+> In this article, it is assumed that the **SocialAndLocalAccounts** starter pack is used in the previous steps mentioned in the pre-requisite.

+> Not all add-on capabilities are supported by all models. For more information, *see* [model data extraction](concept-model-overview.md#model-analysis-features).

+|Document analysis models|[General document](concept-general-document.md) |moved to layout**| ✔️| ✔️| n/a|

+|Prebuilt models|[US 1040 Tax*](concept-tax-document.md) | ✔️| ✔️| n/a| n/a|

+|Prebuilt models|[US 1098 Tax*](concept-tax-document.md) | ✔️| n/a| n/a| n/a|

+|Prebuilt models|[US 1099 Tax*](concept-tax-document.md) | ✔️| n/a| n/a| n/a|

+|Prebuilt models|[US Mortgage 1008 Summary](concept-mortgage-documents.md) | ✔️| n/a| n/a| n/a|

+|Prebuilt models|[Marriage certificate](concept-marriage-certificate.md) | ✔️| n/a| n/a| n/a|

+|Prebuilt models|[Credit card](concept-credit-card.md) | ✔️| n/a| n/a| n/a|

+|Prebuilt models|[Business card](concept-business-card.md) | deprecated|✔️|✔️|✔️ |

+|Custom classification model|[Custom classifier](concept-custom-classifier.md) | ✔️| ✔️| n/a| n/a|

+|Custom extraction model|[Custom neural](concept-custom-neural.md) | ✔️| ✔️| ✔️| n/a|

+|Customextraction model|[Custom template](concept-custom-template.md) | ✔️| ✔️| ✔️| ✔️|

+|Custom extraction model|[Custom composed](concept-composed-models.md) | ✔️| ✔️| ✔️| ✔️|

+\* - Contains sub-models. See the model specific information for supported variations and sub-types.

+| [US Mortgage document models](#us-mortgage-documents) | Process US mortgage forms to extract borrower loan and property information. |

+## Model details

+This section describes the output you can expect from each model. Please note that you can extend the output of most models with add-on features.

+ US Tax 1040|Extract mortgage interest details.|**prebuilt-tax.us.1040(variations)**|

+ |US Tax 1098|Extract mortgage interest details.|**prebuilt-tax.us.1098(variations)**|

+ |US Tax 1099|Extract income received from sources other than employer.|**prebuilt-tax.us.1099(variations)**|

+>

+### US mortgage documents

+The US mortgage document models analyze and extract key fields including borrower, loan and property information from a select group of mortgage documents. The API supports the analysis of English-language US mortgage documents of various formats and quality including phone-captured images, scanned documents, and digital PDFs. The following models are currently supported:

+ |Model|Description|ModelID|

+ ||||

+ |1003 End-User License Agreement (EULA)|Extract loan, borrower, property details.|**prebuilt-mortgage.us.1003**|

+ |1008 Summary document|Extract borrower, seller, property, mortgage and underwriting details.|**prebuilt-mortgage.us.1008**|

+ |Closing disclosure|Extract closing, transaction costs and loan details.|**prebuilt-mortgage.us.closingDisclosure**|

+ |Marriage certificate|Extract marriage information details for joint loan applicants.|**prebuilt-marriageCertificate**|

+ |US Tax W-2|Extract taxable compensation details for income verification.|**prebuilt-tax.us.W-2**|

+

+***Sample Closing disclosure document processed using [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=mortgage.us.closingDisclosure)***:

+> [!div class="nextstepaction"]

+> [Learn more: Mortgage document models](concept-mortgage-documents.md)

+>

+### Marriage certificate

+Use the marriage certificate model to process U.S. marriage certificates to extract key fields including the individuals, date and location.

+***Sample U.S. marriage certificate processed using [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=marriageCertificate.us)***:

+> [!div class="nextstepaction"]

+> [Learn more: identity document model](concept-marriage-certificate.md)

+### Credit card

+Use the credit card model to process credit and debit cards to extract key fields.

+***Sample credit card processed using [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=creditCard)***:

+> [!div class="nextstepaction"]

+> [Learn more: identity document model](concept-credit-card.md)

+Custom models can be broadly classified into two types. Custom classification models that support classification of a "document type" and custom extraction models that can extract a defined schema from a specific document type.

+Custom document models analyze and extract data from forms and documents specific to your business. They're trained to recognize form fields within your distinct content and extract key-value pairs and table data. You only need one example of the form type to get started.

+Version v3.0 custom model supports signature detection in custom template (form) and cross-page tables in both template and neural models.

+* In addition to the query fields, the response includes the model output. For a list of features or schema extracted by each model, see [model analysis features](concept-model-overview.md#model-analysis-features).

+> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Currently [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md) is not supported on Document Intelligence Studio to access Document Intelligence service APIs. To use Document Intelligence Studio, enabling access key-based authentication/local authentication is necessary.

+You can [create connections](../how-to/connections-add.md) to Azure AI services such as Azure OpenAI and Azure AI Content Safety. You can then use the connection in a prompt flow tool such as the LLM tool.

+As another example, you can [create a connection](../how-to/connections-add.md) to an Azure AI Search resource. The connection can then be used by prompt flow tools such as the Vector DB Lookup tool.

+## Azure AI Studio enterprise chat solution demo

+Learn how to create a retail copilot using your data with Azure AI Studio in this [end-to-end walkthrough video](https://youtu.be/Qes7p5w8Tz8).

+> [!VIDEO https://www.youtube.com/embed/Qes7p5w8Tz8]

+As a developer, you can manage settings such as connections and compute. Your admin mainly uses this section to look at access control, usage, and billing.

+Learn how to build your own copilot with Azure AI Studio in this [overview video from Microsoft Mechanics on YouTube](https://youtu.be/3hZorLy6JiA).

+> [!VIDEO https://www.youtube.com/embed/3hZorLy6JiA]

+You can explore Azure AI Studio without signing in, but for full functionality an Azure account is needed. You also need to apply for access to Azure OpenAI Service by completing the form at [https://aka.ms/oai/access](https://aka.ms/oai/access). You receive a follow-up email when your subscription is added.

+| `net.ipv4.tcp_keepalive_intvl` | 10 - 90 | 75 | How frequently the probes are sent out. Multiplied by `tcp_keepalive_probes` it makes up the time to kill a connection that isn't responding, after probes started. |

+| `net.ipv4.ip_local_port_range` | First: 1024 - 60999 and Last: 32768 - 65535] | First: 32768 and Last: 60999 | The local port range that is used by TCP and UDP traffic to choose the local port. Comprised of two numbers: The first number is the first local port allowed for TCP and UDP traffic on the agent node, the second is the last local port number. |

+| `net.netfilter.nf_conntrack_max` | 131072 - 2097152 | 131072 | `nf_conntrack` is a module that tracks connection entries for NAT within Linux. The `nf_conntrack` module uses a hash table to record the *established connection* record of the TCP protocol. `nf_conntrack_max` is the maximum number of nodes in the hash table, that is, the maximum number of connections supported by the `nf_conntrack` module or the size of connection tracking table. |

+| `net.netfilter.nf_conntrack_buckets` | 65536 - 524288 | 65536 | `nf_conntrack` is a module that tracks connection entries for NAT within Linux. The `nf_conntrack` module uses a hash table to record the *established connection* record of the TCP protocol. `nf_conntrack_buckets` is the size of hash table. |

+AKS has automatic GPU driver installation enabled by default. In some cases, such as installing your own drivers or using the [NVIDIA GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/getting-started.html), you may want to skip GPU driver installation.

+NVIDIA device plugin installation is required when using GPUs on AKS. In some cases, the installation is handled automatically, such as when using the [NVIDIA GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/getting-started.html) or the [AKS GPU image (preview)](#use-the-aks-gpu-image-preview). Alternatively, you can manually install the NVIDIA device plugin.

+2. Follow the NVIDIA documentation to [Install the GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/getting-started.html).

+> - Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL). For more information, see [AKS release notes][aks-release-notes].

+> - Windows Server 2022 is being retired after Kubernetes version 1.34 reaches its end of life (EOL). For more information, see [AKS release notes][aks-release-notes].

+ The following example output shows the pods in the `default` namespace:

+1. [Republish your developer portal](developer-portal-overview.md#publish-the-portal).

+> You need to [republish the developer portal](developer-portal-overview.md#publish-the-portal) when you create or update Azure Active Directory B2C configuration settings for the changes to take effect.

+1. [Republish your developer portal](developer-portal-overview.md#publish-the-portal).

+> You need to [republish the portal](developer-portal-overview.md#publish-the-portal) for the Microsoft Entra ID changes to take effect.

+* Once a developer is added to a group, they can view and subscribe to the products associated with that group. For more information, see [How to create and publish a product in Azure API Management][How create and publish a product in Azure API Management].

+* You can control how the developer portal content appears to different users and groups you've configured. Learn more about [visibility and access controls in the developer portal](developer-portal-overview.md#content-visibility-and-access).

+description: Follow this tutorial to learn how to customize the API Management developer portal, an automatically generated, fully customizable website with the documentation of your APIs.

+In this tutorial, you'll get started with customizing the API Management *developer portal*. The developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It's where API consumers can discover your APIs, learn how to use them, and request access.

+For more information about developer portal features and options, see [Azure API Management developer portal overview](developer-portal-overview.md).

+- Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).

+- [Import and publish](import-and-publish.md) an API.

+Follow these steps to access the managed version of the developer portal.

+## Add an image to the media library

+You'll want to use your own images and other media content in the developer portal to reflect your organization's branding. If an image that you want to use isn't already in the portal's media library, add it in the developer portal:

+1. In the left menu of the visual editor, select **Media**.

+1. Do one of the following:

+ * Select **Upload file** and select a local image file on your computer.

+ * Select **Link file**. Enter a **Reference URL** to the image file and other details. Then select **Download**.

+1. Select **Close** to exit the media library.

+> [!TIP]

+> You can also add an image to the media library by dragging and dropping it directly in the visual editor window.

+## Replace the default logo on the home page

+A placeholder logo is provided in the top left corner of the navigation bar. You can replace it with your own logo to match your organization's branding.

+1. In the developer portal, select the default **Contoso** logo in the top left of the navigation bar.

+1. Select **Edit**.

+1. In the **Picture** pop-up, under **Main**, select **Source**.

+1. In the **Media** pop-up, select one of the following:

+ * An image already uploaded in your media library

+ * **Upload file** to upload a new image file to your media library

+ * **None** if you don't want to use a logo

+1. The logo updates in real time.

+1. Select outside the pop-up windows to exit the media library.

+1. In the top bar, select **Save**.

+## Edit content on the home page

+The default **Home** page and other pages are provided with placeholder text and other images. You can either remove entire sections containing this content or keep the structure and adjust the elements one by one. Replace the generated text and images with your own and make sure any links point to desired locations.

+Edit the structure and content of the generated pages in several ways. For example:

+## Edit the site's primary color

+To change colors, gradients, typography, buttons, and other user interface elements in the developer portal, edit the site styles. For example, change the primary color used in the navigation bar, buttons, and other elements to match your organization's branding.

+1. In the developer portal, in the left menu of the visual editor, select **Styles**.

+1. Under the **Colors** section, select the color style item you want to edit. For example, select **Primary**.

+1. Select **Edit color**.

+1. Select the color from the color-picker, or enter the color hex code.

+1. In the top bar, elect **Save**.

+The updated color is applied to the site in real time.

+> [!TIP]

+> If you want, add and name another color item by selecting **+ Add color** on the **Styles** page.

+## Change the background image on the home page

+You can change the background on your portal's home page to an image or color that matches your organization's branding. If you haven't already uploaded a different image to the media library, you can upload it before changing the background image, or when you're changing it.

+1. On the home page of the developer portal, click in the top right corner so that the top section is highlighted at the corners and a pop-up menu appears.

+1. To the right of **Edit article** in the pop-up menu, select the up-down arrow (**Switch to parent**).

+1. Select **Edit section**.

+1. In the **Section** pop-up, under **Background**, select one of the icons:

+ :::image type="content" source="media/api-management-howto-developer-portal-customize/background.png" alt-text="Screenshot of background settings in the developer portal.":::

+ * **Clear background**, to remove a background image

+ * **Background image**, to select an image from the media library, or to upload a new image

+ * **Background color**, to select a color from the color picker, or to clear a color

+ * **Background gradient**, to select a gradient from your site styles page, or to clear a gradient

+1. Under **Background sizing**, make a selection appropriate for your background.

+1. In the top bar, select **Save**.

+## Change the default layout

+The developer portal uses *layouts* to define common content elements such as navigation bars and footers on groups of related pages. Each page is automatically matched with a layout based on a URL template.

+By default, the developer portal comes with two layouts:

+* **Home** - used for the home page (URL template `/`)

+* **Default** - used for all other pages (URL template `/*`).

+You can change the layout for any page in the developer portal and define new layouts to apply to pages that match other URL templates.

+For example, to change the logo that's used in the navigation bar of the Default layout to match your organization's branding:

+1. In the left menu of the visual editor, select **Pages**.

+1. Select the **Layouts** tab, and select **Default**.

+1. Select the picture of the logo in the upper left corner and select **Edit**.

+1. Under **Main**, select **Source**.

+1. In the **Media** pop-up windows, select one of the following:

+ * An image already uploaded in your media library

+ * **Upload file** to upload a new image file to your media file that you can select

+ * **None** if you don't want to use a logo

+1. The logo updates in real time.

+1. Select outside the pop-up windows to exit the media library.

+1. In the top bar, select **Save**.

+## Edit navigation menus

+You can edit the navigation menus at the top of the developer portal pages to change the order of menu items, add items, or remove items. You can also change the name of menu items and the URL or other content they point to.

+For example, the **Default** and **Home** layouts for the developer portal display two menus to guest users of the developer portal:

+* a main menu with links to **Home**, **APIs**, and **Products**

+* an anonymous user menu with links to **Sign in** and **Sign up** pages.

+However, you might want to customize them. For example, if you want to independently invite users to your site, you could disable the **Sign up** link in the anonymous user menu.

+1. In the left menu of the visual editor, select **Site menu**.

+1. On the left, expand **Anonymous user menu**.

+1. Select the settings (gear icon) next to **Sign up**, and select **Delete**.

+1. Select **Save**.

+## Edit site settings

+Edit the site settings for the developer portal to change the site name, description, and other details.

+1. In the left menu of the visual editor, select **Settings**.

+1. In the **Settings** pop-up, enter the site metadata you want to change. Optionally, set up a favicon for the site from an image in your media library.

+1. In the top bar, **Save**.

+> If you want to change the site's domain name, you must first set up a custom domain in your API Management instance. [Learn more about custom domain names](configure-custom-domain.md) in API Management.

+## Publish the portal

+To make your portal and its latest changes available to visitors, you need to *publish* it.

+To publish from the administrative interface of the developer portal:

+> [!TIP]

+> Another option is to publish the site from the Azure portal. On the **Portal overview** page of your API Management instance in the Azure portal, select **Publish**.

+## Visit the published portal

+To view your changes after you publish the portal, access it at the same URL as the administrative panel, for example `https://contoso-api.developer.azure-api.net`. View it in a separate browser session (using incognito or private browsing mode) as an external visitor.

+## Apply the CORS policy on APIs

+To let the visitors of your portal test the APIs through the built-in interactive console, enable CORS (cross-origin resource sharing) on your APIs, if you haven't already done so. On the **Portal overview** page of your API Management instance in the Azure portal, select **Enable CORS**. [Learn more](enable-cors-developer-portal.md).

+## Next steps

+In this tutorial, you learned how to:

+> [!div class="checklist"]

+> * Access the managed version of the developer portal

+> * Navigate its administrative interface

+> * Customize the content

+> * Publish the changes

+> * View the published portal

+Advance to the next tutorial:

+> [!div class="nextstepaction"]

+> [Import and manage APIs using Visual Studio Code](visual-studio-code-tutorial.md)

+See related content about the developer portal:

+- [Azure API Management developer portal overview](developer-portal-overview.md)

+1. [Republish](developer-portal-overview.md#publish-the-portal) the developer portal.

+> You need to [republish the developer portal](developer-portal-overview.md#publish-the-portal) for the delegation changes to take effect.

+6. [Republish your developer portal](../developer-portal-overview.md#publish-the-portal).

+1. Save your changes, and [republish the portal](developer-portal-overview.md#publish-the-portal).

+After you configure the widget in the administrative interface, [republish the portal](developer-portal-overview.md#publish-the-portal) to make the widget available in production.

+This article provides answers to frequently asked questions about the [developer portal](developer-portal-overview.md) in Azure API Management.

+* For small customizations, use a built-in widget to [add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget).

+After you update the domain, you need to [republish the portal](developer-portal-overview.md#publish-the-portal) for the changes to take effect.

+After you configure an identity provider (for example, Azure AD, Azure AD B2C), you need to [republish the portal](developer-portal-overview.md#publish-the-portal) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget.

+After you set up delegation, you need to [republish the portal](developer-portal-overview.md#publish-the-portal) for the changes to take effect.

+Most configuration changes (for example, VNet, sign-in, product terms) require [republishing the portal](developer-portal-overview.md#publish-the-portal).

+The interactive console makes a client-side API request from the browser. Resolve the CORS problem by adding a CORS policy on your API(s), or configure the portal to use a CORS proxy. For more information, see [Enable CORS for interactive console in the API Management developer portal](enable-cors-developer-portal.md).

+1. Remove **Sign up** links and navigation items in the portal content. For information about customizing portal content, see [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md#edit-navigation-menus).

+1. Save your changes, and [republish the portal](developer-portal-overview.md#publish-the-portal).

+## Related content

+1. After you update the configuration, [republish the portal](developer-portal-overview.md#publish-the-portal) for the changes to take effect.

+ Title: Overview of the developer portal in Azure API Management

+description: Learn about the developer portal in API Management - a customizable website where API consumers can explore your APIs.

+# Overview of the developer portal

+The API Management *developer portal* is an automatically generated, fully customizable website with the documentation of your APIs. It's where API consumers can discover your APIs, learn how to use them, request access, and try them out.

+This article introduces features of the developer portal, the types of content the portal presents, and options to manage and extend the developer portal for your specific users and scenarios.

+## Developer portal architectural concepts

+The portal components can be logically divided into two categories: *code* and *content*.

+### Code

+Code is maintained in the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal) and includes:

+- **Widgets** - represent visual elements and combine HTML, JavaScript, styling ability, settings, and content mapping. Examples are an image, a text paragraph, a form, a list of APIs etc.

+- **Styling definitions** - specify how widgets can be styled

+- **Engine** - which generates static webpages from portal content and is written in JavaScript

+- **Visual editor** - allows for in-browser customization and authoring experience

+### Content

+Content is divided into two subcategories: *portal content* and *API Management data*.

+* *Portal content* is specific to the portal website and includes:

+ - **Pages** - for example, landing page, API tutorials, blog posts

+ - **Media** - images, animations, and other file-based content

+ - **Layouts** - templates that are matched against a URL and define how pages are displayed

+ - **Styles** - values for styling definitions, such as fonts, colors, borders

+ - **Settings** - configurations such as favicon, website metadata

+

+ Portal content, except for media, is expressed as JSON documents.

+

+* *API Management data* includes entities such as APIs, Operations, Products, and Subscriptions that are managed in your API Management instance.

+## Customize and style the portal

+Out of the box, the developer portal is already populated with your published APIs and products and ready to be customized for your needs. As an API publisher, you use the developer portal's administrative interface to customize the appearance and functionality of the developer portal.

+If you're accessing the portal for the first time, the portal includes placeholder pages, content, and navigation menus. The placeholder content you see has been designed to showcase the portal's capabilities and minimize the customizations needed to personalize your portal.

+For a step-by-step walkthrough of customizing and publishing the developer portal, see [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md).

+> [!IMPORTANT]

+> * Access to the developer portal by API publishers and consumers requires network connectivity to both the developer portal's endpoint (default: `https://<apim-instance-name>.portal.azure-api.net`) and the API Management instance's management endpoint (default: `https://<apim-instance-name>.management.azure-api.net`).

+> * Publishing the developer portal requires additional connectivity to blob storage managed by API Management in the West US region.

+> * If the API Management instance is deployed in a VNet, ensure that the hostnames of the developer portal and management endpoint resolve properly and that you enable connectivity to required dependencies for the developer portal. [Learn more](virtual-network-reference.md).

+### Visual editor

+The developer portal's administrative interface provides a visual editor for publishers to customize the portal's content and styling. Using the visual editor, you can add, remove, and rearrange pages, sections, and widgets. You can also change the styling of the portal's elements, such as fonts, colors, and spacing.

+### Layouts and pages

+Layouts define how pages are displayed. For example, in the default content, there are two layouts: one applies to the home page, and the other to all remaining pages. You can modify these layouts and add more layouts to suit your needs.

+A layout gets applied to a page by matching its URL template to the page's URL. For example, a layout with a URL template of `/wiki/*` is applied to every page with the `/wiki/` segment in the URL: `/wiki/getting-started`, `/wiki/styles`, etc.

+In the following image, content belonging to the layout is outlined in blue, while the page-specific content is outlined in red.

+The pre-provisioned content in the developer portal showcases pages with commonly used features. You can modify the content of these pages or add new ones to suit your needs.

+> [!NOTE]

+> Due to integration considerations, the following pages can't be removed or moved under a different URL: `/404`, `/500`, `/captcha`, `/change-password`, `/config.json`, `/confirm/invitation`, `/confirm-v2/identities/basic/signup`, `/confirm-v2/password`, `/internal-status-0123456789abcdef`, `/publish`, `/signin`, `/signin-sso`, `/signup`.

+### Styles

+The **Styles** panel is created with designers in mind. Use styles to manage and customize all the visual elements in your portal, such as fonts used in headings and menus and button colors. The styling is hierarchical - many elements inherit properties from other elements. For example, button elements use colors for text and background. To change a button's color, you need to change the original color variant.

+To edit a variant, select it and select **Edit style** in the options that appear on top of it. After you make the changes in the pop-up window, close it.

+## Extend portal functionality

+In some cases you might need functionality beyond the customization and styling options provided in the managed developer portal. If you need to implement custom logic, which isn't supported out-of-the-box, you have [several options](developer-portal-extend-custom-functionality.md):

+* [Add custom HTML](developer-portal-extend-custom-functionality.md#use-custom-html-code-widget) directly through a developer portal widget designed for small customizations - for example, add HTML for a form or to embed a video player. The custom code is rendered in an inline frame (IFrame).

