **subscription**.

+ 2. Select an existing **resource group** or create one.

+ 3. Select the target **location** or region. If you selected an existing resource group, this setting is read-only.

+ 4. In the **SETTINGS** section, do the following steps:

+ 1. Enter the new **cluster name**.

+ :::image type="content" source="../event-hubs/media/move-cluster-across-regions/deploy-template.png" alt-text="Screenshot showing Deploy Resource Manager template":::

+ 5. Select **Review + create** at the bottom of the page.

+ 1. On the **Review + create** page, review settings, and then select **Create**.

+## Discard or clean up

+After the deployment, if you want to start over, you can delete the **target Event Hubs dedicated cluster**, and repeat the steps described in the [Prepare](#prepare) and [Move](#move) sections of this article.

+To commit the changes and complete the move of an Event Hubs cluster, delete the **Event Hubs cluster** in the original region.

+To delete an Event Hubs cluster (source or target) by using the Azure portal:

+1. In the search window at the top of Azure portal, type **Event Hubs Clusters**, and select **Event Hubs Clusters** from search results. You see the Event Hubs cluster in a list.

+2. Select the cluster to delete, and select **Delete** from the toolbar.

+3. On the **Delete Cluster** page, confirm the deletion by typing the **cluster name**, and then select **Delete**.

+## Next steps

+In this tutorial, you learned how to move an Event Hubs dedicated cluster from one region to another.

+See the [Move Event Hubs namespaces across regions](relocation-event-hub.md) article for instructions on moving a namespace from one region to another region.

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocation guidance in Azure Event Hubs

+description: Learn how to relocate Azure Event Hubs to a new region

+ - subject-relocation

+# Relocate Azure Event Hubs to another region

+This article shows you how to to copy an Event Hubs namespace and configuration settings to another region.

+If you have other resources in the Azure resource group that contains the Event Hubs namespace, you may want to export the template at the resource group level so that all related resources can be moved to the new region in one step. To learn how to export a **resource group** to the template, see [Move resources across regions(from resource group)](/azure/resource-mover/move-region-within-resource-group).

+

+## Prerequisites

+- Ensure that the services and features that your account uses are supported in the target region.

+- If you have **capture feature** enabled for event hubs in the namespace, move [Azure Storage or Azure Data Lake Store Gen 2](../storage/common/storage-account-move.md) accounts before moving the Event Hubs namespace. You can also move the resource group that contains both Storage and Event Hubs namespaces to the other region by following steps similar to the ones described in this article.

+- If the Event Hubs namespace is in an **Event Hubs cluster**, [move the dedicated cluster](../event-hubs/move-cluster-across-regions.md) to the **target region** before you go through steps in this article. You can also use the [quickstart template on GitHub](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.eventhub/eventhubs-create-cluster-namespace-eventhub/) to create an Event Hubs cluster. In the template, remove the namespace portion of the JSON to create only the cluster.

+- Identify all resources dependencies. Depending on how you've deployed Event Hub, the following services *may* need deployment in the target region:

+ - [Public IP](/azure/virtual-network/move-across-regions-publicip-portal)

+ - [Azure Private Link Service](./relocation-private-link.md)

+ - [Virtual Network](./relocation-virtual-network.md)

+ - Event Hub Namespace

+ - [Event Hub Cluster](./relocation-event-hub-cluster.md)

+ - [Storage Account](./relocation-storage-account.md)

+ >[!TIP]

+ >When Capture is enabled, you can either relocate a Storage Account from the source or use an existing one in the target region.

+- Identify all dependent resources. Event Hub is a messaging system that lets applications publish and subscribe for messages. Consider whether or not your application at target requires messaging support for the same set of dependent services that it had at the source target.

+## Prepare

+To get started, export a Resource Manager template. This template contains settings that describe your Event Hubs namespace.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All resources** and then select your Event Hubs namespace.

+3. On the **Event Hubs Namespace** page, select **Export template** under **Automation** in the left menu.

+4. Choose **Download** in the **Export template** page.

+ 

+5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.

+ This zip file contains the .json files that include the template and scripts to deploy the template.

+## Redeploy

+Deploy the template to create an Event Hubs namespace in the target region.

+1. In the Azure portal, select **Create a resource**.

+2. In **Search the Marketplace**, type **template deployment**, and select **Template deployment (deploy using custom templates)**.

+5. Select **Build your own template in the editor**.

+6. Select **Load file**, and then follow the instructions to load the **template.json** file that you downloaded in the last section.

+1. Update the value of the `location` property to point to the new region. To obtain location codes, see [Azure locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, for example, `West US` is equal to `westus`.

+1. Select **Save** to save the template.

+1. On the **Custom deployment** page, follow these steps:

+ 1. Select an Azure **subscription**.

+ 2. Select an existing **resource group** or create one. If the source namespace was in an Event Hubs cluster, select the resource group that contains cluster in the target region.

+ 3. Select the target **location** or region. If you selected an existing resource group, this setting is read-only.

+ 4. In the **SETTINGS** section, do the following steps:

+ 1. Enter the new **namespace name**.

+ 

+ 2. If your source namespace was in an **Event Hubs cluster**, enter names of **resource group** and **Event Hubs cluster** as part of **external ID**.

+ ```

+ /subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<CLUSTER'S RESOURCE GROUP>/providers/Microsoft.EventHub/clusters/<CLUSTER NAME>

+ ```

+ 3. If event hub in your namespace uses a Storage account for capturing events, specify the resource group name and the storage account for `StorageAccounts_<original storage account name>_external` field.

+

+ ```

+ /subscriptions/0000000000-0000-0000-0000-0000000000000/resourceGroups/<STORAGE'S RESOURCE GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE ACCOUNT NAME>

+ ```

+ 5. Select **Review + create** at the bottom of the page.

+ 1. On the **Review + create** page, review settings, and then select **Create**.

+## Discard or clean up

+After the deployment, if you want to start over, you can delete the **target Event Hubs namespace**, and repeat the steps described in the [Prepare](#prepare) and [Move](#redeploy) sections of this article.

+To commit the changes and complete the move of an Event Hubs namespace, delete the **Event Hubs namespace** in the original region. Make sure that you processed all the events in the namespace before deleting the namespace.

+To delete an Event Hubs namespace (source or target) by using the Azure portal:

+1. In the search window at the top of Azure portal, type **Event Hubs**, and select **Event Hubs** from search results. You see the Event Hubs namespaces in a list.

+2. Select the target namespace to delete, and select **Delete** from the toolbar.

+ 

+3. On the **Delete Namespace** page, confirm the deletion by typing the **namespace name**, and then select **Delete**.

+## Next steps

+In this how-to, you learned how to move an Event Hubs namespace from one region to another.

+See the [Relocate Event Hubs to another region](relocation-event-hub-cluster.md) article for instructions on moving an Event Hubs cluster from one region to another region.

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure KeyVault to another region

+description: This article offers guidance on moving a key vault to a different region.

+# Customer intent: As a key vault administrator, I want to move my vault to another region.

+# Relocate Azure KeyVault to another region

+Azure Key Vault does not allow you to move a key vault from one region to another. You can, however, create a key vault in the new region, manually backup/restore each individual key, secret, or certificate from your existing key vault to the new key vault, and then remove the original key vault.

+## Prerequisites

+It's critical to understand the implications of this workaround before you attempt to apply it in a production environment.

+## Prepare

+First, you must create a new key vault in the region to which you wish to move. You can do so through the [Azure portal](/azure/key-vault/general/quick-create-portal), the [Azure CLI](/azure/key-vault/general/quick-create-cli), or [Azure PowerShell](/azure/key-vault/general/quick-create-powershell).

+Keep in mind the following concepts:

+* Key vault names are globally unique. You can't reuse a vault name.

+* You need to reconfigure your access policies and network configuration settings in the new key vault.

+* You need to reconfigure soft-delete and purge protection in the new key vault.

+* The backup and restore operation won't preserve your autorotation settings. You might need to reconfigure the settings.

+## Move

+Export your keys, secrets, or certificates from your old key vault, and then import them into your new vault.

+You can back up each individual secret, key, and certificate in your vault by using the backup command. Your secrets are downloaded as an encrypted blob. For step by step guidance, see [Azure Key Vault backup and restore](/azure/key-vault/general/backup).

+Alternatively, you can download certain secret types manually. For example, you can download certificates as a PFX file. This option eliminates the geographical restrictions for some secret types, such as certificates. You can upload the PFX files to any key vault in any region. The secrets are downloaded in a non-password protected format. You are responsible for securing your secrets during the move.

+After you have downloaded your keys, secrets, or certificates, you can restore them to your new key vault.

+Using the backup and restore commands has two limitations:

+* You can't back up a key vault in one geography and restore it into another geography. For more information, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/).

+* The backup command backs up all versions of each secret. If you have a secret with a large number of previous versions (more than 10), the request size might exceed the allowed maximum and the operation might fail.

+## Verify

+Before deleting your old key vault, verify that the new vault contains all of the required keys, secrets, and certificates.

+## Next steps

+- [Azure Key Vault backup and restore](/azure/key-vault/general/backup)

+- [Moving an Azure Key Vault across resource groups](/azure/key-vault/general/move-resourcegroup)

+- [Moving an Azure Key Vault to another subscription](/azure/key-vault/general/move-subscription)

+ Title: Relocation guidance for Log Analytics workspace

+description: Learn how to relocate Log Analytics workspace to a new region.

+ - subject-relocation

+#CustomerIntent: As a cloud architect/engineer, I want to learn how to relocate Log Analytics workspace to another region.

