+## February 2024

+### New articles

+- [Enable CAPTCHA in Azure Active Directory B2C](add-captcha.md)

+- [Define a CAPTCHA technical profile in an Azure Active Directory B2C custom policy](captcha-technical-profile.md)

+- [Verify CAPTCHA challenge string using CAPTCHA display control](display-control-captcha.md)

+### Updated articles

+- [Enable custom domains in Azure Active Directory B2C](custom-domain.md) - Updated steps to block the default B2C domain

+- [Manage Azure AD B2C custom policies with Microsoft Graph PowerShell](manage-custom-policies-powershell.md) - Microsoft Graph PowerShell updates

+- [Localization string IDs](localization-string-ids.md) - CAPTCHA updates

+- [Page layout versions](page-layout.md) - CAPTCHA updates

+|TIFF | Each image in the TIFF = 1 page unit | Total images in the TIFF |

+This article is to help you understand the support lifecycle for the Azure OpenAI API previews. New preview APIs target a monthly release cadence. Post April 2, 2024, the latest three preview APIs will remain supported while older APIs will no longer be supported.

+> [!NOTE]

+> The `2023-06-01-preview` API will remain supported at this time, as `DALL-E 2` is only available in this API version. `DALL-E 3` is supported in the latest API releases.

+The number of concurrent calls you can achieve depends on each call's shape (prompt size, max_token parameter, etc). The service will continue to accept calls until the utilization reach 100%. To determine the approximate number of concurrent calls you can model out the maximum requests per minute for a particular call shape in the [capacity calculator](https://oai.azure.com/portal/calculator). If the system generates less than the number of samplings tokens like max_token, it will accept more requests.

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) (This version or greater required for Vision scenarios) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-12-01-preview (retiring April 2, 2024)` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+- `2023-12-01-preview` (retiring April 2, 2024) [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-12-01-preview/inference.json)

+| `Granularity` | Determines the lowest level of evaluation granularity. Returns scores for levels greater than or equal to the minimal value. Accepted values are `Phoneme`, which shows the score on the full text, word, syllable, and phoneme level, `Word`, which shows the score on the full text and word level, or `FullText`, which shows the score on the full text level only. The provided full reference text can be a word, sentence, or paragraph. It depends on your input reference text. Default: `Phoneme`.|

+* Azure AI Studio currently doesn't support bring your own virtual network, it only supports managed VNet isolation.

+To connect to Azure AI services (Azure OpenAI, Azure AI Search, and Azure AI Content Safety) or storage accounts in Azure AI Studio, create a private endpoint in your virtual network. Ensure the PNA (Public Network Access) flag is disabled when creating the private endpoint connection. For more about Azure AI services connections, follow documentation [here](../../ai-services/cognitive-services-virtual-networks.md). You can optionally bring your own (BYO) search, but this requires a private endpoint connection from your virtual network.

+Telemetry data helps the SDK team understand how the SDK is used so it can be improved and the information about failures helps the team resolve problems and fix bugs. The SDK telemetry feature is enabled by default for Jupyter Notebook usage and can't be enabled for non-Jupyter scenarios.

+To opt out of the telemetry feature in a Jupyter scenario:

+- When using the `azure-ai-generative` package, set both of the following environment variables to `"False"`: `"AZURE_AI_GENERATIVE_ENABLE_LOGGING"` and `"AZURE_AI_RESOURCES_ENABLE_LOGGING"`. Both environment variables need to be set to `"False"` since `azure-ai-generative` is dependent on `azure-ai-resources`.

+- When using the `azure-ai-resources` package, set the environment variable `"AZURE_AI_RESOURCES_ENABLE_LOGGING"` to `"False"`.

+description: Recommendations and best practices for optimizing costs in Azure Kubernetes Service (AKS).

+Cost optimization is about maximizing the value of resources while minimizing unnecessary expenses within your cloud environment. This process involves identifying cost effective configuration options and implementing best practices to improve operational efficiency. An AKS environment can be optimized to minimize cost while taking into account performance and reliability requirements.

+In this article, you learn about:

+> [!div class="checklist"]

+> * Strategic infrastucture selection

+> * Dynamic rightsizing and autoscaling

+> * Leveraging Azure discounts for substantial savings

+> * Holistic monitoring and FinOps practices

+## Prepare the application environment

+### Evaluate SKU family

+It's important to evaluate the resource requirements of your application prior to deployment. Small development workloads have different infrastructure needs than large production ready workloads. While a combination of CPU, memory, and networking capacity configurations heavily influences the cost effectiveness of a SKU, consider the following VM types:

+- [**Azure Spot Virtual Machines**](/azure/virtual-machines/spot-vms) - [Spot node pools](./spot-node-pool.md) are backed by Azure Spot Virtual machine scale sets and deployed to a single fault domain with no high availability or SLA guarantees. Spot VMs allow you to take advantage of unutilized Azure capacity with significant discounts (up to 90% as compared to pay-as-you-go prices). If Azure needs capacity back, the Azure infrastructure evicts the Spot nodes. _Best for dev/test environments, workloads that can handle interruptions such as batch processing jobs, and workloads with flexible execution time._

+- [**Ampere Altra Arm-based processors (ARM64)**](https://azure.microsoft.com/blog/now-in-preview-azure-virtual-machines-with-ampere-altra-armbased-processors/) - ARM64 VMs are power-efficient and cost effective but don't compromise on performance. With [AMR64 node pool support in AKS](./create-node-pools.md#arm64-node-pools), you can create ARM64 Ubuntu agent nodes and even mix Intel and ARM architecture nodes within a cluster. These ARM VMs are engineered to efficiently run dynamic, scalable workloads and can deliver up to 50% better price-performance than comparable x86-based VMs for scale-out workloads. _Best for web or application servers, open-source databases, cloud-native applications, gaming servers, and more._

+- [**GPU optimized SKUs**](/azure/virtual-machines/sizes) - Depending on the nature of your workload, consider using compute optimized, memory optimized, storage optimized, or even graphical processing unit (GPU) optimized VM SKUs. GPU VM sizes are specialized VMs that are available with single, multiple, and fractional GPUs. _[GPU-enabled Linux node pools on AKS](./gpu-cluster.md) are best for compute-intensive workloads like graphics rendering, large model training and inferencing._

+> [!NOTE]

+> The cost of compute varies across regions. When picking a less expensive region to run workloads, be conscious of the potential impact of latency as well as data transfer costs. To learn more about VM SKUs and their characteristics, see [Sizes for virtual machines in Azure](/azure/virtual-machines/sizes).

+### Use cluster preset configurations

+Picking the right VM SKU, regions, number of nodes, and other configuration options can be difficult upfront. [Cluster preset configurations](./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal) in the Azure portal offloads this initial challenge by providing recommended configurations for different application environments that are cost-conscious and performant. The **Dev/Test** preset is best for developing new workloads or testing existing workloads. The **Production Economy** preset is best for serving production traffic in a cost-conscious way if your workloads can tolerate interruptions. Noncritical features are off by default and the preset values can be modified at any time.

+### Consider multitenancy

+AKS offer flexibility in how you run multitenant clusters and isolate resources. For friendly multitenancy, clusters and infrastructure can be shared across teams and business units through [_logical isolation_](./operator-best-practices-cluster-isolation.md#logically-isolated-clusters). Kubernetes [Namespaces](./concepts-clusters-workloads.md#namespaces) form the logical isolation boundary for workloads and resources. Sharing infrastructure reduces cluster management overhead while also improving resource utilization and pod density within the cluster. To learn more about multitenancy on AKS and to determine if it's right for your organizational needs, see [AKS considerations for multitenancy](/azure/architecture/guide/multitenant/service/aks) and [Design clusters for multitenancy](./operator-best-practices-cluster-isolation.md#design-clusters-for-multi-tenancy).

+> [!WARNING]

+> Kubernetes environments aren't entirely safe for hostile multitenancy. If any tenant on the shared infrastructure can't be trusted, additional planning is needed to prevent tenants from impacting the security of other services.

+>

+> Consider [_physical isolation_](./operator-best-practices-cluster-isolation.md#physically-isolated-clusters) boundaries. In this model, teams or workloads are assigned to their own cluster. Added management and financial overhead will be a tradeoff.

+## Build cloud native applications

+### Make your container as lean as possible

+A lean container refers to optimizing the size and resource footprint of the containerized application. Check that your base image is minimal and only contains the necessary dependencies. Remove any unnecessary libraries and packages. A smaller container image will accelerate deployment times and increase scaling operation efficiency. Going one step further, [Artifact Streaming on AKS](./artifact-streaming.md) allows you to stream container images from Azure Container Registry (ACR). It pulls only the necessary layer for initial pod startup, reducing the pull time for larger images from minutes to seconds.

+### Enforce resource quotas

+[Resource quotas](./operator-best-practices-scheduler.md#enforce-resource-quotas) provide a way to reserve and limit resources across a development team or project. Quotas are defined on a namespace and can set on compute resources, storage resources, and object counts. When you define resource quotas, individual namespaces are prevented from consuming more resources than allocated. This is particularly important for multi-tenant clusters where teams are sharing infrastructure.

+### Use cluster start stop

+Small development and test clusters, when left unattended, can realize large amounts of unnecessary spending. Turn off clusters that don't need to run at all times using [cluster start and stop](./start-stop-cluster.md?tabs=azure-cli). Doing so shuts down all system and user node pools so you arenΓÇÖt paying for extra compute. All objects and cluster state will be maintained when you start the cluster again.

+### Use capacity reservations

+Capacity reservations allow you to reserve compute capacity in an Azure region or Availability Zone for any duration of time. Reserved capacity will be available for immediate use until the reservation is deleted. [Associating an existing capacity reservation group to a node pool](./manage-node-pools.md#associate-capacity-reservation-groups-to-node-pools) guarantees allocated capacity for your node pool and helps you avoid potential on-demand pricing spikes during periods of high compute demand.

+## Monitor your environment and spend

+### Increase visibility with Microsoft Cost Management

+[Microsoft Cost Management](/azure/cost-management-billing/cost-management-billing-overview) offers a broad set of capabilities to help with cloud budgeting, forecasting, and visibility for costs both inside and outside of the cluster. Proper visibility is essential for deciphering spending trends, identifying optimization opportunities, and increasing accountability amongst application developers and platform teams. Enable the [AKS Cost Analysis add-on](./cost-analysis.md) for granular cluster cost breakdown by Kubernetes constructs along with Azure Compute, Network, and Storage categories.

+### Azure Monitor

+If you're ingesting metric data via Container insights, we recommended migrating to managed Prometheus metrics, which offers a significant cost reduction. You can [disable Container insights metrics using the data collection rule (DCR)](/azure/azure-monitor/containers/container-insights-data-collection-dcr?tabs=portal) and deploy the [managed Prometheus add-on](./network-observability-managed-cli.md?tabs=non-cilium#azure-managed-prometheus-and-grafana), which supports configuration via Azure Resource Manager, Azure CLI, Azure portal, and Terraform.

+If you rely on log ingestion, we also recommended using the Basic Logs API to reduce Log Analytics costs. To learn more, see [Azure Monitor best practices](/azure/azure-monitor/best-practices-containers#cost-optimization) and [managing costs for Container insights](/azure/azure-monitor/containers/container-insights-cost).

+## Optimize workloads through autoscaling

+### Enable Application Autoscaling

+#### Vertical Pod Autoscaling

+Requests and limits that are significantly higher than actual usage can result in overprovisioned workloads and wasted resources. In contrast, requests and limits that are too low can result in throttling and workload issues due to lack of memory. [Vertical Pod Autoscaler (VPA)](./vertical-pod-autoscaler.md) allows you to fine-tune CPU and memory resources required by your pods. VPA provides recommended values for CPU and memory requests and limits based on historical container usage, which you can set manually or update automatically. _Best for applications with fluctuating resource demands._

+#### Horizontal Pod Autoscaling

+[Horizontal Pod Autoscaler (HPA)](./concepts-scale.md#horizontal-pod-autoscaler) dynamically scales the number of pod replicas based on an observed metric such as CPU or memory utilization. During periods of high demand, HPA scales out, adding more pod replicas to distribute the workload. During periods of low demand, HPA scales in, reducing the number of replicas to conserve resources. _Best for applications with predictable resource demands._

+> [!WARNING]

+> You shouldn't use the VPA in conjunction with the HPA on the same CPU or memory metrics. This combination can lead to conflicts, as both autoscalers attempt to respond to changes in demand using the same metrics. However, you can use the VPA for CPU or memory in conjunction with the HPA for custom metrics to prevent overlap and ensure that each autoscaler focuses on distinct aspects of workload scaling.

+#### Kubernetes Event-driven Autoscaling

+[Kubernetes Event-driven Autoscaler (KEDA) add-on](./keda-about.md) provides additional flexibility to scale based on various event-driven metrics that align with your application behavior. For example, for a web application, KEDA can monitor incoming HTTP request traffic and adjust the number of pod replicas to ensure the application remains responsive. For processing jobs, KEDA can scale the application based on message queue length. Managed support is provided for all [Azure Scalers](https://keda.sh/docs/2.13/scalers/).

+### Enable Infrastructure Autoscaling

+#### Cluster Autoscaling

+To keep up with application demand, [Cluster Autoscaler](./cluster-autoscaler-overview.md) watches for pods that can't be scheduled due to resource constraints and scales the number of nodes in the node pool accordingly. When nodes don't have running pods, Cluster Autoscaler will scale down the number of nodes. Note that Cluster Autoscaler profile settings apply to all autoscaler-enabled nodepools in the cluster. To learn more, see [Cluster Autoscaler best practices and considerations](./cluster-autoscaler-overview.md#best-practices-and-considerations).

+#### Node Autoprovisioning

+Complicated workloads may require several node pools with different VM size configurations to accommodate CPU and memory requirements. Accurately selecting and managing several node pool configurations adds complexity and operational overhead. [Node Autoprovision (NAP)](./node-autoprovision.md?tabs=azure-cli) simplifies the SKU selection process and decides, based on pending pod resource requirements, the optimal VM configuration to run workloads in the most efficient and cost effective manner.

+> [!NOTE]

+> Refer to [Performance and scaling for small to medium workloads in Azure Kubernetes Service (AKS)](./best-practices-performance-scale.md) and [Performance and scaling best practices for large workloads in Azure Kubernetes Service (AKS)](./best-practices-performance-scale-large.md) for additional scaling best practices.

+## Save with Azure discounts

+### Azure Reservations

+If your workload is predictable and exists for an extended period of time, consider purchasing an [Azure Reservation](/azure/cost-management-billing/reservations/save-compute-costs-reservations) to further reduce your resource costs. Azure Reservations operate on a one-year or three-year term, offering up to 72% discount as compared to pay-as-you-go prices for compute. Reservations automatically apply to matching resources. _Best for workloads that are committed to running in the same SKUs and regions over an extended period of time._

+### Azure Savings Plan

+If you have consistent spend but your use of disparate resources across SKUs and regions makes Azure Reservations infeasible, consider purchasing an [Azure Savings Plan](/azure/cost-management-billing/savings-plan/savings-plan-compute-overview). Like Azure Reservations, Azure Savings Plans operate on a one-year or three-year term and automatically apply to any resources within benefit scope. You commit to spend a fixed hourly amount on compute resources irrespective of SKU or region. _Best for workloads that utilize different resources and/or different datacenter regions._

+### Azure Hybrid Benefit

+[Azure Hybrid Benefit for Azure Kubernetes Service (AKS)](./azure-hybrid-benefit.md) allows you to maximize your on-premises licenses at no additional cost. Use any qualifying on-premises licenses that also have an active Software Assurance (SA) or a qualifying subscription to get Windows VMs on Azure at a reduced cost.

+## Embrace FinOps to build a cost saving culture

+[Financial operations (FinOps)](https://www.finops.org/introduction/what-is-finops/) is a discipline that combines financial accountability with cloud management and optimization. It focuses on driving alignment between finance, operations, and engineering teams to understand and control cloud costs. The FinOps foundation has released several notable projects:

+- [FinOps Framework](https://finops.org/framework) - an operating model for how to practice and implement FinOps.

+- [FOCUS Specification](https://focus.finops.org/) - a technical specification and open standard for cloud usage, cost, and billing data across all major cloud provider services.

+## Next steps

+Cost optimization is an ongoing and iterative effort. Learn more by reviewing the following recommendations and architecture guidance:

+* [Microsoft Azure Well-Architected Framework for AKS - Cost Optimization Design Principles](/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service#cost-optimization)

+* [Baseline Architecture Guide for AKS](/azure/architecture/reference-architectures/containers/aks/baseline-aks)

+* [Optimize Compute Costs on AKS](/training/modules/aks-optimize-compute-costs/)

+* [AKS Cost Optimization Techniques](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-kubernetes-service-aks-cost-optimization-techniques/ba-p/3652908)

+* [What is FinOps?](/azure/cost-management-billing/finops/)

+* Make sure you're collecting and retaining only the necessary log data to support your requirements. [Configure data collection rules for your AKS workloads](../azure-monitor/containers/container-insights-data-collection-configmap.md#data-collection-settings) and implement design considerations for [optimizing your Log Analytics costs](../azure-monitor/best-practices-cost.md).

+> [!IMPORTANT]

+> The token needs to be refreshed periodically. If you use [SDK][sdk], the rotation is automatic, otherwise, you need to refresh the token every 24 hours manually.

+[sdk]: workload-identity-overview.md#azure-identity-client-libraries

+>[!Note]

+> .NET apps targeting PostgreSQL should set the connection string to **Custom** as workaround for a [knows issue in .NET EnvironmentVariablesConfigurationProvider](https://github.com/dotnet/runtime/issues/36123)

+>

+> [!NOTE]

+> If your scenario relied on the dynamic nature of the `Document` type to identify different schemas and types of events, you can use a base abstract type with the common properties across your types or dynamic types like `JObject` that allow to access properties like `Document` did.

+| January 2024 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.5 won't install on Arc enabled servers. **This issue was fixed in 1.29.6**</li></ul>**Windows**<ul><li>Added support for Transport Layer Security 1.3</li><li>Reverted a change to enable multiple IIS subscriptions to use same filter. Feature will be redeployed once memory leak is fixed.</li><li>Improved ETW event throughput rate</li></ul>**Linux**<ul><li>Fix Error messages logged intended for mdsd.err went to mdsd.warn instead in 1.29.4 only. Likely error messages: "Exception while uploading to Gig-LA : ...", "Exception while uploading to ODS: ...", "Failed to upload to ODS: ..."</li><li>Reduced noise generated by AMAs' use of semanage when SELinux is enabled"</li></ul> | 1.23.0 | 1.29.5, 1.29.6 |

+> * On February 29, 2024, Continuous Export was retired as part of the classic Application Insights resource retirement.

+This section provides templates.

+ > [!CAUTION]

+ > Ensure that you have removed all Continous Export settings from your resource before running the migration templates. See [Prerequisites](#prerequisites)

+We strongly encourage manual migration to workspace-based resources, which is initiated by selecting the retirement notice banner in the classic Application Insights resource Overview pane of the Azure portal. This process typically involves a single step of choosing which Log Analytics workspace will be used to store your application data. If you use continuous export, you'll need to additionally migrate to diagnostic settings or disable the feature first.

+> The sampling overrides feature is in GA, starting from 3.5.0.

+ "overrides": [

+ {

+ "telemetryType": "request",

+ "attributes": [

+ ...

+ ],

+ "percentage": 0

+ },

+ {

+ "telemetryType": "request",

+ "attributes": [

+ ...

+ ],

+ "percentage": 100

+ }

+ ]

+ "sampling": {

+ "overrides": [

+ {

+ "telemetryType": "request",

+ "attributes": [

+ {

+ "key": "url.path",

+ "value": "/health-check",

+ "matchType": "strict"

+ }

+ ],

+ "percentage": 0

+ }

+ ]

+ "sampling": {

+ "overrides": [

+ {

+ "telemetryType": "dependency",

+ "attributes": [

+ {

+ "key": "db.system",

+ "value": "redis",

+ "matchType": "strict"

+ },

+ {

+ "key": "db.statement",

+ "value": "GET my-noisy-key",

+ "matchType": "strict"

+ }

+ ],

+ "percentage": 0

+ }

+ ]

+ "sampling": {

+ "overrides": [

+ {

+ "telemetryType": "request",

+ "attributes": [

+ {

+ "key": "url.path",

+ "value": "/login",

+ "matchType": "strict"

+ }

+ ],

+ "percentage": 100

+ }

+ ]

+* `Span1` Name: 'spanA' Attributes: {env: dev, test_request: 123, credit_card: 1234}

+* `Span2` Name: 'spanB' Attributes: {env: dev, test_request: false}

+* `Span3` Name: 'spanA' Attributes: {env: 1, test_request: dev, credit_card: 1234}

+* `Span1` Name: 'spanA' Attributes: {env: dev, test_request: 123, credit_card: 1234}

+* `Span2` Name: 'spanB' Attributes: {env: dev, test_request: false}

+* `Span3` Name: 'spanA' Attributes: {env: 1, test_request: dev, credit_card: 1234}

+* `Span1` Name: 'spanB' Attributes: {env: dev, test_request: 123, credit_card: 1234}

+* `Span2` Name: 'spanA' Attributes: {env: dev, test_request: false}

+* `Span3` Name: 'spanB' Attributes: {env: 1, test_request: dev, credit_card: 1234}

+* `Span1` Name: 'spanB' Attributes: {env: production, test_request: 123, credit_card: 1234, redact_trace: "false"}

+* `Span2` Name: 'spanA' Attributes: {env: staging, test_request: false, redact_trace: true}

+* `Span3` Name: 'spanB' Attributes: {env: production, test_request: true, credit_card: 1234, redact_trace: false}

+For example, given `url.path = /path?queryParam1=value1,queryParam2=value2`, the following attributes are inserted:

+* url.path: *no* change

+ "key": "url.path",

+For example, given `url.path = https://example.com/user/12345622` is updated to `url.path = https://example.com/user/****` using either of the below configurations.

+ "key": "url.path",

+ "key": "url.path",

+### Nonstring typed attributes samples

+Starting 3.4.19 GA, telemetry processors support nonstring typed attributes:

+Additionally, nonstring typed attributes support `regexp`.

+| `http.request.method` (used to be `http.method`) | string | HTTP request method.|

+| `url.full` (client span) or `url.path` (server span) (used to be `http.url`) | string | Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`. The fragment isn't usually transmitted over HTTP. But if the fragment is known, it should be included.|

+| `http.response.status_code` (used to be `http.status_code`) | number | [HTTP response status code](https://tools.ietf.org/html/rfc7231#section-6).|

+| `network.protocol.version` (used to be `http.flavor`) | string | Type of HTTP protocol. |

+| `user_agent.original` (used to be `http.user_agent`) | string | Value of the [HTTP User-Agent](https://tools.ietf.org/html/rfc7231#section-5.5.3) header sent by the client. |

+ It matches any telemetry that has attributes named `http.request.method` and `url.path`.

+ Then it extracts `url.path` attribute into a new attribute named `tempName`.

+ { "key": "http.request.method" },

+ { "key": "url.path" }

+ "key": "url.path",

+ "fromAttributes": [ "http.request.method", "tempPath" ],

+# Create a SpanEnrichingProcessor instance.

+span_enrich_processor = SpanEnrichingProcessor()

+ # Configure the custom span processors to include span enrich processor.

+ span_processors=[span_enrich_processor],

+Add `SpanEnrichingProcessor` to your project with the following code:

+ # Configure the custom span processors to include span filter processor.

+ span_processors=[span_filter_processor],

+ Add `SpanFilteringProcessor` to your project with the following code:

+- Python Application using Python 3.8+

+> [3.5.0](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.5.0),

+| [PowerShell](vminsights-enable-powershell.md) | Use a PowerShell script to enable multiple machines. |

+| Maximum number of quota rules per volume | 100 | No |

+> You can also revert the option from *Standard* back to *Basic* network features. However, before performing the revert operation, you need to submit a waitlist request through the **[Azure NetApp Files standard networking features (edit volumes) Request Form](https://aka.ms/anfeditnetworkfeatures)**. The revert capability can take approximately one week to be enabled after you submit the waitlist request. You can check the status of the registration by using the following command:

+> If you convert from NFSv4.1 to NFSv3, all advanced NFSv4.1 features such as Access Control Lists (ACLs) and file locking become unavailable.

+* Converting a volume from NFSv3 to NFSv4.1 causes the `.snapshot` directory to be hidden from NFSv4.1 clients. The directory remains accessible.

+* Converting a volume from NFSv4.1 to NFSv3 causes the `.snapshot` directory to be visible. You can modify the properties of the volume to [hide the snapshot path](snapshots-edit-hide-path.md).

+> Converting a volume from NFSv4.1 to NFSv3 results in all NFSv4.1 features such as ACLs and file locking to become unavailable.

+* `Microsoft.NetApp/locations/{location}/regionInfos`

+* You can create a maximum number of 100 quota rules for a volume.

+## Rearrange your favorite services

+When you add a new service to your **Favorites** list, it appears as the last item in the list. To move it to a different position, select the new service, then drag and drop it to the desired location.

