+> The Batch synthesis API is generally available. The Long Audio API will be retired on April 1st, 2027. For more information, see [Migrate to batch synthesis API](migrate-to-batch-synthesis.md).

+The Batch synthesis API can synthesize a large volume of text input (long and short) asynchronously. Publishers and audio content platforms can create long audio content in a batch. For example: audio books, news articles, and documents. The batch synthesis API can create synthesized audio longer than 10 minutes.

+|`customVoices`|The map of a custom voice name and its deployment ID.<br/><br/>For example: `"customVoices": {"your-custom-voice-name": "502ac834-6537-4bc3-9fd6-140114daa66d"}`<br/><br/>You can use the voice name in your `synthesisConfig.voice` (when the `inputKind` is set to `"PlainText"`) or within the SSML text of `inputs` (when the `inputKind` is set to `"SSML"`).<br/><br/>This property is required to use a custom voice. If you try to use a custom voice that isn't defined here, the service returns an error.|

+|`id`|The batch synthesis job ID you passed in path.<br/><br/>This property is required in path.|

+|`inputs`|The plain text or SSML to be synthesized.<br/><br/>When the `inputKind` is set to `"PlainText"`, provide plain text as shown here: `"inputs": [{"text": "The rainbow has seven colors."}]`. When the `inputKind` is set to `"SSML"`, provide text in the [Speech Synthesis Markup Language (SSML)](speech-synthesis-markup.md) as shown here: `"inputs": [{"text": "<speak version='\''1.0'\'' xml:lang='\''en-US'\''><voice xml:lang='\''en-US'\'' xml:gender='\''Female'\'' name='\''en-US-AvaMultilingualNeural'\''>The rainbow has seven colors.</voice></speak>"}]`.<br/><br/>Include up to 1,000 text objects if you want multiple audio output files. Here's example input text that should be synthesized to two audio output files: `"inputs": [{"text": "synthesize this to a file"},{"text": "synthesize this to another file"}]`. However, if the `properties.concatenateResult` property is set to `true`, then each synthesized result is written to the same audio output file.<br/><br/>You don't need separate text inputs for new paragraphs. Within any of the (up to 1,000) text inputs, you can specify new paragraphs using the "\r\n" (newline) string. Here's example input text with two paragraphs that should be synthesized to the same audio output file: `"inputs": [{"text": "synthesize this to a file\r\nsynthesize this to another paragraph in the same file"}]`<br/><br/>There are no paragraph limits, but the maximum JSON payload size (including all text inputs and other properties) is 500 kilobytes.<br/><br/>This property is required when you create a new batch synthesis job. This property isn't included in the response when you get the synthesis job.|

+|`internalId`|The internal batch synthesis job ID.<br/><br/>This property is read-only.|

+|`properties.sizeInBytes`|The audio output size in bytes.<br/><br/>This property is read-only.|

+|`properties.billingDetails`|The number of words that were processed and billed by `customNeuralCharacters` versus `neuralCharacters` (prebuilt) voices.<br/><br/>This property is read-only.|

+|`properties.decompressOutputFiles`|Determines whether to unzip the synthesis result files in the destination container. This property can only be set when the `destinationContainerUrl` property is set. This optional `bool` value ("true" or "false") is "false" by default.|

+|`properties.destinationPath`|The prefix path where batch synthesis results can be stored with. If you don't specify a prefix path, the default prefix path is `YourSpeechResourceId/YourSynthesisId`.<br/><br/>This optional property can only be set when the `destinationContainerUrl` property is set.|

+|`properties.durationInMilliseconds`|The audio output duration in milliseconds.<br/><br/>This property is read-only.|

+|`properties.timeToLiveInHours`|A duration in hours after the synthesis job is created, when the synthesis results will be automatically deleted. This optional setting is `744` (31 days) by default. The maximum time to live is 31 days. The date and time of automatic deletion (for synthesis jobs with a status of "Succeeded" or "Failed") is equal to the `lastActionDateTime` + `timeToLiveInHours` properties.<br/><br/>Otherwise, you can call the [delete](./batch-synthesis.md#delete-batch-synthesis) synthesis method to remove the job sooner.|

+|`synthesisConfig`|The configuration settings to use for batch synthesis of plain text.<br/><br/>This property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.backgroundAudio`|The background audio for each audio output.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.backgroundAudio.fadein`|The duration of the background audio fade-in as milliseconds. The default value is `0`, which is the equivalent to no fade in. Accepted values: `0` to `10000` inclusive.<br/><br/>For information, see the attributes table under [add background audio](speech-synthesis-markup-voice.md#add-background-audio) in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.backgroundAudio.fadeout`|The duration of the background audio fade-out in milliseconds. The default value is `0`, which is the equivalent to no fade out. Accepted values: `0` to `10000` inclusive.<br/><br/>For information, see the attributes table under [add background audio](speech-synthesis-markup-voice.md#add-background-audio) in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.backgroundAudio.src`|The URI location of the background audio file.<br/><br/>For information, see the attributes table under [add background audio](speech-synthesis-markup-voice.md#add-background-audio) in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This property is required when `synthesisConfig.backgroundAudio` is set.|

+|`synthesisConfig.backgroundAudio.volume`|The volume of the background audio file. Accepted values: `0` to `100` inclusive. The default value is `1`.<br/><br/>For information, see the attributes table under [add background audio](speech-synthesis-markup-voice.md#add-background-audio) in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.pitch`|The pitch of the audio output.<br/><br/>For information about the accepted values, see the [adjust prosody](speech-synthesis-markup-voice.md#adjust-prosody) table in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.rate`|The rate of the audio output.<br/><br/>For information about the accepted values, see the [adjust prosody](speech-synthesis-markup-voice.md#adjust-prosody) table in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.role`|For some voices, you can adjust the speaking role-play. The voice can imitate a different age and gender, but the voice name isn't changed. For example, a male voice can raise the pitch and change the intonation to imitate a female voice, but the voice name isn't changed. If the role is missing or isn't supported for your voice, this attribute is ignored.<br/><br/>For information about the available styles per voice, see [voice styles and roles](language-support.md?tabs=tts#voice-styles-and-roles).<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.speakerProfileId`|The speaker profile ID of a personal voice.<br/><br/>For information about available personal voice base model names, see [integrate personal voice](personal-voice-how-to-use.md#integrate-personal-voice-in-your-application).<br/>For information about how to get the speaker profile ID, see [language and voice support](personal-voice-create-voice.md).<br/><br/>This property is required when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.style`|For some voices, you can adjust the speaking style to express different emotions like cheerfulness, empathy, and calm. You can optimize the voice for different scenarios like customer service, newscast, and voice assistant.<br/><br/>For information about the available styles per voice, see [voice styles and roles](language-support.md?tabs=tts#voice-styles-and-roles).<br/><br/>This optional property is only applicable when `synthesisConfig.style` is set.|

+|`synthesisConfig.styleDegree`|The intensity of the speaking style. You can specify a stronger or softer style to make the speech more expressive or subdued. The range of accepted values are: 0.01 to 2 inclusive. The default value is 1, which means the predefined style intensity. The minimum unit is 0.01, which results in a slight tendency for the target style. A value of 2 results in a doubling of the default style intensity. If the style degree is missing or isn't supported for your voice, this attribute is ignored.<br/><br/>For information about the available styles per voice, see [voice styles and roles](language-support.md?tabs=tts#voice-styles-and-roles).<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.voice`|The voice that speaks the audio output.<br/><br/>For information about the available prebuilt neural voices, see [language and voice support](language-support.md?tabs=tts). To use a custom voice, you must specify a valid custom voice and deployment ID mapping in the `customVoices` property. To use a personal voice, you need to specify the `synthesisConfig.speakerProfileId` property. <br/><br/>This property is required when `inputKind` is set to `"PlainText"`.|

+|`synthesisConfig.volume`|The volume of the audio output.<br/><br/>For information about the accepted values, see the [adjust prosody](speech-synthesis-markup-voice.md#adjust-prosody) table in the Speech Synthesis Markup Language (SSML) documentation. Invalid values are ignored.<br/><br/>This optional property is only applicable when `inputKind` is set to `"PlainText"`.|

+|`inputKind`|Indicates whether the `inputs` text property should be plain text or SSML. The possible case-insensitive values are "PlainText" and "SSML". When the `inputKind` is set to `"PlainText"`, you must also set the `synthesisConfig` voice property.<br/><br/>This property is required.|

+### HTTP 400 error

+- The number of requested text inputs exceeded the limit of 10,000.

+- You tried to use a _F0_ Speech resource, but the region only supports the _Standard_ Speech resource pricing tier.

+- You tried to create a new batch synthesis job that would exceed the limit of 300 active jobs. Each Speech resource can have up to 300 batch synthesis jobs that don't have a status of "Succeeded" or "Failed".

+There are too many recent requests. Each client application can submit up to 100 requests per 10 seconds for each Speech resource. Reduce the number of requests per second.

+Here's an example request that results in an HTTP 400 error, because the `inputs` property is required to create a job.

+curl -v -X PUT -H "Ocp-Apim-Subscription-Key: YourSpeechKey" -H "Content-Type: application/json" -d '{

+ "inputKind": "SSML"

+}' "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses/YourSynthesisId?api-version=2024-04-01"

+ "error": {

+ "code": "BadRequest",

+ "message": "The inputs is required."

+ Title: Batch synthesis API for text to speech - Speech service

+# Batch synthesis API for text to speech

+The Batch synthesis API can synthesize a large volume of text input (long and short) asynchronously. Publishers and audio content platforms can create long audio content in a batch. For example: audio books, news articles, and documents. The batch synthesis API can create synthesized audio longer than 10 minutes.

+> The Batch synthesis API is generally available. The Long Audio API will be retired on April 1st, 2027. For more information, see [Migrate to batch synthesis API](migrate-to-batch-synthesis.md).

+| Operation | Method | REST API call |

+| - | -- | - |

+| [Create batch synthesis](#create-batch-synthesis) | `PUT` | texttospeech/batchsyntheses/YourSynthesisId |

+| [Get batch synthesis](#get-batch-synthesis) | `GET` | texttospeech/batchsyntheses/YourSynthesisId |

+| [List batch synthesis](#list-batch-synthesis) | `GET` | texttospeech/batchsyntheses |

+| [Delete batch synthesis](#delete-batch-synthesis) | `DELETE` | texttospeech/batchsyntheses/YourSynthesisId |

+<!-- | [Get operation for status monitor](#get-operation) | `GET` | texttospeech/operations/YourOperationId | -->

+To submit a batch synthesis request, construct the HTTP PUT request path and body according to the following instructions:

+- Set the required `inputKind` property.

+- If the `inputKind` property is set to "PlainText", then you must also set the `voice` property in the `synthesisConfig`. In the example below, the `inputKind` is set to "SSML", so the `synthesisConfig` isn't set.

+- Optionally you can set the `description`, `timeToLiveInHours`, and other properties. For more information, see [batch synthesis properties](batch-synthesis-properties.md).

+> The maximum JSON payload size that will be accepted is 2 megabytes. Each Speech resource can have up to 300 batch synthesis jobs that are running concurrently.

+Set the required `YourSynthesisId` in path. The `YourSynthesisId` have to be unique. It must be 3-64 long, contains only numbers, letters, hyphens, underscores and dots, starts and ends with a letter or number.

+Make an HTTP PUT request using the URI as shown in the following example. Replace `YourSpeechKey` with your Speech resource key, replace `YourSpeechRegion` with your Speech resource region, and set the request body properties as previously described.

+curl -v -X PUT -H "Ocp-Apim-Subscription-Key: YourSpeechKey" -H "Content-Type: application/json" -d '{

+ "inputKind": "SSML",

+ "content": "<speak version=\"1.0\" xml:lang=\"en-US\"><voice name=\"en-US-JennyNeural\">The rainbow has seven colors.</voice></speak>"

+ }

+ }

+}' "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses/YourSynthesisId?api-version=2024-04-01"

+ "id": "YourSynthesisId",

+ "internalId": "7ab84171-9070-4d3b-88d4-1b8cc1cb928a",

+ "status": "NotStarted",

+ "createdDateTime": "2024-03-12T07:23:18.0097387Z",

+ "lastActionDateTime": "2024-03-12T07:23:18.0097388Z",

+ "inputKind": "SSML",

+ "timeToLiveInHours": 744,

+ }

+To get the status of the batch synthesis job, make an HTTP GET request using the URI as shown in the following example. Replace `YourSpeechKey` with your Speech resource key, and replace `YourSpeechRegion` with your Speech resource region.

+curl -v -X GET "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses/YourSynthesisId?api-version=2024-04-01" -H "Ocp-Apim-Subscription-Key: YourSpeechKey"

+ "id": "YourSynthesisId",

+ "internalId": "7ab84171-9070-4d3b-88d4-1b8cc1cb928a",

+ "status": "Succeeded",

+ "createdDateTime": "2024-03-12T07:23:18.0097387Z",

+ "lastActionDateTime": "2024-03-12T07:23:18.7979669",

+ "inputKind": "SSML",

+ "customVoices": {},

+ "properties": {

+ "timeToLiveInHours": 744,

+ "outputFormat": "riff-24khz-16bit-mono-pcm",

+ "concatenateResult": false,

+ "decompressOutputFiles": false,

+ "wordBoundaryEnabled": false,

+ "sentenceBoundaryEnabled": false,

+ "sizeInBytes": 120000,

+ "succeededAudioCount": 1,

+ "failedAudioCount": 0,

+ "durationInMilliseconds": 2500,

+ "billingDetails": {

+ "neuralCharacters": 29

+ }

+ },

+ "outputs": {

+ "result": "https://stttssvcuse.blob.core.windows.net/batchsynthesis-output/29f2105f997c4bfea176d39d05ff201e/YourSynthesisId/results.zip?SAS_Token"

+}

+To list all batch synthesis jobs for the Speech resource, make an HTTP GET request using the URI as shown in the following example. Replace `YourSpeechKey` with your Speech resource key and replace `YourSpeechRegion` with your Speech resource region. Optionally, you can set the `skip` and `maxpagesize` (up to 100) query parameters in URL. The default value for `skip` is 0 and the default value for `maxpagesize` is 100.

+curl -v -X GET "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses?api-version=2024-04-01&skip=1&maxpagesize=2" -H "Ocp-Apim-Subscription-Key: YourSpeechKey"

+ "value": [

+ "id": "my-job-03",

+ "internalId": "5f7e9ab6-2c92-4dcb-b5ee-ec0983ee4db0",

+ "status": "Succeeded",

+ "createdDateTime": "2024-03-12T07:28:32.5690441Z",

+ "lastActionDateTime": "2024-03-12T07:28:33.0042293",

+ "inputKind": "SSML",

+ "timeToLiveInHours": 744,

+ "sentenceBoundaryEnabled": false,

+ "sizeInBytes": 120000,

+ "succeededAudioCount": 1,

+ "failedAudioCount": 0,

+ "durationInMilliseconds": 2500,

+ "billingDetails": {

+ "neuralCharacters": 29

+ }

+ "result": "https://stttssvcuse.blob.core.windows.net/batchsynthesis-output/29f2105f997c4bfea176d39d05ff201e/my-job-03/results.zip?SAS_Token"

+ }

+ },

+ "id": "my-job-02",

+ "internalId": "5577585f-4710-4d4f-aab6-162d14bd7ee0",

+ "status": "Succeeded",

+ "createdDateTime": "2024-03-12T07:28:29.6418211Z",

+ "lastActionDateTime": "2024-03-12T07:28:30.0910306",

+ "inputKind": "SSML",

+ "timeToLiveInHours": 744,

+ "sentenceBoundaryEnabled": false,

+ "sizeInBytes": 120000,

+ "succeededAudioCount": 1,

+ "failedAudioCount": 0,

+ "durationInMilliseconds": 2500,

+ "billingDetails": {

+ "neuralCharacters": 29

+ }

+ "result": "https://stttssvcuse.blob.core.windows.net/batchsynthesis-output/29f2105f997c4bfea176d39d05ff201e/my-job-02/results.zip?SAS_Token"

+ }

+ }

+ "nextLink": "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses?skip=3&maxpagesize=2&api-version=2024-04-01"

+}

+The `value` property in the json response lists your synthesis requests. The list is paginated, with a maximum page size of 100. The `"nextLink"` property is provided as needed to get the next page of the paginated list.

+Delete the batch synthesis job history after you retrieved the audio output results. The Speech service keeps batch synthesis history for up to 31 days, or the duration of the request `timeToLiveInHours` property, whichever comes sooner. The date and time of automatic deletion (for synthesis jobs with a status of "Succeeded" or "Failed") is equal to the `lastActionDateTime` + `timeToLiveInHours` properties.

+curl -v -X DELETE "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses/YourSynthesisId?api-version=2024-04-01" -H "Ocp-Apim-Subscription-Key: YourSpeechKey"

+After you [get a batch synthesis job](#get-batch-synthesis) with `status` of "Succeeded", you can download the audio output results. Use the URL from the `outputs.result` property of the [get batch synthesis](#get-batch-synthesis) response.

+ "jobID": "7ab84171-9070-4d3b-88d4-1b8cc1cb928a",

+ "status": "Succeeded",

+ "results": [

+ "contents": [

+ "<speak version=\"1.0\" xml:lang=\"en-US\"><voice name=\"en-US-JennyNeural\">The rainbow has seven colors.</voice></speak>"

+ "status": "Succeeded",

+ "audioFileName": "0001.wav",

+ "properties": {

+ "sizeInBytes": "120000",

+ "durationInMilliseconds": "2500"

+If sentence boundary data was requested (`"sentenceBoundaryEnabled": true`), then a corresponding `[nnnn].sentence.json` file is included in the results. Likewise, if word boundary data was requested (`"wordBoundaryEnabled": true`), then a corresponding `[nnnn].word.json` file is included in the results.