+# Relocate Azure Monitor - Log Analytics workspace to another region

+A relocation plan for Log Analytics workspace must include the relocation of any resources that log data with Log Analytics Workspace.

+Log Analytics workspace doesn't natively support migrating workspace data from one region to another and associated devices. Instead, you must create a new Log Analytics workspace in the target region and reconfigure the devices and settings in the new workspace.

+The diagram below illustrates the relocation pattern for a Log Analytics workspace. The red flow lines represent the redeployment of the target instance along with data movement and updating domains and endpoints.

+## Prerequisites

+- To export the workspace configuration to a template that can be deployed to another region, you need the [Log Analytics Contributor](../role-based-access-control/built-in-roles.md#log-analytics-contributor) or [Monitoring Contributor](../role-based-access-control/built-in-roles.md#monitoring-contributor) role, or higher.

+- Identify all the resources that are currently associated with your workspace, including:

+ - *Connected agents*: Enter **Logs** in your workspace and query a [heartbeat](../azure-monitor/insights/solution-agenthealth.md#azure-monitor-log-records) table to list connected agents.

+ ```kusto

+ Heartbeat

+ | summarize by Computer, Category, OSType, _ResourceId

+ ```

+ - *Diagnostic settings*: Resources can send logs to Azure Diagnostics or dedicated tables in your workspace. Enter **Logs** in your workspace, and run this query for resources that send data to the `AzureDiagnostics` table:

+ ```kusto

+ AzureDiagnostics

+ | where TimeGenerated > ago(12h)

+ | summarize by ResourceProvider , ResourceType, Resource

+ | sort by ResourceProvider, ResourceType

+ ```

+ Run this query for resources that send data to dedicated tables:

+ ```kusto

+ search *

+ | where TimeGenerated > ago(12h)

+ | where isnotnull(_ResourceId)

+ | extend ResourceProvider = split(_ResourceId, '/')[6]

+ | where ResourceProvider !in ('microsoft.compute', 'microsoft.security')

+ | extend ResourceType = split(_ResourceId, '/')[7]

+ | extend Resource = split(_ResourceId, '/')[8]

+ | summarize by tostring(ResourceProvider) , tostring(ResourceType), tostring(Resource)

+ | sort by ResourceProvider, ResourceType

+ ```

+ - *Installed solutions*: Select **Legacy solutions** on the workspace navigation pane for a list of installed solutions.

+ - *Data collector API*: Data arriving through a [Data Collector API](../azure-monitor/logs/data-collector-api.md) is stored in custom log tables. For a list of custom log tables, select **Logs** on the workspace navigation pane, and then select **Custom log** on the schema pane.

+ - *Linked services*: Workspaces might have linked services to dependent resources such as an Azure Automation account, a storage account, or a dedicated cluster. Remove linked services from your workspace. Reconfigure them manually in the target workspace.

+ - *Alerts*: To list alerts, select **Alerts** on your workspace navigation pane, and then select **Manage alert rules** on the toolbar. Alerts in workspaces created after June 1, 2019, or in workspaces that were [upgraded from the Log Analytics Alert API to the scheduledQueryRules API](../azure-monitor/alerts/alerts-log-api-switch.md) can be included in the template.

+

+ You can [check if the scheduledQueryRules API is used for alerts in your workspace](../azure-monitor/alerts/alerts-log-api-switch.md#check-switching-status-of-workspace). Alternatively, you can configure alerts manually in the target workspace.

+ - *Query packs*: A workspace can be associated with multiple query packs. To identify query packs in your workspace, select **Logs** on the workspace navigation pane, select **queries** on the left pane, and then select the ellipsis to the right of the search box. A dialog with the selected query packs opens on the right. If your query packs are in the same resource group as the workspace that you're moving, you can include it with this migration.

+- Verify that your Azure subscription allows you to create Log Analytics workspaces in the target region.

+## Prepare

+The following procedures show how to prepare the workspace and resources for the move by using a Resource Manager template.

+> [!NOTE]

+> Not all resources can be exported through a template. You'll need to configure these separately after the workspace is created in the target region.

+1. Sign in to the [Azure portal](https://portal.azure.com), and then select **Resource Groups**.

+1. Find the resource group that contains your workspace and select it.

+1. To view an alert resource, select the **Show hidden types** checkbox.

+1. Select the **Type** filter. Select **Log Analytics workspace**, **Solution**, **SavedSearches**, **microsoft.insights/scheduledqueryrules**, **defaultQueryPack**, and other workspace-related resources that you have (such as an Automation account). Then select **Apply**.

+1. Select the workspace, solutions, saved searches, alerts, query packs, and other workspace-related resources that you have (such as an Automation account). Then select **Export template** on the toolbar.

+

+ > [!NOTE]

+ > Microsoft Sentinel can't be exported with a template. You need to [onboard Sentinel](../sentinel/quickstart-onboard.md) to a target workspace.

+

+1. Select **Deploy** on the toolbar to edit and prepare the template for deployment.

+1. Select **Edit parameters** on the toolbar to open the *parameters.json* file in the online editor.

+1. To edit the parameters, change the `value` property under `parameters`. Here's an example:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "workspaces_name": {

+ "value": "my-workspace-name"

+ },

+ "workspaceResourceId": {

+ "value": "/subscriptions/resource-id/resourceGroups/resource-group-name/providers/Microsoft.OperationalInsights/workspaces/workspace-name"

+ },

+ "alertName": {

+ "value": "my-alert-name"

+ },

+ "querypacks_name": {

+ "value": "my-default-query-pack-name"

+ }

+ }

+ }

+ ```

+1. Select **Save** in the editor.

+## Edit the template

+1. Select **Edit template** on the toolbar to open the *template.json* file in the online editor.

+1. To edit the target region where the Log Analytics workspace will be deployed, change the `location` property under `resources` in the online editor.

+ To get region location codes, see [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces. For example, **Central US** should be `centralus`.

+1. Remove linked-services resources (`microsoft.operationalinsights/workspaces/linkedservices`) if they're present in the template. You should reconfigure these resources manually in the target workspace.

+ The following example template includes the workspace, saved search, solutions, alerts, and query pack:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "workspaces_name": {

+ "type": "String"

+ },

+ "workspaceResourceId": {

+ "type": "String"

+ },

+ "alertName": {

+ "type": "String"

+ },

+ "querypacks_name": {

+ "type": "String"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "microsoft.operationalinsights/workspaces",

+ "apiVersion": "2020-08-01",

+ "name": "[parameters('workspaces_name')]",

+ "location": "france central",

+ "properties": {

+ "sku": {

+ "name": "pergb2018"

+ },

+ "retentionInDays": 30,

+ "features": {

+ "enableLogAccessUsingOnlyResourcePermissions": true

+ },

+ "workspaceCapping": {

+ "dailyQuotaGb": -1

+ },

+ "publicNetworkAccessForIngestion": "Enabled",

+ "publicNetworkAccessForQuery": "Enabled"

+ }

+ },

+ {

+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",

+ "apiVersion": "2020-08-01",

+ "name": "[concat(parameters('workspaces_name'), '/2b5112ec-5ad0-5eda-80e9-ad98b51d4aba')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaces_name'))]"

+ ],

+ "properties": {

+ "category": "VM Monitoring",

+ "displayName": "List all versions of curl in use",

+ "query": "VMProcess\n| where ExecutableName == \"curl\"\n| distinct ProductVersion",

+ "tags": [],

+ "version": 2

+ }

+ },

+ {

+ "type": "Microsoft.OperationsManagement/solutions",

+ "apiVersion": "2015-11-01-preview",

+ "name": "[concat('Updates(', parameters('workspaces_name'))]",

+ "location": "france central",

+ "dependsOn": [

+ "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaces_name'))]"

+ ],

+ "plan": {

+ "name": "[concat('Updates(', parameters('workspaces_name'))]",

+ "promotionCode": "",

+ "product": "OMSGallery/Updates",

+ "publisher": "Microsoft"

+ },

+ "properties": {

+ "workspaceResourceId": "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaces_name'))]",

+ "containedResources": [

+ "[concat(resourceId('microsoft.operationalinsights/workspaces', parameters('workspaces_name')), '/views/Updates(', parameters('workspaces_name'), ')')]"

+ ]

+ }

+ }

+ {

+ "type": "Microsoft.OperationsManagement/solutions",

+ "apiVersion": "2015-11-01-preview",

+ "name": "[concat('VMInsights(', parameters('workspaces_name'))]",

+ "location": "france central",

+ "plan": {

+ "name": "[concat('VMInsights(', parameters('workspaces_name'))]",

+ "promotionCode": "",

+ "product": "OMSGallery/VMInsights",

+ "publisher": "Microsoft"

+ },

+ "properties": {

+ "workspaceResourceId": "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaces_name'))]",

+ "containedResources": [

+ "[concat(resourceId('microsoft.operationalinsights/workspaces', parameters('workspaces_name')), '/views/VMInsights(', parameters('workspaces_name'), ')')]"

+ ]

+ }

+ },

+ {

+ "type": "microsoft.insights/scheduledqueryrules",

+ "apiVersion": "2021-08-01",

+ "name": "[parameters('alertName')]",

+ "location": "france central",

+ "properties": {

+ "displayName": "[parameters('alertName')]",

+ "severity": 3,

+ "enabled": true,

+ "evaluationFrequency": "PT5M",

+ "scopes": [

+ "[parameters('workspaceResourceId')]"

+ ],

+ "windowSize": "PT15M",

+ "criteria": {

+ "allOf": [

+ {

+ "query": "Heartbeat | where computer == 'my computer name'",

+ "timeAggregation": "Count",

+ "operator": "LessThan",

+ "threshold": 14,

+ "failingPeriods": {

+ "numberOfEvaluationPeriods": 1,

+ "minFailingPeriodsToAlert": 1

+ }

+ }

+ ]

+ },

+ "autoMitigate": true,

+ "actions": {}

+ }

+ },

+ {

+ "type": "Microsoft.OperationalInsights/querypacks",

+ "apiVersion": "2019-09-01-preview",

+ "name": "[parameters('querypacks_name')]",

+ "location": "francecentral",

+ "properties": {}

+ },

+ {

+ "type": "Microsoft.OperationalInsights/querypacks/queries",

+ "apiVersion": "2019-09-01-preview",

+ "name": "[concat(parameters('querypacks_name'), '/00000000-0000-0000-0000-000000000000')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.OperationalInsights/querypacks', parameters('querypacks_name'))]"

+ ],

+ "properties": {

+ "displayName": "my-query-name",

+ "body": "my-query-text",

+ "related": {

+ "categories": [],

+ "resourceTypes": [

+ "microsoft.operationalinsights/workspaces"

+ ]

+ },

+ "tags": {

+ "labels": []

+ }

+ }

+ }

+ ]

+ }

+ ```

+1. Select **Save** in the online editor.