+You can continue to drag and drop any service in your **Favorites** list to place them in the order you choose.

+2. On the information card, select the star so that it changes from filled to unfilled.

+The service is then removed from your **Favorites** list.

+- Learn how to [manage your settings and preferences in the Azure portal](set-preferences.md).

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+ai-usage: ai-assisted

+* Cloud Backup for Virtual Machines uses the Azure REST API to collect information about your Azure NetApp Files datastores and create Azure NetApp Files snapshots. To interact with the [Azure REST API](/rest/api/azure/), the Cloud Backup for Virtual Machines virtual appliance requires outbound internet access from your Azure VMware Solution SDDC via HTTPS. For more information, see [Internet connectivity design considerations](../azure-vmware/concepts-design-public-internet-access.md).

+```

+az rest --method delete --"https://management.azure.com/subscriptions/%3Csubscrption-id%3E/resourcegroups/%3Cresource-group-name%3E/providers/Microsoft.AVS/privateClouds/%3Cprivate-cloud-name%3E/addons/arc?api-version=2022-05-01%22"

+```

+## Under the hood

+How does the tunnel tool work? Under the hood it starts a tunnel connection to the Web PubSub service. Tunnel connection is a persistent connection (WebSocket) connects to the `/server/tunnel` endpoint, and it is considered as one kind of server connections. You could also use ACL rules in the service to disable such connections from connecting.

+| Microsoft Entra ID | `*.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | 443 <br><br> As applicable |

+| Microsoft Entra ID | `*.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | 443 <br><br> As applicable |

+| Azure AD | `*.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online) | 443 <br><br> As applicable |

+| Azure AD | `*.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online) | 443 <br><br> As applicable

+| Microsoft Entra ID | `*.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). | 443 <br><br> As applicable |

+| Microsoft Entra ID |`*.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). | 443 <br><br> As applicable |

+ [!INCLUDE [Important about BastionSubnet size](../../includes/bastion-subnet-size.md)]

+ [!INCLUDE [Note about BastionSubnet size](../../includes/bastion-subnet-size.md)]

+ Title: Provision a pool with Auto OS Upgrade

+description: Learn how to create a Batch pool with Auto OS Upgrade so that customers can have control over their OS upgrade strategy to ensure safe, workload-aware OS upgrade deployments.

+# Create an Azure Batch pool with Automatic Operating System (OS) Upgrade

+> [!IMPORTANT]

+> - Support for pools with Auto OS Upgrade in Azure Batch is currently in public preview, and is currently controlled by an account-level feature flag. If you want to use this feature, please start a [support request](../azure-portal/supportability/how-to-create-azure-support-request.md) and provide your batch account to request its activation.

+> - This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> - For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+When you create an Azure Batch pool, you can provision the pool with nodes that have Auto OS Upgrade enabled. This article explains how to set up a Batch pool with Auto OS Upgrade.

+## Why use Auto OS Upgrade?

+Auto OS Upgrade is used to implement an automatic operating system upgrade strategy and control within Azure Batch Pools. Here are some reasons for using Auto OS Upgrade:

+- **Security.** Auto OS Upgrade ensures timely patching of vulnerabilities and security issues within the operating system image, to enhance the security of compute resources. It helps prevent potential security vulnerabilities from posing a threat to applications and data.

+- **Minimized Availability Disruption.** Auto OS Upgrade is used to minimize the availability disruption of compute nodes during OS upgrades. It is achieved through task-scheduling-aware upgrade deferral and support for rolling upgrades, ensuring that workloads experience minimal disruption.

+- **Flexibility.** Auto OS Upgrade allows you to configure your automatic operating system upgrade strategy, including percentage-based upgrade coordination and rollback support. It means you can customize your upgrade strategy to meet your specific performance and availability requirements.

+- **Control.** Auto OS Upgrade provides you with control over your operating system upgrade strategy to ensure secure, workload-aware upgrade deployments. You can tailor your policy configurations to meet the specific needs of your organization.

+In summary, the use of Auto OS Upgrade helps improve security, minimize availability disruptions, and provide both greater control and flexibility for your workloads.

+## How does Auto OS Upgrade work?

+When upgrading images, VMs in Azure Batch Pool will follow roughly the same work flow as VirtualMachineScaleSets. To learn more about the detailed steps involved in the Auto OS Upgrade process for VirtualMachineScaleSets, you can refer to [VirtualMachineScaleSet page](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md#how-does-automatic-os-image-upgrade-work).

+However, if *automaticOSUpgradePolicy.osRollingUpgradeDeferral* is set to 'true' and an upgrade becomes available when a batch node is actively running tasks, the upgrade will be delayed until all tasks have been completed on the node.

+> [!Note]

+> If a pool has enabled *osRollingUpgradeDeferral*, its nodes will be displayed as *upgradingos* state during the upgrade process. Please note that the *upgradingos* state will only be shown when you are using the the API version of 2024-02-01 or later. If you're using an old API version to call *GetTVM/ListTVM*, the node will be in a *rebooting* state when upgrading.

+## Supported OS images

+Only certain OS platform images are currently supported for automatic upgrade. For detailed images list, you can get from [VirtualMachineScaleSet page](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md#supported-os-images).

+## Requirements

+* The version property of the image must be set to **latest**.

+* For Batch Management API, use API version 2024-02-01 or higher. For Batch Service API, use API version 2024-02-01.19.0 or higher.

+* Ensure that external resources specified in the pool are available and updated. Examples include SAS URI for bootstrapping payload in VM extension properties, payload in storage account, reference to secrets in the model, and more.

+* If you are using the property *virtualMachineConfiguration.windowsConfiguration.enableAutomaticUpdates*, this property must set to 'false' in the pool definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches without replacing the OS disk. With automatic OS image upgrades enabled, an extra patching process through Windows Update isn't required.

+### Additional requirements for custom images

+* When a new version of the image is published and replicated to the region of that pool, the VMs will be upgraded to the latest version of the Azure Compute Gallery image. If the new image isn't replicated to the region where the pool is deployed, the VM instances won't be upgraded to the latest version. Regional image replication allows you to control the rollout of the new image for your VMs.

+* The new image version shouldn't be excluded from the latest version for that gallery image. Image versions excluded from the gallery image's latest version won't be rolled out through automatic OS image upgrade.

+## Configure Auto OS Upgrade

+If you intend to implement Auto OS Upgrades within a pool, it's essential to configure the **UpgradePolicy** field during the pool creation process. To configure automatic OS image upgrades, make sure that the *automaticOSUpgradePolicy.enableAutomaticOSUpgrade* property is set to 'true' in the pool definition.

+> [!Note]

+> **Upgrade Policy mode** and **Automatic OS Upgrade Policy** are separate settings and control different aspects of the provisioned scale set by Azure Batch. The Upgrade Policy mode will determine what happens to existing instances in scale set. However, Automatic OS Upgrade Policy enableAutomaticOSUpgrade is specific to the OS image and tracks changes the image publisher has made and determines what happens when there is an update to the image.

+> [!IMPORTANT]

+> If you are using [user subscription](batch-account-create-portal.md#additional-configuration-for-user-subscription-mode), it's essential to note that a subscription feature **Microsoft.Compute/RollingUpgradeDeferral** is required for your subscription to be registered. You cannot use *osRollingUpgradeDeferral* unless this feature is registered. To enable this feature, please [manually register](../azure-resource-manager/management/preview-features.md) it on your subscription.

+### REST API

+The following example describes how to create a pool with Auto OS Upgrade via REST API:

+```http

+PUT https://management.azure.com/subscriptions/<subscriptionid>/resourceGroups/<resourcegroupName>/providers/Microsoft.Batch/batchAccounts/<batchaccountname>/pools/<poolname>?api-version=2024-02-01

+```

+Request Body

+```json

+{

+ "name": "test1",

+ "type": "Microsoft.Batch/batchAccounts/pools",

+ "parameters": {

+ "properties": {

+ "vmSize": "Standard_d4s_v3",

+ "deploymentConfiguration": {

+ "virtualMachineConfiguration": {

+ "imageReference": {

+ "publisher": "MicrosoftWindowsServer",

+ "offer": "WindowsServer",

+ "sku": "2019-datacenter-smalldisk",

+ "version": "latest"

+ },

+ "nodePlacementConfiguration": {

+ "policy": "Zonal"

+ },

+ "nodeAgentSKUId": "batch.node.windows amd64",

+ "windowsConfiguration": {

+ "enableAutomaticUpdates": false

+ }

+ }

+ },

+ "scaleSettings": {

+ "fixedScale": {

+ "targetDedicatedNodes": 2,

+ "targetLowPriorityNodes": 0

+ }

+ },

+ "upgradePolicy": {

+ "mode": "Automatic",

+ "automaticOSUpgradePolicy": {

+ "disableAutomaticRollback": true,

+ "enableAutomaticOSUpgrade": true,

+ "useRollingUpgradePolicy": true,

+ "osRollingUpgradeDeferral": true

+ },

+ "rollingUpgradePolicy": {

+ "enableCrossZoneUpgrade": true,

+ "maxBatchInstancePercent": 20,

+ "maxUnhealthyInstancePercent": 20,

+ "maxUnhealthyUpgradedInstancePercent": 20,

+ "pauseTimeBetweenBatches": "PT0S",

+ "prioritizeUnhealthyInstances": false,

+ "rollbackFailedInstancesOnPolicyBreach": false

+ }

+ }

+ }

+ }

+}

+```

+### SDK (C#)

+The following code snippet shows an example of how to use the [Batch .NET](https://www.nuget.org/packages/Microsoft.Azure.Batch/) client library to create a pool of Auto OS Upgrade via C# codes. For more details about Batch .NET, view the [reference documentation](/dotnet/api/microsoft.azure.batch).

+```csharp

+public async Task CreateUpgradePolicyPool()

+{

+ // Authenticate

+ var clientId = Environment.GetEnvironmentVariable("CLIENT_ID");

+ var clientSecret = Environment.GetEnvironmentVariable("CLIENT_SECRET");

+ var tenantId = Environment.GetEnvironmentVariable("TENANT_ID");

+ var subscriptionId = Environment.GetEnvironmentVariable("SUBSCRIPTION_ID");

+ ClientSecretCredential credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

+ ArmClient client = new ArmClient(credential, subscriptionId);

+

+ // Get an existing Batch account

+ string resourceGroupName = "testrg";

+ string accountName = "testaccount";

+ ResourceIdentifier batchAccountResourceId = BatchAccountResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, accountName);

+ BatchAccountResource batchAccount = client.GetBatchAccountResource(batchAccountResourceId);

+

+ // get the collection of this BatchAccountPoolResource

+ BatchAccountPoolCollection collection = batchAccount.GetBatchAccountPools();

+

+ // Define the pool

+ string poolName = "testpool";

+ BatchAccountPoolData data = new BatchAccountPoolData()

+ {

+ VmSize = "Standard_d4s_v3",

+ DeploymentConfiguration = new BatchDeploymentConfiguration()

+ {

+ VmConfiguration = new BatchVmConfiguration(new BatchImageReference()

+ {

+ Publisher = "MicrosoftWindowsServer",

+ Offer = "WindowsServer",

+ Sku = "2019-datacenter-smalldisk",

+ Version = "latest",

+ },

+ nodeAgentSkuId: "batch.node.windows amd64")

+ {

+ NodePlacementPolicy = BatchNodePlacementPolicyType.Zonal,

+ IsAutomaticUpdateEnabled = false

+ },

+ },

+ ScaleSettings = new BatchAccountPoolScaleSettings()

+ {

+ FixedScale = new BatchAccountFixedScaleSettings()

+ {

+ TargetDedicatedNodes = 2,

+ TargetLowPriorityNodes = 0,

+ },

+ },

+ UpgradePolicy = new UpgradePolicy()

+ {

+ Mode = UpgradeMode.Automatic,

+ AutomaticOSUpgradePolicy = new AutomaticOSUpgradePolicy()

+ {

+ DisableAutomaticRollback = true,

+ EnableAutomaticOSUpgrade = true,

+ UseRollingUpgradePolicy = true,

+ OSRollingUpgradeDeferral = true

+ },

+ RollingUpgradePolicy = new RollingUpgradePolicy()

+ {

+ EnableCrossZoneUpgrade = true,

+ MaxBatchInstancePercent = 20,

+ MaxUnhealthyInstancePercent = 20,

+ MaxUnhealthyUpgradedInstancePercent = 20,

+ PauseTimeBetweenBatches = "PT0S",

+ PrioritizeUnhealthyInstances = false,

+ RollbackFailedInstancesOnPolicyBreach = false,

+ }

+ }

+ };

+

+ ArmOperation<BatchAccountPoolResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, poolName, data);

+ BatchAccountPoolResource result = lro.Value;

+

+ // the variable result is a resource, you could call other operations on this instance as well

+ // but just for demo, we get its data from this resource instance

+ BatchAccountPoolData resourceData = result.Data;

+ // for demo we just print out the id

+ Console.WriteLine($"Succeeded on id: {resourceData.Id}");

+}

+```

+## FAQs

+- How can I enable Auto OS Upgrade?

+ Start a [support request](../azure-portal/supportability/how-to-create-azure-support-request.md) and provide your batch account to request its activation.

+- Will my tasks be disrupted if I enabled Auto OS Upgrade?

+ Tasks won't be disrupted when *automaticOSUpgradePolicy.osRollingUpgradeDeferral* is set to 'true'. In that case, the upgrade will be postponed until node becomes idle. Otherwise, node will upgrade when it receives a new OS version, regardless of whether it is currently running a task or not. So we strongly advise enabling *automaticOSUpgradePolicy.osRollingUpgradeDeferral*.

+## Next steps

+- Learn how to use a [managed image](batch-custom-images.md) to create a pool.

+- Learn how to use the [Azure Compute Gallery](batch-sig-images.md) to create a pool.

+- **Automatic memory fitting**: Container Apps optimizes how the Java Virtual Machine (JVM) [manages memory](java-memory-fit.md), making the most possible memory available to your Java applications.

+[region-availability]: container-instances-resource-and-quota-limits.md

+This article details the availability and quota limits of Azure Container Instances compute, memory, and storage resources in Azure regions and by target operating system. For a general list of available regions for Azure Container Instances, see [available regions](https://azure.microsoft.com/regions/services/).

+> [!IMPORTANT]

+> K80 and P100 GPU SKUs are retiring by August 31st, 2023. This is due to the retirement of the underlying VMs used: [NC Series](../virtual-machines/nc-series-retirement.md) and [NCv2 Series](../virtual-machines/ncv2-series-retirement.md) Although V100 SKUs will be available, it is receommended to use Azure Kubernetes Service instead. GPU resources are not fully supported and should not be used for production workloads. Use the following resources to migrate to AKS today: [How to Migrate to AKS](../aks/aks-migration.md).

+This article provides background about the feature, limitations, and resources. To see the availability of Spot containers in Azure regions, see [Resource and quota limits](container-instances-resource-and-quota-limits.md).

+> Container group deployment to a virtual network is generally available for Linux and Windows containers, in most regions where Azure Container Instances is available. For details, see [Resource availability and quota limits](container-instances-resource-and-quota-limits.md).

+- **Azure Monitoring and alerting**ΓÇ»- All the logs generated by Managed Airflow are exported to Azure Monitor. It also provides metrics to track critical conditions and help you notify if the need be.

+ Title: Copy and transform data in Microsoft Fabric Warehouse

+description: Learn how to copy and transform data to and from Microsoft Fabric Warehouse using Azure Data Factory or Azure Synapse Analytics pipelines.

+# Copy and transform data in Microsoft Fabric Warehouse using Azure Data Factory or Azure Synapse Analytics

+This article outlines how to use Copy Activity to copy data from and to Microsoft Fabric Warehouse. To learn more, read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

+## Supported capabilities

+This Microsoft Fabric Warehouse connector is supported for the following capabilities:

+| Supported capabilities|IR | Managed private endpoint|

+|| --| --|

+|[Copy activity](copy-activity-overview.md) (source/sink)|&#9312; &#9313;|Γ£ô |

+|[Lookup activity](control-flow-lookup-activity.md)|&#9312; &#9313;|Γ£ô |

+|[GetMetadata activity](control-flow-get-metadata-activity.md)|&#9312; &#9313;|Γ£ô |

+|[Script activity](transform-data-using-script.md)|&#9312; &#9313;|Γ£ô |

+|[Stored procedure activity](transform-data-using-stored-procedure.md)|&#9312; &#9313;|Γ£ô |

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+## Get started

+## Create a Microsoft Fabric Warehouse linked service using UI

+Use the following steps to create a Microsoft Fabric Warehouse linked service in the Azure portal UI.

+1. Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then select New:

+ # [Azure Data Factory](#tab/data-factory)

+ :::image type="content" source="media/doc-common-process/new-linked-service.png" alt-text="Screenshot of creating a new linked service with Azure Data Factory UI.":::

+ # [Azure Synapse](#tab/synapse-analytics)

+ :::image type="content" source="media/doc-common-process/new-linked-service-synapse.png" alt-text="Screenshot of creating a new linked service with Azure Synapse UI.":::

+2. Search for Warehouse and select the connector.

+ :::image type="content" source="media/connector-microsoft-fabric-warehouse/microsoft-fabric-warehouse-connector.png" alt-text="Screenshot showing select Microsoft Fabric Warehouse connector.":::

+1. Configure the service details, test the connection, and create the new linked service.

+ :::image type="content" source="media/connector-microsoft-fabric-warehouse/configure-microsoft-fabric-warehouse-linked-service.png" alt-text="Screenshot of configuration for Microsoft Fabric Warehouse linked service.":::

+## Connector configuration details

+The following sections provide details about properties that are used to define Data Factory entities specific to Microsoft Fabric Warehouse.

+## Linked service properties

+The Microsoft Fabric Warehouse connector supports the following authentication types. See the corresponding sections for details:

+- [Service principal authentication](#service-principal-authentication)

+### Service principal authentication

+To use service principal authentication, follow these steps.

+1. [Register an application with the Microsoft Identity platform](../active-directory/develop/quickstart-register-app.md) and [add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret). Afterwards, make note of these values, which you use to define the linked service:

+ - Application (client) ID, which is the service principal ID in the linked service.

+ - Client secret value, which is the service principal key in the linked service.

+ - Tenant ID

+2. Grant the service principal at least the **Contributor** role in Microsoft Fabric workspace. Follow these steps:

+ 1. Go to your Microsoft Fabric workspace, select **Manage access** on the top bar. Then select **Add people or groups**.

+

+ :::image type="content" source="media/connector-microsoft-fabric-warehouse/fabric-workspace-manage-access.png" alt-text="Screenshot shows selecting Fabric workspace Manage access.":::

+ :::image type="content" source="media/connector-microsoft-fabric-warehouse/manage-access-pane.png" alt-text=" Screenshot shows Fabric workspace Manage access pane.":::

+

+ 1. In **Add people** pane, enter your service principal name, and select your service principal from the drop-down list.

+

+ 1. Specify the role as **Contributor** or higher (Admin, Member), then select **Add**.

+

+ :::image type="content" source="media/connector-microsoft-fabric-warehouse/select-workspace-role.png" alt-text="Screenshot shows adding Fabric workspace role.":::

+ 1. Your service principal is displayed on **Manage access** pane.

+These properties are supported for the linked service:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to **Warehouse**. |Yes |

+| endpoint | The endpoint of Microsoft Fabric Warehouse server. | Yes |

+| workspaceId | The Microsoft Fabric workspace ID. | Yes |

+| artifactId | The Microsoft Fabric Warehouse object ID. | Yes |

+| tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes |

+| servicePrincipalId | Specify the application's client ID. | Yes |

+| servicePrincipalCredentialType | The credential type to use for service principal authentication. Allowed values are **ServicePrincipalKey** and **ServicePrincipalCert**. | Yes |

+| servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's client secret value. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes |

+| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is in a private network. If not specified, the default Azure integration runtime is used. |No |

+**Example: using service principal key authentication**

+You can also store service principal key in Azure Key Vault.

+```json

+{

+ "name": "MicrosoftFabricWarehouseLinkedService",

+ "properties": {

+ "type": "Warehouse",

+ "typeProperties": {

+ "endpoint": "<Microsoft Fabric Warehouse server endpoint>",

+ "workspaceId": "<Microsoft Fabric workspace ID>",

+ "artifactId": "<Microsoft Fabric Warehouse object ID>",

+ "tenant": "<tenant info, e.g. microsoft.onmicrosoft.com>",

+ "servicePrincipalId": "<service principal id>",

+ "servicePrincipalCredentialType": "ServicePrincipalKey",

+ "servicePrincipalCredential": {

+ "type": "SecureString",

+ "value": "<service principal key>"

+ }

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+## Dataset properties

+For a full list of sections and properties available for defining datasets, see the [Datasets](concepts-datasets-linked-services.md) article.

+The following properties are supported for Microsoft Fabric Warehouse dataset:

+| Property | Description | Required |

+| :-- | :-- | :-- |

+| type | The **type** property of the dataset must be set to **WarehouseTable**. | Yes |

+| schema | Name of the schema. |No for source, Yes for sink |

+| table | Name of the table/view. |No for source, Yes for sink |

+### Dataset properties example

+```json

+{

+ "name": "FabricWarehouseTableDataset",

+ "properties": {

+ "type": "WarehouseTable",

+ "linkedServiceName": {

+ "referenceName": "<Microsoft Fabric Warehouse linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "schema": [ < physical schema, optional, retrievable during authoring >

+ ],

+ "typeProperties": {

+ "schema": "<schema_name>",

+ "table": "<table_name>"

+ }

+ }

+}

+```

+## Copy activity properties

+For a full list of sections and properties available for defining activities, see [Copy activity configurations](copy-activity-overview.md#configuration) and [Pipelines and activities](concepts-pipelines-activities.md). This section provides a list of properties supported by the Microsoft Fabric Warehouse source and sink.

+### Microsoft Fabric Warehouse as the source

+>[!TIP]

+>To load data from Microsoft Fabric Warehouse efficiently by using data partitioning, learn more from [Parallel copy from Microsoft Fabric Warehouse](#parallel-copy-from-microsoft-fabric-warehouse).

+To copy data from Microsoft Fabric Warehouse, set the **type** property in the Copy Activity source to **WarehouseSource**. The following properties are supported in the Copy Activity **source** section:

+| Property | Description | Required |

+| : | :-- | :- |

+| type | The **type** property of the Copy Activity source must be set to **WarehouseSource**. | Yes |

+| sqlReaderQuery | Use the custom SQL query to read data. Example: `select * from MyTable`. | No |

+| sqlReaderStoredProcedureName | The name of the stored procedure that reads data from the source table. The last SQL statement must be a SELECT statement in the stored procedure. | No |

+| storedProcedureParameters | Parameters for the stored procedure.<br/>Allowed values are name or value pairs. Names and casing of parameters must match the names and casing of the stored procedure parameters. | No |

+| queryTimeout | Specifies the timeout for query command execution. Default is 120 minutes. | No |

+| isolationLevel | Specifies the transaction locking behavior for the SQL source. The allowed value is **Snapshot**. If not specified, the database's default isolation level is used. For more information, see [system.data.isolationlevel](/dotnet/api/system.data.isolationlevel). | No |

+| partitionOptions | Specifies the data partitioning options used to load data from Microsoft Fabric Warehouse. <br>Allowed values are: **None** (default), and **DynamicRange**.<br>When a partition option is enabled (that is, not `None`), the degree of parallelism to concurrently load data from a Microsoft Fabric Warehouse is controlled by the [`parallelCopies`](copy-activity-performance-features.md#parallel-copy) setting on the copy activity. | No |

+| partitionSettings | Specify the group of the settings for data partitioning. <br>Apply when the partition option isn't `None`. | No |

+| ***Under `partitionSettings`:*** | | |

+| partitionColumnName | Specify the name of the source column **in integer or date/datetime type** (`int`, `smallint`, `bigint`, `date`, `datetime2`) that will be used by range partitioning for parallel copy. If not specified, the index or the primary key of the table is detected automatically and used as the partition column.<br>Apply when the partition option is `DynamicRange`. If you use a query to retrieve the source data, hook `?AdfDynamicRangePartitionCondition` in the WHERE clause. For an example, see the [Parallel copy from Microsoft Fabric Warehouse](#parallel-copy-from-microsoft-fabric-warehouse) section. | No |

+| partitionUpperBound | The maximum value of the partition column for partition range splitting. This value is used to decide the partition stride, not for filtering the rows in table. All rows in the table or query result will be partitioned and copied. If not specified, copy activity auto detect the value. <br>Apply when the partition option is `DynamicRange`. For an example, see the [Parallel copy from Microsoft Fabric Warehouse](#parallel-copy-from-microsoft-fabric-warehouse) section. | No |

+| partitionLowerBound | The minimum value of the partition column for partition range splitting. This value is used to decide the partition stride, not for filtering the rows in table. All rows in the table or query result will be partitioned and copied. If not specified, copy activity auto detect the value.<br>Apply when the partition option is `DynamicRange`. For an example, see the [Parallel copy from Microsoft Fabric Warehouse](#parallel-copy-from-microsoft-fabric-warehouse) section. | No |

+>[!Note]

+>When using stored procedure in source to retrieve data, note if your stored procedure is designed as returning different schema when different parameter value is passed in, you may encounter failure or see unexpected result when importing schema from UI or when copying data to Microsoft Fabric Warehouse with auto table creation.