+ "Text": "The",

+ "AudioOffset": 50,

+ "Duration": 137

+ "AudioOffset": 200,

+ "Duration": 350

+ "AudioOffset": 562,

+ "Duration": 175

+ "AudioOffset": 750,

+ "Duration": 300

+ "AudioOffset": 1062,

+ "Duration": 625

+ {

+ "Text": ".",

+ "AudioOffset": 1700,

+ "Duration": 100

+ }

+HTTP 201 Created indicates that the create batch synthesis request (via HTTP PUT) was successful.

+- You tried to get or delete a synthesis job that doesn't exist.

+- You successfully deleted a synthesis job.

+### HTTP 400 error

+- The number of requested text inputs exceeded the limit of 10,000.

+- You tried to use a _F0_ Speech resource, but the region only supports the _Standard_ Speech resource pricing tier.

+- You tried to create a new batch synthesis job that would exceed the limit of 300 active jobs. Each Speech resource can have up to 300 batch synthesis jobs that don't have a status of "Succeeded" or "Failed".

+There are too many recent requests. Each client application can submit up to 100 requests per 10 seconds for each Speech resource. Reduce the number of requests per second.

+Here's an example request that results in an HTTP 400 error, because the `inputs` property is required to create a job.

+curl -v -X PUT -H "Ocp-Apim-Subscription-Key: YourSpeechKey" -H "Content-Type: application/json" -d '{

+ "inputKind": "SSML"

+}' "https://YourSpeechRegion.api.cognitive.microsoft.com/texttospeech/batchsyntheses/YourSynthesisId?api-version=2024-04-01"

+ "error": {

+ "code": "BadRequest",

+ "message": "The inputs is required."

+The [Batch synthesis API](batch-synthesis.md) provides asynchronous synthesis of long-form text to speech. This article describes the benefits of upgrading from Long Audio API to Batch synthesis API, and details about how to do so.

+> [Batch synthesis API](batch-synthesis.md) is generally available. the Long Audio API will be retired on April 1st, 2027.

+## Base path and version

+Update the endpoint from `https://YourSpeechRegion.customvoice.api.speech.microsoft.com` to `https://YourSpeechRegion.api.cognitive.microsoft.com` or you can use custom domain instead: `https://{customDomainName}.cognitiveservices.azure.com/`.

+Update the base path in your code from `/texttospeech/v3.0/longaudiosynthesis` to `/texttospeech/batchsyntheses`.

+Update the version from base path to query string `/texttospeech/v3.0/longaudiosynthesis` to `?api-version=2024-04-01`.

+For example, to list synthesis jobs for your Speech resource in the `eastus` region, use `https://eastus.api.cognitive.microsoft.com/texttospeech/batchsyntheses?api-version=2024-04-01` instead of `https://eastus.customvoice.api.speech.microsoft.com/api/texttospeech/v3.0/longaudiosynthesis`.

+Batch synthesis API is available in more [Speech regions](regions.md).

+| Region | Endpoint |

+| - | - |

+| Australia East | `https://australiaeast.customvoice.api.speech.microsoft.com` |

+| East US | `https://eastus.customvoice.api.speech.microsoft.com` |

+| India Central | `https://centralindia.customvoice.api.speech.microsoft.com` |

+| Southeast Asia | `https://southeastasia.customvoice.api.speech.microsoft.com` |

+| UK South | `https://uksouth.customvoice.api.speech.microsoft.com` |

+| West Europe | `https://westeurope.customvoice.api.speech.microsoft.com` |

+Batch synthesis text inputs are sent in a JSON payload of up to 2 megabytes.

+- One plain text (.txt) or SSML text (.txt) file encoded as [UTF-8 with Byte Order Mark (BOM)](https://www.w3.org/International/questions/qa-utf8-bom.en#bom). Don't use compressed files such as ZIP. If you have more than one input file, you must submit multiple requests.

+- Contains more than 400 characters for plain text or 400 [billable characters](./text-to-speech.md#pricing-note) for SSML text, and less than 10,000 paragraphs. For plain text, each paragraph is separated by a new line. For SSML text, each SSML piece is considered a paragraph. Separate SSML pieces by different paragraphs.

+- riff-8khz-16bit-mono-pcm

+- riff-16khz-16bit-mono-pcm

+- riff-24khz-16bit-mono-pcm

+- riff-48khz-16bit-mono-pcm

+- audio-16khz-32kbitrate-mono-mp3

+- audio-16khz-64kbitrate-mono-mp3

+- audio-16khz-128kbitrate-mono-mp3

+- audio-24khz-48kbitrate-mono-mp3

+- audio-24khz-96kbitrate-mono-mp3

+- audio-24khz-160kbitrate-mono-mp3

+With batch synthesis API, use the URL from the `outputs.result` property of the HTTP GET batch synthesis response. The [results](batch-synthesis.md#batch-synthesis-results) are in a ZIP file that contains the audio (such as `0001.wav`), summary, and debug details.

+Batch synthesis API supports up to 300 batch synthesis jobs that don't have a status of "Succeeded" or "Failed". The Speech service keeps each synthesis history for up to 31 days, or the duration of the request `timeToLiveInHours` property, whichever comes sooner. The date and time of automatic deletion (for synthesis jobs with a status of "Succeeded" or "Failed") is equal to the `lastActionDateTime` + `timeToLiveInHours` properties.

+The Long Audio API is limited to 20,000 requests for each Azure subscription account. The Speech service doesn't remove job history automatically. You must remove the previous job run history before making new requests that would otherwise exceed the limit.

+- If your application uses a [Speech SDK](speech-sdk.md), you provide the region identifier, such as `westus`, when you create a `SpeechConfig`. Make sure the region matches the region of your subscription.

+- If your application uses one of the Speech service REST APIs, the region is part of the endpoint URI you use when making requests.

+- Keys created for a region are valid only in that region. If you attempt to use them with other regions, you get authentication errors.

+| Geography | Region | Region identifier |

+| - | -- | |

+| Africa | South Africa North | `southafricanorth` ⁶ |

+| Asia Pacific | East Asia | `eastasia` ⁵ |

+| Asia Pacific | Southeast Asia | `southeastasia` ^1,2,4,5,7,9 |

+| Asia Pacific | Australia East | `australiaeast` ^1,2,4,7 |

+| Asia Pacific | Central India | `centralindia` ^1,2,4,5 |

+| Asia Pacific | Japan East | `japaneast` ^2,5 |

+| Asia Pacific | Japan West | `japanwest` ³ |

+| Asia Pacific | Korea Central | `koreacentral` ² |

+| Canada | Canada Central | `canadacentral` ¹ |

+| Europe | North Europe | `northeurope` ^1,2,4,5,7 |

+| Europe | West Europe | `westeurope` ^1,2,4,5,7,9 |

+| Europe | France Central | `francecentral` |

+| Europe | Germany West Central | `germanywestcentral` |

+| Europe | Norway East | `norwayeast` |

+| Europe | Sweden Central | `swedencentral`⁸ |

+| Europe | Switzerland North | `switzerlandnorth` ⁶ |

+| Europe | Switzerland West | `switzerlandwest` ³ |

+| Europe | UK South | `uksouth` ^1,2,4,7 |

+| Middle East | UAE North | `uaenorth` ⁶ |

+| South America | Brazil South | `brazilsouth` ⁶ |

+| Qatar | Qatar Central | `qatarcentral`^3,8 |

+| US | Central US | `centralus` |

+| US | East US | `eastus` ^1,2,4,5,7,9 |

+| US | East US 2 | `eastus2` ^1,2,4,5 |

+| US | North Central US | `northcentralus` ^4,6 |

+| US | South Central US | `southcentralus` ^1,2,4,5,6,7 |

+| US | West Central US | `westcentralus` ^3,5 |

+| US | West US | `westus` ^2,5 |

+| US | West US 2 | `westus2` ^1,2,4,5,7 |

+| US | West US 3 | `westus3` ³ |

+³ The region doesn't support Batch Synthesis API.

+| - | - | -- |

+| Asia | East Asia | `eastasia` |

+| Asia | Southeast Asia | `southeastasia` |

+| Australia | Australia East | `australiaeast` |

+| Europe | North Europe | `northeurope` |

+| Europe | West Europe | `westeurope` |

+| North America | East US | `eastus` |

+| North America | East US 2 | `eastus2` |

+| North America | South Central US | `southcentralus` |

+| North America | West Central US | `westcentralus` |

+| North America | West US | `westus` |

+| North America | West US 2 | `westus2` |

+| South America | Brazil South | `brazilsouth` |

+| Global region | Region | Region identifier |

+| - | - | -- |

+| North America | West US | `westus` |

+| North America | West US 2 | `westus2` |

+| North America | East US | `eastus` |

+| North America | East US 2 | `eastus2` |

+| North America | West Central US | `westcentralus` |

+| North America | South Central US | `southcentralus` |

+| Europe | West Europe | `westeurope` |

+| Europe | North Europe | `northeurope` |

+| Asia | East Asia | `eastasia` |

+| Asia | Southeast Asia | `southeastasia` |

+| India | Central India | `centralindia` |

+ Title: How to configure a managed network for Azure AI hubs

+description: Learn how to configure a managed network for Azure AI hubs

+# How to configure a managed network for Azure AI hubs

+We have two network isolation aspects. One is the network isolation to access an Azure AI hub. Another is the network isolation of computing resources in your Azure AI hub and Azure AI projects such as compute instance, serverless and managed online endpoint. This document explains the latter highlighted in the diagram. You can use Azure AI hub built-in network isolation to protect your computing resources.

+- Create private endpoint outbound rules to your private Azure resources. Note that private Azure AI services and Azure AI Search are not supported yet.

+When you enable managed virtual network isolation, a managed virtual network is created for the Azure AI hub. Managed compute resources you create for the Azure AI hub automatically use this managed VNet. The managed VNet can use private endpoints for Azure resources that are used by your Azure AI hub, such as Azure Storage, Azure Key Vault, and Azure Container Registry.

+| Disabled | Inbound and outbound traffic isn't restricted. | You want public inbound and outbound from the Azure AI hub. |

+The managed VNet is preconfigured with [required default rules](#list-of-required-rules). It's also configured for private endpoint connections to your Azure AI hub, Azure AI hub's default storage, container registry and key vault __if they're configured as private__ or __the Azure AI hub isolation mode is set to allow only approved outbound__. After choosing the isolation mode, you only need to consider other outbound requirements you might need to add.

+> In this configuration, the storage, key vault, and container registry used by the Azure AI hub are flagged as private. Since they are flagged as private, a private endpoint is used to communicate with them.

+Not available in AI CLI, but you can use [Azure Machine Learning CLI](../../machine-learning/how-to-managed-network.md#configure-a-managed-virtual-network-to-allow-internet-outbound). Use your Azure AI hub name as workspace name in Azure Machine Learning CLI.

+* __Create a new Azure AI hub__:

+ 1. Sign in to the [Azure portal](https://portal.azure.com), and choose Azure AI Studio from Create a resource menu.

+ 1. Select **+ New Azure AI**.

+ * __Destination type__: Private Endpoint is the only option when the network isolation is private with internet outbound. Azure AI hub managed VNet doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.

+ 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure AI hub that you want to enable managed VNet isolation for.

+Not available in AI CLI, but you can use [Azure Machine Learning CLI](../../machine-learning/how-to-managed-network.md#configure-a-managed-virtual-network-to-allow-only-approved-outbound). Use your Azure AI hub name as workspace name in Azure Machine Learning CLI.

+* __Create a new Azure AI hub__:

+ 1. Sign in to the [Azure portal](https://portal.azure.com), and choose Azure AI Studio from Create a resource menu.

+ 1. Select **+ New Azure AI**.

+ > Azure AI hub managed VNet doesn't support creating a private endpoint to all Azure resource types. For a list of supported resources, see the [Private endpoints](#private-endpoints) section.

+ 1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure AI hub that you want to enable managed VNet isolation for.

+Not available in AI CLI, but you can use [Azure Machine Learning CLI](../../machine-learning/how-to-managed-network.md#manage-outbound-rules). Use your Azure AI hub name as workspace name in Azure Machine Learning CLI.

+1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure AI hub that you want to enable managed VNet isolation for.

+* When the isolation mode for the managed VNet is `Allow internet outbound`, private endpoint outbound rules are automatically created as required rules from the managed VNet for the Azure AI hub and associated resources __with public network access disabled__ (Key Vault, Storage Account, Container Registry, Azure AI hub).

+* When the isolation mode for the managed VNet is `Allow only approved outbound`, private endpoint outbound rules are automatically created as required rules from the managed VNet for the Azure AI hub and associated resources __regardless of public network access mode for those resources__ (Key Vault, Storage Account, Container Registry, Azure AI hub).

+If you plan to use __Visual Studio Code__ with the Azure AI hub, add outbound _FQDN_ rules to allow traffic to the following hosts:

+If you plan to use __HuggingFace models__ with the Azure AI hub, add outbound _FQDN_ rules to allow traffic to the following hosts:

+* Azure AI hub

+When you create a private endpoint for Azure AI hub dependency resources, such as Azure Storage, Azure Container Registry, and Azure Key Vault, the resource can be in a different Azure subscription. However, the resource must be in the same tenant as the Azure AI hub.

+The Azure AI hub managed VNet feature is free. However, you're charged for the following resources that are used by the managed VNet:

+* FQDN outbound rules - FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. Azure Firewall SKU is standard. Azure Firewall is provisioned per Azure AI hub.

+* Azure AI services provisioned with Azure AI hub and Azure AI Search attached with Azure AI hub should be public.

+ Title: Index Lookup tool for flows in Azure AI Studio

+description: This article introduces the Index Lookup tool for flows in Azure AI Studio.

+ Title: Istio service mesh AKS add-on performance

+description: Istio service mesh AKS add-on performance

+# Istio service mesh add-on performance

+The Istio-based service mesh add-on is logically split into a control plane (`istiod`) and a data plane. The data plane is composed of Envoy sidecar proxies inside workload pods. Istiod manages and configures these Envoy proxies. This article presents the performance of both the control and data plane for revision asm-1-19, including resource consumption, sidecar capacity, and latency overhead. Additionally, it provides suggestions for addressing potential strain on resources during periods of heavy load.

+## Control plane performance

+[IstiodΓÇÖs CPU and memory requirements][control-plane-performance] correlate with the rate of deployment and configuration changes and the number of proxies connected. The scenarios tested were:

+- Pod churn: examines the impact of pod churning on `istiod`. To reduce variables, only one service is used for all sidecars.

+- Multiple

+#### Test specifications

+- One `istiod` instance with default settings

+- Horizontal pod autoscaling disabled

+- Tested with two network plugins: Azure CNI Overlay and Azure CNI Overlay with Cilium [ (recommended network plugins for large scale clusters) ](/azure/aks/azure-cni-overlay?tabs=kubectl#choosing-a-network-model-to-use)

+- Node SKU: Standard D16 v3 (16 vCPU, 64-GB memory)

+- Kubernetes version: 1.28.5

+- Istio revision: asm-1-19

+### Pod churn

+The [ClusterLoader2 framework][clusterloader2] was used to determine the maximum number of sidecars Istiod can manage when there's sidecar churning. The churn percent is defined as the percent of sidecars churned down/up during the test. For example, 50% churn for 10,000 sidecars would mean that 5,000 sidecars were churned down, then 5,000 sidecars were churned up. The churn percents tested were determined from the typical churn percentage during deployment rollouts (`maxUnavailable`). The churn rate was calculated by determining the total number of sidecars churned (up and down) over the actual time taken to complete the churning process.

+#### Sidecar capacity and Istiod CPU and memory

+**Azure CNI overlay**

+| Churn (%) | Churn Rate (sidecars/sec) | Sidecar Capacity | Istiod Memory (GB) | Istiod CPU |

+|-|--|--|-|--|

+| 0 | -- | 25000 | 32.1 | 15 |

+| 25 | 31.2 | 15000 | 22.2 | 15 |

+| 50 | 31.2 | 15000 | 25.4 | 15 |

+**Azure CNI overlay with Cilium**

+| Churn (%) | Churn Rate (sidecars/sec) | Sidecar Capacity | Istiod Memory (GB) | Istiod CPU |

+|-|--|--|-|--|

+| 0 |-- | 30000 | 41.2 | 15 |

+| 25 | 41.7 | 25000 | 36.1 | 16 |

+| 50 | 37.9 | 25000 | 42.7 | 16 |

+### Multiple services

+The [ClusterLoader2 framework][clusterloader2] was used to determine the maximum number of sidecars `istiod` can manage with 1,000 services. The results can be compared to the 0% churn test (one service) in the pod churn scenario. Each service had `N` sidecars contributing to the overall maximum sidecar count. The API Server resource usage was observed to determine if there was any significant stress from the add-on.

+**Sidecar capacity**

+| Azure CNI Overlay | Azure CNI Overlay with Cilium |

+|||

+| 20000 | 20000 |

+**CPU and memory**

+| Resource | Azure CNI Overlay | Azure CNI Overlay with Cilium |

+||--||

+| API Server Memory (GB) | 38.9 | 9.7 |

+| API Server CPU | 6.1 | 4.7 |

+| Istiod Memory (GB) | 40.4 | 42.6 |

+| Istiod CPU | 15 | 16 |

+## Data plane performance

+Various factors impact [sidecar performance][data-plane-performance] such as request size, number of proxy worker threads, and number of client connections. Additionally, any request flowing through the mesh traverses the client-side proxy and then the server-side proxy. Therefore, latency and resource consumption are measured to determine the data plane performance.

+[Fortio][fortio] was used to create the load. The test was conducted with the [Istio benchmark repository][istio-benchmark] that was modified for use with the add-on.