+## Redeploy

+1. Select **Subscription** to choose the subscription where the target workspace will be deployed.

+1. Select **Resource group** to choose the resource group where the target workspace will be deployed. You can select **Create new** to create a new resource group for the target workspace.

+1. Verify that **Region** is set to the target location where you want the network security group to be deployed.

+1. Select the **Review + create** button to verify your template.

+1. Select **Create** to deploy the workspace and the selected resource to the target region.

+1. Your workspace, including selected resources, is now deployed in the target region. You can complete the remaining configuration in the workspace for paring functionality to the original workspace.

+ - *Connect agents*: Use any of the available options, including Data Collection Rules, to configure the required agents on virtual machines and virtual machine scale sets and to specify the new target workspace as the destination.

+ - *Diagnostic settings*: Update diagnostic settings in identified resources, with the target workspace as the destination.

+ - *Install solutions*: Some solutions, such as [Microsoft Sentinel](../sentinel/quickstart-onboard.md), require certain onboarding procedures and weren't included in the template. You should onboard them separately to the new workspace.

+ - *Configure the Data Collector API*: Configure Data Collector API instances to send data to the target workspace.

+ - *Configure alert rules*: When alerts aren't exported in the template, you need to configure them manually in the target workspace.

+1. Verify that new data isn't ingested to the original workspace. Run the following query in your original workspace, and observe that there's no ingestion after the migration:

+ ```kusto

+ search *

+ | where TimeGenerated > ago(12h)

+ | summarize max(TimeGenerated) by Type

+ ```

+After data sources are connected to the target workspace, ingested data is stored in the target workspace. Older data stays in the original workspace and is subject to the retention policy. You can perform a [cross-workspace query](../azure-monitor/logs/cross-workspace-query.md). If both workspaces were assigned the same name, use a qualified name (*subscriptionName/resourceGroup/componentName*) in the workspace reference.

+Here's an example for a query across two workspaces that have the same name:

+```kusto

+union

+ workspace('subscription-name1/<resource-group-name1/<original-workspace-name>')Update,

+ workspace('subscription-name2/<resource-group-name2/<target-workspace-name>').Update,

+| where TimeGenerated >= ago(1h)

+| where UpdateState == "Needed"

+| summarize dcount(Computer) by Classification

+```

+## Discard

+If you want to discard the source workspace, delete the exported resources or the resource group that contains these resources:

+1. Select the target resource group in the Azure portal.

+1. On the **Overview** page:

+

+ - If you created a new resource group for this deployment, select **Delete resource group** on the toolbar to delete the resource group.

+ - If the template was deployed to an existing resource group, select the resources that were deployed with the template, and then select **Delete** on the toolbar to delete selected resources.

+## Clean up

+While new data is being ingested to your new workspace, older data in the original workspace remains available for query and is subject to the retention policy defined in the workspace. We recommend that you keep the original workspace for as long as you need older data to [query across](../azure-monitor/logs/cross-workspace-query.md) workspaces.

+If you no longer need access to older data in the original workspace:

+1. Select the original resource group in the Azure portal.

+1. Select any resources that you want to remove, and then select **Delete** on the toolbar.

+## Related content

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Migrate Log Analytics to availability zone support](../reliability/migrate-monitor-log-analytics.md)

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure Database for PostgreSQL to another region

+description: Learn how to relocate an Azure Database for PostgreSQL to another region using Azure services and tools.

+ - subject-relocation

+# Relocate Azure Database for PostgreSQL to another region

+This article covers relocation guidance for Azure Database for PostgreSQL, Single Server, and Flexible Servers across geographies where region pairs aren't available for replication and geo-restore.

+To learn how to relocate Azure Cosmos DB for PostgreSQL (formerly called Azure Database for PostgreSQL - Hyperscale (Citus)), see [Read replicas in Azure Cosmos DB for PostgreSQL](/azure/cosmos-db/postgresql/concepts-read-replicas).

+For an overview of the region pairs supported by native replication, see [cross-region replication](../postgresql/concepts-read-replicas.md#cross-region-replication).

+## Prerequisites

+Prerequisites only apply to [redeployment with data](#redeploy-with-data). To move your database without data, you can skip to [Prepare](#prepare).

+- To relocate PostgreSQL with data from one region to another, you must have an additional compute resource to run the backup and restore tools. The examples in this guide use an Azure VM running Ubuntu 20.04 LTS. The compute resources must:

+ - Have network access to both the source and the target server, either on a private network or by inclusion in the firewall rules.

+ - Be located in either the source or target region.

+ - Use [Accelerated Networking](/azure/virtual-network/accelerated-networking-overview) (if available).

+ - The database content isn't saved to any intermediate storage; the output of the logical backup tool is sent directly to the target server.

+- Depending on your Azure Database for PostgreSQL instance design, the following dependent resources might need to be deployed and configured in the target region prior to relocation:

+ - [Public IP](/azure/virtual-network/move-across-regions-publicip-portal)

+ - [Azure Private Link](./relocation-private-link.md)

+ - [Virtual Network](./relocation-virtual-network.md)

+ - [Network Peering](/azure/virtual-network/scripts/virtual-network-powershell-sample-peer-two-virtual-networks)

+## Prepare

+To get started, export a Resource Manager template. This template contains settings that describe your Automation namespace.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **All resources** and then select your Automation resource.

+1. Select **Export template**.

+1. Choose **Download** in the **Export template** page.

+1. Locate the .zip file you downloaded from the portal and unzip that file to a folder of your choice.

+ This zip file contains the .json files that include the template and scripts to deploy the template.

+## Redeploy without data

+1. Adjust the exported template parameters to match the destination region.

+ > [!IMPORTANT]

+ > The target server must be different from the name of the source server. You must reconfigure clients to point to the new server.

+1. Redeploy the template to the new region. For an example of how to use an ARM template to create an Azure Database for PostgreSQL, see [Quickstart: Use an ARM template to create an Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/quickstart-create-server-arm-template?tabs=portal%2Cazure-portal).

+## Redeploy with data

+Redeployment with data migration for Azure Database for PostgreSQL is based on logical backup and restore and requires native tools. As a result, you can expect noticeable downtime during restoration.

+> [!TIP]

+> You can use the Azure portal to relocate an Azure Database for PostgreSQL - Flexible Server. To learn how to perform replication for Single Server, see [Move an Azure Database for PostgreSQL - Flexible Server to another region by using the Azure portal](/azure/postgreSQL/single-server/how-to-move-regions-portal).

+1. Adjust the exported template parameters to match the destination region.

+ > [!IMPORTANT]

+ > The target server name must be different from the source server name. You must reconfigure clients to point to the new server.

+1. Redeploy the template to the new region. For an example of how to use an ARM template to create an Azure Database for PostgreSQL, see [Quickstart: Use an ARM template to create an Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/quickstart-create-server-arm-template?tabs=portal%2Cazure-portal).

+1. On the compute resource provisioned for the migration, install the PostgreSQL client tools for the PostgreSQL version to be migrated. The following example uses PostgreSQL version 13 on an Azure VM that runs Ubuntu 20.04 LTS:

+ ```bash

+ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

+ wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

+ sudo apt-get update

+ sudo apt-get install -y postgresql-client-13

+ ```

+ For more information on the installation of PostgreSQL components in Ubuntu, refer to [Linux downloads (Ubuntu)](https://www.postgresql.org/download/linux/ubuntu/).

+ For other platforms, go to [PostgreSQL Downloads](https://www.postgresql.org/download/).

+1. (Optional) If you created additional roles in the source server, create them in the target server. To get a list of existing roles, use the following query:

+ ```sql

+ select *

+ from pg_catalog.pg_roles

+ where rolename not like 'pg_%' and rolename not in ('azuresu', 'azure_pg_admin', 'replication')

+ order by rolename;

+ ```

+1. To migrate each database, do the following steps:

+ 1. Stop all database activity on the source server.

+ 1. Replace credentials information, source server, target server, and database name in the following script:

+ ```sql

+ export USER=admin_username

+ export PGPASSWORD=admin_password

+ export SOURCE=pgsql-arpp-source.postgres.database.azure.com

+ export TARGET=pgsql-arpp-target.postgres.database.azure.com

+ export DATABASE=database_name

+ pg_dump -h $SOURCE -U $USER --create --exclude-schema=pg_catalog $DATABASE | psql -h $TARGET -U $USER postgres

+ ```

+ 1. To migrate the database, run the script.