+#### Example: using SQL query

+```json

+"activities":[

+ {

+ "name": "CopyFromMicrosoftFabricWarehouse",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<Microsoft Fabric Warehouse input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "WarehouseSource",

+ "sqlReaderQuery": "SELECT * FROM MyTable"

+ },

+ "sink": {

+ "type": "<sink type>"

+ }

+ }

+ }

+]

+```

+#### Example: using stored procedure

+```json

+"activities":[

+ {

+ "name": "CopyFromMicrosoftFabricWarehouse",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<Microsoft Fabric Warehouse input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "WarehouseSource",

+ "sqlReaderStoredProcedureName": "CopyTestSrcStoredProcedureWithParameters",

+ "storedProcedureParameters": {

+ "stringData": { "value": "str3" },

+ "identifier": { "value": "$$Text.Format('{0:yyyy}', <datetime parameter>)", "type": "Int"}

+ }

+ },

+ "sink": {

+ "type": "<sink type>"

+ }

+ }

+ }

+]

+```

+#### Sample stored procedure:

+```sql

+CREATE PROCEDURE CopyTestSrcStoredProcedureWithParameters

+(

+ @stringData varchar(20),

+ @identifier int

+)

+AS

+SET NOCOUNT ON;

+BEGIN

+ select *

+ from dbo.UnitTestSrcTable

+ where dbo.UnitTestSrcTable.stringData != stringData

+ and dbo.UnitTestSrcTable.identifier != identifier

+END

+GO

+```

+### Microsoft Fabric Warehouse as a sink type

+Azure Data Factory and Synapse pipelines support [Use COPY statement](#use-copy-statement) to load data into Microsoft Fabric Warehouse.

+To copy data to Microsoft Fabric Warehouse, set the sink type in Copy Activity to **WarehouseSink**. The following properties are supported in the Copy Activity **sink** section:

+| Property | Description | Required |

+| :- | :-- | :-- |

+| type | The **type** property of the Copy Activity sink must be set to **WarehouseSink**. | Yes |

+| allowCopyCommand| Indicates whether to use [COPY statement](/sql/t-sql/statements/copy-into-transact-sql?source=recommendations&view=fabric&preserve-view=true) to load data into Microsoft Fabric Warehouse. <br/><br/>See [Use COPY statement to load data into Microsoft Fabric Warehouse](#use-copy-statement) section for constraints and details.<br/><br/>The allowed value is **True**. | Yes |

+| copyCommandSettings | A group of properties that can be specified when `allowCopyCommand` property is set to TRUE. | No |

+| writeBatchTimeout| This property specifies the wait time for the insert, upsert and stored procedure operation to complete before it times out.<br/><br/>Allowed values are for the timespan. An example is "00:30:00" for 30 minutes. If no value is specified, the timeout defaults to "00:30:00"| No |

+| preCopyScript | Specify a SQL query for Copy Activity to run before writing data into Microsoft Fabric Warehouse in each run. Use this property to clean up the preloaded data. | No |

+| tableOption | Specifies whether to [automatically create the sink table](copy-activity-overview.md#auto-create-sink-tables) if not exists based on the source schema. Allowed values are: `none` (default), `autoCreate`. |No |

+| disableMetricsCollection | The service collects metrics for copy performance optimization and recommendations, which introduce additional master DB access. If you are concerned with this behavior, specify `true` to turn it off. | No (default is `false`) |

+#### Example: Microsoft Fabric Warehouse sink

+```json

+"activities":[

+ {

+ "name": "CopyToMicrosoftFabricWarehouse",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<Microsoft Fabric Warehouse output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "<source type>"

+ },

+ "sink": {

+ "type": "WarehouseSink",

+ "allowCopyCommand": true,

+ "tableOption": "autoCreate",

+ "disableMetricsCollection": false

+ }

+ }

+ }

+]

+```

+## Parallel copy from Microsoft Fabric Warehouse

+The Microsoft Fabric Warehouse connector in copy activity provides built-in data partitioning to copy data in parallel. You can find data partitioning options on the **Source** tab of the copy activity.

+When you enable partitioned copy, copy activity runs parallel queries against your Microsoft Fabric Warehouse source to load data by partitions. The parallel degree is controlled by the [`parallelCopies`](copy-activity-performance-features.md#parallel-copy) setting on the copy activity. For example, if you set `parallelCopies` to four, the service concurrently generates and runs four queries based on your specified partition option and settings, and each query retrieves a portion of data from your Microsoft Fabric Warehouse.

+You are suggested to enable parallel copy with data partitioning especially when you load large amount of data from your Microsoft Fabric Warehouse. The following are suggested configurations for different scenarios. When copying data into file-based data store, it's recommended to write to a folder as multiple files (only specify folder name), in which case the performance is better than writing to a single file.

+| Scenario | Suggested settings |

+| | |

+| Full load from large table, while with an integer or datetime column for data partitioning. | **Partition options**: Dynamic range partition.<br>**Partition column** (optional): Specify the column used to partition data. If not specified, the index or primary key column is used.<br/>**Partition upper bound** and **partition lower bound** (optional): Specify if you want to determine the partition stride. This is not for filtering the rows in table, and all rows in the table will be partitioned and copied. If not specified, copy activity auto detect the values.<br><br>For example, if your partition column "ID" has values range from 1 to 100, and you set the lower bound as 20 and the upper bound as 80, with parallel copy as 4, the service retrieves data by 4 partitions - IDs in range <=20, [21, 50], [51, 80], and >=81, respectively. |

+| Load a large amount of data by using a custom query, while with an integer or date/datetime column for data partitioning. | **Partition options**: Dynamic range partition.<br>**Query**: `SELECT * FROM <TableName> WHERE ?AdfDynamicRangePartitionCondition AND <your_additional_where_clause>`.<br>**Partition column**: Specify the column used to partition data.<br>**Partition upper bound** and **partition lower bound** (optional): Specify if you want to determine the partition stride. This is not for filtering the rows in table, and all rows in the query result will be partitioned and copied. If not specified, copy activity auto detect the value.<br><br>During execution, the service replaces `?AdfRangePartitionColumnName` with the actual column name and value ranges for each partition, and sends to Microsoft Fabric Warehouse. <br>For example, if your partition column "ID" has values range from 1 to 100, and you set the lower bound as 20 and the upper bound as 80, with parallel copy as 4, the service retrieves data by 4 partitions- IDs in range <=20, [21, 50], [51, 80], and >=81, respectively. <br><br>Here are more sample queries for different scenarios:<br> 1. Query the whole table: <br>`SELECT * FROM <TableName> WHERE ?AdfDynamicRangePartitionCondition`<br> 2. Query from a table with column selection and additional where-clause filters: <br>`SELECT <column_list> FROM <TableName> WHERE ?AdfDynamicRangePartitionCondition AND <your_additional_where_clause>`<br> 3. Query with subqueries: <br>`SELECT <column_list> FROM (<your_sub_query>) AS T WHERE ?AdfDynamicRangePartitionCondition AND <your_additional_where_clause>`<br> 4. Query with partition in subquery: <br>`SELECT <column_list> FROM (SELECT <your_sub_query_column_list> FROM <TableName> WHERE ?AdfDynamicRangePartitionCondition) AS T`|

+Best practices to load data with partition option:

+- Choose distinctive column as partition column (like primary key or unique key) to avoid data skew.

+- If you use Azure Integration Runtime to copy data, you can set larger "[Data Integration Units (DIU)](copy-activity-performance-features.md#data-integration-units)" (>4) to utilize more computing resource. Check the applicable scenarios there.

+- "[Degree of copy parallelism](copy-activity-performance-features.md#parallel-copy)" control the partition numbers, setting this number too large sometime hurts the performance, recommend setting this number as (DIU or number of Self-hosted IR nodes) * (2 to 4).

+- Note that Microsoft Fabric Warehouse can execute a maximum of 32 queries at a moment, setting "Degree of copy parallelism" too large may cause a Warehouse throttling issue.

+**Example: query with dynamic range partition**

+```json

+"source": {

+ "type": "WarehouseSource",

+ "query":ΓÇ»"SELECT * FROM <TableName> WHERE ?AdfDynamicRangePartitionCondition AND <your_additional_where_clause>",

+ "partitionOption": "DynamicRange",

+ "partitionSettings": {

+ "partitionColumnName": "<partition_column_name>",

+ "partitionUpperBound": "<upper_value_of_partition_column (optional) to decide the partition stride, not as data filter>",

+ "partitionLowerBound": "<lower_value_of_partition_column (optional) to decide the partition stride, not as data filter>"

+ }

+}

+```

+## <a name="use-copy-statement"></a> Use COPY statement to load data into Microsoft Fabric Warehouse

+Using [COPY statement](/sql/t-sql/statements/copy-into-transact-sql?source=recommendations&view=fabric&preserve-view=true) is a simple and flexible way to load data into Microsoft Fabric Warehouse with high throughput. To learn more details, check [Bulk load data using the COPY statement](../synapse-analytics/sql-data-warehouse/quickstart-bulk-load-copy-tsql.md)

+- If your source data is in **Azure Blob or Azure Data Lake Storage Gen2**, and the **format is COPY statement compatible**, you can use copy activity to directly invoke COPY statement to let Microsoft Fabric Warehouse pull the data from source. For details, see **[Direct copy by using COPY statement](#direct-copy-by-using-copy-statement)**.

+- If your source data store and format isn't originally supported by COPY statement, use the **[Staged copy by using COPY statement](#staged-copy-by-using-copy-statement)** feature instead. The staged copy feature also provides you with better throughput. It automatically converts the data into COPY statement compatible format, stores the data in Azure Blob storage, then calls COPY statement to load data into Microsoft Fabric Warehouse.

+>[!TIP]

+>When using COPY statement with Azure Integration Runtime, effective [Data Integration Units (DIU)](copy-activity-performance-features.md#data-integration-units) is always 2. Tuning the DIU doesn't impact the performance.

+### Direct copy by using COPY statement

+Microsoft Fabric Warehouse COPY statement directly supports Azure Blob, Azure Data Lake Storage Gen1 and Azure Data Lake Storage Gen2. If your source data meets the criteria described in this section, use COPY statement to copy directly from the source data store to Microsoft Fabric Warehouse. Otherwise, use [Staged copy by using COPY statement](#staged-copy-by-using-copy-statement). The service checks the settings and fails the copy activity run if the criteria is not met.

+- The **source linked service and format** are with the following types and authentication methods:

+ | Supported source data store type | Supported format | Supported source authentication type |

+ | :-- | -- | :-- |

+ | [Azure Blob](connector-azure-blob-storage.md) | [Delimited text](format-delimited-text.md) | Account key authentication, shared access signature authentication|

+ | &nbsp; | [Parquet](format-parquet.md) | Account key authentication, shared access signature authentication |

+ | [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md) | [Delimited text](format-delimited-text.md)<br/>[Parquet](format-parquet.md) | Account key authentication, shared access signature authentication |

+- Format settings are with the following:

+ - For **Parquet**: `compression` can be **no compression**, **Snappy**, or **``GZip``**.

+ - For **Delimited text**:

+ - `rowDelimiter` is explicitly set as **single character** or "**\r\n**", the default value is not supported.

+ - `nullValue` is left as default or set to **empty string** ("").

+ - `encodingName` is left as default or set to **utf-8 or utf-16**.

+ - `escapeChar` must be same as `quoteChar`, and is not empty.

+ - `skipLineCount` is left as default or set to 0.

+ - `compression` can be **no compression** or **``GZip``**.

+- If your source is a folder, `recursive` in copy activity must be set to true, and `wildcardFilename` need to be `*` or `*.*`.

+- `wildcardFolderPath` , `wildcardFilename` (other than `*`or `*.*`), `modifiedDateTimeStart`, `modifiedDateTimeEnd`, `prefix`, `enablePartitionDiscovery` and `additionalColumns` are not specified.

+The following COPY statement settings are supported under `allowCopyCommand` in copy activity:

+| Property | Description | Required |

+| :- | :-- | :-- |

+| defaultValues | Specifies the default values for each target column in Microsoft Fabric Warehouse. The default values in the property overwrite the DEFAULT constraint set in the data warehouse, and identity column cannot have a default value. | No |

+| additionalOptions | Additional options that will be passed to a Microsoft Fabric Warehouse COPY statement directly in "With" clause in [COPY statement](/sql/t-sql/statements/copy-into-transact-sql?source=recommendations&view=fabric&preserve-view=true). Quote the value as needed to align with the COPY statement requirements. | No |

+```json

+"activities":[

+ {

+ "name": "CopyFromAzureBlobToMicrosoftFabricWarehouseViaCOPY",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "ParquetDataset",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "MicrosoftFabricWarehouseDataset",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "ParquetSource",

+ "storeSettings":{

+ "type": "AzureBlobStorageReadSettings",

+ "recursive": true

+ }

+ },

+ "sink": {

+ "type": "WarehouseSink",

+ "allowCopyCommand": true,

+ "copyCommandSettings":ΓÇ»{

+ "defaultValues":ΓÇ»[

+ {

+ "columnName":ΓÇ»"col_string",

+ "defaultValue":ΓÇ»"DefaultStringValue"

+ }

+ ],

+ "additionalOptions":ΓÇ»{

+ "MAXERRORS":ΓÇ»"10000",

+ "DATEFORMAT":ΓÇ»"'ymd'"

+ }

+ }

+ },

+ "enableSkipIncompatibleRow": true

+ }

+ }

+]

+```

+### Staged copy by using COPY statement

+When your source data is not natively compatible with COPY statement, enable data copying via an interim staging Azure Blob or Azure Data Lake Storage Gen2 (it can't be Azure Premium Storage). In this case, the service automatically converts the data to meet the data format requirements of COPY statement. Then it invokes COPY statement to load data into Microsoft Fabric Warehouse. Finally, it cleans up your temporary data from the storage. See [Staged copy](copy-activity-performance-features.md#staged-copy) for details about copying data via a staging.

+To use this feature, create an [Azure Blob Storage linked service](connector-azure-blob-storage.md#linked-service-properties) or [Azure Data Lake Storage Gen2 linked service](connector-azure-data-lake-storage.md#linked-service-properties) with **account key or system-managed identity authentication** that refers to the Azure storage account as the interim storage.

+>[!IMPORTANT]

+>- When you use managed identity authentication for your staging linked service, learn the needed configurations for [Azure Blob](connector-azure-blob-storage.md#managed-identity) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#managed-identity) respectively.

+>- If your staging Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).

+>[!IMPORTANT]

+>If your staging Azure Storage is configured with Managed Private Endpoint and has the storage firewall enabled, you must use managed identity authentication and grant Storage Blob Data Reader permissions to the Synapse SQL Server to ensure it can access the staged files during the COPY statement load.

+```json

+"activities":[

+ {

+ "name": "CopyFromSQLServerToMicrosoftFabricWarehouseViaCOPYstatement",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "SQLServerDataset",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "MicrosoftFabricWarehouseDataset",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "SqlSource",

+ },

+ "sink": {

+ "type": "WarehouseSink",

+ "allowCopyCommand": true

+ },

+ "stagingSettings": {

+ "linkedServiceName": {

+ "referenceName": "MyStagingStorage",

+ "type": "LinkedServiceReference"

+ }

+ }

+ }

+ }

+]

+```

+## Lookup activity properties

+To learn details about the properties, check [Lookup activity](control-flow-lookup-activity.md).

+## GetMetadata activity properties

+To learn details about the properties, check [GetMetadata activity](control-flow-get-metadata-activity.md)

+## Data type mapping for Microsoft Fabric Warehouse

+When you copy data from Microsoft Fabric Warehouse, the following mappings are used from Microsoft Fabric Warehouse data types to interim data types within the service internally. To learn about how the copy activity maps the source schema and data type to the sink, see [Schema and data type mappings](copy-activity-schema-and-type-mapping.md).

+| Microsoft Fabric Warehouse data type | Data Factory interim data type |

+| : | :-- |

+| bigint | Int64 |

+| binary | Byte[] |

+| bit | Boolean |

+| char | String, Char[] |

+| date | DateTime |

+| datetime2 | DateTime |

+| Decimal | Decimal |

+| FILESTREAM attribute (varbinary(max)) | Byte[] |

+| Float | Double |

+| int | Int32 |

+| numeric | Decimal |

+| real | Single |

+| smallint | Int16 |

+| time | TimeSpan |

+| uniqueidentifier | Guid |

+| varbinary | Byte[] |

+| varchar | String, Char[] |

+## Next steps

+For a list of data stores supported as sources and sinks by the copy activity, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

+1. In the **Custom deployment** section, enter the target subscription, region, and other details required for the deployment. When you're done, select **Review + create** to deploy the Resource Manager template.

+## June 2023

+### Continuous integration and continuous deployment

+npm package now supports pre-downloaded bundle for building ARM templates. If your firewall setting is blocking direct download for your npm package, you can now pre-load the package upfront, and let npm package consume local version instead. This is a super boost for your CI/CD pipeline in a firewalled environment.

+### Region expansion

+Azure Data Factory is now available in Sweden Central. You can co-locate your ETL workflow in this new region if you are utilizing the region for storing and managing your modern data warehouse. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/continued-region-expansion-azure-data-factory-just-became/ba-p/3857249)

+### Data movement

+Securing outbound traffic with Azure Data Factory's outbound network rules is now supported. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/securing-outbound-traffic-with-azure-data-factory-s-outbound/ba-p/3844032)

+### Connectors

+The Amazon S3 connector is now supported as a sink destination using Mapping Data Flows. [Learn more](connector-amazon-simple-storage-service.md)

+### Data flow

+We introduce optional Source settings for DelimitedText and JSON sources in top-level CDC resource. The top-level CDC resource in data factory now supports optional source configurations for Delimited and JSON sources. You can now select the column/row delimiters for delimited sources and set the document type for JSON sources. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-optional-source-settings-for-delimitedtext-and-json/ba-p/3824274)

+## February 2024

+### Data movement

+We added native UI support of parameterization for the following linked

+> All values within < > is to be replaced with your respective environment values. The extension ID supported today is 'IBM.TWC'

+- An instance of [Azure OpenAI](../ai-services/openai/how-to/create-resource.md) created in your Azure subscription.

+* View our Azure Data Manager for Agriculture APIs [here](/rest/api/data-manager-for-agri).

+ Title: Automatically assess machines for vulnerabilities

+description: Use Microsoft Defender for Cloud to automatically ensure your machines have a vulnerability assessment solution

+## Next step

+ Title: Microsoft Defender Vulnerability Management FAQ

+description: Learn about the requirements for data-aware security posture in Microsoft Defender for Cloud.

+|What Azure data resources can I discover? | **Object storage:**<br /><br />[Block blob](../storage/blobs/storage-blobs-introduction.md) storage accounts in Azure Storage v1/v2<br/><br/> Azure Data Lake Storage Gen2<br/><br/>Storage accounts behind private networks are supported.<br/><br/> Storage accounts encrypted with a customer-managed server-side key are supported.<br/><br/> Accounts aren't supported if any of these settings are enabled: Storage account is defined as [Azure DNS Zone](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466); The storage account endpoint has a [custom domain mapped to it](../storage/blobs/storage-custom-domain-name.md).<br /><br /><br />**Databases**<br /><br />Azure SQL Databases |

+|What AWS data resources can I discover? | **Object storage:**<br /><br />AWS S3 buckets<br/><br/> Defender for Cloud can discover KMS-encrypted data, but not data encrypted with a customer-managed key.<br /><br />**Databases**<br /><br />- Amazon Aurora<br />- Amazon RDS for PostgreSQL<br />- Amazon RDS for MySQL<br />- Amazon RDS for MariaDB<br />- Amazon RDS for SQL Server (noncustom)<br />- Amazon RDS for Oracle Database (noncustom, SE2 Edition only) <br /><br />Prerequisites and limitations: <br />- Automated backups need to be enabled. <br />- The IAM role created for the scanning purposes (DefenderForCloud-DataSecurityPostureDB by default) needs to have permissions to the KMS key used for the encryption of the RDS instance. <br />- You can't share a DB snapshot that uses an option group with permanent or persistent options, except for Oracle DB instances that have the **Timezone** or **OLS** option (or both). [Learn more](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html) |

+|What AWS regions are supported? | S3:<br /><br />Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Montreal); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); Europe (Stockholm); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/><br />RDS:<br /><br/>Africa (Cape Town); Asia Pacific (Hong Kong SAR); Asia Pacific (Hyderabad); Asia Pacific (Melbourne); Asia Pacific (Mumbai); Asia Pacific (Osaka); Asia Pacific (Seoul); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); Europe (Stockholm); Europe (Zurich); Middle East (UAE); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br /><br /> Discovery is done locally within the region. |

+- For newly enabled subscriptions, results appear within 24 hours.

+- KMS keys are created once for each region that contains RDS instances. The creation of a KMS key may incur a minimal extra cost, according to AWS KMS pricing.

+ Title: Azure Monitor workbooks with Defender for Cloud data

+> To use this workbook, your environment must have a [GitHub connector](quickstart-onboard-github.md), [GitLab connector](quickstart-onboard-gitlab.md), or [Azure DevOps connector](quickstart-onboard-devops.md).

+**Microsoft Defender for container registries** includes a vulnerability scanner to scan the images in your Azure Resource Manager-based Azure Container Registry registries and provide deeper visibility into your images' vulnerabilities.

+When issues are found, you'll get notified in the workload protection dashboard. For every vulnerability, Defender for Cloud provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Defender for Cloud's recommendations for containers, see the [reference list of recommendations](recommendations-reference.md#container-recommendations).

+Defender for Cloud pulls the image from the registry and runs it in an isolated sandbox with the scanner. The scanner extracts a list of known vulnerabilities.

+[Learn about creating rules to disable findings from the integrated vulnerability assessment tool](disable-vulnerability-findings-containers.md).

+> [Scan your images for vulnerabilities](agentless-vulnerability-assessment-azure.md)

+- [Scan your ACR images for vulnerabilities](agentless-vulnerability-assessment-aws.md)

+ Title: Microsoft Defender for open-source relational databases

+> Defender for Server's vulnerability assessment solution powered by Qualys, is on a retirement path that set to complete on **May 1st, 2024**. If you are a currently using the built-in vulnerability assessment powered by Qualys, you should plan to [transition to the Microsoft Defender Vulnerability Management vulnerability scanning solution](how-to-transition-to-built-in.md).

+ - **Unhealthy resources** ΓÇô A vulnerability scanner extension can be deployed to these machines.

+ > - `https://qagpublic.qg3.apps.qualys.com` - Qualys' US data center

+ > - `https://qagpublic.qg2.apps.qualys.eu` - Qualys' European data center

+- Azure Container Registry images - [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md)

+ |Configure or edit a JIT policy for a VM | *Assign these actions to the role:* <ul><li>On the scope of a subscription (or resource group when using API or PowerShell only) that is associated with the VM:<br/> `Microsoft.Security/locations/jitNetworkAccessPolicies/write` </li><li> On the scope of a subscription (or resource group when using API or PowerShell only) of VM: <br/>`Microsoft.Compute/virtualMachines/write`</li></ul> |

+ > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.

+ > [!NOTE]

+ > In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters.

+## March 2024

+|Date | Update |

+|-|-|

+| March 3 | [Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement](#defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys-retirement) |

+### Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement

+March 3, 2024

+The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is being retired. The retirement will be completed by March 6, and until that time partial results may still appear both in the Qualys recommendations, and Qualys results in the security graph. Any customers who were previously using this assessment should upgrade to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md). For information about transitioning to the container vulnerability assessment offering powered by Microsoft Defender Vulnerability Management, see [Transition from Qualys to Microsoft Defender Vulnerability Management](transition-to-defender-vulnerability-management.md).

+The updated experience for managing security policies, initially released in Preview for Azure, is expanding its support to cross cloud (AWS and GCP) environments. This Preview release includes:

+- The updated experience is applied to AWS and GCP for [creating custom recommendations with a KQL query](create-custom-recommendations.md).

+> [!IMPORTANT]

+> The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is being retired. The retirement will be completed by March 6, and until that time partial results may still appear both in the Qualys recommendations, and Qualys results in the security graph. Any customers who were previously using this assessment should upgrade to to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md). For information about transitioning to the container vulnerability assessment offering powered by Microsoft Defender Vulnerability Management, see [Transition from Qualys to Microsoft Defender Vulnerability Management](transition-to-defender-vulnerability-management.md).

+Microsoft Defender Vulnerability Management integrates across many cloud native use cases, such as containers ship and runtime scenarios.

+The Defender for Cloud Containers Vulnerability Assessment powered by Qualys [is now retired](release-notes.md#defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys-retirement). If you haven't transitioned yet to[Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md), follow the steps on the page to make the transition.

