+ <OrchestrationSteps>

+ <OrchestrationStep Order="1" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

+ </OrchestrationSteps>

+</UserJourney>

+Many organizations rely on software as a service (SaaS) applications such as ServiceNow, Zscaler, and Slack for end-user productivity. Historically IT staff has relied on manual provisioning methods such as uploading CSV files, or using custom scripts to securely manage user identities in each SaaS application. These processes are error prone, insecure, and hard to manage.

+* **Address compliance and governance**. Azure AD supports native audit logs for every user provisioning request. Requests are executed in both the source and target systems. Audit logs let you track who has access to applications from a single screen.

+You need the appropriate licenses for the application(s) you want to automatically provision. Discuss with the application owners whether the users assigned to the application have the proper licenses for their application roles. If Azure AD manages automatic provisioning based on roles, the roles assigned in Azure AD must align to application licenses. Incorrect licenses owned in the application may lead to errors during the provisioning/updating of a user.

+In this example, the users and or groups are created in a cloud HR application like such as Workday and SuccessFactors. The Azure AD provisioning service and Azure AD Connect provisioning agent provisions the user data from the cloud HR app tenant into AD. Once the accounts are updated in AD, it's synced with Azure AD through Azure AD Connect, and the email addresses and username attributes can be written back to the cloud HR app tenant.

+We recommend that the initial configuration of automatic user provisioning is in a test environment with a small subset of users before scaling it to all users in production. See [best practices](../fundamentals/active-directory-deployment-plans.md#best-practices-for-a-pilot) for running a pilot.

+When you enable automatic provisioning for an application, the initial cycle takes anywhere from 20 minutes to several hours. The duration depends on the size of the Azure AD directory and the number of users in scope for provisioning.

+- Administrators can target all users or select users/Security groups within their tenant for each method.

+> Password reset and Azure AD Multi-Factor Authentication support phone extensions only in office phone.

+There are two types of Auth providers, and the distinction is around how your Azure subscription is charged. The per-authentication option calculates the number of authentications performed against your tenant in a month. This option is best if some accounts authenticate only occasionally. The per-user option calculates the number of accounts that are eligible to perform MFA, which is all accounts in Azure AD, and all enabled accounts in MFA Server. This option is best if some users have licenses but you need to extend MFA to more users beyond your licensing limits.

+All users in an Azure AD Free tenant can use Azure AD Multi-Factor Authentication by using security defaults. The mobile authentication app and SMS methods can be used for Azure AD Multi-Factor Authentication when using Azure AD Free security defaults.

+To get the authentication methods available in the legacy SSPR policy, go to **Azure Active Directory** > **Users** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.

+### What happens to number matching settings that are currently configured for a group in the Authentication methods policy after number matching is enabled for Authenticator push notifications after May 8th, 2023?

+In the United States, if you haven't configured MFA caller ID, voice calls from Microsoft come from the following number. Users with spam filters should exclude this number.

+* `https://login.microsoftonline.com`

+* `https://login.microsoftonline.us (Azure Government)`

+* `https://login.chinacloudapi.cn (Azure China 21Vianet)`

+* `https://credentials.azure.com`

+* `https://strongauthenticationservice.auth.microsoft.com`

+* `https://strongauthenticationservice.auth.microsoft.us (Azure Government)`

+* `https://strongauthenticationservice.auth.microsoft.cn (Azure China 21Vianet)`

+* `https://adnotifications.windowsazure.com`

+* `https://adnotifications.windowsazure.us (Azure Government)`

+* `https://adnotifications.windowsazure.cn (Azure China 21Vianet)`

+* `https://login.microsoftonline.com`

+* `https://provisioningapi.microsoftonline.com`

+* `https://aadcdn.msauth.net`

+* `https://www.powershellgallery.com`

+* `https://go.microsoft.com`

+* `https://aadcdn.msftauthimages.net`

+If you need more granularity, see the [list of Microsoft Azure IP Ranges and Service Tags for Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519).

+For Azure GOV, see the [list of Microsoft Azure IP Ranges and Service Tags for US Government Cloud](https://www.microsoft.com/download/details.aspx?id=57063).

+These files are updated weekly.

+MSAL is able to call Web Account Manager (WAM), a Windows 10+ component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.

+- Enhanced security. See [token protection](https://learn.microsoft.com/azure/active-directory/conditional-access/concept-token-protection)

+- Better Single Sign-On

+- Ability to sign in silently with the current Windows account

+- Available on Windows 10 and later and on Windows Server 2019 and later. On Mac, Linux, and earlier versions of Windows, MSAL will automatically fall back to a browser.

+## WAM integration package

+Most apps will need to reference `Microsoft.Identity.Client.Broker` package to use this integration. MAUI apps are not required to do this; the functionality is inside MSAL when the target is `net6-windows` and later.

+## WAM calling pattern

+You can use the following pattern to use WAM.

+```csharp

+ // 1. Configuration - read below about redirect URI

+ var pca = PublicClientApplicationBuilder.Create("client_id")

+ .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))

+ .Build();

+ // Add a token cache, see https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop

+ // 2. Find a account for silent login

+ // is there an account in the cache?

+ IAccount accountToLogin = (await pca.GetAccountsAsync()).FirstOrDefault();

+ if (accountToLogin == null)

+ {

+ // 3. no account in the cache, try to login with the OS account

+ accountToLogin = PublicClientApplication.OperatingSystemAccount;

+ }

+ try

+ {

+ // 4. Silent authentication

+ var authResult = await pca.AcquireTokenSilent(new[] { "User.Read" }, accountToLogin)

+ .ExecuteAsync();

+ }

+ // cannot login silently - most likely AAD would like to show a consent dialog or the user needs to re-enter credentials

+ catch (MsalUiRequiredException)

+ {

+ // 5. Interactive authentication

+ var authResult = await pca.AcquireTokenInteractive(new[] { "User.Read" })

+ .WithAccount(accountToLogin)

+ // this is mandatory so that WAM is correctly parented to your app, read on for more guidance

+ .WithParentActivityOrWindow(myWindowHandle)

+ .ExecuteAsync();

+

+ // consider allowing the user to re-authenticate with a different account, by calling AcquireTokenInteractive again

+ }

+If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser, where redirect URI rules apply.

+### Redirect URI

+WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration.

+### Token cache persistence

+It's important to persist MSAL's token cache because MSAL continues to store id tokens and account metadata there. See https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop

+### Find a account for silent login

+The recommended pattern is:

+1. If the user previously logged in, use that account.

+2. If not, use `PublicClientApplication.OperatingSystemAccount` which the current Windows Account

+3. Allow the end-user to change to a different account by logging in interactively.

+## Parent Window Handles

+It is required to configure MSAL with the window that the interactive experience should be parented to, using `WithParentActivityOrWindow` APIs.

+### UI applications

+For UI apps like WinForms, WPF, WinUI3 see https://learn.microsoft.com/windows/apps/develop/ui-input/retrieve-hwnd

+### Console applications

+For console applications it is a bit more involved, because of the terminal window and its tabs. Use the following code:

+```csharp

+enum GetAncestorFlags

+{

+ GetParent = 1,

+ GetRoot = 2,

+ /// <summary>

+ /// Retrieves the owned root window by walking the chain of parent and owner windows returned by GetParent.

+ /// </summary>

+ GetRootOwner = 3

+}

+/// <summary>

+/// Retrieves the handle to the ancestor of the specified window.

+/// </summary>

+/// <param name="hwnd">A handle to the window whose ancestor is to be retrieved.

+/// If this parameter is the desktop window, the function returns NULL. </param>

+/// <param name="flags">The ancestor to be retrieved.</param>

+/// <returns>The return value is the handle to the ancestor window.</returns>

+[DllImport("user32.dll", ExactSpelling = true)]

+static extern IntPtr GetAncestor(IntPtr hwnd, GetAncestorFlags flags);

+[DllImport("kernel32.dll")]

+static extern IntPtr GetConsoleWindow();

+// This is your window handle!

+public IntPtr GetConsoleOrTerminalWindow()

+{

+ IntPtr consoleHandle = GetConsoleWindow();

+ IntPtr handle = GetAncestor(consoleHandle, GetAncestorFlags.GetRootOwner );

+

+ return handle;

+}

+```

+1. Open *SignInButton.jsx* and add the following code, which creates a button that signs in the user using either a pop-up or redirect.

+> [Tutorial: Call an API from a React single-page app](single-page-app-tutorial-04-call-api.md)

+ integrity="sha384-o4ufwq3oKqc7IoCcR08YtZXmgOljhTggRwxP2CLbSqeXGtitAxwYaUln/05nJjit"

+ <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

+> [Scenario: Single-page application](scenario-spa-overview.md)

+* `Connect-MgGraph -Scope User.Read.All`

+**Service category:** Terms of use

+You configure and test Azure AD single sign-on for Beable in a test environment. Beable supports **IDP** initiated single sign-on.

+ `https://prod-literacy-backend-alb-<ID>.beable.com/login/ssoVerification/?providerId=<ProviderID>&identifier=<DOMAIN>`

+In this article, you learn how to integrate QRadar SOAR with Azure Active Directory (Azure AD). QRadar SOAR enhances the analyst experience through accelerated incident response with simple automation, process standardization, and integration with your existing security tools. When you integrate QRadar SOAR with Azure AD, you can:

+You configure and test Azure AD single sign-on for QRadar SOAR in a test environment. QRadar SOAR supports both **SP** and **IDP** initiated single sign-on.

+ | `https://<CustomerName>.domain.extension/<ID>` |

+ | `https://<CustomerName>.domain.extension` |

+ | `https://<CustomerName>.domain.extension/<ID>` |

+ | `https://<CustomerName>.domain.extension` |

+ | `https://<CustomerName>.domain.extension/<ID>` |

+ | `https://<CustomerName>.domain.extension` |

+> [!NOTE]

+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+description: Learn how to use GPUs for high performance compute or graphics-intensive workloads on Azure Kubernetes Service (AKS).

+Graphical processing units (GPUs) are often used for compute-intensive workloads, such as graphics and visualization workloads. AKS supports GPU-enabled Linux node pools to run compute-intensive Kubernetes workloads. For more information on available GPU-enabled VMs, see [GPU-optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of *Standard_NC6*. The NVv4 series (based on AMD GPUs) aren't supported with AKS.

+This article helps you provision nodes with schedulable GPUs on new and existing AKS clusters.

+* This article assumes you have an existing AKS cluster. If you don't have a cluster, create one using the [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or the [Azure portal][aks-quickstart-portal].

+* You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* Get the credentials for your AKS cluster using the [`az aks get-credentials`][az-aks-get-credentials] command. The following example command gets the credentials for the *myAKSCluster* in the *myResourceGroup* resource group:

+ ```azurecli-interactive

+ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+ ```

+There are two ways to add the NVIDIA device plugin:

+1. [Using the AKS GPU image](#update-your-cluster-to-use-the-aks-gpu-image-preview)

+2. [Manually installing the NVIDIA device plugin](#manually-install-the-nvidia-device-plugin)

+> We don't recommend manually installing the NVIDIA device plugin daemon set with clusters using the AKS GPU image.

+AKS provides a fully configured AKS image containing the [NVIDIA device plugin for Kubernetes][nvidia-github].

+1. Install the `aks-preview` Azure CLI extension using the [`az extension add`][az-extension-add] command.

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.

+ ```azurecli-interactive

+ az extension update --name aks-preview

+ ```

+3. Register the `GPUDedicatedVHDPreview` feature flag using the [`az feature register`][az-feature-register] command.

+ ```azurecli-interactive

+ az feature register --namespace "Microsoft.ContainerService" --name "GPUDedicatedVHDPreview"

+ ```

+ It takes a few minutes for the status to show *Registered*.

+4. Verify the registration status using the [`az feature show`][az-feature-show] command.

+ ```azurecli-interactive

+ az feature show --namespace "Microsoft.ContainerService" --name "GPUDedicatedVHDPreview"

+ ```

+5. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ContainerService

+ ```

+#### Add a node pool for GPU nodes

+Now that you updated your cluster to use the AKS GPU image, you can add a node pool for GPU nodes to your cluster.

+* Add a node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command.

+ ```azurecli-interactive

+ az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name gpunp \

+ --node-count 1 \

+ --node-vm-size Standard_NC6 \

+ --node-taints sku=gpu:NoSchedule \

+ --aks-custom-headers UseGPUDedicatedVHD=true \

+ --enable-cluster-autoscaler \

+ --min-count 1 \

+ --max-count 3

+ ```

+ The previous example command adds a node pool named *gpunp* to *myAKSCluster* in *myResourceGroup* and uses parameters to configure the following node pool settings:

+ * `--node-vm-size`: Sets the VM size for the node in the node pool to *Standard_NC6*.

+ * `--node-taints`: Specifies a *sku=gpu:NoSchedule* taint on the node pool.

+ * `--aks-custom-headers`: Specifies a specialized AKS GPU image, *UseGPUDedicatedVHD=true*. If your GPU sku requires generation 2 VMs, use *--aks-custom-headers UseGPUDedicatedVHD=true,usegen2vm=true* instead.

+ * `--enable-cluster-autoscaler`: Enables the cluster autoscaler.

+ * `--min-count`: Configures the cluster autoscaler to maintain a minimum of one node in the node pool.

+ * `--max-count`: Configures the cluster autoscaler to maintain a maximum of three nodes in the node pool.

+ > [!NOTE]

+ > Taints and VM sizes can only be set for node pools during node pool creation, but you can update autoscaler settings at any time.

+You can deploy a DaemonSet for the NVIDIA device plugin, which runs a pod on each node to provide the required drivers for the GPUs.

+1. Add a node pool to your cluster using the [`az aks nodepool add`][az-aks-nodepool-add] command.

+ ```azurecli-interactive

+ az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name gpunp \

+ --node-count 1 \

+ --node-vm-size Standard_NC6 \

+ --node-taints sku=gpu:NoSchedule \

+ --enable-cluster-autoscaler \

+ --min-count 1 \

+ --max-count 3

+ ```

+ The previous example command adds a node pool named *gpunp* to *myAKSCluster* in *myResourceGroup* and uses parameters to configure the following node pool settings:

+ * `--node-vm-size`: Sets the VM size for the node in the node pool to *Standard_NC6*.

+ * `--node-taints`: Specifies a *sku=gpu:NoSchedule* taint on the node pool.

+ * `--enable-cluster-autoscaler`: Enables the cluster autoscaler.

+ * `--min-count`: Configures the cluster autoscaler to maintain a minimum of one node in the node pool.

+ * `--max-count`: Configures the cluster autoscaler to maintain a maximum of three nodes in the node pool.

+ > [!NOTE]

+ > Taints and VM sizes can only be set for node pools during node pool creation, but you can update autoscaler settings at any time.

+2. Create a namespace using the [`kubectl create namespace`][kubectl-create] command.

+ ```console

+ kubectl create namespace gpu-resources

+ ```

+3. Create a file named *nvidia-device-plugin-ds.yaml* and paste the following YAML manifest provided as part of the [NVIDIA device plugin for Kubernetes project][nvidia-github]:

+ ```yaml

+ apiVersion: apps/v1

+ kind: DaemonSet

+ name: nvidia-device-plugin-daemonset

+ namespace: gpu-resources

+ selector:

+ matchLabels:

+ name: nvidia-device-plugin-ds

+ updateStrategy:

+ type: RollingUpdate

+ template:

+ metadata:

+ # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler

+ # reserves resources for critical add-on pods so that they can be rescheduled after

+ # a failure. This annotation works in tandem with the toleration below.

+ annotations:

+ scheduler.alpha.kubernetes.io/critical-pod: ""

+ labels:

+ name: nvidia-device-plugin-ds

+ spec:

+ tolerations:

+ # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.

+ # This, along with the annotation above marks this pod as a critical add-on.

+ - key: CriticalAddonsOnly

+ operator: Exists

+ - key: nvidia.com/gpu

+ operator: Exists

+ effect: NoSchedule

+ - key: "sku"

+ operator: "Equal"

+ value: "gpu"

+ effect: "NoSchedule"

+ containers:

+ - image: mcr.microsoft.com/oss/nvidia/k8s-device-plugin:1.11

+ name: nvidia-device-plugin-ctr

+ securityContext:

+ allowPrivilegeEscalation: false

+ capabilities:

+ drop: ["ALL"]

+ volumeMounts:

+ - name: device-plugin

+ mountPath: /var/lib/kubelet/device-plugins

+ volumes:

+ - name: device-plugin

+ hostPath:

+ path: /var/lib/kubelet/device-plugins

+ ```

+4. Create the DaemonSet and confirm the NVIDIA device plugin is created successfully using the [`kubectl apply`][kubectl-apply] command.

+ ```console

+ kubectl apply -f nvidia-device-plugin-ds.yaml

+ ```

+After creating your cluster, confirm that GPUs are schedulable in Kubernetes.

+1. List the nodes in your cluster using the [`kubectl get nodes`][kubectl-get] command.

+ ```console

+ kubectl get nodes

+ ```

+ Your output should look similar to the following example output:

+ ```console

+ NAME STATUS ROLES AGE VERSION

+ aks-gpunp-28993262-0 Ready agent 13m v1.20.7

+ ```

+2. Confirm the GPUs are schedulable using the [`kubectl describe node`][kubectl-describe] command.

+ ```console

+ kubectl describe node aks-gpunp-28993262-0

+ ```

+ Under the *Capacity* section, the GPU should list as `nvidia.com/gpu: 1`. Your output should look similar to the following condensed example output:

+ ```console

+ Name: aks-gpunp-28993262-0

+ Roles: agent

+ Labels: accelerator=nvidia

+ [...]

+ Capacity:

+ [...]

+ nvidia.com/gpu: 1

+ [...]

+ ```

+To see the GPU in action, you can schedule a GPU-enabled workload with the appropriate resource request. In this example, we'll run a [Tensorflow](https://www.tensorflow.org/) job against the [MNIST dataset](http://yann.lecun.com/exdb/mnist/).

+1. Create a file named *samples-tf-mnist-demo.yaml* and paste the following YAML manifest, which includes a resource limit of `nvidia.com/gpu: 1`:

+ > [!NOTE]

+ > If you receive a version mismatch error when calling into drivers, such as "CUDA driver version is insufficient for CUDA runtime version", review the [NVIDIA driver matrix compatibility chart](https://docs.nvidia.com/deploy/cuda-compatibility/https://docsupdatetracker.net/index.html).

+ ```yaml

+ apiVersion: batch/v1

+ kind: Job

+ name: samples-tf-mnist-demo

+ template:

+ metadata:

+ labels:

+ app: samples-tf-mnist-demo

+ spec:

+ containers:

+ - name: samples-tf-mnist-demo

+ image: mcr.microsoft.com/azuredocs/samples-tf-mnist-demo:gpu

+ args: ["--max_steps", "500"]

+ imagePullPolicy: IfNotPresent

+ resources:

+ limits:

+ nvidia.com/gpu: 1

+ restartPolicy: OnFailure

+ tolerations:

+ - key: "sku"

+ operator: "Equal"

+ value: "gpu"

+ effect: "NoSchedule"

+ ```

+2. Run the job using the [`kubectl apply`][kubectl-apply] command, which parses the manifest file and creates the defined Kubernetes objects.

+ ```console

+ kubectl apply -f samples-tf-mnist-demo.yaml

+ ```

+## View the status of the GPU-enabled workload

+1. Monitor the progress of the job using the [`kubectl get jobs`][kubectl-get] command with the `--watch` flag. It may take a few minutes to first pull the image and process the dataset.

+ ```console

+ kubectl get jobs samples-tf-mnist-demo --watch

+ ```

+ When the *COMPLETIONS* column shows *1/1*, the job has successfully finished, as shown in the following example output:

+ ```console

+ NAME COMPLETIONS DURATION AGE

+ samples-tf-mnist-demo 0/1 3m29s 3m29s

+ samples-tf-mnist-demo 1/1 3m10s 3m36s

+ ```

+2. Exit the `kubectl --watch` process with *Ctrl-C*.

+3. Get the name of the pod using the [`kubectl get pods`][kubectl-get] command.

+ ```console

+ kubectl get pods --selector app=samples-tf-mnist-demo

+ ```

+4. View the output of the GPU-enabled workload using the [`kubectl logs`][kubectl-logs] command.

+ ```console

+ kubectl logs samples-tf-mnist-demo-smnr6

+ ```

+ The following condensed example output of the pod logs confirms that the appropriate GPU device, `Tesla K80`, has been discovered:

+ ```console

+ 2019-05-16 16:08:31.258328: I tensorflow/core/platform/cpu_feature_guard.cc:137] Your CPU supports instructions that this TensorFlow binary was not compiled to use: SSE4.1 SSE4.2 AVX AVX2 FMA

+ 2019-05-16 16:08:31.396846: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1030] Found device 0 with properties:

+ name: Tesla K80 major: 3 minor: 7 memoryClockRate(GHz): 0.8235

+ pciBusID: 2fd7:00:00.0

+ totalMemory: 11.17GiB freeMemory: 11.10GiB

+ 2019-05-16 16:08:31.396886: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1120] Creating TensorFlow device (/device:GPU:0) -> (device: 0, name: Tesla K80, pci bus id: 2fd7:00:00.0, compute capability: 3.7)

+ 2019-05-16 16:08:36.076962: I tensorflow/stream_executor/dso_loader.cc:139] successfully opened CUDA library libcupti.so.8.0 locally

+ Successfully downloaded train-images-idx3-ubyte.gz 9912422 bytes.

+ Extracting /tmp/tensorflow/input_data/train-images-idx3-ubyte.gz

+ Successfully downloaded train-labels-idx1-ubyte.gz 28881 bytes.

+ Extracting /tmp/tensorflow/input_data/train-labels-idx1-ubyte.gz

+ Successfully downloaded t10k-images-idx3-ubyte.gz 1648877 bytes.

+ Extracting /tmp/tensorflow/input_data/t10k-images-idx3-ubyte.gz

+ Successfully downloaded t10k-labels-idx1-ubyte.gz 4542 bytes.

+ Extracting /tmp/tensorflow/input_data/t10k-labels-idx1-ubyte.gz

+ Accuracy at step 0: 0.1081

+ Accuracy at step 10: 0.7457

+ Accuracy at step 20: 0.8233

+ Accuracy at step 30: 0.8644

+ Accuracy at step 40: 0.8848

+ Accuracy at step 50: 0.8889

+ Accuracy at step 60: 0.8898

+ Accuracy at step 70: 0.8979

+ Accuracy at step 80: 0.9087

+ Accuracy at step 90: 0.9099

+ Adding run metadata for 99

+ Accuracy at step 100: 0.9125

+ Accuracy at step 110: 0.9184

+ Accuracy at step 120: 0.922

+ Accuracy at step 130: 0.9161

+ Accuracy at step 140: 0.9219

+ Accuracy at step 150: 0.9151

+ Accuracy at step 160: 0.9199

+ Accuracy at step 170: 0.9305

+ Accuracy at step 180: 0.9251

+ Accuracy at step 190: 0.9258

+ Adding run metadata for 199

+ [...]

+ Adding run metadata for 499

+ ```

+[Container Insights with AKS][aks-container-insights] monitors the following GPU usage metrics:

+| containerGpuDutyCycle | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName`, `gpuId`, `gpuModel`, `gpuVendor`| Percentage of time over the past sample period (60 seconds) during which GPU was busy/actively processing for a container. Duty cycle is a number between 1 and 100. |

+* Remove the associated Kubernetes objects you created in this article using the [`kubectl delete job`][kubectl delete] command.

+ ```console

+ kubectl delete jobs samples-tf-mnist-demo

+ ```

+* To run Apache Spark jobs, see [Run Apache Spark jobs on AKS][aks-spark].

+* For more information on features of the Kubernetes scheduler, see [Best practices for advanced scheduler features in AKS][advanced-scheduler-aks].

+* For more information on Azure Kubernetes Service and Azure Machine Learning, see:

+ * [Configure a Kubernetes cluster for ML model training or deployment][azureml-aks].

+ * [Deploy a model with an online endpoint][azureml-deploy].

+ * [High-performance serving with Triton Inference Server][azureml-triton].

+ * [Labs for Kubernetes and Kubeflow][kubeflow].

+[kubeflow]: https://github.com/Azure/kubeflow-labs

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+```azurecli

+```azurecli

+| cache-response | Set to `true` to cache the current HTTP response. If the attribute is omitted, only HTTP responses with the status code `200 OK` are cached. Policy expressions are allowed. | No | `false` |

+This article walks through the steps in the Azure portal to create a Power Platform [custom connector](/connectors/custom-connectors/) to an API in API Management. With this capability, citizen developers can use the Power Platform to create and distribute apps that are based on internal and external APIs managed by API Management.

+* [Learn more about the Power Platform](https://powerplatform.microsoft.com/) and [licensing](/power-platform/admin/pricing-billing-skus)

+| * / 5671, 5672, 443 | Outbound | TCP | VirtualNetwork / EventHub | Dependency for [Log to Azure Event Hubs policy](api-management-howto-log-event-hubs.md) and [Azure Monitor](api-management-howto-use-azure-monitor.md) (optional) | External & Internal |

+ Title: Getting started with Azure App Service

+description: Take the first steps toward working with Azure App Service.

+zone_pivot_groups: app-service-getting-started-stacks

+# Getting started with Azure App Service

+## Introduction

+[Azure App Service](./overview.md) is a fully managed platform as a service (PaaS) for hosting web applications. Use the following resources to get started with .NET.

+| Action | Resources |

+| | |

+| **Create your first .NET app** | Using one of the following tools:<br><br>- [Visual Studio](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-vs)<br>- [Visual Studio Code](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-vscode)<br>- [Command line](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-cli)<br>- [Azure PowerShell](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-ps)<br>- [Azure portal](./quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-azure-portal) |

+| **Deploy your app** | - [Configure ASP.NET](./configure-language-dotnet-framework.md)<br>- [Configure ASP.NET core](./configure-language-dotnetcore.md?pivots=platform-linux)<br>- [GitHub actions](./deploy-github-actions.md) |

+| **Monitor your app**| - [Log stream](./troubleshoot-diagnostic-logs.md#stream-logs)<br>- [Diagnose and solve tool](./overview-diagnostics.md)|

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** | - [.NET with Azure SQL Database](./app-service-web-tutorial-dotnet-sqldatabase.md)<br>- [.NET Core with Azure SQL DB](./tutorial-dotnetcore-sqldb-app.md)|

+| **Custom containers** |- [Linux - Visual Studio Code](./quickstart-custom-container.md?tabs=dotnet&pivots=container-linux-vscode)<br>- [Windows - Visual Studio](./quickstart-custom-container.md?tabs=dotnet&pivots=container-windows-vs)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual Network](./configure-vnet-integration-enable.md)|

+[Azure App Service](./overview.md) is a fully managed platform as a service (PaaS) for hosting web applications. Use the following resources to get started with Python.

+| Action | Resources |

+| | |

+| **Create your first Python app** | Using one of the following tools:<br><br>- [Flask - CLI](./quickstart-python.md?tabs=flask%2Cwindows%2Cazure-cli%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Flask - Visual Studio Code](./quickstart-python.md?tabs=flask%2Cwindows%2Cvscode-aztools%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - CLI](./quickstart-python.md?tabs=django%2Cwindows%2Cazure-cli%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - Visual Studio Code](./quickstart-python.md?tabs=django%2Cwindows%2Cvscode-aztools%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli)<br>- [Django - Azure portal](./quickstart-python.md?tabs=django%2Cwindows%2Cazure-portal%2Cvscode-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli) |

+| **Deploy your app** | - [Configure Python](configure-language-python.md)<br>- [GitHub actions](./deploy-github-actions.md) |

+| **Monitor your app**| - [Log stream](./troubleshoot-diagnostic-logs.md#stream-logs)<br>- [Diagnose and solve tool](./overview-diagnostics.md)|

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** | - [Postgres - CLI](./tutorial-python-postgresql-app.md?tabs=flask%2Cwindows&pivots=deploy-azd)<br>- [Postgres - Azure portal](./tutorial-python-postgresql-app.md?tabs=flask%2Cwindows&pivots=deploy-portal)|

+| **Custom containers** |- [Linux - Visual Studio Code](./quickstart-custom-container.md?tabs=python&pivots=container-linux-vscode)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual Network](./configure-vnet-integration-enable.md)|

+[Azure App Service](./overview.md) is a fully managed platform as a service (PaaS) for hosting web applications. Use the following resources to get started with Node.js.

+| Action | Resources |

+| | |

+| **Create your first Node app** | Using one of the following tools:<br><br>- [Visual Studio Code](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-vscode)<br>- [CLI](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-cli)<br>- [Azure portal](./quickstart-nodejs.md?tabs=linux&pivots=development-environment-azure-portal) |

+| **Deploy your app** | - [Configure Node](./configure-language-nodejs.md?pivots=platform-linux)<br>- [GitHub actions](./deploy-github-actions.md) |

+| **Monitor your app**| - [Log stream](./troubleshoot-diagnostic-logs.md#stream-logs)<br>- [Diagnose and solve tool](./overview-diagnostics.md)|

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** | - [MongoDB](./tutorial-nodejs-mongodb-app.md)|

+| **Custom containers** |- [Linux - Visual Studio Code](./quickstart-custom-container.md?tabs=node&pivots=container-linux-vscode)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual Network](./configure-vnet-integration-enable.md)|

+[Azure App Service](./overview.md) is a fully managed platform as a service (PaaS) for hosting web applications. Use the following resources to get started with Java.

+| Action | Resources |

+| | |

+| **Create your first Java app** | Using one of the following tools:<br><br>- [Linux - Maven](./quickstart-java.md?tabs=javase&pivots=platform-linux-development-environment-maven)<br>- [Linux - Azure portal](./quickstart-java.md?tabs=javase&pivots=platform-linux-development-environment-azure-portal)<br>- [Windows - Maven](./quickstart-java.md?tabs=javase&pivots=platform-windows-development-environment-maven)<br>- [Windows - Azure portal](./quickstart-java.md?tabs=javase&pivots=platform-windows-development-environment-azure-portal) |

+| **Deploy your app** | - [Configure Java](./configure-language-java.md?pivots=platform-linux)<br>- [Deploy War](./deploy-zip.md?tabs=cli#deploy-warjarear-packages)<br>- [GitHub actions](./deploy-github-actions.md) |

+| **Monitor your app**| - [Log stream](./troubleshoot-diagnostic-logs.md#stream-logs)<br>- [Diagnose and solve tool](./overview-diagnostics.md)|

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** |- [Java Spring with Cosmos DB](./tutorial-java-spring-cosmosdb.md)|

+| **Custom containers** |- [Linux - Visual Studio Code](./quickstart-custom-container.md?tabs=python&pivots=container-linux-vscode)|

+| **Review best practices** | - [Scale your app](./manage-scale-up.md)<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual Network](./configure-vnet-integration-enable.md)|

+[Azure App Service](./overview.md) is a fully managed platform as a service (PaaS) for hosting web applications. Use the following resources to get started with PHP.

+| Action | Resources |

+| | |

+| **Create your first PHP app** | Using one of the following tools:<br><br>- [Linux - CLI](./quickstart-php.md?tabs=cli&pivots=platform-linux)<br>- [Linux - Azure portal](./quickstart-php.md?tabs=portal&pivots=platform-linux) |

+| **Deploy your app** | - [Configure PHP](./configure-language-php.md?pivots=platform-linux)<br>- [Deploy via FTP](./deploy-ftp.md?tabs=portal)|

+| **Monitor your app**|- [Troubleshoot with Azure Monitor](./tutorial-troubleshoot-monitor.md)<br>- [Log stream](./troubleshoot-diagnostic-logs.md#stream-logs)<br>- [Diagnose and solve tool](./overview-diagnostics.md)|

+| **Add domains & certificates** |- [Map a custom domain](./app-service-web-tutorial-custom-domain.md?tabs=root%2Cazurecli)<br>- [Add SSL certificate](./configure-ssl-certificate.md)|

+| **Connect to a database** | - [MySQL with PHP](./tutorial-php-mysql-app.md)|

+| **Custom containers** |- [Multi-container](./quickstart-multi-container.md)|

+| **Review best practices** | - [Scale your app]()<br>- [Deployment](./deploy-best-practices.md)<br>- [Security](/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json)<br>- [Virtual Network](./configure-vnet-integration-enable.md)|

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn about App Service](./overview.md)

+This article gives reasons on why Azure Application Gateway returns specific HTTP response codes. Common causes and troubleshooting steps are provided to help you determine the root cause of error HTTP Response code. HTTP response codes can be returned to a client request whether or not a connection was initiated to a backend target.

+- The request is not compliant to RFC.

+Some of the common reasons for the request to be non-compliant to RFC is listed.So review the urls/requests from the clients and ensure it's compliant to RFC.

+| Category | Examples |

+| - | - |

+| Invalid Host in request line | Host containing two colons (example.com:**8090:8080**) |

+| Missing Host Header | Request doesn't have Host Header |

+| Presence of malformed or illegal character | Reserved characters are **&,!.** Workaround is to percent code it like %& |

+| Invalid HTTP version | Get /content.css HTTP/**0.3** |

+| Header field name and URI contains non-ASCII Character | GET /**«úü¡»¿**.doc HTTP/1.1 |

+| Missing Content Length header for POST request | Self Explanatory |

+| Invalid HTTP Method | **GET123** /https://docsupdatetracker.net/index.html HTTP/1.1 |

+| Duplicate Headers | Authorization:\<base64 encoded content\>,Authorization: \<base64 encoded content\> |

+| Invalid value in Content-Length | Content-Length: **abc**,Content-Length: **-10**|

+HTTP 403 Forbidden is presented when customers are utilizing WAF skus and have WAF configured in Prevention mode. If enabled WAF rulesets or custom deny WAF rules match the characteristics of an inbound request, the client is presented a 403 forbidden response.

+An HTTP 408 response can be observed when client requests to the frontend listener of application gateway don't respond back within 60 seconds. This error can be observed due to traffic congestion between on-premises networks and Azure, when virtual appliance inspects the traffic traffic, or the client itself becomes overwhelmed.

+An HTTP 499 response is presented if a client request that is sent to application gateways using v2 sku is closed before the server finished responding. This error can be observed in 2 scenarios. First scenario is when a large response is returned to the client and the client may have closed or refreshed their application before the server finished sending the large response. Second scenario is the timeout on the client side is low and does not wait long enough to receive the response from server. In this case it is better to increase the timeout on the client. In application gateways using v1 sku, an HTTP 0 response code may be raised for the client closing the connection before the server has finished responding as well.

+Azure Application Gateway shouldn't exhibit 500 response codes. Open a support request if you see this code, because this issue is an internal error to the service. For information on how to open a support case, see [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+Azure application Gateway V2 SKU sent HTTP 504 errors if the backend response time exceeds the time-out value which is configured in the Backend Setting.

+

+ Title: Listener TLS certificate management in Application Gateway

+# TLS certificates management for listeners

+Listener TLS/SSL certificates in Application Gateway are used for terminating client TLS connection at the gateway. This function is analogous to uploading a certificate on a web server to support TLS/HTTPS connections from clients/browsers.

+## TLS Certificate structure

+The TLS/SSL certificates on application gateway are stored in local certificate objects or containers. This certificate containerΓÇÖs reference is then supplied to listeners to support TLS connections for clients. Refer to this illustration for better understanding.

+> [!IMPORTANT]

+> The **TLS certificate for Listeners** (TLS termination/End-to-end TLS) is a **Generally available** feature. Only its Portal management experience ([released in March 2023](https://azure.microsoft.com/updates/public-preview-listener-tls-certificates-management-available-in-the-azure-portal/)) is referred to as Preview.