+* [Create and upload a custom widget](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget) to develop and add more complex custom portal features.

+* [Self-host the portal](developer-portal-self-host.md), only if you need to make modifications to the core of the developer portal [codebase](https://github.com/Azure/api-management-developer-portal). This option requires advanced configuration. Azure Support's assistance is limited only to the basic setup of self-hosted portals.

+> [!NOTE]

+> Because the API Management developer portal codebase is maintained on [GitHub](https://github.com/Azure/api-management-developer-portal), you can open issues and make pull requests for the API Management team to merge new functionality at any time.

+>

+## Control access to portal content

+The developer portal synchronizes with your API Management instance to display content such as the APIs, operations, products, subscriptions, and user profiles. APIs and products must be in a *published* state to be visible in the developer portal.

+### Content visibility and access

+In API Management, [groups of users](api-management-howto-create-groups.md) are used to manage the visibility of products and their associated APIs to developers. In addition to using built-in groups, you can create custom groups to suit your needs. Products are first made visible to groups, and then developers in those groups can view and subscribe to the products that are associated with the groups.

+You can also control how other portal content (such as pages and sections) appears to different users, based on their identity. For example, you might want to display certain pages only to users who have access to a specific product or API. Or, make a section of a page appear only for certain [groups of users](api-management-howto-create-groups.md). The developer portal has built-in controls for these needs.

+> [!NOTE]

+> Visibility and access controls are supported only in the managed developer portal. They aren't supported in the [self-hosted portal](developer-portal-self-host.md).

+* When you add a page or edit the settings of an existing page, make a selection under **Access** to control the users or groups that can see the page

+

+ :::image type="content" source="media/developer-portal-overview/page-access-control.png" alt-text="Screenshot of the page access control settings in the developer portal.":::

+ > [!TIP]

+ > To edit the settings of an existing page, select the gear icon next to the page name on the **Pages** tab.

+* When you select page content such as a page section, menu, or button for editing, select the **Change access** icon to control the users or groups that can see the element on the page

+ :::image type="content" source="media/developer-portal-overview/change-visibility-button.png" alt-text="Screenshot of the change access button in the developer portal.":::

+ * You can change the visibility of the following page content: sections, menus, buttons, and sign-in for OAuth authorization.

+ * Media files such as images on a page inherit the visibility of the elements that contain them.

+When a user visits the developer portal with visibility and access controls applied:

+* The developer portal automatically hides buttons or navigation items that point to pages that a user doesn't have access to.

+* An attempt by a user to access a page they aren't authorized to access results in a 404 Not Found error.

+> [!TIP]

+> Using the administrative interface, you can preview pages as a user associated with any built-in or custom group by selecting **View as** in the menu at the top.

+>

+### Content security policy

+You can enable a content security policy to add a layer of security to your developer portal and help mitigate certain types of attacks including cross-site scripting and data injection. With a content security policy, the developer portal on the browser will only load resources from trusted locations that you specify, such as your corporate website or other trusted domains.

+To enable a content security policy:

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, under **Developer portal**, select **Portal settings**.

+1. On the **Content security policy** tab, select **Enabled**.

+1. Under **Allowed sources**, add one or more hostnames that specify trusted locations that the developer portal can load resources from. You can also specify a wildcard character to allow all subdomains of a domain. For example, `*.contoso.com` allows all subdomains of `contoso.com`.

+1. Select **Save**.

+### Interactive test console

+The developer portal provides a "Try it" capability on the API reference pages so that portal visitors can test your APIs directly through an interactive console.

+The test console supports APIs with different authorization models - for example, APIs that require no authorization, or that require a subscription key or OAuth 2.0 authorization. In the latter case, you can configure the test console to generate a valid OAuth token on behalf of the test console user. For more information, see [How to authorize test console of developer portal by configuring OAuth 2.0 user authorization](api-management-howto-oauth2.md).

+> [!IMPORTANT]

+> To let the visitors of your portal test the APIs through the built-in interactive console, enable a CORS (cross-origin resource sharing) policy on your APIs. For details, see [Enable CORS for interactive console in the API Management developer portal](enable-cors-developer-portal.md).

+## Manage user sign-up and sign-in

+By default, the developer portal enables anonymous access. This means that anyone can view the portal and its content without signing in, although access to certain content and functionality such as using the test console may be restricted. You can enable a developer portal website setting to require users to sign in to access the portal.

+The portal supports several options for user sign-up and sign-in:

+* Basic authentication for developers to sign in with credentials for API Management [user accounts](api-management-howto-create-or-invite-developers.md). Developers can sign up for an account directly through the portal, or you can create accounts for them.

+* Depending on your scenarios, restrict access to the portal by requiring users to sign up or sign in with a [Microsoft Entra ID](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) account.

+* If you already manage developer sign-up and sign-in through an existing website, [delegate authentication](api-management-howto-setup-delegation.md) instead of using the developer portal's built-in authentication.

+[Learn more](secure-developer-portal-access.md) about options to secure user sign-up and sign-in to the developer portal.

+### Reports for users

+The developer portal generates reports for authenticated users to view their individual API usage, data transfer, and response times, including aggregated use by specific products and subscriptions. Users can view the reports by selecting **Reports** in the default navigation menu for authenticated users. Users can filter reports by time interval, up to the most recent 90 days.

+> [!NOTE]

+> Reports in the developer portal only show data for the authenticated user. API publishers and administrators can access usage data for all users of the API Management instance - for example, by setting up monitoring features such as [Azure Application Insights](api-management-howto-app-insights.md) in the portal.

+## Save and publish website content

+After you update the developer portal content or configuration, you need to save and publish your changes to make them available to portal visitors. The developer portal maintains a record of the content you've published, and you can revert to a previous portal *revision* when you need to.

+### Save changes

+Whenever you make a change in the portal, you need to save it manually by selecting the **Save** button in the menu at the top, or press [Ctrl]+[S]. If you need to, you can **Undo** your last saved changes. Saved changes are visible only to you and aren't visible to portal visitors until you publish them.

+> [!NOTE]

+> The managed developer portal receives and applies software updates automatically. Changes that you've saved but not published to the developer portal remain in that state during an update.

+### Publish the portal

+To make your portal and its latest changes available to visitors, you need to *publish* it. You publish the portal within the portal's administrative interface or from the Azure portal.

+> [!IMPORTANT]

+> You need to publish the portal any time you want to expose changes to the portal's content or styling. The portal also needs to be republished after API Management service configuration changes that affect the developer portal. For example, republish the portal after assigning a custom domain, updating the identity providers, setting delegation, or specifying sign-in and product terms.

+#### Publish from the administrative interface

+#### Publish from the Azure portal

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, under **Developer portal**, select **Portal overview**.

+1. In the **Portal overview** window, select **Publish**.

+ :::image type="content" source="media/developer-portal-overview/publish-portal-azure-portal.png" alt-text="Screenshot of publishing the developer portal from the Azure portal":::

+### Restore a previous portal revision

+Each time you publish the developer portal, a corresponding portal revision is saved. You can republish a previous portal revision at any time. For example, you might want to roll back a change you introduced when you last published the portal.

+> [!NOTE]

+> Developer portal software updates are applied automatically when you restore a revision. Changes saved but not published in the administrative interface remain in that state when you publish a revision.

+To restore a previous portal revision:

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, under **Developer portal**, select **Portal overview**.

+1. On the **Revisions** tab, select the context menu (**...**) for a revision that you want to restore, and then select **Make current and publish**.

+### Reset the portal

+If you want to discard all changes you've made to the developer portal, you can reset the website to its starting state. Resetting the portal deletes any changes you've made to the developer portal pages, layouts, customizations, and uploaded media.

+> [!NOTE]

+> Resetting the developer portal doesn't delete the published version of the developer portal.

+To reset the developer portal:

+1. In the administrative interface, in the menu at the left of the visual editor, select **Settings**.

+1. On the **Advanced** tab, select **Yes, reset the website to default state**.

+1. Select **Save**.

+## Related content

+Learn more about the developer portal:

+- [Access and customize the managed developer portal](api-management-howto-developer-portal-customize.md)

+- [Extend functionality of the managed developer portal](developer-portal-extend-custom-functionality.md)

+- [Set up self-hosted version of the portal](developer-portal-self-host.md)

+Browse other resources:

+- [GitHub repository with the source code](https://github.com/Azure/api-management-developer-portal)

+- [Frequently asked questions about the developer portal](developer-portal-faq.md)

+ Title: Enable CORS for Azure API Management developer portal

+description: How to configure CORS to enable the Azure API Management developer portal's interactive test console.

+# Enable CORS for interactive console in the API Management developer portal

+Cross-origin resource sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

+To let visitors to the API Management [developer portal](developer-portal-overview.md) use the interactive test console in the API reference pages, enable a [CORS policy](cors-policy.md) for APIs in your API Management instance. If the developer portal's domain name isn't an allowed origin for cross-domain API requests, test console users will see a CORS error.

+For certain scenarios, you can configure the developer portal as a CORS proxy instead of enabling a CORS policy for APIs.

+## Prerequisites

+## Enable CORS policy for APIs

+You can enable a setting to configure a CORS policy automatically for all APIs in your API Management instance. You can also manually configure a CORS policy.

+> [!NOTE]

+> Only one CORS policy is executed. If you specify multiple CORS policies (for example, on the API level and on the all-APIs level), your interactive console may not work as expected.

+### Enable CORS policy automatically

+1. In the left menu of your API Management instance, under **Developer portal**, select **Portal overview**.

+1. Under **Enable CORS**, the status of CORS policy configuration is displayed. A warning box indicates an absent or misconfigured policy.

+1. To enable CORS from the developer portal for all APIs, select **Enable CORS**.

+

+### Enable CORS policy manually

+1. Select the **Manually apply it on the global level** link to see the generated policy code.

+2. Navigate to **All APIs** in the **APIs** section of your API Management instance.

+3. Select the **</>** icon in the **Inbound processing** section.

+4. In the policy editor, insert the policy in the **\<inbound\>** section of the XML file. Make sure the **\<origin\>** value matches your developer portal's domain.

+> [!NOTE]

+>

+> If you apply the CORS policy in the Product scope, instead of the API(s) scope, and your API uses subscription key authentication through a header, your console won't work.

+>

+> The browser automatically issues an `OPTIONS` HTTP request, which doesn't contain a header with the subscription key. Because of the missing subscription key, API Management can't associate the `OPTIONS` call with a Product, so it can't apply the CORS policy.

+>

+> As a workaround, you can pass the subscription key in a query parameter.

+## CORS proxy option

+For some scenarios (for example, if the API Management gateway is network isolated), you can choose to configure the developer portal as a CORS proxy itself, instead of enabling a CORS policy for your APIs. The CORS proxy routes the interactive console's API calls through the portal's backend in your API Management instance.

+> [!NOTE]

+> If the APIs are exposed through a self-hosted gateway or your service is in a virtual network, the connectivity from the API Management developer portal's backend service to the gateway is required.

+To configure the CORS proxy, access the developer portal as an administrator:

+1. On the **Overview** page of your API Management instance, select **Developer portal**. The developer portal opens in a new browser tab.

+1. In the left menu of the administrative interface, select **Pages** > **APIs** > **Details**.

+1. On the **APIs: Details** page, select the **Operation: Details** widget, and select **Edit widget**.

+1. Select **Use CORS proxy**.

+1. Save changes to the portal, and [republish the portal](developer-portal-overview.md#publish-the-portal).

+## CORS configuration for self-hosted developer portal

+If you [self-host](developer-portal-self-host.md) the developer portal, the following configuration is needed to enable CORS:

+* Specify the portal's backend endpoint using the `backendUrl` option in the configuration files. Otherwise, the self-hosted portal isn't aware of the location of the backend service.

+* Add **Origin** domain values to the self-hosted portal configuration specifying the environments where the self-hosted portal is hosted. [Learn more](developer-portal-self-host.md#configure-cors-settings-for-developer-portal-backend)

+## Related content

+* For more information about configuring a policy, see [Set or edit policies](set-edit-policies.md).

+* For details about the CORS policy, see the [cors](cors-policy.md) policy reference.

+> [!NOTE]

+> By default, the developer portal enables anonymous access. This means that anyone can view the portal and content such as APIs without signing in, although functionality such as using the test console is restricted. You can enable a setting that requires users to sign-in to view the developer portal. In the Azure portal, in the left menu of your API Management instance, under **Developer portal**, select **Identities** > **Settings**. Under **Anonymous users**, select (enable) **Redirect anonymous users to sign-in page**.

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01" --query properties.networkingConfiguration.internalInboundIpAddresses

+az rest --method get --uri "${ASE_ID}?api-version=2022-03-01" --query properties.networkingConfiguration.externalInboundIpAddresses

+| `WEBSITES_CONTAINER_STOP_TIME_LIMIT` | Amount of time in seconds to wait for the container to terminate gracefully. Default is `5`. You can increase to a maximum of `120` ||

+> [!NOTE]

+- Windows Server 2022

+ Title: Monitor Azure app services performance Python (Preview)

+description: Application performance monitoring for Azure app services using Python. Chart load and response time, dependency information, and set alerts on performance.

+ms.devlang: python

+# Application monitoring for Azure App Service and Python (Preview)

+> [!IMPORTANT]

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Monitor your Python web applications on Azure App Services without modifying the code. This guide shows you how to enable Azure Monitor Application Insights and offers tips for automating large-scale deployments.

+The integration instruments popular Python libraries in your code, letting you automatically gather and correlate dependencies, logs, and metrics. After instrumenting, you collect calls and metrics from these Python libraries:

+| Instrumentation | Supported library Name | Supported versions |

+| | - | |

+| [OpenTelemetry Django Instrumentation][ot_instrumentation_django] | [`django`][pypi_django] | [link][ot_instrumentation_django_version]

+| [OpenTelemetry FastApi Instrumentation][ot_instrumentation_fastapi] | [`fastapi`][pypi_fastapi] | [link][ot_instrumentation_fastapi_version]

+| [OpenTelemetry Flask Instrumentation][ot_instrumentation_flask] | [`flask`][pypi_flask] | [link][ot_instrumentation_flask_version]

+| [OpenTelemetry Psycopg2 Instrumentation][ot_instrumentation_psycopg2] | [`psycopg2`][pypi_psycopg2] | [link][ot_instrumentation_psycopg2_version]

+| [OpenTelemetry Requests Instrumentation][ot_instrumentation_requests] | [`requests`][pypi_requests] | [link][ot_instrumentation_requests_version]

+| [OpenTelemetry UrlLib Instrumentation][ot_instrumentation_urllib] | [`urllib`][pypi_urllib] | All

+| [OpenTelemetry UrlLib3 Instrumentation][ot_instrumentation_urllib3] | [`urllib3`][pypi_urllib3] | [link][ot_instrumentation_urllib3_version]

+> [!NOTE]

+> If using Django, see the additional [Django Instrumentation](#django-instrumentation) section in this article.

+Logging telemetry is collected at the level of the root logger. To learn more about Python's native logging hierarchy, visit the [Python logging documentation][python_logging_docs].

+## Prerequisites

+* Python version 3.11 or prior.

+* App Service must be deployed as code. Custom containers aren't supported.

+## Enable Application Insights

+The easiest way to monitor Python applications on Azure App Services is through the Azure portal.

+Activating monitoring in the Azure portal automatically instruments your application with Application Insights and requires no code changes.

+> [!NOTE]

+> You should only use autoinstrumentation on App Service if you aren't using manual instrumentation of OpenTelemetry in your code, such as the [Azure Monitor OpenTelemetry Distro](./opentelemetry-enable.md?tabs=python) or the [Azure Monitor OpenTelemetry Exporter][azure_monitor_opentelemetry_exporter]. This is to prevent duplicate data from being sent. To learn more about this, check out the [troubleshooting section](#troubleshooting) in this article.

+### Autoinstrumentation through Azure portal

+For a complete list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+Toggle on monitoring for your Python apps in Azure App Service with no code changes required.

+Application Insights for Python integrates with code-based Linux Azure App Service.

+The integration is in public preview. It adds the Python SDK, which is in GA.

+1. **Select Application Insights** in the Azure control panel for your app service, then select **Enable**.

+ :::image type="content"source="./media/azure-web-apps/enable.png" alt-text="Screenshot of Application Insights tab with enable selected." lightbox="./media/azure-web-apps/enable.png":::

+2. Choose to create a new resource, or select an existing Application Insights resource for this application.

+ > [!NOTE]

+ > When you select **OK** to create the new resource you will be prompted to **Apply monitoring settings**. Selecting **Continue** will link your new Application Insights resource to your app service, doing so will also **trigger a restart of your app service**.

+ :::image type="content"source="./media/azure-web-apps/change-resource.png" alt-text="Screenshot of Change your resource dropdown." lightbox="./media/azure-web-apps/change-resource.png":::

+3. You specify the resource, and it's ready to use.

+ :::image type="content"source="./media/azure-web-apps-python/app-service-python.png" alt-text="Screenshot of instrument your application." lightbox="./media/azure-web-apps-python/app-service-python.png":::

+## Configuration

+You can configure with [OpenTelemetry environment variables][ot_env_vars] such as:

+| **Environment Variable** | **Description** |

+|--|-|

+| `OTEL_SERVICE_NAME`, `OTEL_RESOURCE_ATTRIBUTES` | Specifies the OpenTelemetry [Resource Attributes][opentelemetry_resource] associated with your application. You can set any Resource Attributes with [OTEL_RESOURCE_ATTRIBUTES][opentelemetry_spec_resource_attributes_env_var] or use [OTEL_SERVICE_NAME][opentelemetry_spec_service_name_env_var] to only set the `service.name`. |

+| `OTEL_LOGS_EXPORTER` | If set to `None`, disables collection and export of logging telemetry. |

+| `OTEL_METRICS_EXPORTER` | If set to `None`, disables collection and export of metric telemetry. |

+| `OTEL_TRACES_EXPORTER` | If set to `None`, disables collection and export of distributed tracing telemetry. |

+| `OTEL_BLRP_SCHEDULE_DELAY` | Specifies the logging export interval in milliseconds. Defaults to 5000. |

+| `OTEL_BSP_SCHEDULE_DELAY` | Specifies the distributed tracing export interval in milliseconds. Defaults to 5000. |

+| `OTEL_TRACES_SAMPLER_ARG` | Specifies the ratio of distributed tracing telemetry to be [sampled][application_insights_sampling]. Accepted values range from 0 to 1. The default is 1.0, meaning no telemetry is sampled out. |

+| `OTEL_PYTHON_DISABLED_INSTRUMENTATIONS` | Specifies which OpenTelemetry instrumentations to disable. When disabled, instrumentations aren't executed as part of autoinstrumentation. Accepts a comma-separated list of lowercase [library names](#application-monitoring-for-azure-app-service-and-python-preview). For example, set it to `"psycopg2,fastapi"` to disable the Psycopg2 and FastAPI instrumentations. It defaults to an empty list, enabling all supported instrumentations. |

+### Add a community instrumentation library

+You can collect more data automatically when you include instrumentation libraries from the OpenTelemetry community.

+To add the community OpenTelemetry Instrumentation Library, install it via your app's `requirements.txt` file. OpenTelemetry autoinstrumentation automatically picks up and instruments all installed libraries. Find the list of community libraries [here](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation).

+## Automate monitoring

+In order to enable telemetry collection with Application Insights, only the following Application settings need to be set:

+### Application settings definitions

+| App setting name | Definition | Value |

+|||:|

+| APPLICATIONINSIGHTS_CONNECTION_STRING | Connections string for your Application Insights resource | Example: abcd1234-ab12-cd34-abcd1234abcd |

+| ApplicationInsightsAgent_EXTENSION_VERSION | Main extension, which controls runtime monitoring. | `~3` |

+> [!NOTE]

+> Profiler and snapshot debugger are not available for Python applications

+## Django Instrumentation

+In order to use the OpenTelemetry Django Instrumentation, you need to set the `DJANGO_SETTINGS_MODULE` environment variable in the App Service settings to point from your app folder to your settings module. For more information, see the [Django documentation][django_settings_module_docs].

+## Frequently asked questions

+## Troubleshooting

+Here we provide our troubleshooting guide for monitoring Python applications on Azure App Services using autoinstrumentation.

+### Duplicate telemetry

+You should only use autoinstrumentation on App Service if you aren't using manual instrumentation of OpenTelemetry in your code, such as the [Azure Monitor OpenTelemetry Distro](./opentelemetry-enable.md?tabs=python) or the [Azure Monitor OpenTelemetry Exporter][azure_monitor_opentelemetry_exporter]. Using autoinstrumentation on top of the manual instrumentation could cause duplicate telemetry and increase your cost. In order to use App Service OpenTelemetry autoinstrumentation, first remove manual instrumentation of OpenTelemetry from your code.

+### Missing telemetry

+If you're missing telemetry, follow these steps to confirm that autoinstrumentation is enabled correctly.

+#### Step 1: Check the Application Insights blade on your App Service resource

+Confirm that autoinstrumentation is enabled in the Application Insights blade on your App Service Resource:

+#### Step 2: Confirm that your App Settings are correct

+Confirm that the `ApplicationInsightsAgent_EXTENSION_VERSION` app setting is set to a value of `~3` and that your `APPLICATIONINSIGHTS_CONNECTION_STRING` points to the appropriate Application Insights resource.

+#### Step 3: Check autoinstrumentation diagnostics and status logs

+Navigate to */var/log/applicationinsights/* and open status_*.json.

+Confirm that `AgentInitializedSuccessfully` is set to true and `IKey` to have a valid iKey.

+Here's an example JSON file:

+```json

+ "AgentInitializedSuccessfully":true,

+

+ "AppType":"python",

+

+ "MachineName":"c89d3a6d0357",

+

+ "PID":"47",

+

+ "IKey":"00000000-0000-0000-0000-000000000000",

+

+ "SdkVersion":"1.0.0"

+```

+The `applicationinsights-extension.log` file in the same folder may show other helpful diagnostics.

+### Django apps

+If your app uses Django and is either failing to start or using incorrect settings, make sure to set the `DJANGO_SETTINGS_MODULE` environment variable. See the [Django Instrumentation](#django-instrumentation) section for details.