+## Step 2: (Optional) Update REST API and Azure Resource Graph queries

+If you were accessing container vulnerability assessment results by Qualys programmatically, either via the Azure Resource Graph (ARG) Rest API or Subassessment REST API or ARG queries, you need to update your existing queries to match the new schema and/or REST API provided by the new container vulnerability assessment powered by Microsoft Defender Vulnerability Management.

+Any Azure Resource Graph queries used for reporting should be updated to reflect the Microsoft Defender Vulnerability Management assessmentKeys listed previously. The following are examples to help you transition to Microsoft Defender Vulnerability Management queries.

+#### View pod, container, and namespace for a running vulnerable image on the AKS cluster

+## Step 3: (Optional) Container Security reporting

+The workbook provides results from Microsoft Defender Vulnerability Management scanning, offering a comprehensive overview of vulnerabilities detected within your Azure Registry container images. The Containers Security workbook provides the following benefits for container vulnerability assessment:

+## Next step

+ > [!TIP]

+| [New version of Defender Agent for Defender for Containers](#new-version-of-defender-agent-for-defender-for-containers) | January 4, 2024 | February 2024 |

+## New version of Defender Agent for Defender for Containers

+**Announcement date: January 4, 2024**

+**Estimated date for change: February 2024**

+A new version of the [Defender Agent for Defender for Containers](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure) will be released in February 2024. It includes performance and security improvements, support for both AMD64 and ARM64 arch nodes (Linux only), and uses [Inspektor Gadget](https://www.inspektor-gadget.io/) as the process collection agent instead of Sysdig. The new version is only supported on Linux kernel versions 5.4 and higher, so if you have older versions of the Linux kernel, you'll need to upgrade. For more information, see [Supported host operating systems](support-matrix-defender-for-containers.md#supported-host-operating-systems).

+ - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)

+ - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for logic app creation and modification.

+- If you want to use Logic Apps connectors, you might need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).

+## Configure workflow automation at scale

+ Title: DELL XE4 SFF for OT monitoring in SMB/ L500 deployments - Microsoft Defender for IoT

+description: Learn about the DELL XE4 SFF appliance when used for OT monitoring with Microsoft Defender for IoT in SMB/ L500 deployments.

+# DELL XE4 SFF

+This article describes the **DELL XE4 SFF** appliance deployment and installation for OT sensors monitoring production lines.

+| Appliance characteristic |Details |

+|||

+|**Hardware profile** | L500 |

+|**Performance** | Max bandwidth: 25 Mbps <br> Up to 8x RJ45 monitoring ports or 6x SFP (OPT) |

+|**Physical specifications** | Mounting: Small Form Factor <br> Ports: 1x1Gbps (builtin) and optional expansion PCIe cards for copper and SFP connectors|

+|**Status** | Supported, available preconfigured |

+The following image shows a sample of the DELL XE4 SFF front panel:

+The following image shows a sample of the DELL XE4 SFF back panel:

+The following image shows the DELL XE4 SFF dust filter installation and maintenance:

+## Specifications

+|Component|Technical specifications|

+|-|-|

+|Construction |Small Form Factor |

+|Dimensions |1. Width: 6.65 in. (169.00 mm) <br>2. Depth: 11.84 in. (300.80 mm) <br>3. Height: 14.45 in. (367.00 mm) |

+|Weight |Weight (min): 14.13 lb (6.41 kg) <br>Weight (max): 21.03 lb (9.54 kg) |

+|CPU |12th Generation Intel Core i5-12600 (6 Cores/18MB/12T/3.3GHz to 4.8GHz/65W) |

+|Memory |8 GB (1x8GB) DDR4 Non-ECC Memory |

+|Storage |M.2 2280 512-GB PCIe NVMe Class 40 Solid State Drive |

+|Network controller |Built-in 1x1Gbps |

+|Power Adapter |300 W internal power supply unit (PSU), 92% Efficient PSU, 80 Plus Platinum |

+|PWS |300 W internal power supply unit (PSU), 92% Efficient, 80 Plus Platinum, V3, TCO9 |

+|Temperature |5┬░C to 45┬░C (41┬░F to 113┬░F) |

+|Dust Filter |Dell XE4 optional dust filter fits over the front of the chassis and safeguards internal components in areas such as factory, warehouse, and retail environments without impeding air flow. |

+|Humidity |20% to 80% (non-condensing, Max dew point temperature = 26┬░C) |

+|Vibration |0.26 GRMS random at 5 Hz to 350 Hz |

+|Shock |Bottom/Right half-sine pulse 40G, 2 ms |

+|EMC |Product Safety, EMC and Environmental Datasheets <br><https://www.dell.com/learn/us/en/uscorp1/product-info-datasheets-safety-emc-environmental> |

+## DELL XE4 SFF - Bill of Materials

+|Type|Description|PN|Quantity|

+|-||-|-|

+|Processor|12th Generation Intel Core i5-12600 (6 Cores/18MB/12T/3.3GHz to 4.8GHz/65W) |338-CCYL|1|

+|Memory| 8 GB (1x8GB) DDR4 Non-ECC Memory |370-AGFP |1 |

+|Storage |M.2 2280 512 GB PCIe NVMe Class 40 Solid State Drive |400-BMWH |1 |

+|Storage |M.2 22x30 Thermal Pad |412-AAQT |1 |

+|Storage |M2X3.5 Screw for SSD/DDPE |773-BBBC |1 |

+|Speakers |Internal Speaker |520-AARD |1 |

+|Graphics |Intel Integrated Graphics |490-BBFG |1 |

+|Optical Drive |No Optical Drive |429-ABKF |1 |

+|Network Adapters (NIC) |No Additional Network Card Selected (Integrated NIC included) |555-BBJO |1 |

+|Power Cord |System Power Cord (UK/MY/SG/HK/Bangladesh/Brunei/Pakistan/Sri Lanka/Maldives) |450-AANJ |1 |

+|Documentation |End User License Agreement (MUI) OEM |340-ABMB |1 |

+|Keyboard |Dell Multimedia Keyboard-KB216 - UK (QWERTY) - Black |580-ADDF |1 |

+|Mouse |Dell Optical Mouse-MS116 - Black |570-ABJO |1 |

+|System Monitoring Options |System Monitoring not selected in this configuration |817-BBSI |1 |

+|Additional Video Ports |No Additional Video Ports |492-BCKH |1 |

+|Add-in Cards |No Additional Add In Cards |382-BBHX |1 |

+|Additional Storage Devices - Media Reader |No Media Card Reader |385-BBCR |1|

+|Dust Protection |Dust Filter |325-BDSX |1 |

+|Chassis Options |300 W internal power supply unit (PSU), 92% Efficient, 80 Plus Platinum, V3, TCO9 |329-BJVV |1 |

+|Systems Management |In-Band Systems Management |631-ADFK |1|

+|EPEAT 2018 |EPEAT 2018 Registered (Silver) |379-BDTO |1 |

+|ENERGY STAR |ENERGY STAR Qualified |387-BBLW |1 |

+|TPM Security |Trusted Platform Module (Discrete TPM Enabled) |329-BBJL |1 |

+|Consolidation Fees - (EM-EMEA Only) |Consolidation Fee Desktop |546-10007 |1 |

+|Shipping Material |OptiPlex OEM Small Form Factor Packaging and Labels |328-BFCV |1 |

+|Optical Software |CMS Software not included |632-BBBJ |1 |

+|Processor Label |Intel Core i5 Processor Label |340-CUEW |1 |

+|Raid Connectivity |NO RAID |817-BBBN |1 |

+|Transportation from ODM to region |Desktop BTO Standard shipment |800-BBIO |1 |

+|Bezel |OEM, BRAND, XE4SFF, RM7WS2MN-V2, NOM, AVIGILON |325-BFBS |1 |

+|Bezel |OEM Badge Small Form Factor |340-DBRM |1 |

+|Bezel |Client ID Module info mod for no apps on OEM Client platform projects |750-ABLB |1 |

+|OEMR XE4 Small Form Factor |OptiPlex XE4 Small Form Factor OEM-Ready |210-BDLO |1 |

+|Hard Drive Cables and Brackets |No Hard Drive Bracket, Dell OptiPlex |575-BBKX |1 |

+|Order Information |Dell Order |799-AANV |1 |

+|BIOS Configuration - Standard |BIOS: NIC Set To On w/ PXE |696-10356 |1 |

+|BIOS Configuration - Standard |BIOS Wake-On-Lan Set To Enabled-Same As Remote wake up |696-10362 |1 |

+|BIOS Configuration - Standard |BIOS Setting Mandatory Enablement SKU |696-10421 |1 |

+|Label |Regulatory Label XE4 OEM SFF EMEA |389-EEGP |1 |

+|Operating System |Ubuntu Linux 20.04 |605-BBNY |1 |

+|Operating System Recovery Options |No Media |620-AAOH |1 |

+|Dell

+|Dell

+|Dell

+|Dell

+## Optional port expansion

+Optional modules for port expansion include:

+|Description| PN|Quantity|

+|--|--||

+|Dell Intel Ethernet i350 Quad Port 1 GbE Base-T Adapter PCIe Full Height |540-BDLF |1|

+|Intel 1 GB Single Port PCIe Network card (half height) |540-BBMO |1 |

+|Intel X710 Dual Port 10 GbE SFP+ Adapter | 540-BDQZ |1|

+## Set up the Dell XE4 BIOS

+This procedure describes how to configure the BIOS configuration for an unconfigured sensor appliance.

+If any of the steps are missing in the BIOS, make sure that the hardware matches the specifications above.

+Set up the Dell XE4 BIOS to achieve optimal performance for sensors.

+**To configure the Dell XE4 BIOS**:

+1. Set up **Boot Mode**

+ 1. Select **System setup options** > **Boot Configuration menu** > **Boot Mode**

+ 1. Set to **UEFI Only**

+1. Set up **Installation boot from USB/DVD (as applicable)**

+ 1. Select **System setup options** > **Boot Configuration menu** > **Boot Sequence**

+ 1. Select the installation disk drive as the first option

+1. Set up **Restart on Power Loss**

+ 1. Select **System setup options** > **Power Menu** > **AC Behavior**

+ 1. Set to **Restart**

+1. Disable Sleep/Hibernation

+ 1. Select **System setup options** > **Power Menu** > **Block Sleep**

+ 1. Enable **Block Sleep**

+## Dell XE4 software setup

+This procedure describes how to install Defender for IoT software on the Dell XE4. The installation process takes about 20 minutes. After the installation, the system restarts several times.

+To install Defender for IoT software:

+1. Connect the screen and keyboard to the appliance, and then connect to the CLI.

+1. Connect an external CD or disk-on-key that contains the software you downloaded from the Azure portal.

+1. Switch on the appliance.

+1. Continue by installing your Defender for IoT software. For more information, see [Defender for IoT software installation](../ot-deploy/install-software-ot-sensor.md#install-defender-or-iot-software-on-ot-sensors).

+## Next steps

+Continue understanding system requirements for physical or virtual appliances. For more information, see [Which appliances do I need?](../ot-appliance-sizing.md)

+Then, use any of the following procedures to continue:

+- [Download software for an OT sensor](../ot-deploy/install-software-ot-sensor.md#download-software-files-from-the-azure-portal)

+- [Download software files for an on-premises management console](../legacy-central-management/install-software-on-premises-management-console.md#download-software-files-from-the-azure-portal)

+ Title: HPE ProLiant DL20 Gen10 Plus (NHP 2LFF) for OT monitoring in SMB/ L500 deployments - Microsoft Defender for IoT

+description: Learn about the HPE ProLiant DL20 Gen10 Plus appliance when used for OT monitoring with Microsoft Defender for IoT in SMB deployments.

+description: Learn about the HPE ProLiant DL20 Gen10 appliance when used for OT monitoring with Microsoft Defender for IoT in SMB deployments.

+| **OT networks** | **Version 24.1.0**:<br> - [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols)<br><br>**Cloud features**<br>- [New license renewal reminder in the Azure portal](#new-license-renewal-reminder-in-the-azure-portal) <br><br>- [New OT appliance hardware profile](#new-ot-appliance-hardware-profile) <br><br>- [New fields for SNMP MIB OIDs](#new-fields-for-snmp-mib-oids)|

+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The number of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance.

+### New OT appliance hardware profile

+The DELL XE4 SFF appliance is now supported for OT sensors monitoring production lines. This is part of the L500 hardware profile, a *Production line* environment, with six cores, 8-GB RAM, and 512-GB disk storage.

+For more information, see [DELL XE4 SFF](appliance-catalog/dell-xe4-sff.md).

+- Your organization must have configured Microsoft Dev Box with at least one project and dev box pool before you can create a dev box.

+ - Platform engineers can follow these steps to configure Microsoft Dev Box: [Quickstart: Configure Microsoft Dev Box](quickstart-configure-dev-box-service.md) -

+- You must have permissions as a [Dev Box User](quickstart-configure-dev-box-service.md#provide-access-to-a-dev-box-project) for a project that has an available dev box pool. If you don't have permissions to a project, contact your administrator.

+> [!IMPORTANT]

+> You organization must have configured Microsoft Dev Box with at least one project and dev box pool before you can create a dev box. If you don't see any projects or dev box pools, contact your administrator.

+When metadata records are loaded onto the Platform using `Storage service`, we can configure permissions for viewers and owners of the metadata records under the *acl* field. The viewers and owners are assigned via groups as defined in the `Entitlement service`. When performing a search as a user, the matched metadata records will only show up for users who are assigned to the Group.

+> [Domain data management service concepts](concepts-ddms.md)

+This article lists the known issues for [Azure Firewall](overview.md). It is updated as issues are resolved.

+> [!NOTE]

+> * Managed certificate is currently **not supported** for Azure Front Door Standard or Premium in Azure Government Cloud. You need to use BYOC for Azure Front Door Standard or Premium in Azure Government Cloud or wait until this capability is available.

+> [!NOTE]

+> * If you're not using your own certificate, enabling managed identities and granting access to the Key Vault is not required. You can skip to the [**Migrate**](#migrate) phase.

+> * Managed certificate is currently **not supported** for Azure Front Door Standard or Premium in Azure Government Cloud. You need to use BYOC for Azure Front Door Standard or Premium in Azure Government Cloud or wait until this capability is available.

+ > [!NOTE]

+ > Managed certificate is currently **not supported** for Azure Front Door Standard or Premium in Azure Government Cloud. You need to use BYOC for Azure Front Door Standard or Premium in Azure Government Cloud or wait until this capability is available..

+At the end of this process, you identify virtual machines that aren't using managed

+ that sends HTTP requests to Azure Resource Manager-based REST APIs. You can also use tooling like PowerShell's

+ [Invoke-RestMethod](/powershell/module/microsoft.powershell.utility/invoke-restmethod).

+- **Scope** - A scope determines which resources or group of resources the policy assignment gets

+- **Name** - The name of the assignment. For this example, _audit-vm-manageddisks_ was used.

+ assignment. In this case, it's the ID of policy definition _Audit VMs that don't use managed

+To view the non-compliant resources that aren't compliant under this new assignment, run the following command to

+The results are comparable to what you'd typically see listed under **Non-compliant resources** in the Azure portal view.

+In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.

+To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for:

+REST API has no libraries or modules to uninstall. If you installed a tool like _ARMClient_ to make the calls and no longer need it, you may uninstall the tool now.

+ "apiVersion": "2023-11-01",

+ "apiVersion": "2023-11-01",

+$fhirservicename="your fhir service name"

+ Title: Azure IoT Central solution architecture

+The telemetry, properties, and commands that a device implements are collectively known as the device capabilities. You define these capabilities in a model that the device and the IoT Central application share. In IoT Central, this model is part of the device template that defines a specific type of device. To learn more, see [Assign a device to a device template](concepts-device-templates.md#assign-a-device-to-a-device-template).

+- Devices can't connect directly to IoT Central because they can't connect to the internet. For example, you might have a collection of Bluetooth enabled occupancy sensors that need to connect through a gateway device.

+[Transformations](howto-transform-data-internally.md) in an IoT Central data export definition let you manipulate the format and structure of the device data before exporting it to a destination.

+For long-term storage and control over archiving and retention policies, you can [continuously export your data](howto-export-to-blob-storage.md) to other storage destinations. The use of a separate storage service outside of IoT Central lets you use other analytics tools to derive insights from the data in your solution.

+You might need to [transform or do computations](howto-transform-data.md) on your data before it can be used either in IoT Central or another service. For example, you could add local weather information to the location data reported by a delivery truck.

+An X.509 enrollment group contains a root or intermediate X.509 certificate. Devices can authenticate if they have a valid leaf certificate derived from the root or intermediate certificate.

+Each enrollment group should use a unique X.509 certificate. IoT Central doesn't support using the same X.509 certificate across multiple enrollment groups.

+To learn more, see [How to connect devices with X.509 certificates](how-to-connect-devices-x509.md).

+A SAS enrollment group contains group-level SAS keys. Devices can authenticate if they have a valid SAS token derived from a group-level SAS key.

+If you use the default **SAS-IoT-Devices** enrollment group, IoT Central generates the individual device keys for you. To access these keys, select **Connect** on the device details page. This page displays the **ID Scope**, **Device ID**, **Primary key**, and **Secondary key** that you use in your device code. This page also displays a QR code that contains the same data.

+Typically, devices connect by using credentials derived from an enrollment group X.509 certificate or SAS key. However, if your devices each have their own credentials, you can use individual enrollments. An individual enrollment is an entry for a single device allowing it to connect. Individual enrollments can use either X.509 leaf certificates or SAS tokens (from a physical or virtual trusted platform module) as attestation mechanisms. For more information, see [DPS individual enrollment](../../iot-dps/concepts-service.md#individual-enrollment).

+To set up a sample to evaluate a solution, see [Ingest Industrial Data with Azure IoT Central and Calculate OEE](https://github.com/Azure-Samples/iotc-solution-builder).

+* A *gateway device*, with downstream devices connecting to it. A gateway device can include custom modules.

+This guide shows two ways to use X.509 certificates - [group enrollments](how-to-connect-devices-x509.md#use-group-enrollment) typically used in a production environment, and [individual enrollments](how-to-connect-devices-x509.md#use-individual-enrollment) useful for testing. The article also describes how to [roll device certificates](#roll-your-x509-device-certificates) to maintain connectivity when certificates expire.

+To complete the steps in this how-to guide, you should first complete the [Create and connect a client application to your Azure IoT Central application](./tutorial-connect-device.md) tutorial. You modify the code you used in the tutorial when you follow the steps in this guide.

+These commands produce the following root and the device certificates:

+1. If you're using an intermediate or root certificate authority that you trust and know you have full ownership of the certificate, you can self-attest that you verified the certificate by setting certificate status verified on upload to **On**. Otherwise, set certificate status verified on upload to **Off**.

+After you save the enrollment group, make a note of the ID scope. You need it later.

+## Roll your X.509 device certificates

+During the lifecycle of your IoT Central application, you might need to roll your X.509 certificates. For example:

+- X.509 certificates have expiry dates. The frequency in which you roll your certificates depends on the security needs of your solution. Customers with solutions involving highly sensitive data might roll certificates daily, while others roll their certificates every couple years.

+5. Later when the secondary certificate expires, come back and update the secondary certificate.

+ - *~/certs/certs/iot-edge-device-mycacert-full-chain.cert.pem* - A device CA certificate referenced from the IoT Edge configuration file. In a gateway scenario, this CA certificate is how the IoT Edge device verifies its identity to downstream devices.

+ The previous example assumes you're signed in as **AzureUser** and created a device CA certificate called "mycacert".

+IoT Central relies on the Device Provisioning Service (DPS) to provision devices in IoT Central. Currently, IoT Edge can't use DPS provision a downstream device to your IoT Central application. The following steps show you how to provision the `thermostat1` device manually. To complete these steps, you need an environment with Python installed and internet connectivity. Check the [Azure IoT Python SDK](https://github.com/Azure/azure-iot-sdk-python/blob/main/README.md) for current Python version requirements. The [Azure Cloud Shell](https://shell.azure.com/) has Python preinstalled:

+ > If you see an error when the downstream device tries to connect. Try re-running the device provisioning steps.

+ Title: Authenticate REST API calls in Azure IoT Central

+This article describes the types of token you can use in the authorization header, and how to get them. Service principals are the recommended approach for IoT Central REST API access management.

+- _Microsoft Entra bearer token_. A bearer token is associated with a Microsoft Entra user account or service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application.

+Use a bearer token associated with your user account while you're developing and testing automation and scripts that use the REST API. Use a bearer token associated with a service principal for production automation and scripts. Use a bearer token in preference to an API token to reduce the risk of leaks and problems when tokens expire.

+1. Select **+ New** or **Create an API token**.

+After you query your data, you can visualize it on the line chart. You can show or hide telemetry, change the time duration, or view the data in a grid.

+ - **Inner date range slider tool**: Use the two endpoint controls to highlight the time span you want. The outer date range slider control constrains the inner date range.

+# Edit a device template

+Changes to the model in a device template can affect your entire application, including any connected devices. Changes to a capability used by rules, exports, device groups, or jobs might cause them to behave unexpectedly or not work at all. For example, if you remove a telemetry definition from a template:

+Additive changes, such as adding a capability or interface to a model are nonbreaking changes. You can make additive changes to a model at any stage of the development life cycle.

+For an IoT Edge device, the model groups capabilities by modules that correspond to the IoT Edge modules running on the device. The deployment manifest is a separate JSON document that tells an IoT Edge device which modules to install, how to configure them, and what properties the module has. If you modify a deployment manifest, you can update the device template to include the modules and properties defined in the manifest:

+- _Save_. When you change part of your device template, saving the changes creates a draft that you can return to. These changes don't yet affect connected devices. Any devices created from this template don't have the saved changes until you publish it.

+- _Version a template_. When you version a device template, it creates a new template with all the latest saved changes. Changes made to a new version don't impact existing device instances. To learn more, see [Version a device template](#version-a-device-template).

+| Map (telemetry) | Display the location of one or more devices on a map. You can also display up to 100 points of a device's location history. For example, you can display a sampled route of where a device went in the past week.|

+* `displayName`: a name for the deployment manifest displayed in the UI.

+To use a deployment manifest already stored in your IoT Central application, first use the [Get a deployment manifest](#get-a-deployment-manifest) API to fetch it.

+Use **Assign edge manifest** to select a previously uploaded deployment manifest from the **Edge manifests** page. You can also use this option to manually notify a device if you modify the deployment manifest on the **Edge manifests** page.

+If you're assigning a device template to an IoT Edge device, you might want to define the modules and writable properties in the device template. To add the modules and property definitions to a device template:

+- The device status changes to **Provisioned** when a registered device completes the provisioning step by using the Device Provisioning Service (DPS). To complete the provisioning process, the device needs the *Device ID* that was used to register the device, either a SAS key or X.509 certificate, and the *ID scope*. After DPS provisions the device, it can connect to your IoT Central application and start sending data.

+| Waiting for approval | The auto approve option is disabled in the device connection group and the device wasn't added through the UI. <br/> A user must manually approve the device through the UI before it can be used. | `Provisioned: false` <br/> `Enabled: false` |

+| Registered | A device was approved either automatically or manually. | `Provisioned: false` <br/> `Enabled: true` |

+| Provisioned | The device was provisioned and can connect to your IoT Central application. | `Provisioned: true` <br/> `Enabled: true` |

+| Blocked | The device isn't allowed to connect to your IoT Central application. You can block a device that is in any of the other states. | `Provisioned:` depends on `Waiting for approval`/`Registered`/`Provisioned status` <br/> `Enabled: false` |

+A device can also have a status of **Unassigned**. This status isn't shown in the **Device status** field in the UI, it's shown in the **Device template** field in the UI. However, you can filter the device list for devices with the **Unassigned** status. If the device status is **Unassigned**, the device connecting to IoT Central isn't assigned to a device template. This situation typically happens in the following scenarios:

+When a device or edge device connects using the MQTT protocol, _connected_ and _disconnected_ events for the device are generated. The device doesn't send these events, IoT Central generates them internally.

+1. To see the device details, click on the device in the device list.

+Cloud properties are the device metadata associated with the device, such as city and serial number. Cloud properties only exist in the IoT Central application and aren't synchronized to your devices. Writable properties control the behavior of a device and let you set the state of a device remotely, for example by setting the target temperature of a thermostat device. Device properties are set by the device and are read-only within IoT Central. You can view and update properties on the **Device Details** views for your device.

+description: Learn how to use the IoT Central REST API to add, modify, delete, and manage devices in an application.

+| Waiting for approval | The auto approve option is disabled in the device connection group and the device wasn't added through the UI. <br/> A user must manually approve the device through the UI before it can be used. | `Provisioned: false` <br/> `Enabled: false` |

+| Registered | A device was approved either automatically or manually. | `Provisioned: false` <br/> `Enabled: true` |

+| Provisioned | The device was provisioned and can connect to your IoT Central application. | `Provisioned: true` <br/> `Enabled: true` |

+| Blocked | The device isn't allowed to connect to your IoT Central application. You can block a device that is in any of the other states. | `Provisioned:` depends on `Waiting for approval`/`Registered`/`Provisioned status` <br/> `Enabled: false` |

+Use the **maxpagesize** to set the result size. The maximum returned result size is 100 and the default size is 25.