+ 1. Configure the clients to point to the target server.

+ 1. Perform functional tests on the applications.

+ 1. Ensure that the `ignoreMissingVnetServiceEndpoint` flag is set to `False`, so the IaC fails to deploy the database when the service endpoint isn't configured in the target region.

+## Related content

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure Private Link Service to another region

+description: Learn how to relocate an Azure Private Link Service to a new region

+ - subject-relocation

+# Relocate Azure Private Link Service to another region

+This article shows you how to relocate [Azure Private Link Service](/azure/private-link/private-link-overview) when moving your workload to another region.

+To learn how to to reconfigure [private endpoints](/azure/private-link/private-link-overview) for a particular service, see the [appropriate service relocation guide](overview-relocation.md).

+## Prepare

+Identify all resources that are used by Private Link Service, such as Standard load balancer, virtual machines, virtual network, etc.

+## Redeploy

+1. Redeploy all resources that are used by Private Link Service.

+1. Ensure that a standard load balancer with all dependent resources is relocated to the target region.

+1. Create a Private Link Service that references the relocated load balancer. To create the Private Link, you can use [Azure Portal](/azure/private-link/create-private-link-service-portal), [PowerShell](/azure/private-link/create-private-link-service-powershell), or [Azure CLI](/azure/private-link/create-private-link-service-cli).

+ In the load balancer selection process:

+ - Choose the frontend IP configuration where you want to receive the traffic.

+ - Choose a subnet for NAT IP addresses for the Private Link Service.

+ - Choose Private Link Service settings that are the same as the source Private Link Service.

+

+1. Redeploy the private endpoint into the relocated virtual network.

+1. Configure your DNS settings by following guidance in [Private DNS zone values](/azure/private-link/private-endpoint-dns?branch=main).

+## Next steps

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure Storage Account to another region

+description: Learn how to relocate Azure Storage Account to another region

+ - subject-relocation

+# Relocate Azure Storage Account to another region

+This article shows you how to:

+This article shows you how to relocate an Azure Storage Account to a new region by creating a copy of your storage account into another region. You also learn how to relocate your data to that account by using AzCopy, or another tool of your choice.

+### Prerequisites

+- Ensure that the services and features that your account uses are supported in the target region.

+- For preview features, ensure that your subscription is allowlisted for the target region.

+- Depending on your Storage Account deployment, the following dependent resources may need to be deployed and configured in the target region *prior* to relocation:

+ - [Virtual Network, Network Security Groups, and User Defined Route](./relocation-virtual-network.md)

+ - [Azure Key Vault](./relocation-key-vault.md)

+ - [Azure Automation](./relocation-automation.md)

+ - [Public IP](/azure/virtual-network/move-across-regions-publicip-portal)

+ - [Azure Private Link Service](./relocation-private-link.md)

+## Prepare

+To prepare, you must export and then modify a Resource Manager template.

+### Export a template

+A Resource Manager template contains settings that describe your storage account.

+# [Portal](#tab/azure-portal)

+To export a template by using Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All resources** and then select your storage account.

+3. Select > **Automation** > **Export template**.

+4. Choose **Download** in the **Export template** blade.

+5. Locate the .zip file that you downloaded from the portal, and unzip that file to a folder of your choice.

+ This zip file contains the .json files that comprise the template and scripts to deploy the template.

+# [PowerShell](#tab/azure-powershell)

+To export a template by using PowerShell:

+1. Sign in to your Azure subscription with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command and follow the on-screen directions:

+ ```azurepowershell-interactive

+ Connect-AzAccount

+ ```

+2. If your identity is associated with more than one subscription, then set your active subscription to subscription of the storage account that you want to move.

+ ```azurepowershell-interactive

+ $context = Get-AzSubscription -SubscriptionId <subscription-id>

+ Set-AzContext $context

+ ```

+3. Export the template of your source storage account. These commands save a json template to your current directory.

+ ```azurepowershell-interactive

+ $resource = Get-AzResource `

+ -ResourceGroupName <resource-group-name> `

+ -ResourceName <storage-account-name> `

+ -ResourceType Microsoft.Storage/storageAccounts

+ Export-AzResourceGroup `

+ -ResourceGroupName <resource-group-name> `

+ -Resource $resource.ResourceId

+ ```

+### Modify the template

+Modify the template by changing the storage account name and region.

+# [Portal](#tab/azure-portal)

+To deploy the template by using Azure portal:

+1. In the Azure portal, select **Create a resource**.

+2. In **Search the Marketplace**, type **template deployment**, and then press **ENTER**.

+3. Select **Template deployment**.

+ 

+4. Select **Create**.

+5. Select **Build your own template in the editor**.

+6. Select **Load file**, and then follow the instructions to load the **template.json** file that you downloaded in the last section.

+7. In the **template.json** file, name the target storage account by setting the default value of the storage account name. This example sets the default value of the storage account name to `mytargetaccount`.

+ ```json

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "storageAccounts_mysourceaccount_name": {

+ "defaultValue": "mytargetaccount",

+ "type": "String"

+ }

+ },

+8. Edit the **location** property in the **template.json** file to the target region. This example sets the target region to `centralus`.

+ ```json

+ "resources": [{

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2019-04-01",

+ "name": "[parameters('storageAccounts_mysourceaccount_name')]",

+ "location": "centralus"

+ }]

+ ```

+ To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, **Central US** = **centralus**.

+# [PowerShell](#tab/azure-powershell)

+To deploy the template by using PowerShell:

+1. In the **template.json** file, name the target storage account by setting the default value of the storage account name. This example sets the default value of the storage account name to `mytargetaccount`.

+ ```json

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "storageAccounts_mysourceaccount_name": {

+ "defaultValue": "mytargetaccount",

+ "type": "String"

+ }

+ },

+ ```

+2. Edit the **location** property in the **template.json** file to the target region. This example sets the target region to `eastus`.

+ ```json

+ "resources": [{

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2019-04-01",

+ "name": "[parameters('storageAccounts_mysourceaccount_name')]",

+ "location": "eastus"

+ }]

+ ```

+ You can obtain region codes by running the [Get-AzLocation](/powershell/module/az.resources/get-azlocation) command.

+ ```azurepowershell-interactive

+ Get-AzLocation | format-table

+ ```

+## Redeploy

+Deploy the template to create a new storage account in the target region.

+# [Portal](#tab/azure-portal)

+1. Save the **template.json** file.

+2. Enter or select the property values:

+ - **Subscription**: Select an Azure subscription.

+ - **Resource group**: Select **Create new** and give the resource group a name.

+ - **Location**: Select an Azure location.

+3. Select **I agree to the terms and conditions stated above**, and then select **Select Purchase**.

+# [PowerShell](#tab/azure-powershell)

+1. Obtain the subscription ID where you want to deploy the target public IP with [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription):

+ ```azurepowershell-interactive

+ Get-AzSubscription

+ ```

+2. Use these commands to deploy your template:

+ ```azurepowershell-interactive

+ $resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

+ $location = Read-Host -Prompt "Enter the location (i.e. centralus)"

+ New-AzResourceGroup -Name $resourceGroupName -Location "$location"