+For the latest updates and bug fixes, [consult the release notes](web-app-extension-release-notes.md). -->

+## Next steps

+* [Enable Azure diagnostics](../agents/diagnostics-extension-to-application-insights.md) to be sent to Application Insights

+* [Monitor service health metrics](../data-platform.md) to make sure your service is available and responsive

+* [Receive alert notifications](../alerts/alerts-overview.md) whenever operational events happen or metrics cross a threshold

+* [Availability overview](availability-overview.md)

+[application_insights_sampling]: ./sampling.md

+[azure_core_tracing_opentelemetry_plugin]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core-tracing-opentelemetry

+[azure_monitor_opentelemetry_exporter]: /python/api/overview/azure/monitor-opentelemetry-exporter-readme

+[django_settings_module_docs]: https://docs.djangoproject.com/en/4.2/topics/settings/#envvar-DJANGO_SETTINGS_MODULE

+[ot_env_vars]: https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/

+[ot_instrumentation_django]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-django

+[ot_instrumentation_django_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-django/src/opentelemetry/instrumentation/django/package.py#L16

+[ot_instrumentation_fastapi]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-fastapi

+[ot_instrumentation_fastapi_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-fastapi/src/opentelemetry/instrumentation/fastapi/package.py#L16

+[ot_instrumentation_flask]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-flask

+[ot_instrumentation_flask_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-flask/src/opentelemetry/instrumentation/flask/package.py#L16

+[ot_instrumentation_psycopg2]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-psycopg2

+[ot_instrumentation_psycopg2_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-psycopg2/src/opentelemetry/instrumentation/psycopg2/package.py#L16

+[ot_instrumentation_requests]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-requests

+[ot_instrumentation_requests_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-requests/src/opentelemetry/instrumentation/requests/package.py#L16

+[ot_instrumentation_urllib]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib3

+[ot_instrumentation_urllib3]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib3

+[ot_instrumentation_urllib3_version]: https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/instrumentation/opentelemetry-instrumentation-urllib3/src/opentelemetry/instrumentation/urllib3/package.py#L16

+[opentelemetry_resource]: https://opentelemetry.io/docs/specs/otel/resource/sdk/

+[opentelemetry_spec_resource_attributes_env_var]: https://opentelemetry-python.readthedocs.io/en/latest/sdk/environment_variables.html?highlight=OTEL_RESOURCE_ATTRIBUTES%20#opentelemetry-sdk-environment-variables

+[opentelemetry_spec_service_name_env_var]: https://opentelemetry-python.readthedocs.io/en/latest/sdk/environment_variables.html?highlight=OTEL_RESOURCE_ATTRIBUTES%20#opentelemetry.sdk.environment_variables.OTEL_SERVICE_NAME

+[python_logging_docs]: https://docs.python.org/3/library/logging.html

+[pypi_django]: https://pypi.org/project/Django/

+[pypi_fastapi]: https://pypi.org/project/fastapi/

+[pypi_flask]: https://pypi.org/project/Flask/

+[pypi_psycopg2]: https://pypi.org/project/psycopg2/

+[pypi_requests]: https://pypi.org/project/requests/

+[pypi_urllib]: https://docs.python.org/3/library/urllib.html

+[pypi_urllib3]: https://pypi.org/project/urllib3/

+ - [Python](./azure-web-apps-python.md)

+ This approach is much more customizable, but it requires the following approaches: SDK for [.NET Core](./asp-net-core.md), [.NET](./asp-net.md), [Node.js](./nodejs.md), [Python](./opentelemetry-enable.md?tabs=python), and a standalone agent for [Java](./opentelemetry-enable.md?tabs=java). This method also means you must manage the updates to the latest version of the packages yourself.

+Learn how to enable autoinstrumentation application monitoring for your [.NET Core](./azure-web-apps-net-core.md), [.NET](./azure-web-apps-net.md), [Java](./azure-web-apps-java.md), [Nodejs](./azure-web-apps-nodejs.md), or [Python](./azure-web-apps-python.md) application running on App Service.

+|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-java.md) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | [ :white_check_mark: :link: ](azure-web-apps-python.md?tabs=linux) ┬▓ |

+|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) ┬╣ |

+|Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) | :x: | :x: |

+When using supported Software Development Kits (SDKs), you can enable SDK injection in configuration to automatically inject JavaScript (Web) SDK Loader Script onto each page.

+To collect telemetry from services such as Requests, urllib3, httpx, PsycoPG2, and more, use the [Azure Monitor OpenTelemetry Distro](./opentelemetry-enable.md?tabs=python). Tracked incoming requests coming into your Python application hosted in Azure Functions will not be automatically correlated with telemetry being tracked within it. You can manually achieve trace correlation by extract the TraceContext directly as shown below:

+<!-- TODO: Remove after Azure Functions implements this automatically -->

+```python

+import azure.functions as func

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import trace

+from opentelemetry.propagate import extract

+# Configure Azure monitor collection telemetry pipeline

+configure_azure_monitor()

+def main(req: func.HttpRequest, context) -> func.HttpResponse:

+ ...

+ # Store current TraceContext in dictionary format

+ carrier = {

+ "traceparent": context.trace_context.Traceparent,

+ "tracestate": context.trace_context.Tracestate,

+ }

+ tracer = trace.get_tracer(__name__)

+ # Start a span using the current context

+ with tracer.start_as_current_span(

+ "http_trigger_span",

+ context=extract(carrier),

+ ):

+ ...

+```

+ Title: Recommended alert rules for Kubernetes clusters

+description: Describes how to enable recommended metric alerts rules for a Kubernetes cluster in Azure Monitor.

+# Recommended alert rules for Kubernetes clusters

+[Alerts](../alerts/alerts-overview.md) in Azure Monitor proactively identify issues related to the health and performance of your Azure resources. This article describes how to enable and edit a set of recommended metric alert rules that are predefined for your Kubernetes clusters.

+## Types of alert rules

+There are two types of metric alert rules used with Kubernetes clusters.

+| Alert rule type | Description |

+|:|:|

+| [Prometheus metric alert rules (preview)](../alerts/alerts-types.md#prometheus-alerts) | Use metric data collected from your Kubernetes cluster in a [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md). These rules require [Prometheus to be enabled on your cluster](./kubernetes-monitoring-enable.md#enable-prometheus-and-grafana) and are stored in a [Prometheus rule group](../essentials/prometheus-rule-groups.md). |

+| [Platform metric alert rules](../alerts/alerts-types.md#metric-alerts) | Use metrics that are automatically collected from your AKS cluster and are stored as [Azure Monitor alert rules](../alerts/alerts-overview.md). |

+## Enable recommended alert rules

+Use one of the following methods to enable the recommended alert rules for your cluster. You can enable both Prometheus and platform metric alert rules for the same cluster.

+### [Azure portal](#tab/portal)

+Using the Azure portal, the Prometheus rule group will be created in the same region as the cluster.

+1. From the **Alerts** menu for your cluster, select **Set up recommendations**.

+ :::image type="content" source="media/kubernetes-metric-alerts/setup-recommendations.png" lightbox="media/kubernetes-metric-alerts/setup-recommendations.png" alt-text="Screenshot of AKS cluster showing Set up recommendations button.":::

+2. The available Prometheus and platform alert rules are displayed with the Prometheus rules organized by pod, cluster, and node level. Toggle a group of Prometheus rules to enable that set of rules. Expand the group to see the individual rules. You can leave the defaults or disable individual rules and edit their name and severity.

+ :::image type="content" source="media/kubernetes-metric-alerts/recommended-alert-rules-enable-prometheus.png" lightbox="media/kubernetes-metric-alerts/recommended-alert-rules-enable-prometheus.png" alt-text="Screenshot of enabling Prometheus alert rule.":::

+3. Toggle a platform metric rule to enable that rule. You can expand the rule to modify its details such as the name, severity, and threshold.

+ :::image type="content" source="media/kubernetes-metric-alerts/recommended-alert-rules-enable-platform.png" lightbox="media/kubernetes-metric-alerts/recommended-alert-rules-enable-platform.png" alt-text="Screenshot of enabling platform metric alert rule.":::

+4. Either select one or more notification methods to create a new action group, or select an existing action group with the notification details for this set of alert rules.

+5. Click **Save** to save the rule group.

+### [Azure Resource Manager](#tab/arm)

+Using an ARM template, you can specify the region for the Prometheus rule group, but you should create it in the same region as the cluster.

+Download the required files for the template you're working with and deploy using the parameters in the tables below. For examples of different methods, see [Deploy the sample templates](../resource-manager-samples.md#deploy-the-sample-templates).

+### ARM

+- Template file: [https://aka.ms/azureprometheus-recommendedmetricalerts](https://aka.ms/azureprometheus-recommendedmetricalerts)

+- Parameters:

+ | Parameter | Description |

+ |:|:|

+ | clusterResourceId | Resource ID of the cluster. |

+ | actionGroupResourceId | Resource ID of action group that defines responses to alerts. |

+ | azureMonitorWorkspaceResourceId | Resource ID of the Azure Monitor workspace receiving the cluster's Prometheus metrics. |

+ | location | Region to store the alert rule group. |

+### Bicep

+See the [README](https://github.com/Azure/prometheus-collector/blob/main/AddonBicepTemplate/README.md) for further details.

+- Template file: [https://aka.ms/azureprometheus-recommendedmetricalertsbicep](https://aka.ms/azureprometheus-recommendedmetricalertsbicep)

+- Parameters:

+ | Parameter | Description |

+ |:|:|

+ | aksResourceId | Resource ID of the cluster. |

+ | actionGroupResourceId | Resource ID of action group that defines responses to alerts. |

+ | monitorWorkspaceName | Name of the Azure Monitor workspace receiving the cluster's Prometheus metrics. |

+ | location | Region to store the alert rule group. |

+

+## Edit recommended alert rules

+Once the rule group has been created, you can't use the same page in the portal to edit the rules. For Prometheus metrics, you must edit the rule group to modify any rules in it, including enabling any rules that weren't already enabled. For platform metrics, you can edit each alert rule.

+### [Azure portal](#tab/portal)

+1. From the **Alerts** menu for your cluster, select **Set up recommendations**. Any rules or rule groups that have already been created will be labeled as **Already created**.

+2. Expand the rule or rule group. Click on **View rule group** for Prometheus and **View alert rule** for platform metrics.

+ :::image type="content" source="media/kubernetes-metric-alerts/recommended-alert-rules-already-enabled.png" lightbox="media/kubernetes-metric-alerts/recommended-alert-rules-already-enabled.png" alt-text="Screenshot of view rule group option.":::

+3. For Prometheus rule groups:

+ 1. select **Rules** to view the alert rules in the group.

+ 2. Click the **Edit** icon next a rule that you want to modify. Use the guidance in [Create an alert rule](../essentials/prometheus-rule-groups.md#configure-the-rules-in-the-group) to modify the rule.

+ :::image type="content" source="media/kubernetes-metric-alerts/edit-prometheus-rule.png" lightbox="media/kubernetes-metric-alerts/edit-prometheus-rule.png" alt-text="Screenshot of option to edit Prometheus alert rules.":::

+ 3. When you're done editing rules in the group, click **Save** to save the rule group.

+4. For platform metrics:

+ 1. click **Edit** to open the details for the alert rule. Use the guidance in [Create an alert rule](../alerts/alerts-create-metric-alert-rule.md#configure-the-alert-rule-conditions) to modify the rule.

+ :::image type="content" source="media/kubernetes-metric-alerts/edit-platform-metric-rule.png" lightbox="media/kubernetes-metric-alerts/edit-platform-metric-rule.png" alt-text="Screenshot of option to edit platform metric rule.":::

+### [Azure Resource Manager](#tab/arm)

+Edit the query and threshold or configure an action group for your alert rules in the ARM template described in [Enable recommended alert rules](#enable-recommended-alert-rules) and redeploy it by using any deployment method.

+## Disable alert rule group

+Disable the rule group to stop receiving alerts from the rules in it.

+### [Azure portal](#tab/portal)

+1. View the Prometheus alert rule group or platform metric alert rule as described in [Edit recommended alert rules](#edit-recommended-alert-rules).

+2. From the **Overview** menu, select **Disable**.

+ :::image type="content" source="media/kubernetes-metric-alerts/disable-prometheus-rule-group.png" lightbox="media/kubernetes-metric-alerts/disable-prometheus-rule-group.png" alt-text="Screenshot of option to disable a rule group.":::

+### [ARM template](#tab/arm)

+Set the **enabled** flag to false for the rule group in the ARM template described in [Enable recommended alert rules](#enable-recommended-alert-rules) and redeploy it by using any deployment method.

+## Recommended alert rule details

+The following tables list the details of each recommended alert rule. Source code for each is available in [GitHub](https://aka.ms/azureprometheus-recommendedmetricalerts) along with [troubleshooting guides](https://aka.ms/aks-alerts/community-runbooks) from the Prometheus community.

+### Prometheus community alert rules

+**Cluster level alerts**

+| Alert name | Description | Default threshold | Timeframe (minutes) |

+|:|:|::|::|

+| KubeCPUQuotaOvercommit | The CPU resource quota allocated to namespaces exceeds the available CPU resources on the cluster's nodes by more than 50% for the last 5 minutes. | >1.5 | 5 |

+| KubeMemoryQuotaOvercommit | The memory resource quota allocated to namespaces exceeds the available memory resources on the cluster's nodes by more than 50% for the last 5 minutes. | >1.5 | 5 |

+| Number of OOM killed containers is greater than 0 | One or more containers within pods have been killed due to out-of-memory (OOM) events for the last 5 minutes. | >0 | 5 |

+| KubeClientErrors | The rate of client errors (HTTP status codes starting with 5xx) in Kubernetes API requests exceeds 1% of the total API request rate for the last 15 minutes. | >0.01 | 15 |

+| KubePersistentVolumeFillingUp | The persistent volume is filling up and is expected to run out of available space evaluated on the available space ratio, used space, and predicted linear trend of available space over the last 6 hours. These conditions are evaluated over the last 60 minutes. | N/A | 60 |

+| KubePersistentVolumeInodesFillingUp | Less than 3% of the inodes within a persistent volume are available for the last 15 minutes. | <0.03 | 15 |

+| KubePersistentVolumeErrors | One or more persistent volumes are in a failed or pending phase for the last 5 minutes. | >0 | 5 |

+| KubeContainerWaiting | One or more containers within Kubernetes pods are in a waiting state for the last 60 minutes. | >0 | 60 |

+| KubeDaemonSetNotScheduled | One or more pods are not scheduled on any node for the last 15 minutes. | >0 | 15 |

+| KubeDaemonSetMisScheduled | One or more pods are misscheduled within the cluster for the last 15 minutes. | >0 | 15 |

+| KubeQuotaAlmostFull | The utilization of Kubernetes resource quotas is between 90% and 100% of the hard limits for the last 15 minutes. | >0.9 <1 | 15 |

+**Node level alerts**

+| Alert name | Description | Default threshold | Timeframe (minutes) |

+|:|:|::|::|

+| KubeNodeUnreachable | A node has been unreachable for the last 15 minutes. | 1 | 15 |

+| KubeNodeReadinessFlapping | The readiness status of a node has changed more than 2 times for the last 15 minutes. | 2 | 15 |

+**Pod level alerts**

+| Alert name | Description | Default threshold | Timeframe (minutes) |

+|:|:|::|::|

+| Average PV usage is greater than 80% | The average usage of Persistent Volumes (PVs) on pod exceeds 80% for the last 15 minutes. | >0.8 | 15 |

+| KubeDeploymentReplicasMismatch | There is a mismatch between the desired number of replicas and the number of available replicas for the last 10 minutes. | N/A | 10 |

+| KubeStatefulSetReplicasMismatch | The number of ready replicas in the StatefulSet does not match the total number of replicas in the StatefulSet for the last 15 minutes. | N/A | 15 |

+| KubeHpaReplicasMismatch | The Horizontal Pod Autoscaler in the cluster has not matched the desired number of replicas for the last 15 minutes. | N/A | 15 |

+| KubeHpaMaxedOut | The Horizontal Pod Autoscaler (HPA) in the cluster has been running at the maximum replicas for the last 15 minutes. | N/A | 15 |

+| KubePodCrashLooping | One or more pods is in a CrashLoopBackOff condition, where the pod continuously crashes after startup and fails to recover successfully for the last 15 minutes. | >=1 | 15 |

+| KubeJobStale | At least one Job instance did not complete successfully for the last 6 hours. | >0 | 360 |

+| Pod container restarted in last 1 hour | One or more containers within pods in the Kubernetes cluster have been restarted at least once within the last hour. | >0 | 15 |

+| Ready state of pods is less than 80% | The percentage of pods in a ready state falls below 80% for any deployment or daemonset in the Kubernetes cluster for the last 5 minutes. | <0.8 | 5 |

+| Number of pods in failed state are greater than 0. | One or more pods is in a failed state for the last 5 minutes. | >0 | 5 |

+| KubePodNotReadyByController | One or more pods are not in a ready state (i.e., in the "Pending" or "Unknown" phase) for the last 15 minutes. | >0 | 15 |

+| KubeStatefulSetGenerationMismatch | The observed generation of a Kubernetes StatefulSet does not match its metadata generation for the last 15 minutes. | N/A | 15 |

+| KubeJobFailed | One or more Kubernetes jobs have failed within the last 15 minutes. | >0 | 15 |

+| Average CPU usage per container is greater than 95% | The average CPU usage per container exceeds 95% for the last 5 minutes. | >0.95 | 5 |

+| Average Memory usage per container is greater than 95% | The average memory usage per container exceeds 95% for the last 5 minutes. | >0.95 | 10 |

+| KubeletPodStartUpLatencyHigh | The 99th percentile of the pod startup latency exceeds 60 seconds for the last 10 minutes. | >60 | 10 |

+### Platform metric alert rules

+| Alert name | Description | Default threshold | Timeframe (minutes) |

+|:|:|::|::|

+| Node cpu percentage is greater than 95% | The node CPU percentage is greater than 95% for the last 5 minutes. | 95 | 5 |

+| Node memory working set percentage is greater than 100% | The node memory working set percentage is greater than 95% for the last 5 minutes. | 100 | 5 |

+## Legacy Container insights metric alerts (preview)

+Metric rules in Container insights will be retired on May 31, 2024 (this was previously announced as March 14, 2026). These rules haven't been available for creation using the portal since August 15, 2023. These rules were in public preview but will be retired without reaching general availability since the new recommended metric alerts described in this article are now available.

+If you already enabled these legacy alert rules, you should disable them and enable the new experience.

+### Disable metric alert rules

+1. From the **Insights** menu for your cluster, select **Recommended alerts (preview)**.

+2. Change the status for each alert rule to **Disabled**.

+## Next steps

+- Read about the [different alert rule types in Azure Monitor](../alerts/alerts-types.md).

+- Read about [alerting rule groups in Azure Monitor managed service for Prometheus](../essentials/prometheus-rule-groups.md).

+You might want to edit a query that you've already saved. You might want to change the query itself or modify any of its properties. After you open an existing query in Log Analytics and make changes, you can save the edited query with the same properties or modify any properties before saving.

+| Microsoft.CognitiveServices/accounts | [listKeys](/rest/api/aiservices/accountmanagement/accounts/list-keys) |

+Returns an object representing a resource's runtime state. The output and behavior of the `reference` function highly relies on how each resource provider (RP) implements its PUT and GET responses.

+You can use inline parameters and a location parameters file in the same deployment operation. For more information, see [Parameter precedence](./parameter-files.md#parameter-precedence).

+You can use inline parameters and a location parameters file in the same deployment operation. For more information, see [Parameter precedence](./parameter-files.md#parameter-precedence).

+### Azure CLI

+With Azure CLI version 2.53.0 or later, and [Bicep CLI version 0.22.X or higher](./install.md), you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there's no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch.

+You can use inline parameters and a location parameters file in the same deployment operation. For example:

+# [Bicep parameters file](#tab/Bicep)

+```azurecli

+az deployment group create \

+ --name ExampleDeployment \

+ --resource-group ExampleGroup \

+ --parameters storage.bicepparam \

+ --parameters storageAccountType=Standard_LRS

+```

+# [JSON parameters file](#tab/JSON)

+```azurecli

+az deployment group create \

+ --name ExampleDeployment \

+ --resource-group ExampleGroup \

+ --template-file storage.bicep \

+ --parameters storage.parameters.json \

+ --parameters storageAccountType=Standard_LRS

+```

+### Azure PowerShell

+You can use inline parameters and a location parameters file in the same deployment operation. For example:

+# [Bicep parameters file](#tab/Bicep)

+```azurepowershell

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+ -TemplateFile C:\MyTemplates\storage.bicep `

+ -TemplateParameterFile C:\MyTemplates\storage.bicepparam `

+ -storageAccountType Standard_LRS

+```

+# [JSON parameters file](#tab/JSON)

+```azurepowershell

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+ -TemplateFile C:\MyTemplates\storage.bicep `

+ -TemplateParameterFile C:\MyTemplates\storage.parameters.json `

+ -storageAccountType Standard_LRS

+```

+You can use inline parameters and a local parameters file in the same deployment operation. For example, you can specify some values in the local parameters file and add other values inline during deployment. If you provide values for a parameter in both the local parameters file and inline, the inline value takes precedence.

+It's possible to use an external JSON parameters file, by providing the URI to the file. External Bicep parameters file is not currently supported. When you use an external parameters file, you can't pass other values either inline or from a local file. All inline parameters are ignored. Provide all parameter values in the external file.

+- To learn about providing parameter values at deployment, see [Deploy with Azure CLI](./deploy-cli.md), and [Deploy with Azure PowerShell](./deploy-powershell.md).

+| Microsoft.CognitiveServices/accounts | [listKeys](/rest/api/aiservices/accountmanagement/accounts/list-keys) |

+Returns an object representing a resource's runtime state. The output and behavior of the `reference` function highly relies on how each resource provider (RP) implements its PUT and GET responses. To return an array of objects representing a resource collections's runtime states, see [references](#references).

+>This document focuses on the VMware Horizon product, formerly known as Horizon 7. Horizon is a different solution than Horizon Cloud on Azure, although there are some shared components. Key advantages of the Azure VMware Solution include both a more straightforward sizing method and the integration of Software-Defined Data Center (SDDC) private cloud management into the Azure portal.

+With Horizon's introduction on Azure VMware Solution, there are now two Virtual Desktop Infrastructure (VDI) solutions on the Azure platform:

+* VMware Horizon on Azure VMware Solution

+* VMware Horizon Cloud (Desktop-as-a-Service Model)

+Every cloud has its own network connectivity scheme. Combine that with VMware NSX, the Azure VMware Solution network connectivity presents unique requirements for deploying Horizon that is different from on-premises.