+When you create a device group, you define a `filter` that selects the devices to add to the group. A `filter` identifies a device template and any properties to match. The following example creates device group that contains all devices associated with the "dtmi:modelDefinition:dtdlv2" template where the `provisioned` property is `true`.

+The organizations field is only used when an application has an organization hierarchy defined. To learn more about organizations, see [Manage IoT Central organizations](howto-edit-device-template.md).

+These commands produce the following root and the device certificates:

+description: This article describes how to create and manage your IoT Central applications with the REST API, add a system assigned managed identity, and manage dashboards.

+You can use the [control plane REST API](/rest/api/iotcentral/2021-06-01controlplane/apps) to create and manage IoT Central applications. You can also use the REST API to:

+* Add a managed identity to your application.

+* Manage dashboards in your application

+## Dashboards

+You can create dashboards that are associated with a specific organization. An organization dashboard is only visible to users who have access to the organization the dashboard is associated with. Only users in a role that has [organization dashboard permissions](howto-manage-users-roles.md#customizing-the-app) can create, edit, and delete organization dashboards.

+All users can create *personal dashboards*, visible only to themselves. Users can switch between organization and personal dashboards.

+> [!NOTE]

+> Creating personal dashboards using API is currently not supported.

+To learn how to manage dashboards by using the IoT Central UI, see [How to manage dashboards.](../core/howto-manage-dashboards.md)

+### Dashboards REST API

+The IoT Central REST API lets you:

+* Add a dashboard to your application

+* Update a dashboard in your application

+* Get a list of the dashboard in the application

+* Get a dashboard by ID

+* Delete a dashboard in your application

+## Add a dashboard

+Use the following request to create a dashboard.

+```http

+PUT https://{your app subdomain}.azureiotcentral.com/api/dashboards/{dashboardId}?api-version=2022-10-31-preview

+```

+`dashboardId` - A unique [DTMI](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md#digital-twin-model-identifier) identifier for the dashboard.

+The request body has some required fields:

+* `@displayName`: Display name of the dashboard.

+* `@favorite`: Is the dashboard in the favorites list?

+* `group`: Device group ID.

+* `Tile` : Configuration specifying tile object, including the layout, display name, and configuration.

+Tile has some required fields:

+| Name | Description |

+| - | -- |

+| `displayName` | Display name of the tile |

+| `height` | Height of the tile |

+| `width` | Width of the tile |

+| `x` | Horizontal position of the tile |

+| `y` | Vertical position of the tile |

+The dimensions and location of a tile both use integer units. The smallest possible tile has a height and width of one.

+You can configure a tile object to display multiple types of data. This article includes examples of tiles that show line charts, markdown, and last known value. To learn more about the different tile types you can add to a dashboard, see [Tile types](howto-manage-dashboards.md#tile-types).

+### Line chart tile

+Plot one or more aggregate telemetry values for one or more devices over a time period. For example, you can display a line chart to plot the average temperature and pressure of one or more devices during the past hour.

+The line chart tile has the following configuration:

+| Name | Description |

+|--|--|

+| `capabilities` | Specifies the aggregate value of the telemetry to display. |

+| `devices` | The list of devices to display. |

+| `format` | The format configuration of the chart such as the axes to use. |

+| `group` | The ID of the device group to display. |

+| `queryRange` | The time range and resolution to display.|

+| `type` | `lineChart` |

+### Markdown tile

+Clickable tiles that display a heading and description text formatted in Markdown. The URL can be a relative link to another page in the application or an absolute link to an external site.

+The markdown tile has the following configuration:

+| Name | Description |

+|--|--|

+| `description` | The markdown string to render inside the tile. |

+| `href` | The link to visit when the tile is selected. |

+| `image` | A base64 encoded image to display. |

+| `type` | `markdown` |

+### Last known value tile

+Display the latest telemetry values for one or more devices. For example, you can use this tile to display the most recent temperature, pressure, and humidity values for one or more devices.

+The last known value (LKV) tile has the following configuration:

+| Name | Description |

+|--|--|

+| `capabilities` | Specifies the telemetry to display. |

+| `devices` | The list of devices to display. |

+| `format` | The format configuration of the LKV tile such as text size of word wrapping. |

+| `group` | The ID of the device group to display. |

+| `showTrend` | Show the difference between the last known value and the previous value. |

+| `type` | `lkv` |

+The following example shows a request body that adds a new dashboard with line chart, markdown, and last known value tiles. The LKV and line chart tiles are `2x2` tiles. The markdown tile is a `1x1` tile. The tiles are arranged on the top row of the dashboard:

+```json

+{

+ "displayName": "My Dashboard ",

+ "tiles": [

+ {

+ "displayName": "LKV Temperature",

+ "configuration": {

+ "type": "lkv",

+ "capabilities": [

+ {

+ "capability": "temperature",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "group": "0fb6cf08-f03c-4987-93f6-72103e9f6100",

+ "devices": [

+ "3xksbkqm8r",

+ "1ak6jtz2m5q",

+ "h4ow04mv3d"

+ ],

+ "format": {

+ "abbreviateValue": false,

+ "wordWrap": false,

+ "textSize": 14

+ }

+ },

+ "x": 0,

+ "y": 0,

+ "width": 2,

+ "height": 2

+ },

+ {

+ "displayName": "Documentation",

+ "configuration": {

+ "type": "markdown",

+ "description": "Comprehensive help articles and links to more support.",

+ "href": "https://aka.ms/iotcentral-pnp-docs",

+ "image": "4d6c6373-0220-4191-be2e-d58ca2a289e1"

+ },

+ "x": 2,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "Average temperature",

+ "configuration": {

+ "type": "lineChart",

+ "capabilities": [

+ {

+ "capability": "temperature",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "devices": [

+ "3xksbkqm8r",

+ "1ak6jtz2m5q",

+ "h4ow04mv3d"

+ ],

+ "group": "0fb6cf08-f03c-4987-93f6-72103e9f6100",

+ "format": {

+ "xAxisEnabled": true,

+ "yAxisEnabled": true,

+ "legendEnabled": true

+ },

+ "queryRange": {

+ "type": "time",

+ "duration": "PT30M",

+ "resolution": "PT1M"

+ }

+ },

+ "x": 3,

+ "y": 0,

+ "width": 2,

+ "height": 2

+ }

+ ],

+ "favorite": false

+}

+```

+<!-- TODO: Fix this - also check the image example above... -->

+The response to this request looks like the following example:

+```json

+{

+ "id": "dtmi:kkfvwa2xi:p7pyt5x38",

+ "displayName": "My Dashboard",

+ "personal": false,

+ "tiles": [

+ {

+ "displayName": "lineChart",

+ "configuration": {

+ "type": "lineChart",

+ "capabilities": [

+ {

+ "capability": "temperature",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "devices": [

+ "1cfqhp3tue3",

+ "mcoi4i2qh3"

+ ],

+ "group": "da48c8fe-bac7-42bc-81c0-d8158551f066",

+ "format": {

+ "xAxisEnabled": true,

+ "yAxisEnabled": true,

+ "legendEnabled": true

+ },

+ "queryRange": {

+ "type": "time",

+ "duration": "PT30M",

+ "resolution": "PT1M"

+ }

+ },

+ "x": 5,

+ "y": 0,

+ "width": 2,

+ "height": 2

+ }

+ ],

+ "favorite": false

+}

+```

+## Get a dashboard

+Use the following request to retrieve the details of a dashboard by using a dashboard ID.

+```http

+GET https://{your app subdomain}.azureiotcentral.com/api/dashboards/{dashboardId}?api-version=2022-10-31-preview

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "dtmi:kkfvwa2xi:p7pyt5x38",

+ "displayName": "My Dashboard",

+ "personal": false,

+ "tiles": [

+ {

+ "displayName": "lineChart",

+ "configuration": {

+ "type": "lineChart",

+ "capabilities": [

+ {

+ "capability": "AvailableMemory",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "devices": [

+ "1cfqhp3tue3",

+ "mcoi4i2qh3"

+ ],

+ "group": "da48c8fe-bac7-42bc-81c0-d8158551f066",

+ "format": {

+ "xAxisEnabled": true,

+ "yAxisEnabled": true,

+ "legendEnabled": true

+ },

+ "queryRange": {

+ "type": "time",

+ "duration": "PT30M",

+ "resolution": "PT1M"

+ }

+ },

+ "x": 5,

+ "y": 0,

+ "width": 2,

+ "height": 2

+ }

+ ],

+ "favorite": false

+}

+```

+## Update a dashboard

+```http

+PATCH https://{your app subdomain}.azureiotcentral.com/api/dashboards/{dashboardId}?api-version=2022-10-31-preview

+```

+The following example shows a request body that updates the display name of a dashboard and adds the dashboard to the list of favorites:

+```json

+{

+ "displayName": "New Dashboard Name",

+ "favorite": true

+}

+```

+The response to this request looks like the following example:

+```json

+{

+ "id": "dtmi:kkfvwa2xi:p7pyt5x38",

+ "displayName": "New Dashboard Name",

+ "personal": false,

+ "tiles": [

+ {

+ "displayName": "lineChart",

+ "configuration": {

+ "type": "lineChart",

+ "capabilities": [

+ {

+ "capability": "AvailableMemory",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "devices": [

+ "1cfqhp3tue3",

+ "mcoi4i2qh3"

+ ],

+ "group": "da48c8fe-bac7-42bc-81c0-d8158551f066",

+ "format": {

+ "xAxisEnabled": true,

+ "yAxisEnabled": true,

+ "legendEnabled": true

+ },

+ "queryRange": {

+ "type": "time",

+ "duration": "PT30M",

+ "resolution": "PT1M"

+ }

+ },

+ "x": 5,

+ "y": 0,

+ "width": 5,

+ "height": 5

+ }

+ ],

+ "favorite": true

+}

+```

+## Delete a dashboard

+Use the following request to delete a dashboard by using the dashboard ID:

+```http

+DELETE https://{your app subdomain}.azureiotcentral.com/api/dashboards/{dashboardId}?api-version=2022-10-31-preview

+```

+## List dashboards

+Use the following request to retrieve a list of dashboards from your application:

+```http

+GET https://{your app subdomain}.azureiotcentral.com/api/dashboards?api-version=2022-10-31-preview

+```

+The response to this request looks like the following example:

+```json

+{

+ "value": [

+ {

+ "id": "dtmi:kkfvwa2xi:p7pyt5x3o",

+ "displayName": "Dashboard",

+ "personal": false,

+ "tiles": [

+ {

+ "displayName": "Device templates",

+ "configuration": {

+ "type": "markdown",

+ "description": "Get started by adding your first device.",

+ "href": "/device-templates/new/devicetemplates",

+ "image": "f5ba1b00-1d24-4781-869b-6f954df48736"

+ },

+ "x": 1,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "Quick start demo",

+ "configuration": {

+ "type": "markdown",

+ "description": "Learn how to use Azure IoT Central in minutes.",

+ "href": "https://aka.ms/iotcentral-pnp-video",

+ "image": "9eb01d71-491a-44e5-8fac-7af3bc9f9acd"

+ },

+ "x": 2,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "Tutorials",

+ "configuration": {

+ "type": "markdown",

+ "description": "Step-by-step articles teach you how to create apps and devices.",

+ "href": "https://aka.ms/iotcentral-pnp-tutorials",

+ "image": "7d9fc12c-d46e-41c6-885f-0a67c619366e"

+ },

+ "x": 3,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "Documentation",

+ "configuration": {

+ "type": "markdown",

+ "description": "Comprehensive help articles and links to more support.",

+ "href": "https://aka.ms/iotcentral-pnp-docs",

+ "image": "4d6c6373-0220-4191-be2e-d58ca2a289e1"

+ },

+ "x": 4,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "IoT Central Image",

+ "configuration": {

+ "type": "image",

+ "format": {

+ "backgroundColor": "#FFFFFF",

+ "fitImage": true,

+ "showTitle": false,

+ "textColor": "#FFFFFF",

+ "textSize": 0,

+ "textSizeUnit": "px"

+ },

+ "image": ""

+ },

+ "x": 0,

+ "y": 0,

+ "width": 1,

+ "height": 1

+ },

+ {

+ "displayName": "Contoso Image",

+ "configuration": {

+ "type": "image",

+ "format": {

+ "backgroundColor": "#FFFFFF",

+ "fitImage": true,

+ "showTitle": false,

+ "textColor": "#FFFFFF",

+ "textSize": 0,

+ "textSizeUnit": "px"

+ },

+ "image": "c9ac5af4-f38e-4cd3-886a-e0cb107f391c"

+ },

+ "x": 0,

+ "y": 1,

+ "width": 5,

+ "height": 3

+ },

+ {

+ "displayName": "Available Memory",

+ "configuration": {

+ "type": "lineChart",

+ "capabilities": [

+ {

+ "capability": "AvailableMemory",

+ "aggregateFunction": "avg"

+ }

+ ],

+ "devices": [

+ "1cfqhp3tue3",

+ "mcoi4i2qh3"

+ ],

+ "group": "da48c8fe-bac7-42bc-81c0-d8158551f066",

+ "format": {

+ "xAxisEnabled": true,

+ "yAxisEnabled": true,

+ "legendEnabled": true

+ },

+ "queryRange": {

+ "type": "time",

+ "duration": "PT30M",

+ "resolution": "PT1M"

+ }

+ },

+ "x": 5,

+ "y": 0,

+ "width": 2,

+ "height": 2

+ }

+ ],

+ "favorite": false

+ }

+ ]

+}

+```

+description: Create, edit, delete, and manage users and roles in your Azure IoT Central application to control access to resources.

+1. To add a user to an IoT Central application, go to the **Users** page in the **Permissions** section:

+1. To add a user on the **Users** page, choose **+ Assign user**. To add a service principal on the **Users** page, choose **+ Assign service principal**. To add a Microsoft Entra group on the **Users** page, choose **+ Assign group**. Start typing the name of the Active Directory group or service principal to autopopulate the form.

+1. Choose a role for the user from the **Role** drop-down menu. Learn more about roles in the [Manage roles](#manage-roles) section of this article:

+ When you invite a new user, you need to share the application URL with them and ask them to sign in. After the user signs in for the first time, the application appears on the user's [My apps](https://apps.azureiotcentral.com/myapps) page.

+Roles and organizations can't be changed after they're assigned. To change the role or organization assigned to a user, delete the user, and then add the user again with a different role or organization.

+You can add users to your custom role in the same way that you add users to a built-in role.

+### Minimize disruption

+To minimize disruption, you can migrate your devices in phases. The migrator tool uses device groups to move devices from IoT Central to your IoT hub. Divide your device fleet into device groups such as devices in Texas, devices in New York, and devices in the rest of the US. Then migrate each device group independently.

+> [!WARNING]

+> You can't add unassigned devices to a device group. Therefore you can't currently use the migrator tool to migrate unassigned devices.

+Minimize business impact by following these steps:

+- Create the PaaS solution and run it in parallel with the IoT Central application.

+- Set up continuous data export in IoT Central application and appropriate routes to the PaaS solution IoT hub. Transform both data channels and store the data into the same data lake.

+- Migrate the devices in phases and verify at each phase. If something doesn't go as planned, fail the devices back to IoT Central.

+- When you've migrated all the devices to the PaaS solution and fully exported your data from IoT Central, you can remove the devices from the IoT Central solution.

+After the migration, devices aren't automatically deleted from the IoT Central application. These devices continue to be billed as IoT Central charges for all provisioned devices in the application. When you remove these devices from the IoT Central application, you're no longer billed for them. Eventually, remove the IoT Central application.

+### Move existing data out of IoT Central

+You can configure IoT Central to continuously export telemetry and property values. Export destinations are data stores such as Azure Data Lake, Event Hubs, and Webhooks. You can export device templates using either the IoT Central UI or the REST API. The REST API lets you export the users in an IoT Central application.

+description: How to create an Azure IoT device template in your Azure IoT Central application. You define the telemetry, state, properties, and commands for your device type.

+The name of the template you created is **Sensor Controller**. The model includes components such as **Sensor Controller**, **SensorTemp**, and **Device Information interface**. Components define the capabilities of an ESP32 device. Capabilities include the telemetry, properties, and commands.

+You can also automatically create a device template from a currently unassigned device. IoT Central uses the telemetry and property values the device sends to infer a device model.

+After you define the template, you can publish it. Until the template is published, you can't connect a device to it, and it doesn't appear on the **Devices** page.

+- Import a DTDL model from a JSON file. A device builder might use Visual Studio Code to author a device model for your application.

+- Select one of the devices from the device catalog. This option imports the device model that the manufacturer published for this device. A device model imported like this is automatically published.

+|Initial value | The default parameter value. This parameter is an IoT Central extension to DTDL. |

+Use cloud properties to store information about devices in IoT Central. Cloud properties are never sent to a device. For example, you can use cloud properties to store the name of the customer who installed the device, or the device's last service date.

+After you select **Generate default views**, they're automatically added under the **Views** section of your device template.

+To test your view, select **Configure preview device**. This feature lets you see the view as an operator sees it after it publishes. Use this feature to validate that your views show the correct data. Choose from the following options:

+- The real test device you configured for your device template.

+- Create applications.

+- Manage security.

+- Preconfigured rules and jobs

+You choose the application template when you create your application. You can't change the template an application uses after you create it.

+- Create a copy of an application if you just need a duplicate copy of your application. For example, you might need a duplicate copy for testing.

+The preview devices API also lets you [manage dashboards](howto-manage-iot-central-with-rest-api.md#dashboards), [manage deployment manifests](howto-manage-deployment-manifests-with-rest-api.md), and [manage data exports](howto-manage-data-export-with-rest-api.md).

+- Aggregate or filter telemetry before sending it to IoT Central. This approach can help reduce the costs of sending data to IoT Central.

+A gateway device manages one or more downstream devices that connect to your IoT Central application. A gateway device can process the telemetry from the downstream devices before forwarding it to your IoT Central application. Both IoT devices and IoT Edge devices can act as gateways. To learn more, see [Define a new IoT gateway device type in your Azure IoT Central application](./tutorial-define-gateway-device-type.md) and [How to connect devices through an IoT Edge transparent gateway](how-to-connect-iot-edge-transparent-gateway.md).

+When you register a device with IoT Central, you tell IoT Central the ID of a device that you want to connect to the application. Optionally at this stage, you can assign the device to a [device template](concepts-device-templates.md) that declares the capabilities of the device to your application.

+Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging. You can choose to lock down these destinations by using an Azure Virtual Network and private endpoints. To enable IoT Central to connect to a destination on a secure virtual network, configure a firewall exception. To learn more, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).

+In this quickstart, you configure an IoT Central rule. IoT Central rules let you automate actions that occur in response to specific conditions. The example in this quickstart uses accelerometer telemetry from the phone to trigger a rule when the phone is turned over.

+The smartphone app sends telemetry that includes values from the accelerometer sensor. The sensor works differently on Android and iOS devices:

+## Next step

+In this quickstart, you create an Azure IoT Central application and connect your first device. To get you started quickly, you install an app on your smartphone to act as the device. The app sends telemetry, reports properties, and responds to commands:

+ You should have at least **Contributor** access in your Azure subscription. If you created the subscription yourself, you're automatically an administrator with sufficient access. To learn more, see [What is Azure role-based access control?](../../role-based-access-control/overview.md).

+ | Resource group | The resource group you want to use. You can create a new resource group or use an existing one. |

+> The QR code contains the information, such as the registered device ID, that your device needs to establish a connection to your IoT Central application. It saves you from the need to enter the connection information manually.

+## Next step

+In this quickstart, you configure your IoT Central application to export data Azure Data Explorer. Azure Data Explorer lets you store, query, and process the telemetry from devices such as the **IoT Plug and Play** smartphone app.

+ To see how the transformation works and experiment with the query, paste the following sample telemetry message into **1. Add your input message**:

+You might need to wait for several minutes to collect enough data. To see the telemetry values change, try holding your phone in different orientations:

+## Next step

+1. In your IoT Central application, navigate to the **Devices** page. Check the status of the **Environmental sensor - 001** device is **Provisioned**. You might need to wait for a few minutes while the device connects.

+A deployment manifest can include definitions of properties exposed by a module. For example, the configuration in the deployment manifest for the **SimulatedTemperatureSensor** module includes the following:

+1. Select **Add inherited interface** (you might need to select **...** to see this option). Select **Import interface**. Then import the *EnvironmentalSensorTelemetry.json* file you previously downloaded.

+A gateway device can also:

+In this tutorial, you create a device template for a gateway device from scratch. You use this template later to create a simulated gateway device in your application.

+To learn more about modifying a device template after you publish it, see [Edit an existing device template](howto-edit-device-template.md).

+To manage the device, add a new form to the device template:

+ To select an aggregation type, use the ellipsis icons next to the telemetry types. The default is **Average**. Use **Group by** to change how the aggregate data is shown. For example, if you split by device ID you see a plot for each device when you select **Analyze**.

+> - Authorize the REST API.

+> - Create an IoT Central application.

+> - Add a device to your application.

+> - Query and control the device.

+> - Set up data export.

+> - Delete an application.

+The collection uses variables to parameterize the REST API calls. To see the variables, select the `...` next to **IoT Central REST tutorial** and select **Edit**. Then select **Variables**. Many of the variables are either set automatically as you make the API calls or have preset values.

+1. Select **Send**. In the response, notice that the device is now provisioned. IoT Central also assigned a device template to the device based on the model ID sent by the device.

+You can use the REST API to configure and manage your IoT Central application. The following steps show you how to configure data export to send telemetry values to a webhook. To simplify the setup, this article uses a **RequestBin** webhook as the destination. **RequestBin** is a non-Microsoft service.

+It might take a couple of minutes for the export to start. To check the status of the export by using the REST API:

+Delta updates allow you to generate a small update that represents only the changes between two full updates - a source image and a target image. This approach is ideal for reducing the bandwidth used to download an update to a device, particularly if there are only a few changes between the source and target updates.

+- The source and target update files must be SWUpdate (SWU) format.

+- The delta generation process recompresses the target SWU update using zstd compression in order to produce an optimal delta. Import this recompressed target SWU update to the Device Update service along with the generated delta update file.

+ - This process requires using [SWUpdate 2019.11](https://github.com/sbabic/swupdate/releases/tag/2019.11) or later.

+The Device Update agent _orchestrates_ the update process on the device, including download, install, and restart actions. Add the Device Update agent to a device and configure it for use. Use agent version 1.0 or later. For instructions, see [Device Update agent provisioning](device-update-agent-provisioning.md).

+The delta processor re-creates the original SWU image file on your device after the delta file is downloaded, so your update handler can install the SWU file. The delta processor code is available in the [Azure/iot-hub-device-update-delta](https://github.com/Azure/iot-hub-device-update-delta) GitHub repo.

+After a delta update is downloaded to a device, it must be compared against a valid _source SWU file_ that was previously cached on the device. This process is needed for the delta update to re-create the full target image. The simplest way to populate this cached image is to deploy a full image update to the device via the Device Update service (using the existing [import](import-update.md) and [deployment](deploy-update.md) processes). As long as the device is configured with the Device Update agent (version 1.0 or later) and delta processor, the Device Update agent caches the installed SWU file automatically for later delta update use.

+If you instead want to directly prepopulate the source image on your device, the path where the image is expected is:

+Before creating deltas with DiffGen, several things need to be downloaded and/or installed on the environment machine. We recommend a Linux environment and specifically Ubuntu 20.04 (or Windows Subsystem for Linux if natively on Windows).

+| .NETCore Runtime, version 6.0.0 | Via Terminal / Package Managers | [Instructions for Linux](/dotnet/core/install/linux). Only the Runtime is required. |

+If your SWU files are signed (likely), you need another argument as well:

+- In addition to using [recompressed_target_archive] as the target file, providing a signing command string parameter runs recompress_and_sign_tool.py to create the file [recompressed_target_archive] and have the sw-description file within the archive signed (meaning a sw-description.sig file is present). You can use the sample `sign_file.sh` script from the [Azure/iot-hub-device-update-delta](https://github.com/Azure/iot-hub-device-update-delta/tree/main/src/scripts/signing_samples/openssl_wrapper) GitHub repo. Open the script, edit it to add the path to your private key file, then save it. See the examples section for sample usage.

+| [output_path] | The path (including the desired name of the delta file being generated) on the host machine where the delta file is placed after creation. If the path doesn't exist, the tool creates it. |

+| [log_folder] | The path on the host machine where logs creates. We recommend defining this location as a sub folder of the output path. If the path doesn't exist, the tool creates it. |

+| [working_folder] | The path on the machine where collateral and other working files are placed during the delta generation. We recommend defining this location as a subfolder of the output path. If the path doesn't exist, the tool creates it. |

+In these examples, we're operating out of the /mnt/o/temp directory (in WSL):

+To create an import manifest for your delta update using the related files feature, you need to add [relatedFiles](import-schema.md#relatedfiles-object) and [downloadHandler](import-schema.md#downloadhandler-object) objects to your import manifest.

+Both of these properties are specific to your _source SWU image file_ that you used as an input to the DiffGen tool when creating your delta update. The information about the source SWU image is needed in your import manifest even though you don't actually import the source image. The delta components on the device use this metadata about the source image to locate the image on the device once the delta is downloaded.