+Before you can use Form Recognizer containers in disconnected environments, you must first fill out and [submit a request form](../../../cognitive-services/containers/disconnected-containers.md#request-access-to-use-containers-in-disconnected-environments) and [purchase a commitment plan](../../../cognitive-services/containers/disconnected-containers.md#purchase-a-commitment-plan-to-use-containers-in-disconnected-environments).

+* [Deploy the Sample Labeling tool to an Azure Container Instance (ACI)](../deploy-label-tool.md#deploy-with-azure-container-instances-aci)

+* [Change or end a commitment plan](../../../cognitive-services/containers/disconnected-containers.md#purchase-a-different-commitment-plan-for-disconnected-containers)

+* "LogAnalytics/Behavior": false

+Specify your existing workspace in the `LogAnalytics/Workspace` line. Set the `LogAnalytics/Behavior` setting to true if you would like this log analytics workspace to be used in all cases. This means that any machine with this custom profile will use this workspace, even it is already connected to one. By default, the `LogAnalytics/Behavior` is set to false. If your machine is already connected to a workspace, then that workspace will continue to be used. If it's not connected to a workspace, then the workspace specified in `LogAnalytics\Workspace` will be used.

+- East Asia

+- Korea Central

+- Norway East

+- Sweden Central

+You can use the Bicep template to create a new Hybrid Worker group, create a new Azure Windows VM and add it to an existing Hybrid Worker Group. Learn more about [Bicep](../azure-resource-manager/bicep/overview.md).

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+1. Create either an Azure VM or Arc-enabled server. Alternatively, you can also use an existing Azure VM or Arc-enabled server.

+1. Connect the Azure VM or Arc-enabled server to the above created Hybrid Worker Group.

+1. Generate a new GUID and pass it as the name of the Hybrid Worker.

+1. Enable System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+1. Create either an Azure VM or Arc-enabled server. Alternatively, you can also use an existing Azure VM or Arc-enabled server.

+1. Connect the Azure VM or Arc-enabled server to the above created Hybrid Worker Group.

+1. Generate a new GUID and pass it as the name of the Hybrid Worker.

+1. Enable System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+You can use Azure CLI to create a new Hybrid Worker group, create a new Azure VM, add it to an existing Hybrid Worker Group and install the Hybrid Worker extension. Learn more aboutΓÇ»[Azure CLI](https://learn.microsoft.com/cli/azure/what-is-azure-cli).

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+ ```azurecli-interactive

+ az automation hrwg create --automation-account-name accountName --resource-group groupName --name hybridrunbookworkergroupName

+ ```

+1. Create an Azure VM or Arc-enabled server and add it to the above created Hybrid Worker Group. Use the below command to add an existing Azure VM or Arc-enabled Server to the Hybrid Worker Group. Generate a new GUID and pass it as `hybridRunbookWorkerGroupName`. To fetch `vmResourceId`, go to the **Properties** tab of the VM on Azure portal.

+ ```azurecli-interactive

+ az automation hrwg hrw create --automation-account-name accountName --resource-group groupName --hybrid-runbook-worker-group-name hybridRunbookWorkerGroupName --hybrid-runbook-worker-id

+ ```

+1. Follow the steps [here](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM

+ ```azurecli-interactive

+ az vm extension set --name HybridWorkerExtension --publisher Microsoft.Azure.Automation.HybridWorker --version 1.1 --vm-name <vmname> -g <resourceGroupName> \

+ --settings '{"AutomationAccountURL" = "<registration-url>";}' --enable-auto-upgrade true

+ ```

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+You can use PowerShell cmdlets to create a new Hybrid Worker group, create a new Azure VM, add it to an existing Hybrid Worker Group and install the Hybrid Worker extension.

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+ ```powershell-interactive

+ New-AzAutomationHybridRunbookWorkerGroup -AutomationAccountName "Contoso17" -Name "RunbookWorkerGroupName" -ResourceGroupName "ResourceGroup01"

+ ```

+1. Create an Azure VM or Arc-enabled server and add it to the above created Hybrid Worker Group. Use the below command to add an existing Azure VM or Arc-enabled Server to the Hybrid Worker Group. Generate a new GUID and pass it as `hybridRunbookWorkerGroupName`. To fetch `vmResourceId`, go to the **Properties** tab of the VM on Azure portal.

+ ```azurepowershell

+ New-AzAutomationHybridRunbookWorker -AutomationAccountName "Contoso17" -Name "RunbookWorkerName" -HybridRunbookWorkerGroupName "RunbookWorkerGroupName" -VmResourceId "VmResourceId" -ResourceGroupName "ResourceGroup01"

+ ```

+1. Follow the steps [here](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+

+ **Hybrid Worker extension settings**

+ ```powershell-interactive

+ $settings = @{

+ "AutomationAccountURL" = "<registrationurl>";

+ };

+ ```

+

+ **Azure VMs**

+ ```powershell

+ Set-AzVMExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -VMName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForWindows -TypeHandlerVersion 1.1 -Settings $settings -EnableAutomaticUpgrade $true/$false

+ ```

+ **Azure Arc-enabled VMs**

+ ```powershell

+ New-AzConnectedMachineExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -MachineName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForWindows -TypeHandlerVersion 1.1 -Setting $settings -NoWait -EnableAutomaticUpgrade

+ ```

+1. To confirm if the extension has been successfully installed on the VM, In **Azure portal**, go to the VM > **Extensions** tab and check the status of Hybrid Worker extension installed on the VM.

+**Manage Hybrid Worker Extension**

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+1. Create either an Azure VM or Arc-enabled server. Alternatively, you can also use an existing Azure VM or Arc-enabled server.

+1. Connect the Azure VM or Arc-enabled server to the above created Hybrid Worker Group.

+1. Generate a new GUID and pass it as the name of the Hybrid Worker.

+1. Enable System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+1. Create either an Azure VM or Arc-enabled server. Alternatively, you can also use an existing Azure VM or Arc-enabled server.

+1. Connect the Azure VM or Arc-enabled server to the above created Hybrid Worker Group.

+1. Generate a new GUID and pass it as the name of the Hybrid Worker.

+1. Enable System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+You can use Azure CLI to create a new Hybrid Worker group, create a new Azure VM, add it to an existing Hybrid Worker Group and install the Hybrid Worker extension. Learn more aboutΓÇ»[Azure CLI](https://learn.microsoft.com/cli/azure/what-is-azure-cli).

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+ ```azurecli-interactive

+ az automation hrwg create --automation-account-name accountName --resource-group groupName --name hybridrunbookworkergroupName

+ ```

+1. Create an Azure VM or Arc-enabled server and add it to the above created Hybrid Worker Group. Use the below command to add an existing Azure VM or Arc-enabled Server to the Hybrid Worker Group. Generate a new GUID and pass it as `hybridRunbookWorkerGroupName`. To fetch `vmResourceId`, go to the **Properties** tab of the VM on Azure portal.

+ ```azurecli-interactive

+ az automation hrwg hrw create --automation-account-name accountName --resource-group groupName --hybrid-runbook-worker-group-name hybridRunbookWorkerGroupName --hybrid-runbook-worker-id

+ ```

+1. Follow the steps [here](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM

+ ```azurecli-interactive

+ az vm extension set --name HybridWorkerExtension --publisher Microsoft.Azure.Automation.HybridWorker --version 1.1 --vm-name <vmname> -g <resourceGroupName> \

+ --settings '{"AutomationAccountURL" = "<registration-url>";}' --enable-auto-upgrade true

+ ```

+1. To confirm if the extension has been successfully installed on the VM, in **Azure portal**, go to the VM > **Extensions** tab and check the status of the Hybrid Worker extension installed on the VM.

+You can use PowerShell cmdlets to create a new Hybrid Worker group, create a new Azure VM, add it to an existing Hybrid Worker Group and install the Hybrid Worker extension.

+Follow the steps mentioned below as an example:

+1. Create a Hybrid Worker Group.

+ ```powershell-interactive

+ New-AzAutomationHybridRunbookWorkerGroup -AutomationAccountName "Contoso17" -Name "RunbookWorkerGroupName" -ResourceGroupName "ResourceGroup01"

+ ```

+1. Create an Azure VM or Arc-enabled server and add it to the above created Hybrid Worker Group. Use the below command to add an existing Azure VM or Arc-enabled Server to the Hybrid Worker Group. Generate a new GUID and pass it as `hybridRunbookWorkerGroupName`. To fetch `vmResourceId`, go to the **Properties** tab of the VM on Azure portal.

+ ```azurepowershell

+ New-AzAutomationHybridRunbookWorker -AutomationAccountName "Contoso17" -Name "RunbookWorkerName" -HybridRunbookWorkerGroupName "RunbookWorkerGroupName" -VmResourceId "VmResourceId" -ResourceGroupName "ResourceGroup01"

+ ```

+1. Follow the steps [here](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

+1. Install Hybrid Worker Extension on the VM.

+

+ **Hybrid Worker extension settings**

+ ```powershell-interactive

+ $settings = @{

+ "AutomationAccountURL" = "<registrationurl>";

+ };

+ ```

+

+ **Azure VMs**

+ ```powershell

+ Set-AzVMExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -VMName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForWindows -TypeHandlerVersion 1.1 -Settings $settings -EnableAutomaticUpgrade $true/$false

+ ```

+ **Azure Arc-enabled VMs**

+ ```powershell

+ New-AzConnectedMachineExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -MachineName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForWindows -TypeHandlerVersion 1.1 -Setting $settings -NoWait -EnableAutomaticUpgrade

+ ```

+1. To confirm if the extension has been successfully installed on the VM, In **Azure portal**, go to the VM > **Extensions** tab and check the status of Hybrid Worker extension installed on the VM.

+**Manage Hybrid Worker Extension**

+ Title: Quickstart for using Azure App Configuration in Azure Kubernetes Service (preview) | Microsoft Docs

+description: "In this quickstart, create an Azure Kubernetes Service with an ASP.NET core web app workload and use the Azure App Configuration Kubernetes Provider to load key-values from App Configuration store."

+ms.devlang: csharp

+#Customer intent: As an Azure Kubernetes Service user, I want to manage all my app settings in one place using Azure App Configuration.

+# Quickstart: Use Azure App Configuration in Azure Kubernetes Service (preview)

+In Kubernetes, you set up pods to consume configuration from ConfigMaps. It lets you decouple configuration from your container images, making your applications easily portable. [Azure App Configuration Kubernetes Provider](https://mcr.microsoft.com/product/azure-app-configuration/kubernetes-provider/about) can construct ConfigMaps and Secrets from your key-values and Key Vault references in Azure App Configuration. It enables you to take advantage of Azure App Configuration for the centralized storage and management of your configuration without any changes to your application code.

+In this quickstart, you incorporate Azure App Configuration Kubernetes Provider in an Azure Kubernetes Service workload where you run a simple ASP.NET Core app consuming configuration from environment variables.

+## Prerequisites

+* An App Configuration store. [Create a store](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store).

+* An Azure Container Registry. [Create a registry](/azure/aks/tutorial-kubernetes-prepare-acr#create-an-azure-container-registry).

+* An Azure Kubernetes Service (AKS) cluster that is granted permission to pull images from your Azure Container Registry. [Create an AKS cluster](/azure/aks/tutorial-kubernetes-deploy-cluster#create-a-kubernetes-cluster).

+* [.NET Core SDK](https://dotnet.microsoft.com/download)

+* [Azure CLI](/cli/azure/install-azure-cli)

+* [Docker Desktop](https://www.docker.com/products/docker-desktop/)

+* [helm](https://helm.sh/docs/intro/install/)

+* [kubectl](https://kubernetes.io/docs/tasks/tools/)

+> [!TIP]

+> The Azure Cloud Shell is a free, interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET Core SDK. If you're logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md)

+>

+## Create an application running in AKS

+In this section, you will create a simple ASP.NET Core web application running in Azure Kubernetes Service (AKS). The application reads configuration from the environment variables defined in a Kubernetes deployment. In the next section, you will enable it to consume configuration from Azure App Configuration without changing the application code. If you already have an AKS application that reads configuration from environment variables, you can skip this section and go to [Use App Configuration Kubernetes Provider](#use-app-configuration-kubernetes-provider).

+### Create an application

+1. Use the .NET Core command-line interface (CLI) and run the following command to create a new ASP.NET Core web app project in a new *MyWebApp* directory:

+

+ ```dotnetcli

+ dotnet new webapp --output MyWebApp --framework net6.0

+ ```

+1. Open *Index.cshtml* in the Pages directory, and update the content with the following code.

+

+ ```html

+ @page

+ @model IndexModel

+ @using Microsoft.Extensions.Configuration

+ @inject IConfiguration Configuration

+ @{

+ ViewData["Title"] = "Home page";

+ }

+ <style>

+ h1 {

+ color: @Configuration["Settings:FontColor"];

+ }

+ </style>

+ <div class="text-center">

+ <h1>@Configuration["Settings:Message"]</h1>

+ </div>

+ ```

+### Containerize the application

+1. Run the [dotnet publish](/dotnet/core/tools/dotnet-publish) command to build the app in release mode and create the assets in the *published* folder.

+

+ ```dotnetcli

+ dotnet publish -c Release -o published

+ ```

+1. Create a file named *Dockerfile* at the root of your project directory, open it in a text editor, and enter the following content. A Dockerfile is a text file that doesn't have an extension and that is used to create a container image.

+ ```dockerfile

+ FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS runtime

+ WORKDIR /app

+ COPY published/ ./

+ ENTRYPOINT ["dotnet", "MyWebApp.dll"]

+ ```

+1. Build a container image named *aspnetapp* by running the following command.

+ ```docker

+ docker build --tag aspnetapp .

+ ```

+### Push the image to Azure Container Registry

+1. Run the [az acr login](/cli/azure/acr#az-acr-login) command to login your container registry. The following example logs into a registry named *myregistry*. Replace the registry name with yours.

+ ```azurecli

+ az acr login --name myregistry

+ ```

+ The command returns `Login Succeeded` once login is successful.

+1. Use [docker tag](https://docs.docker.com/engine/reference/commandline/tag/) to create a tag *myregistry.azurecr.io/aspnetapp:v1* for the image *aspnetapp*.

+ ```docker

+ docker tag aspnetapp myregistry.azurecr.io/aspnetapp:v1

+ ```

+ > [!TIP]

+ > To review the list of your existing docker images and tags, run `docker image ls`. In this scenario, you should see at least two images: `aspnetapp` and `myregistry.azurecr.io/aspnetapp`.

+1. Use [docker push](https://docs.docker.com/engine/reference/commandline/push/) to upload the image to the container registry. For example, the following command pushes the image to a repository named *aspnetapp* with tag *v1* under the registry *myregistry*.

+ ```docker

+ docker push myregistry.azurecr.io/aspnetapp:v1

+ ```

+### Deploy the application

+1. Create a *Deployment* directory in the root directory of your project.

+1. Add a *deployment.yaml* file to the *Deployment* directory with the following content to create a deployment. Replace the value of `template.spec.containers.image` with the image you created in the previous step.

+ ```yaml

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+ name: aspnetapp-demo

+ labels:

+ app: aspnetapp-demo

+ spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: aspnetapp-demo

+ template:

+ metadata:

+ labels:

+ app: aspnetapp-demo

+ spec:

+ containers:

+ - name: aspnetapp

+ image: myregistry.azurecr.io/aspnetapp:v1

+ ports:

+ - containerPort: 80

+ env:

+ - name: Settings__Message

+ value: "Message from the local configuration"

+ - name: Settings__FontColor

+ value: "Black"

+ ```

+1. Add a *service.yaml* file to the *Deployment* directory with the following content to create a LoadBalancer service.

+

+ ```yaml

+ apiVersion: v1

+ kind: Service

+ metadata:

+ name: aspnetapp-demo-service

+ spec:

+ type: LoadBalancer

+ ports:

+ - port: 80

+ selector:

+ app: aspnetapp-demo

+ ```

+1. Run the following command to deploy the application to the AKS cluster.

+ ```console

+ kubectl create namespace appconfig-demo

+ kubectl apply -f ./Deployment -n appconfig-demo

+ ```

+1. Run the following command and get the External IP address exposed by the LoadBalancer service.

+

+ ```console

+ kubectl get service configmap-demo-service -n appconfig-demo

+ ```

+1. Open a browser window, and navigate to the IP address obtained in the previous step. The web page looks like this:

+ 

+## Use App Configuration Kubernetes Provider

+Now that you have an application running in AKS, you'll deploy the App Configuration Kubernetes Provider to your AKS cluster running as a Kubernetes controller. The provider retrieves data from your App Configuration store and creates a ConfigMap, which is consumable as environment variables by your application.

+### Setup the Azure App Configuration store

+1. Add following key-values to the App Configuration store and leave **Label** and **Content Type** with their default values. For more information about how to add key-values to a store using the Azure portal or the CLI, go to [Create a key-value](./quickstart-azure-app-configuration-create.md#create-a-key-value).

+ |**Key**|**Value**|

+ |||

+ |Settings__FontColor|*Green*|

+ |Settings__Message|*Hello from Azure App Configuration*|

+

+1. [Enabling the system-assigned managed identity on the Virtual Machine Scale Sets of your AKS cluster](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#enable-system-assigned-managed-identity-on-an-existing-virtual-machine-scale-set). This allows the App Configuration Kubernetes Provider to use the managed identity to connect to your App Configuration store.

+1. Grant read access to your App Configuration store by [assigning the managed identity the App Configuration Data Reader role](/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity#grant-access-to-app-configuration).

+### Install App Configuration Kubernetes Provider to AKS cluster

+1. Run the following command to get access credentials for your AKS cluster. Replace the value of the `name` and `resource-group` parameters with your AKS instance:

+

+ ```console

+ az aks get-credentials --name <your-aks-instance-name> --resource-group <your-aks-resource-group>

+ ```

+1. Install Azure App Configuration Kubernetes Provider to your AKS cluster using `helm`:

+

+ ```console

+ helm install azureappconfiguration.kubernetesprovider \

+ oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \

+ --version 1.0.0-preview \

+ --namespace azappconfig-system \

+ --create-namespace

+ ```

+1. Add an *appConfigurationProvider.yaml* file to the *Deployment* directory with the following content to create an `AzureAppConfigurationProvider` resource. `AzureAppConfigurationProvider` is a custom resource that defines what data to download from an Azure App Configuration store and creates a ConfigMap.

+ Replace the value of the `endpoint` field with the endpoint of your Azure App Configuration store.

+

+ ```yaml

+ apiVersion: azconfig.io/v1beta1

+ kind: AzureAppConfigurationProvider

+ metadata:

+ name: appconfigurationprovider-sample

+ spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ ```

+

+ > [!NOTE]

+ > `AzureAppConfigurationProvider` is a declarative API object. It defines the desired state of the ConfigMap created from the data in your App Configuration store with the following behavior:

+ >

+ > - The ConfigMap will fail to be created if a ConfigMap with the same name already exists in the same namespace.

+ > - The ConfigMap will be reset based on the present data in your App Configuration store if it's deleted or modified by any other means.

+ > - The ConfigMap will be deleted if the App Configuration Kubernetes Provider is uninstalled.

+2. Update the *deployment.yaml* file in the *Deployment* directory to use the ConfigMap `configmap-created-by-appconfig-provider` for environment variables.

+

+ Replace the `env` section

+ ```yaml

+ env:

+ - name: Settings__Message

+ value: "Message from the local configuration"

+ - name: Settings__FontColor

+ value: "Black"

+ ```

+ with

+ ```yaml

+ envFrom:

+ - configMapRef:

+ name: configmap-created-by-appconfig-provider

+ ```

+3. Run the following command to deploy the changes. Replace the namespace if you are using your existing AKS application.

+

+ ```console

+ kubectl apply -f ./Deployment -n appconfig-demo

+ ```

+4. Refresh the browser. The page shows updated content.

+ 

+### Troubleshooting

+If you don't see your application picking up the data from your App Configuration store, run the following command to validate that the ConfigMap is created properly.

+```console

+kubectl get configmap configmap-created-by-appconfig-provider -n appconfig-demo

+```

+If the ConfigMap is not created properly, run the following command to get the data retrieval status.

+```console

+kubectl get AzureAppConfigurationProvider appconfigurationprovider-sample -n appconfig-demo -o yaml

+```

+If the Azure App Configuration Kubernetes Provider retrieved data from your App Configuration store successfully, the `phase` property under the status section of the output should be `COMPLETE`, as shown in the following example.

+```console

+$ kubectl get AzureAppConfigurationProvider appconfigurationprovider-sample -n appconfig-demo -o yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+ ... ... ...

+status:

+ lastReconcileTime: "2023-04-06T06:17:06Z"

+ lastSyncTime: "2023-04-06T06:17:06Z"

+ message: Complete sync settings to ConfigMap or Secret

+ phase: COMPLETE

+```

+If the phase is not `COMPLETE`, the data isn't downloaded from your App Configuration store properly. Run the following command to show the logs of the Azure App Configuration Kubernetes Provider.

+```console

+kubectl logs deployment/az-appconfig-k8s-provider -n azappconfig-system

+```

+Use the logs for further troubleshooting. For example, if you see requests to your App Configuration store are responded with *RESPONSE 403: 403 Forbidden*, it may indicate the App Configuration Kubernetes Provider doesn't have the necessary permission to access your App Configuration store. Follow the instructions in [Setup the Azure App Configuration store](#setup-the-azure-app-configuration-store) to ensure the managed identity is enabled and it's assigned the proper permission.

+## Clean up resources

+Uninstall the App Configuration Kubernetes Provider from your AKS cluster if you want to keep the AKS cluster.

+```console

+helm uninstall azureappconfiguration.kubernetesprovider --namespace azappconfig-system

+```

+## Summary

+In this quickstart, you:

+* Created an application running in Azure Kubernetes Service (AKS).

+* Connected your AKS cluster to your App Configuration store using the App Configuration Kubernetes Provider.

+* Created a ConfigMap with data from your App Configuration store.

+* Ran the application with configuration from your App Configuration store without changing your application code.

+> - Distributed availability groups can be set up for either General Purpose or Business Critical service tiers.

+## Prerequisites

+The following prerequisites must be met before setting up failover groups between two Azure Arc-enabled SQL managed instances:

+- An Azure Arc data controller and an Arc enabled SQL managed instance provisioned at the primary site with `--license-type` as one of `BasePrice` or `LicenseIncluded`.

+- An Azure Arc data controller and an Arc enabled SQL managed instance provisioned at the secondary site with identical configuration as the primary in terms of:

+ - CPU

+ - Memory

+ - Storage

+ - Service tier

+ - Collation

+ - Other instance settings

+- The instance at the secondary site requires `--license-type` as `DisasterRecovery`

+> [!NOTE]

+> - It is important to specify the `--license-type` **during** the Azure Arc-enabled SQL MI creation. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.

+## Deployment process

+To set up an Azure failover group between two Azure Arc-enabled SQL managed instances, complete the following steps:

+1. Copy the binary data from the mirroring certificates

+ either in `sync` mode or `async` mode

+

+## Synchronization modes

+Failover groups in Azure Arc data services support two synchronization modes - `sync` and `async`. The synchronization mode directly impacts how the data is synchronized between the Azure Arc-enabled SQL managed instances, and potentially the performance on the primary managed instance.

+If primary and secondary sites are within a few miles of each other, use `sync` mode. Otherwise use `async` mode to avoid any performance impact on the primary site.

+## Configure Azure failover group - direct mode

+Follow the steps below if the Azure Arc data services are deployed in `directly` connected mode.

+Once the prerequisites are met, run the below command to set up Azure failover group between the two Azure Arc-enabled SQL managed instances:

+```azurecli

+az sql instance-failover-group-arc create --name <name of failover group> --mi <primary SQL MI> --partner-mi <Partner MI> --resource-group <name of RG> --partner-resource-group <name of partner MI RG>

+```

+Example:

+```azurecli

+az sql instance-failover-group-arc create --name sql-fog --mi sql1 --partner-mi sql2 --resource-group rg-name --partner-resource-group rg-name

+```

+The above command:

+1. Creates the required custom resources on both primary and secondary sites

+1. Copies the mirroring certificates and configures the failover group between the instances

+## Configure Azure failover group - indirect mode

+Follow the steps below if Azure Arc data services are deployed in `indirectly` connected mode.

+ > [!NOTE]

+ > It is important to specify `--license-type DisasterRecovery` **during** the Azure Arc-enabled SQL MI creation. This will allow the DR instance to be seeded from the primary instance in the primary data center. Updating this property post deployment will not have the same effect.

+3. Mirroring certificates - The binary data inside the Mirroring Certificate property of the Azure Arc-enabled SQL MI is needed for the Instance Failover Group CR (Custom Resource) creation.

+ (a) If using `az` CLI, generate the mirroring certificate file first, and then point to that file while configuring the Instance Failover Group so the binary data is read from the file and copied over into the CR. The cert files are not needed after failover group creation.

+ (b) If using `kubectl`, directly copy and paste the binary data from the Azure Arc-enabled SQL MI CR into the yaml file that will be used to create the Instance Failover Group.

+ az sql instance-failover-group-arc create --shared-name <name of failover group> --name <name for primary failover group resource> --mi <local SQL managed instance name> --role primary --partner-mi <partner SQL managed instance name> --partner-mirroring-url tcp://<secondary IP> --partner-mirroring-cert-file <secondary.pem> --k8s-namespace <namespace> --use-k8s

+ On the secondary instance, run the following command to set up the failover group custom resource. The `--partner-mirroring-cert-file` in this case should point to a path that has the mirroring certificate file generated from the primary instance as described in 3(a) above.

+ az sql instance-failover-group-arc create --shared-name <name of failover group> --name <name for secondary failover group resource> --mi <local SQL managed instance name> --role secondary --partner-mi <partner SQL managed instance name> --partner-mirroring-url tcp://<primary IP> --partner-mirroring-cert-file <primary.pem> --k8s-namespace <namespace> --use-k8s

+## Retrieve Azure failover group health state

+Information about the failover group such as primary role, secondary role, and the current health status can be viewed on the custom resource on either primary or secondary site.

+Run the below command on primary and/or the secondary site to list the failover groups custom resource:

+```azurecli

+kubectl get fog -n <namespace>

+```

+Describe the custom resource to retrieve the failover group status, as follows:

+```azurecli

+kubectl describe fog <failover group cr name> -n <namespace>

+```

+## Failover group operations

+Once the failover group is set up between the managed instances, different failover operations can be performed depending on the circumstances.

+Possible failover scenarios are:

+- The Azure Arc-enabled SQL managed instances at both sites are in healthy state and a failover needs to be performed:

+ + perform a manual failover from primary to secondary without data loss by setting `role=secondary` on the primary SQL MI.

+

+- Primary site is unhealthy/unreachable and a failover needs to be performed:

+

+ + the primary Azure Arc-enabled SQL managed instance is down/unhealthy/unreachable

+ + the secondary Azure Arc-enabled SQL managed instance needs to be force-promoted to primary with potential data loss

+ + when the original primary Azure Arc-enabled SQL managed instance comes back online, it will report as `Primary` role and unhealthy state and needs to be forced into a `secondary` role so it can join the failover group and data can be synchronized.

+

+## Manual failover (without data loss)

+Use `az sql instance-failover-group-arc update ...` command group to initiate a failover from primary to secondary. Any pending transactions on the geo-primary instance are replicated over to the geo-secondary instance before the failover.

+### Directly connected mode

+Run the following command to initiate a manual failover, in `direct` connected mode using ARM APIs:

+```azurecli

+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <primary Azure Arc-enabled SQL MI> --role secondary --resource-group <resource group>

+```

+Example:

+```azurecli

+az sql instance-failover-group-arc update --name myfog --mi sqlmi1 --role secondary --resource-group myresourcegroup

+```

+### Indirectly connected mode

+Run the following command to initiate a manual failover, in `indirect` connected mode using kubernetes APIs:

+az sql instance-failover-group-arc update --name <name of failover group resource> --role secondary --k8s-namespace <namespace> --use-k8s

+## Forced failover with data loss

+On the geo-secondary DR instance, run the following command to promote it to primary role, with data loss.

+> [!NOTE]

+> If the `--partner-sync-mode` was configured as `sync`, it needs to be reset to `async` when the secondary is promoted to primary.

+### Directly connected mode

+```azurecli

+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <secondary Azure Arc-enabled SQL MI> --role force-primary-allow-data-loss --resource-group <resource group> --partner-sync-mode async

+```

+Example:

+az sql instance-failover-group-arc update --name myfog --mi sqlmi2 --role force-primary-allow-data-loss --resource-group myresourcegroup --partner-sync-mode async

+### Indirectly connected mode

+```azurecli

+az sql instance-failover-group-arc update --k8s-namespace my-namespace --name secondarycr --use-k8s --role force-primary-allow-data-loss --partner-sync-mode async

+```

+When the geo-primary Azure Arc-enabled SQL MI instance becomes available, run the below command to bring it into the failover group and synchronize the data:

+### Directly connected mode

+```azurecli

+az sql instance-failover-group-arc update --name <shared name of failover group> --mi <old primary Azure Arc-enabled SQL MI> --role force-secondary --resource-group <resource group>

+```

+### Indirectly connected mode

+az sql instance-failover-group-arc update --k8s-namespace my-namespace --name secondarycr --use-k8s --role force-secondary

+Optionally, the `--partner-sync-mode` can be configured back to `sync` mode if desired.

+At this point, if you plan to continue running the production workload off of the secondary site, the `--license-type` needs to be updated to either `BasePrice` or `LicenseIncluded` to initiate billing for the vCores consumed.

+## Next steps

+[Overview: Azure Arc-enabled SQL Managed Instance business continuity](managed-instance-business-continuity-overview.md)

+## April 12, 2023

+### Image tag

+`v1.18.0_2023-04-11`

+For complete release version information, see [Version log](version-log.md#april-11-2023).

+New for this release:

+- Azure Arc-enabled SQL Managed Instance

+ - Direct mode for failover groups is generally available az CLI

+- Arc PostgreSQL

+ - Ensure postgres extensions work per database/role

+ - Arc PostgreSQL | Upload metrics/logs to Azure Monitor

+When planning for the deployment of Azure Arc data services, plan the correct amount of:

+- Compute

+- Memory

+- Storage

+These resources are required for:

+- The data controller

+- SQL managed instances

+- PostgreSQL servers

+Because Azure Arc-enabled data services deploy on Kubernetes, you have the flexibility of adding more capacity to your Kubernetes cluster over time by compute nodes or storage. This guide explains minimum requirements and recommends sizes for some common requirements.

+When you deploy with Azure CLI (az), use a power of two number to set the memory values. Specifically, use the suffixes:

+- `Ki`

+- `Mi`

+- `Gi`

+A minimum size Azure Arc-enabled data services deployment could be considered to be the Azure Arc data controller plus one SQL managed instance plus one PostgreSQL server. For this configuration, you need at least 16-GB RAM and 4 cores of _available_ capacity on your Kubernetes cluster. You should ensure that you have a minimum Kubernetes node size of 8-GB RAM and 4 cores and a sum total capacity of 16-GB RAM available across all of your Kubernetes nodes. For example, you could have 1 node at 32-GB RAM and 4 cores or you could have 2 nodes with 16-GB RAM and 4 cores each.

+|Pod name|CPU request|Memory request|CPU limit|Memory limit|

+||||||

+|**`bootstrapper`**|`100m`|`100Mi`|`200m`|`200Mi`|

+|**`control`**|`400m`|`2Gi`|`1800m`|`2Gi`|

+|**`controldb`**|`200m`|`4Gi`|`800m`|`6Gi`|

+|**`logsdb`**|`200m`|`1600Mi`|`2`|`1600Mi`|

+|**`logsui`**|`100m`|`500Mi`|`2`|`2Gi`|

+|**`metricsdb`**|`200m`|`800Mi`|`400m`|`2Gi`|

+|**`metricsdc`**|`100m`|`200Mi`|`200m`|`300Mi`|

+|**`metricsui`**|`20m`|`200Mi`|`500m`|`200Mi`|

+`metricsdc` is a `daemonset`, which is created on each of the Kubernetes nodes in your cluster. The numbers in the table are _per node_. If you set `allowNodeMetricsCollection = false` in your deployment profile file before you create the data controller, this `daemonset` isn't created.

+You can override the default settings for the `controldb` and control pods in your data controller YAML file. Example:

+|CPU request|Minimum: 1<br/> Maximum: 24<br/> Default: 2|Minimum: 1<br/> Maximum: unlimited<br/> Default: 4|

+|CPU limit|Minimum: 1<br/> Maximum: 24<br/> Default: 2|Minimum: 1<br/> Maximum: unlimited<br/> Default: 4|

+|Memory request|Minimum: `2Gi`<br/> Maximum: `128Gi`<br/> Default: `4Gi`|Minimum: `2Gi`<br/> Maximum: unlimited<br/> Default: `4Gi`|

+|Memory limit|Minimum: `2Gi`<br/> Maximum: `128Gi`<br/> Default: `4Gi`|Minimum: `2Gi`<br/> Maximum: unlimited<br/> Default: `4Gi`|

+|`fluentbit`|`100m`|`100Mi`|Not specified|Not specified|The `fluentbit` container resource requests are _in addition to_ the requests specified for the SQL managed instance.|

+|`arc-sqlmi`|User specified or not specified.|User specified or not specified.|User specified or not specified.|User specified or not specified.|

+|`collectd`|Not specified|Not specified|Not specified|Not specified|

+The default volume size for all persistent volumes is `5Gi`.

+- Memory: `256Mi`

+|`fluentbit`|`100m`|`100Mi`|Not specified|Not specified|The `fluentbit` container resource requests are _in addition to_ the requests specified for the PostgreSQL server.|

+|`postgres`|User specified or not specified.|User specified or `256Mi` (default).|User specified or not specified.|User specified or not specified.||

+|`arc-postgresql-agent`|Not specified|Not specified|Not specified|Not specified||

+The overall size of an environment required for Azure Arc-enabled data services is primarily a function of the number and size of the database instances. The overall size can be difficult to predict ahead of time knowing that the number of instances may grow and shrink and the amount of resources that are required for each database instance can change.

+The baseline size for a given Azure Arc-enabled data services environment is the size of the data controller, which requires 4 cores and 16-GB RAM. From there, add the cumulative total of cores and memory required for the database instances. SQL Managed Instance requires one pod for each instance. PostgreSQL server creates one pod for each server.

+In addition to the cores and memory you request for each database instance, you should add `250m` of cores and `250Mi` of RAM for the agent containers.

+### Example sizing calculation

+- **"SQL1"**: 1 SQL managed instance with 16-GB RAM, 4 cores

+- **"SQL2"**: 1 SQL managed instance with 256-GB RAM, 16 cores

+- **"Postgres1"**: 1 PostgreSQL server at 12-GB RAM, 4 cores

+- The size of "SQL1" is: `1 pod * ([16Gi RAM, 4 cores] + [250Mi RAM, 250m cores])`. For the agents per pod use `16.25 Gi` RAM and 4.25 cores.

+- The size of "SQL2" is: `1 pod * ([256Gi RAM, 16 cores] + [250Mi RAM, 250m cores])`. For the agents per pod use `256.25 Gi` RAM and 16.25 cores.