+Each Azure VMware Solution private cloud and SDDC can handle 4,000 desktop or application sessions, assuming:

+The connection from Azure Virtual Network to the Azure private clouds / SDDCs should be configured with ExpressRoute Connections (FastPath enabled). The following diagram shows a basic Horizon pod deployment.

+With the Horizon infrastructure virtual machines (VMs) deployed in Azure Virtual Network, you can reach the 12,000 sessions per Horizon pod. The connection between each private cloud and SDDC to the Azure Virtual Network is an ExpressRoute Connection (FastPath enabled). No east-west traffic between private clouds is needed.

+> * Create a Windows VM to access the Azure VMware Solution vCenter Server

+ The URLs and user credentials for private cloud vCenter Server and NSX Manager are displayed.

+1. In the Windows VM, open a browser and navigate to the vCenter Server and NSX Manager URLs in two tabs.

+1. In the second tab of the browser, sign in to NSX Manager with the 'cloudadmin' user credentials from earlier.

+ :::image type="content" source="media/tutorial-access-private-cloud/ss9-nsx-manager-login.png" alt-text="Screenshot of the NSX Manager sign in page."lightbox="media/tutorial-access-private-cloud/ss9-nsx-manager-login.png" border="true":::

+ :::image type="content" source="media/tutorial-access-private-cloud/ss10-nsx-manager-home.png" alt-text="Screenshot of the NSX Manager Overview."lightbox="media/tutorial-access-private-cloud/ss10-nsx-manager-home.png" border="true":::

+> * Login to NSX Manager from your VM

+>- If you're protecting a VM with an enhanced policy, it incurs additional snapshot costs. [Learn more](backup-instant-restore-capability.md#cost-impact).

+>- Once you enable a VM backup with Enhanced policy, Azure Backup doesn't allow to change the policy type to *Standard*.

+ - **Policy sub-type**: Select **Enhanced** type.

+- A block that has been uploaded via [Put Block](/rest/api/storageservices/put-block) or [Put Block from URL](/rest/api/storageservices/put-block-from-url), but not committed via [`Put Block List`](/rest/api/storageservices/put-block-list), isn't part of a blob and so isn't restored as part of a restore operation.

+- Blob backup is also supported when the storage account has private endpoints.

+### Can I create a private endpoint for an existing Recovery Services vault?<br>

+No, private endpoints can be created for new Recovery Services Vaults only. So the vault must not have ever had any items protected to it. In fact, no attempts to protect any items to the vault can be made before creating private endpoints.

+### <a name="az"></a>Does Azure Bastion support availability zones?

+Some regions support the ability to deploy Azure Bastion in an availability zone (or multiple, for zone redundancy).

+To deploy zonally, you can select the availability zones you want to deploy under instance details when you deploy Bastion using manually specified settings. You can't change zonal availability after Bastion is deployed.

+If you aren't able to select a zone, you might have selected an Azure region that doesn't yet support availability zones.

+For more information about availability zones, see [Availability Zones](https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli).

+Azure Bastion is deployed within virtual networks or peered virtual networks, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site virtual network. If there's an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.

+No. Some organizations have company policies that require a password reset when a user logs into a local account for the first time. When using shareable links, the user can't change the password, even though a "Reset Password" button might appear.

+### <a name="keyboard-focus"></a>How do I take back keyboard or mouse focus from an instance?

+description: Learn how to deploy Azure Bastion by using settings that you specify in the Azure portal. Use these steps when you want to specify features and settings.

+In this tutorial, you deploy Bastion by using the Standard SKU. You adjust host scaling (instance count), which the Standard SKU supports. If you use a lower SKU for the deployment, you can't adjust host scaling. You can also select an availability zone, depending on the region to which you want to deploy.

+| **Availability zone** | Select value(s) from the dropdown list, if desired.|

+ * **Availability zone**: Select the zone(s) from the dropdown, if desired. Only certain regions are supported. For more information, see the [What are availability zones?](https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli) article.

+zone_pivot_groups: acs-plat-web-ios-android-windows

+> Container groups with GPU resources don't support availability zones at this time.

+<tr><td><code>$indexOfArray</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$binarySize</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setField</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+> [!NOTE]

+> This limited-time offer expired on March 1, 2024. You can still purchase Azure Reserved VM Instances at regular discounted prices. For more information about reservation discount, see [How the Azure reservation discount is applied to virtual machines](../manage/understand-vm-reservation-charges.md).

+> [!NOTE]

+> This limited-time offer expired on March 1, 2024. You can still purchase Azure Reserved VM Instances at regular discounted prices. For more information about reservation discount, see [How the Azure reservation discount is applied to virtual machines](../manage/understand-vm-reservation-charges.md).

+> [!NOTE]

+> Mapping Data Flows only supports Basic authentication.

+> [!IMPORTANT]

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+>

+>For help with determining the appropriate access tier for your block blob data, refer to the [Determine appropriate access tiers for block blobs](#determine-appropriate-access-tiers-for-block-blobs) section. Follow the steps containined within the [Copy data to Data Box](#copy-data-to-data-box) section to copy your data to the appropriate access tier.

+>

+> The information contained within this section applies to orders placed after April 1, 2024.

+1. You complete the [Tutorial: Set up Azure Data Box](data-box-deploy-set-up.md).

+2. You receive your Data Box and the order status in the portal is **Delivered**.

+3. You have a host computer that has the data that you want to copy over to Data Box. Your host computer must:

+ - Be connected to a high-speed network. We strongly recommend that you have at least one 10-GbE connection. If a 10-GbE connection isn't available, a 1-GbE data link can be used but the copy speeds are impacted.

+* Three shares for each associated storage account for GPv1 and GPv2.

+* One share for premium storage.

+* One share for a blob storage account, containing one folder for each of the four access tiers.

+The following table identifies the names of the Data Box shares to which you can connect, and the type of data uploaded to your target storage account. It also identifies the hierarchy of shares and directories into which you copy your source data.

+| Storage type | Share name | First-level entity | Second-level entity | Third-level entity |

+|--|-|||--|

+| Block blob | \<storageAccountName\>_BlockBlob | <\accessTier\> | <\containerName\> | <\blockBlob\> |

+| Page blob | <\storageAccountName\>_PageBlob | <\containerName\> | <\pageBlob\> | |

+| File storage | <\storageAccountName\>_AzFile | <\fileShareName\> | <\file\> | |

+You can't copy files directly to the *root* folder of any Data Box share. Instead, create folders within the Data Box share depending on your use case.

+Block blobs support the assignment of access tiers at the file level. Before you copy files to the block blob share, the recommended best-practice is to add new subfolders within the appropriate access tier. Then, after creating new subfolders, continue adding files to each subfolder as appropriate.

+A new container is created for any folder residing at the root of the block blob share. Any file within the folder is copied to the storage account's default access tier as a block blob.

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed information about access tier best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+The following table shows the UNC path to the shares on your Data Box and the corresponding Azure Storage path URL to which data is uploaded. The final Azure Storage path URL can be derived from the UNC share path.

+| Azure Storage types | Data Box shares |

+||--|

+| Azure Block blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_BlockBlob>\<accessTier>\<ContainerName>\myBlob.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.txt`</li> |

+| Azure Page blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_PageBlob>\<ContainerName>\myBlob.vhd`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.vhd`</li> |

+| Azure Files | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_AzFile>\<ShareName>\myFile.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.file.core.windows.net/<ShareName>/myFile.txt`</li> |

+If you're using a Linux host computer, perform the following steps to configure Data Box to allow access to NFS clients.

+1. Supply the IP addresses of the allowed clients that can access the share. In the local web UI, go to **Connect and copy** page. Under **NFS settings**, select **NFS client access**.

+2. Supply the IP address of the NFS client and select **Add**. You can configure access for multiple NFS clients by repeating this step. Select **OK**.

+ Use the following example to connect to a Data Box share using NFS. In the example, the Data Box device IP is `10.161.23.130`. The share `Mystoracct_Blob` is mounted on the ubuntuVM, and the mount point is `/home/databoxubuntuhost/databox`.

+ For Mac clients, you need to add an extra option as follows:

+

+ > [!IMPORTANT]

+ > You can't copy files directly to the storage account's *root* folder. Within a block blob storage account's root folder, you'll find a folder corresponding to each of the available access tiers.

+ >

+ > To copy your data to Azure Data Box, you must first select the folder corresponding to one of the access tiers. Next, create a sub-folder within that tier's folder to store your data. Finally, copy your data to the newly created sub-folder. Your new sub-folder represents the container created within the storage account during ingestion. Your data is uploaded to this container as blobs.

+ <!--**Always create a folder for the files that you intend to copy under the share and then copy the files to that folder**. The folder created under block blob and page blob shares represents a container to which data is uploaded as blobs. You cannot copy files directly to *root* folder in the storage account.-->

+## Determine appropriate access tiers for block blobs

+> [!IMPORTANT]

+> The information contained within this section applies to orders placed after April 1^st, 2024.

+Azure Storage allows you to store block blob data in multiple access tiers within the same storage account. This ability allows data to be organized and stored more efficiently based on how often it's accessed. The following table contains information and recommendations about Azure Storage access tiers.

+| Tier | Recommendation | Best practice |

+||-||

+| Hot | Useful for online data accessed or modified frequently. This tier has the highest storage costs, but the lowest access costs. | Data in this tier should be in regular and active use. |

+| Cool | Useful for online data accessed or modified infrequently. This tier has lower storage costs and higher access costs than the hot tier. | Data in this tier should be stored for at least 30 days. |

+| Cold | Useful for online data accessed or modified rarely but still requiring fast retrieval. This tier has lower storage costs and higher access costs than the cool tier.| Data in this tier should be stored for a minimum of 90 days. |

+| Archive | Useful for offline data rarely accessed and having lower latency requirements. | Data in this tier should be stored for a minimum of 180 days. Data removed from the archive tier within 180 days is subject to an early deletion charge. |

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+You can transfer your block blob data to the appropriate access tier by copying it to the corresponding folder within Data Box. This process is discussed in greater detail within the [Copy data to Azure Data Box](#copy-data-to-data-box) section.

+After you connect to one or more Data Box shares, the next step is to copy data. Before you begin the data copy, consider the following limitations:

+* Make sure that you copy your data to the share that corresponds to the required data format. For instance, copy block blob data to the share for block blobs. Copy VHDs to the page blob share. If the data format doesn't match the appropriate share type, the data upload to Azure fails during a later step.

+* When copying data to the *AzFile* or *PageBlob* shares, first create a folder at the share's root, then copy files to that folder.

+* When copying data to the *BlockBlob* share, create a subfolder within the desired access tier, then copy data to the newly created subfolder. The subfolder represents a container into which data is uploaded as blobs. You can't copy files directly to a share's *root* folder.

+* Simultaneous uploads by Data Box and another non-Data Box application could potentially result in upload job failures and data corruption.

+* When copying data to the block blob share, create a subfolder within the desired access tier, then copy data to the newly created subfolder. The subfolder represents a container to which your data is uploaded as blobs. You can't copy files directly to the *root* folder in the storage account.

+ For example, if copying `SampleFile.txt` and `Samplefile.Txt`, the case is preserved in the name when copied to Data Box. However, because they're considered the same file, the last file uploaded overwrites the first file.

+> Make sure that you maintain a copy of the source data until you can confirm that your data has been copied into Azure Storage.

+ where *j* specifies the number of parallelization, *X* = number of parallel copies

+Notifications are displayed during the copy prowess to identify errors.

+> * Data Box data copy prerequisites

+> * Connecting to Data Box

+> * Determining appropriate access tiers for block blobs

+> * Copying data to Data Box

+> [!IMPORTANT]

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+>

+>For help with determining the appropriate access tier for your block blob data, refer to the [Determine appropriate access tiers for block blobs](#determine-appropriate-access-tiers-for-block-blobs) section. Follow the steps containined within the [Copy data to Data Box](#copy-data-to-data-box) section to copy your data to the appropriate access tier.

+>

+> The information contained within this section applies to orders placed after April 1, 2024.

+1. You complete the [Tutorial: Set up Azure Data Box](data-box-deploy-set-up.md).

+2. You receive your Data Box and the order status in the portal is **Delivered**.

+3. You review the [system requirements for Data Box Blob storage](data-box-system-requirements-rest.md) and are familiar with supported versions of APIs, SDKs, and tools.

+4. You have access to a host computer that has the data that you want to copy over to Data Box. Your host computer must:

+ * Be connected to a high-speed network. We strongly recommend that you have at least one 10-GbE connection. If a 10-GbE connection isn't available, a 1-GbE data link can be used but the copy speeds are impacted.

+5. [Download AzCopy V10](../storage/common/storage-use-azcopy-v10.md) on your host computer. AzCopy is used to copy data to Azure Data Box Blob storage from your host computer.

+* Configure partner software and verify the connection

+* Import the certificate on the client or remote host.

+* Add the device IP and blob service endpoint to the client or remote host.

+* Configure partner software and verify the connection.

+3. Under **Device credentials**, go to **API access** to device. Select **Download**. This action downloads a **\<your order name>.cer** certificate file. **Save** this file and install it on the client or host computer you use to connect to the device.

+Accessing Data Box Blob storage over HTTPS requires a TLS/SSL certificate for the device. The way in which this certificate is made available to the client application varies from application to application and across operating systems and distributions. Some applications can access the certificate after it's imported into the system's certificate store, while other applications don't make use of that mechanism.

+Specific information for some applications is mentioned in this section. For more information on other applications, see the documentation for the application and the operating system used.

+2. For **Store location**, select **Local Machine**, and then select **Next**.

+3. Select **Place all certificates in the following store**, and then select **Browse**. Navigate to the root store of your remote host, and then select **Next**.

+4. Select **Finish**. A message that tells you that the import was successful appears.

+## Determine appropriate access tiers for block blobs

+> [!IMPORTANT]

+> The information contained within this section applies to orders placed after April 1^st, 2024.

+Azure Storage allows you to store block blob data in multiple access tiers within the same storage account. This ability allows data to be organized and stored more efficiently based on how often it's accessed. The following table contains information and recommendations about Azure Storage access tiers.

+| Tier | Recommendation | Best practice |

+||-||

+| Hot | Useful for online data accessed or modified frequently. This tier has the highest storage costs, but the lowest access costs. | Data in this tier should be in regular and active use. |

+| Cool | Useful for online data accessed or modified infrequently. This tier has lower storage costs and higher access costs than the hot tier. | Data in this tier should be stored for at least 30 days. |

+| Cold | Useful for online data accessed or modified rarely but still requiring fast retrieval. This tier has lower storage costs and higher access costs than the cool tier.| Data in this tier should be stored for a minimum of 90 days. |

+| Archive | Useful for offline data rarely accessed and having lower latency requirements. | Data in this tier should be stored for a minimum of 180 days. Data removed from the archive tier within 180 days is subject to an early deletion charge. |

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+You can transfer your block blob data to the appropriate access tier by copying it to the corresponding folder within Data Box. This process is discussed in greater detail within the [Copy data to Azure Data Box](#copy-data-to-data-box) section.

+After connecting to one or more Data Box shares, the next step is to copy data. Before you begin the data copy, consider the following limitations:

+* Simultaneous uploads by Data Box and another non-Data Box application could potentially result in upload job failures and data corruption.

+> Make sure that you maintain a copy of the source data until you can confirm that your data has been copied into Azure Storage.

+In this tutorial, AzCopy is used to copy data to Data Box Blob storage. If you prefer a GUI-based tool, you can also use Azure Storage Explorer or other partner software to copy the data.

+5. Press **Enter** when done to create the blob container, or **Esc** to cancel. After the blob container is successfully created, it's displayed under the **Blob Containers** folder for the selected storage account.

+### Upload the contents of a folder to Data Box Blob storage

+Use AzCopy to upload all files within a folder to Blob storage on Windows or Linux. To upload all blobs in a folder, enter the following AzCopy command:

+ --destination https://data-box-storage-account-name.blob.device-serial-no.microsoftdatabox.com/container-name/ \

+AzCopy /Source:C:\myfolder /Dest:https://data-box-storage-account-name.blob.device-serial-no.microsoftdatabox.com/container-name/ /DestKey:<key> /S

+Replace `<key>` with your account key. You can retrieve your account key within the Azure portal by navigating to your storage account. Select **Settings > Access keys**, choose a key, then copy and paste the value into the AzCopy command.

+If the specified destination container doesn't exist, AzCopy creates it and uploads the file into it. Update the source path to your data directory, and replace `data-box-storage-account-name` in the destination URL with the name of the storage account associated with your Data Box.

+To upload the contents of the specified directory to Blob storage recursively, specify the `--recursive` option for Linux or the `/S` option for Windows. When you run AzCopy with one of these options, all subfolders and their files are uploaded as well.

+You can also use AzCopy to upload files based on their last-modified time. To upload only updated or new files, add the `--exclude-older` parameter for Linux or the `/XO` parameter for Windows parameter to the AzCopy command.

+If you only want to copy the resources within your local source that don't exist within the destination, specify both the `--exclude-older` and `--exclude-newer` parameters for Linux, or the `/XO` and `/XN` parameters for Windows in the AzCopy command. AzCopy uploads updated data only, as determined by its time stamp.

+--destination https://data-box-storage-account-name.blob.device-serial-no.microsoftdatabox.com/container-name/ \

+AzCopy /Source:C:\myfolder /Dest:https://data-box-storage-account-name.blob.device-serial-no.microsoftdatabox.com/container-name/ /DestKey:<key> /S /XO

+The next step is to prepare your device to ship.

+> * Prerequisites for copy data to Azure Data Box Blob storage using REST APIs

+> * Connecting to Data Box Blob storage via *http* or *https*

+> * Determining appropriate access tiers for block blobs

+> [!IMPORTANT]

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+>

+>For help with determining the appropriate access tier for your block blob data, refer to the [Determine appropriate access tiers for block blobs](#determine-appropriate-access-tiers-for-block-blobs) section. Follow the steps containined within the [Copy data to Azure Data Box](#copy-data-to-azure-data-box) section to copy your data to the appropriate access tier.

+>

+> The information contained within this section applies to orders placed after April 1, 2024.

+> * Determine appropriate access tiers for block blobs

+3. You have a host computer that has the data that you want to copy over to Data Box. Your host computer must:

+ * Be connected to a high-speed network. We strongly recommend that you have at least one 10-GbE connection. If a 10-GbE connection isn't available, use a 1-GbE data link but the copy speeds are impacted.

+* One share for a blob storage account, containing one folder for each of the four access tiers.

+The following table identifies the names of the Data Box shares to which you can connect, and the type of data uploaded to your target storage account. It also identifies the hierarchy of shares and directories into which you copy your source data.

+| Storage type | Share name | First-level entity | Second-level entity | Third-level entity |

+|--|-|||--|

+| Block blob | \<storageAccountName\>_BlockBlob | <\accessTier\> | <\containerName\> | <\blockBlob\> |

+| Page blob | <\storageAccountName\>_PageBlob | <\containerName\> | <\pageBlob\> | |

+| File storage | <\storageAccountName\>_AzFile | <\fileShareName\> | <\file\> | |

+You can't copy files directly to the *root* folder of any Data Box share. Instead, create folders within the Data Box share depending on your use case.

+Block blobs support the assignment of access tiers at the file level. When copying files to the block blob share, the recommended best-practice is to add new subfolders within the appropriate access tier. After creating new subfolders, continue adding files to each subfolder as appropriate.

+A new container is created for any folder residing at the root of the block blob share. Any file within that folder is copied to the storage account's default access tier as a block blob.

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed information about access tier best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+The following table shows the UNC path to the shares on your Data Box and the corresponding Azure Storage path URL to which data is uploaded. The final Azure Storage path URL can be derived from the UNC share path.

+| Azure Storage types | Data Box shares |

+||--|

+| Azure Block blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_BlockBlob>\<accessTier>\<ContainerName>\myBlob.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.txt`</li> |

+| Azure Page blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_PageBlob>\<ContainerName>\myBlob.vhd`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.vhd`</li> |

+| Azure Files | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_AzFile>\<ShareName>\myFile.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.file.core.windows.net/<ShareName>/myFile.txt`</li> |

+3. The following example uses a sample storage account named *utsac1*. To access the shares associated with your storage account from your host computer, open a command window. At the command prompt, type:

+ `net use \\<DeviceIPAddress>\<share name> /u:<IP address of the device>\<user name for the share>`

+ - Azure Block blob - `\\<DeviceIPAddress>\utsac1_BlockBlob`

+ - Azure Page blob - `\\<DeviceIPAddress>\utsac1_PageBlob`

+ - Azure Files - `\\<DeviceIPAddress>\utsac1_AzFile`

+ C:\Users\Databoxuser>net use \\<DeviceIPAddress>\utSAC1_202006051000_BlockBlob /u:<DeviceIPAddress>\testuser1

+ Enter the password for 'testuser1' to connect to '<DeviceIPAddress>': "ab1c2def$3g45%6h7i&j8kl9012345"

+5. Press Windows + R. In the **Run** window, specify the `\\<DeviceIPAddress>`. Select **OK** to open File Explorer.

+ > [!IMPORTANT]

+ > You can't copy files directly to the storage account's *root* folder. Within a block blob storage account's root folder, you'll find a folder corresponding to each of the available access tiers.

+ >

+ > To copy your data to Azure Data Box, you must first select the folder corresponding to one of the access tiers. Next, create a sub-folder within that tier's folder to store your data. Finally, copy your data to the newly created sub-folder. Your new sub-folder represents the container created within the storage account during ingestion. Your data is uploaded to this container as blobs.

+If using a Linux client, use the following command to mount the SMB share. The `vers` parameter value identifies the version of SMB that your Linux host supports. Insert the appropriate version into the sample command provided. To see a list of SMB versions supported by Data Box, see [Supported file systems for Linux clients](./data-box-system-requirements.md#supported-file-transfer-protocols-for-clients).

+## Determine appropriate access tiers for block blobs

+> [!IMPORTANT]

+> The information contained within this section applies to orders placed after April 1^st, 2024.

+Azure Storage allows you to store block blob data in multiple access tiers within the same storage account. This ability allows data to be organized and stored more efficiently based on how often it's accessed. The following table contains information and recommendations about Azure Storage access tiers.