+#### Test specifications

+- Tested with two network plugins: Azure CNI Overlay and Azure CNI Overlay with Cilium [ (recommended network plugins for large scale clusters) ](/azure/aks/azure-cni-overlay?tabs=kubectl#choosing-a-network-model-to-use)

+- Node SKU: Standard D16 v5 (16 vCPU, 64-GB memory)

+- Kubernetes version: 1.28.5

+- Two proxy workers

+- 1-KB payload

+- 1000 QPS at varying client connections

+- `http/1.1` protocol and mutual TLS enabled

+- 26 data points collected

+#### CPU and memory

+The memory and CPU usage for both the client and server proxy for 16 client connections and 1000 QPS across all network plugin scenarios is roughly 0.4 vCPU and 72 MB.

+#### Latency

+The sidecar Envoy proxy collects raw telemetry data after responding to a client, which doesn't directly affect the request's total processing time. However, this process delays the start of handling the next request, contributing to queue wait times and influencing average and tail latencies. Depending on the traffic pattern, the actual tail latency varies.

+The following evaluates the impact of adding sidecar proxies to the data path, showcasing the P90 and P99 latency.

+| Azure CNI Overlay |Azure CNI Overlay with Cilium |

+|:-:|:-:|

+[  ](./media/aks-istio-addon/latency-box-plot/overlay-azure-p99.png#lightbox) | [  ](./media/aks-istio-addon/latency-box-plot/overlay-cilium-p99.png#lightbox)

+[  ](./media/aks-istio-addon/latency-box-plot/overlay-azure-p90.png#lightbox) | [  ](./media/aks-istio-addon/latency-box-plot/overlay-cilium-p90.png#lightbox)

+## Service entry

+Istio's ServiceEntry custom resource definition enables adding other services into the IstioΓÇÖs internal service registry. A [ServiceEntry][serviceentry] allows services already in the mesh to route or access the services specified. However, the configuration of multiple ServiceEntries with the `resolution` field set to DNS can cause a [heavy load on DNS servers][understanding-dns]. The following suggestions can help reduce the load:

+- Switch to `resolution: NONE` to avoid proxy DNS lookups entirely. Suitable for most use cases.

+- Increase TTL (Time To Live) if you control the domains being resolved.

+- Limit the ServiceEntry scope with `exportTo`.

+[control-plane-performance]: https://istio.io/latest/docs/ops/deployment/performance-and-scalability/#control-plane-performance

+[data-plane-performance]: https://istio.io/latest/docs/ops/deployment/performance-and-scalability/#data-plane-performance

+[clusterloader2]: https://github.com/kubernetes/perf-tests/tree/master/clusterloader2#clusterloader

+[fortio]: https://fortio.org/

+[istio-benchmark]: https://github.com/istio/tools/tree/master/perf/benchmark#istio-performance-benchmarking

+[serviceentry]: https://istio.io/latest/docs/reference/config/networking/service-entry/

+[understanding-dns]: https://preliminary.istio.io/latest/docs/ops/configuration/traffic-management/dns/#proxy-dns-resolution

+| Feature/behavior | Isolated worker model | In-process model³ |

+ [!INCLUDE [functions-in-process-model-retirement-note](../../includes/functions-in-process-model-retirement-note.md)]

+This article is an introduction to developing Azure Functions by using C# in .NET class libraries. These class libraries are used to run _in-process with the Functions runtime_. Your .NET functions can alternatively run _isolated from the Functions _runtime_, which offers several advantages. To learn more, see [the isolated worker model](dotnet-isolated-process-guide.md). For a comprehensive comparison between these two models, see [Differences between the in-process model and the isolated worker model](dotnet-isolated-in-process-differences.md).

+<TargetFramework>net8.0</TargetFramework>

+You can choose `net8.0`, `net7.0`, `net6.0`, or `net48` as the target framework if you are using the [isolated worker model](dotnet-isolated-process-guide.md). If you are using the [in-process model](./functions-dotnet-class-library.md), you can only choose `net6.0`, and you must include the `Microsoft.NET.Sdk.Functions` extension set to at least `4.0.0`.

+> [!IMPORTANT]

+> [Support will end for the in-process model on November 10, 2026](https://aka.ms/azure-functions-retirements/in-process-model). We highly recommend that you migrate your apps to the isolated worker model by following the instructions in this article.

+> **Unless your app depends on a library or API only available to .NET Framework, we recommend updating to .NET 8 on the isolated worker model.** Many apps on version 1.x target .NET Framework only because that is what was available when they were created. Additional capabilities are available to more recent versions of .NET, and if your app is not forced to stay on .NET Framework due to a dependency, you should target a more recent version. .NET 8 is the fully released version with the longest support window from .NET.

+> Although you can choose to instead use the in-process model, this is not recommended if it can be avoided. [Support will end for the in-process model on November 10, 2026](https://aka.ms/azure-functions-retirements/in-process-model), so you'll need to move to the isolated worker model before then. Doing so while migrating to version 4.x will decrease the total effort required, and the isolated worker model will give your app [additional benefits](./dotnet-isolated-in-process-differences.md), including the ability to more easily target future versions of .NET. If you are moving to the isolated worker model, the [.NET Upgrade Assistant] can also handle many of the necessary code changes for you.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+A program.cs file isn't required when running in-process.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+| Version 1.x | .NET 6 (in-process) |

+| | |

+| `FunctionName` (attribute) | `FunctionName` (attribute) |

+| `TraceWriter` | `ILogger<T>`, `ILogger` |

+| `HttpRequestMessage` | `HttpRequest` |

+| `HttpResponseMessage` | `IActionResult` |

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+> **We recommend updating to .NET 8 on the isolated worker model.** .NET 8 is the fully released version with the longest support window from .NET.

+> Although you can choose to instead use the in-process model, this is not recommended if it can be avoided. [Support will end for the in-process model on November 10, 2026](https://aka.ms/azure-functions-retirements/in-process-model), so you'll need to move to the isolated worker model before then. Doing so while migrating to version 4.x will decrease the total effort required, and the isolated worker model will give your app [additional benefits](./dotnet-isolated-in-process-differences.md), including the ability to more easily target future versions of .NET. If you are moving to the isolated worker model, the [.NET Upgrade Assistant] can also handle many of the necessary code changes for you.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+A `Program.cs` file isn't required when you are using the in-process model.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+No changes are required to your `host.json` file.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+| .NET Core 3.1 | .NET 5 | .NET 6 (in-process) |

+| | | |

+| `FunctionName` (attribute) | `Function` (attribute) | `FunctionName` (attribute) |

+| `ILogger` | `ILogger` | `ILogger` |

+| `HttpRequest` | `HttpRequestData` | `HttpRequest` |

+| `IActionResult` | `HttpResponseData` | `IActionResult` |

+| `FunctionsStartup` (attribute) | Uses [`Program.cs`](#programcs-file) instead | `FunctionsStartup` (attribute) |

+# [.NET 6 (in-process)](#tab/net6-in-proc)

+Make sure to check [Breaking changes between 3.x and 4.x](#breaking-changes-between-3x-and-4x) for additional changes you might need to make to your project.

+# [.NET 8](#tab/net8)

+# [.NET 6 (in-process model)](#tab/net6-in-proc)

+Sames as version 3.x (in-process).

+### Does Azure Monitor Agent support data collection for the various Log Analytics solutions and Azure services like Microsoft Defender for Cloud and Microsoft Sentinel?

+For a list of features and services that use Azure Monitor Agent for data collection, see [Migrate to Azure Monitor Agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md#migrate-additional-services-and-features).

+Some services might install other extensions to collect more data or to transforms or process data, and then use Azure Monitor Agent to route the final data to Azure Monitor.

+> If you can't select your country/region code in the Azure portal, voice calls aren't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). In the meantime, as a workaround, configure your action group to call a webhook to a third-party voice call provider that offers support in your country/region. If a country is marked with an '*' calls will come from a USA based phone number.

+| 86 | China* |

+| 852 | Hong Kong* |

+| 91 | India* |

+| 39 | Italy* |

+| 81 | Japan* |

+| 40 | Romania* |

+| 7 | Russia* |

+| 82 | South Korea |

+| 886 | Taiwan* |

+| 971 | United Arab Emirates* |

+Communication services supports Microsoft Entra authentication for Communication services resources. You can find more details, about the managed identity support in the [Microsoft Entra documentation](/entra/identity/managed-identities-azure-resources/managed-identities-status).

+Bring your own Azure storage uses [Azure Managed Identities](/entra/identity/managed-identities-azure-resources/overview) to access user-owned resources securely. Azure Managed Identities provides an identity for the application to use when it needs to access Azure resources, eliminating the need for developers to manage credentials.

+In this example, we use the Microsoft Authentication Library (MSAL) to refresh the Microsoft Entra access token. Following the guide to [acquire a Microsoft Entra token to call an API](/entra/identity-platform/scenario-spa-acquire-token), we first try to obtain the token without the user's interaction. If that's not possible, we trigger one of the interactive flows.

+Option 1: Trigger the token acquisition flow with [`AuthenticationParameters.forceRefresh`](/entra/identity-platform/msal-js-pass-custom-state-authentication-request) set to `true`.

+More information about supported aggregation types and time series aggregations, see [Advanced features of Azure Metrics Explorer](../../azure-monitor/essentials/metrics-charts.md#aggregation).

+The `Email Service Delivery Status Updates` metric lets the email sender track SMTP and Enhanced SMTP status codes and get an idea of how many hard bounces they're encountering.

+| MessageStatus | Terminal state of the Delivered, Failed, Suppressed. Emails are suppressed when a user sends an email to an email address that is known not to exist. Sending emails to addresses that don't exist trigger a hard bounce. |

+| EnhancedSmtpStatusCode | The EnhancedSmtpStatusCode status code will be emitted if it's available. This status code provides other details not available with the SmtpStatusCode. |

+The following operations are available for the `Email Service API Requests` metric. These standard dimensions are supported: StatusCode, StatusCodeClass, StatusCodeReason, and Operation.

+- User interface of [Microsoft Entra ID](../troubleshooting-info.md?#getting-user-id) or with on-premises directory synchronization [Microsoft Entra Connect](/entra/identity/hybrid/connect/how-to-connect-sync-whatis)

+- Alice or her Microsoft Entra administrator needs to give the custom Teams application consent, prior to the first attempt to sign in. Learn more about [consent](/entra/identity-platform/application-consent-experience).

+- Alice or her Microsoft Entra administrator needs to give Contoso's Microsoft Entra application consent before the first attempt to sign in. Learn more about [consent](/entra/identity-platform/application-consent-experience).

+1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. Make sure you configure MSAL with a correct [authority](/entr).

+ - Authority: `https://login.microsoftonline.com/<tenant>/` or `https://login.microsoftonline.com/organizations/` (based on your [scenario](/entra/identity-platform/msal-client-application-configuration#authority)

+Find more details in [Microsoft Entra documentation](/entra/identity/role-based-access-control/permissions-reference).

+For more information about using Call Quality Dashboard (CQD) to view interop call logs, see [Use CQD to manage call and meeting quality in Microsoft Teams](/microsoftteams/quality-of-experience-review-guide).

+To enable calling through Call Automation APIs, a [Microsoft Teams Administrator](/entra/identity/role-based-access-control/permissions-reference#teams-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) must explicitly enable the Communication Services resource(s) access to their tenant to allow calling.

+1. Create a user-assigned managed identity resource according to [these instructions](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).

+- [Managed Identities](/entra/identity/managed-identities-azure-resources/overview)

+- [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities)

+To use Azure Communication Services support for Teams users, you need a Microsoft Entra instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. Also, note that [MSA accounts (personal Microsoft accounts)](/entra/external-id/microsoft-account) are not supported. This article describes the service plans requirements to use Azure Communication Services support for Teams users.

+For more information, see [Microsoft Entra Product names and service plan identifiers](/entra/identity/users/licensing-service-plan-reference).

+- An Entra application with access to the Azure Communication Services Resource. [Register an application with Microsoft Entra ID and create a service principal](/entra/identity-platform/howto-create-service-principal-portal#register-an-application-with-microsoft-entra-id-and-create-a-service-principal)

+- A client secret for the Entra application with access to the Azure Communication Service Resource. [Create a new client secret](/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret)

+For more detailed information, see [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app#register-an-application).

+For more information about setting up environments in public documentation, see [Microsoft Authentication Library overview](/entra/identity-platform/msal-overview).

+- Register a Client and Server (Web API) applications in Microsoft Entra ID as part of [On Behalf Of workflow](/entr)

+ 2. As part of the application setup, the service account is used to login into the solution once. With this permission the application can retrieve and store an access token on behalf of the service account that will own the meetings. Your application will need to store the tokens generated from the login and place them in a secure location such as a key vault. The application will need to store both the access token and the refresh token. Learn more about [auth tokens](/entra/identity-platform/access-tokens). and [refresh tokens](/entra/identity-platform/refresh-tokens).

+ 3. The application will require "on behalf of" permissions with the [offline scope](/entra/identity-platform/permissions-consent-overview#offline_access) to act on behalf of the service account for the purpose of creating meetings. Individual Microsoft Graph APIs require different scopes, learn more in the links detailed below as we introduce the required APIs.

+[Register your app under Microsoft Entra ID (using Android platform settings)](/entra/identity-platform/tutorial-v2-android).

+> OpenAI relies on Cosmos DB to dynamically scale their ChatGPT service ΓÇô one of the fastest-growing consumer apps ever ΓÇô enabling high reliability and low maintenance.ΓÇ¥ ΓÇô Satya Nadella, Microsoft chairman and chief executive officer

+A [vector database](../../vector-database.md) is a database designed to store and manage vector embeddings, which are mathematical representations of data in a high-dimensional space. In this space, each dimension corresponds to a feature of the data, and tens of thousands of dimensions might be used to represent sophisticated data. A vector's position in this space represents its characteristics. Words, phrases, or entire documents, and images, audio, and other types of data can all be vectorized. Vector search is used to query these embeddings.

+In 2023, a notable trend in software was the integration of AI enhancements, often achieved by incorporating specialized standalone vector databases into existing tech stacks. This article explains what vector databases are, as well as presents an alternative architecture that you might want to consider: using an integrated vector database in the NoSQL or relational database you already use, especially when working with multi-modal data. This approach not only allows you to reduce cost but also achieve greater data consistency, scale, and performance.

+> [!TIP]

+> Data consistency, scale, and performance guarantees are why OpenAI built its ChatGPT service on top of Azure Cosmos DB. You, too, can take advantage of its integrated vector database, as well as its single-digit millisecond response times, automatic and instant scalability, and guaranteed speed at any scale. Please consult the [implementation samples](#how-to-implement-integrated-vector-database-functionalities) section of this article and [try](#next-step) the lifetime free tier or one of the free trial options.

+Besides the typical vector database functionalities above, an integrated vector database in a highly performant NoSQL or relational database converts the existing raw data in your account into embeddings and stores them alongside your original data. This way, you can avoid the extra cost of replicating your data in a separate vector database. Moreover, this architecture keeps your vector embeddings and original data together, which better facilitates multi-modal data operations, and you can achieve greater data consistency, scale, and performance.

+> [!TIP]

+> Besides these typical use cases for vector databases, our integrated vector database is also an ideal solution for production-level LLM caching thanks to its low latency, high scalability, and high availability.

+## Vector database related concepts

+### Embeddings

+An embedding is a special format of data representation that machine learning models and algorithms can easily use. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating-point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar. A vector database extension that allows you to store your embeddings with your original data ensures data consistency, scale, and performance. [[Go back](#what-is-a-vector-database)]

+### Vector search

+Vector search is a method that helps you find similar items based on their data characteristics rather than by exact matches on a property field. This technique is useful in applications such as searching for similar text, finding related images, making recommendations, or even detecting anomalies. It works by taking the vector representations (lists of numbers) of your data that you created by using a machine learning model by using an embeddings API, such as [Azure OpenAI Embeddings](../ai-services/openai/how-to/embeddings.md) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure). It then measures the distance between the data vectors and your query vector. The data vectors that are closest to your query vector are the ones that are found to be most similar semantically. Using a native vector search feature offers an efficient way to store, index, and search high-dimensional vector data directly alongside other application data. This approach removes the necessity of migrating your data to costlier alternative vector databases and provides a seamless integration of your AI-driven applications. [[Go back](#what-is-a-vector-database)]

+### Prompts and prompt engineering

+A prompt refers to a specific text or information that can serve as an instruction to an LLM, or as contextual data that the LLM can build upon. A prompt can take various forms, such as a question, a statement, or even a code snippet. Prompts can serve as:

+- Instructions provide directives to the LLM

+- Primary content: gives information to the LLM for processing

+- Examples: help condition the model to a particular task or process

+- Cues: direct the LLM's output in the right direction

+- Supporting content: represents supplemental information the LLM can use to generate output

+The process of creating good prompts for a scenario is called prompt engineering. For more information about prompts and best practices for prompt engineering, see Azure OpenAI Service [prompt engineering techniques](../ai-services/openai/concepts/advanced-prompt-engineering.md). [[Go back](#what-are-some-vector-database-use-cases)]

+### Tokens

+Tokens are small chunks of text generated by splitting the input text into smaller segments. These segments can either be words or groups of characters, varying in length from a single character to an entire word. For instance, the word hamburger would be divided into tokens such as ham, bur, and ger while a short and common word like pear would be considered a single token. LLMs like ChatGPT, GPT-3.5, or GPT-4 break words into tokens for processing. [[Go back](#what-are-some-vector-database-use-cases)]

+### Retrieval-augmented generation

+Retrieval-augmentated generation (RAG) is an architecture that augments the capabilities of LLMs like ChatGPT, GPT-3.5, or GPT-4 by adding an information retrieval system like vector search that provides grounding data, such as those stored in a vector database. This approach allows your LLM to generate contextually relevant and accurate responses based on your custom data sourced from vectorized documents, images, audio, video, etc.