+- The total size of SQL 1 and SQL 2 is:

+ - `(16.25 GB + 256.25 Gi) = 272.5-GB RAM`

+ - `(4.25 cores + 16.25 cores) = 20.5 cores`

+- The size of "Postgres1" is: `1 pod * ([12Gi RAM, 4 cores] + [250Mi RAM, 250m cores])`. For the agents per pod use `12.25 Gi` RAM and `4.25` cores.

+- The total capacity required:

+ - For the database instances:

+ - 272.5-GB RAM

+ - 20.5 cores

+ - For SQL:

+ - 12.25-GB RAM

+ - 4.25 cores

+ - For PostgreSQL server

+ - 284.75-GB RAM

+ - 24.75 cores

+- The total capacity required for the database instances plus the data controller is:

+ - For the database instance

+ - 284.75-GB RAM

+ - 24.75 cores

+ - For the data controller

+ - 16-GB RAM

+ - 4 cores

+ - In total:

+ - 300.75-GB RAM

+ - 28.75 cores.

+Keep in mind that a given database instance size request for cores or RAM cannot exceed the available capacity of the Kubernetes nodes in the cluster. For example, if the largest Kubernetes node you have in your Kubernetes cluster is 256-GB RAM and 24 cores, you can't create a database instance with a request of 512-GB RAM and 48 cores.

+Maintain at least 25% of available capacity across the Kubernetes nodes. This capacity allows Kubernetes to:

+- Efficiently schedule pods to be created

+- Enable elastic scaling

+- Supports rolling upgrades of the Kubernetes nodes

+- Facilitates longer term growth on demand

+In your sizing calculations, add the resource requirements of the Kubernetes system pods and any other workloads, which may be sharing capacity with Azure Arc-enabled data services on the same Kubernetes cluster.

+To maintain high availability during planned maintenance and disaster continuity, plan for at least one of the Kubernetes nodes in your cluster to be unavailable at any given point in time. Kubernetes attempts to reschedule the pods that were running on a given node that was taken down for maintenance or due to a failure. If there is no available capacity on the remaining nodes those pods won't be rescheduled for creation until there is available capacity again. Be extra careful with large database instances. For example, if there is only one Kubernetes node big enough to meet the resource requirements of a large database instance and that node fails, then Kubernetes won't schedule that database instance pod onto another Kubernetes node.

+Your Kubernetes administrator may have set up [resource quotas](https://kubernetes.io/docs/concepts/policy/resource-quotas/) on your namespace/project. Keep these quotas in mind when planning your database instance sizes.

+ Title: Troubleshoot configuration - Azure Arc-enabled SQL Managed Instance

+description: Describes how to troubleshoot configuration. Includes steps to provide configuration files for Azure Arc-enabled SQL Managed Instance Azure Arc-enabled data services

+# User-provided configuration files

+Arc data services provide management of configuration settings and files in the system. The system generates configuration files such as `mssql.conf`, `mssql.json`, `krb5.conf` using the user-provided settings in the custom resource spec and some system-determined settings. The scope of what settings are supported and what changes can be made to the configuration files using the custom resource spec evolves over time. You may need to try changes in the configuration files that aren't possible through the settings on the custom resource spec.

+To alleviate this problem, you can provide configuration file content for a selected set of files through a Kubernetes `ConfigMap`. The information in the `ConfigMap` effectively overrides the file content that the system would have otherwise generated. This content allows you to try some configuration settings.

+For Arc SQL Managed Instance, the supported configuration files that you can override using this method are:

+- `mssql.conf`

+- `mssql.json`

+- `krb5.conf`

+## Steps to provide override configuration files

+1. Prepare the content of the configuration file

+ Prepare the content of the file that you would like to provide an override for.

+1. Create a `ConfigMap`

+ Create a `ConfigMap` spec to store the content of the configuration file. The key in the `ConfigMap` dictionary should be the name of the file, and the value should be the content.

+ You can provide file overrides for multiple configuration files in one `ConfigMap`.

+ The `ConfigMap` must be in the same namespace as the SQL Managed Instance.

+ The following spec shows an example of how to provide an override for mssql.conf file:

+ ```json

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: sqlmifo-cm

+ namespace: test

+ data:

+ mssql.conf: "[language]\r\nlcid = 1033\r\n\r\n[licensing]\r\npid = GeneralPurpose\r\n\r\n[network]\r\nforceencryption = 0\r\ntlscert = /var/run/secrets/managed/certificates/mssql/mssql-certificate.pem\r\ntlsciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384\r\ntlskey = /var/run/secrets/managed/certificates/mssql/mssql-privatekey.pem\r\ntlsprotocols = 1.2\r\n\r\n[sqlagent]\r\nenabled = False\r\n\r\n[telemetry]\r\ncustomerfeedback = false\r\n\r\n"

+ ```

+ Apply the `ConfigMap` in Kubernetes using `kubectl apply -f <filename>`.

+1. Provide the name of the ConfigMap in SQL Managed Instance spec

+ In SQL Managed Instance spec, provide the name of the ConfigMap in the field `spec.fileOverrideConfigMap`.

+ The SQL Managed Instance `apiVersion` must be at least v12 (released in April 2023).

+ The following SQL Managed Instance spec shows an example of how to provide the name of the ConfigMap.

+ ```json

+ apiVersion: sql.arcdata.microsoft.com/v12

+ kind: SqlManagedInstance

+ metadata:

+ name: sqlmifo

+ namespace: test

+ spec:

+ fileOverrideConfigMap: sqlmifo-cm

+ ...

+ ```

+ Apply the SQL Managed Instance spec in Kubernetes. This action leads to the delivery of the provided configuration files to Arc SQL Managed Instance container.

+1. Check that the files are downloaded in the `arc-sqlmi` container.

+ The locations of supported files in the container are:

+ - `mssql.conf`: `/var/run/config/mssql/mssql.conf`

+ - `mssql.json`: `/var/run/config/mssql/mssql.json`

+ - `krb5.conf`: `/etc/krb5.conf`

+## Next steps

+[Get logs to troubleshoot Azure Arc-enabled data services](troubleshooting-get-logs.md)

+5. Expand Custom Logs at the bottom of the list of tables and you will see a table called 'sql_instance_logs_CL' or 'postgresInstances_postgresql_logs_CL'.

+In your favorite text/code editor, add the following script to the file and save as a script executable file - such as `.sh` (Linux/Mac), `.cmd`, `.bat`, or `.ps1` (Windows).

+In the **direct** connected mode, metrics upload can only be set up in **automatic** mode. This automatic upload of metrics can be set up either during deployment of Azure Arc data controller or post deployment.

+Choose sql server or postgres as the metric namespace.

+Select the metric you want to visualize (you can also select multiple).

+Change the frequency to last 30 minutes.

+In your favorite text/code editor, add the following script to the file and save as a script executable file such as `.sh` (Linux/Mac), `.cmd`, `.bat`, or `.ps1`.

+The following extensions are deployed by default in the containers of your Azure Arc-enabled PostgreSQL server, some of them are standard [`contrib`](https://www.postgresql.org/docs/14/contrib.html) extensions:

+## Enable extensions in Arc-enabled PostgreSQL server

+You can create an Arc-enabled PostgreSQL server with any of the supported extensions enabled by passing a comma separated list of extensions to the `--extensions` parameter of the `create` command.

+*NOTE*: Enabled extensions are added to the configuration ``shared_preload_libraries``. Extensions must be installed in your database before you can use it. To install a particular extension, you should run the [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html) command. This command loads the packaged objects into your database.

+For example, connect to your database and issue the following PostgreSQL command to install pgaudit extension:

+```SQL

+CREATE EXTENSION pgaudit;

+```

+## Update extensions

+You can run the kubectl describe command to get the current list of enabled extensions:

+Check whether the extension is installed after connecting to the database by running following PostgreSQL command:

+```SQL

+select * from pg_extension;

+```

+Enable new extensions by appending them to the existing list, or remove extensions by removing them from the existing list. Pass the desired list to the update command. For example, to add `pgcrypto` and remove `pg_partman` from the server in the example above:

+Once allowed extensions list is updated. Connect to the database and install newly added extension by the following command:

+```SQL

+CREATE EXTENSION pgcrypto;

+```

+Similarly, to remove an extension from an existing database issue the command [`DROP EXTENSION`](https://www.postgresql.org/docs/current/sql-dropextension.html) :

+```SQL

+DROP EXTENSION pg_partman;

+```

+## Show the list of installed extensions

+Connect to your database with the client tool of your choice and run the standard PostgreSQL query:

+```SQL

+## April 11, 2023

+|Component|Value|

+|--|--|

+|Container images tag |`v1.18.0_2023-04-11`|

+|**CRD names and version:**| |

+|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1|

+|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5|

+|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2|

+|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4|

+|`monitors.arcdata.microsoft.com`| v1beta1, v1, v2|

+|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6|

+|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v12|

+|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2|

+|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1|

+|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|`redis.arcdata.microsoft.com`| v1beta1|

+|Azure Resource Manager (ARM) API version|2023-01-15-preview|

+|`arcdata` Azure CLI extension version|1.4.13 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.18.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))|

+## Version 1.24 - November 2022

+Download for [Windows](https://download.microsoft.com/download/f/9/d/f9d60cc9-7c2a-4077-b890-f6a54cc55775/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- `azcmagent logs` improvements:

+ - Only the most recent log file for each component is collected by default. To collect all log files, use the new `--full` flag.

+ - Journal logs for the agent services are now collected on Linux operating systems

+ - Logs from extensions are now collected

+- Agent telemetry is no longer sent to `dc.services.visualstudio.com`. You may be able to remove this URL from any firewall or proxy server rules if no other applications in your environment require it.

+- Failed extension installs can now be retried without removing the old extension as long as the extension settings are different

+- Increased the [resource limits](agent-overview.md#agent-resource-governance) for the Azure Update Management Center extension on Linux to reduce downtime during update operations

+### Fixed

+- Improved logic for detecting machines running on Azure Stack HCI to reduce false positives

+- Auto-registration of required resource providers only happens when they are unregistered

+- Agent will now detect drift between the proxy settings of the command line tool and background services

+- Fixed a bug with proxy bypass feature that caused the agent to incorrectly use the proxy server for bypassed URLs

+- Improved error handling when extensions don't download successfully, fail validation, or have corrupt state files

+Download for [Windows](https://download.microsoft.com/download/3/9/8/398f6036-958d-43c4-ad7d-4576f1d860a#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/1/3/5/135f1f2b-7b14-40f6-bceb-3af4ebadf434/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+- The agent retains extension allow and blocklists when switching the agent from monitoring mode to full mode. Use [azcmagent config clear](manage-agent.md#config) to reset individual configuration settings to the default state.

+Download for [Windows](https://download.microsoft.com/download/#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/f/b/1/fb143ada-1b82-4d19-a125-40f2b352e257/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/8/9/f/89f80a2b-32c3-43e8-b3b8-fce6cea8e2cf/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/2/5/6/25685d0f-2895-4b80-9b1d-5ba53a46097f/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/e/#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/0/7/4/074a7a9e-1d86-4588-8297-b4e587ea0307/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/e/8/1/e816ff18-251b-4160-b421-a4f8ab9c2bfe/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/8/#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/9/e/e/9eec9acb-53f1-4416-9e10-afdd8e5281ad/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/6/d/b/6dbf7141-0bf0-4b18-93f5-20de4018369d/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/1/c/4/1c4a0bde-0b6c-4c52-bdaf-04851c567f43/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/5/1/d/51d4340b-c927-4fc9-a0da-0bb8556338d0/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/1/7/5/1758f4ea-3114-4a20-9113-6bc5fff1c3e8/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/6/1/c/61c69f31-8e22-4298-ac9d-47cd2090c81d/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/d/3/d/d3df034a-d231-4ca6-9199-dbaa139b1eaf/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/1/d/4/1d44ef2e-dcc9-42e4-b76c-2da6a6e852af/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/e/b/1/eb128465-8830-47b0-b89e-051eefd33f7c/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/5/4/c/54c2afd8-e559-41ab-8aa2-cc39bc13156b/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/4/c/2/4c287d81-6657-4cd8-9254-881ae6a2d1f4/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+- Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.

+## Version 1.29 - April 2023

+Download for [Windows](https://download.microsoft.com/download/2/7/0/27063536-949a-4b16-a29a-3d1dcb29cff7/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- The agent now compares the time on the local system and Azure service when checking network connectivity and creating the resource in Azure. If the clocks are offset by more than 120 seconds (2 minutes), a non-blocking error will be printed to the console. You may encounter TLS connection errors if the time of your computer does not match the time in Azure.

+- `azcmagent show` now supports an `--os` flag to print additional OS information to the console

+### Fixed

+- Resolved a rare condition under which the guest configuration service (gc_service) could consume excessive CPU resources

+- Removed "sudo" calls in internal install script that could be blocked if SELinux is enabled

+- Reduced how long network checks wait before determining a network endpoint is unreachable

+- Stopped writing error messages in "himds.log" referring to a missing certificate key file for the ATS agent, an inactive component reserved for future use.

+Download for [Windows](https://download.microsoft.com/download/5/9/7/59789af8-5833-4c91-8dc5-91c46ad4b54f/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/8/4/5/845d5e04-bb09-4ed2-9ca8-bb51184cddc9/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+Download for [Windows](https://download.microsoft.com/download/2/#installing-a-specific-version-of-the-agent)

+## Installing a specific version of the agent

+Microsoft recommends using the most recent version of the Azure Connected Machine agent for the best experience. However, if you need to run an older version of the agent for any reason, you can follow these instructions to install a specific version of the agent.

+### [Windows](#tab/windows)

+Links to the current and previous releases of the Windows agents are available below the heading of each [release note](agent-release-notes.md). If you're looking for an agent version that's more than 6 months old, check out the [release notes archive](agent-release-notes-archive.md).

+### [Linux - apt](#tab/linux-apt)

+1. If you haven't already, configure your package manager with the [Linux Software Repository for Microsoft Products](/windows-server/administration/linux-package-repository-for-microsoft-software).

+1. Search for available agent versions with `apt-cache`:

+ ```bash

+ sudo apt-cache madison azcmagent

+ ```

+1. Find the version you want to install, replace `VERSION` in the following command with the full (4-part) version number, and run the command to install the agent:

+ ```bash

+ sudo apt install azcmagent=VERSION

+ ```

+ For example, to install version 1.28, the install command is:

+ ```bash

+ sudo apt install azcmagent=1.28.02260.736

+ ```

+### [Linux - yum](#tab/linux-yum)

+1. If you haven't already, configure your package manager with the [Linux Software Repository for Microsoft Products](/windows-server/administration/linux-package-repository-for-microsoft-software).

+1. Search for available agent versions with `yum list`:

+ ```bash

+ sudo yum list azcmagent --showduplicates

+ ```

+1. Find the version you want to install, replace `VERSION` in the following command with the full (4-part) version number, and run the command to install the agent:

+ ```bash

+ sudo yum install azcmagent-VERSION

+ ```

+ For example, to install version 1.28, the install command would look like:

+ ```bash

+ sudo yum install azcmagent-1.28.02260-755

+ ```

+### [Linux - zypper](#tab/linux-zypper)

+1. If you haven't already, configure your package manager with the [Linux Software Repository for Microsoft Products](/windows-server/administration/linux-package-repository-for-microsoft-software).

+1. Search for available agent versions with `zypper search`:

+ ```bash

+ sudo zypper search -s azcmagent

+ ```

+1. Find the version you want to install, replace `VERSION` in the following command with the full (4-part) version number, and run the command to install the agent:

+ ```bash

+ sudo zypper install -f azcmagent-VERSION

+ ```

+ For example, to install version 1.28, the install command would look like:

+ ```bash

+ sudo zypper install -f azcmagent-1.28.02260-755

+ ```

+We expect that most Azure Cache for Redis customers aren't affected by the change. Your application might be affected if it explicitly specifies a list of acceptable certificates, a practice known as ΓÇ£certificate pinningΓÇ¥. If it's pinned to an intermediate or leaf certificate instead of the Baltimore CyberTrust Root, you should **take immediate actions** to change the certificate configuration.

+Azure Cache for Redis doesn't support [OCSP stapling](https://docs.redis.com/latest/rs/security/certificates/ocsp-stapling/).

+ Enable **Non-TLS access only** if you plan to connect to the new cache without using TLS. Disabling TLS is **not** recommended, however. You can't change the eviction policy or clustering policy of an Enterprise cache instance after you create it. If you're using this cache instance in a replication group, be sure to know the policies of your primary nodes before you create the cache. For more information on replication, see [Active geo-replication prerequisites](cache-how-to-active-geo-replication.md#active-geo-replication-prerequisites).

+The Azure Maps C# SDK supports functionality available in the Azure Maps [Rest API], like searching for an address, routing between different coordinates, and getting the geo-location of a specific IP address. This article introduces the C# REST SDK with examples to help you get started building location-aware applications in C# that incorporates the power of Azure Maps.

+> Azure Maps C# SDK supports any .NET version that is compatible with [.NET standard] version 2.0 or higher. For an interactive table, seeΓÇ»[.NET Standard versions].

+- [Azure Maps account].

+- [Subscription key] or other form of [Authentication with Azure Maps].

+- [.NET standard] version 2.0 or higher.

+The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a `TokenCredential` object with the Azure Maps client ID when authenticating using Azure Active Directory (Azure AD). For more information on authentication, see [Authentication with Azure Maps].

+You can authenticate with Azure AD using the [Azure Identity library][Identity library .NET]. To use the [DefaultAzureCredential][defaultazurecredential.NET] provider, you need to install the Azure Identity client library for .NET:

+You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps.

+> The other environment variables created in the previous code snippet, while not used in the code sample, are required by `DefaultAzureCredential()`. If you do not set these environment variables correctly, using the same naming conventions, you will get run-time errors. For example, if your `AZURE_CLIENT_ID` is missing or invalid you will get an `InvalidAuthenticationTokenTenant` error.

+The above code snippet demonstrates how to create a `MapsSearchClient` object using your Azure credentials, then uses its [FuzzySearch] method, passing in the point of interest (POI) name "_Starbucks_" and coordinates _GeoPosition(-122.31, 47.61)_. The SDK packages and sends the results to the Azure Maps REST endpoints. When the search results are returned, they're written out to the screen using `Console.WriteLine`.

+The `SearchAddress` method returns results ordered by confidence score and since `searchResult.Results.First()` is used, only the coordinates of the first result are returned.

+Azure Maps Search also provides some batch query methods. These methods return Long Running Operations (LRO) objects. The requests might not return all the results immediately, so users can choose to wait until completion or query the result periodically. The following example demonstrates how to call the batched reverse search methods:

+In the above example, two queries are passed to the batched reverse search request. To get the LRO results, you have few options. The first option is to pass `WaitUntil.Completed` to the method. The request waits until all requests are finished and return the results:

+Another option is to pass `WaitUntil.Started`. The request returns immediately, and you need to manually poll the results:

+The third method requires the operation ID to get the results, which is cached on the server side for 14 days:

+The [Azure.Maps Namespace] in the .NET documentation.

+[.NET Standard versions]: https://dotnet.microsoft.com/platform/dotnet-standard#versions

+[Authentication with Azure Maps]: azure-maps-authentication.md

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Azure.Maps Namespace]: /dotnet/api/azure.maps

+[defaultazurecredential.NET]: /dotnet/api/overview/azure/identity-readme?view=azure-dotnet#defaultazurecredential

+[FuzzySearch]: /dotnet/api/azure.maps.search.mapssearchclient.fuzzysearch

+[geolocation readme]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/maps/Azure.Maps.Geolocation/README.md

+[geolocation sample]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/maps/Azure.Maps.Geolocation/samples

+[geolocation package]: https://www.nuget.org/packages/Azure.Maps.geolocation

+[Host a daemon on non-Azure resources]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

+[Identity library .NET]: /dotnet/api/overview/azure/identity-readme?view=azure-dotnet

+[rendering package]: https://www.nuget.org/packages/Azure.Maps.Rendering

+[rendering readme]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/maps/Azure.Maps.Rendering/README.md

+[rendering sample]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/maps/Azure.Maps.Rendering/samples

+[search package]: https://www.nuget.org/packages/Azure.Maps.Search

+[search readme]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/maps/Azure.Maps.Search/README.md

+[search sample]: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/maps/Azure.Maps.Search/samples

+[Subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+The following PowerShell code snippet demonstrates how to use PowerShell to create a maven project. First, run the maven command to create a maven project:

+| `-DartifactId` | Project name. It's created as a new folder. |

+To use the Azure Maps Java SDK, you need to install all required packages. Each service in Azure Maps is available in its own package. The Azure Maps services include Search, Render, Traffic, Weather, etc. You only need to install the packages for the service or services used in your project.

+Once the maven project is created, there should be a `pom.xml` file with basic information such as group ID, name, artifact ID. Next, add a dependency for each of the Azure Maps services, as the following example demonstrates:

+You can authenticate with Azure AD using the [Azure Identity library][Identity library]. To use the [DefaultAzureCredential] provider, you need to add the mvn dependency in the `pom.xml` file:

+You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps.

+> The other environment variables created in the previous code snippet, while not used in the code sample, are required by are required by `DefaultAzureCredential()`. If you do not set these environment variables correctly, using the same naming conventions, you will get run-time errors. For example, if your `AZURE_CLIENT_ID` is missing or invalid you will get an `InvalidAuthenticationTokenTenant` error.

+Azure Maps Search also provides some batch query methods. These methods return Long Running Operations (LRO) objects. The requests might not return all the results immediately, so users can choose to wait until completion or query the result periodically as demonstrated in the batch reverse search method:

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[defaultazurecredential]: /azure/developer/java/sdk/identity-azure-hosted-auth#default-azure-credential

+[Host daemon]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

+[Identity library]: /java/api/overview/azure/identity-readme?source=recommendations&view=azure-java-stable

+[Subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+[java elevation package]: https://repo1.maven.org/maven2/com/azure/azure-maps-elevation

+[java elevation readme]: https://github.com/Azure/azure-sdk-for-jav

+[java elevation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-elevation/src/samples/java/com/azure/maps/elevation/samples

+[java geolocation readme]: https://github.com/Azure/azure-sdk-for-jav

+[java geolocation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-geolocation/src/samples/java/com/azure/maps/geolocation/samples

+[java geolocation package]: https://repo1.maven.org/maven2/com/azure/azure-maps-geolocation

+[java routing package]: https://repo1.maven.org/maven2/com/azure/azure-maps-route

+[java routing readme]: https://github.com/Azure/azure-sdk-for-jav

+[java routing sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-route/src/samples/java/com/azure/maps/route/samples

+[java search package]: https://repo1.maven.org/maven2/com/azure/azure-maps-search

+[java search readme]: https://github.com/Azure/azure-sdk-for-jav

+[java search sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-search/src/samples/java/com/azure/maps/search/samples

+[java timezone package]: https://repo1.maven.org/maven2/com/azure/azure-maps-timezone

+The Azure Maps JavaScript/TypeScript REST SDK (JavaScript SDK) supports searching using the Azure Maps [Search service], like searching for an address, fuzzy searching for a point of interest (POI), and searching by coordinates. This article helps you get started building location-aware applications that incorporate the power of Azure Maps.

+- [Subscription key] or other form of [Authentication with Azure Maps].

+The following example creates a new directory then a Node.js program named _mapsDemo_ using npm:

+To use Azure Maps JavaScript SDK, you need to install the search package. Each of the Azure Maps services including search, routing, rendering and geolocation are each in their own package.

+You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either an Azure Active Directory (Azure AD) credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps].

+You can authenticate with Azure AD using the [Azure Identity library]. To use the [DefaultAzureCredential] provider, you need to install the `@azure/identity` package:

+You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps.

+You can use a `.env` file for these variables. You need to install the [dotenv] package:

+Use a `.env` file to store the subscription key variable to accomplish this. You need to install the [dotenv] package to retrieve the value:

+This code snippet shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Azure AD credential](#using-an-azure-ad-credential) from the previous section. The `path` parameter specifies the API endpoint, which is "/search/fuzzy/{format}" in this case. The `get` method sends an HTTP GET request with the query parameters, such as `query`, `coordinates`, and `countryFilter`. The query searches for Starbucks locations near Seattle in the US. The SDK returns the results as a [FuzzySearchResult] object and writes them to the console. For more information, see the [FuzzySearchRequest] documentation.

+Azure Maps Search also provides some batch query methods. These methods return Long Running Operations (LRO) objects. The requests might not return all the results immediately, so you can use the poller to wait until completion. The following example demonstrates how to call batched reverse search method:

+In this example, three queries are passed into the helper function `createBatchItems` that is imported from `@azure-rest/maps-search`. This helper function composed the body of the batch request. The first query is invalid, see [Handing failed requests](#handing-failed-requests) for an example showing how to handle the invalid query.

+Handle failed requests by checking for the `error` property in the response batch item. See the `logResponseBody` function in the completed batch reverse search following example.

+[Authentication with Azure Maps]: azure-maps-authentication.md

+[Azure Core Authentication Package]: /javascript/api/@azure/core-auth/

+[Azure Identity library]: /javascript/api/overview/azure/identity-readme

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[dotenv]: https://github.com/motdotla/dotenv#readme

+[Host a daemon on non-Azure resources]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

+[js geolocation package]: https://www.npmjs.com/package/@azure-rest/maps-geolocation

+[js geolocation readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-geolocation-rest/README.md

+[js geolocation sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-geolocation-rest/samples/v1-beta

+[js render package]: https://www.npmjs.com/package/@azure-rest/maps-render

+[js render readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-render-rest/README.md

+[js render sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-render-rest/samples/v1-beta

+[js route package]: https://www.npmjs.com/package/@azure-rest/maps-route

+[js route readme]: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/maps/maps-route-rest/README.md

+[js route sample]: https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/maps/maps-route-rest/samples/v1-beta

+[JS-SDK]: /javascript/api/@azure-rest/maps-search

+[Search service]: /rest/api/maps/search

+[searchAddress]: /javascript/api/@azure-rest/maps-search/searchaddress

+[Subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+- [Subscription key] or other form of [Authentication with Azure Maps].

+You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either an Azure Active Directory (Azure AD) credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps].

+You can authenticate with Azure AD using the [Azure Identity package]. To use the [DefaultAzureCredential] provider, you need to install the Azure Identity client package:

+You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps.

+Next you need to specify the Azure Maps account you intend to use by specifying the maps’ client ID. The Azure Maps account client ID can be found in the Authentication sections of the Azure Maps account. For more information, see [View authentication details].

+After setting up the environment variables, you can use them in your program to instantiate the `AzureMapsSearch` client. Create a file named *demo.py* and add the following code:

+> The other environment variables created in the previous code snippet, while not used in the code sample, are required by `DefaultAzureCredential()`. If you do not set these environment variables correctly, using the same naming conventions, you will get run-time errors. For example, if your `AZURE_CLIENT_ID` is missing or invalid you will get an `InvalidAuthenticationTokenTenant` error.

+Once your environment variable is created, you can access it in your code. Create a file named *demo.py* and add the following code:

+This sample code instantiates `AzureKeyCredential` with the Azure Maps subscription key, then uses it to instantiate the `MapsSearchClient` object. The methods provided by `MapsSearchClient` forward the request to the Azure Maps REST endpoints. In the end, the program iterates through the results and prints the address and coordinates for each result.

+The `SearchAddress` method returns results ordered by confidence score and prints the coordinates of the first result.

+Azure Maps Search also provides some batch query methods. These methods return long-running operations (LRO) objects. The requests might not return all the results immediately, so users can choose to wait until completion or query the result periodically. The following examples demonstrate how to call the batched reverse search method.

+Since these return LRO objects, you need the `asyncio` method included in the `aiohttp` package:

+In the above example, three queries are passed to the batched reverse search request. To get the LRO results, the request creates a batch request with a batch ID as result that can be used to fetch batch response later. The LRO results are cached on the server side for 14 days.

+[Authentication with Azure Maps]: azure-maps-authentication.md

+

+ connectionString: "YOUR CONNECTION STRING",

+ connectionString: "YOUR CONNECTION STRING",

+ You can replace the asterisk (`*`) in `data-*` with any name following the [production rule of XML names](https://www.w3.org/TR/REC-xml/#NT-Name) with the following restrictions.

+| dntDataTag | String | `ai-dnt` | `data-ai-dnt`| The plug-in for capturing telemetry data ignores HTML elements with this attribute.|

+ connectionString: "YOUR CONNECTION STRING",

+The JavaScript snippet can be added to your webpages manually or via the automatic snippet injection.

+### Enable Application Insights SDK for JavaScript automatically

+The automatic Snippet injection feature available in the Application Insights .NET core SDK and the Application Insights Node.js SDK (preview)

+allows you to automatically inject the Application Insights JavaScript SDK into every webpage of your web application.

+For more information, see [Application Insights .NET core SDK Snippet Injection](./asp-net-core.md?tabs=netcorenew%2Cnetcore6#enable-client-side-telemetry-for-web-applications)

+and [Application Insights Node.js SDK Snippet Injection (preview)](./nodejs.md#automatic-web-instrumentationpreview).

+However, if you want more control over which pages to add the Application Insights JavaScript SDK

+or if you're using a programming language other than .NET and Node.js, please follow the manual configuration steps below.

+### Enable Application Insights SDK for JavaScript manually

+# [.NET 6.0+](#tab/dotnet6)

+```csharp

+using Microsoft.ApplicationInsights;

+using Microsoft.ApplicationInsights.Extensibility;

+using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;

+// Create a TelemetryConfiguration instance.

+TelemetryConfiguration config = TelemetryConfiguration.CreateDefault();

+config.InstrumentationKey = "INSTRUMENTATION-KEY-HERE";

+QuickPulseTelemetryProcessor quickPulseProcessor = null;

+config.DefaultTelemetrySink.TelemetryProcessorChainBuilder

+ .Use((next) =>

+ {

+ quickPulseProcessor = new QuickPulseTelemetryProcessor(next);

+ return quickPulseProcessor;

+ })

+ .Build();

+var quickPulseModule = new QuickPulseTelemetryModule();

+// Secure the control channel.

+// This is optional, but recommended.

+quickPulseModule.AuthenticationApiKey = "YOUR-API-KEY-HERE";

+quickPulseModule.Initialize(config);

+quickPulseModule.RegisterTelemetryProcessor(quickPulseProcessor);

+// Create a TelemetryClient instance. It is important

+// to use the same TelemetryConfiguration here as the one

+// used to set up Live Metrics.

+TelemetryClient client = new TelemetryClient(config);

+// This sample runs indefinitely. Replace with actual application logic.

+while (true)

+{

+ // Send dependency and request telemetry.

+ // These will be shown in Live Metrics.

+ // CPU/Memory Performance counter is also shown

+ // automatically without any additional steps.

+ client.TrackDependency("My dependency", "target", "http://sample",

+ DateTimeOffset.Now, TimeSpan.FromMilliseconds(300), true);

+ client.TrackRequest("My Request", DateTimeOffset.Now,

+ TimeSpan.FromMilliseconds(230), "200", true);

+ Task.Delay(1000).Wait();

+}

+```

+# [.NET 5.0](#tab/dotnet5)

+```csharp

+using Microsoft.ApplicationInsights;

+using Microsoft.ApplicationInsights.Extensibility;

+using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;

+using System;

+using System.Threading.Tasks;

+namespace LiveMetricsDemo

+{

+ internal class Program

+ static void Main(string[] args)

+ // Create a TelemetryConfiguration instance.

+ TelemetryConfiguration config = TelemetryConfiguration.CreateDefault();

+ config.InstrumentationKey = "INSTRUMENTATION-KEY-HERE";

+ QuickPulseTelemetryProcessor quickPulseProcessor = null;

+ config.DefaultTelemetrySink.TelemetryProcessorChainBuilder

+ .Use((next) =>

+ {

+ quickPulseProcessor = new QuickPulseTelemetryProcessor(next);

+ return quickPulseProcessor;

+ })

+ .Build();

+ var quickPulseModule = new QuickPulseTelemetryModule();

+ // Secure the control channel.

+ // This is optional, but recommended.

+ quickPulseModule.AuthenticationApiKey = "YOUR-API-KEY-HERE";

+ quickPulseModule.Initialize(config);

+ quickPulseModule.RegisterTelemetryProcessor(quickPulseProcessor);

+ // Create a TelemetryClient instance. It is important

+ // to use the same TelemetryConfiguration here as the one

+ // used to set up Live Metrics.

+ TelemetryClient client = new TelemetryClient(config);

+ // This sample runs indefinitely. Replace with actual application logic.

+ while (true)

+ // Send dependency and request telemetry.

+ // These will be shown in Live Metrics.

+ // CPU/Memory Performance counter is also shown

+ // automatically without any additional steps.

+ client.TrackDependency("My dependency", "target", "http://sample",

+ DateTimeOffset.Now, TimeSpan.FromMilliseconds(300), true);

+ client.TrackRequest("My Request", DateTimeOffset.Now,

+ TimeSpan.FromMilliseconds(230), "200", true);

+ Task.Delay(1000).Wait();

+ }

+ }

+ }

+}

+```

+# [.NET Framework](#tab/dotnet-framework)

+```csharp

+using Microsoft.ApplicationInsights;

+using Microsoft.ApplicationInsights.Extensibility;

+using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;

+using System;

+using System.Threading.Tasks;

+namespace LiveMetricsDemo

+{

+ class Program

+ {

+ static void Main(string[] args)

+ {

+ // Create a TelemetryConfiguration instance.

+ TelemetryConfiguration config = TelemetryConfiguration.CreateDefault();

+ config.InstrumentationKey = "INSTRUMENTATION-KEY-HERE";

+ QuickPulseTelemetryProcessor quickPulseProcessor = null;

+ config.DefaultTelemetrySink.TelemetryProcessorChainBuilder

+ .Use((next) =>

+ quickPulseProcessor = new QuickPulseTelemetryProcessor(next);

+ return quickPulseProcessor;

+ })

+ .Build();

+ var quickPulseModule = new QuickPulseTelemetryModule();

+ // Secure the control channel.

+ // This is optional, but recommended.

+ quickPulseModule.AuthenticationApiKey = "YOUR-API-KEY-HERE";

+ quickPulseModule.Initialize(config);

+ quickPulseModule.RegisterTelemetryProcessor(quickPulseProcessor);

+ // Create a TelemetryClient instance. It is important

+ // to use the same TelemetryConfiguration here as the one

+ // used to set up Live Metrics.

+ TelemetryClient client = new TelemetryClient(config);

+ // This sample runs indefinitely. Replace with actual application logic.

+ while (true)

+ {

+ // Send dependency and request telemetry.

+ // These will be shown in Live Metrics.

+ // CPU/Memory Performance counter is also shown

+ // automatically without any additional steps.

+ client.TrackDependency("My dependency", "target", "http://sample",

+ DateTimeOffset.Now, TimeSpan.FromMilliseconds(300), true);

+ client.TrackRequest("My Request", DateTimeOffset.Now,

+ TimeSpan.FromMilliseconds(230), "200", true);

+ Task.Delay(1000).Wait();

+}

+```

+# [.NET 6.0+](#tab/dotnet6)

+In the *Program.cs* file, add the following namespace:

+```csharp

+using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;

+Then add the following service registration:

+```csharp

+// Existing code which includes services.AddApplicationInsightsTelemetry() to enable Application Insights.