+| Tier | Recommendation | Best practice |

+||-||

+| Hot | Useful for online data accessed or modified frequently. This tier has the highest storage costs, but the lowest access costs. | Data in this tier should be in regular and active use. |

+| Cool | Useful for online data accessed or modified infrequently. This tier has lower storage costs and higher access costs than the hot tier. | Data in this tier should be stored for at least 30 days. |

+| Cold | Useful for online data accessed or modified rarely but still requiring fast retrieval. This tier has lower storage costs and higher access costs than the cool tier.| Data in this tier should be stored for a minimum of 90 days. |

+| Archive | Useful for offline data rarely accessed and having lower latency requirements. | Data in this tier should be stored for a minimum of 180 days. Data removed from the archive tier within 180 days is subject to an early deletion charge. |

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+You can transfer your block blob data to the appropriate access tier by copying it to the corresponding folder within Data Box. This process is discussed in greater detail within the [Copy data to Azure Data Box](#copy-data-to-azure-data-box) section.

+After connecting to one or more Data Box shares, the next step is to copy data. Before you begin the data copy, consider the following limitations:

+* Make sure that you copy your data to the share that corresponds to the required data format. For instance, copy block blob data to the share for block blobs. Copy VHDs to the page blob share. If the data format doesn't match the appropriate share type, the data upload to Azure fails during a later step.

+* When copying data to the *AzFile* or *PageBlob* shares, first create a folder at the share's root, then copy files to that folder.

+* When copying data to the *BlockBlob* share, create a subfolder within the desired access tier, then copy data to the newly created subfolder. The subfolder represents a container into which data is uploaded as blobs. You can't copy files directly to a share's *root* folder.

+* Simultaneous uploads by Data Box and another non-Data Box application could potentially result in upload job failures and data corruption.

+> Make sure that you maintain a copy of the source data until you can confirm that your data has been copied into Azure Storage.

+|Attribute |Description |

+|-||

+|/e |Copies subdirectories including empty directories. |

+|/r: |Specifies the number of retries on failed copies. |

+|/w: |Specifies the wait time between retries, in seconds. |

+|/is |Includes the same files. |

+|/nfl |Specifies that file names aren't logged. |

+|/ndl |Specifies that directory names aren't logged. |

+|/np |Specifies that the progress of the copying operation (the number of files or directories copied so far) won't be displayed. Displaying the progress significantly lowers the performance. |

+|/MT | Use multithreading, recommended 32 or 64 threads. This option not used with encrypted files. You might need to separate encrypted and unencrypted files. However, single threaded copy significantly lowers the performance. |

+|/fft | Use to reduce the time stamp granularity for any file system. |

+|/B | Copies files in Backup mode. |

+|/z | Copies files in Restart mode; use this switch if the environment is unstable. This option reduces throughput due to additional logging. |

+| /zb | Uses Restart mode. If access is denied, this option uses Backup mode. This option reduces throughput due to checkpointing. |

+|/efsraw | Copies all encrypted files in EFS raw mode. Use only with encrypted files. |

+| Platform | Mostly small files < 512 KB | Mostly medium files 512 KB - 1 MB | Mostly large files > 1 MB |

+|-|--|--||

+| Data Box | 2 Robocopy sessions <br> 16 threads per session | 3 Robocopy sessions <br> 16 threads per session | 2 Robocopy sessions <br> 24 threads per session |

+Notifications are displayed during the copy process to identify errors.

+ `\\<Device IP address>\ShareName`

+2. To retrieve the share access credentials, go to the **Connect & copy** page within the local web UI of the Data Box.

+1. When using an NFS host, use the following command to mount the NFS shares on your Data Box:

+1. When ordering the Data Box device, select *managed disks* as your storage destination.

+2. Connect to Data Box via SMB or NFS shares.

+3. Copy data via SMB or NFS tools.

+Complete the following configuration prerequisites for the Data Box service and device before you deploy the device:

+# [Portal](#tab/portal)

+Open up a Windows PowerShell command window and sign in to Azure with the [az sign in](/cli/azure/reference-index#az-login) command:

+The output confirms a successful sign-in:

+Before you can use the Azure Data Box CLI commands, you need to install the extension. Azure CLI extensions give you access to experimental and prerelease commands before shipping as part of the core CLI. For more information about extensions, see [Use extensions with Azure CLI](/cli/azure/azure-cli-extensions-overview).

+If the extension is installed successfully, the following output is displayed:

+You can use [Azure Cloud Shell](https://shell.azure.com/), an Azure hosted interactive shell environment, through your browser to run CLI commands. Azure Cloud Shell supports Bash or Windows PowerShell with Azure services. The Azure CLI is preinstalled and configured to use with your account. Select the Cloud Shell button on the menu in the upper-right section of the Azure portal:

+You need to have Windows PowerShell version 6.2.4 or higher installed. To find out what version of PowerShell is installed, run: `$PSVersionTable`.

+The following sample output confirms that version 6.2.3 is installed:

+You need to install the Azure PowerShell modules to use Azure PowerShell to order an Azure Data Box. To install the Azure PowerShell modules:

+1. Install the [Az PowerShell module](/powershell/azure/new-azureps-module-az).

+The following sample output confirms a successful sign-in:

+To order a device, perform the following steps:

+1. Write down your settings for your Data Box order. These settings include your personal/business information, subscription name, device information, and shipping information. These settings are used as parameters when running the CLI command to create the Data Box order. The following table shows the parameter settings used for `az databox job create`:

+ |phone| The phone number of the person or business receiving the order.| "14255551234" |

+ |location| The nearest Azure region used to ship the device.| "US West"|

+ |street-address1| The street address to which the order is shipped. | "15700 NE 39th St" |

+ |city| The city to which the device is shipped. | "Redmond" |

+ |state-or-province| The state to which the device is shipped.| "WA" |

+ |country| The country to which the device is shipped. | "United States" |

+ The following sample command illustrates the command's usage:

+ The following sample output confirms successful job creation:

+ "id": "/subscriptions/[GUID]/resourceGroups/myresourcegroup/providers/Microsoft.DataBox/jobs/mydataboxtest3",

+3. Unless the default output is modified, all Azure CLI commands return a json response. You can change the output format by using the global parameter `--output <output-format>`. Changing the format to "table" improves output readability.

+ The following example contains the same command, but with the modified `--output` parameter value to alter the formatted response:

+ The following sample response illustrates the modified output format:

+1. Before creating the import order, fetch your storage account and save the object in a variable.

+2. Write down your settings for your Data Box order. These settings include your personal/business information, subscription name, device information, and shipping information. These settings are used as parameters when running the PowerShell cmdlet to create the Data Box order. The following table shows the parameter settings used for [New-AzDataBoxJob](/powershell/module/az.databox/New-AzDataBoxJob).

+ |PhoneNumber [Required]| The phone number of the person or business receiving the order.| "14255551234"

+ |Location [Required]| The nearest Azure region to you that ships your device.| "WestUS"|

+ |StreetAddress1 [Required]| The street address to where the order is shipped. | "15700 NE 39th St" |

+ |City [Required]| The city to which the device is shipped. | "Redmond" |

+ |StateOrProvinceCode [Required]| The state to which the device is shipped.| "WA" |

+ |CountryCode [Required]| The country to which the device is shipped. | "United States" |

+3. Use the [New-AzDataBoxJob](/powershell/module/az.databox/New-AzDataBoxJob) cmdlet to create your Azure Data Box order as shown in the following example.

+ The following sample output confirms job creation:

+If the device isn't available, you receive a notification. If the device is available, Microsoft identifies the device and prepares it for shipment. The following actions occur during device preparation:

+* The device password is generated. This password is used to unlock the device.

+* The device is locked to prevent unauthorized access at any point.

+When the device preparation is complete, the portal shows the order in a **Processed** state.

+Microsoft then prepares and dispatches your device via a regional carrier. You receive a tracking number after the device is shipped. The portal shows the order in **Dispatched** state.

+ The following example contains the same command, but with the `output` parameter value set to "table":

+ The following sample response shows the modified output format:

+> List order can be supported at subscription level, making the `resource group` parameter optional rather than required.

+When ordering multiple devices, you can run [`az databox job list`](/cli/azure/databox/job#az-databox-job-list) to view all your Azure Data Box orders. The command lists all orders that belong to a specific resource group. Also displayed in the output: order name, shipping status, Azure region, delivery type, order status. Canceled orders are also included in the list.

+ The following example shows the command with the output format specified as "table":

+ The following sample response displays the output with modified formatting:

+ The following example can be used to retrieve details about a specific order:

+ Get-AzDataBoxJob -ResourceGroupName "myResourceGroup" -Name "myDataBoxOrderPSTest"

+ The following example output indicates that the command was completed successfully:

+To view all your Azure Data Box orders, run the [`Get-AzDataBoxJob`](/powershell/module/az.databox/Get-AzDataBoxJob) cmdlet. The cmdlet lists all orders that belong to a specific resource group. The resulting output also contains additional data such as order name, shipping status, Azure region, delivery type, order status, and the time stamp associated with each order. Canceled orders are also included in the list.

+The following example can be used to retrieve details about all orders associated to a specific Azure resource group:

+Get-AzDataBoxJob -ResourceGroupName <String>

+The following example output indicates that the command was completed successfully:

+# [Portal](#tab/portal)

+To cancel and delete an order using the Azure portal, select **Overview** from within the command bar. To cancel the order, select the **Cancel** option. To delete a canceled order, select the **Delete** option.

+Use the [`az databox job cancel`](/cli/azure/databox/job#az-databox-job-cancel) command to cancel a Data Box order. You're required to specify your reason for canceling the order.

+ The following table provides parameter information for the `az databox job cancel` command:

+ |yes| Don't prompt for confirmation. | --yes (-y)|

+ The following sample command can be used to cancel a specific Data Box order:

+ az databox job cancel --resource-group "myresourcegroup" --name "mydataboxtest3" --reason "Our migration plan was modified and we are ordering a device using a different cost center."

+ The following example output indicates that the command was completed successfully:

+After you cancel an Azure Data Box order, use the [`az databox job delete`](/cli/azure/databox/job#az-databox-job-delete) command to delete the order.

+ |yes| Don't prompt for confirmation. | --yes (-y)|

+The following example can be used to delete a specific Data Box order after being canceled:

+ az databox job delete --resource-group "myresourcegroup" --name "mydataboxtest3" --yes --verbose

+ The following example output indicates that the command was completed successfully:

+You can cancel an Azure Data Box order using the [Stop-AzDataBoxJob](/powershell/module/az.databox/stop-azdataboxjob) cmdlet. You're required to specify your reason for canceling the order.

+The following example can be used to delete a specific Data Box order after being canceled:

+Stop-AzDataBoxJob -ResourceGroupName myResourceGroup \

+ -Name "myDataBoxOrderPSTest" \

+ -Reason "I entered erroneous information and need to cancel and re-order."

+ The following example output indicates that the command was completed successfully:

+After canceling an Azure Data Box order, you can delete it using the [`Remove-AzDataBoxJob`](/powershell/module/az.databox/remove-azdataboxjob) cmdlet.

+The following table shows parameter information for `Remove-AzDataBoxJob`:

+The following example can be used to delete a specific Data Box order after canceling:

+Remove-AzDataBoxJob -ResourceGroup "myresourcegroup" \

+ -Name "mydataboxtest3"

+The following example output indicates that the command was completed successfully:

+In this tutorial, you learned about Azure Data Box topics such as:

+> * Ordering Data Box

+> * Tracking the Data Box order

+> * Canceling the Data Box order

+-->

+> [!IMPORTANT]

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+>

+>For help with determining the appropriate access tier for your block blob data, refer to the [Determine appropriate access tiers for block blobs](#determine-appropriate-access-tiers-for-block-blobs) section. Follow the steps containined within the [Copy data to disks](#copy-data-to-disks) section to copy your data to the appropriate access tier.

+>

+> The information contained within this section applies to orders placed after April 1, 2024.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> * Determine appropriate access tiers for block blobs

+- The intended storage type for your data matches the [Supported storage types](data-box-disk-system-requirements.md#supported-storage-types-for-upload).

+## Determine appropriate access tiers for block blobs

+> [!IMPORTANT]

+> The information contained within this section applies to orders placed after April 1^st, 2024.

+Azure Storage allows you to store block blob data in multiple access tiers within the same storage account. This ability allows data to be organized and stored more efficiently based on how often it's accessed. The following table contains information and recommendations about Azure Storage access tiers.

+| Tier | Recommendation | Best practice |

+|-|-||

+| **Hot** | Useful for online data accessed or modified frequently. This tier has the highest storage costs, but the lowest access costs. | Data in this tier should be in regular and active use. |

+| **Cool** | Useful for online data accessed or modified infrequently. This tier has lower storage costs and higher access costs than the hot tier. | Data in this tier should be stored for at least 30 days. |

+| **Cold** | Useful for online data accessed or modified rarely but still requiring fast retrieval. This tier has lower storage costs and higher access costs than the cool tier.| Data in this tier should be stored for a minimum of 90 days. |

+| **Archive** | Useful for offline data rarely accessed and having lower latency requirements. | Data in this tier should be stored for a minimum of 180 days. Data removed from the archive tier within 180 days is subject to an early deletion charge. |

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+You can transfer your block blob data to the appropriate access tier by copying it to the corresponding folder within Data Box Disk. This process is discussed in greater detail within the [Copy data to disks](#copy-data-to-disks) section.

+- It is your responsibility to copy local data to the share which corresponds to the appropriate data format. For instance, copy block blob data to the *BlockBlob* share. Copy VHDs to the *PageBlob* share. If the local data format doesn't match the appropriate folder for the chosen storage type, the data upload to Azure fails in a later step.

+- You can't copy data directly to a share's *root* folder. Instead, create a folder within the appropriate share and copy your data into it.

+ - Folders located at the *PageBlob* share's *root* correspond to containers within your storage account. A new container will be created for any folder whose name does not match an existing container within your storage account.

+ - Folders located at the *AzFile* share's *root* correspond to Azure file shares. A new file share will be created for any folder whose name does not match an existing file share within your storage account.

+ - The *BlockBlob* share's *root* level contains one folder corresponding to each access tier. When copying data to the *BlockBlob* share, create a subfolder within the top-level folder corresponding to the desired access tier. As with the *PageBlob* share, a new containers will be created for any folder whose name doesn't match an existing container. Data within the container will be copied to the tier corresponding to the subfolder's top-level parent.

+

+ A container will also be created for any folder residing at the *BlockBlob* share's *root*, though the data it will be copied to the container's default access tier. To ensure that your data is copied to the desired access tier, don't create folders at the *root* level.

+ > [!IMPORTANT]

+ > Data uploaded to the archive tier remains offline and needs to be rehydrated before reading or modifying. Data copied to the archive tier must remain for at least 180 days or be subject to an early deletion charge. Archive tier is not supported for ZRS, GZRS, or RA-GZRS accounts.

+

+ > If you specified managed disks as one of the storage destinations during order creation, the following section is applicable.

+ |Storage account |GPv1 or GPv2 | NA | BlockBlob<ul><li>Archive</li><li>Cold</li><li>Cool</li><li>Hot</li></ul>PageBlob<br>AzureFile |

+ |Storage account |Blob storage account| NA | BlockBlob<ul><li>Archive</li><li>Cold</li><li>Cool</li><li>Hot</li></ul> |

+ |Storage account<br>Managed disks |GPv1 or GPv2 | GPv1 or GPv2 | BlockBlob<ul><li>Archive</li><li>Cold</li><li>Cool</li><li>Hot</li></ul>PageBlob<br/>AzureFile<br/>ManagedDisk<ul><li>PremiumSSD</li><li>StandardSSD</li><li>StandardHDD</li></ul>|

+ |Storage account <br> Managed disks |Blob storage account | GPv1 or GPv2 |BlockBlob<ul><li>Archive</li><li>Cold</li><li>Cool</li><li>Hot</li></ul>ManagedDisk<ul> <li>PremiumSSD</li><li>StandardSSD</li><li>StandardHDD</li></ul> |

+1. Copy VHD or VHDX data to the *PageBlob* folder. All files copied to the *PageBlob* folder are copied into a default `$root` container within the Azure Storage account. A container is created in the Azure storage account for each subfolder within the *PageBlob* folder.

+ Copy data to be placed in Azure file shares to a subfolder within the *AzureFile* folder. All files copied to the *AzureFile* folder are copied as files to a default container of type `databox-format-[GUID]`, for example, `databox-azurefile-7ee19cfb3304122d940461783e97bf7b4290a1d7`.

+ You can't copy files directly to the *BlockBlob*'s *root* folder. Within the root folder, you'll find a sub-folder corresponding to each of the available access tiers. To copy your blob data, you must first select the folder corresponding to one of the access tiers. Next, create a sub-folder within that tier's folder to store your data. Finally, copy your data to the newly created sub-folder. Your new sub-folder represents the container created within the storage account during ingestion. Your data is uploaded to this container as blobs. As with the *AzureFile* share, a new blob storage container will be created for each sub-folder located at the *BlockBlob*'s *root* folder. The data within these folders will be saved according to the storage account's default access tier.

+ Before you begin to copy data, you need to move any files and folders that exist in the root directory to a different folder.

+| Azure Files | 4 TiB |

+This quickstart describes the process of deploying Azure Data Box Disk using the Azure portal. Follow the steps in this article to create an order; receive, unpack, and connect disks; and copy data to the device for upload to Azure.

+For detailed step-by-step deployment and tracking instructions, refer to the [Order Azure Data Box Disk](data-box-disk-deploy-ordered.md) tutorial.

+If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F&preserve-view=true).

+This guide describes the process of deploying Azure Data Box Disk using the Azure portal, and helps answer the following questions.

+- Ensure that your subscription is enabled for Azure Data Box service. If necessary, [sign up for the service](https://aka.ms/azuredataboxfromdiskdocs) to enable it on our subscription.

+This step takes approximately 5 minutes.

+1. Create a new **Azure Data Box** resource in the Azure portal.

+Data Box Disks are mailed in a UPS Express Box. Open the box and check that the box has:

+1. The drive contains *PageBlob*, *BlockBlob*, *AzureFile*, *ManagedDisk*, and *DataBoxDiskImport* folders. Within the *BlockBlob* root folder, you'll find a sub-folder corresponding to each of the available access tiers.

+ Drag and drop data such as VHD/VHDX to *PageBlob* folder, and appropriate data to *AzureFile*. Copy any VHDs that you want to upload as managed disks to a folder under *ManagedDisk*.

+ To copy your blob data, you must first select the sub-folder within the *BlockBlob* share which corresponds to one of the access tiers. Next, create a sub-folder within that tier's folder to store your data. Finally, copy your data to the newly created sub-folder. Your new sub-folder represents a container created within the storage account during ingestion. Your data is uploaded to this container as blobs.

+ To copy files to the *AzureFile* share, first create a folder to contain your files, then copy your data to the newly created folder. A file share is created for a sub-folder under *AzureFile*. Any files copied directly to the *AzureFile* folder fail and are uploaded as block blobs with the storage account's default access tier.

+ All files under *PageBlob* folders are copied into a default container `$root` under the Azure Storage account. Just as with the *AzureFile* share, a container is created in the Azure storage account for each sub-folder within the *PageBlob* folder.

+ > - Ensure that files do not exceed ~4.75 TiB for block blobs, ~8 TiB for page blobs, and ~4 TiB for Azure Files.

+> [!IMPORTANT]

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+>

+> The information contained within this section applies to orders placed after April 1, 2024.

+In each case, make sure that the share names, folder names, and data size follow guidelines described in the [Azure Storage and Data Box Heavy service limits](data-box-heavy-limits.md).

+1. You complete the [Tutorial: Set up Azure Data Box Heavy](data-box-deploy-set-up.md).

+2. You receive your Data Box Heavy and that the order status in the portal is **Delivered**.

+3. You have a host computer that has the data that you want to copy over to Data Box Heavy. Your host computer must:

+- One share for a blob storage account, containing one folder for each of the four access tiers.

+The following table identifies the names of the Data Box shares to which you can connect, and the type of data uploaded to your target storage account. It also identifies the hierarchy of shares and directories into which you copy your source data.

+| Storage type | Share name | First-level entity | Second-level entity | Third-level entity |

+|--|-|||--|

+| Block blob | \<storageAccountName\>_BlockBlob | <\accessTier\> | <\containerName\> | <\blockBlob\> |

+| Page blob | <\storageAccountName\>_PageBlob | <\containerName\> | <\pageBlob\> | |

+| File storage | <\storageAccountName\>_AzFile | <\fileShareName\> | <\file\> | |

+You can't copy files directly to the *root* folder of any Data Box share. Instead, create folders within the Data Box share depending on your use case.

+Block blobs support the assignment of access tiers at the file level. When copying files to the block blob share, the recommended best-practice is to add new subfolders within the appropriate access tier. After creating new subfolders, continue adding files to each subfolder as appropriate.

+A new container is created for any folder residing at the root of the block blob share. Any file within that folder is copied to the storage account's default access tier as a block blob.

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed information about access tier best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+The following table shows the UNC path to the shares on your Data Box and the corresponding Azure Storage path URL to which data is uploaded. The final Azure Storage path URL can be derived from the UNC share path.

+| Azure Storage types | Data Box shares |

+||--|

+| Azure Block blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_BlockBlob>\<accessTier>\<ContainerName>\myBlob.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.txt`</li> |

+| Azure Page blobs | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_PageBlob>\<ContainerName>\myBlob.vhd`</li><li>Azure Storage URL: `https://<storageaccountname>.blob.core.windows.net/<ContainerName>/myBlob.vhd`</li> |

+| Azure Files | <li>UNC path to shares: `\\<DeviceIPAddress>\<storageaccountname_AzFile>\<ShareName>\myFile.txt`</li><li>Azure Storage URL: `https://<storageaccountname>.file.core.windows.net/<ShareName>/myFile.txt`</li> |

+For more information about blob access tiers, see [Access tiers for blob data](../storage/blobs/access-tiers-overview.md). For more detailed information about access tier best practices, see [Best practices for using blob access tiers](../storage/blobs/access-tiers-best-practices.md).

+4. Enter the password for the share when prompted. The following sample can be used to connect to *BlockBlob* share on the Data Box having in IP address of *10.100.10.100*.

+ net use \\10.100.10.100\databoxe2etest_BlockBlob /u:databoxe2etest

+5. Press Windows + R. In the **Run** window, specify the `\\<device IP address>`. Click **OK** to open File Explorer.

+ You should now see the shares as folders. Note that in this example the *BlockBlob* share is being used. Accordingly, the four folders representing the four available access tiers are present. These folders are not available in other shares.