+A simple RAG pattern using Azure Cosmos DB for NoSQL could be:

+1. Insert data into an Azure Cosmos DB for NoSQL database and collection

+2. Create embeddings from a data property using Azure OpenAI Embeddings

+3. Link the Azure Cosmos DB for NoSQL to Azure Cognitive Search (for vector indexing/search)

+4. Create a vector index over the embeddings properties

+5. Create a function to perform vector similarity search based on a user prompt

+6. Perform question answering over the data using an Azure OpenAI Completions model

+The RAG pattern, with prompt engineering, serves the purpose of enhancing response quality by offering more contextual information to the model. RAG enables the model to apply a broader knowledge base by incorporating relevant external sources into the generation process, resulting in more comprehensive and informed responses. For more information on "grounding" LLMs, see [grounding LLMs](https://techcommunity.microsoft.com/t5/fasttrack-for-azure/grounding-llms/ba-p/3843857). [[Go back](#what-are-some-vector-database-use-cases)]

+Here are multiple ways to implement RAG on your data by using our integrated vector database functionalities:

+## How to implement integrated vector database functionalities

+You can implement integrated vector database functionalities for the following [Azure Cosmos DB APIs](choose-api.md):

+### API for MongoDB

+Use the natively [integrated vector database in Azure Cosmos DB for MongoDB vCore](mongodb/vcore/vector-search.md), which offers an efficient way to store, index, and search high-dimensional vector data directly alongside other application data. This approach removes the necessity of migrating your data to costlier alternative vector databases and provides a seamless integration of your AI-driven applications.

+#### Code samples

+### API for PostgreSQL

+#### Code samples

+### NoSQL API

+#### Code samples

+## More Vector Databases

+ Title: Alerts schema

+#customer intent: As a reader, I want to understand the different schemas used by Microsoft Defender for Cloud for security alerts so that I can effectively work with the alerts.

+# Alerts schemas

+Defender for Cloud provides alerts that help you identify, understand, and respond to security threats. Alerts are generated when Defender for Cloud detects suspicious activity or a security-related issue in your environment. You can view these alerts in the Defender for Cloud portal, or you can export them to external tools for further analysis and response.

+You can review security alerts from the [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md) page, [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md).

+The following external tools can be used to consume alerts from Defender for Cloud:

+If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, schemas should be utilized to properly parse the JSON objects.

+> Since the schema is different for each of these scenarios, ensure you select the relevant tab.

+## Related articles

+- [Log Analytics workspaces](../azure-monitor/logs/quick-create-workspace.md) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information

+## Next step

+> [!div class="nextstepaction"]

+> [Continuously export Defender for Cloud data](continuous-export.md)

+- Learn more about [Data Aware Security Posture](concept-data-security-posture.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [API Security with Defender for APIs](episode-thirty-two.md)

+**Episode description**: In this episode of Defender for Cloud in the Field, Security Researcher, Hagai Kestenberg joins Yuri Diogenes to talk about Defender for Cloud capabilities to counter identity-based supply chain attacks. Hagai explains the different types of supply chain attacks and focuses on the risks of identity-based supply chain attacks. Hagai makes recommendations to mitigate this type of attack and explain the new capability in Defender for Resource Manager that can be used to identify this type of attack. Hagai also demonstrates the new alert generated by Defender for Resource Manager when this type of attack is identified.

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+- Learn more about [Defender for APIs](defender-for-apis-introduction.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Agentless Container Posture Management in Defender for Cloud](episode-thirty-three.md)

+- [14:30](/shows/mdc-in-the-field/new-custom-recommendations#time=14m30s) - Filtering custom recommendations in the Defender for Cloud dashboard

+- Learn how to [create custom recommendations and security standards](create-custom-recommendations.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)

+- Follow us on social media:

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+> [Defender for Storage](episode-thirteen.md)

+# Zero Trust and Defender for Cloud | Defender for Cloud in the field

+- Learn more about [Zero Trust](https://www.microsoft.com/security/business/zero-trust)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Security Policy Enhancements in Defender for Cloud](episode-twenty-nine.md)

+- [Learn more](defender-for-containers-vulnerability-assessment-elastic.md) about AWS ECR Coverage in Defender for Containers.

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Governance capability improvements in Defender for Cloud](episode-twenty-six.md)

+- [Learn more](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-express-configuration-for-vulnerability-assessment-in/ba-p/3695390) about Defender for SQL Vulnerability Assessment (VA).

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [AWS ECR Coverage in Defender for Containers](episode-twenty-five.md)

+- Learn more about [managing security policies](tutorial-security-policy.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [New Custom Recommendations for AWS and GCP in Defender for Cloud](episode-thirty.md)

+- [Learn more](./regulatory-compliance-dashboard.md) about improving your regulatory compliance.

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Defender External Attack Surface Management (Defender EASM)](episode-twenty-two.md)

+- Learn more about [Defender for Servers](plan-defender-for-servers.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Zero Trust and Defender for Cloud](episode-twenty-eight.md)

+- Learn how to [drive your organization to remediate security recommendations with governance](governance-rules.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Demystifying Defender for Servers](episode-twenty-seven.md)

+- [Learn more](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) about Defender TI.

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Enhancements in Defender for SQL Vulnerability Assessment](episode-twenty-four.md)

+- [Learn more](concept-easm.md) about external attack surface management.

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Defender Threat Intelligence (Defender TI)](episode-twenty-three.md)

+- [Learn more](./concept-attack-path.md) about Attack path.

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+ - [LinkedIn](https://www.linkedin.com/showcase/microsoft-security/)

+ - [Twitter](https://twitter.com/msftsecurity)

+> [Latest updates in the regulatory compliance dashboard](episode-twenty-one.md)

+# Integrate Microsoft Purview with Microsoft Defender for Cloud

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)

+- Follow us on social media:

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+> [Watch Episode 3](episode-three.md)

+This single page, in Defender for Cloud's portal pages shows:

+- [Microsoft Defender for Cloud enabled on your subscription](connect-azure-subscription.md).

+- **To apply security recommendations**: you must be signed in with an account that has the relevant permissions (Resource Group Contributor, Resource Group Owner, Subscription Contributor, or Subscription Owner)

+- **To dismiss alerts**: you must be signed in with an account that has the relevant permissions (Security Admin, Subscription Contributor, or Subscription Owner)

+**To open the resource health page for a resource**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Microsoft Defender for Cloud**.

+1. Select **Inventory**.

+1. Select any resource.

+1. Review the left pane of the resource health page for an overview of the subscription, status, and monitoring information about the resource. You can also see whether enhanced security features are enabled for the resource:

+### Harden a resource

+To ensure your resource is hardened according to the policies applied to your subscriptions, fix the issues described in the recommendations:

+1. From the right pane, select a recommendation.

+1. Continue as instructed on screen.

+ > [!TIP]

+ > The instructions for fixing issues raised by security recommendations differ for each of Defender for Cloud's recommendations.

+ >

+ > To decide which recommendations to resolve first, look at the severity of each one and its [potential impact on your secure score](secure-score-security-controls.md).

+### Investigate a security alert

+1. From the right pane, select an alert.

+1. Follow the instructions in [Respond to security alerts](managing-and-responding-alerts.md#respond-to-a-security-alert).

+description: Learn how to customize information protection policies in Microsoft Defender for Cloud to secure your data effectively and meet compliance requirements.

+#customer intent: As a user, I want to learn how to customize information protection policies in Microsoft Defender for Cloud so that I can secure my data effectively.

+## Related articles

+- [Azure SQL Database Data Discovery and Classification](/azure/azure-sql/database/data-discovery-and-classification-overview)

+- [Microsoft Defender for Cloud data security](data-security.md)

+## Next step

+> [!div class="nextstepaction"]

+> [Setting security policies in Microsoft Defender for Cloud](tutorial-security-policy.md)

+We provide many useful queries to help you get started exploring security alerts.

+We provide many useful queries to help you get start exploring security recommendations.

+| 2019-03-22T10:21:06.060 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall was found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |

+| 2019-03-22T10:50:27.237 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall was found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |

+Before you start, you need:

+1. An email address to be used as the contact for your new Microsoft Tenant

+1. A Global Admin permissions (Entra ID role on the tenant)

+1. Credit card details for your new Azure subscription, although you aren't charged until you switch from the **Free Trial** to the **Pay-As-You-Go** plan

+| 24.1.2 |02/2024 | Major |01/2025 |

+| **OT networks** | **Version 24.1.2**:<br> - [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols)<br><br>**Cloud features**<br>- [New license renewal reminder in the Azure portal](#new-license-renewal-reminder-in-the-azure-portal) <br><br>- [New OT appliance hardware profile](#new-ot-appliance-hardware-profile) <br><br>- [New fields for SNMP MIB OIDs](#new-fields-for-snmp-mib-oids)|

+Event Grid has a client registry that stores information about the clients permitted to connect to it. Before a client can connect, there must be an entry for that client in the client registry. As a client connects to MQTT broker, it needs to authenticate with MQTT broker based on credentials stored in the identity registry. MQTT broker supports X.509 certificate authentication that is the industry authentication standard in IoT devices and [Microsoft Entra ID](mqtt-client-microsoft-entra-token-and-rbac.md) that is Azure's authentication standard for applications.[Learn more about MQTT client authentication.](mqtt-client-authentication.md)

+MQTT is a publish-subscribe messaging transport protocol that was designed for constrained environments. ItΓÇÖs efficient, scalable, and reliable, which made it the gold standard for communication in IoT scenarios. MQTT broker supports clients that publish and subscribe to messages over MQTT v3.1.1, MQTT v3.1.1 over WebSockets, MQTT v5, and MQTT v5 over WebSockets. MQTT broker also supports cross MQTT version (MQTT 3.1.1 and MQTT 5) communication.

+MQTT v5 introduced many improvements over MQTT v3.1.1 to deliver a more seamless, transparent, and efficient communication. It added:

+Learn more about [Client authentication.](mqtt-client-authentication.md)

+For more information, see [How to establish multiple sessions for a single client.](mqtt-establishing-multiple-sessions-per-client.md)

+- If a client tries to take over another client's active session by presenting its session name with a different authentication name, its connection request is rejected with an unauthorized error. For example, if Client B tries to connect to session 123 that is assigned at that time for client A, Client B's connection request is rejected. That being said, if the same client tries to reconnect with the same session names and the same authentication name, it's able to take over its existing session.

+MQTT v5 introduced the clean start and session expiry features as an improvement over MQTT v3.1.1 in handling session persistence. Clean Start is a feature that allows a client to start a new session with MQTT broker, discarding any previous session data. Session Expiry allows a client to inform MQTT broker when an inactive session is considered expired and automatically removed. In the CONNECT packet, a client can set Clean Start flag to true and/or short session expiry interval for security reasons or to avoid any potential data conflicts that might have occurred during the previous session. A client can also set a clean start to false and/or long session expiry interval to ensure the reliability and efficiency of persistent sessions.

+You can configure the maximum session expiry interval allowed for all your clients connecting to the Event Grid namespace. For MQTT v3.1.1 clients, the configured limit is applied as the default session expiry interval for all persistent sessions. For MQTT v5 clients, the configured limit is applied as the maximum value for the Session Expiry Interval property in the CONNECT packet; any value that exceeds the limit is adjusted. The default value for this namespace property is 1 hour and can be extended up to 8 hours. Use the following steps to configure the maximum session expiry interval in the Azure portal:

+### Last Will and Testament (LWT) messages (preview)

+Last Will and Testament (LWT) notifies your MQTT clients with the abrupt disconnections of other MQTT clients. You can use LWT to ensure predictable and reliable flow of communication among MQTT clients during unexpected disconnections, which is valuable for scenarios where real-time communication, system reliability, and coordinated actions are critical. Clients that collaborate to perform complex tasks can react to LWT messages from each other by adjusting their behavior, redistributing tasks, or taking over certain responsibilities to maintain the systemΓÇÖs performance and stability.

+To use LWT, a client can specify the will message, will topic, and the rest of the will properties in the CONNECT packet during connection. When the client disconnects abruptly, the MQTT broker publishes the will message to all the clients that subscribed to the will topic.

+In MQTT v5, message expiry interval allows messages to have a configurable lifespan. The message expiry interval is defined as the time interval between the time a message is published to MQTT broker and the time when the MQTT broker needs to discard the undelivered message. This feature is useful in scenarios where messages are only valid for a certain amount of time, such as time-sensitive commands, real-time data streaming, or security alerts. By setting a message expiry interval, MQTT broker can automatically remove outdated messages, ensuring that only relevant information is available to subscribers. If a message's expiry interval is set to zero, it means the message should never expire.

+For MQTT v5, MQTT broker is able to send negative acknowledgments (NACKs) and server-initiated disconnect packets that provide the client with more information about failures for message delivery or connection. These features help the client diagnose the reason behind a failure and take appropriate mitigating actions. MQTT broker uses the reason codes that are defined in the [MQTT v5 Specification.](https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html)

+- Will delay interval isn't supported yet.

+- User Properties on CONNECT, SUBSCRIBE, DISCONNECT, PUBACK, AUTH packets aren't used by the service so they're not supported. If any of these requests include user properties, the request fails.

+- Keep Alive Maximum is 1,160 seconds.

+- Keep Alive Maximum is 1,160 seconds.

+[This repository](https://github.com/Azure-Samples/MqttApplicationSamples) contains C#, C, and python code samples that show how to send telemetry, send commands, and broadcast alerts. The certificates created through the samples are fit for testing, but they aren't fit for production environments.

+description: Learn about Azure ExpressRoute FastPath to send network traffic by bypassing the gateway.

+FastPath is available on all ExpressRoute circuits. Limited general availability (GA) support for Private Endpoint/Private Link connectivity and Public preview support for virtual network peering and UDR connectivity over FastPath is only available for connections associated to ExpressRoute Direct circuits.

+FastPath still requires a virtual network gateway to be created to exchange routes between virtual network and on-premises network. For more information about virtual network gateways and ExpressRoute, including performance information, and gateway SKUs, see [ExpressRoute virtual network gateways](expressroute-about-virtual-network-gateways.md).

+* Private Link: FastPath Connectivity to a private endpoint or Private Link service over an ExpressRoute Direct circuit is supported for limited scenarios. For more information, see [enable FastPath and Private Link for 100-Gbps ExpressRoute Direct](expressroute-howto-linkvnet-arm.md#fastpath-virtual-network-peering-user-defined-routes-udrs-and-private-link-support-for-expressroute-direct-connections). FastPath connectivity to a Private endpoint/Private Link service isn't supported for ExpressRoute partner circuits.

+* DNS Private Resolver: Azure ExpressRoute FastPath doesn't support connectivity to [DNS Private Resolver](../dns/dns-private-resolver-overview.md).

+|--|--|--|

+| ExpressRoute Direct Port | 100 Gbps | 200,000 |

+| ExpressRoute Direct Port | 10 Gbps | 100,000 |

+| ExpressRoute provider circuit | 10 Gbps and lower | 25,000 |

+FastPath support for Virtual Network Peering, User Defined Routes (UDRs) and Private Endpoint/Private Link connectivity is available for limited scenarios for 100/10Gbps ExpressRoute Direct connections. Virtual Network Peering and UDR support are available globally across all Azure regions. Private Endpoint/ Private Link connectivity is available in the following Azure regions:

+For more information about supported scenarios and to enroll in the limited GA offering, complete this [Microsoft Form](https://aka.ms/FastPathLimitedGA).

+An Availability Zone in an Azure region is a combination of a fault domain and an update domain. To achieve the highest resiliency and availability, you should configure a zone-redundant ExpressRoute virtual network gateway. To learn more, see [About zone-redundant virtual network gateways in Azure Availability Zones][zone redundant vgw]. To configure a zone-redundant virtual network gateway, see [Create a zone-redundant virtual network gateway in Azure Availability Zones][conf zone redundant vgw].

+> [!NOTE]

+> Using **Classic Metrics** is not recommended.

+Once a metric is selected, the default aggregation is applied. Optionally, you can apply splitting, which shows the metric with different dimensions.

+Metrics explorer supports sum, maximum, minimum, average and count as [aggregation types](../azure-monitor/essentials/metrics-charts.md#aggregation). You should use the recommended Aggregation type when reviewing the insights for each ExpressRoute metric.

+| [ARP Availability](#arp) | Availability | Percent | Average | ARP Availability from MSEE towards all peers. | Peering Type, Peer | Yes |

+| [BGP Availability](#bgp) | Availability | Percent | Average | BGP Availability from MSEE towards all peers. | Peering Type, Peer | Yes |

+You can view the line protocol across each link of the ExpressRoute Direct port pair. The Line Protocol indicates if the physical link is up and running over ExpressRoute Direct. Monitor this dashboard and set alerts to know when the physical connection goes down.

+We highly recommended you set alerts for each of these metrics so that you're aware of when your gateway could be seeing performance issues.

+You can view the CPU utilization of each gateway instance. The CPU utilization might spike briefly during routine host maintenance but prolong high CPU utilization could indicate your gateway is reaching a performance bottleneck. Increasing the size of the ExpressRoute gateway might resolve this issue. Set an alert for how frequent the CPU utilization exceeds a certain threshold.

+This metric shows the number of routes the ExpressRoute gateway is advertising to the circuit. The address spaces might include virtual networks that are connected using virtual network peering and uses remote ExpressRoute gateway. You should expect the number of routes to remain consistent unless there are frequent changes to the virtual network address spaces. Set an alert for when the number of advertised routes drop below the threshold for the number of virtual network address spaces you're aware of.

+This metric shows the number of routes the ExpressRoute gateway is learning from peers connected to the ExpressRoute circuit. These routes can be either from another virtual network connected to the same circuit or learned from on-premises. Set an alert for when the number of learned routes drop below a certain threshold. This metric can indicate either the gateway is seeing a performance problem or remote peers are no longer advertising routes to the ExpressRoute circuit.