+builder.Services.ConfigureTelemetryModule<QuickPulseTelemetryModule> ((module, o) => module.AuthenticationApiKey = "YOUR-API-KEY-HERE");

+```

+# [.NET 5.0](#tab/dotnet5)

+In the *Startup.cs* file, add the following namespace:

+# [.NET Framework](#tab/dotnet-framework)

+In the *applicationinsights.config* file, add `AuthenticationApiKey` to `QuickPulseTelemetryModule`:

+```xml

+<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector">

+ <AuthenticationApiKey>YOUR-API-KEY-HERE</AuthenticationApiKey>

+</Add>

+```

+### Automatic web Instrumentation[Preview]

+ Automatic web Instrumentation can be enabled for node server via configuration

+```javascript

+let appInsights = require("applicationinsights");

+appInsights.setup("<connection_string>")

+ .enableWebInstrumentation(true)

+ .start();

+```

+or by setting environment variable `APPLICATIONINSIGHTS_WEB_INSTRUMENTATION_ENABLED = true`.

+Web Instrumentation will be enabled on node server responses when all of the following requirements are met:

+- Response has status code `200`.

+- Response method is `GET`.

+- Sever response has `Content-Type` html.

+- Server response contains both `<head>` and `</head>` Tags.

+- If response is compressed, it must have only one `Content-Encoding` type, and encoding type must be one of `gzip`, `br` or `deflate`.

+- Response does not contain current /backup web Instrumentation CDN endpoints. (current and backup Web Instrumentation CDN endpoints [here](https://github.com/microsoft/ApplicationInsights-JS#active-public-cdn-endpoints))

+web Instrumentation CDN endpoint can be changed by setting environment variable `APPLICATIONINSIGHTS_WEB_INSTRUMENTATION_SOURCE = "web Instrumentation CDN endpoints"`.

+web Instrumentation connection string can be changed by setting environment variable `APPLICATIONINSIGHTS_WEB_INSTRUMENTATION_CONNECTION_STRING = "web Instrumentation connection string"`

+> [!Note]

+> Web Instrumentation may slow down server response time, especially when response size is large or response is compressed. For the case in which some middle layers are applied, it may result in web Instrumentation not working and original response will be returned.

+1. Change the timestamp and values in the JSON file. Note that the 'time' value in the JSON file is expected to be in UTC.

+ Title: Application Insights API Access with Microsoft Azure Active Directory (Azure AD) Authentication

+description: Learn how to authenticate and access the Azure Monitor Application Insights APIs using Azure AD

+# Application Insights API Access with Microsoft Azure Active Directory (Azure AD) Authentication

+You can submit a query request to a workspace by using the Azure Monitor Log Analytics endpoint `https://api.loganalytics.azure.com`. To access the endpoint, you must authenticate through Azure Active Directory (Azure AD).

+>[!Note]

+> The `api.loganalytics.io` endpoint is being replaced by `api.loganalytics.azure.com`. The `api.loganalytics.io` endpoint will continue to be supported for the forseeable future.

+## Authenticate with a demo API key

+To quickly explore the API without Azure AD authentication, use the demonstration workspace with sample data, which supports API key authentication.

+To authenticate and run queries against the sample workspace, use `DEMO_WORKSPACE` as the {workspace-id} and pass in the API key `DEMO_KEY`.

+If either the Application ID or the API key is incorrect, the API service returns a [403](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error) (Forbidden) error.

+The API key `DEMO_KEY` can be passed in three different ways, depending on whether you want to use a header, the URL, or basic authentication:

+- **Custom header**: Provide the API key in the custom header `X-Api-Key`.

+- **Query parameter**: Provide the API key in the URL parameter `api_key`.

+- **Basic authentication**: Provide the API key as either username or password. If you provide both, the API key must be in the username.

+This example uses the workspace ID and API key in the header:

+```

+ POST https://api.loganalytics.azure.com/v1/workspaces/DEMO_WORKSPACE/query

+ X-Api-Key: DEMO_KEY

+ Content-Type: application/json

+

+ {

+ "query": "AzureActivity | summarize count() by Category"

+ }

+```

+## Public API endpoint

+The public API endpoint is:

+```

+ https://api.loganalytics.azure.com/{api-version}/workspaces/{workspaceId}

+```

+where:

+ - **api-version**: The API version. The current version is "v1."

+ - **workspaceId**: Your workspace ID.

+

+The query is passed in the request body.

+

+For example:

+ ```

+ https://api.loganalytics.azure.com/v1/workspaces/1234abcd-def89-765a-9abc-def1234abcde

+

+ Body:

+ {

+ "query": "Usage"

+ }

+```

+## Set up authentication

+To access the API, you register a client app with Azure AD and request a token.

+1. [Register an app in Azure AD](./register-app-for-token.md).

+1. On the app's overview page, select **API permissions**.

+1. Select **Add a permission**.

+1. On the **APIs my organization uses** tab, search for **Log Analytics** and select **Log Analytics API** from the list.

+ :::image type="content" source="../media/api-register-app/request-api-permissions.png" alt-text="A screenshot that shows the Request API permissions page.":::

+1. Select **Delegated permissions**.

+1. Select the **Data.Read** checkbox.

+1. Select **Add permissions**.

+ :::image type="content" source="../media/api-register-app/add-requested-permissions.png" alt-text="A screenshot that shows the continuation of the Request API permissions page.":::

+Now that your app is registered and has permissions to use the API, grant your app access to your Log Analytics workspace.

+1. From your **Log Analytics workspace** overview page, select **Access control (IAM)**.

+1. Select **Add role assignment**.

+ :::image type="content" source="../media/api-register-app/workspace-access-control.png" alt-text="A screenshot that shows the Access control page for a Log Analytics workspace.":::

+1. Select the **Reader** role and then select **Members**.

+ :::image type="content" source="../media/api-register-app/add-role-assignment.png" alt-text="A screenshot that shows the Add role assignment page for a Log Analytics workspace.":::

+1. On the **Members** tab, choose **Select members**.

+1. Enter the name of your app in the **Select** box.

+1. Select your app and choose **Select**.

+1. Select **Review + assign**.

+ :::image type="content" source="../media/api-register-app/select-members.png" alt-text="A screenshot that shows the Select members pane on the Add role assignment page for a Log Analytics workspace.":::

+1. After you finish the Active Directory setup and workspace permissions, request an authorization token.

+>[!Note]

+> For this example, we applied the Reader role. This role is one of many built-in roles and might include more permissions than you require. More granular roles and permissions can be created. For more information, see [Manage access to Log Analytics workspaces](../../logs/manage-access.md).

+## Request an authorization token

+Before you begin, make sure you have all the values required to make the request successfully. All requests require:

+- Your Azure AD tenant ID.

+- Your workspace ID.

+- Your Azure AD client ID for the app.

+- An Azure AD client secret for the app.

+The Log Analytics API supports Azure AD authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:

+- Client credentials

+- Authorization code

+- Implicit

+### Client credentials flow

+In the client credentials flow, the token is used with the Log Analytics endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Azure AD](./register-app-for-token.md).

+Use the `https://api.loganalytics.azure.com` endpoint.

+#### Client credentials token URL (POST request)

+```http

+ POST /<your-tenant-id>/oauth2/token

+ Host: https://login.microsoftonline.com

+ Content-Type: application/x-www-form-urlencoded

+

+ grant_type=client_credentials

+ &client_id=<app-client-id>

+ &resource=https://api.loganalytics.io

+ &client_secret=<app-client-secret>

+```

+A successful request receives an access token in the response:

+```http

+ {

+ token_type": "Bearer",

+ "expires_in": "86399",

+ "ext_expires_in": "86399",

+ "access_token": ""eyJ0eXAiOiJKV1QiLCJ.....Ax"

+ }

+```

+Use the token in requests to the Log Analytics endpoint:

+```http

+ POST /v1/workspaces/your workspace id/query?timespan=P1D

+ Host: https://api.loganalytics.azure.com

+ Content-Type: application/json

+ Authorization: bearer <your access token>

+ Body:

+ {

+ "query": "AzureActivity |summarize count() by Category"

+ }

+```

+Example response:

+```http

+ {

+ "tables": [

+ {

+ "name": "PrimaryResult",

+ "columns": [

+ {

+ "name": "OperationName",

+ "type": "string"

+ },

+ {

+ "name": "Level",

+ "type": "string"

+ },

+ {

+ "name": "ActivityStatus",

+ "type": "string"

+ }

+ ],

+ "rows": [

+ [

+ "Metric Alert",

+ "Informational",

+ "Resolved",

+ ...

+ ],

+ ...

+ ]

+ },

+ ...

+ ]

+ }

+```

+### Authorization code flow

+The main OAuth2 flow supported is through [authorization codes](/azure/active-directory/develop/active-directory-protocols-oauth-code). This method requires two HTTP requests to acquire a token with which to call the Azure Monitor Log Analytics API. There are two URLs, with one endpoint per request. Their formats are described in the following sections.

+#### Authorization code URL (GET request)

+```http

+ GET https://login.microsoftonline.com/YOUR_Azure AD_TENANT/oauth2/authorize?

+ client_id=<app-client-id>

+ &response_type=code

+ &redirect_uri=<app-redirect-uri>

+ &resource=https://api.loganalytics.io

+```

+When a request is made to the authorize URL, the client\_id is the application ID from your Azure AD app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Azure AD app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:

+```http

+ http://<app-client-id>/?code=AUTHORIZATION_CODE&session_state=STATE_GUID

+```

+At this point, you've obtained an authorization code, which you need now to request an access token.

+#### Authorization code token URL (POST request)

+```http

+ POST /YOUR_Azure AD_TENANT/oauth2/token HTTP/1.1

+ Host: https://login.microsoftonline.com

+ Content-Type: application/x-www-form-urlencoded

+

+ grant_type=authorization_code

+ &client_id=<app client id>

+ &code=<auth code fom GET request>

+ &redirect_uri=<app-client-id>

+ &resource=https://api.loganalytics.io

+ &client_secret=<app-client-secret>

+```

+All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Azure AD app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Azure AD app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.

+Response example:

+```http

+ {

+ "access_token": "eyJ0eXAiOiJKV1QiLCJ.....Ax",

+ "expires_in": "3600",

+ "ext_expires_in": "1503641912",

+ "id_token": "not_needed_for_log_analytics",

+ "not_before": "1503638012",

+ "refresh_token": "eyJ0esdfiJKV1ljhgYF.....Az",

+ "resource": "https://api.loganalytics.io",

+ "scope": "Data.Read",

+ "token_type": "bearer"

+ }

+```

+The access token portion of this response is what you present to the Log Analytics API in the `Authorization: Bearer` header. You can also use the refresh token in the future to acquire a new access\_token and refresh\_token when yours have gone stale. For this request, the format and endpoint are:

+```http

+ POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1

+ Host: https://login.microsoftonline.com

+ Content-Type: application/x-www-form-urlencoded

+

+ client_id=<app-client-id>

+ &refresh_token=<refresh-token>

+ &grant_type=refresh_token

+ &resource=https://api.loganalytics.io

+ &client_secret=<app-client-secret>

+```

+Response example:

+```http

+ {

+ "token_type": "Bearer",

+ "expires_in": "3600",

+ "expires_on": "1460404526",

+ "resource": "https://api.loganalytics.io",

+ "access_token": "eyJ0eXAiOiJKV1QiLCJ.....Ax",

+ "refresh_token": "eyJ0esdfiJKV1ljhgYF.....Az"

+ }

+```

+### Implicit code flow

+The Log Analytics API supports the OAuth2 [implicit flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant). For this flow, only a single request is required, but no refresh token can be acquired.

+#### Implicit code authorize URL

+```http

+ GET https://login.microsoftonline.com/YOUR_AAD_TENANT/oauth2/authorize?

+ client_id=<app-client-id>

+ &response_type=token

+ &redirect_uri=<app-redirect-uri>

+ &resource=https://api.loganalytics.io

+```

+A successful request produces a redirect to your redirect URI with the token in the URL:

+```http

+ http://YOUR_REDIRECT_URI/#access_token=YOUR_ACCESS_TOKEN&token_type=Bearer&expires_in=3600&session_state=STATE_GUID

+```

+This access\_token can be used as the `Authorization: Bearer` header value when it's passed to the Log Analytics API to authorize requests.

+## More information

+You can find documentation about OAuth2 with Azure AD here:

+ - [Azure AD authorization code flow](/azure/active-directory/develop/active-directory-protocols-oauth-code)

+ - [Azure AD implicit grant flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant)

+ - [Azure AD S2S client credentials flow](/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)

+## Next steps

+- [Request format](./request-format.md)

+- [Response format](./response-format.md)

+- [Querying logs for Azure resources](./azure-resource-queries.md)

+- [Batch queries](./batch-queries.md)

+If the **AWAIT_TIME** appears to be in framework code instead of your code, the Profiler could be showing:

+- The framework code used to execute the **AWAIT**

+- Code used for recording telemetry about the **AWAIT**

+You can uncheck the **Framework dependencies** checkbox at the top of the page to show only your code and make it easier to see where the **AWAIT** originates.

+- .NET Framework and ASP.NET applications running .NET Framework 4.6.2 and newer versions.

+- .NET and ASP.NET applications running .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) and newer versions on Windows.

+- .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) (and newer versions) applications on Windows.

+* [Disable `showmount`](disable-showmount.md) (Preview)

+ By default, Azure NetApp Files enables [`showmount` functionality](/windows-server/administration/windows-commands/showmount) to show NFS exported paths. The setting allows NFS clients to use the `showmount -e` command to see a list of exports available on the Azure NetApp Files NFS-enabled storage endpoint. This functionality might cause security scanners to flag the Azure NetApp Files NFS service as having a vulnerability because these scanners often use `showmount` to see what is being returned. In those scenarios, you might want to disable `showmount` on Azure NetApp Files. This setting allows you to enable/disable `showmount` for your NFS-enabled storage endpoints.

+ When using cross-region replication, reverting a snapshot in a source or destination volume with an active replication configuration was not initially supported. Restoring a snapshot on the source volume from the latest local snapshot was not possible. Instead you had to use either client copy using the `.snapshot` directory, single file snapshot restore, or needed to break the replication in order to apply a volume revert. With this new feature, a snapshot revert on a replication source volume is possible provided you select a snapshot that is newer than the latest SnapMirror snapshot. This enables data recovery (revert) from a snapshot while cross region replication stays active, improving data protection SLA.

+Use the following steps to view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.

+Azure VMware Solution has considerations relating to the use of AS-Path Prepend for redundant ExpressRoute configurations. If you're running two or more ExpressRoute paths between on-premises and Azure, consider the following guidance for influencing traffic out of Azure VMware Solution towards your on-premises location via ExpressRoute GlobalReach.

+Due to asymmetric routing, connectivity issues can occur when Azure VMware Solution doesn't observe AS-Path Prepend and therefore uses equal-cost multipath (ECMP) routing to send traffic toward your environment over both ExpressRoute circuits. This behavior can cause problems with stateful firewall inspection devices placed behind existing ExpressRoute circuits.

+For AS-Path Prepend, consider the following:

+> * The key point is that you must prepend **Public** ASN numbers to influence how AVS route's traffic back to on-premises. If you prepend using _Private_ ASN, AVS will ignore the prepend, and the ECMP behavior above will occur. Even if you operate a Private BGP ASN on-premises, it's still possible to configure your on-premises devices to utilizes Public ASN when prepending routes outbound, to ensure compatibility with Azure VMware Solution.

+> * You wish to use AS-Path Prepend to force Azure VMware solution to prefer one circuit over another.

+> * Use either 2-byte or 4-byte public ASN numbers. If you don't own a public ASN for prepending, open a [Microsoft support ticket](https://ms.portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview) to explore further options.

+| Partner ecosystem | Support for their product/solution. For reference, the following are some of the supported Azure VMware Solution partner solution/product:<ul><li>BCDR - SRM, JetStream, Zerto, and others</li><li>Backup - Veeam, Commvault, Rubrik, and others</li><li>VDI - Horizon/Citrix</li><li>Security solutions - BitDefender, TrendMicro, Checkpoint</li><li>Other VMware products - vRA, vROps, AVI |

+Like with any VMware vSphere environment, the VMs must connect to a network segment. As the production deployment of Azure VMware Solution expands, there's often a combination of L2 extended segments from on-premises and local NSX-T Data Center network segments.

+1. In the Azure portal, select your private cloud, and then **Manage** > **VMware credentials**.

+> * Login to NSX-T Manager from your VM

+ :::image type="content" source="./media/blob-restore/select-backup-type-for-restore-inline.png" alt-text="Screenshot shows the restore options for blob backup." lightbox="./media/blob-restore/select-backup-type-for-restore-expanded.png":::

+ :::image type="content" source="./media/blob-restore/choose-options-for-vaulted-backup.png" alt-text="Screenshot shows the option to choose for vaulted backup." lightbox="./media/blob-restore/choose-options-for-vaulted-backup.png":::

+>[!NOTE]

+>To view all resource logs available for Bastion, select each of the resource logs. If you exclude the 'All Logs' setting, you will not see all the available resource logs.

+ Title: Schedule Batch jobs for efficiency

+description: Learn how to schedule Batch jobs to manage your tasks, prioritize jobs to run first, and minimize resource usage.

+# Schedule Batch jobs for efficiency

+Scheduling Batch jobs lets you prioritize the jobs you want to run first, while taking into account [task dependencies](batch-task-dependencies.md). You can also make sure to use the least amount of resources. Nodes can be decommissioned when not needed, and tasks that are dependent on other tasks are spun up just in time to optimize the workflows. Since only one job at a time runs, jobs can be set to autocomplete, and a new one doesn't start until the previous one completes.

+The tasks you schedule using the job manager task are associated with a job. The job manager task will create tasks for the job. To do so, the job manager task needs to authenticate with the Batch account. Use the *AZ_BATCH_AUTHENTICATION_TOKEN* access token. The token allows access to the rest of the job.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ :::image type="content" source="media/batch-job-schedule/add-job-schedule.png" alt-text="Screenshot of the Add button for job schedules.":::

+1. Under **Basic form**, enter the following information:

+ :::image type="content" source="media/batch-job-schedule/add-job-schedule-01.png" alt-text="Screenshot of the Basic form section of the job schedule options.":::

+1. In the **Schedule** section, enter the following information:

+ - **Do not run after**: No jobs will run after the time you enter here. If you don't specify a time, then you're creating a recurring job schedule, which remains active until you explicitly terminate it.

+ - **Recurrence interval**: Select **Enabled** if you want to specify the amount of time between jobs. You can have only one job at a time scheduled, so if it's time to create a new job under a job schedule but the previous job is still running, the Batch service won't create the new job until the previous job finishes.

+ :::image type="content" source="media/batch-job-schedule/add-job-schedule-02.png" alt-text="Screenshot of the Schedule section of the job schedule options.":::

+1. In the **Job Specification** section, enter the following information:

+ - **Pool ID**: Select the pool where you want the job to run. To choose from a list of pools in your Batch account, select **Update**.

+ - **Job configuration task**: Select **Update** to name and configure the job manager task, as well as the job preparation task and job release tasks, if you're using them.

+ :::image type="content" source="media/batch-job-schedule/add-job-schedule-03.png" alt-text="Screenshot of the job specification options for a new job schedule.":::

+1. In the **Advanced settings** section, enter the following information:

+ - **Max task retry count**: Select **Custom** if you want to specify the number of times a task can be retried, or **Unlimited** if you want the task to be tried for as many times as is needed. This isn't the same as the number of retries an API call might have.

+ - **When all tasks complete**: The default is *NoAction*, but you can select *TerminateJob* if you prefer to terminate the job when all tasks have been completed (or if there are no tasks in the job).

+ - **When a task fails**: A task fails if the retry count is exhausted or there's an error when starting the task. The default is *NoAction*, but you can select *PerformExitOptionsJobAction* if you prefer to take the action associated with the task's exit condition if it fails.

+ :::image type="content" source="media/batch-job-schedule/add-job-schedule-04.png" alt-text="Screenshot of the Advanced settings for a new job schedule.":::

+ Title: 'Quickstart: Create an Azure Batch account using Terraform'

+description: 'In this article, you create an Azure Batch account using Terraform'

+# Quickstart: Create an Azure Batch account using Terraform

+Get started with [Azure Batch](/azure/batch/batch-technical-overview) by using Terraform to create a Batch account, including storage. You need a Batch account to create compute resources (pools of compute nodes) and Batch jobs. You can link an Azure Storage account with your Batch account. This pairing is useful to deploy applications and store input and output data for most real-world workloads.

+After completing this quickstart, you'll understand the key concepts of the Batch service and be ready to try Batch with more realistic workloads at larger scale.

+In this article, you learn how to:

+> [!div class="checklist"]

+> * Create a random value for the Azure resource group name using [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)

+> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)

+> * Create a random value using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)

+> * Create an Azure Storage account using [azurerm_storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account)

+> * Create an Azure Batch account using [azurerm_batch_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/batch_account)

+## Prerequisites

+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)

+## Implement the Terraform code

+> [!NOTE]

+> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-batch-account-with-storage). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-batch-account-with-storage/TestRecord.md).

+>

+> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)

+1. Create a directory in which to test and run the sample Terraform code and make it the current directory.

+1. Create a file named `providers.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-batch-account-with-storage/providers.tf)]

+1. Create a file named `main.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-batch-account-with-storage/main.tf)]

+1. Create a file named `variables.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-batch-account-with-storage/variables.tf)]

+1. Create a file named `outputs.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-batch-account-with-storage/outputs.tf)]

+## Initialize Terraform

+## Create a Terraform execution plan

+## Apply a Terraform execution plan

+## Verify the results

+#### [Azure CLI](#tab/azure-cli)

+1. Get the Azure resource group name.

+ ```console

+ resource_group_name=$(terraform output -raw resource_group_name)

+ ```

+1. Get the Batch account name.

+ ```console

+ batch_name=$(terraform output -raw batch_name)

+ ```

+1. Run [az batch account show](/cli/azure/batch/account#az-batch-account-show) to display information about the new Batch account.

+ ```azurecli

+ az batch account show \

+ --resource-group $resource_group_name \

+ --name $batch_name

+ ```

+#### [Azure PowerShell](#tab/azure-powershell)

+1. Get the Azure resource group name.

+ ```console

+ $resource_group_name=$(terraform output -raw resource_group_name)

+ ```

+1. Get the Batch account name.

+ ```console

+ $batch_name=$(terraform output -raw batch_name)

+ ```

+1. Run [Get-AzBatchAccount](/powershell/module/az.batch/get-azbatchaccount) to display information about the new service.

+ ```azurepowershell

+ Get-AzBatchAccount -ResourceGroupName $resource_group_name `

+ -Name $batch_name

+ ```

+## Clean up resources

+## Troubleshoot Terraform on Azure

+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)

+## Next steps

+> [!div class="nextstepaction"]

+> [Run your first Batch job with the Azure CLI](/azure/batch/quick-create-cli)

+## Run the container disconnected from the internet

+## Run the container disconnected from the internet

+### Run the container connected to the internet

+### Run the container disconnected from the internet

+The speech-to-text container provide a default directory for writing the license file and billing log at runtime. The default directories are /license and /output respectively.

+When you're mounting these directories to the container with the `docker run -v` command, make sure the local machine directory is set ownership to `user:group nonroot:nonroot` before running the container.

+Below is a sample command to set file/directory ownership.

+```bash

+sudo chown -R nonroot:nonroot <YOUR_LOCAL_MACHINE_PATH_1> <YOUR_LOCAL_MACHINE_PATH_2> ...

+```

+### Diarization on the speech-to-text output

+### Analyze sentiment on the speech-to-text output

+### Phraselist v2 on the speech-to-text output

+### Run the container disconnected from the internet

+To use this container disconnected from the internet, you must first request access by filling out an application, and purchasing a commitment plan. See [Use Docker containers in disconnected environments](../containers/disconnected-containers.md) for more information.

+In order to prepare and configure the Custom Speech-to-Text container you will need two separate speech resources:

+1. A regular Azure Speech Service resource which is either configured to use a "**S0 - Standard**" pricing tier or a "**Speech to Text (Custom)**" commitment tier pricing plan. This will be used to train, download, and configure your custom speech models for use in your container.

+1. An Azure Speech Service resource which is configured to use the "**DC0 Commitment (Disconnected)**" pricing plan. This is used to download your disconnected container license file required to run the container in disconnected mode.

+Download the docker container and run it to get the required speech model as [described above](#get-the-container-image-with-docker-pull) using the regular Azure Speech resource. Next, you will need to download your disconnected license file.

+The `DownloadLicense=True` parameter in your `docker run` command will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container. You can only use a license file with the appropriate container that you've been approved for. For example, you can't use a license file for a speech-to-text container with a form recognizer container.

+| Placeholder | Value | Format or example |

+|-|-||

+| `{IMAGE}` | The container image you want to use. | `mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice` |

+| `{LICENSE_MOUNT}` | The path where the license will be downloaded, and mounted. | `/host/license:/path/to/license/directory` |

+| `{ENDPOINT_URI}` | The endpoint for authenticating your service request. You can find it on your resource's **Key and endpoint** page, on the Azure portal. | `https://<your-custom-subdomain>.cognitiveservices.azure.com` |

+| `{API_KEY}` | The key for your Text Analytics resource. You can find it on your resource's **Key and endpoint** page, on the Azure portal. |`xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`|

+| `{CONTAINER_LICENSE_DIRECTORY}` | Location of the license folder on the container's local filesystem. | `/path/to/license/directory` |

+```bash

+docker run --rm -it -p 5000:5000 \

+-v {LICENSE_MOUNT} \

+{IMAGE} \

+eula=accept \

+billing={ENDPOINT_URI} \

+apikey={API_KEY} \

+DownloadLicense=True \

+Mounts:License={CONTAINER_LICENSE_DIRECTORY}

+```

+Once the license file has been downloaded, you can run the container in a disconnected environment. The following example shows the formatting of the `docker run` command you'll use, with placeholder values. Replace these placeholder values with your own values.

+Wherever the container is run, the license file must be mounted to the container and the location of the license folder on the container's local filesystem must be specified with `Mounts:License=`. An output mount must also be specified so that billing usage records can be written.

+Placeholder | Value | Format or example |

+|-|-||

+| `{IMAGE}` | The container image you want to use. | `mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice` |

+ `{MEMORY_SIZE}` | The appropriate size of memory to allocate for your container. | `4g` |

+| `{NUMBER_CPUS}` | The appropriate number of CPUs to allocate for your container. | `4` |

+| `{LICENSE_MOUNT}` | The path where the license will be located and mounted. | `/host/license:/path/to/license/directory` |

+| `{OUTPUT_PATH}` | The output path for logging [usage records](../containers/disconnected-containers.md#usage-records). | `/host/output:/path/to/output/directory` |

+| `{MODEL_PATH}` | The path where the model is located. | `/path/to/model/` |

+| `{CONTAINER_LICENSE_DIRECTORY}` | Location of the license folder on the container's local filesystem. | `/path/to/license/directory` |

+| `{CONTAINER_OUTPUT_DIRECTORY}` | Location of the output folder on the container's local filesystem. | `/path/to/output/directory` |

+```bash

+docker run --rm -it -p 5000:5000 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \

+-v {LICENSE_MOUNT} \

+-v {OUTPUT_PATH} \

+-v {MODEL_PATH} \

+{IMAGE} \

+eula=accept \

+Mounts:License={CONTAINER_LICENSE_DIRECTORY}

+Mounts:Output={CONTAINER_OUTPUT_DIRECTORY}

+```

+The [Custom Speech-to-Text](../speech-service/speech-container-howto.md?tabs=cstt) container provides a default directory for writing the license file and billing log at runtime. The default directories are /license and /output respectively.

+When you're mounting these directories to the container with the `docker run -v` command, make sure the local machine directory is set ownership to `user:group nonroot:nonroot` before running the container.

+Below is a sample command to set file/directory ownership.

+```bash

+sudo chown -R nonroot:nonroot <YOUR_LOCAL_MACHINE_PATH_1> <YOUR_LOCAL_MACHINE_PATH_2> ...

+```

+### Run the container disconnected from the internet

+The neural text-to-speech container provide a default directory for writing the license file and billing log at runtime. The default directories are /license and /output respectively.

+When you're mounting these directories to the container with the `docker run -v` command, make sure the local machine directory is set ownership to `user:group nonroot:nonroot` before running the container.

+Below is a sample command to set file/directory ownership.

+```bash

+sudo chown -R nonroot:nonroot <YOUR_LOCAL_MACHINE_PATH_1> <YOUR_LOCAL_MACHINE_PATH_2> ...

+```

+4. See the following documentation for steps on downloading and configuring the container for disconnected usage:

+ * [Computer Vision - Read](../computer-vision/computer-vision-how-to-install-containers.md#run-the-container-disconnected-from-the-internet)

+ * [Language Understanding (LUIS)](../LUIS/luis-container-howto.md#run-the-container-disconnected-from-the-internet)

+ * [Text Translation (Standard)](../translator/containers/translator-disconnected-containers.md)

+ * [Form recognizer](../../applied-ai-services/form-recognizer/containers/form-recognizer-disconnected-containers.md)

+ **Speech service**

+ * [Speech-to-Text](../speech-service/speech-container-howto.md?tabs=stt#run-the-container-disconnected-from-the-internet)

+ * [Custom Speech-to-Text](../speech-service/speech-container-howto.md?tabs=cstt#run-the-container-disconnected-from-the-internet-1)

+ * [Neural Text-to-Speech](../speech-service/speech-container-howto.md?tabs=ntts#run-the-container-disconnected-from-the-internet-2)

+ **Language service**

+ * [Sentiment Analysis](../language-service/sentiment-opinion-mining/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

+ * [Key Phrase Extraction](../language-service/key-phrase-extraction/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

+ * [Language Detection](../language-service/language-detection/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

+

+ Title: 'Quickstart: Create an Azure Cognitive Services resource using Terraform'

+description: 'In this article, you create an Azure Cognitive Services resource using Terraform'

+keywords: cognitive services, cognitive solutions, cognitive intelligence, cognitive artificial intelligence

+# Quickstart: Create an Azure Cognitive Services resource using Terraform

+This article shows how to use Terraform to create a [Cognitive Services account](/azure/cognitive-services/cognitive-services-apis-create-account) using [Terraform](/azure/developer/terraform/quickstart-configure).

+Azure Cognitive Services are cloud-based artificial intelligence (AI) services that help developers build cognitive intelligence into applications without having direct AI or data science skills or knowledge. They are available through REST APIs and client library SDKs in popular development languages. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, and analyze.

+In this article, you learn how to:

+> [!div class="checklist"]

+> * Create a random pet name for the Azure resource group name using [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)

+> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)

+> * Create a random string using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)

+> * Create a Cognitive Services account using [azurerm_cognitive_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_account)

+## Prerequisites

+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)

+## Implement the Terraform code

+> [!NOTE]

+> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-cognitive-services-account). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-cognitive-services-account/TestRecord.md).

+>

+> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)

+1. Create a directory in which to test and run the sample Terraform code and make it the current directory.

+1. Create a file named `main.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-cognitive-services-account/main.tf)]

+1. Create a file named `outputs.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-cognitive-services-account/outputs.tf)]

+1. Create a file named `providers.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-cognitive-services-account/providers.tf)]

+1. Create a file named `variables.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/101-cognitive-services-account/variables.tf)]

+## Initialize Terraform

+## Create a Terraform execution plan

+## Apply a Terraform execution plan

+## Verify the results

+#### [Azure CLI](#tab/azure-cli)

+1. Get the Azure resource name in which the Cognitive Services account was created.

+ ```console

+ resource_group_name=$(terraform output -raw resource_group_name)

+ ```

+1. Get the Cognitive Services account name.

+ ```console

+ azurerm_cognitive_account_name=$(terraform output -raw azurerm_cognitive_account_name)

+ ```

+1. Run [az cognitiveservices account show](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-show) to show the Cognitive Services account you created in this article.

+ ```azurecli

+ az cognitiveservices account show --name $azurerm_cognitive_account_name \

+ --resource-group $resource_group_name

+ ```

+#### [Azure PowerShell](#tab/azure-powershell)

+1. Get the Azure resource name in which the Cognitive Services account was created.

+ ```console

+ $resource_group_name=$(terraform output -raw resource_group_name)

+ ```

+1. Get the Cognitive Services account name.

+ ```console

+ $azurerm_cognitive_account_name=$(terraform output -raw azurerm_cognitive_account_name)

+ ```

+1. Run [Get-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccount) to display information about the new service.