+ New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri "<name of your local template file>"

+ ```

+> [!TIP]

+> If you receive an error which states that the XML specified is not syntactically valid, compare the JSON in your template with the schemas described in the [Azure Resource Manager documentation](/azure/templates/microsoft.storage/allversions).

+### Configure the new storage account

+Some features won't export to a template, so you'll have to add them to the new storage account.

+The following table lists these features along with guidance for adding them to your new storage account.

+| Feature | Guidance |

+|--|--|

+| **Lifecycle management policies** | [Manage the Azure Blob storage lifecycle](../storage/blobs/storage-lifecycle-management-concepts.md) |

+| **Static websites** | [Host a static website in Azure Storage](../storage/blobs/storage-blob-static-website-how-to.md) |

+| **Event subscriptions** | [Reacting to Blob storage events](../storage/blobs/storage-blob-event-overview.md) |

+| **Alerts** | [Create, view, and manage activity log alerts by using Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md) |

+| **Content Delivery Network (CDN)** | [Use Azure CDN to access blobs with custom domains over HTTPS](../storage/blobs/storage-https-custom-domain-cdn.md) |

+> [!NOTE]

+> If you set up a CDN for the source storage account, just change the origin of your existing CDN to the primary blob service endpoint (or the primary static website endpoint) of your new account.

+### Move data to the new storage account

+AzCopy is the preferred tool to move your data over due to its performance optimization. With AzCopy, data is copied directly between storage servers, and so it doesn't use the network bandwidth of your computer. You can run AzCopy at the command line or as part of a custom script. For more information, see [Copy blobs between Azure storage accounts by using AzCopy](/azure/storage/common/storage-use-azcopy-blobs-copy?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&branch=pr-en-us-259662).

+You can also use Azure Data Factory to move your data over. To learn how to use Data Factory to relocate your data see one of the following guides:

+ - [Copy data to or from Azure Blob storage by using Azure Data Factory](/azure/data-factory/connector-azure-blob-storage)

+ - [Copy data to or from Azure Data Lake Storage Gen2 using Azure Data Factory](/azure/data-factory/connector-azure-data-lake-storage)

+ - [Copy data from or to Azure Files by using Azure Data Factory](/azure/data-factory/connector-azure-file-storage)

+ - [Copy data to and from Azure Table storage by using Azure Data Factory](/azure/data-factory/connector-azure-table-storage)

+## Discard or clean up

+After the deployment, if you want to start over, you can delete the target storage account, and repeat the steps described in the [Prepare](#prepare) and [Redeploy](#redeploy) sections of this article.

+To commit the changes and complete the move of a storage account, delete the source storage account.

+# [Portal](#tab/azure-portal)

+To remove a storage account by using the Azure portal:

+1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose **Storage accounts** to display the list of your storage accounts.

+2. Locate the target storage account to delete, and right-click the **More** button (**...**) on the right side of the listing.

+3. Select **Delete**, and confirm.

+# [PowerShell](#tab/azure-powershell)

+To remove the resource group and its associated resources, including the new storage account, use the [Remove-AzStorageAccount](/powershell/module/az.storage/remove-azstorageaccount) command:

+```powershell

+Remove-AzStorageAccount -ResourceGroupName $resourceGroup -AccountName $storageAccount

+```

+## Next steps

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure NSG to another region

+description: Learn how to use ARM templates to relocate Azure network security group (NSG) to another region

+ - subject-relocation

+ - devx-track-arm-template

+# Relocate Azure network security group (NSG) to another region

+This article shows you how to relocate an NSG to a new region by creating a copy of the source configuration and security rules of the NSG to another region.

+## Prerequisites

+- Make sure that the Azure network security group is in the target Azure region.

+- Associate the new NSG to resources in the target region.

+- To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the Network Contributor role or higher.

+- Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, public IPs, and virtual networks.

+- Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact support to enable the required quota.

+- Make sure that your subscription has enough resources to support the addition of NSGs for this process. See [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#networking-limits).

+## Prepare

+The following steps show how to prepare the network security group for the configuration and security rule move using a Resource Manager template, and move the NSG configuration and security rules to the target region using the portal.

+### Export and modify a template

+# [Portal](#tab/azure-portal)

+To export and modify a template by using Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **All resources** and then select your storage account.

+3. Select > **Automation** > **Export template**.

+4. Choose **Deploy** in the **Export template** blade.

+5. Select **TEMPLATE** > **Edit parameters** to open the **parameters.json** file in the online editor.

+6. To edit the parameter of the NSG name, change the **value** property under **parameters**:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "networkSecurityGroups_myVM1_nsg_name": {

+ "value": "<target-nsg-name>"

+ }

+ }

+ }

+ ```

+7. Change the source NSG value in the editor to a name of your choice for the target NSG. Ensure you enclose the name in quotes.

+8. Select **Save** in the editor.

+9. Select **TEMPLATE** > **Edit template** to open the **template.json** file in the online editor.

+10. To edit the target region where the NSG configuration and security rules will be moved, change the **location** property under **resources** in the online editor:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/networkSecurityGroups",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",

+ "location": "<target-region>",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",

+ }

+ }

+ ]

+ ```

+11. To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, **Central US** = **centralus**.

+12. You can also change other parameters in the template if you choose, and are optional depending on your requirements:

+ * **Security rules** - You can edit which rules are deployed into the target NSG by adding or removing rules to the **securityRules** section in the **template.json** file:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/networkSecurityGroups",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",

+ "location": "<target-region>",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",

+ "securityRules": [

+ {

+ "name": "RDP",

+ "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "protocol": "TCP",

+ "sourcePortRange": "*",

+ "destinationPortRange": "3389",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 300,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ },

+ ]

+ }

+ ```

+ To complete the addition or the removal of the rules in the target NSG, you must also edit the custom rule types at the end of the **template.json** file in the format of the example below:

+ ```json

+ {

+ "type": "Microsoft.Network/networkSecurityGroups/securityRules",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "protocol": "*",

+ "sourcePortRange": "*",

+ "destinationPortRange": "80",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 310,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ ```

+13. Select **Save** in the online editor.

+# [PowerShell](#tab/azure-powershell)

+To export and modify a template by using PowerShell:

+1. Sign in to your Azure subscription with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command and follow the on-screen directions:

+

+ ```azurepowershell-interactive

+ Connect-AzAccount

+ ```

+2. Obtain the resource ID of the NSG you want to move to the target region and place it in a variable using [Get-AzNetworkSecurityGroup](/powershell/module/az.network/get-aznetworksecuritygroup):

+ ```azurepowershell-interactive

+ $sourceNSGID = (Get-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>).Id

+ ```

+3. Export the source NSG to a .json file into the directory where you execute the command [Export-AzResourceGroup](/powershell/module/az.resources/export-azresourcegroup):

+

+ ```azurepowershell-interactive

+ Export-AzResourceGroup -ResourceGroupName <source-resource-group-name> -Resource $sourceNSGID -IncludeParameterDefaultValue

+ ```

+4. The file downloaded will be named after the resource group the resource was exported from. Locate the file that was exported from the command named **\<resource-group-name>.json** and open it in an editor of your choice:

+

+ ```azurepowershell

+ notepad <source-resource-group-name>.json

+ ```

+5. To edit the parameter of the NSG name, change the property **defaultValue** of the source NSG name to the name of your target NSG, ensure the name is in quotes:

+

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "networkSecurityGroups_myVM1_nsg_name": {

+ "defaultValue": "<target-nsg-name>",

+ "type": "String"

+ }

+ }

+ ```

+6. To edit the target region where the NSG configuration and security rules will be moved, change the **location** property under **resources**:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/networkSecurityGroups",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",

+ "location": "<target-region>",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",

+ }

+ }

+ ```

+

+7. To obtain region location codes, you can use the Azure PowerShell cmdlet [Get-AzLocation](/powershell/module/az.resources/get-azlocation) by running the following command:

+ ```azurepowershell-interactive

+ Get-AzLocation | format-table

+

+ ```

+8. You can also change other parameters in the **\<resource-group-name>.json** if you choose, and are optional depending on your requirements:

+ * **Security rules** - You can edit which rules are deployed into the target NSG by adding or removing rules to the **securityRules** section in the **\<resource-group-name>.json** file:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/networkSecurityGroups",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",

+ "location": "TARGET REGION",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",

+ "securityRules": [

+ {

+ "name": "RDP",

+ "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "protocol": "TCP",

+ "sourcePortRange": "*",

+ "destinationPortRange": "3389",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 300,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ ]

+ }

+

+ ```

+ To complete the addition or the removal of the rules in the target NSG, you must also edit the custom rule types at the end of the **\<resource-group-name>.json** file in the format of the example below:

+ ```json

+ {

+ "type": "Microsoft.Network/networkSecurityGroups/securityRules",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "protocol": "*",

+ "sourcePortRange": "*",

+ "destinationPortRange": "80",

+ "sourceAddressPrefix": "*",

+ "destinationAddressPrefix": "*",

+ "access": "Allow",

+ "priority": 310,

+ "direction": "Inbound",

+ "sourcePortRanges": [],

+ "destinationPortRanges": [],

+ "sourceAddressPrefixes": [],

+ "destinationAddressPrefixes": []

+ }

+ ```

+9. Save the **\<resource-group-name>.json** file.

+## Redeploy

+# [Portal](#tab/azure-portal)

+1. Select **BASICS** > **Subscription** to choose the subscription where the target NSG will be deployed.

+1. Select **BASICS** > **Resource group** to choose the resource group where the target NSG will be deployed. You can click **Create new** to create a new resource group for the target NSG. Ensure the name isn't the same as the source resource group of the existing NSG.

+1. Select **BASICS** > **Location** is set to the target location where you wish for the NSG to be deployed.

+1. Verify under **SETTINGS** that the name matches the name that you entered in the parameters editor above.

+1. Check the box under **TERMS AND CONDITIONS**.

+1. Select the **Purchase** button to deploy the target network security group.

+# [PowerShell](#tab/azure-powershell)

+1. Create a resource group in the target region for the target NSG to be deployed using [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup):

+

+ ```azurepowershell-interactive

+ New-AzResourceGroup -Name <target-resource-group-name> -location <target-region>

+ ```

+

+1. Deploy the edited **\<resource-group-name>.json** file to the resource group created in the previous step using [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment):

+ ```azurepowershell-interactive

+ New-AzResourceGroupDeployment -ResourceGroupName <target-resource-group-name> -TemplateFile <source-resource-group-name>.json

+

+ ```

+1. To verify the resources were created in the target region, use [Get-AzResourceGroup](/powershell/module/az.resources/get-azresourcegroup) and [Get-AzNetworkSecurityGroup](/powershell/module/az.network/get-aznetworksecuritygroup):

+

+ ```azurepowershell-interactive

+ Get-AzResourceGroup -Name <target-resource-group-name>

+ ```

+ ```azurepowershell-interactive

+ Get-AzNetworkSecurityGroup -Name <target-nsg-name> -ResourceGroupName <target-resource-group-name>

+ ```

+## Discard

+# [Portal](#tab/azure-portal)

+If you wish to discard the target NSG, delete the resource group that contains the target NSG. To do so, select the resource group from your dashboard in the portal and select **Delete** at the top of the overview page.

+# [PowerShell](#tab/azure-powershell)

+After the deployment, if you wish to start over or discard the NSG in the target, delete the resource group that was created in the target and the moved NSG will be deleted. To remove the resource group, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup):

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name <target-resource-group-name>

+```

+## Clean up

+# [Portal](#tab/azure-portal)

+To commit the changes and complete the move of the NSG, delete the source NSG or resource group. To do so, select the network security group or resource group from your dashboard in the portal and select **Delete** at the top of each page.