+ **Always create a folder for the files that you intend to copy under the share and then copy the files to that folder**. You cannot copy files directly to the *root* folder in the storage account. Any folders created under the *PageBlob* share represents containers into which data is uploaded as blobs. Similarly, any sub-folders created within the folders representing access tiers in the *BlockBlob* share also represents a blob storage container. Folders created within the *AzFile* share represent file shares.

+ Folders created at the *root* of the *BlockBlob* share will be created as blob containers. The access tier of these container will be inherited from the storage account.

+- In the **Rules** tab, select the three dots (...) at the end of the rule's row, and select **Delete**.

+- **Improved coverage** - If a machine doesn't have an antivirus solution enabled, the agentless detector scans that machine to detect malicious activity.

+- **Detect potential threats** - The agentless scanner scans all files and folders including any files or folders that are excluded from the agent-based antivirus scans, without having an effect on the performance of the machine.

+Alternately, you can also use the [EICAR](https://www.eicar.org/download-anti-malware-testfile/) test string to perform this test: Create a text file, paste the EICAR line, and save the file as an executable file to your machine's local drive.

+- **Predefined sensitive information types**: Defender for Cloud uses the built-in sensitive information types in [Microsoft Purview](/microsoft-365/compliance/sensitive-information-type-learn-about). This ensures consistent classification across services and workloads. Some of these types are enabled by default in Defender for Cloud. You can [modify these defaults](data-sensitivity-settings.md). Of these built-in sensitive information types, there's a subset supported by sensitive data discovery. You can view a [reference list](sensitive-info-types.md) of this subset, which also lists which information types are supported by default.

+Defender EASM applies MicrosoftΓÇÖs crawling technology to discover assets that are related to your known online infrastructure, and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by applying vulnerability and infrastructure data to showcase the key areas of concern for your organization, such as:

+- Analyze and prioritize risks and threats

+- Pinpoint attacker-exposed weaknesses, anywhere and on-demand

+- To export to a Log Analytics workspace:

+ - If it *has the SecurityCenterFree solution*, you must have a minimum of Read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`.

+ - If it *doesn't have the SecurityCenterFree solution*, you must have write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action`.

+The FIM registry hive defaults provide a convenient way to monitor recursive changes within common security areas. For example, an adversary might configure a script to execute in LOCAL_SYSTEM context by configuring an execution at startup or shutdown. To monitor changes of this type, enable the built-in check.

+> Recursive checks apply only to recommended security hives and not to custom registry paths.

+File Integrity Monitoring data resides within the Azure Log Analytics/ConfigurationChange table set.

+Reports can be exported to CSV for archival and/or channeled to a Power BI report.

+File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack.

+## April 2024

+|Date | Update |

+|--|--|

+| April 2| [Containers multicloud recommendations (GA)](#containers-multicloud-recommendations-ga) |

+### Containers multicloud recommendations (GA)

+April 2, 2024

+As part of Defender for Containers multicloud general availability, following recommendations are announced GA as well:

+- For Azure

+| **Recommendation** | **Description** | **Assessment Key** |

+| | | |

+| Azure registry container images should have vulnerabilities resolved| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |

+| Azure running container images should have vulnerabilities resolved| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |

+- For GCP

+| **Recommendation** | **Description** | **Assessment Key** |

+| | | |

+| GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |

+| GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 5cc3a2c1-8397-456f-8792-fe9d0d4c9145 |

+- For AWS

+| **Recommendation** | **Description** | **Assessment Key** |

+| | | |

+| AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Scans your AWS registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c27441ae-775c-45be-8ffa-655de37362ce |

+| AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | 682b2595-d045-4cff-b5aa-46624eb2dd8f |

+Please note that those recommendations would affect the secure score calculation.

+

+| March 31 | [Windows container images scanning is now generally available (GA)](#windows-container-images-scanning-is-now-generally-available-ga) |

+### Windows container images scanning is now generally available (GA)

+March 31, 2024

+We are announcing the general availability (GA) of the Windows container images support for scanning by Defender for Containers.

+We are announcing new endpoint detection and response recommendations that discover and assesses the configuration of supported endpoint detection and response solutions. If issues are found, these recommendations offer remediation steps.

+The following new agentless endpoint protection recommendations are now available if you have Defender for Servers Plan 2 or the Defender CSPM plan enabled on your subscription with the agentless machine scanning feature enabled. The recommendations support Azure and multicloud machines. On-premises machines are not supported.

+## Next steps

+- If you're experiencing problems with deleting the AWS or GCP connector, check if you have a lock. An error in the Azure activity log might hint at the presence of a lock.

+1. This pane includes a list of the container vulnerabilities. Select each vulnerability to [resolve the vulnerability](#remediate-vulnerabilities).

+ - **Connect Azure VMs to a different workspace** - From the dropdown list, select the workspace to store collected data. The dropdown list includes all workspaces across all of your subscriptions. You can use this option to collect data from virtual machines running in different subscriptions and store it all in your selected workspace.

+Insights provide you with news, suggested reading, and high priority alerts that are relevant in your environment.

+You need to upload a new activation file to your sensor if you want to switch sensor management modes, such as moving from a locally managed sensor to a cloud-connected sensor, or if you're [updating from a recent software version](update-ot-software.md?tabs=portal#update-ot-sensors). Uploading a new activation file to your sensor includes deleting your sensor from the Azure portal and onboarding it again.

+|<a name="endpoint"></a> **Download endpoint details** | OT sensors only.<br><br>Available from the **Sites and sensors** toolbar **More actions** menu. <br><br>Download the list of endpoints that must be enabled as secure endpoints from OT network sensors. Make sure that HTTPS traffic is enabled over port 443 to the listed endpoints for your sensor to connect to Azure. Outbound allow rules are defined once for all OT sensors onboarded to the same subscription.<br><br>To enable this option, select a sensor with a supported software version, or a site with one or more sensors with supported versions. |

+You only need to update your activation file if you're [updating an OT sensor from a recent version](update-ot-software.md?tabs=portal#update-ot-sensors) or switching the sensor management mode, such as moving from locally managed to cloud-connected.

+In addition to migration steps, this new connectivity model requires that you open a new firewall rule. For more information, see:

+ Title: Configure Azure Developer CLI templates for use with ADE

+description: Understand how ADE and AZD work together to provision application infrastructure and deploy application code to the new infrastructure.

+# Customer intent: As a platform engineer, I want to use ADE and AZD together to provision application infrastructure and deploy application code to the new infrastructure.

+# Configure Azure Developer CLI with Azure Deployment Environments

+In this article, you create a new environment from an existing Azure Developer CLI (AZD) compatible template by using AZD. You learn how to configure Azure Deployment Environments (ADE) and AZD to work together to provision application infrastructure and deploy application code to the new infrastructure.

+To learn the key concepts of how AZD and ADE work together, see [Use Azure Developer CLI with Azure Deployment Environments](concept-azure-developer-cli-with-deployment-environments.md).

+## Prerequisites

+- Create and configure a dev center with a project, environment types, and catalog. Use the following article as guidance:

+ - [Quickstart: Create and configure a dev center for Azure Deployment Environments](/azure/deployment-environments/quickstart-create-and-configure-devcenter).

+## Attach Microsoft quick start catalog

+Microsoft provides a quick start catalog that contains a set of AZD compatible templates that you can use to create environments. You can attach the quick start catalog to your dev center at creation or add it later. The quick start catalog contains a set of templates that you can use to create environments.

+## Examine an AZD compatible template

+You can use an existing AZD compatible template to create a new environment, or you can add an azure.yaml file to your repository. In this section, you examine an existing AZD compatible template.

+AZD provisioning for environments relies on curated templates from the catalog. Templates in the catalog might assign tags to provisioned Azure resources for you to associate your app services with in the azure.yaml file, or specify the resources explicitly. In this example, resources are specified explicitly.

+For more information on tagging resources, see [Tagging resources for Azure Deployment Environments](/azure/developer/azure-developer-cli/ade-integration#tagging-resources-for-azure-deployment-environments).

+1. In the [Azure portal](https://portal.azure.com), navigate to your dev center.

+1. In the left menu under **Environment configuration**, select **Catalogs**, and then copy the quick start catalog **Clone URL**.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/catalog-url.png" alt-text="Screenshot of Azure portal showing the catalogs attached to a dev center, with clone URL highlighted." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/catalog-url.png":::

+1. To view the quick start catalog in GitHub, paste the **Clone URL** into the address bar and press Enter.

+1. In the GitHub repository, navigate to the **Environment-Definitions/ARMTemplates/Function-App-with-Cosmos_AZD-template** folder.

+1. Open the **environment.yaml** file. At the end of the file, you see the allowed repositories that contain sample application source code.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/application-source-templates.png" alt-text="Screenshot of GitHub repository, showing the environment.yaml file with source templates highlighted." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/application-source-templates.png":::

+1. Copy the **https://github.com/azure-samples/todo-python-mongo-swa-func** repository URL, and then navigate to the repository in GitHub.

+1. In the root of the repository, open the **azure.yaml** file.

+1. In the azure.yaml file, in the **services** section, you see the **web** and **API** services that are defined in the template.

+> [!NOTE]

+> Not all AZD compatible catalogs use the linked templates structure shown in the example. You can use a single catalog for all your environments by including the azure.yaml file. Using multiple catalogs and code repositories allows you more flexibility in configuring secure access for platform engineers and developers.

+If you're working with your own catalog & environment definition, you can create an azure.yaml file in the root of your repository. Use the azure.yaml file to define the services that you want to deploy to the environment.

+## Create an environment from an existing template

+Use an existing AZD compatible template to create a new environment.

+### Prepare to work with AZD

+When you work with AZD for the first time, there are some one-time setup tasks you need to complete. These tasks include installing the Azure Developer CLI, signing in to your Azure account, and enabling AZD support for Azure Deployment Environments.

+#### Install the Azure Developer CLI extension for Visual Studio Code

+When you install AZD, the AZD tools are installed within an AZD scope rather than globally, and are removed if AZD is uninstalled. You can install AZD in Visual Studio Code or from the command line.

+# [Visual Studio Code](#tab/visual-studio-code)

+To enable Azure Developer CLI features in Visual Studio Code, install the Azure Developer CLI extension, version v0.8.0-alpha.1-beta.3173884. Select the **Extensions** icon in the Activity bar, search for **Azure Developer CLI**, and then select **Install**.

+# [Azure Developer CLI](#tab/azure-developer-cli)

+```bash

+powershell -ex AllSigned -c "Invoke-RestMethod 'https://aka.ms/install-azd.ps1' | Invoke-Expression"

+```

+#### Sign in with Azure Developer CLI

+Access your Azure resources by logging in. When you initiate a log in, a browser window opens and prompts you to log in to Azure. After you sign in, the terminal displays a message that you're signed in to Azure.

+Sign in to AZD using the command palette:

+# [Visual Studio Code](#tab/visual-studio-code)

+The output of commands issued from the command palette is displayed in an **azd dev** terminal like the following example:

+# [Azure Developer CLI](#tab/azure-developer-cli)

+Sign in to Azure at the CLI using the following command:

+```bash

+ azd auth login

+```

+#### Enable AZD support for ADE

+When `platform.type` is set to `devcenter`, all AZD remote environment state and provisioning uses dev center components. AZD uses one of the infrastructure templates defined in your dev center catalog for resource provisioning. In this configuration, the *infra* folder in your local templates isnΓÇÖt used.

+# [Visual Studio Code](#tab/visual-studio-code)

+# [Azure Developer CLI](#tab/azure-developer-cli)

+```bash

+ azd config set platform.type devcenter

+```

+### Create a new environment

+Now you're ready to create an environment to work in. You begin with an existing template. ADE defines the infrastructure for your application, and the AZD template provides sample application code.

+# [Visual Studio Code](#tab/visual-studio-code)

+1. In Visual Studio Code, open an empty folder.

+1. Open the command palette, enter *Azure Developer CLI init*, and then from the list, select **Azure Developer CLI (azd): init**.

+

+ :::image type="content" source="media/how-to-create-environment-with-azure-developer/command-palette-azure-developer-initialize.png" alt-text="Screenshot of the Visual Studio Code command palette with Azure Developer CLI (azd): init highlighted." lightbox="media/how-to-create-environment-with-azure-developer/command-palette-azure-developer-initialize.png":::

+

+1. In the list of templates, select **Function-App-with-Cosmos_AZD-template**.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/command-palette-functionapp-template.png" alt-text="Screenshot of the Visual Studio Code command palette with a list of templates, Function App highlighted." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/command-palette-functionapp-template.png":::

+

+1. In the AZD terminal, enter an environment name.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/enter-environment-name.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt for a new environment name." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/enter-environment-name.png":::

+1. Select a project.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-project.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt to select a project." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-project.png":::

+1. Select an environment definition.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-environment-definition.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt to select an environment definition." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-environment-definition.png":::

+

+ AZD creates the project resources, including an *azure.yaml* file in the root of your project.

+# [Azure Developer CLI](#tab/azure-developer-cli)

+1. At the CLI, navigate to an empty folder.

+1. To list the templates available, in the AZD terminal, run the following command:

+ ```bash

+ azd template list

+

+ ```

+ Multiple templates are available. You can select the template that best fits your needs, depending on the application you want to build and the language you want to use.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/developer-cli-template-list.png" alt-text="Screenshot of the Azure Developer terminal, showing the templates available." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/developer-cli-template-list.png":::

+1. Run the following command to initialize your application and supply information when prompted:

+ ```bash

+ azd init

+ ```

+1. In the AZD terminal, enter an environment name.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/enter-environment-name.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt for a new environment name." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/enter-environment-name.png":::

+1. Select a project.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-project.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt to select a project." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-project.png":::

+1. Select an environment definition.

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-environment-definition.png" alt-text="Screenshot of the Azure Developer terminal, showing prompt to select an environment definition." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/initialize-select-environment-definition.png":::

+

+ AZD creates the project resources, including an *azure.yaml* file in the root of your project.

+## Configure your devcenter

+You can define AZD settings for your dev centers so that you don't need to specify them each time you update an environment. In this example, you define the names of the catalog, dev center, and project that you're using for your environment.

+1. In Visual Studio Code, navigate to the *azure.yaml* file in the root of your project.

+

+1. In the azure.yaml file, add the following settings:

+ ```yaml

+ platform:

+ type: devcenter

+ config:

+ catalog: MS-cat

+ name: Contoso-DevCenter

+ project: Contoso-Dev-project

+ ```

+ :::image type="content" source="media/how-to-configure-azure-developer-cli-deployment-environments/azure-yaml-dev-center-settings.png" alt-text="Screenshot of the azure.yaml file with dev center settings highlighted." lightbox="media/how-to-configure-azure-developer-cli-deployment-environments/azure-yaml-dev-center-settings.png":::

+To learn more about the settings you can configure, see [Configure dev center settings](/azure/developer/azure-developer-cli/ade-integration#configure-dev-center-settings).

+## Provision your environment

+You can use AZD to provision and deploy resources to your deployment environments using commands like `azd up` or `azd provision`.

+To learn more about provisioning your environment, see [Create an environment by using the Azure Developer CLI](how-to-create-environment-with-azure-developer.md#provision-infrastructure-to-azure-deployment-environment).

+To how common AZD commands work with ADE, see [Work with Azure Deployment Environments](/azure/developer/azure-developer-cli/ade-integration?branch=main#work-with-azure-deployment-evironments).

+## Related content

+- [Add and configure an environment definition](./configure-environment-definition.md)

+- [Create an environment by using the Azure Developer CLI](./how-to-create-environment-with-azure-developer.md)

+To learn how to set up AZD to work with Azure Deployment Environments, see [Use Azure Developer CLI with Azure Deployment Environments](/azure/deployment-environments/concept-azure-developer-cli-with-deployment-environments).

+1. In Visual Studio Code, open the folder that contains your application code.

+- [Install or update the Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd)

+Events published to Event Grid namespaces land on a topic, which is a namespace subresource that logically contains all events. Namespace topics allows you to create subscriptions with flexible consumption modes to push events to a particular destination or [pull events](pull-delivery-overview.md) at your pace.

+ Title: Design and architect Azure ExpressRoute for resiliency

+description: Learn how to design and architect Azure ExpressRoute for resiliency to ensure high availability and reliability in your network connections between on-premises and Azure.

+# Design and architect Azure ExpressRoute for resiliency

+Azure ExpressRoute is an essential hybrid connectivity service widely used for its low latency, resilience, high throughput private connectivity between their on-premises network and Azure workloads. It offers the ability to achieve reliability, resiliency, and disaster recovery in network connections between on-premises and Azure to ensure availability of business and mission-critical workloads. This capability also extends access to Azure resources in a scalable, and cost-effective way.

+Network connections that are highly reliable, resilient, and available are fundamental to a well-structured system. Reliability consists of two principles: *resiliency* and *availability*. The goal of resiliency is to prevent failures and, in the event they do occur, to restore your applications to a fully operational state. The objective of availability is to provide consistent access to your application or workloads. It's important to proactively plan for reliability based on your business needs and application requirements.

+Users of ExpressRoute rely on the availability and performance of edge sites, WAN, and availability zones to maintain their connectivity to Azure. However, these components or sites might experience failures due to various reasons, such as equipment malfunctioning, network disruptions, weather conditions, or natural disasters. Therefore, it's a joint responsibility between users and their cloud provider, when planning for reliability, resiliency, and availability.

+## Site resiliency for ExpressRoute

+There are three ExpressRoute resiliency architectures that can be utilized to ensure high availability and resiliency in your network connections between on-premises and Azure. These architecture designs include:

+* [Maximum resiliency](#maximum-resiliency)

+* [High resiliency](#high-resiliency)

+* [Standard resiliency](#standard-resiliency)

+### Maximum resiliency

+The maximum resiliency architecture in ExpressRoute is structured to eliminate any single point of failure within the Microsoft network path. This set up is achieved by configuring a pair of circuits across two distinct locations for site diversity with ExpressRoute. The objective of maximum resiliency is to enhance reliability, resiliency, and availability, as a result ensuring the highest level of resilience for business and/or mission-critical workloads. For such operations, we recommend that you configure maximum resiliency. This architectural design is recommended as part of the [Well Architected Framework](/azure/well-architected/service-guides/azure-expressroute#reliability) under the reliability pillar. The ExpressRoute engineering team developed a [guided portal experience](expressroute-howto-circuit-portal-resource-manager.md?pivots=expressroute-preview) to assist you in configuring maximum resiliency.

+### High resiliency

+High resiliency, also referred to as multi-site or site resiliency, enables the use of multiple sites within the same metropolitan (Metro) area to connect your on-premises network through ExpressRoute to Azure. High resiliency offers site diversity by splitting a single circuit across two sites. The first connection is established at one site and the second connection at a different site. The objective of multi-site resiliency is to mitigate the effect of edge-sites isolation and failures by introducing capabilities to enable site diversity. Site diversity is achieved by using a single circuit across paired sites within a metropolitan city, which offers resiliency to failures between edge and region. High resiliency provides a higher level of site resiliency than standard resiliency, but not as much as maximum resiliency. High resiliency is priced the same as standard resiliency, with latency parity across two sites. This architecture can be used for business and mission-critical workloads within a region. For more information, see [ExpressRoute Metro](metro.md)

+### Standard resiliency

+Standard resiliency in ExpressRoute is a single circuit with two connections configured at a single site. Built-in redundancy (Active-Active) is configured to facilitate failover across the two connections of the circuit. Microsoft guarantees an availability [service level agreements (SLA)](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) for Microsoft Enterprise Edge (MSEE) to the gateway for this configuration. Today, ExpressRoute offers two connections at a single peering location. If a failure happens at this site, users might experience loss of connectivity to their Azure workloads. This configuration is also known as *single-homed* as it represents users with an ExpressRoute circuit configured with only one peering location. This configuration is considered the *least* resilient and **not recommended** for business or mission-critical workloads because it doesn't provide site resiliency.

+## Zonal resiliency for ExpressRoute

+[Azure regions](/azure/cloud-adoption-framework/ready/azure-setup-guide/regions) are an integral part of your ExpressRoute design and resiliency strategy. These regions are geographical locations of data centers that host Azure services. Regions are interconnected through a dedicated low-latency network and are designed to be highly available, fault-tolerant, and scalable.

+Azure offers several features to ensure regional resiliency. One such feature is [availability zones](../reliability/availability-zones-overview.md). Availability zones protect applications and data from data center failures by spanning across multiple physical locations within a region. Regions and availability zones are central to your application design and resiliency strategy. By utilizing availability zones, you can achieve higher availability and resilience in your deployments. For more information, see [Regions & availability zones](../reliability/overview.md#regions-and-availability-zones).

+We recommend deploying your [ExpressRoute Virtual Network Gateways](expressroute-about-virtual-network-gateways.md) as zone redundant across availability zones within a region. These availability zones are separate physical locations with independent infrastructure (power, cooling, and networking). The purpose is to protect your on-premises network connectivity to Azure from zone level failures. [Zone-redundant ExpressRoute gateways](../vpn-gateway/about-zone-redundant-vnet-gateways.md?toc=%2Fazure%2Fexpressroute%2Ftoc.json) provide resiliency, scalability, and higher availability for accessing mission-critical services on Azure.

+Equipment failures or disasters in regional and zonal data centers can affect ExpressRoute gateway deployments in virtual networks. If gateways aren't deployed as zone-redundant, such failures within an Azure data center can affect the ability for users to access their Azure workloads.

+If you have an existing non-zone redundant ExpressRoute gateways, there's now the ability to [migrate to an availability zone enabled gateway](gateway-migration.md).

+## Recommendations

+The following are recommendations to ensure high availability, resiliency, and reliability in your ExpressRoute network architecture:

+* [ExpressRoute circuit recommendations](#expressroute-circuit-recommendations)

+* [ExpressRoute Gateway recommendations](#expressroute-gateway-recommendations)

+* [Disaster recovery and high availability recommendations](#disaster-recovery-and-high-availability-recommendations)

+* [Monitoring and alerting recommendations](#monitoring-and-alerting-recommendations)

+### ExpressRoute circuit recommendations

+#### Plan for ExpressRoute circuit or ExpressRoute Direct

+During the initial planning phase, it's crucial to determine whether to configure an [ExpressRoute circuit](expressroute-circuit-peerings.md) or an [ExpressRoute Direct](expressroute-erdirect-about.md) connection. An ExpressRoute circuit allows a private dedicated connection into Azure with the assistance of a connectivity provider. ExpressRoute Direct enables the extension of an on-premises network directly into the Microsoft network at a peering location. It's also necessary to identify the bandwidth requirement and the circuit SKU type requirement to meet your business needs.