+This metric shows the frequency of routes being learned from or advertised to remote peers. You should first investigate your on-premises devices to understand why the network is changing so frequently. A high frequency in routes change could indicate a performance problem on the ExpressRoute gateway where scaling the gateway SKU up might resolve the problem. Set an alert for a frequency threshold to be aware of when your ExpressRoute gateway is seeing abnormal route changes.

+This metric shows the number of virtual machines that are using the ExpressRoute gateway. The number of virtual machines might include VMs from peered virtual networks that use the same ExpressRoute gateway. Set an alert for this metric if the number of VMs goes above a certain threshold that could affect the gateway performance.

+This metric displays the maximum number of flows created per second on the ExpressRoute Gateway. Through split at instance level and direction, you can see max flow creation rate per gateway instance and inbound/outbound direction respectively. For more information, see [understand network flow limits](../virtual-network/virtual-machine-network-throughput.md#network-flow-limits).

+You can view the CPU utilization of each ExpressRoute Traffic Collector instance. The CPU utilization might spike briefly during routine host maintenance, but prolonged high CPU utilization could indicate your ExpressRoute Traffic Collector is reaching a performance bottleneck.

+You can view the memory utilization of each ExpressRoute Traffic Collector instance. Memory utilization might spike briefly during routine host maintenance, but prolonged high memory utilization could indicate your Azure Traffic Collector is reaching a performance bottleneck.

+You can view the count of number of flow records processed by ExpressRoute Traffic Collector, aggregated across ExpressRoute Circuits. Customer can split the metrics across each ExpressRoute Traffic Collector instance or ExpressRoute circuit when multiple circuits are associated to the ExpressRoute Traffic Collector. Monitoring this metric helps you understand if you need to deploy more ExpressRoute Traffic Collector instances or migrate ExpressRoute circuit association from one ExpressRoute Traffic Collector deployment to another.

+**Guidance:** Splitting by circuits is recommended when multiple ExpressRoute circuits are associated with an ExpressRoute Traffic Collector deployment. This metric helps determine the flow count of each ExpressRoute circuit and ExpressRoute Traffic Collector utilization by each ExpressRoute circuit.

+1. On the *Select a signal* page, select a metric, resource health, or activity log that you want to be alerted. Depending on the signal you select, you might need to enter additional information such as a threshold value. You can also combine multiple signals into a single alert. Select **Next: Actions >** to define who and how they get notify.

+1. Select **+ Select action groups** to choose an existing action group you previously created or select **+ Create action group** to define a new one. In the action group, you determine how notifications get sent and who receives them.

+After you select a metric, certain metric allow you to set up dimensions based on peering or a specific peer (virtual networks).

+You can also view ExpressRoute metrics by going to your ExpressRoute circuit resource and selecting the *Logs* tab. For any metrics you query, the output contains the following columns.

+| Count | real | Usually is 2 (each MSEE pushes a single metric value every minute) |

+* [Link a virtual network to an ExpressRoute circuit](expressroute-howto-linkvnet-arm.md)

+Some services in Azure have a special focused prebuilt monitoring dashboard in the Azure portal that provides a starting point for monitoring your service. These special dashboards are called *insights*.

+Once a metric is selected, the default aggregation is applied. Optionally, you can apply splitting, which shows the metric with different dimensions.

+* To query for Border Gateway Protocol (BGP) route table learned over the last 12 hours.

+1. On the *Select a signal* page, select a metric, resource health, or activity log that you want to be alerted. Depending on the signal you select, you might need to enter additional information such as a threshold value. You can also combine multiple signals into a single alert. Select **Next: Actions >** to define who and how they get notify.

+1. Select **+ Select action groups** to choose an existing action group you previously created or select **+ Create action group** to define a new one. In the action group, you determine how notifications get sent and who receives them.

+Once you configured your circuit and Microsoft peering, you can easily view it using the **Overview** page in the Azure portal.

+Once you successfully created the Microsoft peering over your ExpressRoute circuit and associated a route filter with the circuit, you can verify the BGP routes received from Microsoft Enterprise Edge (MSEEs) on the PE devices that are peering with the MSEEs. The verification command varies, depending on the operating system of your PE devices.

+The following partial output shows that 68 prefixes were received from the neighbor \*.243.229.34 with the Autonomous System Number (ASN) 12076 (MSEE):

+In the examples, the VPN gateway and the IPsec tunnel terminations are configured using an Azure Resource Manager template. If you're new to using Resource Manager templates, or to understand the Resource Manager template basics, see [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). The template in this section creates a green field Azure environment (virtual network). However, if you have an existing virtual network, you can reference it in the template. If you aren't familiar with VPN gateway IPsec/IKE site-to-site configurations, see [Create a site-to-site connection](../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md).

+### <a name="vnet"></a>3.2 Create virtual network (virtual network)

+If you're associating an existing virtual network with the VPN tunnels, you can skip this step.

+The Azure VPN gateway is compatible with many VPN devices from different vendors. For configuration information and devices that are validated to work with VPN gateway, see [About VPN devices](../vpn-gateway/vpn-gateway-about-vpn-devices.md).

+Typically eBGP peers are directly connected (often over a WAN connection). However, when you're configuring eBGP over IPsec VPN tunnels via ExpressRoute Microsoft peering, there are multiple routing domains between the eBGP peers. Use the **ebgp-multihop** command to establish the eBGP neighbor relationship between the two not-directly connected peers. The integer that follows ebgp-multihop command specifies the time to live (TTL) value in the BGP packets. The command **maximum-paths eibgp 2** enables load balancing of traffic between the two BGP paths.

+The line protocol on the Virtual Tunnel Interface (VTI) doesn't change to "up" until IKE phase 2 completes. The following command verifies the security association:

+### <a name="verifye2e"></a>Verify end-to-end connectivity between the inside network on-premises and the Azure virtual network

+* [Add a site-to-site connection to a virtual network with an existing VPN gateway connection](../vpn-gateway/add-remove-site-to-site-connections.md)

+Apex domains, also called *root domains*, or *naked domains*, are at the root of a Domain Name System (DNS) zone and don't contain subdomains. For example, `contoso.com` is an apex domain.

+However, this problem can be resolved by using alias records in Azure DNS. Unlike CNAME records, alias records are created at the zone apex. You can point a zone apex record to an Azure Front Door profile that has public endpoints. Multiple application owners can point to the same Azure Front Door endpoint used for any other domain within their DNS zone. For example, `contoso.com` and `www.contoso.com` can point to the same Azure Front Door endpoint.

+Mapping your apex or root domain to your Azure Front Door profile uses *CNAME flattening*, sometimes called *DNS chasing*. CNAME flattening is where a DNS provider recursively resolves CNAME entries until it resolves an IP address. Azure DNS supports this functionality for Azure Front Door endpoints.

+|--|--|

+When you use an Azure Front Door-managed certificate, Azure Front Door attempts to automatically rotate (renew) the certificate. Before it does so, Azure Front Door checks whether the DNS CNAME record is still pointed to the Azure Front Door endpoint. Apex domains don't have a CNAME record pointing to an Azure Front Door endpoint, so the autorotation for managed certificate fails until the domain ownership is revalidated.

+description: Learn how to onboard a root or apex domain to an existing Azure Front Door using the Azure portal.

+The Domain Name System (DNS) protocol prevents the assignment of CNAME records at the zone apex. For example, if your domain is `contoso.com`; you can create CNAME records for `somelabel.contoso.com`; but you can't create CNAME for `contoso.com` itself. This restriction presents a problem for application owners who load balances applications behind Azure Front Door. Since using an Azure Front Door profile requires creation of a CNAME record, it isn't possible to point at the Azure Front Door profile from the zone apex.

+This problem can be resolved by using alias records in Azure DNS. Unlike CNAME records, alias records are created at the zone apex. Application owners can use it to point their zone apex record to an Azure Front Door profile that has public endpoints. Application owners can point to the same Azure Front Door profile used for any other domain within their DNS zone. For example, `contoso.com` and `www.contoso.com` can point to the same Azure Front Door profile.

+Mapping your apex or root domain to your Azure Front Door profile requires *CNAME flattening* or *DNS chasing*, which is when the DNS provider recursively resolves CNAME entries until it resolves an IP address. Azure DNS supports this functionality for Azure Front Door endpoints.

+You can use the Azure portal to onboard an apex domain on your Azure Front Door and enable HTTPS on it by associating it with a Transport Layer Security (TLS) certificate. Apex domains are also referred as *root* or *naked* domains.

+ :::image type="content" source="./media/front-door-apex-domain/add-domain.png" alt-text="Screenshot of adding a new domain to an Azure Front Door profile.":::

+1. On **Add a domain** page, you enter information about the custom domain. You can choose Azure-managed DNS (recommended) or you can choose to use your DNS provider.

+ :::image type="content" source="./media/front-door-apex-domain/add-custom-domain.png" alt-text="Screenshot of adding a new custom domain to an Azure Front Door profile.":::

+1. Select the **Pending** validation state. A new page appears with DNS TXT record information needed to validate the custom domain. The TXT record is in the form of `_dnsauth.<your_subdomain>`.

+ - **Azure DNS-based zone** - select the **Add** button to create a new TXT record with the displayed value in the Azure DNS zone.

+1. Close the *Validate the custom domain* page and return to the *Domains* page for the Azure Front Door profile. You should see the *Validation state* change from **Pending** to **Approved**. If not, wait up to 10 minutes for changes to reflect. If your validation doesn't get approved, make sure your TXT record is correct and name servers are configured correctly if you're using Azure DNS.

+1. Once the alias record gets created and the custom domain is associated to the Azure Front Door endpoint, traffic starts flowing.

+> * When placing service like an Azure Web App behind Azure Front Door, you need to configure with the web app with the same domain name as the root domain in Azure Front Door. You also need to configure the backend host header with that domain name to prevent a redirect loop.

+1. Select the Azure subscription that contains your Azure Front Door profile. Then select the Azure Front Door resource from the **Azure resource** dropdown.

+1. The above step creates a zone apex record pointing to your Azure Front Door resource and also a CNAME record mapping *afdverify* (example - `afdverify.contosonews.com`) that is used for onboarding the domain on your Azure Front Door profile.

+## Onboard the custom domain on your Azure Front Door

+1. On the Azure Front Door designer tab, select on '+' icon on the Frontend hosts section to add a new custom domain.

+1. Once the CNAME mapping from the domain to your Azure Front Door is validated, select on **Add** to add the custom domain.

+ > Azure Front Door managed certificate management type is not currently supported for apex or root domains. The only option available for enabling HTTPS on an apex or root domain for Azure Front Door is using your own custom TLS/SSL certificate hosted on Azure Key Vault.

+1. Ensure that you have setup the right permissions for Azure Front Door to access your key Vault as noted in the UI, before proceeding to the next step.

+- Learn how to [create an Azure Front Door profile](quickstart-create-front-door.md).

+- Learn [how Azure Front Door works](front-door-routing-architecture.md).

+This article outlines the protocol that Front Door supports with parts of the call path (see image). In the following sections, you find information about HTTP headers supported by Front Door.

+> Azure Front Door doesn't certify any HTTP headers that aren't documented here.

+## From client to Azure Front Door

+Azure Front Door accepts most headers for the incoming request without modifying them. Some reserved headers are removed from the incoming request if sent, including headers with the `X-FD-*` prefix.

+The debug request header, `X-Azure-DebugInfo`, provides extra debugging information about the Front Door. You need to send `X-Azure-DebugInfo: 1` request header from the client to the Azure Front Door to receive [optional response headers](#optional-debug-response-headers) when Azure Front Door response to the client.

+Azure Front Door includes headers for an incoming request unless they're removed because of restrictions. Azure Front Door also appends the following headers:

+| Via | `Via: 1.1 Azure` </br> Front Door adds the client's HTTP version followed by *Azure* as the value for the Via header. This header indicates the client's HTTP version and that Front Door was an intermediate recipient for the request between the client and the backend. |

+| X-Azure-ClientIP | `X-Azure-ClientIP: 127.0.0.1` </br> Represents the client IP address associated with the request being processed. For example, a request coming from a proxy might add the X-Forwarded-For header to indicate the IP address of the original caller. |

+| X-Azure-SocketIP | `X-Azure-SocketIP: 127.0.0.1` </br> Represents the socket IP address associated with the TCP connection that the current request originated from. A request's client IP address might not be equal to its socket IP address because the client IP can be arbitrarily overwritten by a user.|

+| X-Azure-Ref | `X-Azure-Ref: 0zxV+XAAAAABKMMOjBv2NT4TY6SQVjC0zV1NURURHRTA2MTkANDM3YzgyY2QtMzYwYS00YTU0LTk0YzMtNWZmNzA3NjQ3Nzgz` </br> A unique reference string that identifies a request served by Azure Front Door. This string is used to search access logs and critical for troubleshooting.|

+| X-Azure-RequestChain | `X-Azure-RequestChain: hops=1` </br> A header that Front Door uses to detect request loops, and users shouldn't take a dependency on it. |

+| X-Azure-FDID | `X-Azure-FDID: 55ce4ed1-4b06-4bf1-b40e-4638452104da` <br/> A reference string that identifies the request came from a specific Front Door resource. The value can be seen in the Azure portal or retrieved using the management API. You can use this header in combination with IP ACLs to lock down your endpoint to only accept requests from a specific Front Door resource. See the FAQ for [more detail](front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-) |

+| X-Forwarded-For | `X-Forwarded-For: 127.0.0.1` </br> The X-Forwarded-For (XFF) HTTP header field often identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. If there's an existing XFF header, then Front Door appends the client socket IP to it or adds the XFF header with the client socket IP. |

+| X-Forwarded-Host | `X-Forwarded-Host: contoso.azurefd.net` </br> The X-Forwarded-Host HTTP header field is a common method used to identify the original host requested by the client in the Host HTTP request header. This is because the host name from Azure Front Door might differ for the backend server handling the request. Any previous value is overridden by Azure Front Door. |

+| X-Forwarded-Proto | `X-Forwarded-Proto: http` </br> The `X-Forwarded-Proto` HTTP header field is often used to identify the originating protocol of an HTTP request. Front Door based on configuration might communicate with the backend by using HTTPS. This is true even if the request to the reverse proxy is HTTP. Any previous value will be overridden by Front Door. |

+| X-FD-HealthProbe | `X-FD-HealthProbe` HTTP header field is used to identify the health probe from Front Door. If this header is set to 1, the request is from the health probe. It can be used to restrict access from Front Door with a particular value for the `X-Forwarded-Host` header field. |

+| X-Azure-Ref | `X-Azure-Ref: 0zxV+XAAAAABKMMOjBv2NT4TY6SQVjC0zV1NURURHRTA2MTkANDM3YzgyY2QtMzYwYS00YTU0LTk0YzMtNWZmNzA3NjQ3Nzgz` </br> This is a unique reference string that identifies a request served by Front Door, which is critical for troubleshooting as it's used to search access logs.|

+| X-Cache | `X-Cache:` This header describes the caching status of the request. For more information, see [Caching with Azure Front Door](front-door-caching.md#response-headers). |

+You need to send `X-Azure-DebugInfo: 1` request header to enable the following optional response headers.

+| X-Azure-OriginStatusCode | `X-Azure-OriginStatusCode: 503` </br> This header contains the HTTP status code returned by the backend. Using this header you can identify the HTTP status code returned by the application running in your backend without going through backend logs. This status code might be different from the HTTP status code in the response sent to the client by Front Door. This header allows you to determine if the backend is misbehaving or if the issue is with the Front Door service. |

+| X-Azure-InternalError | This header contains the error code that Azure Front Door comes across when processing the request. This error indicates the issue is internal to the Azure Front Door service/infrastructure. Report issue to support. |

+| X-Azure-ExternalError | `X-Azure-ExternalError: 0x830c1011, The certificate authority is unfamiliar` </br> This header shows the error code that Front Door servers come across while establishing connectivity to the backend server to process a request. This header helps identify issues in the connection between Front Door and the backend application. This header includes a detailed error message to help you identify connectivity issues to your backend (for example, DNS resolution, invalid cert, and so on.). |

+- You don't need to onboard each subdomain in your Azure Front Door profile. For example, suppose you create new subdomains every customer, and route all customers' requests to a single origin group. Whenever you add a new customer, Azure Front Door understands how to route traffic to your origin group even though the subdomain isn't explicitly configured.

+- You don't need to generate a new Transport Layer Security (TLS) certificate, or manage any subdomain-specific HTTPS settings, to bind a certificate for each subdomain.

+You can add a wildcard domain following steps similar for subdomains. For more information about adding a subdomain to Azure Front Door, see [Configure a custom domain on Azure Front Door using the Azure portal](standard-premium/how-to-add-custom-domain.md).

+You can add a wildcard domain under the section for front-end hosts or domains. Similar to subdomains, Azure Front Door (classic) validates that there's CNAME record mapping for your wildcard domain. This Domain Name System (DNS) mapping can be a direct CNAME record mapping like `*.contoso.com` mapped to `endpoint.azurefd.net`. Or you can use afdverify temporary mapping. For example, `afdverify.contoso.com` mapped to `afdverify.endpoint.azurefd.net` validates the CNAME record map for the wildcard.

+WAF policies can be attached to wildcard domains, similar to other domains. A different WAF policy can be applied to a subdomain of a wildcard domain. Subdomains automatically inherit the WAF policy from the wildcard domain if there's no explicit WAF policy associated to the subdomain. However, if the subdomain is added to a different profile from the wildcard domain profile, the subdomain can't inherit the WAF policy associated with the wildcard domain.

+Caching can significantly decrease latency and reduce the load on origin servers. However, not all types of traffic can benefit from caching. Static assets such as images, CSS, and JavaScript files are ideal for caching. While dynamic assets, such as authenticated API endpoints, shouldn't be cached to prevent the leakage of personal information. We recommend having separate routes for static and dynamic assets, with caching disabled for the latter.