+Use the `downloadHandler` object to specify how the Device Update agent orchestrates the delta update, using the related files feature. Unless you're customizing your own version of the Device Update agent for delta functionality, you should only use this downloadHandler:

+Once you create your import manifest, you're ready to import the delta update. To import, follow the instructions in [Add an update to Device Update for IoT Hub](import-update.md#import-an-update). You must include these items when importing:

+When you deploy a delta update, the experience in the Azure portal looks identical to deploying a regular image update. For more information on deploying updates, see [Deploy an update by using Device Update for Azure IoT Hub](deploy-update.md).

+Once you create the deployment for your delta update, the Device Update service and client automatically identify if there's a valid delta update for each device you're deploying to. If a valid delta is found, the delta update is downloaded and installed on that device. If there's no valid delta update found, the full image update (the recompressed target SWU image) is downloaded instead as a fallback. This approach ensures that all devices you're deploying the update to get to the appropriate version.

+If the update was unsuccessful, it shows an error status that can be interpreted using these instructions:

+ - If the error code isn't present in [result.h](https://github.com/Azure/iot-hub-device-update/blob/main/src/inc/aduc/result.h), it's likely an error in the delta processor component (separate from the Device Update agent). If so, the extendedResultCode is a negative decimal value of the following hexadecimal format: 0x90AXXXXX

+Device Update has several PnP models defined that support DU features. The Device Update model, '**dtmi:azure:iot:deviceUpdateContractModel;3**', supports the core functionality and uses the device update core interface to send update actions and metadata to devices and receive update status from devices.

+The other supported model is **dtmi:azure:iot:deviceUpdateModel;3** which extends **deviceUpdateContractModel;3** and also uses other PnP interfaces that send device properties and information and enable diagnostic features. Learn more about the [Device Update Models and Interfaces Versions] (https://github.com/Azure/iot-plugandplay-models/tree/main/dtmi/azure/iot).

+The Device Update agent uses the **dtmi:azure:iot:deviceUpdateModel;3** which supports all the latest features in the [1.1.0 release](https://github.com/Azure/iot-hub-device-update/releases/). This model supports the [V5 manifest version](import-concepts.md).Older manifests will work with the latest agents but new features require the use of the latest manifest version.

+|contractModelId|string|device to cloud|This property is used by the service to identify the base model version being used by the Device Update agent to manage and communicate with the agent.<br>Value: 'dtmi:azure:iot:deviceUpdateContractModel;3' for devices using DU agent version 1.1.0. <br>**Note:** Agents using the 'dtmi:azure:iot:deviceUpdateModel;2' must report the contractModelId as 'dtmi:azure:iot:deviceUpdateContractModel;3' as deviceUpdateModel;3 is extended from deviceUpdateContractModel;3|

+ "contractModelId": "dtmi:azure:iot:deviceUpdateContractModel;3",

+ "aduVer": "DU;agent/1.1.0",

+ },

+- [Roll over the keys used to authenticate devices in IoT Central](../iot-central/core/how-to-connect-devices-x509.md#roll-your-x509-device-certificates)

+- Create a [Microsoft Entra security group](../../active-directory/fundamentals/active-directory-manage-groups.md) for the HSM Administrators (instead of assigning the Administrator role to individuals) to prevent "administration lockout" if an individual account is deleted.

+- ICMP pings with packet sizes larger than 64 bytes will be dropped, leading to timeouts.

+- Outbound ICMP pings are not supported on a Load Balancer.

+ You might experience different performance levels in the workflow assistant, based on factors such as the number of workflow operations or complexity. The assistant is trained on workflows with different complexity levels but still has limited scope and might not be able to handle very large workflows. These limitations are primarily related to token constraints in the queries sent to Azure OpenAI Service. The Azure Logic Apps team is committed to continuous improvement and enhancing these limitations through iterative updates.

+**A**: The workflow is powered by [Azure OpenAI Service](../ai-services/openai/overview.md) and [ChatGPT](https://openai.com/blog/chatgpt), which use Azure Logic Apps documentation from reputable sources along with internet data that's used to train GPT 3.5-Turbo. This content is processed into a vectorized format, which is then accessible through a backend system built on Azure App Service. Queries are triggered based on interactions with the workflow designer.

+When you enter your question in the assistant's chat box, the Azure Logic Apps backend performs preprocessing and forwards the results to a large language model in Azure OpenAI Service. This model generates responses based on the current context in the form of the workflow definition's JSON code and your prompt.

+**A**: [Azure OpenAI Service](../ai-services/openai/overview.md) is an enterprise-ready AI technology that's powered and optimized for your business processes and your business data to meet security and privacy requirements.

+* You have permissions to run a batch endpoint deployment. **AzureML Data Scientist**, **Contributor**, and **Owner** roles can be used to run a deployment. For custom roles definitions read [Authorization on batch endpoints](how-to-authenticate-batch-endpoint.md) to know the specific permissions needed.

+* Access to Azure OpenAI.

+* Don't attempt to remove or replace a master node. That's a high risk operation that can cause issues with etcd, permanent network loss, and loss of access and manageability by ARO SRE. If you feel that a master node should be replaced or removed, contact support before making any changes.

+* Running custom workloads (including operators installed from Operator Hub or other operators provided by Red Hat) in infrastructure nodes isn't supported.

+* Don't remove or modify the default cluster Alertmanager svc, default receiver, or any default alerting rules, except to add other receivers to notify external systems.

+* Don't circumvent the deny assignment that is configured as part of the service, or perform administrative tasks normally prohibited by the deny assignment.

+An incident is an event that results in a degradation or outage Azure Red Hat OpenShift services. Incidents are raised by a customer or Customer Experience and Engagement (CEE) member through a [support case](openshift-service-definitions.md#support), directly by the centralized monitoring and alerting system, or directly by a member of the ARO Site Reliability Engineer (SRE) team.

+|ND96asr_v4*|Standard_ND96asr_v4|96|900|

+|ND96amsr_A100_v4*|Standard_ND96amsr_A100_v4|96|1924|

+|NC24ads_A100_v4*|Standard_NC24ads_A100_v4|24|220|

+|NC48ads_A100_v4*|Standard_NC48ads_A100_v4|48|440|

+|NC96ads_A100_v4*|Standard_NC96ads_A100_v4|96|880|

+\*Day-2 only (i.e., not supported as an install-time option)

+ Title: Archive for What's new with Azure Operator Insights ingestion agent

+description: Release notes for Azure Connected Machine agent versions older than six months.

+# Archive for What's new with Azure Operator Insights ingestion agent

+The primary [What's new in Azure Operator Insights ingestion agent?](ingestion-agent-release-notes.md) article contains updates for the last six months, while this article contains all the older information.

+The Azure Operator Insights ingestion agent receives improvements on an ongoing basis. This article provides you with information about:

+- Previous releases

+- Known issues

+- Bug fixes

+## Related content

+- [Azure Operator Insights ingestion agent overview](ingestion-agent-overview.md)

+ Title: What's new with Azure Operator Insights ingestion agent

+description: This article has release notes for Azure Operator Insights ingestion agent. For many of the summarized issues, there are links to more details.

+# What's new with Azure Operator Insights ingestion agent

+The Azure Operator Insights ingestion agent receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

+- The latest releases

+- Known issues

+- Bug fixes

+This page is updated for each new release of the ingestion agent, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Operator Insights ingestion agent](ingestion-agent-release-notes-archive.md).

+## Version 1.0.0 - February 2024

+Download for [RHEL8](https://download.microsoft.com/download/c/6/c/c6c49e4b-dbb8-4d00-be7f-f6916183b6ac/az-aoi-ingestion-1.0.0-1.el8.x86_64.rpm).

+### Known issues

+None

+### New features

+This is the first release of the Azure Operator Insights ingestion agent. It supports ingestion of Affirmed MCC EDRs and of arbitrary files from an SFTP server.

+### Fixed

+None

+## Related content

+- [Azure Operator Insights ingestion agent overview](ingestion-agent-overview.md)

+Links to the current and previous releases of the agents are available below the heading of each [release note](ingestion-agent-release-notes.md). If you're looking for an agent version that's more than 6 months old, check out the [release notes archive](ingestion-agent-release-notes-archive.md).

+Links to the current and previous releases of the agents are available below the heading of each [release note](ingestion-agent-release-notes.md). If you're looking for an agent version that's more than 6 months old, check out the [release notes archive](ingestion-agent-release-notes-archive.md).

+- Azure Databases for PostgreSQL flexible server instances are injected into subnet 10.0.1.0/24 of the VNet-1 virtual network.

+Here are some concepts to be familiar with when you're using virtual networks where resources are [integrated into virtual network](../../virtual-network/virtual-network-for-azure-services.md) with Azure Database for PostgreSQL flexible server instances:

+* **Delegated subnet**. A virtual network contains subnets (subnetworks). Subnets enable you to segment your virtual network into smaller address spaces. Azure resources are deployed into specific subnets within a virtual network.

+ The smallest CIDR range you can specify for the subnet is /28, which provides 16 IP addresses, however the first and last address in any network or subnet can't be assigned to any individual host. Azure reserves five IPs to be utilized internally by Azure networking, which include two IPs that can't be assigned to host, mentioned above. This leaves you 11 available IP addresses for /28 CIDR range, whereas a single Azure Database for PostgreSQL flexible server instance with High Availability features utilizes four addresses.

+ For Replication and Microsoft Entra connections, please make sure Route Tables don't affect traffic.A common pattern is routed all outbound traffic via an Azure Firewall or a custom on-premises network filtering appliance.

+When using private network access with Azure virtual network, providing the private DNS zone information is **mandatory** in order to be able to do DNS resolution. For new Azure Database for PostgreSQL flexible server instance creation using private network access, private DNS zones need to be used while configuring Azure Database for PostgreSQL flexible server instances with private access.

+If you use an Azure API, an Azure Resource Manager template (ARM template), or Terraform, **create private DNS zones that end with `.postgres.database.azure.com`**. Use those zones while configuring Azure Database for PostgreSQL flexible server instances with private access. For example, use the form `[name1].[name2].postgres.database.azure.com` or `[name].postgres.database.azure.com`. If you choose to use the form `[name].postgres.database.azure.com`, the name **can't** be the name you use for one of your Azure Databases for PostgreSQL flexible server instances or an error message will be shown during provisioning. For more information, see the [private DNS zones overview](../../dns/private-dns-overview.md).

+To map a Server name to the DNS record, you can run *nslookup* command in [Azure Cloud Shell](../../cloud-shell/overview.md) using Azure PowerShell or Bash, substituting name of your server for <server_name> parameter in example below:

+### Communication with privately networked clients in different regions

+Frequently customers have a need to connect to clients different Azure regions. More specifically, this question typically boils down to how to connect two VNETs (one of which has Azure Database for PostgreSQL - Flexible Server and another application client) that are in different regions.

+There are multiple ways to achieve such connectivity, some of which are:

+* **[Global VNET peering](../../virtual-network/virtual-network-peering-overview.md)**. Most common methodology, as its is the easiest way to connect networks in different regions together. Global VNET peering creates a connection over the Azure backbone directly between the two peered VNETs. This provides best network throughput and lowest latencies for connectivity using this method. When VNETs are peered, Azure will also handle the routing automatically for you, these VNETs can communicate with all resources in the peered VNET, established on a VPN gateway.

+* **[VNET-to-VNET connection](../../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md)**. A VNET-to-VNET connection is essentially a VPN between the two different Azure locations. The VNET-to-VNET connection is established on a VPN gateway. This means your traffic incurs two additional traffic hops as compared to global VNET peering. There's also additional latency and lower bandwidth as compared to that method.

+* **[Communication via network appliance in Hub and Spoke architecture](#using-hub-and-spoke-private-networking-design)**.

+Instead of connecting spoke virtual networks directly to each other, you can use network appliances to forward traffic between spokes. Network appliances provide more network services like deep packet inspection and traffic segmentation or monitoring, but they can introduce latency and performance bottlenecks if they're not properly sized.

+By default **DNS name resolution** is **scoped to a virtual network**. This means that any client in one virtual network (VNET1) is unable to resolve the Azure Database for PostgreSQL flexible server FQDN in another virtual network (VNET2).

+Regardless of the networking option that you choose, we recommend that you always use an **FQDN** as host name when connecting to your Azure Database for PostgreSQL flexible server instance. The server's IP address isn't guaranteed to remain static. Using the FQDN helps you avoid making changes to your connection string.

+1. [Enable and configure](generative-ai-azure-overview.md#enable-the-azure_ai-extension) the `azure_ai` extension.

+`azure_cognitive.sentiment_analysis_result` a result record containing the sentiment predictions of the input text. It contains the sentiment, which can be `positive`, `negative`, `neutral`, and `mixed`; and the score for positive, neutral, and negative found in the text represented as a real number between 0 and 1. For example in `(neutral,0.26,0.64,0.09)`, the sentiment is `neutral` with `positive` score at `0.26`, neutral at `0.64` and negative at `0.09`.

+`azure_cognitive.language_detection_result`, a result containing the detected language name, its two-letter ISO 639-1 representation, and the confidence score for the detection. For example in `(Portuguese,pt,0.97)`, the language is `Portuguese`, and detection confidence is `0.97`.

+`azure_cognitive.pii_entity_recognition_result`, a result containing the redacted text, and entities as `azure_cognitive.entity[]`. Each entity contains the nonredacted text, personal data category, subcategory, and a score indicating the confidence that the entity correctly matches the identified substring. For example, if invoked with a `text` set to `'My phone number is +1555555555, and the address of my office is 16255 NE 36th Way, Redmond, WA 98052.'`, and `language` set to `'en'`, it could return `("My phone number is ***********, and the address of my office is ************************************.","{""(+1555555555,PhoneNumber,\\""\\"",0.8)"",""(\\""16255 NE 36th Way, Redmond, WA 98052\\"",Address,\\""\\"",1)""}")`.

+1. [Enable and configure](generative-ai-azure-overview.md#enable-the-azure_ai-extension) the `azure_ai` extension.

+In the Azure OpenAI resource, under **Resource Management** > **Keys and Endpoints** you can find the endpoint and the keys for your Azure OpenAI resource. To invoke the model deployment, enable the `azure_ai` extension using the endpoint and one of the keys.

+- `user@tenant.onmicrosoft.com` is the userPrincipalName of the Microsoft Entra user.

+ export PGUSER=$(az ad signed-in-user show --query "[userPrincipalName]" -o tsv | sed 's/ /\\ /g')

+| China East | 52.130.112.139 | 52.130.112.136/29, 52.130.13.96/27|

+Rotations are gradual and may take multiple weeks. Either the old or new host key may be presented by the Azure service during this time.

+zone_pivot_groups: azure-blob-storage-quickstart-options

+> [!NOTE]

+> The **Build from scratch** option walks you step by step through the process of creating a new project, installing packages, writing the code, and running a basic console app. This approach is recommended if you want to understand all the details involved in creating an app that connects to Azure Blob Storage. If you prefer to automate deployment tasks and start with a completed project, choose [Start with a template](storage-quickstart-blobs-java.md?pivots=blob-storage-quickstart-template).

+> [!NOTE]

+> The **Start with a template** option uses the Azure Developer CLI to automate deployment tasks and starts you off with a completed project. This approach is recommended if you want to explore the code as quickly as possible without going through the setup tasks. If you prefer step by step instructions to build the app, choose [Build from scratch](storage-quickstart-blobs-java.md?pivots=blob-storage-quickstart-scratch).

+Get started with the Azure Blob Storage client library for Java to manage blobs and containers.

+In this article, you follow steps to install the package and try out example code for basic tasks.

+In this article, you use the [Azure Developer CLI](/azure/developer/azure-developer-cli/overview) to deploy Azure resources and run a completed console app with just a few commands.

+- Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio)

+- [Java Development Kit (JDK)](/java/azure/jdk/) version 8 or above

+- [Apache Maven](https://maven.apache.org/download.cgi)

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- [Java Development Kit (JDK)](/java/azure/jdk/) version 8 or above

+- [Apache Maven](https://maven.apache.org/download.cgi)

+- [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd)

+With [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed, you can create a storage account and run the sample code with just a few commands. You can run the project in your local development environment, or in a [DevContainer](https://code.visualstudio.com/docs/devcontainers/containers).

+### Initialize the Azure Developer CLI template and deploy resources

+From an empty directory, follow these steps to initialize the `azd` template, provision Azure resources, and get started with the code:

+- Clone the quickstart repository assets from GitHub and initialize the template locally:

+ ```console

+ azd init --template blob-storage-quickstart-java

+ ```

+ You'll be prompted for the following information:

+ - **Environment name**: This value is used as a prefix for all Azure resources created by Azure Developer CLI. The name must be unique across all Azure subscriptions and must be between 3 and 24 characters long. The name can contain numbers and lowercase letters only.

+- Log in to Azure:

+ ```console

+ azd auth login

+ ```

+- Provision and deploy the resources to Azure:

+ ```console

+ azd up

+ ```

+ You'll be prompted for the following information:

+ - **Subscription**: The Azure subscription that your resources are deployed to.

+ - **Location**: The Azure region where your resources are deployed.

+ The deployment might take a few minutes to complete. The output from the `azd up` command includes the name of the newly created storage account, which you'll need later to run the code.

+## Run the sample code

+At this point, the resources are deployed to Azure and the code is almost ready to run. Follow these steps to update the name of the storage account in the code, and run the sample console app:

+- **Update the storage account name**:

+ 1. In the local directory, navigate to the *blob-quickstart/src/main/java/com/blobs/quickstart* directory.

+ 1. Open the file named **App.java** in your editor. Find the `<storage-account-name>` placeholder and replace it with the actual name of the storage account created by the `azd up` command.

+ 1. Save the changes.

+- **Run the project**:

+ 1. Navigate to the *blob-quickstart* directory containing the `pom.xml` file. Compile the project by using the following `mvn` command:

+ ```console

+ mvn compile

+ ```

+ 1. Package the compiled code in its distributable format:

+ ```console

+ mvn package

+ ```

+ 1. Run the following `mvn` command to execute the app:

+ ```console

+ mvn exec:java

+ ```

+- **Observe the output**: This app creates a test file in your local *data* folder and uploads it to a container in the storage account. The example then lists the blobs in the container and downloads the file with a new name so that you can compare the old and new files.

+To learn more about how the sample code works, see [Code examples](#code-examples).

+When you're finished testing the code, see the [Clean up resources](#clean-up-resources) section to delete the resources created by the `azd up` command.

+> [!NOTE]

+> The Azure Developer CLI template includes a file with sample code already in place. The following examples provide detail for each part of the sample code. The template implements the recommended passwordless authentication method, as described in the [Authenticate to Azure](#authenticate-to-azure-and-authorize-access-to-blob-data) section. The connection string method is shown as an alternative, but isn't used in the template and isn't recommended for production code.

+Create a new container in your storage account by calling the [createBlobContainer](/java/api/com.azure.storage.blob.blobserviceclient#method-details) method on the `blobServiceClient` object. In this example, the code appends a GUID value to the container name to ensure that it's unique.

+> [!IMPORTANT]

+> Container names must be lowercase. For more information about naming containers and blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata).

+Upload a blob to a container by calling the [uploadFromFile](/java/api/com.azure.storage.blob.blobclient.uploadfromfile) method. The example code creates a text file in the local *data* directory to upload to the container.

+Add this code to the end of the `Main` method:

+When you're done with the quickstart, you can clean up the resources you created by running the following command:

+```console

+azd down

+```

+You'll be prompted to confirm the deletion of the resources. Enter `y` to confirm.

+description: Learn about Active Directory Domain Services (AD DS) authentication to Azure file shares. This article goes over supported scenarios, availability, and explains how the permissions work between your AD DS and Microsoft Entra ID.

+Before you enable AD DS authentication for Azure file shares, make sure you've completed the following prerequisites:

+- Select or create an Azure storage account. For optimal performance, we recommend that you deploy the storage account in the same region as the client from which you plan to access the share. Then, [mount the Azure file share](storage-how-to-use-files-windows.md) with your storage account key. Mounting with the storage account key verifies connectivity.

+Follow these steps to set up Azure Files for AD DS authentication:

+The following diagram illustrates the end-to-end workflow for enabling AD DS authentication over SMB for Azure file shares.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+> - The GPU accelerated preview is limited to the [Azure Synapse 3.1 (unsupported)](../spark/apache-spark-3-runtime.md) and [Apache Spark 3.2 (EOLA)](../spark/apache-spark-32-runtime.md) runtimes.

+> - Azure Synapse Runtime for Apache Spark 3.1 has reached its end of life (EOL) as of January 26, 2023, with official support discontinued effective January 26, 2024, and no further addressing of support tickets, bug fixes, or security updates beyond this date.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+> - End of life announced (EOLA) for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023. End of life announced (EOLA) runtimes will not have bug and feature fixes. Security fixes will be backported based on risk assessment. This runtime will be retired and disabled as of July 8, 2024.

+Serverless SQL pools have limitations, and you can't create more than 100 databases per workspace. If you need to separate objects and isolate them, use schemas.

+# Use the administrative template for Azure Virtual Desktop

+There are two features in Azure Virtual Desktop that enable you to dynamically attach applications from an application package to a user session in Azure Virtual Desktop - *MSIX app attach* and *app attach (preview)*. *MSIX app attach* is generally available, but *app attach* is available in preview, which improves the administrative and user experiences. With both *MSIX app attach* and *app attach*, applications aren't installed locally on session hosts or images, making it easier to create custom images for your session hosts, and reducing operational overhead and costs for your organization. Applications run within containers, which separate user data, the operating system, and other applications, increasing security and making them easier to troubleshoot.

+- **Azure Stack HCI service fee.** Learn more at [Azure Stack HCI pricing](https://azure.microsoft.com/pricing/details/azure-stack/hci/).

+- **Azure Virtual Desktop on Azure Stack HCI service fee.** This fee requires you to pay for each active virtual CPU (vCPU) for your Azure Virtual Desktop session hosts running on Azure Stack HCI. Learn more at [Azure Virtual Desktop pricing](https://azure.microsoft.com/pricing/details/virtual-desktop/).

+ Title: Configure the clipboard transfer direction in Azure Virtual Desktop

+description: Learn how to configure the clipboard in Azure Virtual Desktop to function only in a single direction (unidirectional), from session host to client, or client to session host.

+# Configure the clipboard transfer direction and types of data that can be copied in Azure Virtual Desktop

+> [!IMPORTANT]

+> Configuring the clipboard transfer direction in Azure Virtual Desktop is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content, such as text, images, and files between the user's device and the remote session in either direction. You might want to limit the direction of the clipboard for users, to help prevent data exfiltration or malicious files being copied to a session host. You can configure whether users can use the clipboard from session host to client, or client to session host, and the types of data that can be copied, from the following options:

+- Disable clipboard transfers from session host to client, client to session host, or both.

+- Allow plain text only.

+- Allow plain text and images only.

+- Allow plain text, images, and Rich Text Format only.

+- Allow plain text, images, Rich Text Format, and HTML only.

+You apply settings to your session hosts. It doesn't depend on a specific Remote Desktop client or its version. This article shows you how to configure the direction the clipboard and the types of data that can be copied using Microsoft Intune, or you can configure the local Group Policy or registry of session hosts.

+## Prerequisites

+To configure the clipboard transfer direction, you need:

+- Session hosts running Windows 11 Insider Preview Build 25898 or later.

+- Depending on the method you use to configure the clipboard transfer direction:

+ - For Intune, you need permission to configure and apply settings. For more information, see [Administrative template for Azure Virtual Desktop](administrative-template.md).

+ - For configuring the local Group Policy or registry of session hosts, you need an account that is a member of the local Administrators group.

+## Configure clipboard transfer direction

+Here's how to configure the clipboard transfer direction and the types of data that can be copied. Select the relevant tab for your scenario.

+# [Intune](#tab/intune)

+To configure the clipboard using Intune, follow these steps. This process [deploys an OMA-URI to target a CSP](/troubleshoot/mem/intune/device-configuration/deploy-oma-uris-to-target-csp-via-intune).

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure) for Windows 10 and later devices, with the **Templates** profile type and the **Custom** profile template name.

+1. For the **Basics** tab, enter a name and optional description for the profile, and then select **Next**.

+1. For the **Configuration settings** tab, select **Add** to show the **Add row** pane.

+1. In the **Add row** pane, enter one of the following sets of settings, depending on whether you want to configure the clipboard from session host to client, or client to session host.