+#### Evaluate the resiliency of multi-site redundant ExpressRoute circuits

+After deploying multi-site redundant ExpressRoute circuits with [maximum resiliency](expressroute-howto-circuit-portal-resource-manager.md), it's essential to ensure that on-premises routes are advertised over the redundant circuits to fully utilize the benefits of multi-site redundancy. To evaluate the resiliency and test the failover of redundant circuits and routes Learn more here.

+#### Plan for active-active configuration

+To improve resiliency and availability, Microsoft recommends operating both connections of an ExpressRoute circuit in [active-active mode](designing-for-high-availability-with-expressroute.md#active-active-connections). By allowing two connections to operate in this mode, Microsoft load balances the network traffic across the connections on a per-flow basis.

+#### Physical layer diversity

+For better resiliency, plan to establish multiple paths between the on-premises edge and the peering locations (provider/Microsoft edge locations). This configuration can be achieved by utilizing different services providers or by routing through another peering location from the on-premises network. For high availability, it's essential to maintain the redundancy of the ExpressRoute circuit throughout the end-to-end network architecture. This includes maintaining redundancy within your on-premises network and redundancy within your service provider. Ensuring redundancy in these parts of your architecture means you shouldn't have a single point of failure.

+#### Ensure BFD (Bidirectional Forwarding Detection) is enabled and configured

+Enabling Bidirectional Forwarding Detection (BFD) over ExpressRoute can accelerate the link failure detection between the MSEE devices and the routers on which your ExpressRoute circuit is configured. Microsoft recommends configuring the Customer Premises Edge (CPE) devices with BFD. ExpressRoute can be configured over your edge routing devices or your Partner Edge routing devices. BFD is enabled by default on the MSEE devices on the Microsoft side.

+### ExpressRoute Gateway recommendations

+#### Plan for Virtual Network Gateway

+Create [zone-redundant Virtual Network Gateways](../vpn-gateway/about-zone-redundant-vnet-gateways.md) for greater resiliency and plan for Virtual Network Gateways in different regions for disaster recovery and high availability. When utilizing zone-redundant gateways, you can benefit from zone-resiliency for accessing your mission-critical and scalable services on Azure.

+#### Migrate to zone-redundant ExpressRoute gateways

+The [guided gateway migration](gateway-migration.md) experience facilitates your migration from a Non-Az-Enabled SKU to an Az-Enabled SKU gateway. This feature allows for the creation of an additional virtual network gateway within the same gateway subnet. During the migration process, Azure transfers the control plane and data path configurations from your existing gateway to the new one.

+### Disaster recovery and high availability recommendations

+#### Use VPN Gateway as a backup for ExpressRoute

+Microsoft recommends the use of site-to-site VPN as a failover when an ExpressRoute circuit becomes unavailable. ExpressRoute is designed for high availability and there's no single point of failure within the Microsoft network. However, there can be instances where an ExpressRoute circuit becomes unavailable due to various reasons such as regional service degradation or natural disasters. A site-to-site VPN can be configured as a secure failover path for ExpressRoute. If the ExpressRoute circuit becomes unavailable, the traffic is automatically route through the site-to-site VPN, ensuring that your connection to the Azure network remains. For more information, see [using site-to-site VPN as a backup for Azure ExpressRoute](use-s2s-vpn-as-backup-for-expressroute-privatepeering.md).

+#### Enable high availability and disaster recovery

+To maximize availability, both the customer and service provider segments on your ExpressRoute circuit should be architected for availability & resiliency. For Disaster Recovery, plan for scenarios such as regional service outages due to natural calamities. Implement a robust disaster recovery design for multiple circuits configured through different peering locations in different regions. To learn more, see: [Designing for disaster recovery](designing-for-disaster-recovery-with-expressroute-privatepeering.md).

+#### Plan for geo-redundancy

+For disaster recovery planning, we recommend setting up ExpressRoute circuits in multiple peering locations and regions. ExpressRoute circuits can be created in the same metropolitan area or different metropolitan areas, and different service providers can be used for diverse paths through each circuit. Geo-redundant ExpressRoute circuits are utilized to create a robust backend network connectivity for disaster recovery. To learn more, see [Designing for high availability](designing-for-high-availability-with-expressroute.md).

+#### Virtual network peering for connectivity between virtual networks

+Virtual Network (VNet) Peering provides a more efficient and direct method, enabling Azure services to communicate across virtual networks without the need of a virtual network gateway, extra hops, or transit over the public internet. To establish connectivity between virtual networks, VNet peering should be implemented for the best performance possible. For more information, seeΓÇ»[About Virtual Network Peering](../virtual-network/virtual-network-peering-overview.md) andΓÇ»[Manage VNet peering](../virtual-network/virtual-network-manage-peering.md).

+### Monitoring and alerting recommendations

+#### Configure monitoring & alerting for ExpressRoute circuits

+As a baseline, we recommend configuring [Network Insights](expressroute-network-insights.md) within Azure Monitor to view all ExpressRoute circuit metrics, including ExpressRoute Direct and Global Reach. Within the circuits card you can visualize topologies and dependencies for peerings, connections, and gateways. The insights available for circuits include availability, throughput, and packet drops.

+#### Configure service health alerts for ExpressRoute circuit maintenance notifications

+ExpressRoute uses [Azure Service Health](../service-health/overview.md) to notify you of planned and upcoming [ExpressRoute circuit maintenance](maintenance-alerts.md). With Service Health, you can view planned and past maintenance in the Azure portal along with configuring alerts and notifications that best suit your needs. In Service Health, you can see Planned & Past maintenance. You can also set alerts within Service Health to be notified of upcoming maintenance.

+#### Configure connection monitor for ExpressRoute

+[Connection Monitor](how-to-configure-connection-monitor.md) is a cloud-based network monitoring solution that monitors connectivity between Azure cloud deployments and on-premises locations (Branch offices, etc.). Connection Monitor is an agent-based solution.

+#### Configure gateway health monitoring & alerting

+[Setup monitoring](expressroute-monitoring-metrics-alerts.md#expressroute-gateways) using Azure Monitor for ExpressRoute Gateway availability, performance, and scalability. When you deploy an ExpressRoute gateway, Azure manages the compute and functions of your gateway. There are multiple [gateway metrics](expressroute-monitoring-metrics-alerts.md#expressroute-virtual-network-gateway-metrics) available to you to better understand the performance of your gateway.

+ | SKU | Select the SKU for the ExpressRoute circuit. You can specify **Local** to get the local SKU, **Standard** to get the standard SKU or **Premium** for the premium add-on. You can change between Local, Standard, and Premium. |

+ Complete the same information for the second ExpressRoute circuit. When selecting an ExpressRoute location for the second circuit, you're provided with distances information from the first ExpressRoute location. This information can help you select the second ExpressRoute location.

+ **High Resiliency**

+ For high resiliency, select one of the supported ExpressRoute Metro service providers and the corresponding **Peering location**. For example, **Megaport** as the *Provider* and **Amsterdam Metro** as the *Peering location*. For more information, see [ExpressRoute Metro](metro.md).

+ | SKU | Select the SKU for the ExpressRoute circuit. You can specify **Local** to get the local SKU, **Standard** to get the standard SKU or **Premium** for the premium add-on. You can change between Local, Standard, and Premium. |

+Microsoft offers multiple ExpressRoute peering locations in many geopolitical regions. For maximum resiliency, Microsoft recommends that you establish connection to two ExpressRoute circuits in two peering locations. If ExpressRoute Metro is available with your service provider and in your preferred peering location, you can achieve a higher level of resiliency compared to a standard ExpressRoute circuit. For non-production and non-critical workloads, you can achieve standard resiliency by connecting to a single ExpressRoute circuit that offers redundant connections within a single peering location. The Azure portal provides a guided experience to help you create a resilient ExpressRoute configuration. For Azure PowerShell, CLI, ARM template, Terraform, and Bicep, maximum resiliency can be achieved by creating a second ExpressRoute circuit in a different ExpressRoute location and establishing a connection to it. For more information, see [Create maximum resiliency with ExpressRoute](expressroute-howto-circuit-portal-resource-manager.md?pivots=expressroute-preview).

+ Title: About ExpressRoute Metro (preview)

+description: This article provides an overview of ExpressRoute Metro and how it works.

+# About ExpressRoute Metro (preview)

+> [!IMPORTANT]

+> ExpresRoute Metro is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+ExpressRoute facilitates the creation of private connections between your on-premises networks and Azure workloads in a designated peering locations. These locations are colocation facilities housing Microsoft Enterprise Edge (MSEE) devices, serving as the gateway to Microsoft's network.

+Within the peering location, two types of connections can be established:

+* **ExpressRoute circuit** - an ExpressRoute circuit consist of two logical connections between your on-premises network and Azure. These connections are made through a pair of physical links provided by an ExpressRoute partner, such as AT&T, Verizon, Equinix, among others.

+* **ExpressRoute Direct** - ExpressRoute Direct is a dedicated and private connection between your on-premises network and Azure, eliminating the need for partner provider involvement. It enables the direct connection of your routers to the Microsoft global network using dual 10G or 100G Ports.

+The standard ExpressRoute configuration is set up with a pair of links to enhance the reliability of your ExpressRoute connection. This setup is designed to provide redundancy and improves the availability of your ExpressRoute connections during hardware failures, maintenance events, or other unforeseen incidents within the peering locations. However, you should note that these redundant connections don't provide resilience against certain events. These events could disrupt or isolate the edge location where the MSEE devices are located. Such disruptions could potentially lead to a complete loss of connectivity from your on-premises networks to your cloud services.

+## ExpressRoute Metro

+ExpressRoute Metro (preview) is a high-resiliency configuration designed to provide multi-site redundancy. This configuration allows you to benefit from a dual-homed setup that facilitates diverse connections to two distinct ExpressRoute peering locations within a city. The high resiliency configuration benefits from the redundancy across the two peering locations to offer higher availability and resilience for your connectivity from your on-premises to resources in Azure.

+Key features of ExpressRoute Metro include:

+* Dual-homed connections to two distinct ExpressRoute peering locations within the same city.

+* Increased availability and resiliency for your ExpressRoute circuits.

+* Seamless connectivity from your on-premises environment to Azure resources through an ExpressRoute circuit with the assistance of a connectivity provider or with ExpressRoute Direct (Dual 10G or 100G ports)

+The following diagram allows for a comparison between the standard ExpressRoute circuit and a ExpressRoute Metro circuit.

+## ExpressRoute Metro locations

+| Metro location | Peering locations | Location address | Zone | Local Azure Region | ER Direct | Service Provider |

+|--|--|--|--|--|--|--|

+| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Equinix AMS8 | 1 | West Europe | &check; | Megaport<br>Equinix¹<br>Colt¹<br>Console Connect¹<br>Digital Reality¹ |

+| Singapore Metro | Singapore<br>Singapore2 | Equinix SG1<br>Global Switch Tai Seng | 2 | West Europe | &check; | Megaport¹<br>Equinix¹<br>Console Connect¹ |

+| Zurich Metro | Zurich<br>Zurich2 | Interxion ZUR2<br>Equinix ZH5 | 1 | Switzerland North | &check; | Colt¹<br>Digital Reality¹ |

+<sup>1<sup> These service providers will be available in the future.

+> [!NOTE]

+> The naming convention for Metro sites will utilize `City` and `City2` to denote the two unique peering locations within the same metropolitan region. As an illustration, Amsterdam and Amsterdam2 are indicative of the two separate peering locations within the metropolitan area of Amsterdam. In the Azure portal, these locations will be referred to as `Amsterdam Metro`.

+## Configure ExpressRoute Metro

+### Create an ExpressRoute Metro circuit

+You can create an ExpressRoute Metro circuit in the Azure portal in any of the three metropolitan areas. Within the portal, specify one of the Metro peering locations and the corresponding service provider supported in that location. For more information, see [Create an ExpressRoute circuit](expressroute-howto-circuit-portal-resource-manager.md?pivots=expressroute-preview).

+### Create a Metro ExpressRoute Direct

+1. A Metro ExpressRoute Direct port can be created in the Azure portal. Within the portal, specify one of the Metro peering locations. For more information, see [Create an ExpressRoute Direct](how-to-expressroute-direct-portal.md).

+ :::image type="content" source="./media/metro/create-metro-direct.png" alt-text="Screenshot of creating Metro ExpressRoute Direct ports.":::

+1. One you provisioned the Metro ExpressRoute Direct ports, you can download the LOA (Letter of Authorization), obtain the Meet-Me-Room details, and extend your physical cross-connects.

+ :::image type="content" source="./media/metro/generate-letter-of-authorization.png" alt-text="Screenshot of generating letter of authorization.":::

+## Next steps

+* Review [ExpressRoute partners and peering locations](expressroute-locations.md) to understand the available ExpressRoute partners and peering locations.

+* Review [ExpressRoute pricing](https://azure.microsoft.com/pricing/details/expressroute/) to understand the costs associated with ExpressRoute.

+* Review [Design architecture for ExpressRoute resiliency](design-architecture-for-resiliency.md) to understand the design considerations for ExpressRoute.

+ For each WAF policy associated to the Front Door (classic) profile select an action. You can make a copy of the WAF policy that matches the tier you're migrating the Front Door profile to or you can use an existing compatible WAF policy. You may also change the WAF policy name from the default provided name. Once completed, select **Apply** to save your Front Door WAF settings.

+description: HDInsight on AKS provides a feature to manage and submit Apache Flink jobs directly through the Azure portal.

+ | savepoint.directory | Savepoint directory for job. It's recommended that users should create a new directory for job savepoint in storage account. | `abfs://<container>@<account>/<deployment-ID>/savepoints` | No |

+- **Stop:** Stop job didn't require any parameter, user can stop the job by selecting the action.

+See following URL for rest API, users need to replace subscription, resource group, cluster pool, cluster name, and HDInsight on AKS API version in this before using it.

+ | savepoint.directory | Savepoint directory for job. It's recommended that users should create a new directory for job savepoint in storage account. | `abfs://<container>@<account>/<deployment-ID>/savepoints`| No |

+ | savePointName | Save point name to start the job. It's optional property, by default start operation take last successful savepoint. | No |

+ | savePointName | Save point name to start the job. It's optional property, by default start operation will take last successful savepoint.| | No |

+|UnderProvisioningDiagnoser.time.ms |Time in milliseconds for which cluster needs to under provisioned for a scale up to trigger |180000 |Hadoop/Spark load based autoscaling |-|

+|OverProvisioningDiagnoser.time.ms |Time in milliseconds for which cluster needs to be overprovisioned for a scale down to trigger |180000 |Hadoop/Spark load based autoscaling |-|

+1. Use `Connect-AzAccount` to connect to Azure, specifying the Basic Load Balancer's subscription ID if you have more than one subscription.

+ PS C:\> Connect-AzAccount -Subscription <SubscriptionId>

+''

+We have also written a more complex query which assesses the readiness of each Basic Load Balancer for migration on most of the criteria this module checks during [validation](#example-validate-a-scenario). The Resource Graph query can be found in our [GitHub project](https://github.com/Azure/AzLoadBalancerMigration/blob/main/AzureBasicLoadBalancerUpgrade/utilities/migration_graph_query.txt) or opened in the [Azure Resource Graph Explorer](https://portal.azure.com/?#blade/HubsExtension/ArgQueryBlade/query/resources%0A%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Floadbalancers%27%20and%20sku.name%20%3D%3D%20%27Basic%27%0A%7C%20project%20fes%20%3D%20properties.frontendIPConfigurations%2C%20bes%20%3D%20properties.backendAddressPools%2C%5B%27id%27%5D%2C%5B%27tags%27%5D%2CsubscriptionId%2CresourceGroup%2Cname%0A%7C%20extend%20backendPoolCount%20%3D%20array_length%28bes%29%0A%7C%20extend%20internalOrExternal%20%3D%20iff%28isnotempty%28fes%29%2Ciff%28isnotempty%28fes%5B0%5D.properties.privateIPAddress%29%2C%27Internal%27%2C%27External%27%29%2C%27None%27%29%0A%20%20%20%20%7C%20join%20kind%3Dleftouter%20hint.strategy%3Dshuffle%20%28%0A%20%20%20%20%20%20%20%20resources%0A%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fpublicipaddresses%27%0A%20%20%20%20%20%20%20%20%7C%20where%20properties.publicIPAddressVersion%20%3D%3D%20%27IPv6%27%0A%20%20%20%20%20%20%20%20%7C%20extend%20publicIPv6LBId%20%3D%20tostring%28split%28properties.ipConfiguration.id%2C%27%2FfrontendIPConfigurations%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%7C%20distinct%20publicIPv6LBId%0A%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.publicIPv6LBId%0A%20%20%20%20%7C%20join%20kind%20%3D%20leftouter%20hint.strategy%3Dshuffle%20%28%0A%20%20%20%20%20%20%20%20resources%20%0A%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fnetworkinterfaces%27%20and%20isnotempty%28properties.virtualMachine.id%29%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmNICHasNSG%20%3D%20isnotnull%28properties.networkSecurityGroup.id%29%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmNICSubnetIds%20%3D%20tostring%28extract_all%28%27%28%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FvirtualNetworks%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fsubnets%2F%5Ba-zA-Z0-9-_%5D%2A%29%27%2Ctostring%28properties.ipConfigurations%29%29%29%0A%20%20%20%20%20%20%20%20%7C%20mv-expand%20ipConfigs%20%3D%20properties.ipConfigurations%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmPublicIPId%20%3D%20extract%28%27%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FpublicIPAddresses%2F%5Ba-zA-Z0-9-_%5D%2A%27%2C0%2Ctostring%28ipConfigs%29%29%0A%20%20%20%20%20%20%20%20%7C%20where%20isnotempty%28ipConfigs.properties.loadBalancerBackendAddressPools%29%20%0A%20%20%20%20%20%20%20%20%7C%20mv-expand%20bes%20%3D%20ipConfigs.properties.loadBalancerBackendAddressPools%0A%20%20%20%20%20%20%20%20%7C%20extend%20nicLoadBalancerId%20%3D%20tostring%28split%28bes.id%2C%27%2FbackendAddressPools%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%7C%20summarize%20vmNICsNSGStatus%20%3D%20make_set%28vmNICHasNSG%29%20by%20nicLoadBalancerId%2CvmPublicIPId%2CvmNICSubnetIds%0A%20%20%20%20%20%20%20%20%7C%20extend%20allVMNicsHaveNSGs%20%3D%20set_has_element%28vmNICsNSGStatus%2CFalse%29%0A%20%20%20%20%20%20%20%20%7C%20summarize%20publicIpCount%20%3D%20dcount%28vmPublicIPId%29%20by%20nicLoadBalancerId%2C%20allVMNicsHaveNSGs%2C%20vmNICSubnetIds%0A%20%20%20%20%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.nicLoadBalancerId%0A%20%20%20%20%20%20%20%20%7C%20join%20kind%20%3D%20leftouter%20%28%0A%20%20%20%20%20%20%20%20%20%20%20%20resources%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.compute%2Fvirtualmachinescalesets%27%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssSubnetIds%20%3D%20tostring%28extract_all%28%27%28%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FvirtualNetworks%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fsubnets%2F%5Ba-zA-Z0-9-_%5D%2A%29%27%2Ctostring%28properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations%29%29%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20nicConfigs%20%3D%20properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssNicHasNSG%20%3D%20isnotnull%28properties.networkSecurityGroup.id%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20ipConfigs%20%3D%20nicConfigs.properties.ipConfigurations%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssHasPublicIPConfig%20%3D%20iff%28tostring%28ipConfigs%29%20matches%20regex%20%40%27publicIPAddressVersion%27%2Ctrue%2Cfalse%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20where%20isnotempty%28ipConfigs.properties.loadBalancerBackendAddressPools%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20bes%20%3D%20ipConfigs.properties.loadBalancerBackendAddressPools%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssLoadBalancerId%20%3D%20tostring%28split%28bes.id%2C%27%2FbackendAddressPools%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20summarize%20vmssNICsNSGStatus%20%3D%20make_set%28vmssNicHasNSG%29%20by%20vmssLoadBalancerId%2C%20vmssHasPublicIPConfig%2C%20vmssSubnetIds%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20allVMSSNicsHaveNSGs%20%3D%20set_has_element%28vmssNICsNSGStatus%2CFalse%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20distinct%20vmssLoadBalancerId%2C%20vmssHasPublicIPConfig%2C%20allVMSSNicsHaveNSGs%2C%20vmssSubnetIds%0A%20%20%20%20%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.vmssLoadBalancerId%0A%7C%20extend%20subnetIds%20%3D%20set_difference%28todynamic%28coalesce%28vmNICSubnetIds%2CvmssSubnetIds%29%29%2Cdynamic%28%5B%5D%29%29%20%2F%2F%20return%20only%20unique%20subnet%20ids%0A%7C%20mv-expand%20subnetId%20%3D%20subnetIds%0A%7C%20extend%20subnetId%20%3D%20tostring%28subnetId%29%0A%7C%20project-away%20vmNICSubnetIds%2C%20vmssSubnetIds%2C%20subnetIds%0A%7C%20extend%20backendType%20%3D%20iff%28isnotempty%28bes%29%2Ciff%28isnotempty%28nicLoadBalancerId%29%2C%27VMs%27%2Ciff%28isnotempty%28vmssLoadBalancerId%29%2C%27VMSS%27%2C%27Empty%27%29%29%2C%27Empty%27%29%0A%7C%20extend%20lbHasIPv6PublicIP%20%3D%20iff%28isnotempty%28publicIPv6LBId%29%2Ctrue%2Cfalse%29%0A%7C%20project-away%20fes%2C%20bes%2C%20nicLoadBalancerId%2C%20vmssLoadBalancerId%2C%20publicIPv6LBId%2C%20subnetId%0A%7C%20extend%20vmsHavePublicIPs%20%3D%20iff%28publicIpCount%20%3E%200%2Ctrue%2Cfalse%29%0A%7C%20extend%20vmssHasPublicIPs%20%3D%20iff%28isnotempty%28vmssHasPublicIPConfig%29%2CvmssHasPublicIPConfig%2Cfalse%29%0A%7C%20extend%20warnings%20%3D%20dynamic%28%5B%5D%29%0A%7C%20extend%20errors%20%3D%20dynamic%28%5B%5D%29%0A%7C%20extend%20warnings%20%3D%20iff%28vmssHasPublicIPs%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMSS%20instances%20have%20Public%20IPs%3A%20VMSS%20Public%20IPs%20will%20change%20during%20migration%27%2C%27VMSS%20instances%20have%20Public%20IPs%3A%20NSGs%20will%20be%20required%20for%20internet%20access%20through%20VMSS%20instance%20public%20IPs%20once%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28vmsHavePublicIPs%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMs%20have%20Public%20IPs%3A%20NSGs%20will%20be%20required%20for%20internet%20access%20through%20VM%20public%20IPs%20once%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28backendType%20%3D%3D%20%27VMs%27%20and%20internalOrExternal%20%3D%3D%20%27Internal%27%20and%20not%28vmsHavePublicIPs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27Internal%20Load%20Balancer%3A%20LB%20is%20internal%20and%20VMs%20do%20not%20have%20Public%20IPs.%20Unless%20internet%20traffic%20is%20already%20%20being%20routed%20through%20an%20NVA%2C%20VMs%20will%20have%20no%20internet%20connectivity%20post-migration%20without%20additional%20action.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28backendType%20%3D%3D%20%27VMSS%27%20and%20internalOrExternal%20%3D%3D%20%27Internal%27%20and%20not%28vmssHasPublicIPs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27Internal%20Load%20Balancer%3A%20LB%20is%20internal%20and%20VMSS%20instances%20do%20not%20have%20Public%20IPs.%20Unless%20internet%20traffic%20is%20already%20being%20routed%20through%20an%20NVA%2C%20VMSS%20instances%20will%20have%20no%20internet%20connectivity%20post-migration%20without%20additional%20action.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27External%27%20and%20backendPoolCount%20%3E%201%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27External%20Load%20Balancer%3A%20LB%20is%20external%20and%20has%20multiple%20backend%20pools.%20Outbound%20rules%20will%20not%20be%20created%20automatically.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28backendType%20%3D%3D%20%27VMs%27%20and%20%28vmsHavePublicIPs%20or%20internalOrExternal%20%3D%3D%20%27External%27%29%20and%20not%28allVMNicsHaveNSGs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMs%20Missing%20NSGs%3A%20Not%20all%20VM%20NICs%20or%20subnets%20have%20associated%20NSGs.%20An%20NSG%20will%20be%20created%20to%20allow%20load%20balanced%20traffic%2C%20but%20it%20is%20preferred%20that%20you%20create%20and%20associate%20an%20NSG%20before%20starting%20the%20migration.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28backendType%20%3D%3D%20%27VMSS%27%20and%20%28vmssHasPublicIPs%20or%20internalOrExternal%20%3D%3D%20%27External%27%29%20and%20not%28allVMSSNicsHaveNSGs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMSS%20Missing%20NSGs%3A%20Not%20all%20VMSS%20NICs%20or%20subnets%20have%20associated%20NSGs.%20An%20NSG%20will%20be%20created%20to%20allow%20load%20balanced%20traffic%2C%20but%20it%20is%20preferred%20that%20you%20create%20and%20associate%20an%20NSG%20before%20starting%20the%20migration.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28bag_keys%28tags%29%20contains%20%27resourceType%27%20and%20tags%5B%27resourceType%27%5D%20%3D%3D%20%27Service%20Fabric%27%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27Service%20Fabric%20LB%3A%20LB%20appears%20to%20be%20in%20front%20of%20a%20Service%20Fabric%20Cluster.%20Unmanaged%20SF%20clusters%20may%20take%20an%20hour%20or%20more%20to%20migrate%3B%20managed%20are%20not%20supported%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warningCount%20%3D%20array_length%28warnings%29%0A%7C%20extend%20errors%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27External%27%20and%20lbHasIPv6PublicIP%29%2Carray_concat%28errors%2Cdynamic%28%5B%27External%20Load%20Balancer%20has%20IPv6%3A%20LB%20is%20external%20and%20has%20an%20IPv6%20Public%20IP.%20Basic%20SKU%20IPv6%20public%20IPs%20cannot%20be%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cerrors%29%0A%7C%20extend%20errors%20%3D%20iff%28%28id%20matches%20regex%20%40%27%2F%28kubernetes%7Ckubernetes-internal%29%5E%27%20or%20%28bag_keys%28tags%29%20contains%20%27aks-managed-cluster-name%27%29%29%2Carray_concat%28errors%2Cdynamic%28%5B%27AKS%20Load%20Balancer%3A%20Load%20balancer%20appears%20to%20be%20in%20front%20of%20a%20Kubernetes%20cluster%2C%20which%20is%20not%20supported%20for%20migration%27%5D%29%29%2Cerrors%29%0A%7C%20extend%20errorCount%20%3D%20array_length%28errors%29%0A%7C%20project%20id%2CinternalOrExternal%2Cwarnings%2Cerrors%2CwarningCount%2CerrorCount%2CsubscriptionId%2CresourceGroup%2Cname%0A%7C%20sort%20by%20errorCount%2CwarningCount%0A%7C%20project-away%20errorCount%2CwarningCount).