+ ```azurepowershell

+ Get-AzCognitiveServicesAccount -ResourceGroupName $resource_group_name `

+ -Name $azurerm_cognitive_account_name

+ ```

+## Clean up resources

+## Troubleshoot Terraform on Azure

+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)

+## Next steps

+> [!div class="nextstepaction"]

+> [Recover deleted Cognitive Services resources](manage-resources.md)

+2. On selection of an Azure OpenAI resource, click **Connect**, which allows your Language resource to have direct access to your Azure OpenAI resource. It assigns your Language resource the role of `Cognitive Services User` to your Azure OpenAI resource, which allows your current Language resource to have access to Azure OpenAI's service. If the connection fails, follow these [steps](#add-required-configurations-to-azure-openai-resource) below to add the right role to your Azure OpenAI resource manually.

+### Add required configurations to Azure OpenAI resource

+If connecting your Language resource to an Azure OpenAI resource fails, follow these steps:

+Enable identity management for your Language resource using the following options:

+### [Azure portal](#tab/portal)

+Your Language resource must have identity management, to enable it using [Azure portal](https://portal.azure.com/):

+1. Go to your Language resource

+2. From left hand menu, under **Resource Management** section, select **Identity**

+3. From **System assigned** tab, make sure to set **Status** to **On**

+### [Language Studio](#tab/studio)

+Your Language resource must have identity management, to enable it using [Language Studio](https://aka.ms/languageStudio):

+1. Click the settings icon in the top right corner of the screen

+2. Select **Resources**

+3. Select the check box **Managed Identity** for your Language resource.

+After enabling managed identity, assign the role `Cognitive Services User` to your Azure OpenAI resource using the managed identity of your Language resource.

+ 1. Go to the [Azure portal](https://portal.azure.com/) and navigate to your Azure OpenAI resource.

+ 2. Click on the Access Control (IAM) tab on the left.

+ 3. Click on Add > Add role assignment.

+ 4. Select "Job function roles" and click Next.

+ 5. Select `Cognitive Services User` from the list of roles and click Next.

+ 6. Select Assign access to "Managed identity" and click on "Select members".

+ 7. Under "Managed identity" select "Language".

+ 8. Search for your resource and select it. Then click on the Select button below and next to complete the process.

+ 9. Review the details and click on Review + Assign.

+After a few minutes, refresh the Language Studio and you will be able to successfully connect to Azure OpenAI.

+## Run the container disconnected from the internet

+## Run the container disconnected from the internet

+## Run the container disconnected from the internet

+## Languages supported by extractive and abstractive document summarization

+## April 2023

+* You can now use Azure OpenAI to automatically label or generate data during authoring. Learn more with the links below.

+ * Auto-label your documents in [Custom text classification](./custom-text-classification/how-to/use-autolabeling.md) or [Custom named entity recognition](./custom-named-entity-recognition/how-to/use-autolabeling.md).

+ * Generate suggested utterances in [Conversational language understanding](./conversational-language-understanding/how-to/tag-utterances.md#suggest-utterances-with-azure-openai).

+### Validate domain ownership

+Follow [these instructions](../../how-tos/telephony/domain-validation.md) to validate a domain ownership of your SBC

+## Configure outbound voice routing

+Refer to [Voice routing quickstart](../../quickstarts/telephony/voice-routing-sdk-config.md) to add an SBC and configure outbound voice routing rules.

+When you add a direct routing configuration to a resource, all calls made from this resourceΓÇÖs instances (identities) try a direct routing trunk first. The routing is based on a dialed number and a match in voice routes configured for the resource.

+- If `alternateCallerId` parameter doesn't match any of the purchased numbers, the call fails.

+The diagram demonstrates the Azure Communication Services voice routing logic.

+If you created one voice route with a pattern `^\+1(425|206)(\d{7})$` and added `sbc1.contoso.biz` and `sbc2.contoso.biz` to it, and then created a second route with the same pattern with `sbc3.contoso.biz` and `sbc4.contoso.biz`. In this case, when the user makes a call to `+1 425 XXX XX XX` or `+1 206 XXX XX XX`, the call is first routed to SBC `sbc1.contoso.biz` or `sbc2.contoso.biz`. If both sbc1 and sbc2 are unavailable, the route with lower priority is tried (`sbc3.contoso.biz` and `sbc4.contoso.biz`). If none of the SBCs of the second route are available, the call is dropped.

+If you created one voice route with a pattern `^\+1(425|206)(\d{7})$` and added `sbc1.contoso.biz` and `sbc2.contoso.biz` to it, and then created a second route with the same pattern with `sbc3.contoso.biz` and `sbc4.contoso.biz`, and created a third route with `^+1(\d[10])$` with `sbc5.contoso.biz`. In this case, when the user makes a call to `+1 425 XXX XX XX` or `+1 206 XXX XX XX`, the call is first routed to SBC `sbc1.contoso.biz` or `sbc2.contoso.biz`. If both sbc1 nor sbc2 are unavailable, the route with lower priority is tried (`sbc3.contoso.biz` and `sbc4.contoso.biz`). If none of the SBCs of a second route are available, the third route is tried. If sbc5 is also not available, the call is dropped. Also, if a user dials `+1 321 XXX XX XX`, the call goes to `sbc5.contoso.biz`, and it isn't available, the call is dropped.

+For general inbound call management use [Call Automation SDKs](../call-automation/incoming-call-notification.md) to build an application that listens for and manage inbound calls placed to a phone number or received via ACS direct routing.

+Omnichannel for Customer Service customers, refer to [these instructions](/dynamics365/customer-service/voice-channel-inbound-calling).

+| Channel Type | Content Format | Resolution | Sampling Rate | Bit rate | Data rate | Output | Description |

+| :-- | :- | :-- | :- | :-- | : | : | : |

+| mixed | mp4 | 1920x1080, 16 FPS (frames per second) | 16 kHz | 1 mbps | 7.5 MB/min* | single file, single channel | mixed video in a default 3x3 (most active speakers) tile arrangement with display name support |

+| Channel Type | Content Format | Sampling Rate | Bit rate | Data rate | Output | Description |

+| :-- | :- | :-- | : | : | : | :- |

+| mixed | mp3 | 16 kHz | 48 kbps | 0.36 MB/min* | single file, single channel | mixed audio of all participants |

+| mixed | wav | 16 kHz | 256 kbps | 1.92 MB/min | single file, single channel | mixed audio of all participants |

+| unmixed | wav | 16 kHz | 256 kbps | 1.92 MB/min* per channel | single file, up to 5 wav channels | unmixed audio, one participant per channel, up to five channels |

+> [*NOTE]

+> Mp3 and Mp4 formats use lossy compression that results in variable bitrate; therefore, data rate values in the tables above reflect the theoretical maximum. WAV format is uncompressed and bitrate is fixed, so the data rate calculations are exact.

+An Event Grid notification `Microsoft.Communication.RecordingFileStatusUpdated` is published when a recording is ready for retrieval, typically a few minutes after the recording process has completed (for example, meeting ended, recording stopped). Recording event notifications include `contentLocation` and `metadataLocation`, which are used to retrieve both recorded media and a recording metadata file.

+zone_pivot_groups: acs-plat-web-ios-android-windows

+When we are working with calls in Azure Communication Services, problems may arise that cause issues for your customers. To help with the previously described scenario, we have a feature that is called "User Facing Diagnostics" that can be used to examine various properties of a call to determine what the issue might be.

+| noNetwork | There's no network available. | - Set to `True` when a call fails to start because there's no network available. <br/> - Set to `False` when there are ICE candidates present. | Device isn't connected to a network. | Ensure that the call has a reliable internet connection that can sustain a voice call. For more information, see the [Network optimization](network-requirements.md#network-optimization) section. |

+| networkRelaysNotReachable | Problems with a network. | - Set to `True` when the network has some constraint that isn't allowing you to reach Azure Communication Services relays. <br/> - Set to `False` upon making a new call. | During a call when the WiFi signal goes on and off. | Ensure that firewall rules and network routing allow client to reach Microsoft turn servers. For more information, see the [Firewall configuration](network-requirements.md#firewall-configuration) section. |

+| networkReconnect | The connection was lost and we are reconnecting to the network. | - Set to`Bad` when the network is disconnected <br/> - Set to `Poor`when the media transport connectivity is lost <br/> - Set to `Good` when a new session is connected. | Low bandwidth, no internet | Ensure that the call has a reliable internet connection that can sustain a voice call. For more information, see the [Network bandwidth requirement](network-requirements.md#network-bandwidth) section. |

+| networkReceiveQuality | An indicator regarding incoming stream quality. | - Set to`Bad` when there's a severe problem with receiving the stream. <br/> - Set to `Poor` when there's a mild problem with receiving the stream. <br/> - Set to `Good` when there's no problem with receiving the stream. | Low bandwidth | Ensure that the call has a reliable internet connection that can sustain a voice call. For more information, see the [Network bandwidth requirement](network-requirements.md#network-bandwidth) section. Suggest that the end user turn off their camera to conserve available internet bandwidth. |

+| networkSendQuality | An indicator regarding outgoing stream quality. | - Set to`Bad` when there's a severe problem with sending the stream. <br/> - Set to `Poor` when there's a mild problem with sending the stream. <br/> - Set to `Good` when there's no problem with sending the stream. | Low bandwidth | Ensure that the call has a reliable internet connection that can sustain a voice call. For more information, see the [Network bandwidth requirement](network-requirements.md#network-bandwidth) section. Also, suggest that the end user turn off their camera to conserve available internet bandwidth. |

+| noSpeakerDevicesEnumerated | there's no audio output device (speaker) on the user's system. | - Set to `True` when there are no speaker devices on the system, and speaker selection is supported. <br/> - Set to `False` when there's a least one speaker device on the system, and speaker selection is supported. | All speakers are unplugged | When value set to `True`, consider giving visual notification to end user that their current call session doesn't have any speakers available. |

+| speakingWhileMicrophoneIsMuted | Speaking while being on mute. | - Set to `True` when local microphone is muted and the local user is speaking. <br/> - Set to `False` when local user either stops speaking, or unmutes the microphone. <br/> \* Note: Currently, this option isn't supported on Safari because the audio level samples are taken from WebRTC stats. | During a call, mute your microphone and speak into it. | When value set to `True` consider giving visual notification to end user that they might be talking and not realizing that their audio is muted. |

+| noMicrophoneDevicesEnumerated | No audio capture devices (microphone) on the user's system | - Set to `True` when there are no microphone devices on the system. <br/> - Set to `False` when there's at least one microphone device on the system. | All microphones are unplugged during the call. | When value set to `True` consider giving visual notification to end user that their current call session doesn't have a microphone. For more information, see [enable microphone from device manger](../best-practices.md#plug-in-microphone-or-enable-microphone-from-device-manager-when-azure-communication-services-call-in-progress) section. |

+| microphoneNotFunctioning | Microphone isn't functioning. | - Set to `True` when we fail to start sending local audio stream because the microphone device may have been disabled in the system or it is being used by another process. This UFD takes about 10 seconds to get raised. <br/> - Set to `False` when microphone starts to successfully send audio stream again. | No microphones available, microphone access disabled in a system | When value set to `True` give visual notification to end user that there's a problem with their microphone. |

+| microphoneMuteUnexpectedly | Microphone is muted | - Set to `True` when microphone enters muted state unexpectedly. <br/> - Set to `False` when microphone starts to successfully send audio stream | Microphone is muted from the system. Most cases happen when user is on an Azure Communication Services call on a mobile device and a phone call comes in. In most cases, the operating system mutes the Azure Communication Services call so a user can answer the phone call. | When value is set to `True`, give visual notification to end user that their call was muted because a phone call came in. For more information, see how to best handle [OS muting an Azure Communication Services call](../best-practices.md#handle-os-muting-call-when-phone-call-comes-in) section for more details. |

+| microphonePermissionDenied | there's low volume from device or itΓÇÖs almost silent on macOS. | - Set to `True` when audio permission is denied from the system settings (audio). <br/> - Set to `False` on successful stream acquisition. <br/> Note: This diagnostic only works on macOS. | Microphone permissions are disabled in the Settings. | When value is set to `True`, give visual notification to end user that they did not enable permission to use microphone for an Azure Communication Services call. |

+| cameraFreeze | Camera stops producing frames for more than 5 seconds. | - Set to `True` when the local video stream is frozen. This diagnostic means that the remote side is seeing your video frozen on their screen or it means that the remote participants are not rendering your video on their screen. <br/> - Set to `False` when the freeze ends and users can see your video as per normal. | The Camera was lost during the call or bad network caused the camera to freeze. | When value is set to `True`, consider giving notification to end user that the remote participant network might be bad - possibly suggest that they turn off their camera to conserve bandwidth. For more information, see [Network bandwidth requirement](network-requirements.md#network-bandwidth) section on needed internet abilities for an Azure Communication Services call. |

+| cameraStartFailed | Generic camera failure. | - Set to `True` when we fail to start sending local video because the camera device may have been disabled in the system or it is being used by another process~. <br/> - Set to `False` when selected camera device successfully sends local video again. | Camera failures | When value is set to `True`, give visual notification to end user that their camera failed to start. |

+| cameraStartTimedOut | Common scenario where camera is in bad state. | - Set to `True` when camera device times out to start sending video stream. <br/> - Set to `False` when selected camera device successfully sends local video again. | Camera failures | When value is set to `True`, give visual notification to end user that their camera is possibly having problems. (When value is set back to `False` remove notification). |

+| cameraPermissionDenied | Camera permissions were denied in settings. | - Set to `True` when camera permission is denied from the system settings (video). <br/> - Set to `False` on successful stream acquisition. <br> Note: This diagnostic only works on macOS Chrome. | Camera permissions are disabled in the settings. | When value is set to `True`, give visual notification to end user that they did not enable permission to use camera for an Azure Communication Services call. |

+| cameraStoppedUnexpectedly | Camera malfunction | - Set to `True` when camera enters stopped state unexpectedly. <br/> - Set to `False` when camera starts to successfully send video stream again. | Check camera is functioning correctly. | When value is set to `True`, give visual notification to end user that their camera is possibly having problems. (When value is set back to `False` remove notification). |

+| screenshareRecordingDisabled | System screen sharing was denied from the preferences in Settings. | - Set to `True` when screen sharing permission is denied from the system settings (sharing). <br/> - Set to `False` on successful stream acquisition. <br/> Note: This diagnostic only works on macOS.Chrome. | Screen recording is disabled in Settings. | When value is set to `True`, give visual notification to end user that they did not enable permission to share their screen for an Azure Communication Services call. |

+| capturerStartFailed | System screen sharing failed. | - Set to `True` when we fail to start capturing the screen. <br/> - Set to `False` when capturing the screen can start successfully. | | When value is set to `True`, give visual notification to end user that there was possibly a problem sharing their screen. (When value is set back to `False`, remove notification). |

+| capturerStoppedUnexpectedly | System screen sharing malfunction | - Set to `True` when screen capturer enters stopped state unexpectedly. <br/> - Set to `False` when screen capturer starts to successfully capture again. | Check screen sharing is functioning correctly | When value is set to `True`, give visual notification to end user that there possibly a problem that causes sharing their screen to stop. (When value is set back to `False` remove notification). |

+### Native only

+| Name | Description | Possible values | Use cases | Mitigation Steps |

+| | -- | -- | :- | -- |

+| speakerVolumeIsZero | Zero volume on a device (speaker). | - Set to `True` when the speaker volume is zero. <br/> - Set to `False` when speaker volume is not zero. | Not hearing audio from participants on call. | When value is set to `True`, you may have accidentally the volume at lowest(zero). |

+| speakerMuted | Speaker device is muted. | - Set to `True` when the speaker device is muted. <br/> - Set to `False` when the speaker device isn't muted. | Not hearing audio from participants on call. | When value is set to `True`, you may have accidentally muted the speaker. |

+| speakerNotFunctioningDeviceInUse | Speaker is already in use. Either the device is being used in exclusive mode, or the device is being used in shared mode and the caller asked to use the device in exclusive mode. | - Set to `True` when the speaker device stream acquisition times out (audio). <br/> - Set to `False` when speaker acquisition is successful. | Not hearing audio from participants on call through speaker. | When value is set to `True`, give visual notification to end user so they can check if another application is using the speaker and try closing it. |

+| speakerNotFunctioning | Speaker isn't functioning (failed to initialize the audio device client or device became inactive for more than 5 sec) | - Set to `True` when speaker is unavailable, or device stream acquisition times out (audio). <br/> - Set to `False` when speaker acquisition is successful. | Not hearing audio from participants on call through speaker. | Try checking the state of the speaker device. |

+| microphoneNotFunctioningDeviceInUse | Microphone is already in use. Either the device is being used in exclusive mode, or the device is being used in shared mode and the caller asked to use the device in exclusive mode. | - Set to `True` when the microphone device stream acquisition times out (audio). <br/> - Set to `False` when microphone acquisition is successful. | Your audio not reaching other participants in the call. | When value is set to `True`, give visual notification to end user so they can check if another application is using the microphone and try closing it. |

+ Title: Azure Communication Services direct routing domain validation

+description: A how-to page about domain validation for direct routing.

+# Domain validation

+This page describes the process of domain name ownership validation. Fully Qualified Domain Name (FQDN) consists of two parts: host name and domain name. For example, if your session border controller (SBC) name is `sbc1.contoso.com`, then `sbc1` would be a host name, while `contoso.com` would be a domain name. If there's an SBC with FQDN of `acs.sbc1.testing.contoso.com`, `acs` would be a host name, and `sbc1.testing.contoso.com` would be a domain name. To use direct routing, you need to validate that you own a domain part of your FQDN.

+Azure Communication Services direct routing configuration consists of the following steps:

+- Verify domain ownership for your SBC FQDN

+- Configure SBC FQDN and port number

+- Create voice routing rules

+## Domain ownership validation

+Make sure to add and verify domain name portion of the FQDN and keep in mind that the `*.onmicrosoft.com` and `*.azure.com` domain names aren't supported for the SBC FQDN domain name. For example, if you have two domain names, `contoso.com` and `contoso.onmicrosoft.com`, use `sbc.contoso.com` as the SBC name. If using a subdomain, make sure this subdomain is also added and verified. For example, if you want to use `sbc.acs.contoso.com`, then `acs.contoso.com` needs to be registered.

+### Domain verification using Azure portal

+#### Add new domain name

+1. Open Azure portal and navigate to your [Communication Service resource](../../quickstarts/create-communication-resource.md).

+1. In the left navigation pane, select Direct routing under Voice Calling - PSTN.

+1. Select Connect domain from the Domains tab.

+1. Enter the domain part of SBCΓÇÖs fully qualified domain name.

+1. Reenter the domain name.

+1. Select Confirm and then select Add.

+[ ](./media/direct-routing-add-domain.png#lightbox)

+#### Verify domain ownership

+1. Select Verify next to new domain that is now visible in DomainΓÇÖs list.

+1. Azure portal generates a value for a TXT record, you need to add that record to

+[ ](./media/direct-routing-verify-domain-2.png#lightbox)

+>[!Note]

+>It might take up to 30 minutes for new DNS record to propagate on the Internet

+3. Select Next. If everything is set up correctly, you should see Domain status changed to *Verified* next to the added domain.

+[ ](./media/direct-routing-domain-verified.png#lightbox)

+#### Remove domain from Azure Communication Services

+If you want to remove a domain from your Azure Communication Services direct routing configuration, select the checkbox fir a corresponding domain name, and select *Remove*.

+[ ](./media/direct-routing-remove-domain.png#lightbox)

+## Next steps:

+### Conceptual documentation

+- [Telephony in Azure Communication Services](../../concepts/telephony/telephony-concept.md)

+- [Direct routing infrastructure requirements](../../concepts/telephony/direct-routing-infrastructure.md)

+- [Pricing](../../concepts/pricing.md)

+### Quickstarts

+- [Outbound call to a phone number](../../quickstarts/telephony/pstn-call.md)

+- [Redirect inbound telephony calls with Call Automation](../../quickstarts/call-automation/redirect-inbound-telephony-calls.md)

+ Title: Quickstart - Configure voice routing using SDK

+description: In this quickstart, you learn how to configure Azure Communication Services direct routing programmatically.

+zone_pivot_groups: acs-azp-java-python-csharp-js

+# Quickstart: Configure voice routing programmatically

+Configure outbound voice routing rules for Azure Communication Services direct routing

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+## Next steps

+For more information, see the following articles:

+- Learn about [Calling SDK capabilities](../voice-video-calling/getting-started-with-calling.md).

+- Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md).

+- Call to a telephone number [quickstart](./pstn-call.md).

+You need a certificate in PEM format. You can create more than one certificate and add or delete them using ledger Update API.

+- **Windows**: Install [Chocolatey for Windows](https://chocolatey.org/install), open a PowerShell terminal window in admin mode, and run `choco install openssl`. Alternatively, you can install OpenSSL for Windows directly from [here](http://gnuwin32.sourceforge.net/packages/openssl.htm).

+- **Linux**:

+ - Ubuntu:

+ ```bash

+ sudo apt-get install openssl

+ ```

+ - RHEL/CentOS:

+ ```bash

+ sudo yum install openssl -y

+ ```

+ - SUSE:

+ ```bash

+ sudo zypper install openssl

+ ```

+By enabling Container Apps' zone redundancy feature, replicas are automatically distributed across the zones in the region. Traffic is load balanced among the replicas. If a zone outage occurs, traffic will automatically be routed to the replicas in the remaining zones.

+> [!NOTE]

+> There is no extra charge for enabling zone redundancy, but it only provides benefits when you have 2 or more replicas, with 3 or more being ideal since most regions that support zone redundancy have 3 zones.

+| Workload profiles architecture (preview) | Supports user defined routes (UDR) and egress through NAT Gateway when using a custom virtual network. The minimum required subnet size is /27. |

+> [!NOTE]

+> When you provide your own virtual network, additional [managed resources](networking.md#managed-resources) are created, which incur billing.

+| Replicas | Revision | 300 | Yes | |

+ --infrastructure-subnet-resource-id "<SUBNET_ID>" \

+ --internal-only true

+This article explains the resource model for the Azure Cosmos DB point-in-time restore feature. It explains the parameters that support the continuous backup and resources that can be restored. This feature is supported in Azure Cosmos DB API for SQL, Azure Cosmos DB API for Gremlin, Table API and the Azure Cosmos DB API for MongoDB.

+> Currently the point-in-time restore feature is available for Azure Cosmos DB for NoSQL, API for MongoDB, Table and Gremlin accounts. After you create an account with continuous mode you can't switch it to a periodic mode. The ``Continuous7Days`` tier is in preview.

+This feature is supported for Azure Cosmos DB API for NoSQL containers, API for MongoDB , Table API and API for Gremlin graphs.

+ - Azure Cosmos DB Spark connector < 4.18.0

+- Azure Cosmos DB Spark connector < 4.18.0

+> Support for 7-day continous backup in both provisioning and migration scenarios is still in preview.

+> * If the account is of type API for NoSQL,API for Table, Gremlin or API for MongoDB.

+Currently, API for NoSQL, API for Table, Gremlin API and API for MongoDB accounts with single write region that have shared, provisioned, or autoscale provisioned throughput support migration.

+> [!NOTE]

+> Creating a **unique index** obtains an exclusive lock on the collection for the entire duration of the build process. This blocks read and write operations on the collection until the operation is completed.

+The concept of a *change* is an operation on an item. The most common scenarios where events for the same item are received are:

+* Your Function is failing during execution. If your Function has enabled [retry policies](../../azure-functions/functions-bindings-error-pages.md#retries) or in cases where your Function execution is exceeding the allowed execution time, the same batch of changes can be delivered again to your Function. This is expected and by design, look at your Function logs for indication of failures and make sure you have enabled [trigger logs](how-to-configure-cosmos-db-trigger.md#enabling-trigger-specific-logs) for further details.

+* There is a load balancing of leases across instances. When instances increase or decrease, [load balancing](change-feed-processor.md#dynamic-scaling) can cause the same batch of changes to be delivered to multiple Function instances. This is expected and by design, and should be transient. The [trigger logs](how-to-configure-cosmos-db-trigger.md#enabling-trigger-specific-logs) include the events when an instance acquires and releases leases.

+* The item is being updated. The change feed can contain multiple operations for the same item. If the item is receiving updates, it can pick up multiple events (one for each update). One easy way to distinguish among different operations for the same item is to track the `_lsn` [property for each change](../change-feed.md#change-feed-and-_etag-_lsn-or-_ts). If the properties don't match, the changes are different.

+* If you're identifying items only by `id`, remember that the unique identifier for an item is the `id` and its partition key. (Two items can have the same `id` but a different partition key).

+# Data Encryption with Customer Managed Keys Preview

+# Enable data encryption with customer-managed keys (preview) in Azure Cosmos DB for PostgreSQL

+Before restoring the account, install the [latest version of Azure PowerShell](/powershell/azure/install-az-ps) or version higher than 9.6.0. Next connect to your Azure account and select the required subscription with the following commands:

+Import the `Az.CosmosDB` module version 1.10.0 and run the following command to get the restore details. The restoreTimestamp will be under the restoreParameters object:

+ * Install the latest version of [Azure CLI](/cli/azure/install-azure-cli) or version higher than 2.46.0.

+ * If you have already installed CLI, run `az upgrade` command to update to the latest version. This command will only work with CLI version higher than 2.46.0. If you have an earlier version, use the above link to install the latest version.

+ "gremlinDatabasesToRestore": [{

+ }]

+>[!NOTE]

+> You must manually cancel your SaaS subscriptions before you cancel your Azure subscription. Only pay-as-you-go SaaS subscriptions are cancelled automatically by the Azure subscription cancellation process.

+- Billing Reader

+- For more information about roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).

+You may experience an issue when you try to sign up for a new account in the Microsoft Azure portal. This short guide walks you through the sign-up process and discusses some common issues at each step.

+Before beginning sign-up, verify the following information:

+- Your country/region

+#### Free trial isn't available

+This issue can occur if the account is registered in an [unmanaged Azure AD directory](../../active-directory/enterprise-users/directory-self-service-signup.md), and it isn't in your organization's Azure AD directory. To resolve this issue, sign up the Azure account by using another account, or take over the unmanaged AD directory. For more information, see [Take over an unmanaged directory as administrator in Azure Active Directory](../../active-directory/enterprise-users/domains-admin-takeover.md).

+The issue can also occur if the account was created using the Microsoft 365 Developer Program. Microsoft doesn't allow purchasing other paid services using your Microsoft 365 Developer Program subscription. For more information, see [Does the subscription also include a subscription to Azure?](/office/developer-program/microsoft-365-developer-program-faq#does-the-subscription-also-include-a-subscription-to-azure-)

+Here are some other tips:

+Virtual or prepaid credit cards aren't accepted as payment for Azure subscriptions. To see what else may cause your card to be declined, see [Troubleshoot a declined card at Azure sign-up](./troubleshoot-declined-card.md).

+You may see a small, temporary verification hold on your credit card account after you sign up. This hold is removed within three to five days. If you're worried about managing costs, read more about [Analyzing unexpected charges](../understand/analyze-unexpected-charges.md).

+ - Sign in to the [Cloud Partner Program portal](https://mspartner.microsoft.com/Pages/Locale.aspx) to verify your eligibility status. If you have the appropriate [Cloud Platform Competencies](https://mspartner.microsoft.com/pages/membership/cloud-platform-competency.aspx), you may be eligible for other benefits.

+## Other help resources

+- A dev center. If you don't have one available, follow the steps in [Create a dev center](quickstart-configure-dev-box-service.md#1-create-a-dev-center).

+- A compute gallery. Images stored in a compute gallery can be used in a dev box definition, provided they meet the requirements listed in the [Compute gallery image requirements](#compute-gallery-image-requirements) section.

+

+> [!NOTE]

+> Microsoft Dev Box Preview doesn't support community galleries.

+## Compute gallery image requirements

+A gallery used to configure dev box definitions must have at least [one image definition and one image version](../virtual-machines/image-version.md).

+The image version must meet the following requirements:

+- Generation 2.

+- Hyper-V v2.

+- Windows OS.

+ - Windows 10 Enterprise version 20H2 or later.

+ - Windows 11 Enterprise 21H2 or later.

+- Generalized VM image.

+ - You must create the image using the following sysprep options: `/mode:vm flag: Sysprep /generalize /oobe /mode:vm`. </br>

+ For more information, see: [Sysprep Command-Line Options](/windows-hardware/manufacture/desktop/sysprep-command-line-options?view=windows-11#modevm&preserve-view=true).

+ - To speed up the Dev Box creation time, you can disable the reserved storage state feature in the image by using the following command: `DISM.exe /Online /Set-ReservedStorageState /State:Disabled`. </br>

+ For more information, see: [DISM Storage reserve command-line options](/windows-hardware/manufacture/desktop/dism-storage-reserve?view=windows-11#set-reservedstoragestate&preserve-view=true).

+- Single-session virtual machine (VM) images. (Multiple-session VM images aren't supported.)

+- No recovery partition.

+ - For information about how to remove a recovery partition, see the [Windows Server command: delete partition](/windows-server/administration/windows-commands/delete-partition).

+- Default 64-GB OS disk size. The OS disk size is automatically adjusted to the size specified in the SKU description of the Windows 365 license.

+- The image definition must have [trusted launch enabled as the security type](../virtual-machines/trusted-launch.md). You configure the security type when you create the image definition.

+> - Dev Box image requirements exceed [Windows 365 image requirements](/windows-365/enterprise/device-images) and include settings to optimize dev box creation time and performance.

+> - Images that do not meet Windows 365 requirements will not be listed for creation.

+You can use the same managed identity in multiple dev centers and compute galleries. Any dev center with the managed identity added has the necessary permissions to the images in the gallery that you've added the Owner role assignment to.

+# Tutorial: Migrate PostgreSQL to Azure Database for PostgreSQL online using DMS (classic) via the Azure portal

+You can use Azure Database Migration Service to migrate the databases from an on-premises PostgreSQL instance to [Azure Database for PostgreSQL](../postgresql/index.yml) with minimal downtime to the application. In this tutorial, you migrate the **listdb** sample database from an on-premises instance of PostgreSQL 13.10 to Azure Database for PostgreSQL by using the online migration activity in Azure Database Migration Service.

+* Download and install [PostgreSQL community edition](https://www.postgresql.org/download/). The source PostgreSQL Server version must be >= 9.4. For more information, see [Supported PostgreSQL database versions](../postgresql/flexible-server/concepts-supported-versions.md).

+ Also note that the target Azure Database for PostgreSQL version must be equal to or later than the on-premises PostgreSQL version. For example, PostgreSQL 12 can migrate to Azure Database for PostgreSQL >= 12 version but not to Azure Database for PostgreSQL 11.

+* [Create an Azure Database for PostgreSQL server](../postgresql/quickstart-create-server-database-portal.md).

+ For example, to create a schema dump file for the **listdb** database:

+ pg_dump -O -h localhost -U postgres -d listdb -s -x > listdbSchema.sql

+ For details on how to connect and create a database, see the article [Create an Azure Database for PostgreSQL server in the Azure portal](../postgresql/quickstart-create-server-database-portal.md).

+ psql -h mypgserver-20170401.postgres.database.azure.com -U postgres -d migratedb < listdbSchema.sql

+

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-search-classic.png" alt-text="Screenshot of a Search Azure Database Migration Service.":::

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-instance-search-classic.png" alt-text="Screenshot of a Searching the Azure Database Migration Service instance.":::

+4. In the **Migration activity type** section, select **Online data migration**.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-create-project-classic.png" alt-text="Screenshot of a Create a new migration project.":::

+5. Select **Create and run activity**, to successfully use Azure Database Migration Service to migrate data.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-add-source-details-classic.png" alt-text="Screenshot of an Add source details screen.":::

+1. On the **Target details** screen, specify the connection details for the target Azure Database for PostgreSQL - Flexible server, which is the preprovisioned instance to which the schema was deployed by using pg_dump.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-add-target-details-classic.png" alt-text="Screenshot of an Add target details screen.":::

+2. Click on **Next:Select databases**, and then on the **Select databases** screen, map the source and the target database for migration.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-map-target-databases-classic.png" alt-text="Screenshot of a map databases with the target screen.":::

+3. Click on **Next:Select tables**, and then on the **Select tables** screen, select the required tables that need to be migrated.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-select-tables-classic.png" alt-text="Screenshot of a selecting the tables for migration screen.":::

+

+4. Click on **Next:Configure migration settings**, and then on the **Configure migration settings** screen, accept the default values.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-migration-settings-classic.png" alt-text="Screenshot of configuring migration setting screen.":::

+5. On the **Migration summary** screen, in the **Activity name** text box, specify a name for the migration activity, and then review the summary to ensure that the source and target details match what you previously specified.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-migration-summary-classic.png" alt-text="Screenshot of migration summary screen.":::

+* Select **Start migration**.

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-monitor-migration-classic.png" alt-text="Screenshot of migration monitoring screen.":::

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-full-data-load-details-classic.png" alt-text="Screenshot of migration full load details screen.":::

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-incremental-data-sync-details-classic.png" alt-text="Screenshot of migration incremental load details screen.":::

+ :::image type="content" source="media/tutorial-postgresql-to-azure-postgresql-online-portal/dms-complete-cutover-classic.png" alt-text="Screenshot of cutover completion screen.":::

+# Tutorial: Migrate PostgreSQL to Azure Database for PostgreSQL online using DMS (classic) via the Azure CLI

+ * [Swagger](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/eventgrid/resource-manager/Microsoft.EventGrid)

+You can now easily upgrade your existing Firewall Standard SKU to Premium SKU and downgrade from Premium to Standard SKU.

+> [!IMPORTANT]

+> Always perform any upgrade/downgrade operations during off-business hours and scheduled maintenance times.

+ Title: Use connections

+description: Learn how to use connections to connect to External data sources for training with Azure Machine Learning.

+# Customer intent: As an experienced data scientist with Python skills, I have data located in external sources outside of Azure. I need to make that data available to the Azure Machine Learning platform, to train my machine learning models.

+# Create connections

+In this article, learn how to connect to data sources located outside of Azure, to make that data available to Azure Machine Learning services. For this data availability, Azure supports connections to these external sources:

+- Snowflake DB

+- Amazon S3

+- Azure SQL DB

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+- The [Azure Machine Learning SDK for Python](https://aka.ms/sdk-v2-install).

+- An Azure Machine Learning workspace.

+> [!NOTE]

+> An Azure Machine Learning connection securely stores the credentials passed during connection creation in the Workspace Azure Key Vault. A connection references the credentials from the key vault storage location for further use. You won't need to directly deal with the credentials after they are stored in the key vault. You have the option to store the credentials in the YAML file. A CLI command or SDK can override them. We recommend that you **avoid** credential storage in a YAML file, because a security breach could lead to a credential leak.

+## Create a Snowflake DB connection

+# [CLI: Username/password](#tab/cli-username-password)

+This YAML file creates a Snowflake DB connection. Be sure to update the appropriate values:

+```yaml

+# my_snowflakedb_connection.yaml

+$schema: http://azureml/sdk-2-0/Connection.json

+type: snowflake

+name: my_snowflakedb_connection # add your datastore name here

+target: jdbc:snowflake://<myaccount>.snowflakecomputing.com/?db=<mydb>&warehouse=<mywarehouse>&role=<myrole>

+# add the Snowflake account, database, warehouse name and role name here. If no role name provided it will default to PUBLIC

+credentials:

+ type: username_password

+ username: <username> # add the Snowflake database user name here or leave this blank and type in CLI command line

+ password: <password> # add the Snowflake database password here or leave this blank and type in CLI command line

+```

+Create the Azure Machine Learning connection in the CLI:

+### Option 1: Use the username and password in YAML file

+```azurecli

+az ml connection create --file my_snowflakedb_connection.yaml

+```

+### Option 2: Override the username and password at the command line

+```azurecli

+az ml connection create --file my_snowflakedb_connection.yaml --set credentials.username="XXXXX" credentials.password="XXXXX"

+```

+# [Python SDK: username/ password](#tab/sdk-username-password)

+### Option 1: Load connection from YAML file

+```python

+from azure.ai.ml import MLClient, load_workspace_connection

+ml_client = MLClient.from_config()

+wps_connection = load_workspace_connection(source="./my_snowflakedb_connection.yaml")

+wps_connection.credentials.username="XXXXX"

+wps_connection.credentials.password="XXXXXXXX"

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+### Option 2: Use WorkspaceConnection() in a Python script

+```python

+from azure.ai.ml import MLClient

+from azure.ai.ml.entities import WorkspaceConnection

+from azure.ai.ml.entities import UsernamePasswordConfiguration

+target= "jdbc:snowflake://<myaccount>.snowflakecomputing.com/?db=<mydb>&warehouse=<mywarehouse>&role=<myrole>"

+# add the Snowflake account, database, warehouse name and role name here. If no role name provided it will default to PUBLIC

+wps_connection = WorkspaceConnection(type="snowflake",

+target= target,

+credentials= UsernamePasswordConfiguration(username="XXXXX", password="XXXXXX")

+)

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+## Create an Azure SQL DB connection

+# [CLI: Username/password](#tab/cli-sql-username-password)

+This YAML script creates an Azure SQL DB connection. Be sure to update the appropriate values:

+```yaml

+# my_sqldb_connection.yaml

+$schema: http://azureml/sdk-2-0/Connection.json

+type: azuresqldb

+name: my_sqldb_connection

+target: Server=tcp:<myservername>,<port>;Database=<mydatabase>;Trusted_Connection=False;Encrypt=True;Connection Timeout=30

+# add the sql servername, port addresss and database

+credentials:

+ type: sql_auth

+ username: <username> # add the sql database user name here or leave this blank and type in CLI command line

+ password: <password> # add the sql database password here or leave this blank and type in CLI command line

+```

+Create the Azure Machine Learning connection in the CLI:

+### Option 1: Use the username / password from YAML file

+```azurecli

+az ml connection create --file my_sqldb_connection.yaml

+```

+### Option 2: Override the username and password in YAML file

+```azurecli

+az ml connection create --file my_sqldb_connection.yaml --set credentials.username="XXXXX" credentials.password="XXXXX"

+```

+# [Python SDK: username/ password](#tab/sdk-sql-username-password)

+### Option 1: Load connection from YAML file

+```python

+from azure.ai.ml import MLClient, load_workspace_connection

+ml_client = MLClient.from_config()

+wps_connection = load_workspace_connection(source="./my_sqldb_connection.yaml")

+wps_connection.credentials.username="XXXXXX"

+wps_connection.credentials.password="XXXXXxXXX"

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+### Option 2: Using WorkspaceConnection()

+```python

+from azure.ai.ml import MLClient

+from azure.ai.ml.entities import WorkspaceConnection

+from azure.ai.ml.entities import UsernamePasswordConfiguration

+target= "Server=tcp:<myservername>,<port>;Database=<mydatabase>;Trusted_Connection=False;Encrypt=True;Connection Timeout=30"

+# add the sql servername, port addresss and database

+wps_connection = WorkspaceConnection(type="azure_sql_db",

+target= target,

+credentials= UsernamePasswordConfiguration(username="XXXXX", password="XXXXXX")

+)

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+## Create Amazon S3 connection

+# [CLI: Access key](#tab/cli-s3-access-key)

+Create an Amazon S3 connection with the following YAML file. Be sure to update the appropriate values:

+```yaml

+# my_s3_connection.yaml

+$schema: http://azureml/sdk-2-0/Connection.json

+type: s3

+name: my_s3_connection

+target: https://<mybucket>.amazonaws.com # add the s3 bucket details

+credentials:

+ type: access_key

+ access_key_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # add access key id

+ secret_access_key: XxXxXxXXXXXXXxXxXxxXxxXXXXXXXXxXxxXXxXXXXXXXxxxXxXXxXXXXXxXXxXXXxXxXxxxXXxXXxXXXXXxXxxXX # add access key secret

+```

+Create the Azure Machine Learning connection in the CLI:

+```azurecli

+az ml connection create --file my_s3_connection.yaml

+```

+# [Python SDK: Access key](#tab/sdk-s3-access-key)

+### Option 1: Load connection from YAML file

+```python

+from azure.ai.ml import MLClient, load_workspace_connection

+ml_client = MLClient.from_config()

+wps_connection = load_workspace_connection(source="./my_s3_connection.yaml")

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+### Option 2: Use WorkspaceConnection() in a Python script

+```python

+from azure.ai.ml import MLClient

+from azure.ai.ml.entities import WorkspaceConnection

+from azure.ai.ml.entities import AccessKeyConfiguration

+target = "https://<mybucket>.amazonaws.com" # add the s3 bucket details

+wps_connection = WorkspaceConnection(type="s3",

+target= target,

+credentials= AccessKeyConfiguration(access_key_id="XXXXXX",acsecret_access_key="XXXXXXXX")

+)

+ml_client.connections.create_or_update(workspace_connection=wps_connection)

+```

+## Next steps

+- [Import data assets](how-to-import-data-assets.md#import-data-assets)

+ Title: Import Data

+description: Learn how to import data from external sources on to Azure Machine Learning platform

+# Import data assets

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning SDK you are using:"]

+> * [v2 ](how-to-import-data-assets.md)

+In this article, learn how to import data into the Azure Machine Learning platform from external sources. A successful import automatically creates and registers an Azure Machine Learning data asset with the name provided during the import. An Azure Machine Learning data asset resembles a web browser bookmark (favorites). You don't need to remember long storage paths (URIs) that point to your most-frequently used data. Instead, you can create a data asset, and then access that asset with a friendly name.

+A data import creates a cache of the source data, along with metadata, for faster and reliable data access in Azure Machine Learning training jobs. The data cache avoids network and connection constraints. The cached data is versioned to support reproducibility (which provides versioning capabilities for data imported from SQL Server sources). Additionally, the cached data provides data lineage for auditability. A data import uses ADF (Azure Data Factory pipelines) behind the scenes, which means that users can avoid complex interactions with ADF. Behind the scenes, Azure Machine Learning also handles management of ADF compute resource pool size, compute resource provisioning, and tear-down to optimize data transfer by determining proper parallelization.

+The transferred data is partitioned and securely stored as parquet files in Azure storage. This enables faster processing during training. ADF compute costs only involve the time used for data transfers. Storage costs only involve the time needed to cache the data, because cached data is a copy of the data imported from an external source. That external source is hosted in Azure storage.

+The caching feature involves upfront compute and storage costs. However, it pays for itself, and can save money, because it reduces recurring training compute costs compared to direct connections to external source data during training. It caches data as parquet files, which makes job training faster and more reliable against connection timeouts for larger data sets. This leads to fewer reruns, and fewer training failures.

+You can now import data from Snowflake, Amazon S3 and Azure SQL.

+## Prerequisites

+To create and work with data assets, you need:

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+* An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+* The [Azure Machine Learning CLI/SDK installed](how-to-configure-cli.md).

+* [Workspace connections created](how-to-connection.md)

+## Importing from external database sources / import from external sources to create a meltable data asset

+> [!NOTE]

+> The external databases can have Snowflake, Azure SQL, etc. formats.

+The following code samples can import data from external databases. The `connection` that handles the import action determines the external database data source metadata. In this sample, the code imports data from a Snowflake resource. The connection points to a Snowflake source. With a little modification, the connection can point to an Azure SQL database source and an Azure SQL database source. The imported asset `type` from an external database source is `mltable`.

+# [Azure CLI](#tab/cli)

+Create a `YAML` file `<file-name>.yml`:

+```yaml

+$schema: http://azureml/sdk-2-0/DataImport.json

+# Supported connections include:

+# Connection: azureml:<workspace_connection_name>

+# Supported paths include:

+# Datastore: azureml://datastores/<data_store_name>/paths/<my_path>/${{name}}

+type: mltable

+name: <name>

+source:

+ type: database

+ query: <query>

+ connection: <connection>

+path: <path>

+```

+Next, run the following command in the CLI:

+```cli

+> az ml data import -f <file-name>.yml

+```

+# [Python SDK](#tab/Python-SDK)

+```python

+from azure.ai.ml.entities import DataImport

+from azure.ai.ml.data_transfer import Database

+from azure.ai.ml import MLClient

+# Supported connections include:

+# Connection: azureml:<workspace_connection_name>

+# Supported paths include:

+# Datastore: azureml://datastores/<data_store_name>/paths/<my_path>/${{name}}

+ml_client = MLClient.from_config()

+data_import = DataImport(

+ name="<name>",

+ source=Database(connection="<connection>", query="<query>"),

+ path="<path>"

+ )

+ml_client.data.import_data(data_import=data_import)

+```

+## Import data from external data and file system resources to create a uri_folder data asset

+> [!NOTE]

+> An Amazon S3 data resource can serve as an external file system resource.

+The `connection` that handles the data import action determines the details of the external data source. The connection defines an Amazon S3 bucket as the target. The connection expects a valid `path` value. An asset value imported from an external file system source has a `type` of `uri_folder`.

+The next code sample imports data from an Amazon S3 resource.

+# [Azure CLI](#tab/cli)

+Create a `YAML` file `<file-name>.yml`:

+```yaml

+$schema: http://azureml/sdk-2-0/DataImport.json

+# Supported connections include:

+# Connection: azureml:<workspace_connection_name>

+# Supported paths include:

+# Datastore: azureml://datastores/<data_store_name>/paths/<my_path>/${{name}}

+type: uri_folder

+name: <name>

+source:

+ type: file_system

+ path: <path_on_source>

+ connection: <connection>

+path: <path>

+```

+Next, execute this command in the CLI:

+```cli

+> az ml data import -f <file-name>.yml

+```

+# [Python SDK](#tab/Python-SDK)

+```python

+from azure.ai.ml.entities import DataImport

+from azure.ai.ml.data_transfer import FileSystem

+from azure.ai.ml import MLClient

+# Supported connections include:

+# Connection: azureml:<workspace_connection_name>

+# Supported paths include:

+# Datastore: azureml://datastores/<data_store_name>/paths/<my_path>/${{name}}

+ml_client = MLClient.from_config()

+data_import = DataImport(

+ name="<name>",

+ source=FileSystem(connection="<connection>", path="<path_on_source>"),

+ path="<path>"

+ )

+ml_client.data.import_data(data_import=data_import)

+```

+## Check the import status of external data sources

+The data import action is an asynchronous action. It can take a long time. After submission of an import data action via the CLI or SDK, the Azure Machine Learning service might need several minutes to connect to the external data source. Then the service would start the data import and handle data caching and registration. The time needed for a data import also depends on the size of the source data set.

+The next example returns the status of the submitted data import activity. The command or method uses the "data asset" name as the input to determine the status of the data materialization.

+# [Azure CLI](#tab/cli)

+```cli

+> az ml data list-materialization-status --name <name>

+```

+# [Python SDK](#tab/Python-SDK)

+```python

+from azure.ai.ml.entities import DataImport

+from azure.ai.ml import MLClient

+ml_client = MLClient.from_config()

+ml_client.data.show_materialization_status(name="<name>")

+```

+## Next steps

+- [Read data in a job](how-to-read-write-data-v2.md#read-data-in-a-job)

+- [Working with tables in Azure Machine Learning](how-to-mltable.md)

+- [Access data from Azure cloud storage during interactive development](how-to-access-data-interactive.md)

+# Troubleshooting environment issues

+In this article, learn how to troubleshoot common problems you may encounter with environment image builds and learn about AzureML environment vulnerabilities.

+## Vulnerabilities in AzureML Environments

+### Scan for Vulnerabilities

+You can monitor and maintain environment hygiene with [Microsoft Defender for Container Registry](../defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md) to help scan images for vulnerabilities.

+To automate this process based on triggers from Microsoft Defender, see [Automate responses to Microsoft Defender for Cloud triggers](../defender-for-cloud/workflow-automation.md).

+### Vulnerabilities vs Reproducibility

+### *Curated Environments*

+Curated environments are pre-created environments that Azure Machine Learning manages and are available by default in every Azure Machine Learning workspace provisioned. New versions are released by Azure Machine Learning to address vulnerabilities. Whether you use the latest image may be a tradeoff between reproducibility and vulnerability management.

+Curated Environments contain collections of Python packages and settings to help you get started with various machine learning frameworks. You're meant to use them as is. These pre-created environments also allow for faster deployment time.

+### *User-managed Environments*

+In user-managed environments, you're responsible for setting up your environment and installing every package that your training script needs on the

+Once you install more dependencies on top of a Microsoft-provided image, or bring your own base image, vulnerability management becomes your responsibility.

+### *System-managed Environments*

+You use system-managed environments when you want conda to manage the Python environment for you. Azure Machine Learning creates a new isolated conda environment by materializing your conda specification on top of a base Docker image. While Azure Machine Learning patches base images with each release, whether you use the

+### Vulnerabilities: Common Issues

+### *Vulnerabilities in Base Docker Images*

+System vulnerabilities in an environment are usually introduced from the base image. For example, vulnerabilities marked as "Ubuntu" or "Debian" are from the system level of the environmentΓÇôthe base Docker image. If the base image is from a third-party issuer, please check if the latest version has fixes for the flagged vulnerabilities. Most common sources for the base images in Azure Machine Learning are:

+- Microsoft Artifact Registry (MAR) aka Microsoft Container Registry (mcr.microsoft.com).

+ - Images can be listed from MAR homepage, calling _catalog API, or [/tags/list](https://mcr.microsoft.com/v2/azureml/openmpi4.1.0-ubuntu20.04/tags/list)_

+ - Source and release notes for training base images from AzureML can be found in [Azure/AzureML-Containers](https://github.com/Azure/AzureML-Containers)

+- Nvidia (nvcr.io, or [nvidia's Profile](https://hub.docker.com/u/nvidia/#!))

+If the latest version of your base image does not resolve your vulnerabilities, base image vulnerabilities can be addressed by installing versions recommended by a vulnerability scan:

+```

+apt-get install -y library_name

+```

+### *Vulnerabilities in Python Packages*

+Vulnerabilities can also be from installed Python packages on top of the system-managed base image. These Python-related vulnerabilities should be resolved by updating your Python dependencies. Python (pip) vulnerabilities in the image usually come from user-defined dependencies.

+To search for known Python vulnerabilities and solutions please see [GitHub Advisory Database](https://github.com/advisories). To address Python vulnerabilities, update the package to the version that has fixes for the flagged issue:

+```

+pip install -u my_package=={good.version}

+```

+If you're using a conda environment, update the reference in the conda dependencies file.

+In some cases, Python packages will be automatically installed during conda's setup of your environment on top of a base Docker image. Mitigation steps for those are the same as those for user-introduced packages. Conda installs necessary dependencies for every environment it materializes. Packages like cryptography, setuptools, wheel, etc. will be automatically installed from conda's default channels. There's a known issue with the default anaconda channel missing latest package versions, so it's recommended to prioritize the community-maintained conda-forge channel. Otherwise, please explicitly specify packages and versions, even if you don't reference them in the code you plan to execute on that environment.

+### *Cache issues*

+Machine Learning doesn't delete images from your container registry, and it's your responsibility to evaluate which images you need to maintain over time.

+## Troubleshooting environment image builds

+Learn how to troubleshoot issues with environment image builds and package installations.

+This issue can happen when a command isn't recognized during an image build or in the specified Python package requirement.

+### Invalid operator

+<!--issueDescription-->

+This issue can happen when pip fails to install a Python package due to an invalid operator found in the requirement.

+**Potential causes:**

+* There's an invalid operator found in the Python package requirement

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+<!--/issueDescription-->

+**Troubleshooting steps**

+* Ensure that you've spelled the package correctly and that the specified version exists

+* Ensure that your package version specifier is formatted correctly and that you're using valid comparison operators. See [Version specifiers](https://peps.python.org/pep-0440/#version-specifiers)

+* Replace the invalid operator with the operator recommended in the error message

+### No matching distribution

+<!--issueDescription-->

+This issue can happen when there's no package found that matches the version you specified.

+**Potential causes:**

+* You spelled the package name incorrectly

+* The package and version can't be found on the channels or feeds that you specified

+* The version you specified doesn't exist

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because Azure Machine Learning implicitly builds the environment in the first step.

+<!--/issueDescription-->

+**Troubleshooting steps**

+* Ensure that you've spelled the package correctly and that it exists

+* Ensure that the version you specified for the package exists

+* Run `pip install --upgrade pip` and then run the original command again

+* Ensure the pip you're using can install packages for the desired Python version. See [Should I use pip or pip3?](https://stackoverflow.com/questions/61664673/should-i-use-pip-or-pip3)

+**Resources**

+* [Running Pip](https://pip.pypa.io/en/stable/user_guide/#running-pip)

+* [pypi](https://aka.ms/azureml/environment/pypi)

+* [Installing Python Modules](https://docs.python.org/3/installing/https://docsupdatetracker.net/index.html)

+## *Apt-Get Issues*

+### Failed to run apt-get command

+<!--issueDescription-->

+This issue can happen when apt-get fails to run.

+**Potential causes:**

+* Network connection issue, which could be temporary

+* Broken dependencies related to the package you're running apt-get on

+* You don't have the correct permissions to use the apt-get command

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because it will implicitly build the environment in the first step.

+<!--/issueDescription-->

+**Troubleshooting steps**

+* Check your network connection and DNS settings

+* Run `apt-get check` to check for broken dependencies

+* Run `apt-get update` and then run your original command again

+* Run the command with the `-f` flag, which will try to resolve the issue coming from the broken dependencies

+* Run the command with `sudo` permissions, such as `sudo apt-get install <package-name>`

+**Resources**

+* [Package management with APT](https://help.ubuntu.com/community/AptGet/Howto)

+* [Ubuntu Apt-Get](https://manpages.ubuntu.com/manpages/xenial/man8/apt-get.8.html)

+* [What to do when apt-get fails](https://www.linux.com/news/what-do-when-apt-get-fails/#:~:text=Check%20the%20broken%20dependencies%E2%80%99%20availability.%20Run%20apt-get%20update,adding%20another%20source%2C%20then%20run%20apt-get%20install%20again)

+* [apt-get command in Linux with Examples](https://www.geeksforgeeks.org/apt-get-command-in-linux-with-examples/)

+## *Command Not Found*

+### Command not recognized

+<!--issueDescription-->

+This issue can happen when the command being run isn't recognized.

+**Potential causes:**

+* You haven't installed the command via your Dockerfile before you try to execute the command

+* You haven't included the command in your path, or you haven't added it to your path

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because it will implicitly build the environment in the first step.

+<!--/issueDescription-->

+**Troubleshooting steps**

+Ensure that you have an installation step for the command in your Dockerfile before trying to execute the command

+* Review this [example](https://stackoverflow.com/questions/67186341/make-install-in-dockerfile)

+If you've tried installing the command and are experiencing this issue, ensure that you've added the command to your path

+* Review this [example](https://stackoverflow.com/questions/27093612/in-a-dockerfile-how-to-update-path-environment-variable)

+* Review how to set [environment variables in a Dockerfile](https://docs.docker.com/engine/reference/builder/#env)

+To access Grafana APIs, you need to get an access token. You can get the access token using the Azure CLI or making a POST request.

+### [Azure CLI](#tab/azure-cli)

+Sign in to the Azure CLI by running the [az login](/cli/azure/reference-index#az-login) command and replace `<client-id>`, `<client-secret>`, and `<tenant-id>` with the application (client) ID, client secret, and tenant ID collected in the previous step:

+```

+az login --service-principal --username "<client-id>" --password "<client-secret>" --tenant "<tenant-id>"

+```

+Use the command [az grafana api-key create](/cli/azure/grafana/api-key#az-grafana-api-key-create) to create a key. Here's an example output:

+```

+az grafana api-key create --key keyname --name <name> --resource-group <rg> --resource-group editor --output json

+{

+ "id": 3,

+ "key": "<redacted>",

+ "name": "keyname"

+}

+```

+> [!NOTE]

+> You can only view this key here once. Save it in a secure place.

+### [POST request](#tab/post)

+Follow the example below to call Azure AD and retrieve a token. Replace `<tenant-id>`, `<client-id>`, and `<client-secret>` with the tenant ID, application (client) ID, and client secret collected in the previous step.

+ Title: Query Store - Azure Database for PostgreSQL - Flexible Server

+description: This article describes the Query Store feature in Azure Database for PostgreSQL - Flexible Server.

+> [!NOTE]

+> **pg_qs.query_capture_mode** supersedes **pgms_wait_sampling.query_capture_mode**. If pg_qs.query_capture_mode is NONE, the pgms_wait_sampling.query_capture_mode setting has no effect.

+A primary server for Azure Database for PostgreSQL - Flexible Server can be deployed in [any region that supports the service](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=postgresql&regions=all). You can create replicas of the primary server within the same region or across different global Azure regions where Azure Database for PostgreSQL - Flexible Server is available. However, it is important to note that replicas cannot be created in [special Azure regions](../../virtual-machines/regions.md#special-azure-regions), regardless of whether they are in-region or cross-region.

+You are free to change server parameters on your read replica server and set different values than on the primary server. The only exception are parameters that might affect recovery of the replica, mentioned also in the "Scaling" section below: max_connections, max_prepared_transactions, max_locks_per_transaction, max_wal_senders, max_worker_processes. Please ensure these parameters are always [greater than or equal to the setting on the primary](https://www.postgresql.org/docs/current/hot-standby.html#HOT-STANDBY-ADMIN) to ensure that the replica does not run out of shared memory during recovery.

+* PostgreSQL requires several parameters on replicas to be [greater than or equal to the setting on the primary](https://www.postgresql.org/docs/current/hot-standby.html#HOT-STANDBY-ADMIN) to ensure that the replica does not run out of shared memory during recovery. The parameters affected are: max_connections, max_prepared_transactions, max_locks_per_transaction, max_wal_senders, max_worker_processes.

+| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+## Release: April 2023

+* Public preview of [Query Performance Insight](./concepts-query-performance-insight.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+**A.** We aren't stopping the ability to create new single servers immediately, so you can continue to create new single servers through CLI to meet your business needs for all PostgreSQL versions supported on Azure Database for PostgreSQL ΓÇô Single Server. We strongly encourage you to explore Flexible Server and see if that will meet your needs. Don't hesitate to contact us if necessary so we can guide you and suggest the best path forward for you.

+- [What is flexible server?](../flexible-server/overview.md)

+This article applies to the AP5GC 2303 release (PMN-2303-0). This release is compatible with the ASE Pro 1 GPU and ASE Pro 2 running the ASE 2301 and ASE 2303 releases, and is supported by the 2022-04-01-preview and 2022-11-01 [Microsoft.MobileNetwork](/rest/api/mobilenetwork) API versions.

+## March 2023

+### Packet core 2303

+**Type:** New release

+**Date available:** March 30, 2023

+The 2303 release for the Azure Private 5G Core packet core is now available. For more information, see [Azure Private 5G Core 2303 release notes](azure-private-5g-core-release-notes-2303.md).

+|[Classic Storage](https://azure.microsoft.com/updates/classic-azure-storage-accounts-will-be-retired-on-31-august-2024/) | Aug 24 | [Migrate Classic Storage to ARM](/azure/storage/common/classic-account-migration-overview?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Storage Mover](reliability-azure-storage-mover.md)|

+### Azure Container Apps

+This section outlines variations and considerations when using Azure Container Apps services.

+| Product | Unsupported, limited, and/or modified features | Notes |

+||--||

+| Azure Monitor| The Azure Monitor integration is not supported in Azure China |

+| Azure Container Apps Default Domain | \*.azurecontainerapps.io | No default domain is provided for external enviromment. The [custom domain](/azure/container-apps/custom-domains-certificates) is required. |

+| Azure Container Apps Event Stream Endpoint | \<region\>.azurecontainerapps.dev | \<region\>.chinanorth3.azurecontainerapps-dev.cn |

+> [!Important]

+> Each VIS resource has a unique Managed Resource Group associated with. This Resource Group contains resources like Storage Account, Keyvault etc. which are critical for Azure Center for SAP solutions service to provide capabilities like deployment of infrastructure for a new system, installation of SAP software, registration of existing systems and all other SAP system management functions. Please do not delete this RG or any resources within it. If they are deleted, you will have to re-register the VIS to use any capabilities of ACSS.

+[3108316]:https://launchpad.support.sap.com/#/notes/3108316

+ Configure RHEL as described in SAP Note [2002167] for RHEL 7.x, SAP Note [2772999] for RHEL 8.x or SAP note [3108316] for RHEL 9.x.

+ # If using RHEL 7.x

+ # If using RHEL 8.x or later

+ ```bash

+ sudo yum install -y pcs pacemaker fence-agents-azure-arm nmap-ncat

+ ```bash

+> [!IMPORTANT]

+> Even for non-DBMS usage, you should use the preview functionality that allows you to create the NFS share in the same Azure Availability Zones as you placed your VM(s) that should mount the NFS shares into. This functionality is documented in the article [Manage availability zone volume placement for Azure NetApp Files](../../azure-netapp-files/manage-availability-zone-volume-placement.md). The motivation to have this type of Availability Zone alignment is the reduction of risk surface by having the NFS shares yet in another AvZone where you don't run VMs in.

+You can implement this architecture by creating multiple services and designing a strategy for data synchronization. Optionally, you can include a resource like Azure Traffic Manager for routing requests.

+> [!TIP]

+> For help in deploying multiple search services across multiple regions, see this [Bicep sample on GitHub](https://github.com/Azure-Samples/azure-search-multiple-regions) that deploys a fully configured, multi-regional search solution. The sample gives you two options for index synchronization, and request redirection using Traffic Manager.

+## April 2023

+| Item&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

+|--||--|

+| [**Multi-region deployment of Azure Cognitive Search for business continuity and disaster recovery**](https://github.com/Azure-Samples/azure-search-multiple-regions) | Sample | Deployment scripts that fully configure a multi-regional solution for Azure Cognitive Search, with options for synchronizing content and request redirection if an endpoint fails.|

+To continue using Service Bus, Relay, and Event Hubs, move to Resource Manager by November 30, 2021. We encourage all customers who are still using old APIs to make the switch soon to take advantage of the extra benefits of Resource Manager, which include resource grouping, tags, a streamlined deployment and management process, and fine-grained access control using Azure role-based access control (Azure RBAC).

+| Service Manager APIs (Deprecated) | Resource Manager - Service Bus API | Resource Manager - Event Hubs API | Resource Manager - Relay API |

+| **Namespaces-GetNamespaceAsync** <br/>[Service Bus Get Namespace](/rest/api/servicebus/get-namespace)<br/>[Event Hubs Get Namespace](/rest/api/eventhub/get-event-hub)<br/>[Relay Get Namespace](/rest/api/servicebus/get-relays)<br/> ```GET https://management.core.windows.net/{subscription ID}/services/ServiceBus/Namespaces/{namespace name}``` | [get](/rest/api/servicebus/stable/namespaces/get) | [get](/rest/api/eventhub/stable/namespaces/get) | [get](/rest/api/relay/namespaces/get) |

+| Get-AzureSBAuthorizationRule | [Get-AzureRmServiceBusAuthorizationRule](/powershell/module/azurerm.servicebus/get-azurermservicebusauthorizationrule) | [Get-AzServiceBusAuthorizationRule](/powershell/module/az.servicebus/get-azservicebusauthorizationrule) |

+| Get-AzureSBLocation | [Get-AzureRmServiceBusGeoDRConfiguration](/powershell/module/azurerm.servicebus/get-azurermservicebusgeodrconfiguration) | [Get-AzServiceBusGeoDRConfiguration](/powershell/module/az.servicebus/get-azservicebusgeodrconfiguration) |

+| Get-AzureSBNamespace | [Get-AzureRmServiceBusNamespace](/powershell/module/azurerm.servicebus/get-azurermservicebusnamespace) | [Get-AzServiceBusNamespace](/powershell/module/az.servicebus/get-azservicebusnamespace) |

+| New-AzureSBAuthorizationRule | [New-AzureRmServiceBusAuthorizationRule](/powershell/module/azurerm.servicebus/new-azurermservicebusauthorizationrule) | [New-AzServiceBusAuthorizationRule](/powershell/module/az.servicebus/new-azservicebusauthorizationrule) |

+| New-AzureSBNamespace | [New-AzureRmServiceBusNamespace](/powershell/module/azurerm.servicebus/new-azurermservicebusnamespace) | [New-AzServiceBusNamespace](/powershell/module/az.servicebus/new-azservicebusnamespace) |

+| Remove-AzureSBAuthorizationRule | [Remove-AzureRmServiceBusAuthorizationRule](/powershell/module/azurerm.servicebus/remove-azurermservicebusauthorizationrule) | [Remove-AzServiceBusAuthorizationRule](/powershell/module/az.servicebus/remove-azservicebusauthorizationrule) |

+| Remove-AzureSBNamespace | [Remove-AzureRmServiceBusNamespace](/powershell/module/azurerm.servicebus/remove-azurermservicebusnamespace) | [Remove-AzServiceBusNamespace](/powershell/module/az.servicebus/remove-azservicebusnamespace) |

+| Set-AzureSBAuthorizationRule | [Set-AzureRmServiceBusAuthorizationRule](/powershell/module/azurerm.servicebus/set-azurermservicebusauthorizationrule) | [Set-AzServiceBusAuthorizationRule](/powershell/module/az.servicebus/set-azservicebusauthorizationrule) |

+> [!NOTE]

+> When a client tries to get the info about a queue or topic, the Service Bus service returns some static information like name, last updated time, created time, requires session or not etc., and some dynamic information like message counts. If the request gets throttled, the service returns the static information and empty dynamic information. That's why message counts are shown as 0 when the namespace is being throttled. This behavior is by design.

+|Entity Name| Service Bus supports messaging entities under the namespace. With the 'Incoming Requests' metric, the Entity Name dimension will have a value of '-NamespaceOnlyMetric-' in addition to all your queues and topics. This represents the request, which was made at the namespace level. Examples include a request to list all queues/topics under the namespace or requests to entities that failed authentication or authorization.|

+* [Application Insights Correlation](../azure-monitor/app/distributed-tracing-telemetry-correlation.md)

+openssl req -newkey rsa:2048 -nodes -keyout TestCert.prv -x509 -days 365 -out TestCert.pem

+cat TestCert.prv >> TestCert.pem

+echo "Hello World!" > plaintext.txt

+iconv -f ASCII -t UTF-16LE plaintext.txt -o plaintext_UTF-16.txt

+openssl smime -encrypt -in plaintext_UTF-16.txt -binary -outform der TestCert.pem | base64 > encrypted.txt

+PRINCIPAL_ID=$(az resource show --id /subscriptions/<YOUR SUBSCRIPTON>/resourceGroups/<YOUR RG>/providers/Microsoft.Compute/virtualMachineScaleSets/<YOUR SCALE SET> --api-version 2018-06-01 | python -c "import sys, json; print(json.load(sys.stdin)['identity']['principalId'])")

+az role assignment create --assignee $PRINCIPAL_ID --role 'Contributor' --scope "/subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/<PROVIDER NAME>/<RESOURCE TYPE>/<RESOURCE NAME>"

+ACCESS_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true | python -c "import sys, json; print json.load(sys.stdin)['access_token']")

+COSMOS_DB_PASSWORD=$(curl 'https://management.azure.com/subscriptions/<YOUR SUBSCRIPTION>/resourceGroups/<YOUR RG>/providers/Microsoft.DocumentDB/databaseAccounts/<YOUR ACCOUNT>/listKeys?api-version=2016-03-31' -X POST -d "" -H "Authorization: Bearer $ACCESS_TOKEN" | python -c "import sys, json; print(json.load(sys.stdin)['primaryMasterKey'])")

+> For Spring Boot applications, to see metrics from Spring Boot Actuator, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md).

+**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise

+Azure Spring Apps intelligently schedules your applications on the underlying Kubernetes worker nodes. To provide high availability, Azure Spring Apps distributes applications with two or more instances on different nodes.

+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, Canada East, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2, China North 2, and China North 3. [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)

+* `spring.application.name` is overridden by the application name that's used to create each application.

+* `server.port` defaults to port 1025. If any other value is applied, it's overridden, so don't specify a server port in your code.

+* The Azure portal, Azure Resource Manager templates, and Terraform don't support uploading application packages. You can upload application packages by deploying the application using the Azure CLI, Azure DevOps, Maven Plugin for Azure Spring Apps, Azure Toolkit for IntelliJ, and the Visual Studio Code extension for Azure Spring Apps.

+We're not actively developing more capabilities for Service Binding. Instead, there's a new Azure-wise solution named [Service Connector](../service-connector/overview.md). On the one hand, the new solution brings you consistent integration experience across App hosting services on Azure like App Service. On the other hand, it covers your needs better by starting with supporting 10+ most used target Azure services including MySQL, SQL DB, Azure Cosmos DB, Postgres DB, Redis, Storage and more. Service Connector is currently in Public Preview, we invite you to try out the new experience.

+> After you create an Enterprise tier instance, your entitlement is ready within ten business days. If you encounter any exceptions, raise a support ticket with Microsoft to get help with it.

+### I'm a Spring developer but new to Azure. What's the quickest way for me to learn how to develop an application in Azure Spring Apps?

+We've identified an issue with Spring Boot 2.4 and are currently working with the Spring community to resolve it. In the meantime, include these two dependencies to enable TLS authentication between your apps and Eureka.

+Azure Spring Apps supports exporting Spring application logs and metrics to Azure Storage, Event Hubs, and [Log Analytics](../azure-monitor/logs/data-platform-logs.md). The table name in Log Analytics is *AppPlatformLogsforSpring*. To learn how to enable it, see [Diagnostic services](diagnostic-services.md).

+Yes. For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md).

+### When I delete/move an Azure Spring Apps service instance, are its extension resources deleted/moved as well?

+It depends on the logic of resource providers that own the extension resources. The extension resources of a `Microsoft.AppPlatform` instance don't belong to the same namespace, so the behavior varies by resource provider. For example, the delete/move operation won't cascade to the **diagnostics settings** resources. If a new Azure Spring Apps instance is provisioned with the same resource ID as the deleted one, or if the previous Azure Spring Apps instance is moved back, the previous **diagnostics settings** resources continue extending it.

+### How long are Java 8, Java 11, and Java 17 LTS versions supported?

+Public notice is sent out at 12 months before any old runtime version is retired. You have 12 months to migrate to a later version.

+* Subscription admins get email notification when we retire a Java version.

+* The retirement information is published in the documentation.

+### Whether and when is my application restarted?

+### How long is .NET Core 3.1 supported?

+Until December 3, 2022. See [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+In some rare scenarios, you may see errors like the following from your application logs:

+The Spring framework raises this issue at a low rate due to network instability or other network issues. There should be no impacts to the user experience. The Eureka client has both heartbeat and retry policy to take care of this problem. You can consider it a transient error and skip it safely.

+**This article applies to:** ✔️ Standard consumption (Preview) ✔️ Basic/Standard ❌️ Enterprise

+* In the navigation pane, select **Application Insights** to view the **Overview** page of Application Insights. The **Overview** page shows you an overview of all running applications.

+* In the navigation pane, select **Performance** to see the performance data of all applications' operations, dependencies, and roles.

+* In the navigation pane, select **Failures** to see any unexpected failures or exceptions from your applications.

+* In the navigation pane, select **Metrics** and select the namespace to see both Spring Boot metrics and custom metrics, if any.

+* In the navigation pane, select **Live Metrics** to see the real-time metrics for different dimensions.

+* In the navigation pane, select **Availability** to monitor the availability and responsiveness of Web apps by creating [Availability tests in Application Insights](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability).

+* In the navigation pane, select **Logs** to view all applications' logs, or one application's logs when filtering by `cloud_RoleName`.

+> Don't use the same Application Insights instance in different Azure Spring Apps instances, or you're shown mixed data.

+Automation in Enterprise tier is pending support. Documentation is added as soon as it's available.

+* [Use Application Insights Java In-Process Agent in Azure Spring Apps](./how-to-application-insights.md)

+**This article applies to:** ✔️ Basic/Standard ❌ Enterprise

+Persistent storage is a file-share container managed by Azure and allocated per application. All instances of an application share data stored in persistent storage. An Azure Spring Apps instance can have a maximum of 10 applications with persistent storage enabled. Each application is allocated 50 GB of persistent storage. The default mount path for persistent storage is */persistent*.