+* Learn more about [policy settings](../web-application-firewall/afds/waf-front-door-policy-settings.md) for Web Application Firewall (WAF) with Azure Front Door.

+ | Target sub resource | The type of subresource for the resource selected previously that your private endpoint can access. You can select *web* or *web_secondary*. |

+Once the origin is added and the private endpoint connection is approved, you can test your private link connection to your storage static website.

+File compression is an effective method to improve file transfer speed and increase page-load performance. The server compresses the file to reduce its size before sending it. File compression can reduce bandwidth costs and provide a better experience for your users.

+> [!NOTE]

+* During custom, create - Enable caching and compression when you're adding a route.

+ :::image type="content" source="../media/how-to-compression/front-door-compression-endpoint-manager-1.png" alt-text="Screenshot of the Azure Front Door manager landing page." lightbox="../media/how-to-compression/front-door-compression-endpoint-manager-1-expanded.png":::

+ :::image type="content" source="../media/how-to-compression/front-door-compression-endpoint-manager-2.png" alt-text="Screenshot of Azure Front Door Manager showing the 'Enable compression' radio button.":::

+1. Select **Update**.

+* Disable compression in Azure Front Door manager route.

+### Disable compression in Azure Front Door manager

+This article guides you through how to configure Azure Front Door Premium tier to connect to your storage account origin privately using the Azure Private Link service.

+In this section, you map the Private Link service to a private endpoint created in Azure Front Door's private network.

+1. The following table has information of what values to select in the respective fields while enabling private link with Azure Front Door. Select or enter the following settings to configure the storage blob you want Azure Front Door Premium to connect with privately.

+ | Target sub resource | The type of subresource for the resource selected previously that your private endpoint can access. You can select *blob* or *web*. |

+1. Once approved, it should look like the following screenshot. It takes a few minutes for the connection to fully establish. You can now access your storage account from Azure Front Door Premium.

+ Title: Configure Azure Front Door logs

+Access logs, health probe logs, and Web Application Firewall (WAF) logs aren't enabled by default. In this article, you learn how to enable diagnostic logs for your Azure Front Door profile.

+1. Search for **Azure Front Door** and then select the relevant Azure Front Door profile.

+1. Within the profile, navigate to **Monitoring**, select **Diagnostic Setting** and then choose **Add diagnostic setting**.

+1. Select theΓÇ»**log** options for **FrontDoorAccessLog**, **FrontDoorHealthProbeLog**, and **FrontDoorWebApplicationFirewallLog**.

+1. Select theΓÇ»**Destination details**. The destination options are:

+ > Microsoft recommends using Log Analytics for real-time monitoring and analysis of Azure Front Door performance.

+1. Select **Save** to begin logging.

+1. Select your Azure Front Door profile.

+Azure Front Door is integrated with Azure Monitor. You can use metrics in real time to measure traffic to your application, and to track, troubleshoot, and debug issues.

+You can also configure alerts for each metric such as a threshold for 4XXErrorRate or 5XXErrorRate. When the error rate exceeds the threshold, it triggers an alert as configured. For more information, see [Create, view, and manage metric alerts using Azure Monitor](../../azure-monitor/alerts/alerts-metric.md).

+Alert is charged based on Azure Monitor. For more information about alerts, see [Azure Monitor alerts](../../azure-monitor/alerts/alerts-overview.md).

+ * If you delete an endpoint or a custom domain in one profile and then recreate the same endpoint or domain in another profile, the report counts the new endpoint as a different endpoint.

+ * If you delete a custom domain and bind it to a different endpoint, the behavior depends on how you view the report. If you view the report by custom domains, then they're treated as one custom domain. If you view the report by endpoint, they're treated as separate items.

+In this report, you can view:

+* Requests with status code (3XX, 4XX, and 5XX) of each domain

+* A grid of the top countries or regions with corresponding data transferred out from Azure Front Door to clients, the percentage of data transferred out, the number of requests, the percentage of requests by the country or region, cache hit ratio, 4XX response code counts, and 5XX response code counts.

+* Hits: client requests that get served directly from Azure Front Door edge PoPs. Refers to those requests whose values for CacheStatus in the raw access logs are *HIT*, *PARTIAL_HIT*, or *REMOTE_HIT*.

+* Miss: client requests that get served by Azure Front Door edge POPs fetching contents from origin. Refers to those requests whose values for the field CacheStatus in the raw access raw logs are *MISS*.

+* Requests that contain matching Rules Set, which is set to disable the cache.

+* Requests that get blocked by the Azure Front Door WAF.

+The **top URL report** allow you to view the amount of traffic incurred through a particular endpoint or custom domain. You see data for the most requested 50 assets during any period in the past 90 days.

+Popular URLs are displayed with the following values:

+User can sort URLs by request count, request count percentage, data transferred, and data transferred percentage. The system aggregates all metrics by hour, and they might vary based on the selected time frame.

+The **top referrer** report shows you the top 50 referrers to a particular Azure Front Door endpoint or custom domain. You can view data for any period in the past 90 days. A referrer indicates the URL from which a request was generated. Referrer might come from a search engine or other websites. If a user types a URL (for example, `https://contoso.com/https://docsupdatetracker.net/index.html`) directly into the address bar of a browser, the referrer for the requested is *Empty*.

+You can sort by request count, request %, data transferred and data transferred %. The system aggregates all metrics by hour, and they might vary based on the selected time frame.

+| Overview metrics - Blocked Requests | The percentage of requests that gets blocked by WAF rules among all the requests that matched WAF rules. |

+ Title: 'Quickstart: Run first Azure Resource Graph query in portal'

+description: In this quickstart, you run your first Azure Resource Graph Explorer query using Azure portal.

+# Quickstart: Run your first Resource Graph query using Azure Resource Graph Explorer

+The power of Azure Resource Graph is available directly in the Azure portal through Azure Resource Graph Explorer. Resource Graph Explorer allows you to query information about the Azure Resource Manager resource types and properties. Resource Graph Explorer also provides an interface for working with multiple queries, evaluating the results, and even converting the results of some queries into a chart that can be pinned to an Azure dashboard.

+If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+Run your first query from the Azure portal using Azure Resource Graph Explorer.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for _resource graph_ and select **Resource Graph Explorer**.

+ :::image type="content" source="./media/first-query-portal/search-resource-graph.png" alt-text="Screenshot of the Azure portal to search for resource graph.":::

+1. In the **Query 1** portion of the window, copy and paste the following query. Then select **Run query**.

+ ```kusto

+ resources

+ | project name, type

+ | limit 5

+ ```

+ :::image type="content" source="./media/first-query-portal/run-query.png" alt-text="Screenshot of Azure Resource Graph Explorer that highlights run query, results, and messages.":::

+ This query example doesn't provide a sort modifier like `order by`. If you run this query multiple times, it's likely to yield a different set of resources per request.

+1. Review the query response in the **Results** tab and select the **Messages** tab to see details about the query, including the count of results and duration of the query. Errors, if any, are displayed in **Messages**.

+1. Update the query to `order by` the **name** property. Then, select **Run query**

+ ```kusto

+ resources

+ | project name, type

+ | limit 5

+ | order by name asc

+ ```

+ Like the first query, running this query multiple times is likely to yield a different set of resources per request. The order of the query commands is important. In this example, the `order by` comes after the `limit`. This command order first limits the query results and then orders them.

+1. Update the query to `order by` the **name** property and then `limit` to the top five results. Then, select **Run query**.

+ ```kusto

+ resources

+ | project name, type

+ | order by name asc

+ | limit 5

+ ```

+ When the final query is run several times, and with no changes in your environment, the results are consistent and ordered by the **name** property, but still limited to the top five results.

+The schema browser is located in the left pane of Resource Graph Explorer. This list of resources shows all the _resource types_ of Azure resources supported by Azure Resource Graph and that exist in your tenant. Select a resource type or property to show child properties that can be used to create a Resource Graph query.

+Select a table name from the schema browser and it gets added to the query. When you select a resource type it gets added to the query, like `where type =="<resource type>"`. If you select a property it gets added to the next line in the query, like `where <propertyName> == "INSERT_VALUE_HERE"`. You can use the schema browser to find properties that you can use in queries. Be sure to replace `INSERT_VALUE_HERE` with your own value, and adjust the query with conditions, operators, and functions.

+This example shows a query that was built from the schema browser by selecting the table `authorizationresources` with resource type `microsoft.authorization/roledefinitions` and the property `roleName`.

+```kusto

+authorizationresources

+| where type == "microsoft.authorization/roledefinitions"

+| where properties['roleName'] == "INSERT_VALUE_HERE"

+```

+To download comma-separated values (CSV) results from the Azure portal, browse to the Azure Resource Graph Explorer and run a query. On the toolbar, select **Download as CSV** as shown in the following screenshot:

+When you use the **Download as CSV** export functionality of Azure Resource Graph Explorer, the result set is limited to 55,000 records. This limitation is a platform limit that can't be overridden by filing an Azure support ticket.

+After running the previous query, if you select the **Charts** tab, you get a message that "the result set isn't compatible with a pie chart visualization." Queries that list results can't be made into a chart, but queries that provide counts of resources can.

+ resources

+ | where type == "microsoft.compute/virtualmachines"

+1. Select the **Charts** tab. Change the type from _Select chart type..._ to either _Bar chart_ or _Donut chart_.

+ :::image type="content" source="./media/first-query-portal/query-chart.png" alt-text="Screenshot of Azure Resource Graph Explorer with charts drop-down menu highlighted.":::

+## Pin the query visualization to a dashboard

+When you have results from a query that can be visualized, that data visualization can be pinned to your Azure portal dashboard. After running the previous query, follow these steps:

+1. Select **Save** and provide the name _VM by OS type_. Then select **Save** at the bottom of the right pane.

+1. Select **Run query** to rerun the query you saved.

+1. From **Pin to Dashboard** select the existing dashboard where you want the chart to appear.

+The query is now available on your dashboard with the title **VM by OS type**. If the query wasn't saved before it was pinned, the name is _Query 1_ instead.

+The query and resulting data visualization run and update each time the dashboard loads, providing real time and dynamic insights to your Azure environment directly in your workflow.

+Queries that result in a list can also be pinned to the dashboard. The feature isn't limited to data visualizations of queries.

+For more information about working with dashboards, see [Create a dashboard in the Azure portal](../../azure-portal/azure-portal-dashboards.md).

+If you want to remove the sample Resource Graph dashboards from your Azure portal environment, do the following steps:

+1. Select **Dashboard** from the _hamburger menu_ (three horizontal lines) on the top, left side of any portal page.

+1. On your dashboard, find the **VM by OS type** chart and select the ellipsis (`...`) to display the menu.

+1. Select **Remove from dashboard** select **Save** to confirm.

+In this quickstart, you used Azure Resource Graph Explorer to run your first query and looked at dashboard examples powered by Resource Graph. To learn more about the Resource Graph language, continue to the query language details page.

+> [Understanding the Azure Resource Graph query language](./concepts/query-language.md)

+Here's the output of the **SELECT** statement:

+Here's the output when you run this query in the console window:

+* **GET\_JSON_OBJECT()** returns the string representation of an array. To convert this array to a Hive array, you've to use regular expressions to replace the square brackets "[" and "]", and then you also have to call split to get the array.

+* [Use Apache Hive and HiveQL with Apache Hadoop in HDInsight to analyze a sample Apache `log4j` file](./hdinsight-use-hive.md)

+ * Enable a firewall rule and port forwarding for port 8883 to enable incoming connections to Azure IoT Operations broker.

+## Deploy Azure IoT Operations Preview

+In this section, you use the [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command to configure your cluster so that it can communicate securely with your Azure IoT Operations components and key vault, then deploy Azure IoT Operations.

+1. Create a key vault. Replace the placeholder parameters with your own information.

+ | Placeholder | Value |

+ | -- | -- |

+ | **RESOURCE_GROUP** | The name of your resource group that contains the connected cluster. |

+ | **KEYVAULT_NAME** | A name for a new key vault. |

+ ```azurecli

+ az keyvault create --enable-rbac-authorization false --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>"

+ ```

+ >[!TIP]

+ > You can use an existing key vault for your secrets, but verify that the **Permission model** is set to **Vault access policy**. You can check this setting in the Azure portal in the **Access configuration** section of an existing key vault. Or use the [az keyvault show](/cli/azure/keyvault#az-keyvault-show) command to check that `enableRbacAuthorization` is false.

+1. Run the following CLI command on your development machine or in your codespace terminal. Replace the placeholder parameters with your own information.

+ | Placeholder | Value |

+ | -- | -- |

+ | **CLUSTER_NAME** | The name of your connected cluster. |

+ | **RESOURCE_GROUP** | The name of your resource group that contains the connected cluster. |

+ | **KEYVAULT_NAME** | The name of your key vault. |

+ ```azurecli

+ az iot ops init --simulate-plc --cluster <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --kv-id $(az keyvault show --name <KEYVAULT_NAME> -o tsv --query id)

+ ```

+ If you get an error that says *Your device is required to be managed to access your resource*, run `az login` again and make sure that you sign in interactively with a browser.

+ >If you've run `az iot ops init` before, it automatically created an app registration in Microsoft Entra ID for you. You can reuse that registration rather than creating a new one each time. To use an existing app registration, add the optional parameter `--sp-app-id <APPLICATION_CLIENT_ID>`.

+ > [!IMPORTANT]

+ > Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.

+ ```azurecli

+ az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true

+ ```

+1. In the [Azure portal](https://portal.azure.com), navigate to the resource group that contains your cluster.

+- Start from the [Configure cluster and deploy Azure IoT Operations](../get-started/quickstart-deploy.md#deploy-azure-iot-operations-preview) and complete all the further steps.

+description: Learn how to deploy pipeline component as batch endpoint to trigger the pipeline using REST endpoint.

+Pipeline component deployment as batch endpoint is the feature that allows you to achieve the goals for the previously listed scenarios. This is the equivalent feature with published pipeline/pipeline endpoint in SDK v1.

+It's also possible to deploy your pipeline job as a batch endpoint. In this case, Azure Machine Learning can accept that job as the input to your batch endpoint and create the pipeline component automatically for you. For more information, see [Deploy existing pipeline jobs to batch endpoints](how-to-use-batch-pipeline-from-job.md).

+The current set of components have many limitations on their use:

+| `task_type` | Specifies whether the model is for classification, regression, or forecasting. | String, `classification`, `regression`, or `forecasting` |

+| `feature_metadata`| Specifies additional information the dashboard might need depending on task type. For forecasting, this includes specifying which column is the `datetime` column and which column is the `time_series_id` column. For vision, this might include mean pixel value or location data of an image.| Optional list of strings¹ |

+| `use_model_dependency`| Specifies if the model requires a separate docker container to be served in due to conflicting dependencies with the RAI dashboard. For forecasting, this must be enabled. Typically for other scenarios this isn't enabled. | Boolean |

+¹ The lists should be supplied as a single JSON-encoded string for `categorical_column_names`, `classes`, `feature_metadata` inputs.

+ Title: "Tutorial 7: Develop a feature set using Domain Specific Language (preview)"

+description: This is part 7 of the managed feature store tutorial series.

+#Customer intent: As a professional data scientist, I want to know how to build and deploy a model with Azure Machine Learning by using Python in a Jupyter Notebook.

+# Tutorial 7: Develop a feature set using Domain Specific Language (preview)

+An Azure Machine Learning managed feature store lets you discover, create, and operationalize features. Features serve as the connective tissue in the machine learning lifecycle, starting from the prototyping phase, where you experiment with various features. That lifecycle continues to the operationalization phase, where you deploy your models, and proceeds to the inference steps that look up feature data. For more information about feature stores, visit [feature store concepts](./concept-what-is-managed-feature-store.md).

+This tutorial describes how to develop a feature set using Domain Specific Language. The Domain Specific Language (DSL) for the managed feature store provides a simple and user-friendly way to define the most commonly used feature aggregations. With the feature store SDK, users can perform the most commonly used aggregations with a DSL *expression*. Aggregations that use the DSL *expression* ensure consistent results, compared with user-defined functions (UDFs). Additionally, those aggregations avoid the overhead of writing UDFs.

+This Tutorial shows how to

+> [!div class="checklist"]

+> * Create a new, minimal feature store workspace

+> * Locally develop and test a feature, through use of Domain Specific Language (DSL)

+> * Develop a feature set through use of User Defined Functions (UDFs) that perform the same transformations as a feature set created with DSL

+> * Compare the results of the feature sets created with DSL, and feature sets created with UDFs

+> * Register a feature store entity with the feature store

+> * Register the feature set created using DSL with the feature store

+> * Generate sample training data using the created features

+## Prerequisites

+> [!NOTE]

+> This tutorial uses an Azure Machine Learning notebook with **Serverless Spark Compute**.

+Before you proceed with this tutorial, make sure that you cover these prerequisites:

+1. An Azure Machine Learning workspace. If you don't have one, visit [Quickstart: Create workspace resources](./quickstart-create-resources.md?view-azureml-api-2) to learn how to create one.

+1. To perform the steps in this tutorial, your user account needs either the **Owner** or **Contributor** role to the resource group where the feature store will be created.

+## Set up

+ This tutorial relies on the Python feature store core SDK (`azureml-featurestore`). This SDK is used for create, read, update, and delete (CRUD) operations, on feature stores, feature sets, and feature store entities.

+ You don't need to explicitly install these resources for this tutorial, because in the set-up instructions shown here, the `conda.yml` file covers them.

+ To prepare the notebook environment for development:

+ 1. Clone the [examples repository - (azureml-examples)](https://github.com/azure/azureml-examples) to your local machine with this command:

+ `git clone --depth 1 https://github.com/Azure/azureml-examples`

+ You can also download a zip file from the [examples repository (azureml-examples)](https://github.com/azure/azureml-examples). At this page, first select the `code` dropdown, and then select `Download ZIP`. Then, unzip the contents into a folder on your local machine.