+ - To configure the clipboard from **session host to client**:

+ - **Name**: (*example*) Session host to client

+ - **Description**: *Optional*

+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection`

+ - **Data type**: `String`

+ - **Value**: Enter a value from the following table:

+

+ | Value | Description |

+ |--|--|

+ | `<![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="0"/>]]>` | Disable clipboard transfers from session host to client. |

+ | `<![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="1"/>]]>` | Allow plain text. |

+ | `<![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="2"/>]]>` | Allow plain text and images. |

+ | `<![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="3"/>]]>` | Allow plain text, images, and Rich Text Format. |

+ | `<![CDATA[<enabled/><data id="TS_SC_CLIPBOARD_RESTRICTION_Text" value="4"/>]]>` | Allow plain text, images, Rich Text Format, and HTML. |

+ - To configure the clipboard from **client to session host**:

+ - **Name**: (*example*) Client to session host

+ - **Description**: *Optional*

+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection`

+ - **Data type**: `String`

+ - **Value**: Enter a value from the following table:

+ | Value | Description |

+ |--|--|

+ | `<![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="0"/>]]>` | Disable clipboard transfers from session host to client. |

+ | `<![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="1"/>]]>` | Allow plain text. |

+ | `<![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="2"/>]]>` | Allow plain text and images. |

+ | `<![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="3"/>]]>` | Allow plain text, images, and Rich Text Format. |

+ | `<![CDATA[<enabled/><data id="TS_CS_CLIPBOARD_RESTRICTION" value="4"/>]]>` | Allow plain text, images, Rich Text Format, and HTML. |

+1. Select **Save** to add the row. Repeat the previous two steps to configure the clipboard in the other direction, if necessary, then once you configure the settings you want, select **Next**.

+1. For the **Assignments** tab, select the users, devices, or groups to receive the profile, then select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).

+1. For the **Applicability Rules** tab, select **Next**.

+1. On the **Review + create** tab, review the configuration information, then select **Create**.

+1. Once the policy configuration is created, resync your session hosts and reboot them for the settings to take effect.

+1. Connect to a remote session with a supported client and test the clipboard settings you configured are working by trying to copy and paste content.

+# [Group Policy](#tab/group-policy)

+To configure the clipboard using Group Policy, follow these steps.

+> [!IMPORTANT]

+> These policy settings appear in both **Computer Configuration** and **User Configuration**. If both policy settings are configured, the stricter restriction is used.

+1. Open **Local Group Policy Editor** from the Start menu or by running `gpedit.msc`.

+1. Browse to one of the following policy sections. Use the policy section in **Computer Configuration** to the session host you target, and use the policy section in **User Configuration** applies to specific users you target.

+ - Machine: `Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection`

+ - User: `User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection`

+1. Open one of the following policy settings, depending on whether you want to configure the clipboard from session host (server) to client, or client to session host:

+ - To configure the clipboard from **session host to client**, open the policy setting **Restrict clipboard transfer from server to client**, then select **Enabled**. Choose from the following options:

+ - **Disable clipboard transfers from server to client**.

+ - **Allow plain text.**

+ - **Allow plain text and images.**

+ - **Allow plain text, images, and Rich Text Format.**

+ - **Allow plain text, images, Rich Text Format, and HTML.**

+

+ - To configure the clipboard from **client to session host**, open the policy setting **Restrict clipboard transfer from client to server**, then select **Enabled** . Choose from the following options:

+ - **Disable clipboard transfers from client to server**.

+ - **Allow plain text.**

+ - **Allow plain text and images.**

+ - **Allow plain text, images, and Rich Text Format.**

+ - **Allow plain text, images, Rich Text Format, and HTML.**

+1. Select **OK** to save your changes.

+1. Once you configured settings, restart your session hosts for the settings to take effect.

+1. Connect to a remote session with a supported client and test the clipboard settings you configured are working by trying to copy and paste content.

+> [!TIP]

+> During the preview, you can also configure Group Policy centrally in an Active Directory domain by copying the `terminalserver.admx` and `terminalserver.adml` administrative template files from a session host to the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) in a test environment.

+# [Registry](#tab/registry)

+To configure the clipboard using the registry on a session host, follow these steps.

+1. Open **Registry Editor** from the Start menu or by running `regedit.exe`.

+1. Set one of the following registry keys and its value, depending on whether you want to configure the clipboard from session host to client, or client to session host.

+ - To configure the clipboard from **session host to client**, set one of the following registry keys and its value. Using the value for the machine applies to all users, and using the value for the user applies to the current user only.

+ - **Key**:

+ - Machine: `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services`

+ - Users: `HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services`

+ - **Type**: `REG_DWORD`

+ - **Value name**: `SCClipLevel`

+ - **Value data**: Enter a value from the following table:

+ | Value Data | Description |

+ |--|--|

+ | `0` | Disable clipboard transfers from session host to client. |

+ | `1` | Allow plain text. |

+ | `2` | Allow plain text and images. |

+ | `3` | Allow plain text, images, and Rich Text Format. |

+ | `4` | Allow plain text, images, Rich Text Format, and HTML. |

+ - To configure the clipboard from **client to session host**, set one of the following registry keys and its value. Using the value for the machine applies to all users, and using the value for the user applies to the current user only.

+ - **Key**:

+ - Machine: `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services`

+ - Users: `HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services`

+ - **Type**: `REG_DWORD`

+ - **Value name**: `CSClipLevel`

+ - **Value data**: Enter a value from the following table:

+

+ | Value Data | Description |

+ |--|--|

+ | `0` | Disable clipboard transfers from client to session host. |

+ | `1` | Allow plain text. |

+ | `2` | Allow plain text and images. |

+ | `3` | Allow plain text, images, and Rich Text Format. |

+ | `4` | Allow plain text, images, Rich Text Format, and HTML. |

+1. Restart your session host.

+1. Connect to a remote session with a supported client and test the clipboard settings you configured are working by trying to copy and paste content.

+## Related content

+- Configure [Watermarking](watermarking.md).

+- Configure [Screen Capture Protection](screen-capture-protection.md).

+- Learn about how to secure your Azure Virtual Desktop deployment at [Security best practices](security-guide.md).

+1. From the list of storage accounts, select the account that you enabled Active Directory Domain Services or Microsoft Entra Domain Services as the identity source and assigned the RBAC role for in the previous sections.

+ - Replace both instances of `<storage-account-name>` with the name of the storage account you specified earlier.

+ Title: Migrate MSIX packages from MSIX app attach to app attach - Azure Virtual Desktop

+description: Learn how to migrate MSIX packages from MSIX app attach to app attach in Azure Virtual Desktop using a PowerShell script.

+# Migrate MSIX packages from MSIX app attach to app attach

+> [!IMPORTANT]

+> App attach is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+App attach (preview) improves the administrative and user experiences over MSIX app attach. If you use MSIX app attach, you can migrate your MSIX packages to app attach using a PowerShell script.

+The migration script can perform the following actions:

+- Creates a new app attach package object and can delete the original MSIX package object, if necessary.

+- Copy permissions from application groups associated with the host pool and MSIX package.

+- Copy the location and resource group of the host pool and MSIX package.

+- Log migration activity.

+## Prerequisites

+To use the migration script, you need:

+- A host pool configured as a validation environment, with at least one MSIX package added with MSIX app attach.

+- An Azure account with the [Desktop Virtualization Contributor](rbac.md#desktop-virtualization-contributor) Azure role-based access control (RBAC) role assigned on the host pool.

+- A local device with PowerShell. Make sure you have the latest versions of [Az PowerShell](/powershell/azure/install-azps-windows) and [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) installed. Specifically, the following modules are required:

+ - Az.DesktopVirtualization

+ - Az.Accounts

+ - Az.Resources

+ - Microsoft.Graph.Authentication

+## Parameters

+Here are the parameters you can use with the migration script:

+| Parameter | Description |

+|--|--|

+| `MsixPackage` | The MSIX package object to migrate to an app attach object. This value can be passed in via pipeline. |

+| `PermissionSource` | Where to get permissions from for the new app attach object. Defaults to no permissions granted. The options are:<ul><li>`DAG`: the desktop application group associated with the host pool and MSIX package</li><li>`RAG`: one or more RemoteApp application groups associated with the host pool and MSIX package</li></ul>Both options grant permission to all users and groups with any permission that is scoped specifically to the application group. |

+| `HostPoolsForNewPackage` | Resource IDs of host pools to associate new app attach object with. Defaults to no host pools. Host pools must be in the same location as the app attach packages they're associated with. |

+| `TargetResourceGroupName` | Resource group to store the new app attach object. Defaults to resource group of host pool that the MSIX package is associated with. |

+| `Location` | Azure region to create new app attach object in. Defaults to location of host pool that the MSIX package is associated with. App attach packages have to be in the same location as the host pool they're associated with. |

+| `DeleteOrigin` | Delete source MSIX package after migration. |

+| `IsActive` | Enables the new app attach object. |

+| `DeactivateOrigin` | Disables source MSIX package object after migration. |

+| `PassThru` | Passes new app attach object through. `Passthru` returns the object for the created package. Use this value if you want to inspect it or pass it to another PowerShell command. |

+| `LogInJSON` | Write to the log file in JSON Format. |

+| `LogFilePath` | Path of the log file, defaults to `MsixMigration[Timestamp].log` in a temp folder, such as `C:\Users\%USERNAME%\AppData\Local\Temp\MsixMigration<DATETIME>.log`. The path for logging is written to the console when the script is run. |

+## Download and run the migration script

+Here's how to migrate MSIX packages from MSIX app attach to app attach.

+> [!IMPORTANT]

+> In the following examples, you'll need to change the `<placeholder>` values for your own.

+1. Open a PowerShell prompt on your local device.

+1. Download the PowerShell script `Migrate-MsixPackagesToAppAttach.ps1` and unblock it by running the following commands:

+ ```powershell

+ $url = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/msix-app-attach/MigrationScript/Migrate-MsixPackagesToAppAttach.ps1"

+ $filename = $url.Split('/')[-1]

+ Invoke-WebRequest -Uri $url -OutFile $filename | Unblock-File

+ ```

+1. Import the required modules by running the following commands:

+ ```powershell

+ Import-Module Az.DesktopVirtualization

+ Import-Module Az.Accounts

+ Import-Module Az.Resources

+ Import-Module Microsoft.Graph.Authentication

+ ```

+1. Connect to Azure by running the following command and following the prompts to sign in to your Azure account:

+ ```powershell

+ Connect-AzAccount

+ ```

+1. Connect to Microsoft Graph by running the following command:

+ ```powershell

+ Connect-MgGraph -Scopes "Group.Read.All"

+ ```

+The following subsections contain some examples of how to use the migration script. Refer to the [parameters](#parameters) section for all the available parameters and a description of each parameter.

+> [!TIP]

+> If you don't pass any parameters to the migration script, it has the following default behavior:

+> - No permissions are granted to the new app attach package.

+> - The new app attach package isn't associated with any host pools and is inactive.

+> - The new app attach package is created in the same resource group and location as the host pool.

+> - The original MSIX package is still active isn't disable or deleted.

+> - Log information is written to the default file path.

+### Migrate a specific MSIX package added to a host pool and application group

+Here's an example to migrate a specific MSIX package added to a host pool from MSIX app attach to app attach. This example:

+ - Migrates the MSIX package to the same resource group and location as the host pool.

+ - Assigns the MSIX package in app attach to the same host pool and the same users as the RemoteApp application group source.

+ - Leaves the existing MSIX package configuration in MSIX app attach **active** on the host pool. If you want to disable the MSIX package immediately, use the `-DeactivateOrigin` parameter.

+ - Sets the new MSIX package configuration in app attach **inactive**. If you want to enable the MSIX package immediately, use the `-IsActive` parameter.

+ - Writes log information to the default file path and format.

+1. From the same PowerShell prompt, get a list of MSIX packages added to a host pool by running the following commands:

+ ```powershell

+ $parameters = @{

+ HostPoolName = '<HostPoolName>'

+ ResourceGroupName = '<ResourceGroupName>'

+ }

+

+ Get-AzWvdMsixPackage @parameters | Select-Object DisplayName, Name

+ ```

+ The output is similar to the following output:

+ ```output

+ DisplayName Name

+ -- -

+ MyApp hp01/MyApp_1.0.0.0_neutral__abcdef123ghij

+ ```

+1. Find the MSIX package you want to migrate and use the value from the `Name` parameter in the previous output:

+ ```powershell

+ $parameters = @{

+ HostPoolName = '<HostPoolName>'

+ ResourceGroupName = '<ResourceGroupName>'

+ }

+

+ $msixPackage = Get-AzWvdMsixPackage @parameters | ? Name -Match '<MSIXPackageName>'

+ $hostPoolId = (Get-AzWvdHostPool @parameters).Id

+ ```

+1. Migrate the MSIX package by running the following commands:

+ ```powershell

+ $parameters = @{

+ PermissionSource = 'RAG'

+ HostPoolsForNewPackage = $hostPoolId

+ PassThru = $true

+ }

+ $msixPackage | .\Migrate-MsixPackagesToAppAttach.ps1 @parameters

+ ```

+### Migrate all MSIX packages added to a host pool

+Here's an example to migrate all MSIX packages added to a host pool from MSIX app attach to app attach. This example:

+ - Migrates MSIX packages to the same resource group and location.

+ - Adds the new app attach packages to the same host pool.

+ - Sets all app attach packages to active.

+ - Sets all MSIX packages to inactive.

+ - Copies permissions from the associated desktop application group.

+ - Writes log information to a custom file path at `C:\MsixToAppAttach.log` in JSON format.

+1. From the same PowerShell prompt, get all MSIX packages added to a host pool and store them in a variable by running the following commands:

+ ```powershell

+ $parameters = @{

+ HostPoolName = '<HostPoolName>'

+ ResourceGroupName = '<ResourceGroupName>'

+ }

+

+ $msixPackages = Get-AzWvdMsixPackage @parameters

+ $hostPoolId = (Get-AzWvdHostPool @parameters).Id

+ ```

+1. Migrate the MSIX package by running the following commands:

+ ```powershell

+ $logFilePath = "C:\Temp\MsixToAppAttach.log"

+

+ $parameters = @{

+ IsActive = $true

+ DeactivateOrigin = $true

+ PermissionSource = 'DAG'

+ HostPoolsForNewPackage = $hostPoolId

+ PassThru = $true

+ LogInJSON = $true

+ LogFilePath = $LogFilePath

+ }

+ $msixPackages | .\Migrate-MsixPackagesToAppAttach.ps1 @parameters

+ ```

+To use the MSIXMGR tool, you need:

+| `*eh.servicebus.windows.net` | TCP | 443 | Diagnostic settings |

+| `*eh.servicebus.windows.net` | TCP | 443 | Diagnostic settings |

+### Set up FSLogix profile container

+### Configure antivirus exclusions for FSLogix

+If Windows Defender is configured in the VM, make sure it's configured to not scan the entire contents of VHD and VHDX files during attachment. You can find a list of exclusions for FSLogix at [Configure Antivirus file and folder exclusions](/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions).

+If you're using Windows Defender, you can learn more about how to configure Windows Defender to exclude certain files from scanning at [Configure and validate exclusions based on file extension and folder location](/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus/).

+For Azure Virtual Desktop session hosts that use Windows 10 Enterprise or Windows 10 Enterprise multi-session, we recommend disabling Storage Sense. Disks where the operating system is installed are typically small in size and user data is stored remotely through profile roaming. This scenario results in Storage Sense believing that the disk is critically low on free space. You can disable Storage Sense in the image using the registry, or use Group Policy or Intune to disable Storage Sense after the session hosts are deployed.

+- For the registry, you can run the following command from an elevated PowerShell prompt to disable Storage Sense:

+ ```powershell

+ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" -Name 01 -PropertyType DWORD -Value 0 -Force

+ ```

+- For Group Policy, configure a Group Policy Object with the setting **Computer Configuration** > **Administrative Templates** > **System** > **Storage Sense** > **Allow Storage Sense** set to **Disabled**.

+- For Intune, configure a configuration profile using the settings catalog with the setting **Storage** > **Allow Storage Sense Global** set to **Block**.

+description: Learn about new and updated articles to the Azure Virtual Desktop documentation.

+We update documentation for Azure Virtual Desktop regularly. In this article, we highlight articles for new features and where there are important updates to existing articles.

+## February 2024

+In February 2024, we published the following changes:

+- Added guidance for MSIX and Appx package certificates when using MSIX app attach or app attach. For more information, see [MSIX app attach and app attach in Azure Virtual Desktop](app-attach-overview.md#msix-and-appx-package-certificates).

+- Consolidated articles for the three Remote Desktop clients available for Windows into a single article, [Connect to Azure Virtual Desktop with the Remote Desktop client for Windows](users/connect-windows.md).

+- Added Azure CLI guidance to [Configure personal desktop assignment](configure-host-pool-personal-desktop-assignment-type.md).

+- Updated [Drain session hosts for maintenance in Azure Virtual Desktop](drain-mode.md), including prerequisites and separating the Azure portal and Azure PowerShell steps into tabs.

+- Updated [Customize the feed for Azure Virtual Desktop users](customize-feed-for-virtual-desktop-users.md), including prerequisite, Azure PowerShell steps, and separating the Azure portal and Azure PowerShell steps into tabs.

+### New Azure Virtual Desktop web client is now available

+We've updated the Azure Virtual Desktop web client to the new web client. All users automatically migrate to this new version of the web client to access their resources.

+For more information about the new features available in the new web client, see [Use features of the Remote Desktop Web client](./users/client-features-web.md).

+ Title: Dalsv6 and Daldsv6-series

+description: Specifications for Dalsv6 and Daldsv6-series VMS

+# Dalsv6 and Daldsv6-series (Preview)

+**Applies to:** ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets 

+> [!IMPORTANT]

+> Azure Virtual Machine Series Dalsv6 and Daldsv6 are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. 

+The Dalsv6-series and Daldsv6-series utilize AMD's 4th Generation EPYC^TM 9004 processor in a multi-threaded configuration with up to 320 MB L3 cache. The Dalsv6 and Daldsv6 VM series provides 2GiBs of RAM per vCPU and are optimized for workloads that require less RAM per vCPU than standard VM sizes. The Dalsv6-series can reduce costs when running non-memory intensive applications, including web servers, gaming, video encoding, AI/ML, and batch processing. 

+> [!NOTE]

+> The new Dalsv6 and Daldsv6 VM series will only work on OS images that are tagged with NVMe support.  If your current OS image is not supported for NVMe, you’ll see an error message. NVMe support is available in 50+ of the most popular OS images, and we continuously improve the OS image coverage. Please refer to our up-to-date lists for information on which OS images are tagged as NVMe supported.  For more information on NVMe enablement, see our [FAQ](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-faqs).

+>

+> The new Dalsv6 and Daldsv6 VM series virtual machines public preview now available. For more information and to sign up for the preview, please visit our [announcement](https://techcommunity.microsoft.com/t5/azure-compute-blog/public-preview-new-amd-based-vms-with-increased-performance/ba-p/3981351) and follow the link to the [sign-up form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9RmLSiOpIpImo4Q01A_jJlUM1ZSRVlYU04wMUJQVjNQRFZHQzdEVFc1VyQlQCN0PWcu). This is an opportunity to experience our latest innovation.

+## Dalsv6-series

+Dalsv6-series VMs utilize AMD's 4th Generation EPYC^TM 9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPU and 192 GiB of RAM. These VM sizes can reduce cost when running non-memory intensive applications. The new VMs with no local disk provide a better value proposition for workloads that do not require local temporary storage. 

+> [!NOTE]

+> For frequently asked questions, seeΓÇ»[Azure VM sizes with no local temp disk](https://learn.microsoft.com/azure/virtual-machines/azure-vms-no-temp-disk).

+Dalsv6-series virtual machines do not have any temporary storage thus lowering the price of entry. You can attach Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/). 

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported 

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) GiB | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) |

+|--||-||-|--||--||-||

+| Standard_D2als_v6 | 2 | 4 | Remote Storage Only | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 |

+| Standard_D4als_v6 | 4 | 8 | Remote Storage Only | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 |

+| Standard_D8als_v6 | 8 | 16 | Remote Storage Only | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 |

+| Standard_D16als_v6 | 16 | 32 | Remote Storage Only | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 |

+| Standard_D32als_v6 | 32 | 64 | Remote Storage Only | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 |

+| Standard_D48als_v6 | 48 | 96 | Remote Storage Only | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 |

+| Standard_D64als_v6 | 64 | 128 | Remote Storage Only | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 |

+| Standard_D96als_v6 | 96 | 192 | Remote Storage Only | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 |

+¹ΓÇ»Dalsv6-series VMs canΓÇ»[burst](/azure/virtual-machines/disk-bursting)ΓÇ»their disk performance and get up to their bursting max for up to 30 minutes at a time.┬á

+## Daldsv6-series

+Daldsv6-series VMs utilize AMD's 4th Generation EPYC^TM  9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPUs, 192 GiB of RAM, and up to 5,280 GiB of fast local NVMe temporary storage. These VM sizes can reduce cost when running non-memory intensive applications. 

+Daldsv6-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/). 

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported for Preview 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported 

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) | Max network bandwidth (Mbps) | Max temp storage read throughput: IOPS / MBps |

+|||-||-|--||--||-|||--|

+| Standard_D2alds_v6 | 2 | 4 | 1x110 GiB | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 | 12500 | 37500/180 |

+| Standard_D4alds_v6 | 4 | 8 | 1x220 GiB | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 | 12500 | 75000/360 |

+| Standard_D8alds_v6 | 8 | 16 | 1x440 GiB | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 | 12500 | 150000/720 |

+| Standard_D16alds_v6 | 16 | 32 | 2x440 GiB | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 | 12500 | 300000/1440 |

+| Standard_D32alds_v6 | 32 | 64 | 4x440 GiB | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 | 16000 | 600000/2880 |

+| Standard_D48alds_v6 | 48 | 96 | 6x440 GiB | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 | 24000 | 900000/4320 |

+| Standard_D64alds_v6 | 64 | 128 | 4x880 GiB | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 | 32000 | 1200000/5760 |

+| Standard_D96alds_v6 | 96 | 192 | 6x880 GiB | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 | 40000 | 1800000/8640 |

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+For more information on disk types, see [What disk types are available in Azure?](disks-types.md)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+ Title: 'Dasv6 and Dadsv6-series - Azure Virtual Machines'

+description: Specifications for the Dasv6 and Dadsv6-series VMs.

+# Dasv6 and Dadsv6-series (Preview)

+**Applies to:** ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets 

+> [!Important]

+> Azure Virtual Machine Series Dasv6 and Dadsv6 are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. 

+The Dasv6-series and Dadsv6-series utilize AMD's 4th Generation EPYC^TM 9004 processor in a multi-threaded configuration with up to 320 MB L3 cache, increasing customer options for running their general-purpose workloads. The Dasv6-series VMs work well for many general computing workloads, such as e-commerce systems, web front ends, desktop virtualization solutions, customer relationship management applications, entry-level and mid-range databases, application servers, and more. 

+> [!NOTE]

+> The new Dasv6 and Dadsv6 VM series will only work on OS images that are tagged with NVMe support.  If your current OS image is not supported for NVMe, you’ll see an error message. NVMe support is available in 50+ of the most popular OS images, and we continuously improve the OS image coverage. Please refer to our up-to-date [lists](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-interface) for information on which OS images are tagged as NVMe supported.  For more information on NVMe enablement, see our [FAQ](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-faqs).

+>

+> The new Dasv6 and Dadsv6 VM series virtual machines public preview now available. For more information and to sign up for the preview, please visit our [announcement](https://techcommunity.microsoft.com/t5/azure-compute-blog/public-preview-new-amd-based-vms-with-increased-performance/ba-p/3981351) and follow the link to the [sign-up form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9RmLSiOpIpImo4Q01A_jJlUM1ZSRVlYU04wMUJQVjNQRFZHQzdEVFc1VyQlQCN0PWcu). This is an opportunity to experience our latest innovation.

+## Dasv6-series 

+Dasv6-series VMs utilize AMD's 4th Generation EPYC^TM 9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPU and 384 GiB of RAM. The Dasv6-series sizes offer a combination of vCPU and memory for most production workloads. The new VMs with no local disk provide a better value proposition for workloads that do not require local temporary storage. 

+> [!NOTE]

+> For frequently asked questions, seeΓÇ»[Azure VM sizes with no local temp disk](https://learn.microsoft.com/azure/virtual-machines/azure-vms-no-temp-disk).

+ 

+Dasv6-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines.ΓÇ»[See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported 

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) GiB | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) |

+|-||-||-|--||--||-||

+| Standard_D2as_v6 | 2 | 8 | Remote Storage Only | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 |

+| Standard_D4as_v6 | 4 | 16 | Remote Storage Only | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 |

+| Standard_D8as_v6 | 8 | 32 | Remote Storage Only | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 |

+| Standard_D16as_v6 | 16 | 64 | Remote Storage Only | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 |

+| Standard_D32as_v6 | 32 | 128 | Remote Storage Only | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 |

+| Standard_D48as_v6 | 48 | 192 | Remote Storage Only | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 |

+| Standard_D64as_v6 | 64 | 256 | Remote Storage Only | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 |

+| Standard_D96as_v6 | 96 | 384 | Remote Storage Only | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 |

+¹ Dasv6-series VMs canΓÇ»[burst](disk-bursting.md)ΓÇ»their disk performance and get up to their bursting max for up to 30 minutes at a time.

+## Dadsv6-series

+Dadsv6-series VMs utilize AMD's 4th Generation EPYC^TM 9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPU and 384 GiB of RAM. The Dadsv6-series sizes offer a combination of vCPU, memory and fast local NVMe temporary storage for most production workloads.