+# [PowerShell](#tab/azure-powershell)

+To commit the changes and complete the move of the NSG, delete the source NSG or resource group, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) or [Remove-AzNetworkSecurityGroup](/powershell/module/az.network/remove-aznetworksecuritygroup):

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name <source-resource-group-name>

+```

+``` azurepowershell-interactive

+Remove-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>

+```

+## Next steps

+In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Relocate Azure Virtual Network to another region

+description: Learn how to relocate Azure Virtual Network to another region

+ - subject-relocation

+# Relocate Azure Virtual Network to another region

+This article shows you how to relocate a virtual network to a new region by redeploying the virtual network. Redeployment supports both independent relocation of multiple workloads and private IP address range change in the target region. It's recommended that you use a Resource Manager template to relocate your virtual network.

+However, can also choose to move your virtual network with Azure Resource Mover. However, if you choose to move your virtual network with Azure Resource Mover, make sure that you understand the following considerations:

+**If you choose to use Resource Mover:**

+- All workloads in a virtual network must be relocated together.

+- A relocation using Azure Resource Mover doesn't support private IP address range change.

+- Azure Resource Mover can move resources such as Network Security Group and User Defined Route along with the virtual network. However, it's recommended that you move them separately. Moving them altogether can lead to failure of the Validate dependencies stage.

+- Resource Mover can't directly move NAT gateway instances from one region to another. To work around this limitation, see Create and configure NAT gateway after moving resources to another region.

+- Azure Resource Mover doesnΓÇÖt support any changes to the address space during the relocation process. As a result, when movement completes, both source and target have the same, and thus conflicting, address space. It's recommended that you do manual update of address space as soon as relocation completes.

+- Virtual Network Peering must be reconfigured after the relocation. It's recommended that you move the peering virtual network either before or with the source virtual network.

+- While performing the Initiate move steps with Azure Resource Mover, resources may be temporarily unavailable.

+To learn how to move your virtual network using Resource Mover, see [Move Azure VMs across regions](/azure/resource-mover/tutorial-move-region-virtual-machines).

+## Prerequisites

+- Confirm that your virtual network is in the source Azure region.

+- To export a virtual network and deploy a template to create a virtual network in another region, you need to have the Network Contributor role or higher.

+- Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, network security groups (NSGs), and public IPs.

+- Verify that your Azure subscription allows you to create virtual networks in the target region. To enable the required quota, contact support.

+- Confirm that your subscription has enough resources to support the addition of virtual networks for this process. For more information, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#networking-limits).

+- Understand the following considerations:

+ - If you enable private IP address range change, multiple workloads in a virtual network can be relocated independently of each other,

+ - The redeployment method supports the option to enable and disable private IP address range change in the target region.

+ - If you don't enable private IP address change in the target region, data migration scenarios that require communication between source and target region can only be established using public endpoints (public IP addresses).

+

+> [!IMPORTANT]

+> Starting July 1, 2021, you won't be able to add new tests in an existing workspace or enable a new workspace with Network performance monitor. You can continue to use the tests created prior to July 1, 2021. To minimize service disruption to your current workloads, migrate your tests from Network performance monitor to the new Connection monitor in Azure Network Watcher before February 29, 2024.

+## Plan

+To plan for your relocation of an Azure Virtual Network, you must understand whether you're relocating your virtual network in a connected or disconnected scenario. In a connected scenario, the virtual network has a routed IP connection to an on-premises datacenter using a hub, VPN Gateway, or an ExpressRoute connection. In a disconnected scenario, the virtual network is used by workload components to communicate with each other.

+### Disconnected scenario

+| Relocation with no IP Address Change | Relocation with IP Address Change |

+| --|--|

+| No other IP address ranges are needed. | Other IP Address ranges are needed. |

+| No IP Address change for resources after relocation. | IP Address change of resources after relocation |

+| All workloads in a virtual network must be relocated together. | Workload relocation without considering dependencies or partial relocation is possible (Take communication latency into account) |

+| Virtual Network in the source region needs to be disconnected or removed before the Virtual Network in the target region can be connected. | Enable communication shortcuts between source and target region using vNetwork peering. |

+| No support for data migration scenarios where you need communication between source and target region. | If communication between source and target region is required in data migration scenarios, you can establish network peering during relocation. |

+#### Disconnected relocation with the same IP-address range

+#### Disconnected relocation with a new IP-address range

+### Connected Scenario

+| Relocation with no IP Address Change | Relocation with IP Address Change |

+|--|--|

+| No other IP address ranges are needed.| Other IP Address ranges are needed. |

+| No IP Address change for resources after relocation. | IP Address change of resources after relocation.

+| All workloads with dependencies on each other need to be relocated together. | Workload relocation without considering dependencies possible (Take communication latency into account). |

+| No communication between the two virtual networks in the source and target regions is possible. | Possible to enable communication between source and target region using vNetwork peering.|

+| Data migrations where communication between source and target region isn't possible or can only established through public endpoints. | If communication between source and target region is required in data migration scenarios, you can establish network peering during relocation.|

+#### Connected relocation with the same IP-address range

+#### Connected relocation with a new IP-address range

+## Prepare

+1. Remove any virtual network peers. Virtual network peerings can't be re-created, and they'll fail if they're still present in the template. In the [Redeploy](#redeploy) section, you'll reconfigure peerings at the target virtual network.

+1. Move the diagnostic storage account that contains Network Watcher NSG logs. To learn how to move a storage account, see [Relocate Azure Storage Account to another region](./relocation-storage-account.md).

+1. [Relocate the Network Security Groups(NSG)](./relocation-virtual-network-nsg.md).

+1. Disable [DDoS Protection Plan](/azure/ddos-protection/manage-ddos-protection).

+### Export and modify a template

+# [Portal](#tab/azure-portal)

+**To export the virtual network and deploy the target virtual network by using the Azure portal:**

+1. Sign in to the [Azure portal](https://portal.azure.com), and then select **Resource Groups**.

+1. Locate the resource group that contains the source virtual network, and then select it.

+1. Select **Automation** > **Export template**.

+1. In the **Export template** pane, select **Deploy**.

+1. To open the *parameters.json* file in your online editor, select **Template** > **Edit parameters**.

+1. To edit the parameter of the virtual network name, change the **value** property under **parameters**:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "virtualNetworks_myVNET1_name": {

+ "value": "<target-virtual-network-name>"

+ }

+ }

+ }

+ ```

+1. In the editor, change the source virtual network name value in the editor to a name that you want for the target virtual network. Be sure to enclose the name in quotation marks.

+1. Select **Save** in the editor.

+1. To open the *template.json* file in the online editor, select **Template** > **Edit template**.

+1. In the online editor, to edit the target region, change the **location** property under **resources**:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('virtualNetworks_myVNET1_name')]",

+ "location": "<target-region>",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "6e2652be-35ac-4e68-8c70-621b9ec87dcb",

+ "addressSpace": {

+ "addressPrefixes": [

+ "10.0.0.0/16"

+ ]

+ },

+ ```

+1. To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name, without spaces (for example, **Central US** = **centralus**).

+1. (Optional) You can also change other parameters in the template, depending on your requirements:

+ * **Address Space**: Before you save the file, you can alter the address space of the virtual network by modifying the **resources** > **addressSpace** section and changing the **addressPrefixes** property:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('virtualNetworks_myVNET1_name')]",

+ "location": "<target-region",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "6e2652be-35ac-4e68-8c70-621b9ec87dcb",

+ "addressSpace": {

+ "addressPrefixes": [

+ "10.0.0.0/16"

+ ]

+ },

+ ```

+ * **Subnet**: You can change or add to the subnet name and the subnet address space by changing the template's **subnets** section. You can change the name of the subnet by changing the **name** property. And you can change the subnet address space by changing the **addressPrefix** property:

+ ```json

+ "subnets": [

+ {

+ "name": "subnet-1",

+ "etag": "W/\"d9f6e6d6-2c15-4f7c-b01f-bed40f748dea\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.0.0/24",

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ },

+ {

+ "name": "GatewaySubnet",

+ "etag": "W/\"d9f6e6d6-2c15-4f7c-b01f-bed40f748dea\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.1.0/29",

+ "serviceEndpoints": [],

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ }

+ ]

+ ```

+ To change the address prefix in the *template.json* file, edit it in two places:

+ - In the code in the preceding section

+ - In the **type** section of the following code.

+

+ Also, change the **addressPrefix** property in the following code to match the **addressPrefix** property in the code in the preceding section.