+ 1. Upload the feature store samples directory to project workspace

+ 1. Open Azure Machine Learning studio UI of your Azure Machine Learning workspace

+ 1. Select **Notebooks** in left navigation panel

+ 1. Select your user name in the directory listing

+ 1. Select the ellipses (**...**), and then select **Upload folder**

+ 1. Select the feature store samples folder from the cloned directory path: `azureml-examples/sdk/python/featurestore-sample`

+ 1. Run the tutorial

+ * Option 1: Create a new notebook, and execute the instructions in this document, step by step

+ * Option 2: Open existing notebook `featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb`. You can keep this document open, and refer to it for more explanation and documentation links

+ 1. To configure the notebook environment, you must upload the `conda.yml` file

+ 1. Select **Notebooks** on the left navigation panel, and then select the **Files** tab

+ 1. Navigate to the `env` directory (select **Users** > *your_user_name* > **featurestore_sample** > **project** > **env**), and then select the `conda.yml` file

+ 1. Select **Download**

+ 1. Select **Serverless Spark Compute** in the top navigation **Compute** dropdown. This operation might take one to two minutes. Wait for the status bar in the top to display the **Configure session** link

+ 1. Select **Configure session** in the top status bar

+ 1. Select **Settings**

+ 1. Select **Apache Spark version** as `Spark version 3.3`

+ 1. Optionally, increase the **Session timeout** (idle time) if you want to avoid frequent restarts of the serverless Spark session

+ 1. Under **Configuration settings**, define *Property* `spark.jars.packages` and *Value* `com.microsoft.azure:azureml-fs-scala-impl:1.0.4`

+ :::image type="content" source="./media/tutorial-feature-store-domain-specific-language/dsl-spark-jars-property.png" lightbox="./media/tutorial-feature-store-domain-specific-language/dsl-spark-jars-property.png" alt-text="This screenshot shows the Spark session property for a package that contains the jar file used by managed feature store domain-specific language.":::

+ 1. Select **Python packages**

+ 1. Select **Upload conda file**

+ 1. Select the `conda.yml` you downloaded on your local device

+ 1. Select **Apply**

+ > [!TIP]

+ > Except for this specific step, you must run all the other steps every time you start a new spark session, or after session time out.

+ 1. This code cell sets up the root directory for the samples and starts the Spark session. It needs about 10 minutes to install all the dependencies and start the Spark session:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=setup-root-dir)]

+## Provision the necessary resources

+ 1. Create a minimal feature store:

+ Create a feature store in a region of your choice, from the Azure Machine Learning studio UI or with Azure Machine Learning Python SDK code.

+ * Option 1: Create feature store from the Azure Machine Learning studio UI

+ 1. Navigate to the feature store UI [landing page](https://ml.azure.com/featureStores)

+ 1. Select **+ Create**

+ 1. The **Basics** tab appears

+ 1. Choose a **Name** for your feature store

+ 1. Select the **Subscription**

+ 1. Select the **Resource group**

+ 1. Select the **Region**

+ 1. Select **Apache Spark version** 3.3, and then select **Next**

+ 1. The **Materialization** tab appears

+ 1. Toggle **Enable materialization**

+ 1. Select **Subscription** and **User identity** to **Assign user managed identity**

+ 1. Select **From Azure subscription** under **Offline store**

+ 1. Select **Store name** and **Azure Data Lake Gen2 file system name**, then select **Next**

+ 1. On the **Review** tab, verify the displayed information and then select **Create**

+ * Option 2: Create a feature store using the Python SDK

+ Provide `featurestore_name`, `featurestore_resource_group_name`, and `featurestore_subscription_id` values, and execute this cell to create a minimal feature store:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=create-min-fs)]

+ 1. Assign permissions to your user identity on the offline store:

+ If feature data is materialized, then you must assign the **Storage Blob Data Reader** role to your user identity to read feature data from offline materialization store.

+ 1. Open the [Azure ML global landing page](https://ml.azure.com/home)

+ 1. Select **Feature stores** in the left navigation

+ 1. You'll see the list of feature stores that you have access to. Select the feature store that you created above

+ 1. Select the storage account link under **Account name** on the **Offline materialization store** card, to navigate to the ADLS Gen2 storage account for the offline store

+ :::image type="content" source="./media/tutorial-feature-store-domain-specific-language/offline-store-link.png" lightbox="./media/tutorial-feature-store-domain-specific-language/offline-store-link.png" alt-text="This screenshot shows the storage account link for the offline materialization store on the feature store UI.":::

+ 1. Visit [this resource](../role-based-access-control/role-assignments-portal.md) for more information about how to assign the **Storage Blob Data Reader** role to your user identity on the ADLS Gen2 storage account for offline store. Allow some time for permissions to propagate.

+## Available DSL expressions and benchmarks

+ Currently, these aggregation expressions are supported:

+ - Average - `avg`

+ - Sum - `sum`

+ - Count - `count`

+ - Min - `min`

+ - Max - `max`

+ This table provides benchmarks that compare performance of aggregations that use DSL *expression* with the aggregations that use UDF, using a representative dataset of size 23.5 GB with the following attributes:

+ - `numberOfSourceRows`: 348,244,374

+ - `numberOfOfflineMaterializedRows`: 227,361,061

+ |Function|*Expression*|UDF execution time|DSL execution time|

+ |--||||

+ |`get_offline_features(use_materialized_store=false)`|`sum`, `avg`, `count`|~2 hours|< 5 minutes|

+ |`get_offline_features(use_materialized_store=true)`|`sum`, `avg`, `count`|~1.5 hours|< 5 minutes|

+ |`materialize()`|`sum`, `avg`, `count`|~1 hour|< 15 minutes|

+ > [!NOTE]

+ > The `min` and `max` DSL expressions provide no performance improvement over UDFs. We recommend that you use UDFs for `min` and `max` transformations.

+## Create a feature set specification using DSL expressions

+ 1. Execute this code cell to create a feature set specification, using DSL expressions and parquet files as source data.

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=create-dsl-parq-fset)]

+ 1. This code cell defines the start and end times for the feature window.

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=define-feat-win)]

+ 1. This code cell uses `to_spark_dataframe()` to get a dataframe in the defined feature window from the above feature set specification defined using DSL expressions:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=sparkdf-dsl-parq)]

+ 1. Print some sample feature values from the feature set defined with DSL expressions:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=display-dsl-parq)]

+## Create a feature set specification using UDF

+ 1. Create a feature set specification that uses UDF to perform the same transformations:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=create-udf-parq-fset)]

+ This transformation code shows that the UDF defines the same transformations as the DSL expressions:

+ ```python

+ class TransactionFeatureTransformer(Transformer):

+ def _transform(self, df: DataFrame) -> DataFrame:

+ days = lambda i: i * 86400

+ w_3d = (

+ Window.partitionBy("accountID")

+ .orderBy(F.col("timestamp").cast("long"))

+ .rangeBetween(-days(3), 0)

+ )

+ w_7d = (

+ Window.partitionBy("accountID")

+ .orderBy(F.col("timestamp").cast("long"))

+ .rangeBetween(-days(7), 0)

+ )

+ res = (

+ df.withColumn("transaction_7d_count", F.count("transactionID").over(w_7d))

+ .withColumn(

+ "transaction_amount_7d_sum", F.sum("transactionAmount").over(w_7d)

+ )

+ .withColumn(

+ "transaction_amount_7d_avg", F.avg("transactionAmount").over(w_7d)

+ )

+ .withColumn("transaction_3d_count", F.count("transactionID").over(w_3d))

+ .withColumn(

+ "transaction_amount_3d_sum", F.sum("transactionAmount").over(w_3d)

+ )

+ .withColumn(

+ "transaction_amount_3d_avg", F.avg("transactionAmount").over(w_3d)

+ )

+ .select(

+ "accountID",

+ "timestamp",

+ "transaction_3d_count",

+ "transaction_amount_3d_sum",

+ "transaction_amount_3d_avg",

+ "transaction_7d_count",

+ "transaction_amount_7d_sum",

+ "transaction_amount_7d_avg",

+ )

+ )

+ return res

+ ```

+ 1. Use `to_spark_dataframe()` to get a dataframe from the above feature set specification, defined using UDF:

+

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=sparkdf-udf-parq)]

+ 1. Compare the results and verify consistency between the results from the DSL expressions and the transformations performed with UDF. To verify, select one of the `accountID` values to compare the values in the two dataframes:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=display-dsl-acct)]

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=display-udf-acct)]

+## Export feature set specifications as YAML

+ To register the feature set specification with the feature store, it must be saved in a specific format. To review the generated `transactions-dsl` feature set specification, open this file from the file tree, to see the specification: `featurestore/featuresets/transactions-dsl/spec/FeaturesetSpec.yaml`

+ The feature set specification contains these elements:

+ 1. `source`: Reference to a storage resource; in this case, a parquet file in a blob storage

+ 1. `features`: List of features and their datatypes. If you provide transformation code, the code must return a dataframe that maps to the features and data types

+ 1. `index_columns`: The join keys required to access values from the feature set

+ For more information, read the [top level feature store entities document](./concept-top-level-entities-in-managed-feature-store.md) and the [feature set specification YAML reference](./reference-yaml-featureset-spec.md) resources.

+ As an extra benefit of persisting the feature set specification, it can be source controlled.

+ 1. Execute this code cell to write YAML specification file for the feature set, using parquet data source and DSL expressions:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=dump-dsl-parq-fset-spec)]

+ 1. Execute this code cell to write a YAML specification file for the feature set, using UDF:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=dump-udf-parq-fset-spec)]

+## Initialize SDK clients

+ The following steps of this tutorial use two SDKs.

+ 1. Feature store CRUD SDK: The Azure Machine Learning (AzureML) SDK `MLClient` (package name `azure-ai-ml`), similar to the one used with Azure Machine Learning workspace. This SDK facilitates feature store CRUD operations

+

+ - Create

+ - Read

+ - Update

+ - Delete

+

+ for feature store and feature set entities, because feature store is implemented as a type of Azure Machine Learning workspace

+ 1. Feature store core SDK: This SDK (`azureml-featurestore`) facilitates feature set development and consumption:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=init-python-clients)]

+## Register `account` entity with the feature store

+ Create an account entity that has a join key `accountID` of `string` type:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=register-account-entity)]

+## Register the feature set with the feature store

+ 1. Register the `transactions-dsl` feature set (that uses DSL) with the feature store, with offline materialization enabled, using the exported feature set specification:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=register-dsl-trans-fset)]

+ 1. Materialize the feature set to persist the transformed feature data to the offline store:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=mater-dsl-trans-fset)]

+ 1. Execute this code cell to track the progress of the materialization job:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=track-mater-job)]

+ 1. Print sample data from the feature set. The output information shows that the data was retrieved from the materialization store. The `get_offline_features()` method used to retrieve the training/inference data also uses the materialization store by default:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=lookup-trans-dsl-fset)]

+## Generate a training dataframe using the registered feature set

+### Load observation data

+ Observation data is typically the core data used in training and inference steps. Then, the observation data is joined with the feature data, to create a complete training data resource. Observation data is the data captured during the time of the event. In this case, it has core transaction data including transaction ID, account ID, and transaction amount. Since this data is used for training, it also has the target variable appended (`is_fraud`).

+ 1. First, explore the observation data:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=load-obs-data)]

+ 1. Select features that would be part of the training data, and use the feature store SDK to generate the training data:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=select-features-dsl)]

+ 1. The `get_offline_features()` function appends the features to the observation data with a point-in-time join. Display the training dataframe obtained from the point-in-time join:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=get-offline-features-dsl)]

+### Generate a training dataframe from feature sets using DSL and UDF

+ 1. Register the `transactions-udf` feature set (that uses UDF) with the feature store, using the exported feature set specification. Enable offline materialization for this feature set while registering with the feature store:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=register-udf-trans-fset)]

+ 1. Select features from the feature sets (created using DSL and UDF) that you would like to become part of the training data, and use the feature store SDK to generate the training data:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=select-features-dsl-udf)]

+ 1. The function `get_offline_features()` appends the features to the observation data with a point-in-time join. Display the training dataframe obtained from the point-in-time join:

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/7. Develop a feature set using Domain Specific Language (DSL).ipynb?name=get-offline-features-dsl-udf)]

+The features are appended to the training data with a point-in-time join. The generated training data can be used for subsequent training and batch inferencing steps.

+## Clean up

+The [fifth tutorial in the series](./tutorial-develop-feature-set-with-custom-source.md#clean-up) describes how to delete the resources.

+## Next steps

+* [Part 2: Experiment and train models using features](./tutorial-experiment-train-models-using-features.md)

+* [Part 3: Enable recurrent materialization and run batch inference](./tutorial-enable-recurrent-materialization-run-batch-inference.md)

+When using a private endpoint, you need to connect to the same Azure service but use the private endpoint IP address. The intimate endpoint connection requires separate **Domain Name System (DNS)** settings to resolve the private IP address to the resource name.

+**[Private DNS zones](../../dns/private-dns-overview.md)** provide domain name resolution within a virtual network without a custom DNS solution. You link the **private DNS zones** to each virtual network to provide DNS services to that network.

+**Private DNS zones** provide separate DNS zone names for each Azure service. For example, if you configured a private DNS zone for the storage account blob service in the previous image, the DNS zones name is **privatelink.blob.core.windows.net**. Check out the Microsoft documentation here to see more of the private DNS zone names for all Azure services.

+### Hybrid DNS for Azure and on-premises resources

+**Domain Name System (DNS)** is a critical design topic in the overall landing zone architecture. Some organizations might want to use their existing investments in DNS, while others may want to adopt native Azure capabilities for all their DNS needs.

+You can use [Azure DNS Private Resolver service](../../dns/dns-private-resolver-overview.md) in conjunction with Azure Private DNS Zones for cross-premises name resolution. DNS Private Resolver can forward DNS request to another DNS server and also provides an IP address that can be used by external DNS server to forward requests. So external On-Premises DNS servers are able to resolve name located in a private DNS zone.

+More information on using [Private DNS Resolver]() with on-premises DNS forwarder to forward DNS traffic to Azure DNS see this [document](../../private-link/private-endpoint-dns-integration.md#on-premises-workloads-using-a-dns-forwarder), as well as this [document](../../private-link/tutorial-dns-on-premises-private-resolver.md) . Solutions described allow to extend on-premises network that already has a DNS solution in place to resolve resources in Azure.

+Microsoft architecture.

+### Private Link and DNS integration in hub and spoke network architectures

+Private DNS zones are typically hosted centrally in the same Azure subscription where the hub VNet deploys. This central hosting practice is driven by cross-premises DNS name resolution and other needs for central DNS resolution such as Active Directory. In most cases, only networking and identity administrators have permissions to manage DNS records in the zones.

+In such architecture following is usually configured:

+* On-premises DNS servers have conditional forwarders configured for each private endpoint public DNS zone, pointing to the Private DNS Resolver hosted in the hub VNet.

+* The Private DNS Resolver hosted in the hub VNet use the Azure-provided DNS (168.63.129.16) as a forwarder.

+* The hub VNet must be linked to the Private DNS zone names for Azure services (such as *privatelink.postgres.database.azure.com*, for Azure Database for PostgreSQL - Flexible Server).

+* All Azure VNets use Private DNS Resolver hosted in the hub VNet.

+* As the Private DNS Resolver isn't authoritative for customer's corporate domains, as it's just a forwarder, (for example, Active Directory domain names), it should have outbound endpoint forwarders to the customer's corporate domains, pointing to the on-premises DNS Servers or DNS servers deployed in Azure that are authoritative for such zones.

+description: Get answers to common questions about Azure Resource Mover.

+- Azure virtual machines and associated disks (Azure Spot virtual machines are not currently supported)

+- Network Interface Cards

+- Public IP addresses (Public IP are be retained across Azure region)

+You can't select disks as resources to the moved across regions. However, disks are moved as part of a virtual machine move.

+It's stored in an [Azure Cosmos DB](../cosmos-db/database-encryption-at-rest.md) database, and in [Azure Blob storage](../storage/common/storage-service-encryption.md), in a Microsoft subscription. Currently, metadata is stored in East US 2 and North Europe. We plan to expand this coverage to other regions. This doesn't restrict you from moving resources across any public region.

+You can remove resources that you added to the move list. The exact remove behavior depends on the resource state. [Learn more](remove-move-resources.md#vm-resource-state-after-removing).

+ Title: Manage resources that are created during the virtual machine move process in Azure Resource Mover

+description: Learn how to manage resources that are created during the virtual machine move process in Azure Resource Mover.

+# Manage resources created for the virtual machine move

+This article describes how to manage resources that are created explicitly by [Azure Resource Mover](overview.md) to facilitate the virtual machine move process.

+After moving virtual machines across regions, there are a number of resources created by Resource Mover that should be cleaned up manually.

+## Delete resources created for virtual machine move

+Manually delete the move collection, and Site Recovery resources created for the virtual machine move.

+2. Check that the virtual machine and all other source resources in the move collection have been moved/deleted. This ensures that there are no pending resources using them.

+Try [moving a virtual machine](tutorial-move-region-virtual-machines.md) to another region with Resource Mover.

+#Customer intent: As an Azure admin, I want to modify destination settings when moving resources to another region using Azure Resource Mover.

+You modify the destination settings for an Azure SQL Database resource as follows:

+ In **Error Summary**, monitor the active errors that need to be resolved before you can successfully move to the destination region.

+#Customer intent: As an Azure admin, I want to move Azure VMs to a different Azure region using Azure Resource Mover.

+#Customer intent: As an Azure admin, I want to move Azure resources to a different Azure region using Azure Resource Mover.

+#Customer intent: As an Azure admin, I need to compare tools for moving resources in Azure using Azure Resource Mover.

+#Customer intent: As an Azure admin, I want to move Azure VMs to a different Azure region using Azure Resource Mover.