+Daldsv6-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines.ΓÇ»[See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported for Preview 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported 

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) | Max network bandwidth (Mbps) | Max temp storage read throughput: IOPS / MBps |

+|--||-||-|--||--||-|||--|

+| Standard_D2ads_v6 | 2 | 8 | 1x110 GiB | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 | 12500 | 37500/180 |

+| Standard_D4ads_v6 | 4 | 16 | 1x220 GiB | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 | 12500 | 75000/360 |

+| Standard_D8ads_v6 | 8 | 32 | 1x440 GiB | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 | 12500 | 150000/720 |

+| Standard_D16ads_v6 | 16 | 64 | 2x440 GiB | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 | 12500 | 300000/1440 |

+| Standard_D32ads_v6 | 32 | 128 | 4x440 GiB | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 | 16000 | 600000/2880 |

+| Standard_D48ads_v6 | 48 | 192 | 6x440 GiB | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 | 24000 | 900000/4320 |

+| Standard_D64ads_v6 | 64 | 256 | 4x880 GiB | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 | 32000 | 1200000/5760 |

+| Standard_D96ads_v6 | 96 | 384 | 6x880 GiB | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 | 40000 | 1800000/8640 |

+¹ Dadsv6-series VMs canΓÇ»[burst](disk-bursting.md)ΓÇ»their disk performance and get up to their bursting max for up to 30 minutes at a time.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+For more information on disk types, see [What disk types are available in Azure?](disks-types.md)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+ Title: 'Easv6 and Eadsv6-series - Azure Virtual Machines'

+description: Specifications for the Easv6 and Eadsv6-series VMs.

+# Easv6 and Eadsv6-series

+**Applies to:** ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets 

+> [!IMPORTANT]

+> Azure Virtual Machine Series Easv6 and Eadsv6 are currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. 

+The Easv6-series and Eadsv6-series utilize AMD's 4th Generation EPYC^TM 9004 processor in a multi-threaded configuration with up to 320 MB L3 cache, increasing customer options for running most memory optimized workloads. The Easv6-series VMs are ideal for memory-intensive enterprise applications, data warehousing, business intelligence, in-memory analytics, and financial transactions. 

+> [!NOTE]

+> The new Easv6 and Eadsv6 VM series will only work on OS images that are tagged with NVMe support.  If your current OS image is not supported for NVMe, you’ll see an error message. NVMe support is available in 50+ of the most popular OS images, and we continuously improve the OS image coverage. Please refer to our up-to-date [lists](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-interface) for information on which OS images are tagged as NVMe supported.  For more information on NVMe enablement, see our [FAQ](https://learn.microsoft.com/azure/virtual-machines/enable-nvme-faqs).

+>

+> The new Easv6 and Eadsv6 VM series virtual machines public preview now available. For more information and to sign up for the preview, please visit our [announcement](https://techcommunity.microsoft.com/t5/azure-compute-blog/public-preview-new-amd-based-vms-with-increased-performance/ba-p/3981351) and follow the link to the [sign-up form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR9RmLSiOpIpImo4Q01A_jJlUM1ZSRVlYU04wMUJQVjNQRFZHQzdEVFc1VyQlQCN0PWcu). This is an opportunity to experience our latest innovation.

+## Easv6-series 

+Easv6-series VMs utilize AMD's 4th Generation EPYC^TM 9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPU and 672 GiB of RAM. The Easv6-series sizes offer a combination of vCPU and memory that is ideal for memory-intensive enterprise applications. The new VMs with no local disk provide a better value proposition for workloads that do not require local temporary storage. 

+> [!Note]

+> For frequently asked questions, seeΓÇ»[Azure VM sizes with no local temp disk](/azure/virtual-machines/azure-vms-no-temp-disk).

+Easv6-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/). 

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) GiB | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) |

+|-||-|-|-|--||--||-||

+| Standard_E2as_v6 | 2 | 16 | Remote Storage Only | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 |

+| Standard_E4as_v6 | 4 | 32 | Remote Storage Only | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 |

+| Standard_E8as_v6 | 8 | 64 | Remote Storage Only | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 |

+| Standard_E16as_v6 | 16 | 128 | Remote Storage Only | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 |

+| Standard_E20as_v6 | 20 | 160 | Remote Storage Only | 32 | 38000/900 | 64000/1600 | 38000/900 | 64000/1600 | 8 | 16000 |

+| Standard_E32as_v6 | 32 | 256 | Remote Storage Only | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 |

+| Standard_E48as_v6 | 48 | 384 | Remote Storage Only | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 |

+| Standard_E64as_v6 | 64 | 512 | Remote Storage Only | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 |

+| Standard_E96as_v6 | 96 | 672 | Remote Storage Only | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 |

+¹ Easv6-series VMs can [burst](disk-bursting.md) their disk performance and get up to their bursting max for up to 30 minutes at a time.

+## Eadsv6-series 

+Eadsv6-series VMs utilize AMD's 4th Generation EPYC^TM 9004 processors that can achieve a boosted maximum frequency of 3.7GHz. These virtual machines offer up to 96 vCPU and 672 GiB of RAM. The Eadsv6-series sizes offer a combination of vCPU, memory and fast local NVMe temporary storage that is ideal for memory-intensive enterprise applications. 

+Eadsv6-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/). 

+[Premium Storage](/azure/virtual-machines/premium-storage-performance): Supported 

+[Premium Storage caching](/azure/virtual-machines/premium-storage-performance): Supported 

+[Live Migration](/azure/virtual-machines/maintenance-and-updates): Not Supported for Preview 

+[Memory Preserving Updates](/azure/virtual-machines/maintenance-and-updates): Supported 

+[VM Generation Support](/azure/virtual-machines/generation-2): Generation 2 

+[Accelerated Networking](/azure/virtual-network/create-vm-accelerated-networking-cli): Supported 

+[Ephemeral OS Disks](/azure/virtual-machines/ephemeral-os-disks): Not Supported for Preview 

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported 

+| Size | vCPU | Memory: GiB | Local NVMe Temporary storage (SSD) | Max data disks | Max uncached Premium SSD disk throughput: IOPS/MBps | Max burst uncached Premium SSD disk throughput: IOPS/MBps¹ | Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps | Max burst uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps¹ | Max NICs | Max network bandwidth (Mbps) | Max temp storage read throughput: IOPS / MBps |

+|--||-||-|--||--||-||--|

+| Standard_E2ads_v6 | 2 | 16 | 1x110 GiB | 4 | 4000/90 | 20000/1250 | 4000/90 | 20000/1250 | 2 | 12500 | 37500/180 |

+| Standard_E4ads_v6 | 4 | 32 | 1x220 GiB | 8 | 7600/180 | 20000/1250 | 7600/180 | 20000/1250 | 2 | 12500 | 75000/360 |

+| Standard_E8ads_v6 | 8 | 64 | 1x440 GiB | 16 | 15200/360 | 20000/1250 | 15200/360 | 20000/1250 | 4 | 12500 | 150000/720 |

+| Standard_E16ads_v6 | 16 | 128 | 2x440 GiB | 32 | 30400/720 | 40000/1250 | 30400/720 | 40000/1250 | 8 | 16000 | 300000/1440 |

+| Standard_E20ads_v6 | 20 | 160 | 2x550 GiB | 32 | 38000/900 | 64000/1600 | 38000/900 | 64000/1600 | 8 | 16000 | 375000/1800 |

+| Standard_E32ads_v6 | 32 | 256 | 4x440 GiB | 32 | 57600/1440 | 80000/1700 | 57600/1440 | 80000/1700 | 8 | 20000 | 600000/2880 |

+| Standard_E48ads_v6 | 48 | 384 | 6x440 GiB | 32 | 86400/2160 | 90000/2550 | 86400/2160 | 90000/2550 | 8 | 28000 | 900000/4320 |

+| Standard_E64ads_v6 | 64 | 512 | 4x880 GiB | 32 | 115200/2880 | 120000/3400 | 115200/2880 | 120000/3400 | 8 | 36000 | 1200000/5760 |

+| Standard_E96ads_v6 | 96 | 672 | 6x880 GiB | 32 | 175000/4320 | 175000/5090 | 175000/4320 | 175000/5090 | 8 | 40000 | 1800000/8640 |

+¹ Eadsv6-series VMs can [burst](disk-bursting.md) their disk performance and get up to their bursting max for up to 30 minutes at a time.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+For more information on disk types, see [What disk types are available in Azure?](disks-types.md)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+We plan to include impact details (user vs platform initiated, planned vs unplanned) as dimensions to the metric, so users are well equipped to interpret dips, and set up much more targeted metric alerts. With the emission of dimensions in 2023, we also anticipate transitioning the offering to a general availability status.

+For a general overview of how to monitor Azure Virtual Machines, see [Monitor Azure virtual machines](monitor-vm.md) and the [Monitoring Azure virtual machines reference](monitor-vm-reference.md).

+* RHEL 9.3, 9.2, 9.1, 9.0, 8.9, 8.8, 8.7, 8.6, 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.0

+* Oracle Linux 9.3, 9.2, 9.1, 9.0, 8.9, 8.8, 8.7, 8.6, 8.5, 8.4, 8.3, 8.2, 8.1, 7.9, 7.9, 7.8, 7.7

+Route-maps is a feature that gives you the ability to control route advertisements and routing for Virtual WAN virtual hubs. Route-maps lets you have more control of the routing that enters and leaves Azure Virtual WAN site-to-site (S2S) VPN connections, User VPN point-to-site (P2S) connections, ExpressRoute (ER) connections, and virtual network (VNet) connections. Route-maps can be configured using the Azure portal. For configuration steps, see [How to configure Route-maps](route-maps-how-to.md).

+> [!IMPORTANT]

+> [!INCLUDE [Preview text](../../includes/virtual-wan-route-maps-preview.md)]

+>

+## Why use Route-maps?

+Some of the key benefits of using Route-maps are:

+* Route-maps can be used to summarize routes when you have on-premises networks connected to Virtual WAN via ExpressRoute or VPN and are limited by the number of routes that can be advertised from/to virtual hub.

+* You can use Route-maps to control routes entering and leaving your Virtual WAN deployment among on-premises and virtual-networks.

+* You can control routing decisions in your Virtual WAN deployment by modifying a BGP attribute such as *AS-PATH* to make a route more, or less preferable. This is helpful when there are destination prefixes reachable via multiple paths and customers want to use AS-PATH to control best path selection.

+* You can easily tag routes using the BGP Community attribute in order to manage routes.

+In Virtual WAN, the virtual hub router acts as a route manager, providing simplification in routing operations within and across virtual hubs. The virtual hub router simplifies routing management by being the central routing engine that talks to gateways (S2S, ER, and P2S), Azure Firewall, and Network Virtual Appliances (NVAs).

+While the gateways make their routing decisions, the virtual hub router provides central route management and enables advanced routing scenarios in the virtual hub with features such as custom route tables, route association, and propagation.

+Route-maps lets you perform route aggregation, route filtering, and gives you the ability to modify BGP attributes such as AS-PATH and Community to manage routes and routing decisions. Route-maps are configurable for the following resources and settings:

+* **Connections:** A route-map can be applied to user, branch, ExpressRoute, and VNet connections.

+ A virtual hub can have a route-map applied to any of the connections, as shown in the following diagram:

+* **Route aggregation:** Route-maps lets you reduce the number of routes coming in and/or out of a connection by summarizing. (Example: 10.2.1.0.0/24, 10.2.2.0/24 and 10.2.3.0/24 can be summarized to 10.2.0.0/16).

+## Considerations and limitations

+Before using Route-maps, take into consideration the following limitations:

+* During Preview, hubs that are using Route-maps must be deployed in their own virtual WANs.

+* The Route-maps feature is only available for virtual hubs running on the Virtual Machine Scale Sets infrastructure. For more information, see the [FAQ](virtual-wan-faq.md).

+* When using Route-maps to summarize a set of routes, the hub router strips the *BGP Community* and *AS-PATH* attributes from those routes. This applies to both inbound and outbound routes.

+* You can't apply Route-maps to connections between on-premises and SD-WAN/Firewall NVAs in the virtual hub. These connections aren't supported during Preview. You can still apply route-maps to other supported connections when an NVA in the virtual hub is deployed. This doesn't apply to the Azure Firewall, as the routing for Azure Firewall is provided through Virtual WAN [routing intent features](how-to-routing-policies.md).

+* The point-to-site (P2S) Multipool feature isn't currently supported with Route-maps.

+* Modifying the *Default* route is only supported when the default route is learned from on-premises or an NVA.

+* A prefix can be modified either by Route-maps, or by NAT, but not both.

+* Route-maps won't be applied to the [hub address space](virtual-wan-site-to-site-portal.md#hub).

+You can configure Route-maps using the Azure portal. For configuration workflow and comprehensive steps, see [How to configure Route-maps](route-maps-how-to.md).

+## What are route-map rules?

+A route-map is an ordered sequence of one or more **route-map rules** that are applied to routes that are received or sent by the virtual hub. Route-map rules consist of [match conditions](#match-conditions), and [actions](#actions).

+When you're configuring a route-map rule, you use the **Next step** setting to specify whether routes that match this rule will continue on to be processed by the subsequent rules in the route-map, or stop (terminate). After route-map rules are configured for the route-map, the route-map can be applied to connections.

+Things to consider:

+* A route-map rule can have any number of route modifications configured. It's possible to have a route-map without any rules.

+* If a route-map has no actions configured in a rule, the routes are unaltered.

+* If a route-map has multiple modifications configured in a rule, all configured actions are applied on the route. The order of the actions isn't relevant.

+* If a route isn't matched by all the match conditions in a rule, the route isn't considered a match for the rule. The route is passed on to the rule under the route-map, irrespective of the **Next step** setting.

+* Configure rules to only match the routes intended to avoid unintended traffic flows.

+### Match conditions

+Route-maps allows you to match routes using Route-prefix, BGP community, and AS-Path. **Match conditions** are the set of conditions that a processed route must meet to be considered as a match for the rule.

+* A route-map rule can have any number of match conditions.

+* If a route-map is created without a match condition, all routes from the applied connection will be matched.

+ For example, a site-to-site VPN connection has routes 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24 being advertised from Azure to a branch office. A route-map without a match condition will match 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24.

+* If a route-map has multiple match conditions, then a route must meet all the match conditions to be considered a match for the rule. The order of the match conditions isn't relevant.

+ For example, a site-to-site VPN connection has routes 10.2.1.0/24 with an AS Path of 65535 and a BGP community of 65535:100 being advertised from Azure to a branch office. If a route-map rule is created on the connection with a match condition to match on prefix 10.2.1.0, and another match condition for AS Path 65535, both conditions need to be met in order to be considered a match.

+* Multiple rules are supported. If the first rule isn't matched, then the second rule is evaluated. Select **Terminate** in the **Next step** field to end the list of rules in the route-map. When no rule is matched, the default is to allow, not to deny.

+### Actions

+Match conditions are used to select a set of routes. Once those routes are selected, they can be dropped or modified. You can configure the following **Actions**:

+* **Drop:** All the matched routes are dropped (i.e filtered-out) from the route advertisement. For example, a site-to-site VPN connection has routes 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24 being advertised from Azure to a branch office. A route-map can be configured to drop 10.2.1.0/24, 10.2.2.0/24, resulting in only 10.2.3.0/24 being advertised from Azure to a branch office.

+* **Modify:** The possible route modifications are aggregating route-prefixes or modifying route BGP attributes. For example, a site-to-site VPN connection has routes 10.2.1.0/24 with an AS Path of 65535 and a BGP community of 65535:100 being advertised from Azure to a branch office. A route-map can be configured to add the AS Path of [65535, 65005].

+### Supported configurations for route-map rules

+This section shows the match conditions and actions supported for the Route-maps Preview.

+#### Match conditions

+|Property| Criterion| Value (example)| Interpretation|

+|Community |contains| 65001:100,65001:200|Community property of the route can have one or more of the specified communities. |

+|AS-Path |contains| 65001,65002,65003| AS-PATH in the routes can contain one or more of the ASNs listed. Order isn't relevant.|

+#### Route modifications

+|As-Path | Add | 64580,64581 |Prepend AS-PATH with the list of ASNs specified in the rule. These ASNs are applied in the same order for the matched routes. |

+## Apply route-maps to connections

+You can apply route-maps on each connection for the inbound, outbound, or both inbound and outbound directions. You can choose to apply same or different route-maps in inbound and outbound directions, but only one route-map can be applied in each direction. For ExpressRoute connections, a route-map can't be applied on MSEE devices.

+* **Inbound direction:** When a route-map is configured on a connection in the inbound direction, all the ingress route advertisements on that connection are processed by the route-map before they're entered into the virtual hub routerΓÇÖs routing table, *defaultRouteTable*.

+* **Outbound direction:** When a route-map is configured on a connection in the outbound direction, the route-map processes all the egress route advertisements on that connection before they're advertised by the virtual hub router across the connection.

+For steps to apply route-maps to connections, see [How to configure Route-maps](route-maps-how-to.md).

+## Monitor using the Route Map dashboard

+When a route-map is applied to a connection, you can use the Route Map dashboard to monitor and view:

+* Routes

+* AS Path

+* BGP communities

+For more information and steps, see [Monitor Route-maps using the Route Map dashboard](route-maps-dashboard.md).

+* To configure Route-maps, see [How to configure Route-maps](route-maps-how-to.md).

+* To monitor routes, AS Path, and BGP communities, see the

+[Route Map dashboard](route-maps-dashboard.md).

+> [!IMPORTANT]

+> Route-maps is currently in Public Preview and is provided without a service-level agreement. At this time, **Route-maps shouldn't be used for production workloads**. Certain features might not be supported, might have constrained capabilities, or might not be available in all Azure locations. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+1. Select the direction from the two options: **In the inbound direction.** or **In the outbound direction.** You can view inbound from a VNet or inbound to the virtual hub router from ExpressRoute, Branch or User connections. You can also view routes outbound from a VNet or outbound from the virtual hub router to ExpressRoute, Branch or User connections.

+1. For **View routes for Route-maps applied**, select **In the outbound direction**.

+* [About Route Maps](route-maps-about.md)

+This article helps you create or edit a route-map in an Azure Virtual WAN hub using the Azure portal. For more information about Virtual WAN Route-maps, see [About Route-maps](route-maps-about.md).

+> [!Important]

+> [!INCLUDE [Preview text](../../includes/virtual-wan-route-maps-preview.md)]

+* You have virtual WAN (VWAN) with a connection (S2S, P2S, or ExpressRoute) already configured.

+ * For steps to create a VWAN with a S2S connection, see [Tutorial - Create a S2S connection with Virtual WAN](virtual-wan-site-to-site-portal.md).

+ * For steps to create a virtual WAN with a P2S User VPN connection, see [Tutorial - Create a User VPN P2S connection with Virtual WAN](virtual-wan-point-to-site-portal.md).

+* Be sure to view [About Route-maps](route-maps-about.md#considerations-and-limitations) for considerations and limitations before proceeding with configuration steps.

+## Configuration workflow

+1. Create a virtual WAN.

+1. Create all Virtual WAN virtual hubs needed for testing.

+1. Deploy any site-to-site VPN, point-to-site VPN, ExpressRoute gateways, and NVAs needed for testing.

+1. Verify that incoming and outgoing routes are working as expected.

+1. Configure a route-map and route-map rules, then save. For more information about route-map rules, see [About Route-maps](route-maps-about.md).

+1. Once a route-map is configured, the virtual hub router and gateways begin an upgrade needed to support the Route-maps feature.

+ * The upgrade process takes around 30 minutes.

+ * The upgrade process only happens the first time a route-map is created on a hub.

+ * If the route-map is deleted, the virtual hub router remains on the new version of software.

+ * Using Route-maps incurs an additional charge. For more information, see the [Pricing](https://azure.microsoft.com/pricing/details/virtual-wan/) page.

+1. The process is complete when the **Provisioning state** is **Succeeded**. Open a support case if the process failed.

+1. The route-map can now be applied to connections (ER, S2S VPN, P2S VPN, VNet).

+1. Once the route-map is applied in the correct direction, use the [Route-map dashboard](route-maps-dashboard.md) to verify that the route-map is working as expected.

+## Create a route-map

+> [!NOTE]

+> [!INCLUDE [Preview text](../../includes/virtual-wan-route-maps-preview.md)]

+>

+The following steps walk you through how to configure a route-map.

+1. On the Virtual Hub page, in the Routing section, select **Route-maps** to open the Route-maps page. On the Route-maps page, select **+ Add Route-map** to create a new route-map.

+1. On the **Create Route-map** page, provide a Name for the route-map.

+1. Then, select **+ Add Route-map** to create rules in the route-map.

+ * **Name** ΓÇô Provide a name for the route-map rule.

+ * **Next step** ΓÇô From the dropdown, select **Continue** if routes matching this rule must be processed by subsequent rules in the route-map. If not, select **Terminate**.

+ * **Match conditions** ΓÇô Each **Match Condition** requires a Property, Criterion, and a Value. There can be 0 or more match conditions.

+ * To add a new match condition, select the empty row in the table.

+ * To delete a row, select delete icon at the end of the row.

+ * To add multiple values under Value, use comma (,) as the delimiter. Refer to [About Route-maps](route-maps-about.md) for list of supported match conditions.

+ * **Actions > Action on match routes** ΓÇô Select **Drop** to deny the matched routes, or **Modify** to permit and modify the matched routes.

+ * **Actions > Route modifications** ΓÇô Each **Action** statement requires a Property, an Action, and a Value. There can be 0 or more route modification statements.

+ * To add a new statement, select the empty row in the table.

+ * To delete a row, select delete icon at the end of the row.

+ * To add multiple values under Value, use comma (,) as the delimiter. Refer to [About Route-maps](route-maps-about.md) for list of supported actions.

+1. Select **Add** to complete rule configuration. When you select **Add**, this stores the rule temporarily on the Azure portal, but isn't saved to the route-map yet. Select **Okay** on the **Reminder** dialog box to acknowledge that the rule isn't completely saved yet and proceed to the next-step.

+1. Repeat steps 6 and 7 to add additional rules, if necessary.

+1. On the **Create Route-map** page, after all the rules are added, ensure that the order of the rules is as desired. Adjust the rules as necessary by hovering your mouse on a row, then clicking and holding the 3 dots and dragging the row up or down. When you finish adjusting the rule order, select **Save** to save all the rules to the route-map.

+1. It takes a few minutes to save the route-map and the route-map rules. Once saved, the **Provisioning state** shows **Succeeded**.

+## Apply a route-map to connections

+Once the route-map is saved, you can apply the route-map to the desired connections in the virtual hub.

+1. On the **Apply Route-maps to connections** page, configure the following settings.

+ * Select the drop-down box under **Inbound Route-map** and select the route-map you want to apply in the ingress direction.

+ * Select the drop-down box under **Outbound Route-map** and select the route-map you want to apply in the egress direction.

+ * The table at the bottom lists all the connections to the virtual hub. Select one or more connections you want to apply the route-maps to.

+1. When you finish configuring these settings, select **Save**.

+1. Verify the changes by opening **Apply Route-maps to connections** again from the **Route-maps** page.

+1. Once the route-map is applied in the correct direction, use the [Route-map dashboard](route-maps-dashboard.md) to verify that the route-map is working as expected.

+## Modify or remove a route-map or route-map rules

+1. On the line for the route-map that you want to work with, select **… > Edit** or **… > Delete**, respectively.

+ :::image type="content" source="./media/route-maps-how-to/edit.png" alt-text="Screenshot shows how to modify or remove a route-map or rules." lightbox="./media/route-maps-how-to/edit.png":::

+## Modify or remove a route-map from a connection

+|Feature| Routing |[Virtual hub routing preference](about-virtual-hub-routing-preference.md)|Hub routing preference gives you more control over your infrastructure by allowing you to select how your traffic is routed when a virtual hub router learns multiple routes across S2S VPN, ER, and SD-WAN NVA connections. |October 2022| |

+| Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs| Public Preview of Internet inbound/DNAT for Next-Generation Firewall NVAs| Destination NAT for Network Virtual Appliances in the Virtual WAN hub allows you to publish applications to the users in the internet without directly exposing the application or server's public IP. Consumers access applications through a public IP address assigned to a Firewall Network Virtual Appliance. |February 2024| Supported for Fortinet Next-Generation Firewall, Check Point CloudGuard. See [DNAT documentation](how-to-network-virtual-appliance-inbound.md) for the full list of limitations and considerations.|

+| Managed preview | Route-maps | This feature allows you to perform route aggregation, route filtering, and modify BGP attributes for your routes in Virtual WAN. | preview-route-maps@microsoft.com | Known limitations are displayed here: [About Route-maps](route-maps-about.md).

+|3| Two ExpressRoute circuits in the same peering location connected to multiple hubs |If you have two ExpressRoute circuits in the same peering location, and both of these circuits are connected to multiple virtual hubs in the same Virtual WAN, then connectivity to your Azure resources might be impacted. | July 2023 | Make sure each virtual hub has at least 1 virtual network connected to it. This ensures connectivity to your Azure resources. The Virtual WAN team is also working on a fix for this issue. |