+ ```json

+ "type": "Microsoft.Network/virtualNetworks/subnets",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('virtualNetworks_myVNET1_name'), '/GatewaySubnet')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_myVNET1_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.1.0/29",

+ "serviceEndpoints": [],

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ },

+ {

+ "type": "Microsoft.Network/virtualNetworks/subnets",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('virtualNetworks_myVNET1_name'), '/subnet-1')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_myVNET1_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.0.0/24",

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ }

+ ]

+ ```

+1. In the online editor, select **Save**.

+# [PowerShell](#tab/azure-powershell)

+**To export the virtual network and deploy the target virtual network by using PowerShell:**

+1. Sign in to your Azure subscription with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command, and then follow the on-screen directions:

+

+ ```azurepowershell-interactive

+ Connect-AzAccount

+ ```

+1. Obtain the resource ID of the virtual network that you want to move to the target region, and then place it in a variable by using [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork):

+ ```azurepowershell-interactive

+ $sourceVNETID = (Get-AzVirtualNetwork -Name <source-virtual-network-name> -ResourceGroupName <source-resource-group-name>).Id

+ ```

+1. Export the source virtual network to a .json file in the directory where you execute the command [Export-AzResourceGroup](/powershell/module/az.resources/export-azresourcegroup):

+

+ ```azurepowershell-interactive

+ Export-AzResourceGroup -ResourceGroupName <source-resource-group-name> -Resource $sourceVNETID -IncludeParameterDefaultValue

+ ```

+1. The downloaded file has the same name as the resource group that the resource was exported from. Locate the *\<resource-group-name>.json* file, which you exported with the command, and then open it in your editor:

+

+ ```azurepowershell

+ notepad <source-resource-group-name>.json

+ ```

+1. To edit the parameter of the virtual network name, change the **defaultValue** property of the source virtual network name to the name of your target virtual network. Be sure to enclose the name in quotation marks.

+

+ ```json

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentmyResourceGroupVNET.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "virtualNetworks_myVNET1_name": {

+ "defaultValue": "<target-virtual-network-name>",

+ "type": "String"

+ }

+ ```

+1. To edit the target region where the virtual network will be moved, change the **location** property under resources:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('virtualNetworks_myVNET1_name')]",

+ "location": "<target-region>",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "6e2652be-35ac-4e68-8c70-621b9ec87dcb",

+ "addressSpace": {

+ "addressPrefixes": [

+ "10.0.0.0/16"

+ ]

+ },

+ ```

+

+1. To obtain region location codes, you can use the Azure PowerShell cmdlet [Get-AzLocation](/powershell/module/az.resources/get-azlocation) by running the following command:

+ ```azurepowershell-interactive

+ Get-AzLocation | format-table

+ ```

+1. (Optional) You can also change other parameters in the *\<resource-group-name>.json* file, depending on your requirements:

+ * **Address Space**: Before you save the file, you can alter the address space of the virtual network by modifying the **resources** > **addressSpace** section and changing the **addressPrefixes** property:

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2019-06-01",

+ "name": "[parameters('virtualNetworks_myVNET1_name')]",

+ "location": "<target-region",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "resourceGuid": "6e2652be-35ac-4e68-8c70-621b9ec87dcb",

+ "addressSpace": {

+ "addressPrefixes": [

+ "10.0.0.0/16"

+ ]

+ },

+ ```

+ * **Subnet**: You can change or add to the subnet name and the subnet address space by changing the file's **subnets** section. You can change the name of the subnet by changing the **name** property. And you can change the subnet address space by changing the **addressPrefix** property:

+ ```json

+ "subnets": [

+ {

+ "name": "subnet-1",

+ "etag": "W/\"d9f6e6d6-2c15-4f7c-b01f-bed40f748dea\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.0.0/24",

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ },

+ {

+ "name": "GatewaySubnet",

+ "etag": "W/\"d9f6e6d6-2c15-4f7c-b01f-bed40f748dea\"",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.1.0/29",

+ "serviceEndpoints": [],

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ }

+ ]

+ ```

+ To change the address prefix, edit the file in two places: in the code in the preceding section and in the **type** section of the following code. Change the **addressPrefix** property in the following code to match the **addressPrefix** property in the code in the preceding section.

+ ```json

+ "type": "Microsoft.Network/virtualNetworks/subnets",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('virtualNetworks_myVNET1_name'), '/GatewaySubnet')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_myVNET1_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.1.0/29",

+ "serviceEndpoints": [],

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ },

+ {

+ "type": "Microsoft.Network/virtualNetworks/subnets",

+ "apiVersion": "2019-06-01",

+ "name": "[concat(parameters('virtualNetworks_myVNET1_name'), '/subnet-1')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworks_myVNET1_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "addressPrefix": "10.0.0.0/24",

+ "delegations": [],

+ "privateEndpointNetworkPolicies": "Enabled",

+ "privateLinkServiceNetworkPolicies": "Enabled"

+ }

+ }

+ ]

+ ```

+1. Save the *\<resource-group-name>.json* file.

+## Redeploy

+# [Portal](#tab/azure-portal)

+1. To choose the subscription where the target virtual network will be deployed, select **Basics** > **Subscription**.

+1. To choose the resource group where the target virtual network will be deployed, select **Basics** > **Resource group**.

+ If you need to create a new resource group for the target virtual network, select **Create new**. Make sure that the name isn't the same as the source resource group name in the existing virtual network.

+1. Verify that **Basics** > **Location** is set to the target location where you want the virtual network to be deployed.

+1. Under **Settings**, verify that the name matches the name that you entered previously in the parameters editor.

+1. Select the **Terms and Conditions** check box.

+1. To deploy the target virtual network, select **Purchase**.

+1. [Reconfigure Virtual Network Peering](/azure/virtual-network/virtual-network-manage-peering).

+1. Enable Connection Monitor by following the guidelines in ([Migrate to Connection monitor from Network performance monitor](/azure/network-watcher/migrate-to-connection-monitor-from-network-performance-monitor)).

+1. Enable the DDoS Protection Plan. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.

+# [PowerShell](#tab/azure-powershell)

+1. Create a resource group in the target region for the target virtual network to be deployed by using [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup):

+

+ ```azurepowershell-interactive

+ New-AzResourceGroup -Name <target-resource-group-name> -location <target-region>

+ ```

+

+1. Deploy the edited *\<resource-group-name>.json* file to the resource group that you created in the previous step by using [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment):

+ ```azurepowershell-interactive

+ New-AzResourceGroupDeployment -ResourceGroupName <target-resource-group-name> -TemplateFile <source-resource-group-name>.json

+ ```

+1. To verify that the resources were created in the target region, use [Get-AzResourceGroup](/powershell/module/az.resources/get-azresourcegroup) and [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork):

+

+ ```azurepowershell-interactive

+ Get-AzResourceGroup -Name <target-resource-group-name>

+ ```

+ ```azurepowershell-interactive

+ Get-AzVirtualNetwork -Name <target-virtual-network-name> -ResourceGroupName <target-resource-group-name>

+ ```

+1. [Reconfigure Virtual Network Peering](/azure/virtual-network/scripts/virtual-network-powershell-sample-peer-two-virtual-networks).

+1. Enable Connection Monitor by following the guidelines in ([Migrate to Connection monitor from Network performance monitor](/azure/network-watcher/migrate-to-connection-monitor-from-network-performance-monitor)).

+1. Enable the DDoS Protection Plan. After the move, the auto-tuned policy thresholds for all the protected public IP addresses in the virtual network are reset.

+## Discard

+# [Portal](#tab/azure-portal)

+To discard the target virtual network, you delete the resource group that contains the target virtual network. To do so:

+1. On the Azure portal dashboard, select the resource group.

+1. At the top of the **Overview** pane, select **Delete**.

+# [PowerShell](#tab/azure-powershell)

+## Clean up

+# [Portal](#tab/azure-portal)

+To commit the changes and complete the virtual network move, you delete the source virtual network or resource group. To do so:

+1. On the Azure portal dashboard, select the virtual network or resource group.

+1. At the top of each pane, select **Delete**.

+# [PowerShell](#tab/azure-powershell)

+To commit your changes and complete the virtual network move, do either of the following:

+* Delete the resource group by using [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup):

+ ```azurepowershell-interactive

+ Remove-AzResourceGroup -Name <source-resource-group-name>

+ ```

+* Delete the source virtual network by using [Remove-AzVirtualNetwork](/powershell/module/az.network/remove-azvirtualnetwork):