+#Customer intent: As an Azure admin, I want to move Azure VMs to a different Azure region using Azure Resource Mover with PowerShell.

+#Customer intent: As an Azure admin, I want to move SQL Server databases to a different Azure region using Azure Resource Mover.

+#Customer intent: As an Azure admin, I want to move Azure VMs to a different Azure region using Azure Resource Mover.

+> | <a name='azure-kubernetes-fleet-manager-contributor-role'></a>[Azure Kubernetes Fleet Manager Contributor Role](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-contributor-role) | Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. | 63bb64ad-9799-4770-b5c3-24ed299a07bf |

+> | <a name='azure-kubernetes-fleet-manager-rbac-admin'></a>[Azure Kubernetes Fleet Manager RBAC Admin](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-admin) | Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |

+> | <a name='azure-kubernetes-fleet-manager-rbac-cluster-admin'></a>[Azure Kubernetes Fleet Manager RBAC Cluster Admin](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-cluster-admin) | Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 |

+> | <a name='azure-kubernetes-fleet-manager-rbac-reader'></a>[Azure Kubernetes Fleet Manager RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-reader) | Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 |

+> | <a name='azure-kubernetes-fleet-manager-rbac-writer'></a>[Azure Kubernetes Fleet Manager RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-fleet-manager-rbac-writer) | Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |

+> | <a name='carbon-optimization-reader'></a>[Carbon Optimization Reader](./built-in-roles/management-and-governance.md#carbon-optimization-reader) | Allow read access to Azure Carbon Optimization data | fa0d39e6-28e5-40cf-8521-1eb320653a4c |

+## Azure Kubernetes Fleet Manager Contributor Role

+Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.ContainerService](../permissions/containers.md#microsoftcontainerservice)/fleets/* | |

+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf",

+ "name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.ContainerService/fleets/*",

+ "Microsoft.Resources/deployments/*"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Kubernetes Fleet Manager Contributor Role",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

+[Learn more](/azure/kubernetes-fleet/access-fleet-kubernetes-api)

+ "description": "Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",

+Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.

+[Learn more](/azure/kubernetes-fleet/access-fleet-kubernetes-api)

+ "description": "Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.",

+Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

+[Learn more](/azure/kubernetes-fleet/access-fleet-kubernetes-api)

+ "description": "Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",

+Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.

+[Learn more](/azure/kubernetes-fleet/access-fleet-kubernetes-api)

+ "description": "Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",

+## Carbon Optimization Reader

+Allow read access to Azure Carbon Optimization data

+[Learn more](/azure/carbon-optimization/permissions)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Carbon](../permissions/management-and-governance.md#microsoftcarbon)/carbonEmissionReports/action | API for Carbon Emissions Reports |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Allow read access to Azure Carbon Optimization data",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/fa0d39e6-28e5-40cf-8521-1eb320653a4c",

+ "name": "fa0d39e6-28e5-40cf-8521-1eb320653a4c",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Carbon/carbonEmissionReports/action"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Carbon Optimization Reader",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+Azure service: [Azure Kubernetes Service (AKS)](/azure/aks/intro-kubernetes)

+> | Microsoft.ContainerService/fleets/autoUpgradeProfiles/read | Get a fleet auto upgrade profile |

+> | Microsoft.ContainerService/fleets/autoUpgradeProfiles/write | Create or Update a fleet auto upgrade profile |

+> | Microsoft.ContainerService/fleets/autoUpgradeProfiles/delete | Delete a fleet auto upgrade profile |

+> | Microsoft.ContainerService/locations/nodeimageversions/read | List available Node Image versions in the region. |

+> | Microsoft.ContainerService/managedClusters/loadBalancers/read | Gets a load balancer configuration |

+> | Microsoft.ContainerService/managedClusters/loadBalancers/write | Creates a new LoadBalancerConfiguration or updates an existing one |

+> | Microsoft.ContainerService/managedClusters/loadBalancers/delete | Deletes a load balancer configuration |

+## Microsoft.Carbon

+Azure service: [Azure carbon optimization](/azure/carbon-optimization/overview)

+> [!div class="mx-tableFixed"]

+> | Action | Description |

+> | | |

+> | Microsoft.Carbon/carbonEmissionReports/action | API for Carbon Emissions Reports |

+> | Microsoft.Carbon/queryCarbonEmissionDataAvailableDateRange/action | API for query carbon emission data available date range |

+> | Microsoft.Carbon/register/action | Register the subscription for Microsoft.Carbon |

+> | Microsoft.Carbon/unregister/action | Unregister the subscription for Microsoft.Carbon |

+> | Microsoft.Carbon/operations/read | read operations |

+> | [Microsoft.ContainerService](./permissions/containers.md#microsoftcontainerservice) | Accelerate your containerized application development without compromising security. | [Azure Kubernetes Service (AKS)](/azure/aks/intro-kubernetes) |

+> | [Microsoft.Carbon](./permissions/management-and-governance.md#microsoftcarbon) | | [Azure carbon optimization](/azure/carbon-optimization/overview) |

+`--put-blob-size-mb` Use this size (specified in MiB) as a threshold to determine whether to upload a blob as a single PUT request when uploading to Azure Storage. The default value is automatically calculated based on file size. Decimal fractions are allowed (For example: 0.25).

+`--preserve-symlinks` If enabled, symlink destinations are preserved as the blob content, rather than uploading the file or folder on the other end of the symlink.

+`--put-blob-size-mb` Use this size (specified in MiB) as a threshold to determine whether to upload a blob as a single PUT request when uploading to Azure Storage. The default value is automatically calculated based on file size. Decimal fractions are allowed (For example: 0.25).

+`--put-blob-size-mb` Use this size (specified in MiB) as a threshold to determine whether to upload a blob as a single PUT request when uploading to Azure Storage. The default value is automatically calculated based on file size. Decimal fractions are allowed (For example: 0.25).

+ Title: Manage Network Watcher Agent VM extension - Linux

+description: Learn about the Network Watcher Agent virtual machine extension for Linux virtual machines and how to install and uninstall it.

+#CustomerIntent: As an Azure administrator, I want to install Network Watcher Agent VM extension and manage it so that I can use Network watcher features to diagnose and monitor my Linux virtual machines (VMs).

+# Manage Network Watcher Agent virtual machine extension for Linux

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](../workloads/centos/centos-end-of-life.md).

+The Network Watcher Agent virtual machine extension is a requirement for some of Azure Network Watcher features that capture network traffic to diagnose and monitor Azure virtual machines (VMs). For more information, see [What is Azure Network Watcher?](../../network-watcher/network-watcher-overview.md)

+In this article, you learn how to install and uninstall Network Watcher Agent for Linux. Installation of the agent doesn't disrupt, or require a reboot of the virtual machine. If the virtual machine is deployed by an Azure service, check the documentation of the service to determine whether or not it permits installing extensions in the virtual machine.

+# [**Portal**](#tab/portal)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+# [**PowerShell**](#tab/powershell)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Azure Cloud Shell or Azure PowerShell.

+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. This article requires the Azure PowerShell `Az` module. To find the installed version, run `Get-Module -ListAvailable Az`. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+# [**Azure CLI**](#tab/cli)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Azure Cloud Shell or Azure CLI.

+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.

+# [**Resource Manager**](#tab/arm)

+- An Azure Linux virtual machine (VM). For more information, see [Supported Linux distributions and versions](#supported-operating-systems).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Azure PowerShell or Azure CLI installed locally to deploy the template.

+ - You can [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to sign in to Azure.

+ - You can [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. Use [az login](/cli/azure/reference-index#az-login) command to sign in to Azure.

+## Supported operating systems

+Network Watcher Agent extension for Linux can be installed on the following Linux distributions:

+| SUSE Linux Enterprise Server (SLES) | 12 and 15 (SP2, SP3, and SP4) |

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+```

+## List installed extensions

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can view the installed extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. In the **Extensions** tab, you can see all installed extensions on the virtual machine. If the list is long, you can use the search box to filter the list.

+ :::image type="content" source="./media/network-watcher/list-vm-extensions.png" alt-text="Screenshot that shows how to view installed extensions on a VM in the Azure portal." lightbox="./media/network-watcher/list-vm-extensions.png":::

+# [**PowerShell**](#tab/powershell)

+Use [Get-AzVMExtension](/powershell/module/az.compute/get-azvmextension) cmdlet to list all installed extensions on the virtual machine:

+```azurepowershell-interactive

+# List the installed extensions on the virtual machine.

+Get-AzVMExtension -ResourceGroupName 'myResourceGroup' -VMName 'myVM' | format-table Name, Publisher, ExtensionType, AutoUpgradeMinorVersion, EnableAutomaticUpgrade

+The output of the cmdlet lists the installed extensions:

+```output

+Name Publisher ExtensionType AutoUpgradeMinorVersion EnableAutomaticUpgrade

+- - -- -

+AzureNetworkWatcherExtension Microsoft.Azure.NetworkWatcher NetworkWatcherAgentLinux True True

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension list](/cli/azure/vm/extension#az-vm-extension-list) command to list all installed extensions on the virtual machine:

+```azurecli

+# List the installed extensions on the virtual machine.

+az vm extension list --resource-group 'myResourceGroup' --vm-name 'myVM' --out table

+```

+The output of the command lists the installed extensions:

+```output

+Name ProvisioningState Publisher Version AutoUpgradeMinorVersion

+- - -

+AzureNetworkWatcherExtension Succeeded Microsoft.Azure.NetworkWatcher 1.4 True

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Install Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can install the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **+ Add** and search for **Network Watcher Agent** and install it. If the extension is already installed, you can see it in the list of extensions.

+ :::image type="content" source="./media/network-watcher/vm-extensions.png" alt-text="Screenshot that shows the VM's extensions page in the Azure portal." lightbox="./media/network-watcher/vm-extensions.png":::

+1. In the search box of **Install an Extension**, enter *Network Watcher Agent for Linux*. Select the extension from the list and select **Next**.

+ :::image type="content" source="./media/network-watcher/install-extension-linux.png" alt-text="Screenshot that shows how to install Network Watcher Agent for Linux in the Azure portal." lightbox="./media/network-watcher/install-extension-linux.png":::

+1. Select **Review + create** and then select **Create**.

+# [**PowerShell**](#tab/powershell)

+Use [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) cmdlet to install Network Watcher Agent VM extension on the virtual machine:

+```azurepowershell-interactive

+# Install Network Watcher Agent for Linux on the virtual machine.

+Set-AzVMExtension -Name 'AzureNetworkWatcherExtension' -Publisher 'Microsoft.Azure.NetworkWatcher' -ExtensionType 'NetworkWatcherAgentLinux' -EnableAutomaticUpgrade 1 -TypeHandlerVersion '1.4' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+Once the installation is successfully completed, you see the following output:

+```output

+RequestId IsSuccessStatusCode StatusCode ReasonPhrase

+ - -

+ True OK

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) command to install Network Watcher Agent VM extension on the virtual machine:

+# Install Network Watcher Agent for Windows on the virtual machine.

+az vm extension set --name 'NetworkWatcherAgentLinux' --extension-instance-name 'AzureNetworkWatcherExtension' --publisher 'Microsoft.Azure.NetworkWatcher' --enable-auto-upgrade 'true' --version '1.4' --resource-group 'myResourceGroup' --vm-name 'myVM'

+# [**Resource Manager**](#tab/arm)

+Use the following Azure Resource Manager template (ARM template) to install Network Watcher Agent VM extension on a Linux virtual machine:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "type": "string"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "name": "[parameters('vmName')]",

+ "type": "Microsoft.Compute/virtualMachines",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ }

+ },

+ {

+ "name": "[concat(parameters('vmName'), '/AzureNetworkWatcherExtension')]",

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "apiVersion": "2023-03-01",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"

+ ],

+ "properties": {

+ "autoUpgradeMinorVersion": true,

+ "publisher": "Microsoft.Azure.NetworkWatcher",

+ "type": "NetworkWatcherAgentLinux",

+ "typeHandlerVersion": "1.4"

+ }

+ }

+ ],

+ "outputs": {}

+}

+```

+You can use either Azure PowerShell or Azure CLI to deploy the Resource Manager template:

+```azurepowershell

+# Deploy the JSON template file using Azure PowerShell.

+New-AzResourceGroupDeployment -ResourceGroupName 'myResourceGroup' -TemplateFile 'agent.json'

+```

+# Deploy the JSON template file using the Azure CLI.

+az deployment group create --resource-group 'myResourceGroup' --template-file 'agent.json'

+## Uninstall Network Watcher Agent VM extension

+# [**Portal**](#tab/portal)

+From the virtual machine page in the Azure portal, you can uninstall the Network Watcher Agent VM extension by following these steps:

+1. Under **Settings**, select **Extensions + applications**.

+1. Select **AzureNetworkWatcherExtension** from the list of extensions, and then select **Uninstall**.

+ :::image type="content" source="./media/network-watcher/uninstall-extension-linux.png" alt-text="Screenshot that shows how to uninstall Network Watcher Agent for Linux in the Azure portal." lightbox="./media/network-watcher/uninstall-extension-linux.png":::

+ > [!NOTE]

+ > You might see Network Watcher Agent VM extension named differently than **AzureNetworkWatcherExtension**.

+# [**PowerShell**](#tab/powershell)

+Use [Remove-AzVMExtension](/powershell/module/az.compute/remove-azvmextension) cmdlet to remove Network Watcher Agent VM extension from the virtual machine:

+```azurepowershell-interactive

+# Uninstall Network Watcher Agent VM extension.

+Remove-AzureVMExtension -Name 'AzureNetworkWatcherExtension' -ResourceGroupName 'myResourceGroup' -VMName 'myVM'

+```

+# [**Azure CLI**](#tab/cli)

+Use [az vm extension delete](/cli/azure/vm/extension#az-vm-extension-delete) command to remove Network Watcher Agent VM extension from the virtual machine:

+```azurecli-interactive

+# Uninstall Network Watcher Agent VM extension.

+az vm extension delete --name 'AzureNetworkWatcherExtension' --resource-group 'myResourceGroup' --vm-name 'myVM'

+```

+# [**Resource Manager**](#tab/arm)

+N/A

+## Frequently asked questions (FAQ)

+To get answers to most frequently asked questions about Network Watcher Agent, see [Network Watcher Agent FAQ](../../network-watcher/frequently-asked-questions.yml#network-watcher-agent).

+ Title: Manage Network Watcher Agent VM extension - Windows

+The Network Watcher Agent virtual machine extension is a requirement for some of Azure Network Watcher features that capture network traffic to diagnose and monitor Azure virtual machines (VMs). For more information, see [What is Azure Network Watcher?](../../network-watcher/network-watcher-overview.md)

+In this article, you learn how to install and uninstall Network Watcher Agent for Windows. Installation of the agent doesn't disrupt, or require a reboot of the virtual machine. If the virtual machine is deployed by an Azure service, check the documentation of the service to determine whether or not it permits installing extensions in the virtual machine.

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+- Outbound TCP connectivity to `169.254.169.254` over `port 80` and `168.63.129.16` over `port 8037`. The agent uses these IP addresses to communicate with the Azure platform.

+- Internet connectivity: Network Watcher Agent requires internet connectivity for some features to properly work. For example, it requires connectivity to your storage account to upload packet captures. For more information, see [Packet capture overview](../../network-watcher/packet-capture-overview.md).

+Get-AzVMExtension -ResourceGroupName 'myResourceGroup' -VMName 'myVM' | format-table Name, Publisher, ExtensionType, AutoUpgradeMinorVersion, EnableAutomaticUpgrade

+Name Publisher ExtensionType AutoUpgradeMinorVersion EnableAutomaticUpgrade

+- - -- -

+AzureNetworkWatcherExtension Microsoft.Azure.NetworkWatcher NetworkWatcherAgentWindows True True

+az deployment group create --resource-group 'myResourceGroup' --template-file 'agent.json'

+ > You might see Network Watcher Agent VM extension named differently than **AzureNetworkWatcherExtension**.

+## Frequently asked questions (FAQ)

+To get answers to most frequently asked questions about Network Watcher Agent, see [Network Watcher Agent FAQ](../../network-watcher/frequently-asked-questions.yml#network-watcher-agent).

+| **Gateway Inbound Flows** | Number of distinct 5-tuple flows (protocol, local IP address, remote IP address, local port, and remote port) flowing into a VPN Gateway. Limit is 250k flows.|

+| **Gateway Outbound Flows** | Number of distinct 5-tuple flows (protocol, local IP address, remote IP address, local port, and remote port) flowing out of a VPN Gateway. Limit is 250k flows.|

+| **Tunnel Flow Count** | Number of distinct 3-tupe (protocol, local IP address, remote IP address) flows created per link connection.|

+| **Gateway Inbound Flows** | Count | 5 minutes | Number of distinct 5-tuple flows flowing into a VPN Gateway. Limit is 250k flows. |

+| **Gateway Outbound Flows** | Count | 5 minutes | Number of distinct 5-tuple flows flowing out of a VPN Gateway. Limit is 250k flows. |

+| **Tunnel Total Flow Count** | Count | 5 minutes | Number of distinct 3-tuple flows created per tunnel. |

+| **VNet Address Prefix Count** | Count | 5 minutes | Number of virtual network address prefixes that are used/advertised by the gateway. |

+* To learn more about metrics in Azure Monitor, see [Metrics in Azure Monitor](../azure-monitor/essentials/data-platform-metrics.md).

+| **Gateway Inbound Flows** | Count | 5 minutes | Number of distinct 5-tuple flows flowing into a VPN Gateway. Limit is 250k flows. |

+| **Gateway Outbound Flows** | Count | 5 minutes | Number of distinct 5-tuple flows flowing out of a VPN Gateway. Limit is 250k flows. |

+| **Tunnel Total Flow Count** | Count | 5 minutes | Number of distinct 3-tuple flows created per tunnel. |