+ ```azurecli

+ az spring app create -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true

+ ```

+ ```azurecli

+ az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage true

+ ```

+ ```azurecli

+ az spring app update -n <app> -g <resource-group> -s <service-name> --enable-persistent-storage false

+ ```

+> If you disable an application's persistent storage, all of that storage is deallocated and all of the stored data is permanently lost.

+**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise

+For a service runtime subnet, the minimum size is /28.

+**This article applies to:** ✔️ Standard consumption (Preview) ✔️ Basic/Standard ❌️ Enterprise

+By default, Azure Spring Apps prints the *info* level logs of the Dynatrace OneAgent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs.

+> We strongly recommend that you don't override the default logging behavior provided by Azure Spring Apps for Dynatrace. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't output the `DT_LOGLEVELFILE` environment variable to your applications.

+The Dynatrace OneAgent auto-upgrade is disabled and is upgraded quarterly with the JDK. Agent upgrade may affect the following scenarios:

+* Existing applications using Dynatrace OneAgent before upgrade are unchanged, but require restart or redeploy to engage the new version of Dynatrace OneAgent.

+* Applications created after upgrade use the new version of Dynatrace OneAgent.

+* [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md)

+Tanzu Service Registry is one of the commercial VMware Tanzu components. This component helps you apply the *service discovery* design pattern to your applications.

+**This article applies to:** ✔️ Standard consumption (Preview) ✔️ Basic/Standard ✔️ Enterprise

+Azure Spring Apps preinstalls the New Relic Java agent to */opt/agents/newrelic/java/newrelic-agent.jar*. Customers can activate the agent from applications' **JVM options**, and configure the agent using the [New Relic Java agent environment variables](https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables).

+By default, Azure Spring Apps prints the logs of the New Relic Java agent to `STDOUT`. The logs are mixed with the application logs. You can find the explicit agent version from the application logs.

+You can use some environment variables provided by New Relic to configure the logging of the New Agent, such as, `NEW_RELIC_LOG_LEVEL` to control the level of logs. For more information, see [New Relic Environment Variables](https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables).

+> We strongly recommend that you don't override the logging default behavior provided by Azure Spring Apps for New Relic. If you do, the logging scenarios previously described are blocked, and the log file(s) may be lost. For example, you shouldn't pass the following environment variables to your applications. Log file(s) may be lost after restart or redeployment of application(s).

+The New Relic Java agent update/upgrade the JDK regularly. The agent update/upgrade may impact following scenarios.

+* Existing applications that use the New Relic Java agent before update/upgrade are unchanged.

+* New applications created after update/upgrade use the new version of the New Relic Java agent.

+* [Use Application Insights Java In-Process Agent in Azure Spring Apps](how-to-application-insights.md)

+**This article applies to:** ✔️ Basic/Standard ✔️ Enterprise

+1. Generate the code for the sample app by using Spring Initializr with [this configuration](https://start.spring.io/#!type=maven-project&language=java&packaging=jar&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client).

+ az spring app create \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name demo \

+ --runtime-version Java_17 \

+ --assign-endpoint

+ az spring app deploy \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name demo \

+ --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar

+ az spring app deployment create \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --app demo \

+ --name green \

+ --runtime-version Java_17 \

+ --artifact-path target\hellospring-0.0.1-SNAPSHOT.jar

+1. From the navigation pane, open the **Apps** pane to view apps for your service instance.

+az spring app deploy \

+ --resource-group <resource-group-name> \

+ --service <service-instance-name> \

+ --name gateway \

+ --deployment green \

+ --jar-path gateway.jar

+az spring app deployment delete \

+ --resource-group <resource-group-name> \

+ --service <service-instance-name> \

+ --name <staging-deployment-name> \

+ --app gateway

+[Application Live View for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.4/tap/app-live-view-about-app-live-view.html) is a lightweight insights and troubleshooting tool that helps app developers and app operators look inside running apps.

+[API portal](https://docs.vmware.com/en/API-portal-for-VMware-Tanzu/1.1/api-portal/GUID-https://docsupdatetracker.net/index.html) is one of the commercial VMware Tanzu components. API portal supports viewing API definitions from [Spring Cloud Gateway for VMware Tanzu®](./how-to-use-enterprise-spring-cloud-gateway.md) and testing of specific API routes from the browser. It also supports enabling single sign-on (SSO) authentication via configuration.

+| predicates | A list of predicates. See [Available Predicates](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-configuring-routes.html#available-predicates). |

+| filters | A list of filters. See [Available Filters](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-configuring-routes.html#available-filters). |

+For more examples of commercial filters, see [Commercial Route Filters](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#filters-added-in-spring-cloud-gateway-for-kubernetes) in the VMware Spring Cloud Gateway documentation. These examples are written using Kubernetes resource definitions.

+The following example shows how to use the [AddRequestHeadersIfNotPresent](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#add-request-headers-if-not-present) filter by converting the Kubernetes resource definition.

+[Application Live View for VMware Tanzu](https://docs.vmware.com/en/VMware-Tanzu-Application-Platform/1.4/tap/app-live-view-about-app-live-view.html) is a lightweight insights and troubleshooting tool that helps app developers and app operators look inside running apps.

+**This article applies to:** ✔️ Basic/Standard ❌ Enterprise

+1. Create an app for the `PlanetWeatherProvider` project in your Azure Spring Apps instance.

+ To enable automatic service registration, you've given the app the same name as the value of `spring.application.name` in the project's *appsettings.json* file:

+ az spring app deploy \

+ --name planet-weather-provider \

+ --runtime-version NetCore_31 \

+ --main-entry Microsoft.Azure.SpringCloud.Sample.PlanetWeatherProvider.dll \

+ --artifact-path ./publish-deploy-planet.zip

+ az spring app deploy \

+ --name solar-system-weather \

+ --runtime-version NetCore_31 \

+ --main-entry Microsoft.Azure.SpringCloud.Sample.SolarSystemWeather.dll \

+ --artifact-path ./publish-deploy-solar.zip

+ az spring app update --name solar-system-weather --assign-endpoint true

+ az spring app show --name solar-system-weather --output table

+- [JDK 17](/azure/developer/java/fundamentals/java-jdk-install)

+```bash

+ az spring app create \

+ --name api-gateway \

+ --runtime-version Java_17 \

+ --instance-count 1 \

+ --memory 2Gi \

+ --assign-endpoint

+ az spring app create \

+ --name customers-service \

+ --runtime-version Java_17 \

+ --instance-count 1 \

+ --memory 2Gi

+Access the app gateway and customers service from browser with the **Public Url** shown previously, in the format of `https://<service name>-api-gateway.azuremicroservices.io`.

+az spring app create \

+ --name admin-server \

+ --runtime-version Java_17 \

+ --instance-count 1 \

+ --memory 2Gi \

+ --assign-endpoint

+az spring app create \

+ --name vets-service \

+ --runtime-version Java_17 \

+ --instance-count 1 \

+ --memory 2Gi

+az spring app create \

+ --name visits-service \

+ --runtime-version Java_17 \

+ --instance-count 1 \

+ --memory 2Gi

+az spring app deploy \

+ --name admin-server \

+ --runtime-version Java_17 \

+ --jar-path spring-petclinic-admin-server/target/spring-petclinic-admin-server-3.0.1.jar \

+ --jvm-options="-Xms1536m -Xmx1536m"

+az spring app deploy \

+ --name vets-service \

+ --runtime-version Java_17 \

+ --jar-path spring-petclinic-vets-service/target/spring-petclinic-vets-service-3.0.1.jar \

+ --jvm-options="-Xms1536m -Xmx1536m"

+az spring app deploy \

+ --name visits-service \

+ --runtime-version Java_17 \

+ --jar-path spring-petclinic-visits-service/target/spring-petclinic-visits-service-3.0.1.jar \

+ --jvm-options="-Xms1536m -Xmx1536m"

+```bash

+ ```bash

+ You're asked to select:

+ ```bash

+Correct the app names in each *pom.xml* file for these modules, and then run the `deploy` command again.

+1. Start the deployment by selecting the **Run** button at the bottom of the **Deploy Azure Spring Apps app** dialog. The plug-in runs the command `mvn package` on the `api-gateway` app and deploys the JAR file generated by the `package` command.

+Repeat the previous steps to deploy `customers-service` and other Pet Clinic apps to Azure Spring Apps:

+**This article applies to:** ✔️ Basic/Standard ❌️ Enterprise

+This series of quickstarts uses a sample app composed of two Spring apps to show how to deploy a .NET Core Steeltoe app to the Azure Spring Apps service. You use Azure Spring Apps capabilities such as service discovery, config server, logs, metrics, and distributed tracing.

+ ```yaml

+ MercuryWeather: very warm

+ VenusWeather: quite unpleasant

+ MarsWeather: very cool

+ SaturnWeather: a little bit sandy

+ ```

+ ```json

+ [{

+ "Key": "Mercury",

+ "Value": "very warm"

+ }, {

+ "Key": "Venus",

+ "Value": "quite unpleasant"

+ }, {

+ "Key": "Mars",

+ "Value": "very cool"

+ }, {

+ "Key": "Saturn",

+ "Value": "a little bit sandy"

+ }]

+ ```

+In this quickstart, we use the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices) to show you how to deploy apps to the Azure Spring Apps service. The **Pet Clinic** sample demonstrates the microservice architecture pattern and highlights the services breakdown. You see how to deploy services to Azure with Azure Spring Apps capabilities such as service discovery, config server, logs, metrics, distributed tracing, and developer-friendly tooling support.

+PetClinic is decomposed into four core Spring apps. All of them are independently deployable applications organized by business domains.

+* **Visits service**: Stores and shows visits information for each pet's comments.

+Spring Cloud Gateway includes route filters from the Open Source version and several more route filters. One of these filters is the [RateLimit: Limiting user requests filter](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#ratelimit-limiting-user-requests-filter). The RateLimit filter limits the number of requests allowed per route during a time window.

+ For more information, see [Metrics](./concept-metrics.md).

+ > [!NOTE]

+ > These metrics are available only for Spring Boot applications. To enable these metrics, add the `spring-boot-starter-actuator` dependency. For more information, see the [Add actuator dependency](concept-manage-monitor-app-spring-boot-actuator.md#add-actuator-dependency) section of [Manage and monitor app with Spring Boot Actuator](concept-manage-monitor-app-spring-boot-actuator.md).

+> [!NOTE]

+> To prevent accidentally exposing your function app to anonymous traffic, the identity provider created by the linking process is not automatically deleted. You can delete the identity provider named *Azure Static Web Apps (Linked)* from the function app's authentication settings.

+ Title: Monitor copy logs in Azure Storage Mover

+description: Learn how to monitor the status of Azure Storage Mover migration jobs.

+<!--

+!########################################################

+STATUS: DRAFT

+CONTENT:

+REVIEW Stephen/Fabian: Reviewed

+REVIEW Engineering: not reviewed

+EDIT PASS: started

+Initial doc score: 97 (1212 words and 2 issues)

+!########################################################

+-->

+# How to enable Azure Storage Mover copy and job logs

+When you use a migration tool to move your critical data from on-premises sources to Azure destination targets, you want to be able to monitor operations for potential issues. The data relating to the operations performed during your migration can be stored as either logs entries or metrics. When configured, Azure Storage Mover can provide **Copy logs** and **Job run logs**. These logs are especially useful because they allow you to trace the migration result of job runs and of individual files.

+Both the copy and job run logs can be sent to an Azure Analytics Workspace. Analytics workspaces are storage units where Azure services store the log data they generate. Log Analytics is integrated into the Storage Mover portal experience. This integration allows you to see the relevant logs for your copy jobs within the same surface you use to manage them. More importantly, the integration also allows you to create and run log queries from multiple logs and interactively analyze their results.

+> [!IMPORTANT]

+> Before you can access your migration's log data, you need to ensure that you've created an Azure Analytics Workspace and configured your Storage Mover instance to use it. Any logs generated prior to this configuration will be lost. You may be able to retrieve limited log information directly from the agent.

+This article describes the steps involved in creating an analytics workspace and to configure a diagnostic setting within a storage mover resource.

+## Configuring Azure Log Analytics and Storage Mover

+This section briefly describes how to configure an Azure Monitor Log Analytics Workspace and Storage Mover diagnostic settings. After completing the following steps, you'll be able to query the data provided by your Storage Mover resource.

+### Create a Log Analytics workspace

+Storage Mover collects copy and job logs, and stores the information in an Azure Log Analytics workspace. After you've created a workspace, you can configure Storage Mover to save its data there. If you don't have an existing workspace, you can create one in the Azure portal.

+Enter **Log Analytics** in the search box and select **Log Analytics workspace**. In the content pane, select either **Create** or **Create log analytics workspace** to create a workspace. Provide values for the **Subscription**, **Resource Group**, **Name**, and **Region** fields, and select **Review + Create**.

+You can get more detailed information about Log Analytics and its features by visiting the [Log Analytics overview](/azure/azure-monitor/logs/log-analytics-overview) article. If you prefer to view a tutorial, you can visit the [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial) instead.

+### Configure Storage Mover diagnostic settings

+After an analytics workspace has been created, you can specify it as the destination in which Storage Mover logs and metrics can be displayed.

+There are two options for configuring Storage Mover to send logs to your analytics workspace. First, you can configure diagnostic settings during the initial deployment of your top-level Storage Mover resource. The following example shows how to specify diagnostic settings in the Azure portal during Storage Mover resource creation.

+You may also choose to add a diagnostic setting to a Storage Mover resource after it's been deployed. To add the diagnostic setting, navigate to the Storage Mover resource. In the menu pane, select **Diagnostic settings** and then select **Add diagnostic setting** as shown in the following example.

+In the **Diagnostic setting** pane, provide a value for the **Diagnostic setting name**. Within the **Logs** group, select one or more log categories to be collected. You may also select the **Job runs** option within the **Metrics** group to view the results of your individual job runs. Within the **Destination details** group, select **Send to Log Analytics workspace**, the name of your subscription, and the name of the Log Analytics workspace to collect your log data. Finally, select **Save** to add your new diagnostic setting. You can view the image provided as a reference.

+After your Storage Mover diagnostic setting has been saved, it will be reflected on the Diagnostic settings screen within the **Diagnostic settings** table.

+## Analyzing logs

+All resource logs in Azure Monitor have the same fields, and are followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md).

+Storage Mover generates two tables, StorageMoverCopyLogsFailed and StorageMoverJobRunLogs. The schema for **StorageMoverCopyLogsFailed** is found in the [Azure Storage Copy log data reference](/azure/azure-monitor/reference/tables/StorageMoverCopyLogsFailed), and the schema for **StorageMoverJobRunLogs** is found in the [Azure Storage Job run log data reference](/azure/azure-monitor/reference/tables/StorageMoverJobRunLogs).

+Your log data is integrated into Storage Mover's Azure portal user interface (UI) experience. To access your log data, migrate to your top-level storage mover resource and select **Logs** from within the **Monitoring** group in the navigation pane. Close the initial **Welcome to Log Analytics** window displayed in the main content pane as shown in the following example.

+After the **Welcome** window is closed within the main content pane, the **New Query** window is displayed. In the schema and filter pane, ensure that the **Tables** object is selected and that the **StorageMoverCopyLogsFailed** and **StorageMoverJobRunLogs** tables are visible. Using Kusto Query Language (KQL) queries, you can begin extracting log data from the tables displayed within the schema and filter pane. Enter your query into the query editing field and select **Run** as shown in the following screen capture. A simple query example is also provided used to retrieve details on any failed copy operations from the previous 60 days.

+```kusto

+ StorageMoverCopyLogsFailed

+ | top 1000 by timeGenerated desc

+```

+### Sample Kusto queries

+After you send logs to Log Analytics, you can access those logs by using Azure Monitor log queries. For more information, see the [Log Analytics tutorial](../azure-monitor/logs/log-analytics-tutorial.md).

+The following sample queries provided can be entered in the **Log search** bar to help you monitor your migration. These queries work with the [new language](../azure-monitor/logs/log-query-overview.md).

+- To list all the files that failed to copy from a specific job run within the last 30 days.

+ ```kusto

+ StorageMoverCopyLogsFailed

+ | where TimeGenerated > ago(30d) and JobRunName == "[job run ID]"

+ ```

+- To list the 10 most common copy log error codes over the last seven days.

+ ```kusto

+ StorageMoverCopyLogsFailed

+ | where TimeGenerated > ago(7d)

+ | summarize count() by StatusCode

+ | top 10 by count_ desc

+ ```

+- To list the 10 most recent job failure error codes over the last three days.

+ ```kusto

+ StorageMoverJobRunLogs

+ | where TimeGenerated > ago(3d) and StatusCode != "AZSM0000"

+ | summarize count() by StatusCode

+ | top 10 by count_ desc

+ ```

+- To create a pie chart of failed copy operations grouped by job run over the last 30 days.

+ ```kusto

+ StorageMoverCopyLogsFailed

+ | where TimeGenerated > ago(30d)

+ | summarize count() by JobRunName

+ | sort by count_ desc

+ | render piechart

+ ```

+## Next steps

+Get started with any of these guides.

+- [Log Analytics workspaces](../azure-monitor/logs/log-analytics-workspace-overview.md)

+- [Azure Monitor Logs overview](../azure-monitor/logs/data-platform-logs.md)

+- [Diagnostic settings in Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md?tabs=portal)

+- [Azure Storage Mover support bundle overview](troubleshooting.md)

+- [Troubleshooting Storage Mover job run error codes](status-code.md)

+Azure Storage blob inventory provides a list of the containers, blobs, blob versions, and snapshots in your storage account, along with their associated properties. It generates an output report in either comma-separated values (CSV) or Apache Parquet format on a daily or weekly basis. You can use the report to audit retention, legal hold or encryption status of your storage account contents, or you can use it to understand the total data size, age, tier distribution, or other attributes of your data. You can also use blob inventory to simplify your business workflows or speed up data processing jobs, by using blob inventory as a scheduled automation of the [List Containers](/rest/api/storageservices/list-containers2) and [List Blobs](/rest/api/storageservices/list-blobs) APIs. Blob inventory rules allow you to filter the contents of the report by blob type, prefix, or by selecting the blob properties to include in the report.

+6. To copy a page blob snapshot to block blob, use the [Get-AzStorageBlob](/powershell/module/az.storage/get-azstorageblob) and [Copy-AzStorageBlob](/powershell/module/az.storage/copy-azstorageblob) command with `-DestBlobType` parameter as `Block`.

+ ```powershell

+ $containerName = '<source container name>'

+ $srcPageBlobName = '<source page blob name>'

+ $srcPageBlobSnapshotTime = '<snapshot time of source page blob>'

+ $destContainerName = '<destination container name>'

+ $destBlobName = '<destination block blob name>'

+ $destTier = '<destination block blob tier>'

+ Get-AzStorageBlob -Container $containerName -Blob $srcPageBlobName -SnapshotTime $srcPageBlobSnapshotTime -Context $ctx | Copy-AzStorageBlob -DestContainer $destContainerName -DestBlob $destBlobName -DestBlobType block -StandardBlobTier $destTier -DestContext $ctx

+ ```

+4. To copy a page blob snapshot to block blob, use the [az storage blob copy start](/cli/azure/storage/blob/copy#az-storage-blob-copy-start) command and set the `--destination-blob-type` parameter to `blockBlob` along with source page blob snapshot uri.

+ ```azurecli

+ srcPageblobSnapshotUri = '<source page blob snapshot uri>'

+ destcontainerName = '<destination container name>'

+ destblobName = '<destination block blob name>'

+ destTier = '<destination block blob tier>'

+ az storage blob copy start --account-name $accountName --destination-blob $destBlobName --destination-container $destcontainerName --destination-blob-type BlockBlob --source-uri $srcPageblobSnapshotUri --tier $destTier

+ ```

+This article shows how to create and manage container leases using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). You can use the client library to acquire, renew, release, and break container leases.

+## About container leases

+Lease operations are handled by the [BlobLeaseClient](/jav).

+When you acquire a container lease, you obtain a lease ID that your code can use to operate on the container. If the container already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/java/api/com.azure.storage.blob.specialized.blobleaseclient) class, and then use the following method:

+You can renew a container lease if the lease ID specified on the request matches the lease ID associated with the container. The lease can be renewed even if it has expired, as long as the container hasn't been leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew an existing lease, use the following method:

+You can release a container lease if the lease ID specified on the request matches the lease ID associated with the container. Releasing a lease allows another client to acquire a lease for the container immediately after the release is complete.

+You can release a lease by using the following method:

+You can break a container lease if the container has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease by using the following method:

+This article shows how to create and manage container leases using the [Azure Storage client library for Python](/python/api/overview/azure/storage). You can use the client library to acquire, renew, release and break container leases.

+## About container leases

+Lease operations are handled by the [BlobLeaseClient](/python/api/azure-storage-blob/azure.storage.blob.blobleaseclient) class, which provides a client containing all lease operations for blobs and containers. To learn more about blob leases using the client library, see [Create and manage blob leases with Python](storage-blob-lease-python.md).

+When you acquire a container lease, you obtain a lease ID that your code can use to operate on the container. If the container already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/python/api/azure-storage-blob/azure.storage.blob.blobleaseclient) class, and then use the following method:

+You can renew a container lease if the lease ID specified on the request matches the lease ID associated with the container. The lease can be renewed even if it has expired, as long as the container hasn't been leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew a lease, use the following method:

+You can release a container lease if the lease ID specified on the request matches the lease ID associated with the container. Releasing a lease allows another client to acquire a lease for the container immediately after the release is complete.

+You can release a lease by using the following method:

+You can break a container lease if the container has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease by using the following method:

+ Title: Create and manage container leases with .NET

+description: Learn how to manage a lock on a container in your Azure Storage account using the .NET client library.

+# Create and manage container leases with .NET

+This article shows how to create and manage container leases using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). You can use the client library to acquire, renew, release, and break container leases.

+## About container leases

+Lease operations are handled by the [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) class, which provides a client containing all lease operations for blobs and containers. To learn more about blob leases using the client library, see [Create and manage blob leases with .NET](storage-blob-lease.md).

+When you acquire a container lease, you obtain a lease ID that your code can use to operate on the container. If the container already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) class, and then use one of the following methods:

+The following example acquires a 30-second lease for a container:

+You can renew a container lease if the lease ID specified on the request matches the lease ID associated with the container. The lease can be renewed even if it has expired, as long as the container hasn't been leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew a lease, use one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+The following example renews a container lease:

+You can release a container lease if the lease ID specified on the request matches the lease ID associated with the container. Releasing a lease allows another client to acquire a lease for the container immediately after the release is complete.

+You can release a lease using one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+The following example releases a lease on a container:

+You can break a container lease if the container has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease using one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+- [BreakAsync](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.breakasync)

+The following example breaks a lease on a container:

+## Resources

+To learn more about managing container leases using the Azure Blob Storage client library for .NET, see the following resources.

+### REST API operations

+The Azure SDK for .NET contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar .NET paradigms. The client library methods for managing container leases use the following REST API operation:

+- [Lease Container](/rest/api/storageservices/lease-container)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/dotnet/BlobDevGuideBlobs/LeaseContainer.cs)

+### See also

+- [Managing Concurrency in Blob storage](concurrency-manage.md)

+This article shows how to create and manage blob leases using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). You can use the client library to acquire, renew, release, and break blob leases.

+## About blob leases

+Lease operations are handled by the [BlobLeaseClient](/jav).

+When you acquire a blob lease, you obtain a lease ID that your code can use to operate on the blob. If the blob already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/java/api/com.azure.storage.blob.specialized.blobleaseclient) class, and then use the following method:

+You can renew a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. The lease can be renewed even if it has expired, as long as the blob hasn't been modified or leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew an existing lease, use the following method:

+You can release a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. Releasing a lease allows another client to acquire a lease for the blob immediately after the release is complete.

+You can release a lease by using the following method:

+You can break a blob lease if the blob has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease by using the following method:

+This article shows how to create and manage blob leases using the [Azure Storage client library for Python](/python/api/overview/azure/storage). You can use the client library to acquire, renew, release, and break blob leases.

+## About blob leases

+Lease operations are handled by the [BlobLeaseClient](/python/api/azure-storage-blob/azure.storage.blob.blobleaseclient) class, which provides a client containing all lease operations for blobs and containers. To learn more about container leases using the client library, see [Create and manage container leases with Python](storage-blob-container-lease-python.md).

+When you acquire a blob lease, you obtain a lease ID that your code can use to operate on the blob. If the blob already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/python/api/azure-storage-blob/azure.storage.blob.blobleaseclient) class, and then use the following method:

+You can renew a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. The lease can be renewed even if it has expired, as long as the blob hasn't been modified or leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew a lease, use the following method:

+You can release a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. Releasing a lease allows another client to acquire a lease for the blob immediately after the release is complete.

+You can release a lease by using the following method:

+You can break a blob lease if the blob has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease by using the following method:

+ Title: Create and manage blob leases with .NET

+description: Learn how to manage a lock on a blob in your Azure Storage account using the .NET client library.

+ms.devlang: csharp

+# Create and manage blob leases with .NET

+This article shows how to create and manage blob leases using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). You can use the client library to acquire, renew, release, and break blob leases.

+## About blob leases

+Lease operations are handled by the [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) class, which provides a client containing all lease operations for blobs and containers. To learn more about container leases using the client library, see [Create and manage container leases with .NET](storage-blob-container-lease.md).

+## Acquire a lease

+When you acquire a blob lease, you obtain a lease ID that your code can use to operate on the blob. If the blob already has an active lease, you can only request a new lease by using the active lease ID. However, you can specify a new lease duration.

+To acquire a lease, create an instance of the [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) class, and then use one of the following methods:

+- [Acquire](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.acquire)

+- [AcquireAsync](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.acquireasync)

+The following example acquires a 30-second lease for a blob:

+## Renew a lease

+You can renew a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. The lease can be renewed even if it has expired, as long as the blob hasn't been modified or leased again since the expiration of that lease. When you renew a lease, the duration of the lease resets.

+To renew a lease, use one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+- [Renew](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.renew)

+- [RenewAsync](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.renewasync)

+The following example renews a lease for a blob:

+## Release a lease

+You can release a blob lease if the lease ID specified on the request matches the lease ID associated with the blob. Releasing a lease allows another client to acquire a lease for the blob immediately after the release is complete.

+You can release a lease using one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+- [Release](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.release)

+- [ReleaseAsync](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.releaseasync)

+The following example releases a lease on a blob:

+## Break a lease

+You can break a blob lease if the blob has an active lease. Any authorized request can break the lease; the request isn't required to specify a matching lease ID. A lease can't be renewed after it's broken, and breaking a lease prevents a new lease from being acquired for a period of time until the original lease expires or is released.

+You can break a lease using one of the following methods on a [BlobLeaseClient](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient) instance:

+- [Break](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.break)

+- [BreakAsync](/dotnet/api/azure.storage.blobs.specialized.blobleaseclient.breakasync)

+The following example breaks a lease on a blob:

+## Resources

+To learn more about managing blob leases using the Azure Blob Storage client library for .NET, see the following resources.

+### REST API operations

+The Azure SDK for .NET contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar .NET paradigms. The client library methods for managing blob leases use the following REST API operation:

+- [Lease Blob](/rest/api/storageservices/lease-blob)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/dotnet/BlobDevGuideBlobs/LeaseBlob.cs)

+### See also

+- [Managing Concurrency in Blob storage](concurrency-manage.md)

+For more information about how to locate and delete disk artifacts in classic storage accounts with PowerShell or Azure CLI, see one of the following articles:

+- [Migrate to Resource Manager with PowerShell](../../virtual-machines/migration-classic-resource-manager-ps.md#step-52-migrate-a-storage-account)

+- [Migrate VMs to Resource Manager using Azure CLI](../../virtual-machines/migration-classic-resource-manager-cli.md#step-5-migrate-a-storage-account)

+## Why is a migration required?

+On August 31, 2024, we'll retire classic Azure storage accounts and they'll no longer be accessible. Before that date, you'll need to migrate them to Azure Resource Manager, which provides the same capabilities as well as new features, including:

+- A management layer that simplifies deployment by enabling you to create, update, and delete resources.

+- Resource grouping, which allows you to deploy, monitor, manage, and apply access control policies to resources as a group.

+- All new features for Azure Storage are implemented for storage account in Azure Resource Manager deployments, so customers that are still using classic resources will no longer have access to new features and updates.

+On September 1, 2024, customers will no longer be able to connect to classic storage accounts by using Azure Service Manager. Any data still contained in these accounts will no longer be accessible through Azure Service Manager.

+Depending on when your subscription was created, you may no longer to be able to create classic storage accounts:

+- Subscriptions created after August 31, 2022 can no longer create classic storage accounts.

+- Subscriptions created before September 1, 2022 will be able to create classic storage accounts until September 1, 2023

+We recommend creating storage accounts only in Azure Resource Manager from this point forward.

+For step-by-step instructions, see [How to migrate your classic storage accounts to Azure Resource Manager](classic-account-migrate.md). For an in-depth overview of the migration process, see [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md).

+## FAQ

+### How do I migrate my classic storage accounts to Resource Manager?

+For step-by-step instructions for migrating your classic storage accounts, see [How to migrate your classic storage accounts to Azure Resource Manager](classic-account-migrate.md). For an in-depth overview of the migration process, see [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md).

+### At what point can classic storage accounts no longer be created?

+Subscriptions created after August 2022 are no longer be able to create classic storage accounts. Subscriptions created before August 2022 can continue to create and manage classic storage resources until the retirement date of August 31, 2024.

+### What happens to existing classic storage accounts after August 31, 2024?

+After August 31, 2024, you will no longer be able to access data in your classic storage accounts or manage them. It won't be possible to migrate a classic storage account after August 31, 2024.

+### Can Microsoft handle this migration for me?

+No, Microsoft cannot migrate a customer's storage account on their behalf. Customers must use the self-serve options listed above.

+### Will there be downtime when migrating my storage account from Classic to Resource Manager?

+There is no downtime to migrate a classic storage account to Resource Manager. However, there is downtime for other scenarios linked to classic virtual machine (VM) migration.

+### What operations are not available during the migration?

+Also, during the migration, management operations are not available on the storage account. Data operations can continue to be performed during the migration.

+If you are creating or managing container objects with the Azure Storage resource provider, note that those operations will be blocked while the migration is underway. For more information, see [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md).

+### Are storage account access keys regenerated as part of the migration?

+No, account access keys are not regenerated during the migration. Your access keys and connection strings will continue to work unchanged after the migration is complete.

+### Are Azure RBAC role assignments maintained through the migration?

+Any RBAC role assignments that are scoped to the classic storage account are maintained after the migration.

+### What type of storage account is created by the migration process?

+Your storage account will be a general-purpose v1 account after the migration process completes. You can then upgrade it to general-purpose v2. For more information about upgrading your account, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md).

+### Will the URL of my storage account remain the same post-migration?

+Yes, the migrated storage account will have the same name and address as the classic account.

+### Can additional verbose logging be added as part of the migration process?

+No, migration is a service that doesn't have capabilities to provide additional logging.

+The Validation step does not check for virtual machine (VM) disks that may be associated with the storage account. You must check your storage accounts manually to determine whether they support VM disks. For more information, see the following articles:

+- [How to migrate your classic storage accounts to Azure Resource Manager](classic-account-migrate.md)

+- [Migrate to Resource Manager with PowerShell](../../virtual-machines/migration-classic-resource-manager-ps.md#step-52-migrate-a-storage-account)

+- [Migrate VMs to Resource Manager using Azure CLI](../../virtual-machines/migration-classic-resource-manager-cli#step-5-migrate-a-storage-account.md

+| **Azure Active Directory** | `https://secure.aadcdn.microsoftonline-p.com` | `https://secure.aadcdn.microsoftonline-p.com`<br>(same as public cloud endpoint URL) | This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator. |

+ |Spark Version|The creation wizard integrates the proper version for Spark SDK and Scala SDK. Here you can choose the Spark version you need.|

+ - **Patch orchestration configuration of Azure virtual machines** ΓÇö all the Azure machines inventoried in the subscription are summarized by each update orchestration method. Values are:

+ - **Azure orchestrated**ΓÇöthis mode enables automatic VM guest patching for the Azure virtual machine. Subsequent patch installation is orchestrated by Azure.

+1. In **Basics** tab, select the **Maintenance scope** as *Guest (Azure VM, Arc-enabled VMs/servers)*.

+ :::image type="content" source="./media/scheduled-updates/create-maintenance-configuration.png" alt-text="Create Maintenance configuration.":::

+## Grouping using policy

+The update management center (preview) allows you to target a group of Azure or non-Azure VMs for update deployment via Azure Policy. The grouping using policy, keeps you from having to edit your deployment to update machines. You can use subscription, resource group, tags or regions to define the scope and use this feature for the built-in policies which you can customize as per your use-case.

+For Windows 11 and Windows 10 multi-session hosts, Intune supports both device-based configurations and user-based configurations on Windows 11 and Windows 10. User-scope configuration on Windows 10 requires the update March 2023 Cumulative Update Preview (KB5023773) and OS version 19042.2788, 19044.2788, 19045.2788 or later. To learn more about using Intune to manage multi-session hosts, see [Using Azure Virtual Desktop multi-session with Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session).

+## Version 1.0.6425.300

+This update was released at the beginning of April 2023 and includes the following changes:

+- General improvements and bug fixes.

+| Public | 1.2.4157 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370) |

+## Updates for version 1.2.4157

+*Date published: April 10, 2023*

+Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370)

+- Fixed the vulnerability known as [CVE-2023-28267](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28267).

+- Fixed an issue that generated duplicate Activity IDs for unique connections.

+Download: [Windows 64-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10DEa), [Windows 32-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10GYu), [Windows ARM64](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10GYw)

+## March 2023

+Here's what changed in March 2023:

+### Redesigned connection bar for the Windows Desktop client

+The latest version of the Windows Desktop client includes a redesigned connection bar. For more information, see [Updates for version 1.2.4155](whats-new-client-windows.md#updates-for-version-124157).

+### Shutdown session host status

+The Shutdown session host status is now available in the Azure Virtual Desktop portal and the most recent API version. For more information, see [Session host statuses and health checks](troubleshoot-statuses-checks.md#session-host-statuses).

+### Windows 10 and 11 22H2 images now visible in the image drop-down menu

+Windows 10 and 11 22H2 Enterprise and Enterprise multi-session images are now visible in the image dropdown when creating a new host pool or adding a VM in a host pool from the Azure Virtual Desktop portal.

+### Uniform Resource Identifier Schemes in public preview

+Uniform Resource Identifier (URI) schemes with the Remote Desktop client for Azure Virtual Desktop is now in public preview. This new feature lets you subscribe to a workspace or connect to a particular desktop or Remote App using URI schemes. URI schemes also provide fast and efficient end-user connection to Azure Virtual Desktop resources. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-the-public-preview-of-uniform-resource-identifier/ba-p/3763075).

+### Azure Virtual Desktop Insights at Scale now generally available

+Azure Virtual Desktop Insights at Scale is now generally available. This feature gives you the ability to review performance and diagnostic information in multiple host pools at the same time in a single view. If you're an existing Azure Virtual Desktop Insights user, you get this feature without having to do any extra configuration or setup. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-the-general-availability-of-azure-virtual-desktop/ba-p/3738624).

+1. In **Grace period (min)**, specify the grace period in minutes, allowed values are between 10 and 90 minutes.

+> [!NOTE]

+> Enable the [Application Health extension](./virtual-machine-scale-sets-health-extension.md) or [Load Balancer health probes](../load-balancer/load-balancer-custom-probe-overview.md) on your Virtual Machine Scale Sets before you start the next steps.

+2. Under **Settings** in the menu on the left, select **Health and repair**.

+3. Enable the **Monitor application health** option.

+If you're monitoring your scale set by using the Application Health extension:

+4. Choose **Application Health extension** from the Application Health monitor dropdown list.

+5. From the **Protocol** dropdown list, choose the network protocol used by your application to report health. Select the appropriate protocol based on your application requirements. Protocol options are **HTTP, HTTPS**, or **TCP**.

+6. In the **Port number** configuration box, type the network port used to monitor application health.

+7. For **Path**, provide the application endpoint path (for example, "/") used to report application health.

+> [!NOTE]

+> The Application Health extension will ping this path inside each virtual machine in the scale set to get application health status for each instance. If you're using [Binary Health States](./virtual-machine-scale-sets-health-extension.md#binary-health-states) and the endpoint responds with a status 200 (OK), then the instance is marked as "Healthy". In all the other cases (including if the endpoint is unreachable), the instance is marked "Unhealthy". For more health state options, explore [Rich Health States](./virtual-machine-scale-sets-health-extension.md#binary-versus-rich-health-states).

+If you're monitoring your scale set using SLB Health probes:

+8. Choose **Load balancer probe** from the Application Health monitor dropdown list.

+9. For the Load Balancer health probe, select an existing health probe or create a new health probe for monitoring.

+To enable automatic repairs:

+10. Locate the **Automatic repair policy** section. Automatic repairs can be used to delete unhealthy instances from the scale set and create new ones to replace them.

+11. Turn **On** the **Automatic repairs** option.

+12. In **Grace period (min)**, specify the grace period in minutes. Allowed values are between 10 and 90 minutes.

+6. When you're done, select **Save**.

+### ARM templates

+The following example describes how to set automatic OS upgrades on a scale set model via Azure Resource Manager templates (ARM templates):

+```json

+"properties": {

+ "upgradePolicy": {

+ "mode": "Automatic",

+ "RollingUpgradePolicy": {

+ "BatchInstancePercent": 20,

+ "MaxUnhealthyInstancePercent": 25,

+ "MaxUnhealthyUpgradedInstancePercent": 25,

+ "PauseTimeBetweenBatches": "PT0S"

+ "automaticOSUpgradePolicy": {

+ "enableAutomaticOSUpgrade": true,

+ "useRollingUpgradePolicy": true,

+ "disableAutomaticRollback": false

+ }

+ }

+"imagePublisher": {

+ "type": "string",

+ "defaultValue": "MicrosoftWindowsServer"

+ },

+ "imageOffer": {

+ "type": "string",

+ "defaultValue": "WindowsServer"

+ },

+ "imageSku": {

+ "type": "string",

+ "defaultValue": "2022-datacenter"

+ },

+ "imageOSVersion": {

+ "type": "string",

+ "defaultValue": "latest"

+ }

+}

+```

+### Bicep

+The following example describes how to set automatic OS upgrades on a scale set model via Bicep:

+```json

+properties:ΓÇ»{

+    overprovision: overProvision

+    upgradePolicy: {

+      mode: 'Automatic'

+      automaticOSUpgradePolicy: {

+        enableAutomaticOSUpgrade: true

+      }

+    }

+```

+Update-AzVmssInstance -ResourceGroupName $vmScaleSetResourceGroup `

+Update-AzVmssInstance -ResourceGroupName $vmScaleSetResourceGroup `

+| Proximity Placement Groups  | Yes, when using one Availability Zone or none. Cannot be changed after deployment. Read [Proximity Placement Groups documentation](../virtual-machine-scale-sets/proximity-placement-groups.md) | Yes, when using one Availability Zone or none. Can be changed after deployment stopping all instances. Read [Proximity Placement Groups documentation](../virtual-machine-scale-sets/proximity-placement-groups.md) | Yes |

+> We do not support custom answer file in the sysprep step, hence you should not use the "/unattend:_answerfile_" switch with your sysprep command.

+>

+> Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the **DVD-ROM must be enabled in the OS in the generalized image**. If it is disabled, the Windows VM will be stuck at out-of-box experience (OOBE).

+4. Verify if CD/DVD-ROM is enabled.If it is disabled, the Windows VM will be stuck at out-of-box experience (OOBE).

+```

+ Registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom\start (Value 4 = disabled, expected value 1 = automatic) Make sure it is set to 1.