+ ``` azurepowershell-interactive

+ Remove-AzVirtualNetwork -Name <source-virtual-network-name> -ResourceGroupName <source-resource-group-name>

+ ```

+## Next steps

+To learn more about moving resources between regions and disaster recovery in Azure, refer to:

+- [Move resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md)

+- [Move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md)

+ Title: Generate vector embeddings with Azure OpenAI in Azure Database for PostgreSQL.

+description: Use vector indexes and Azure Open AI embeddings in PostgreSQL for retrieval augmented generation (RAG) patterns.

+ Title: Copy data with Azure Storage Extension on Azure Database for PostgreSQL.

+description: Copy, export or read data from Azure Blob Storage with the Azure Storage extension for Azure Database for PostgreSQL - Flexible Server.

+## Release: February 2024

+* Support for [minor versions](./concepts-supported-versions.md) 16.1, 15.5, 14.10, 13.13, 12.17, 11.22 ^$

+- [Tampnet](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/tampnetas1686124551117.azure_tampnet_private_network?tab=Overview)

+| [Azure Container Registry](/azure/container-registry/zone-redundancy?toc=/azure/reliability) |

+| [Azure Cosmos DB](/azure/cosmos-db/high-availability?toc=/azure/reliability) |

+| [Azure Database for PostgreSQL](/azure/postgresql/flexible-server/how-to-manage-high-availability-portal#enable-high-availability-during-server-creation)|

+| [Azure Elastic SAN](reliability-elastic-san.md#availability-zone-migration)|

+| [Azure Functions](reliability-functions.md#availability-zone-migration)|

+| [Azure HDInsight](reliability-hdinsight.md#availability-zone-migration)|

+| [Azure Key Vault](/azure/key-vault/general/disaster-recovery-guidance?toc=/azure/reliability)|

+| [Azure Kubernetes Service](/azure/aks/availability-zones?toc=/azure/reliability)|

+| [Azure Logic Apps](/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard&toc=/azure/reliability)|

+| [Azure Service Bus](/azure/service-bus-messaging/service-bus-geo-dr#availability-zones?toc=/azure/reliability)|

+This guide describes how to migrate Log Analytics workspaces from non-availability zone support to availability support.

+> Application Insights resources can also use availability zones, but only if they are workspace-based and the workspace uses a dedicated cluster. Classic (non-workspace-based) Application Insights resources cannot use availability zones.

+To determine the current workspace link status for your workspace, use [CLI, PowerShell, or REST](../azure-monitor/logs/logs-dedicated-clusters.md#check-workspace-link-status) to retrieve the [cluster details](../azure-monitor/logs/logs-dedicated-clusters.md#check-cluster-provisioning-status). If the cluster uses an availability zone, then it has a property called `isAvailabilityZonesEnabled` with a value of `true`. Once a cluster is created, this property cannot be altered.

+Move your workspace to an availability zone by [creating a new dedicated cluster](../azure-monitor/logs/logs-dedicated-clusters.md#create-a-dedicated-cluster) in a region that supports availability zones. The cluster is automatically enabled for availability zones. Then [link your workspace to the new cluster](../azure-monitor/logs/logs-dedicated-clusters.md#link-a-workspace-to-a-cluster).

+Transitioning to a new cluster can be a gradual process. Don't remove the previous cluster until it is purged of any data. For example, if your workspace retention is set 60 days, you may want to keep your old cluster running for that period before removing it.

+Any queries against your workspace queries both clusters as required to provide you with a single, unified result set. As a result, all Azure Monitor features that rely on the workspace, such as workbooks and dashboards, continue to receive the full, unified result set based on data from both clusters.

+If you already have a dedicated cluster and choose to retain it to access its data, you are charged for both dedicated clusters. Starting August 4, 2021, the minimum required capacity reservation for dedicated clusters is reduced from 1000 GB/Daily to 500 GB/Daily, so weΓÇÖd recommend applying that minimum to your old cluster to reduce charges.

+## Related content

+- [Relocate Log Analytics workspaces to another region](../operational-excellence/relocation-log-analytics.md)

+- [Azure Monitor Logs Dedicated Clusters](../azure-monitor/logs/logs-dedicated-clusters.md)

+- [Azure Services that support Availability Zones](availability-zones-service-support.md)

+### Availability zone migration

+### Availability zone migration

+### Availability zone migration

+### Availability zone migration

+### Availability zone migration

+ > [!IMPORTANT]

+ > The value of the `sts:RoleSessionName` parameter must have the exact prefix `MicrosoftSentinel_`, otherwise the connector will not function properly.

+For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2218883&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).

+Follow these instructions to connect to AWS and stream your CloudTrail logs into Microsoft Sentinel. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2218883&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).

+>>[Investigate entities with entity pages](entity-pages.md)

+|[MITRE ATT&CK dashboard](mitre-coverage.md) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+|[Amazon Web Services](connect-aws.md?tabs=ct) |GA |&#x2705; |&#x2705; |&#10060; |

+|[Windows DNS Events via AMA](connect-dns-ama.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Add entities to threat intelligence](add-entity-to-threat-intelligence.md?tabs=incidents) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+|[Notebooks](notebooks.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Notebook integration with Azure Synapse](notebooks-with-synapse.md) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+Using [KQL](/azure/data-explorer/kusto/query/), we can query the **BehaviorAnalytics** table.

+> [!NOTE]

+> The *UserAccessAnalytics* table has been deprecated.

+Without multifactor authentication (MFA) enabled, user credentials are vulnerable to attackers looking to compromise attacks with [password spraying](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/) or [spear phishing](https://www.microsoft.com/security/blog/2019/12/02/spear-phishing-campaigns-sharper-than-you-think/) attempts.

+| v1.33.0 | March 1, 2024 | March 1, 2025 |

+* macOS 10.15 Catalina and later versions

+ - azure-synapse

+| [Data Warehouse Units (DWU)](what-is-a-data-warehouse-unit-dwu-cdwu.md) |Default [Database Transaction Unit (DTU)](/azure/azure-sql/database/service-tiers-dtu?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2ftoc.json) per server |54,000<br></br>By default, each SQL server (for example, `myserver.database.windows.net`) has a DTU Quota of 54,000, which allows up to DW6000c. This quota is simply a safety limit. You can increase your quota by [creating a support ticket](sql-data-warehouse-get-started-create-support-ticket.md) and selecting *Quota* as the request type. To calculate your DTU needs, multiply the 7.5 by the total DWU needed, or multiply 9 by the total cDWU needed. For example:<br></br>DW6000 x 7.5 = 45,000 DTUs<br></br>DW7500c x 9 = 67,500 DTUs.<br></br>You can view your current DTU consumption from the SQL server option in the portal. Both paused and unpaused databases count toward the DTU quota. |

+| Database connection |Maximum Concurrent open sessions |1024<br/><br/>The number of concurrent open sessions vary based on the selected DWU. DWU1000c and higher support a maximum of 1,024 open sessions. DWU500c and lower support a maximum concurrent open session limit of 512. Note, there are limits on the number of queries that can execute concurrently. When the concurrency limit is exceeded, the request goes into an internal queue where it waits to be processed.<br><br/>Idle session connections are not automatically closed. |

+| [Workload management](resource-classes-for-workload-management.md) |Maximum concurrent queries |128<br/><br/>A maximum of 128 concurrent queries can execute and remaining queries are queued.<br/><br/>The number of concurrent queries can decrease when users are assigned to higher resource classes or when the [data warehouse unit](memory-concurrency-limits.md) setting is lowered. Some queries, like DMV queries, are always allowed to run and do not affect the concurrent query limit. For more information on concurrent query execution, see the [concurrency maximums](memory-concurrency-limits.md) article. |

+| [tempdb](sql-data-warehouse-tables-temporary.md) |Maximum GB |399 GB per DW100c. For example, at DWU1000c, `tempdb` is sized to 3.99 TB. |

+| Database |Max size | Gen1: 240 TB compressed on disk. This space is independent of `tempdb` or log space, and therefore this space is dedicated to permanent tables. Clustered columnstore compression is estimated at 5X. This compression allows the database to grow to approximately 1 PB when all tables are clustered columnstore (the default table type). <br/><br/> Gen2: Unlimited storage for columnstore tables. Rowstore portion of the database is still limited to 240 TB compressed on disk. |

+| Table |Columns per table |1,024 columns |

+| Table |Bytes per row, defined size |8,060 bytes<br/><br/>The number of bytes per row is calculated in the same manner as it is for SQL Server with page compression. Like SQL Server, row-overflow storage is supported, which enables **variable length columns** to be pushed off-row. When variable length rows are pushed off-row, only 24-byte root is stored in the main record. For more information, see [Row-Overflow Data Exceeding 8 KB](/previous-versions/sql/sql-server-2008-r2/ms186981(v=sql.105)). |

+| Index |Nonclustered indexes per table. |50<br/><br/>Applies to rowstore tables only. |

+|Polybase Loads|Total number of files|1,000,000<br/><br/>Polybase loads cannot exceed more than 1M files. You might experience the following error: **Operation failed as split count exceeding upper bound of 1000000**.|

+| SELECT results |Columns per row |4096<br/><br/>You can never have more than 4,096 columns per row in the SELECT result. There is no guarantee that you can always have 4096. If the query plan requires a temporary table, the 1,024 columns per table maximum might apply. |

+| SELECT |Columns per JOIN |1,024 columns<br/><br/>You can never have more than 1,024 columns in the JOIN. There is no guarantee that you can always have 1024. If the JOIN plan requires a temporary table with more columns than the JOIN result, the 1024 limit applies to the temporary table. |

+| SELECT |Bytes per GROUP BY columns. |8060<br/><br/>The columns in the GROUP BY clause can have a maximum of 8,060 bytes. |

+| SELECT |Bytes per ORDER BY columns |8,060 bytes<br/><br/>The columns in the ORDER BY clause can have a maximum of 8,060 bytes |

+| Identifiers per statement |Number of referenced identifiers |65,535<br/><br/> The number of identifiers that can be contained in a single expression of a query is limited. Exceeding this number results in SQL Server error 8632. For more information, see [Internal error: An expression services limit has been reached](https://support.microsoft.com/help/913050/error-message-when-you-run-a-query-in-sql-server-2005-internal-error-a). |

+Cumulative data in DMVs reset when a dedicated SQL pool is paused or when it is scaled.

+| [sys.dm_pdw_request_steps](/sql/relational-databases/system-dynamic-management-views/sys-dm-pdw-request-steps-transact-sql?view=azure-sqldw-latest&preserve-view=true) |Total number of steps for the most recent 1000 SQL requests that are stored in `sys.dm_pdw_exec_requests`. |

+| [sys.dm_pdw_sql_requests](/sql/relational-databases/system-dynamic-management-views/sys-dm-pdw-sql-requests-transact-sql?view=azure-sqldw-latest&preserve-view=true) |The most recent 1000 SQL requests that are stored in `sys.dm_pdw_exec_requests`. |

+## Related content

+- [Cheat sheet for dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics](cheat-sheet.md)

+- [Best practices for dedicated SQL pools in Azure Synapse Analytics](../sql/best-practices-dedicated-sql-pool.md)

+- [Synapse implementation success methodology: Evaluate dedicated SQL pool design](../guidance/implementation-success-evaluate-dedicated-sql-pool-design.md)

+Because the Azure VM Dependency agent works at the kernel level, operating system support is also dependent on the kernel version. As of Dependency agent version 9.10.* the agent supports * kernels. The following table lists the major and minor Linux OS release and supported kernel versions for the Dependency agent.

+The Azure VM Dependency agent extension for Windows can be run against the supported operating systems listed in the following table. All operating systems in the following table are assumed to be x64. x86 isn't supported for any operating system.