+ ```

+> [!NOTE]

+ > Verify if any policies applied restricting removable storage access (example: Computer configuration\Administrative Templates\System\Removable Storage Access\All Removable Storage classes: Deny all access)

+### Getting the most from name resolution that Azure provides\

+# [Ubuntu](#tab/ubuntu)

+1. Install the dnsmasq package:

+```bash

+sudo apt-get install dnsmasq

+```

+2. Enable the dnsmasq service:

+```bash

+sudo systemctl enable dnsmasq.service

+```

+3. Start the dnsmasq service:

+```bash

+sudo systemctl start dnsmasq.service

+```

+# [SUSE](#tab/sles)

+1. Install the dnsmasq package:

+```bash

+sudo zypper install dnsmasq

+```

+2. Enable the dnsmasq service:

+```bash

+sudo systemctl enable dnsmasq.service

+```

+3. Start the dnsmasq service:

+```bash

+sudo systemctl start dnsmasq.service

+```

+4. Edit `/etc/sysconfig/network/config` file using a text editor, and change `NETCONFIG_DNS_FORWARDER=""` to `dnsmasq`.

+5. Update `/etc/resolv.conf` to set the cache as the local DNS resolver.

+```bash

+sudo netconfig update

+```

+# [CentOS/RHEL](#tab/rhel)

+1. Install the dnsmasq package:

+```bash

+sudo yum install dnsmasq -y

+```

+2. Enable the dnsmasq service:

+```bash

+sudo systemctl enable dnsmasq.service

+```

+3. Start the dnsmasq service:

+```bash

+sudo systemctl start dnsmasq.service

+```

+4. Add `prepend domain-name-servers 127.0.0.1;` to `/etc/dhcp/dhclient.conf`.

+```bash

+sudo echo "prepend domain-name-servers 127.0.0.1;" >> /etc/dhcp/dhclient.conf

+```

+5. Restart the network service to set the cache as the local DNS resolver

+```bash

+sudo systemctl restart NetworkManager

+```

+> The `dnsmasq` package is only one of the many DNS caches that are available for Linux. Before you use it, check its suitability for your needs and that no other cache is installed.

+```bash

+sudo cat /etc/resolv.conf

+```

+The `/etc/resolv.conf` file is auto-generated and should not be edited. The specific steps that add the 'options' line vary by distribution:

+1. Add the options line to `/etc/resolvconf/resolv.conf.d/head` file.

+2. Run `sudo resolvconf -u` to update.

+1. Add `timeout:1 attempts:5` to the `NETCONFIG_DNS_RESOLVER_OPTIONS=""` parameter in `/etc/sysconfig/network/config`.

+2. Run `sudo netconfig update` to update.

+1. Add `RES_OPTIONS="timeout:1 attempts:5"` to `/etc/sysconfig/network`.

+2. Run `systemctl restart NetworkManager` to update.

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+To build images, you create a template as a JSON file. In the template, you define builders and provisioners that carry out the actual build process. Packer has a [provisioner for Azure](https://developer.hashicorp.com/packer/plugins/builders/azure) that allows you to define Azure resources, such as the service principal credentials created in the preceding step.

+ "image_sku": "20.04-LTS",

+> [!NOTE]

+> Replace the `image_publisher`, `image_offer`, `image_sku` values and `inline` commands accordingly.

+ image_sku = "20.04-LTS"

+sudo ./packer build ubuntu.json

+sudo packer build ubuntu.pkr.hcl

+```azurecli-interactive

+```azurecli-interactive

+| Create a Linux VM | `az vm create --resource-group myResourceGroup --name myVM --image LinuxImageName` |

+```azurecli-interactive

+>

+```azurecli-interactive

+#### For Ubuntu 18.04+

+sudo apt -y remove walinuxagent

+#### For Redhat 7.X, 8.X and 9.X

+sudo yum -y remove WALinuxAgent

+#### For SUSE 12.X, 15.X

+sudo zypper --non-interactive remove python-azure-agent

+> [!IMPORTANT]

+#### For Ubuntu 18.04+

+sudo pt -y purge walinuxagent

+sudo cp -rp /var/lib/waagent /var/lib/waagent.bkp

+sudo rm -rf /var/lib/waagent

+sudo rm -f /var/log/waagent.log

+#### For Redhat 7.X, 8.X, 9.X

+sudo yum -y remove WALinuxAgent

+sudo rm -f /etc/waagent.conf.rpmsave

+sudo rm -rf /var/lib/waagent

+sudo rm -f /var/log/waagent.log

+#### For SUSE 12.X, 15.X

+sudo zypper --non-interactive remove python-azure-agent

+sudo rm -f /etc/waagent.conf.rpmsave

+sudo rm -rf /var/lib/waagent

+sudo rm -f /var/log/waagent.log

+sudo cloud-init clean --logs --seed

+* Remove all existing ssh host keys

+ sudo rm /etc/ssh/ssh_host_*key*

+* Delete the admin account

+ sudo touch /var/run/utmp

+ sudo userdel -f -r <admin_user_account>

+* Delete the root password

+ sudo passwd -d root

+### Create a regular managed image

+```azurecli-interactive

+### Create an image version in a Azure Compute Gallery

+```azurecli-interactive

+> [!NOTE]

+>

+```azurecli-interactive

+ - Ubuntu 18.04 or later

+- Azure Disk Encryption versions:

+- Experience using */dev/disk/scsi1/* paths for data disks on Azure. For more information, see [Troubleshoot Linux VM device name problems](/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems).

+- Traditional LVM encryption

+- LVM-on-crypt

+### Traditional LVM encryption

+### LVM-on-crypt

+By using LVM-on-crypt, you can:

+ sudo vgs

+ sudo vgdisplay vgname

+ sudo lsblk

+ sudo lvdisplay lvname

+ sudo lvextend -r -L +2G /dev/vgname/lvname

+sudo lvdisplay lvname

+ sudo pvs

+ sudo vgs

+ sudo ls -l /dev/disk/azure/scsi1/

+5. Check the output of `lsblk`:

+ sudo lsbk

+ sudo ls -l /dev/disk/azure/scsi1/

+ sudo lsbk

+ sudo pvcreate /dev/newdisk

+ sudo pvs

+ sudo vgextend vgname /dev/newdisk

+ sudo vgs

+ sudo lsblk

+ sudo lvextend -r -L +2G /dev/vgname/lvname

+ ```azurecliazurecli-interactive

+ sudo umount /mountpoint

+ sudo cryptsetup luksClose /dev/vgname/lvname

+ sudo lvremove /dev/vgname/lvname

+ sudo ls -l /dev/disk/azure/scsi1/

+ sudo lsblk -fs

+ sudo pvs

+ sudo vgs

+ sudo vgdisplay -v vgname

+ for disk in `sudo ls -l /dev/disk/azure/scsi1/* | awk -F/ '{print $NF}'` ; do echo "sudo fdisk -l /dev/${disk} | grep ^Disk "; done | bash

+ sudo lsblk -o "NAME,SIZE"

+ sudo lvdisplay --maps VG/LV

+ sudo lvdisplay --maps datavg/datalv1

+ for disk in `sudo ls -l /dev/disk/azure/scsi1/* | awk -F/ '{print $NF}'` ; do echo "sudo fdisk -l /dev/${disk} | grep ^Disk "; done | bash

+ sudo lsblk -o "NAME,SIZE"

+ sudo pvdisplay /dev/resizeddisk

+ sudo pvresize /dev/resizeddisk

+ sudo pvdisplay /dev/resizeddisk

+ sudo vgdisplay vgname

+ sudo lvresize -r -L +5G vgname/lvname

+ sudo lvresize -r -l +100%FREE /dev/datavg/datalv01

+ sudo vgdisplay vgname

+ sudo lvdisplay /dev/vgname/lvname

+ sudo fdisk -l | egrep ^"Disk /"

+ sudo lsblk

+ sudo fdisk -l | egrep ^"Disk /"

+ sudo lsblk

+ sudo ls -la /dev/disk/azure/scsi1/

+ sudo mkfs.ext4 /dev/disk/azure/scsi1/${disk}

+ sudo mkdir ${newmount}

+ sudo blkid /dev/disk/azure/scsi1/lun4| awk -F\" '{print "UUID="$2" '${newmount}' "$4" defaults,nofail 0 0"}' >> /etc/fstab

+ sudo mount -a

+ sudo lsblk

+ ```azurecli-interactive

+ sudo lsblk

+ sudo umount ${newmount}

+ sudo pvs

+ sudo pvcreate /dev/mapper/mapperdevicename

+ sudo pvs

+ sudo vgextend vgname /dev/mapper/nameofhenewpv

+ sudo vgdisplay vgname

+ sudo lvextend -r -l +100%FREE /dev/vgname/lvname

+ sudo lvdisplay /dev/vgname/lvname

+ df -h /mountpoint

+ sudo lsblk

+ sudo lsblk -fs

+ sudo lsblk

+ sudo lsblk -s

+ sudo pvs

+ sudo vgs

+ sudo lvs

+ sudo fdisk

+ sudo fdisk -l | egrep ^"Disk /"

+ sudo lsblk

+ sudo fdisk

+ sudo fdisk -l | egrep ^"Disk /"

+ sudo lsblk

+ sudo pvdisplay /dev/mapper/devicemappername

+ sudo pvresize /dev/mapper/devicemappername

+ sudo pvdisplay /dev/mapper/devicemappername

+ sudo cryptsetup resize /dev/mapper/devicemappername

+ sudo vgdisplay vgname

+ sudo lvdisplay vgname/lvname

+ sudo lvresize -r -L +2G /dev/vgname/lvname

+ sudo lvdisplay vgname/lvname

+[Troubleshoot Azure Disk Encryption](disk-encryption-troubleshooting.md)

+```azurepowershell-interactive

+```azurepowershell-interactive

+```azurepowershell-interactive

+```azurepowershell-interactive

+```azurepowershell-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+Store the container name on a variable:

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+sudo lsblk

+sudo lsblk -o NAME,TYPE,FSTYPE,LABEL,SIZE,RO,MOUNTPOINT

+sudo cryptsetup luksDump /dev/VGNAME/LVNAME

+sudo cryptsetup luksDump /dev/sdd1

+sudo dmsetup ls --target crypt

+The `WindowsUpdate` customizer is built on the [community Windows Update Provisioner](https://developer.hashicorp.com/packer/docs/provisioners/community-supported) for Packer, which is an open source project maintained by the Packer community. Microsoft tests and validate the provisioner with the Image Builder service, and will support investigating issues with it, and work to resolve issues, however the open source project isn't officially supported by Microsoft. For detailed documentation on and help with the Windows Update Provisioner, see the project repository.

+```azurepowershell-interactive

+```azurecli-interactive

+```output

+```azurepowershell-interactive

+```azurecli-interactive

+```azurepowershell-interactive

+```azurecli-interactive

+## Set variables and permissions

+```azurecli-interactive

+ ```

+ --maintenance-window-time-zone "Pacific Standard Time"

+ --maintenance-window-time-zone "Pacific Standard Time"

+ --location eastus \

+ --maintenance-window-duration "02:00" \

+ --maintenance-window-recur-every "20days" \

+ --maintenance-window-start-date-time "2022-12-30 07:00" \

+ --maintenance-window-time-zone "Pacific Standard Time" \

+ --install-patches-linux-parameters package-name-masks-to-exclude="ppt" package-name-masks-to-include="apt" classifications-to-include="Other" \

+ --install-patches-windows-parameters kb-numbers-to-exclude="KB123456" kb-numbers-to-include="KB123456" classifications-to-include="FeaturePack" \

+ --reboot-setting "IfRequired" \

+ --resource-parent-type hostGroups \

+```azurecli-interactive

+**Applies to:** :heavy_check_mark: Windows VMs

+```

+> [!NOTE]

+> [!NOTE]

+ "sku": "20.04.2-LTS",

+> [!NOTE]

+> Modify `publisher`, `offer`, `sku` and `version` values accordingly.

+1. Select **+ Create a resource** and search for **Network Manager**. 1. Select **Network Manager > Create** to begin setting up Azure Virtual Network Manager.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-manager-basics-thumbnail.png" alt-text="Screenshot of Create a network manager Basics page." lightbox="./media/create-virtual-network-manager-portal/network-manager-basics-thumbnail.png":::

+ | Resource group | Select **Create new** and enter **rg-learn-eastus-001**.

+ | Name | Enter **vnm-learn-eastus-001**. |

+ | Region | Enter **eastus** or a region of your choosing. Azure Virtual Network Manager can manage virtual networks in any region. The region selected is for where the Virtual Network Manager instance will be deployed. |

+ | Scope and features | |

+ | [Scope](concept-network-manager-scope.md#scope) | Select **Select scopes** and choose your subscription.</br> Select **Add to selected scope > Select**. </br> *Scope* is used to define the resources which Azure Virtual Network Manager can manage. You can choose subscriptions and management groups.

+ | [Features](concept-network-manager-scope.md#features) | Select **Connectivity** and **Security Admin** from the dropdown list. </br> *Connectivity* - Enables the ability to create a full mesh or hub and spoke network topology between virtual networks within the scope. </br> *Security Admin* - Enables the ability to create global network security rules. |

+Create three virtual networks using the portal. Each virtual network has a tag of networkType used for dynamic membership. If you have existing virtual networks for your mesh configuration, you'll need to add tags listed in the table to your virtual networks and skip to the next section.

+1. From the **Home** screen, select **+ Create a resource** and search for **Virtual networks**. Then select **Create** to begin configuring the virtual network.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/create-vnet-basic.png" alt-text="Screenshot of create a virtual network basics page.":::

+ | Resource group | Select **rg-learn-eastus-001**.

+ | Name | Enter a **vnet-learn-prod-eastus-001** for the virtual network name. |

+ | Region | Select **(US) East US**. |

+1. Select **Next** or the **IP addresses** tab and configure the following network address spaces:

+ :::image type="content" source="./media/create-virtual-network-manager-portal/create-vnet-ip.png" alt-text="Screenshot of create a virtual network IP addresses page." lightbox="./media/create-virtual-network-manager-portal/create-vnet-ip.png":::

+ | Resource group | Select the **rg-learn-eastus-001**. |

+ | Name | Enter **vnet-learn-prod-eastus-002** and **vnet-learn-test-eastus-003** for each additional virtual network. |

+ | Region | Select **(US) East US** |

+ | vnet-learn-prod-eastus-002 IP addresses | IPv4 address space: 10.1.0.0/16 </br> Subnet name: default </br> Subnet address space: 10.1.0.0/24|

+ | vnet-learn-test-eastus-003 IP addresses | IPv4 address space: 10.2.0.0/16 </br> Subnet name: default </br> Subnet address space: 10.2.0.0/24|

+1. Browse to **rg-learn-eastus-001** resource group, and select the **vnm-learn-eastus-001** virtual network manager instance.

+1. Select **Network Groups** under **Settings**, then select **+ Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-network-group-2.png" alt-text="Screenshot of add a network group.":::

+1. On the **Create a network group** page, enter **ng-learn-prod-eastus-001** and Select **Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/create-network-group.png" alt-text="Screenshot of create a network group page." lightbox="./media/create-virtual-network-manager-portal/create-network-group.png":::

+1. The new network group is now listed on the **Network Groups** page.

+## Define membership for connectivity configuration

+Once your network group is created, you add virtual networks as members. Choose one of the options: *[Manually add membership](#manually-add-membership)* or *[Create policy to dynamically add members](#create-azure-policy-for-dynamic-membership)* with Azure Policy. Choose one of the options for your mesh membership configuration:

+# [Manual membership](#tab/manualmembership)

+In this task, you manually add two virtual networks for your Mesh configuration to your network group using these steps:

+1. From the list of network groups, select **ng-learn-prod-eastus-001** and select **Add virtual networks** under *Manually add members* on the *ng-learn-prod-eastus-001* page.

+1. On the **Manually add members** page, select **vnet-learn-prod-eastus-001** and **vnet-learn-prod-eastus-002**, and select **Add**.

+ :::image type="content" source="media/create-virtual-network-manager-portal/group-members-list.png" alt-text="Screenshot of group membership under Group Membership." lightbox="media/create-virtual-network-manager-portal/group-members-list.png":::

+# [Azure Policy](#tab/azurepolicy)

+Using [Azure Policy](concept-azure-policy-integration.md), you define a condition to dynamically add two virtual networks to your network group when the name of the virtual network includes **prod** using these steps:

+1. From the list of network groups, select **ng-learn-prod-eastus-001** and select **Create azure policy** under *Create policy to dynamically add members*.

+1. On the **Create azure policy** page, select or enter the following information:

+ | Policy name | Enter **azpol-learn-prod-eastus-001** in the text box. |

+ | Parameter | Select **Name** from the drop-down.|

+ | Operator | Select **Contains** from the drop-down.|

+ | Condition | Enter **-prod** for the condition in the text box. |

+1. Select **Preview resources** to view the **Effective virtual networks** page and select **Close**. This page shows the virtual networks that will be added to the network group based on the conditions defined in Azure Policy.

+ :::image type="content" source="media/create-virtual-network-manager-portal/effective-virtual-networks.png" alt-text="Screenshot of effective virtual networks page.":::

+1. On the **Network Group** page under **Settings**, select **Group Members** to view the membership of the group based on the conditions defined in Azure Policy. You'll note the **Source** is listed as **azpol-learn-prod-eastus-001 - subscriptions/subscription_id**.

+ :::image type="content" source="media/create-virtual-network-manager-portal/group-members-list.png" alt-text="Screenshot of group membership under Group Membership." lightbox="media/create-virtual-network-manager-portal/group-members-list.png":::

+Now that the Network Group is created, and has the correct VNets, create a mesh network topology configuration. Replace **<subscription_id>** with your subscription and follow these steps:

+ | Name | Enter **cc-learn-prod-eastus-001**. |

+1. Select **+ Add > Add network group** and select **ng-learn-prod-eastus-001** under **Network Groups**. Choose **Select** to add the network group to the configuration.

+1. Select the **Visualization** tab to view the topology of the configuration. This tab shows you a visual representation of the network group you added to the configuration.

+1. Once the deployment completes, select **Refresh**, and you see the new connectivity configuration added to the **Configurations** page.

+ | Configurations | Select **Include connectivity configurations in your goal state** . |

+ | Connectivity configurations | Select **cc-learn-prod-eastus-001**. |

+ | Target regions | Select **East US** as the deployment region. |

+1. The deployment will display in the list for the selected region. The deployment of the configuration can take a few minutes to complete.

+Use the **Network Manager** section for each virtual network to verify whether configuration was deployed in these steps:

+1. Go to **vnet-learn-prod-eastus-001** virtual network and select **Network Manager** under **Settings**. Verify that **cc-learn-prod-eastus-001** is listed under **Connectivity Configurations** tab.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/vnet-configuration-association.png" alt-text="Screenshot of connectivity configuration associated with vnet-learn-prod-eastus-001 virtual network." lightbox="./media/create-virtual-network-manager-portal/vnet-configuration-association.png":::

+1. Repeat the previous step on **vnet-learn-prod-eastus-002**.

+If you no longer need Azure Virtual Network Manager, the following steps will remove all configurations, network groups, and Virtual Network Manager.

+> [!NOTE]

+> Before you can remove Azure Virtual Network Manager, you must remove all deployments, configurations, and network groups.

+ | Target regions | Select **East US** as the deployed region. |

+1. To delete a configuration, select **Configurations** under **Settings** from the left pane of Azure Virtual Network Manager. Select the checkbox next to the configuration you want to remove and then select **Delete** at the top of the resource page.

+1. On the **Delete a configuration** page, select the following options:

+ :::image type="content" source="./media/create-virtual-network-manager-portal/configuration-delete-options.png" alt-text="Screenshot of configuration to be deleted option selection.":::

+ | Setting | Value |

+ | - | -- |

+ | Delete option | Select **Force delete the resource and all dependent resources**. |

+ | Confirm deletion | Enter the name of the configuration. In this example, it's **cc-learn-prod-eastus-001**. |

+1. To delete a network group, select **Network Groups** under **Settings** from the left pane of Azure Virtual Network Manager. Select the checkbox next to the network group you want to remove and then select **Delete** at the top of the resource page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-group-delete-options.png" alt-text="Screenshot of Network group to be deleted option selection." lightbox="./media/create-virtual-network-manager-portal/network-group-delete-options.png":::

+ | Confirm deletion | Enter the name of the network group. In this example, it's **ng-learn-prod-eastus-001**. |

+ | Confirm deletion | Enter the name of the network manager. In this example, it's **vnm-learn-eastus-001**. |

+1. To delete the resource group and virtual networks, locate **rg-learn-eastus-001** and select the **Delete resource group**. Confirm that you want to delete by entering **rg-learn-eastus-001** in the textbox, then select **Delete**

+ kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/azure-npm.yaml

+ kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml

+- [Deploy the plug-in](deploy-container-networking.md) for Kubernetes clusters or Docker containers.

+[Azure Private Link](../private-link/private-link-overview.md) is a technology that allows you to connect Azure Platform-as-a-Service offerings using private IP address connectivity by exposing [Private Endpoints](../private-link/private-endpoint-overview.md). With Azure Virtual WAN, you can deploy a Private Endpoint in one of the virtual networks connected to any virtual hub. This private link provides connectivity to any other virtual network or branch connected to the same Virtual WAN.

+The steps in this article assume that you've already deployed a virtual WAN with one or more hubs and at least two virtual networks connected to Virtual WAN.

+You can create a private link endpoint for many different services. In this example, we're using Azure SQL Database. You can find more information about how to create a private endpoint for an Azure SQL Database in [Quickstart: Create a Private Endpoint using the Azure portal](../private-link/create-private-endpoint-portal.md). The following image shows the network configuration of the Azure SQL Database:

+Clicking on the private endpoint we've created, you should see its private IP address and its Fully Qualified Domain Name (FQDN). The private endpoint should have an IP address in the range of the VNet where it has been deployed (10.1.3.0/24):

+In this example, we verify connectivity to the Azure SQL Database from a Linux virtual machine with the MS SQL tools installed. The first step is verifying that DNS resolution works and the Azure SQL Database Fully Qualified Domain Name is resolved to a private IP address, in the same VNet where the Private Endpoint has been deployed (10.1.3.0/24):

+nslookup wantest.database.windows.net

+```

+```output

+As you can see in the previous output, the FQDN `wantest.database.windows.net` is mapped to `wantest.privatelink.database.windows.net`, that the private DNS zone created along the private endpoint will resolve to the private IP address `10.1.3.228`. Looking into the private DNS zone will confirm that there's an A record for the private endpoint mapped to the private IP address:

+query="SELECT CONVERT(char(15), CONNECTIONPROPERTY('client_net_address'));"

+sqlcmd -S wantest.database.windows.net -U $username -P $password -Q "$query"

+```

+```output

+As you can see, we're using a special SQL query that gives us the source IP address that the SQL server sees from the client. In this case the server sees the client with its private IP (`10.1.3.75`), which means that the traffic goes from the VNet straight into the private endpoint.

+Set the variables `username` and `password` to match the credentials defined in the Azure SQL Database to make the examples in this guide work.

+In this example we're connecting from a different VNet. First attach the private DNS zone to the new VNet so that its workloads can resolve the Azure SQL Database Fully Qualified Domain Name to the private IP address. This is done through linking the private DNS zone to the new VNet:

+nslookup wantest.database.windows.net

+```

+```output

+As you can see, there's a route pointing to the VNet 10.1.3.0/24 injected by the Virtual Network Gateways in Azure Virtual WAN. Now we can finally test connectivity to the database:

+query="SELECT CONVERT(char(15), CONNECTIONPROPERTY('client_net_address'));"

+sqlcmd -S wantest.database.windows.net -U $username -P $password -Q "$query"

+```

+```output

+With this example, we've seen how creating a private endpoint in one of the VNets attached to a Virtual WAN provides connectivity to the rest of VNets and branches in the Virtual WAN.

+## <a name="s2smulti"></a>Site-to-site VPN

+A Site-to-site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. A S2S connection requires a VPN device located on-premises that has a public IP address assigned to it. For information about selecting a VPN device, see the [VPN Gateway FAQ - VPN devices](vpn-gateway-vpn-faq.md#s2s).

+## <a name="P2S"></a>Point-to-site VPN

+A point-to-site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

+Unlike S2S connections, P2S connections don't require an on-premises public-facing IP address or a VPN device. P2S connections can be used with S2S connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible. For more information about point-to-site connections, see [About point-to-site VPN](point-to-site-about.md).

+You may be able to use VNet peering to create your connection, as long as your virtual network meets certain requirements. VNet peering doesn't use a virtual network gateway. For more information, see [VNet peering](../virtual-network/virtual-network-peering-overview.md).

+## <a name="coexisting"></a>Site-to-site and ExpressRoute coexisting connections

+[ExpressRoute](../expressroute/expressroute-introduction.md) is a direct, private connection from your WAN (not over the public Internet) to Microsoft Services, including Azure. Site-to-site VPN traffic travels encrypted over the public Internet. Being able to configure site-to-site VPN and ExpressRoute connections for the same virtual network has several advantages.

+You can configure a site-to-site VPN as a secure failover path for ExpressRoute, or use site-to-site VPNs to connect to sites that aren't part of your network, but that are connected through ExpressRoute. Notice that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn', and the other using the gateway type 'ExpressRoute'.

+* The public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the public IP address of your VPN gateway using the Azure portal, go to **Virtual network gateways**, then select the name of your gateway.

+| Sophos | XG Next Gen Firewall | XG v17 | Not tested | [Configuration guide](https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/118402/sophos-xg-firewall-v17-x-how-to-establish-a-site-to-site-ipsec-vpn-to-microsoft-azure)<br><br>[Configuration guide - Multiple SAs](https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/118404/sophos-firewall-configure-a-site-to-site-ipsec-vpn-with-multiple-sas-to-a-route-based-azure-vpn-gateway) |

+ Title: 'Connect your on-premises network to an Azure VNet: site-to-site VPN: PowerShell'

+description: Learn how to create a site-to-site VPN Gateway connection between your on-premises network and an Azure VNet using PowerShell.

+# Create a VNet with a site-to-site VPN connection using PowerShell

+This article shows you how to use PowerShell to create a site-to-site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md). You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

+A site-to-site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see [About VPN gateway](vpn-gateway-about-vpngateways.md).

+* If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.

+1. Create the VNet.

+1. Create the gateway subnet.

+1. Set the configuration.

+The local network gateway (LNG) typically refers to your on-premises location. It isn't the same as a virtual network gateway. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

+## <a name="PublicIP"></a>3. Request a public IP address

+A VPN gateway must have a public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

+Request a public IP address for your virtual network VPN gateway.

+Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following items:

+* A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.

+* The public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the public IP address of your virtual network gateway using PowerShell, use the following example. In this example, VNet1GWPIP is the name of the public IP address resource that you created in an earlier step.

+Next, create the site-to-site VPN connection between your virtual network gateway and your VPN device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. Notice that the '-ConnectionType' for site-to-site is **IPsec**.

+1. Create the connection.

+* For information about creating a site-to-site VPN connection using Azure Resource Manager template, see [Create a site-to-site VPN Connection](https://azure.microsoft.com/resources/templates/site-to-site-vpn-create/).

+ Title: 'Add multiple VPN Gateway site-to-site connections to a VNet: Azure portal'

+description: Learn how to add additional site-to-site connections to a VPN gateway.

+This article helps you add additional site-to-site (S2S) connections to a VPN gateway that has an existing connection. This architecture is often referred to as a "multi-site" configuration. You can add a S2S connection to a VNet that already has a S2S connection, point-to-site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the [Prerequisites](#before) section in this article to verify before you start your configuration.

+**About ExpressRoute/site-to-site coexisting connections**

+* You can use the steps in this article to add a new VPN connection to an already existing ExpressRoute/site-to-site coexisting connection.

+* You can't use the steps in this article to configure a new ExpressRoute/site-to-site coexisting connection. To create a new coexisting connection see: [ExpressRoute/S2S coexisting connections](../expressroute/expressroute-howto-coexist-resource-manager.md).

+* You're NOT configuring a new coexisting ExpressRoute and VPN Gateway site-to-site connection.

+ * **Name:** The name you want to give to the site you're creating the connection to.

+This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. Point-to-site VPN connections are useful when you want to connect to your VNet from a remote location, such when you're telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-site connections don't require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2.

+We use variables for this article so that you can easily change the values to apply to your own environment without having to change the examples themselves. Declare the variables that you want to use. You can use the following sample, substituting the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables.

+ In this example, the -DnsServer server parameter is optional. Specifying a value doesn't create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you're connecting to from your VNet. This example uses a private IP address, but it's likely that this isn't the IP address of your DNS server. Be sure to use your own values. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

+1. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports *Dynamic* Public IP address allocation. You can't request a Static Public IP address assignment. However, it doesn't mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

+* The -VpnClientProtocol is used to specify the types of tunnels that you would like to enable. The tunnel options are **OpenVPN, SSTP**, and **IKEv2**. You can choose to enable one of them or any supported combination. If you want to enable multiple types, then specify the names separated by a comma. OpenVPN and SSTP can't be enabled together. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and macOS will use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and if that doesnΓÇÖt connect, they fall back to SSTP. You can use the OpenVPN client to connect to OpenVPN tunnel type.

+* The virtual network gateway 'Basic' SKU doesn't support IKEv2, OpenVPN, or RADIUS authentication. If you're planning on having Mac clients connect to your virtual network, don't use the Basic SKU.

+After the VPN gateway finishes creating, you can add the VPN client address pool. The VPN client address pool is the range from which the VPN clients receive an IP address when connecting. Use a private IP address range that doesn't overlap with the on-premises location that you connect from, or with the VNet that you want to connect to.

+If you use self-signed certificates, they must be created using specific parameters. You can create a self-signed certificate using the instructions for [PowerShell and Windows 10 or later](vpn-gateway-certificates-point-to-site.md), or, if you don't have Windows 10 or later, you can use [MakeCert](vpn-gateway-certificates-point-to-site-makecert.md). It's important that you follow the steps in the instructions when generating self-signed root certificates and client certificates. Otherwise, the certificates you generate won't be compatible with P2S connections and you receive a connection error.

+1. After you create client certificate, [export](vpn-gateway-certificates-point-to-site.md#clientexport) it. You'll distribute the client certificate to the client computers that will connect.

+1. Upload the public key information to Azure. Once the certificate information is uploaded, Azure considers it to be a trusted root certificate. When uploading, make sure you're running PowerShell locally on your computer, or instead, you can use the [Azure portal steps](vpn-gateway-howto-point-to-site-resource-manager-portal.md#uploadfile). You can't upload using Azure Cloud Shell.

+* Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you're connecting. If the IP address is within the address range of the VNet that you're connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.

+1. Copy the information to a text editor and remove all spaces so that it's a continuous string. This string is declared as a variable in the next step.

+ Title: ' Connect an on-premises network and a virtual network: S2S VPN: CLI'

+description: Learn how to create a site-to-site VPN Gateway IPsec connection between your on-premises network to a VNet using Azure CLI.

+# Create a virtual network with a site-to-site VPN connection using CLI

+This article shows you how to use the Azure CLI to create a site-to-site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md). You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:<br>

+A site-to-site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see [About VPN gateway](vpn-gateway-about-vpngateways.md).

+* If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.

+VnetName = VNet1 

+AddressSpace = 10.1.0.0/16 

+SubnetName = Frontend

+Subnet = 10.1.0.0/24 

+GatewaySubnet = 10.1.255.0/27 

+LocalNetworkGatewayName = Site1

+LNG Public IP = <On-premises VPN device IP address>

+If you choose to run CLI locally, connect to your subscription. If you're using Azure Cloud Shell in the browser, you don't need to connect to your subscription. You'll connect automatically in Azure Cloud Shell. However, you may want to verify that you're using the correct subscription after you connect.

+az group create --name TestRG --location eastus

+The following example creates a virtual network named 'VNet1' and a subnet, 'Subnet1'.

+az network vnet create --name VNet1 --resource-group TestRG1 --address-prefix 10.1.0.0/16 --location eastus --subnet-name Subnet1 --subnet-prefix 10.1.0.0/24

+az network vnet subnet create --address-prefix 10.1.255.0/27 --name GatewaySubnet --resource-group TestRG1 --vnet-name VNet1

+## <a name="PublicIP"></a>6. Request a public IP address

+A VPN gateway must have a public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

+Use the [az network public-ip create](/cli/azure/network/public-ip) command to request a public IP address.

+az network public-ip create --name VNet1GWIP --resource-group TestRG1 --allocation-method Static --sku Standard

+* The *--gateway-type* for a site-to-site configuration is *Vpn*. The gateway type is always specific to the configuration that you're implementing. For more information, see [Gateway types](vpn-gateway-about-vpn-gateway-settings.md#gwtype).

+* The *--vpn-type* can be *RouteBased* (referred to as a Dynamic Gateway in some documentation), or *PolicyBased* (referred to as a Static Gateway in some documentation). The setting is specific to requirements of the device that you're connecting to. For more information about VPN gateway types, see [About VPN Gateway configuration settings](vpn-gateway-about-vpn-gateway-settings.md#vpntype).

+az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWIP --resource-group TestRG1 --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait 

+Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

+* A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.