+You can train the model by providing a model and a labeled image directory as inputs to [Train PyTorch Model](train-pytorch-model.md). The trained model can then be used to predict values for the new input examples using [Score Image Model](score-image-model.md).

+5. Connect the output of **ResNet** component, training and validation image dataset component to the [Train PyTorch Model](train-pytorch-model.md).

+| Untrained model | UntrainedModelDirectory | An untrained ResNet model that can be connected to Train PyTorch Model. |

+See the [set of components available](component-reference.md) to Azure Machine Learning.

+[!notebook-python[] (~/azureml-examples-main/sdk/python/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=define-input)]

+ > By default, MLflow will use the first text column available in the input data to generate embeddings from. Use the environment variable `AZUREML_BI_TEXT_COLUMN` with the name of an existing column in the input dataset to change the column if needed. Leave it blank if the default behavior works for you.

+ > [!Note]

+ > - Don't install any other components, such as the **Microsoft Monitoring Agent (MMA)** or **Replication appliance**, on the same server hosting the Azure Migrate appliance. If you install the MMA agent, you can face problems like **"Multiple custom attributes of the same type found"**. It's recommended to have a dedicated server to deploy the appliance.

+ > - Federal Information Processing Standards (FIPS) mode is not supported for appliance deployment.

+This article describes the key components of the NAT gateway resource that enable it to provide highly secure, scalable, and resilient outbound connectivity. Some of these components can be configured in your subscription through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, or appropriate alternatives.

+* When NAT gateway is attached to a subnet, it assumes the default route to the internet. Only one NAT gateway can serve as the default route to the internet for a subnet.

+A NAT gateway can be associated with static public IP addresses or public IP prefixes for providing outbound connectivity. NAT Gateway supports IPv4 addresses. A NAT gateway can use public IP addresses or prefixes in any combination up to a total of 16 IP addresses. If you assign a public IP prefix, the entire public IP prefix is used. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT gateway grooms all traffic to the range of IP addresses of the prefix.

+A TCP reset packet is sent only upon detecting traffic on the dropped connection flow. This operation means a TCP reset packet may not be sent right away after a connection flow drops.

+| TCP half open | During connection establishment where one connection endpoint is waiting for acknowledgment from the other endpoint, a 30-second timer is activated. If no traffic is detected, the connection closes. Once the connection closes, the source port is available for reuse to the same destination endpoint. | 30 seconds |

+Each NAT gateway can provide up to a total of 50 Gbps of throughput. Data throughput rate limiting is split between outbound and inbound (response) data. Data throughput is rate limited at 25 Gbps for outbound and 25 Gbps for inbound (response) data per NAT gateway resource. You can split your deployments into multiple subnets and assign each subnet or group of subnets to a NAT gateway to scale out.

+The total number of connections that a NAT gateway can support at any given time is up to 2 million. If NAT gateway exceeds 2 million connections, you will see a decline in your datapath availability and new connections will fail.

+- Public IPs with DDoS protection enabled aren't supported with NAT gateway. For more information, see [DDoS limitations](/azure/ddos-protection/ddos-protection-sku-comparison#limitations).

+| `redistributeStaticRoutes` |Advertise Static Routes can have value of true/False. Default Value is False | False | |

+## Use Cases for Private Link with Azure Database for PostgreSQL flexible server

+For more information on configuring client certificates with PostgreSQL JDBC driver see this [documentation](https://jdbc.postgresql.org/documentation/ssl/)

+## Testing SSL\TLS Connectivity

+Before trying to access your SSL enabled server from client application, make sure you can get to it via psql. You should see output like the following if you have established a SSL connection.

+*psql (14.5)*

+*SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)*

+*Type "help" for help.*

+| Australia Southeast | :heavy_check_mark: (v3/v4/v5 only) | :x: | :heavy_check_mark: | :heavy_check_mark: |

+## Release: March 2024

+* Public preview of [Major Version Upgrade Support for PostgreSQL 16](concepts-major-version-upgrade.md) for Azure Database for PostgreSQL flexible server.

+### When a VNet peering is created between your hub and spoke VNet, does this cause a BGP soft reset between Azure Route Server and its peered NVAs?

+Yes. If a VNet peering is created between your hub and spoke VNet, Azure Route Server will perform a BGP soft reset by sending route refresh requests to all its peered NVAs. If the NVAs do not support BGP route refresh, then Azure Route Server will perform a BGP hard reset with the peered NVAs, which may cause connectivity disruption for traffic traversing the NVAs.

+- April 1, 2024: Reference the considerations section for sizing HANA shared file system in [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md), [SAP HANA Azure virtual machine Premium SSD storage configurations](./hana-vm-premium-ssd-v1.md), [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md), and [Azure Files NFS for SAP](planning-guide-storage-azure-files.md)

+- February 01, 2024: Added guidance for [SAP front-end printing to Universal Print](./universal-print-sap-frontend.md)

+For all volumes, NFS v4.1 is highly recommended.

+Review carefully the [considerations for sizing **/han#considerations-for-the-hana-shared-file-system), as appropriately sized **/hana/shared** volume contributes to system's stability.

+| VM SKU | RAM | Max. VM I/O<br /> Throughput | /hana/shared² | /root volume | /usr/sap |

+¹ VM type not available by default. Please contact your Microsoft account team

+² Review carefully the [considerations for sizing **/han#considerations-for-the-hana-shared-file-system)

+| VM SKU | RAM | Max. VM I/O<br /> Throughput | /hana/log volume | /hana/log I/O throughput | /hana/log IOPS | /hana/shared¹ | /root volume | /usr/sap |

+¹ Review carefully the [considerations for sizing **/han#considerations-for-the-hana-shared-file-system)

+| VM SKU | RAM | Max. VM I/O<br /> Throughput | /hanADM | /hana/shared³ | /root volume | /usr/sap | comments |

+³ Review carefully the [considerations for sizing **/han#considerations-for-the-hana-shared-file-system)

+| VM SKU | RAM | Max. VM I/O<br /> Throughput | Max VM IOPS | **/hana/log** capacity | **/hana/log** throughput | **/hana/log** IOPS | **/hana/shared**² capacity <br />using default IOPS <br /> and throughput |

+¹ VM type not available by default. Please contact your Microsoft account team

+² Review carefully the [considerations for sizing **/han#considerations-for-the-hana-shared-file-system)

+- /han#considerations-for-the-hana-shared-file-system), as appropriately sized **/hana/shared** volume contributes to system's stability

+The portal doesn't support customer-managed key encryption (CMK), which means that portal experiences like debug sessions can't have CMK-encrypted connection strings or other encrypted metadata. If your search service is configured for [CMK enforcement](search-security-manage-encryption-keys.md#6set-up-policy), debug sessions won't work.

+> Deferred messages aren't expired and automatically moved to a dead-letter queue until a client app attempts to receive them using an API and the sequence number. This behavior is by design. When a client tries to retrieve a deferred message, it's checked for [expired condition](service-bus-dead-letter-queues.md#time-to-live) and moved to a dead-letter queue if it's already expired. An expired message is moved to a deadletter subqueue only when the dead-letter feature is enabled for the entity (queue or subscription).

+Deferral is a feature created specifically for workflow processing scenarios. Workflow frameworks might require certain operations to be processed in a particular order. They might have to postpone processing of some received messages until prescribed prior work that's informed by other messages has been completed.

+A simple illustrative example is an order processing sequence in which a payment notification from an external payment provider appears in a system before the matching purchase order has been propagated from the store front to the fulfillment system. In that case, the fulfillment system might defer processing the payment notification until there's an order with which to associate it. In rendezvous scenarios, where messages from different sources drive a workflow forward, the real-time execution order might indeed be correct, but the messages reflecting the outcomes might arrive out of order.

+Deferred messages remain in the main queue along with all other active messages (unlike dead-letter messages that live in a subqueue), but they can no longer be received using the regular receive operations. Deferred messages can be discovered via [message browsing or peeking](message-browsing.md) if an application loses track of them.

+To retrieve a deferred message, its owner is responsible for remembering the **sequence number** as it defers it. Any receiver that knows the sequence number of a deferred message can later receive the message by using receive methods that take the sequence number as a parameter. For more information about sequence numbers, see [Message sequencing and timestamps](message-sequencing.md).

+for (int i = 0; i < 10; i++)

+ // creating the message omitted for brevity

+ await sender.SendMessageAsync(message);

+for (int i = 0; i < 10; i++)

+ tasks.Add(sender.SendMessageAsync(message));

+for (int i = 0; i < 10; i++)

+ await semaphore.WaitAsync();

+ tasks.Add(sender.SendMessageAsync(message).ContinueWith((t)=>semaphore.Release()));

+for (int i = 0; i < 10; i++)

+ sender.SendMessageAsync(message); // DONΓÇÖT DO THIS

+With a low-level AMQP client, Service Bus also accepts "presettled" transfers. A presettled transfer is a fire-and-forget operation for which the outcome, either way, isn't reported back to the client and the message is considered settled when sent. The lack of feedback to the client also means that there's no actionable data available for diagnostics, which means that this mode doesn't qualify for help via Azure support.

+Consider the following scenario where a subscription has five rules: two rules with actions and the other three without actions. In this example, if you send one message that matches all five rules, you get three messages on the subscription. That's two messages for two rules with actions and one message for three rules without actions.

+> [!NOTE]

+> This article applies to non-JMS scenarios. For JMS scenarios, use [message selectors](java-message-service-20-entities.md#message-selectors).

+| 9.1 CU9<br>9.1.2277.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU7<br>9.1.1993.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU6<br>9.1.1851.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU5<br>9.1.1833.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU4<br>9.1.1799.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU3<br>9.1.1653.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU2<br>9.1.1583.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 CU1<br>9.1.1436.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| 9.1 RTO<br>9.1.1390.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 |

+| | [List blob include](#list-blob-include) | Information that can be included with listing operations, such as metadata, snapshots, or versions |

+| | [Container metadata](#container-metadata) | Metadata key/value pair associated with a container |

+### Container metadata

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Container metadata |

+> | **Description** | Metadata key/value pair associated with a container.<br/>Use when you want to check specific metadata for a container. *Currently in preview.* |

+> | **Attribute** | `Microsoft.Storage/storageAccounts/blobServices/containers/metadata` |

+> | **Attribute source** | [Resource](../../role-based-access-control/conditions-format.md#resource-attributes) |

+> | **Attribute type** | [String](../../role-based-access-control/conditions-format.md#string-comparison-operators) |

+> | **Examples** | `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'`<br/>[Example: Read blobs in a container with specific metadata](storage-auth-abac-examples.md#example-read-blobs-in-container-with-specific-metadata)<br/>[Example: Write or delete blobs in container with specific metadata](storage-auth-abac-examples.md#example-write-or-delete-blobs-in-container-with-specific-metadata) |

+### List blob include

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | List blob include |

+> | **Description** | Information that can be included with a [List Blobs](/rest/api/storageservices/list-blobs) operation, such as metadata, snapshots, or versions.<br/>Use when you want to allow or restrict values for the `include` parameter when calling the [List Blobs](/rest/api/storageservices/list-blobs) operation.<br/>*Currently in preview. Available only for storage accounts where hierarchical namespace is not enabled.* |

+> | **Attribute** | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include` |

+> | **Attribute source** | [Request](../../role-based-access-control/conditions-format.md#request-attributes) |

+> | **Attribute type** | [String](../../role-based-access-control/conditions-format.md#string-comparison-operators) |

+> | **Examples** | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCaseΓÇ»{'metadata',ΓÇ»'snapshots',ΓÇ»'versions'}`<br/>`@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}`<br/>[Example: Allow list blob operation to include blob metadata, snapshots, or versions](storage-auth-abac-examples.md#example-allow-list-blob-operation-to-include-blob-metadata-snapshots-or-versions)<br/>[Example: Restrict list blob operation to not include blob metadata](storage-auth-abac-examples.md#example-restrict-list-blob-operation-to-not-include-blob-metadata) |

+| [Read blobs in container with specific metadata](#example-read-blobs-in-container-with-specific-metadata) | | | | container metadata |

+| [Write or delete blobs in container with specific metadata](#example-write-or-delete-blobs-in-container-with-specific-metadata) | | | | container metadata |

+| [Allow list blob operation to include blob metadata, snapshots, or versions](#example-allow-list-blob-operation-to-include-blob-metadata-snapshots-or-versions) | | | list blob include | |

+| [Restrict list blob operation to not include blob metadata](#example-restrict-list-blob-operation-to-not-include-blob-metadata) | | | list blob include | |

+## Blob container metadata

+### Example: Read blobs in container with specific metadata

+This condition allows users to read blobs in blob containers with a specific metadata key/value pair.

+You must add this condition to any role assignments that include the following action.

+> [!div class="mx-tableFixed"]

+> | Action | Notes |

+> | | |

+> | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | |

+The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the **Visual editor** tab and the **Code editor** tabs to view the examples for your preferred portal editor.

+# [Portal: Visual editor](#tab/portal-visual-editor)

+Here are the settings to add this condition using the Azure portal.

+> [!div class="mx-tableFixed"]

+> | Condition #1 | Setting |

+> | | |

+> | Actions | [Read a blob](storage-auth-abac-attributes.md#read-a-blob) |

+> | Attribute source | [Resource](../../role-based-access-control/conditions-format.md#resource-attributes) |

+> | Attribute | [Container metadata](storage-auth-abac-attributes.md#container-metadata) |

+> | Operator | [StringEquals](../../role-based-access-control/conditions-format.md#stringequals) |

+> | Value | {containerName} |

+# [Portal: Code editor](#tab/portal-code-editor)

+To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.

+**Storage Blob Data Reader**

+```

+(

+ (

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})

+ )

+ OR

+ (

+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'

+ )

+)

+```

+# [PowerShell](#tab/azure-powershell)

+Here's how to add this condition using Azure PowerShell.

+```azurepowershell

+$condition = "( `

+ ( `

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `

+ ) `

+ OR `

+ ( `

+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `

+ ) `

+)"

+$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID

+$testRa.Condition = $condition

+$testRa.ConditionVersion = "2.0"

+Set-AzRoleAssignment -InputObject $testRa -PassThru

+```

+### Example: Write or delete blobs in container with specific metadata

+This condition allows users to write or delete blobs in blob containers with a specific metadata key/value pair.

+You must add this condition to any role assignments that include the following action.

+> [!div class="mx-tableFixed"]

+> | Action | Notes |

+> | | |

+> | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` | |

+> | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` | |

+The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the **Visual editor** tab and the **Code editor** tabs to view the examples for your preferred portal editor.

+# [Portal: Visual editor](#tab/portal-visual-editor)

+Here are the settings to add this condition using the Azure portal.

+> [!div class="mx-tableFixed"]

+> | Condition #1 | Setting |

+> | | |

+> | Actions | [Write to a blob](storage-auth-abac-attributes.md#write-to-a-blob)<br/>[Delete a blob](storage-auth-abac-attributes.md#delete-a-blob) |

+> | Attribute source | [Resource](../../role-based-access-control/conditions-format.md#resource-attributes) |

+> | Attribute | [Container metadata](storage-auth-abac-attributes.md#container-metadata) |

+> | Operator | [StringEquals](../../role-based-access-control/conditions-format.md#stringequals) |

+> | Value | {containerName} |

+# [Portal: Code editor](#tab/portal-code-editor)

+To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.

+**Storage Blob Data Contributor**

+```

+(

+ (

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})

+ AND

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})

+ )

+ OR

+ (

+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue'

+ )

+)

+```

+# [PowerShell](#tab/azure-powershell)

+Here's how to add this condition using Azure PowerShell.

+```azurepowershell

+$condition = "( `

+ ( `

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `

+ AND `

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `

+ ) `

+ OR `

+ ( `

+ @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `

+ ) `

+) `

+$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID

+$testRa.Condition = $condition

+$testRa.ConditionVersion = "2.0"

+Set-AzRoleAssignment -InputObject $testRa -PassThru

+```

+### Example: Allow list blob operation to include blob metadata, snapshots, or versions

+This condition allows a user to list blobs in a container and include metadata, snapshot, and version information. The [List blobs include](storage-auth-abac-attributes.md#list-blob-include) attribute is available for storage accounts where hierarchical namespace isn't enabled.

+> [!NOTE]

+>[List blobs include](storage-auth-abac-attributes.md#list-blob-include) is a request attribute, and works by allowing or restricting values in the `include` parameter when calling the [List Blobs](/rest/api/storageservices/list-blobs) operation. The values in the `include` parameter are compared against the values specified in the condition using [cross product comparison operators](/azure/role-based-access-control/conditions-format#cross-product-comparison-operators). If the comparison evaluates to true, the `List Blobs` request is allowed. If the comparison evaluates to false, the `List Blobs` request is denied.

+You must add this condition to any role assignments that include the following action.

+> [!div class="mx-tableFixed"]

+> | Action | Notes |

+> | | |

+> | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | |

+The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the **Visual editor** tab and the **Code editor** tabs to view the examples for your preferred portal editor.

+# [Portal: Visual editor](#tab/portal-visual-editor)

+Here are the settings to add this condition using the Azure portal.

+> [!div class="mx-tableFixed"]

+> | Condition #1 | Setting |

+> | | |

+> | Actions | [List blobs](storage-auth-abac-attributes.md#list-blobs)|

+> | Attribute source | Request |

+> | Attribute | [List blobs include](storage-auth-abac-attributes.md#list-blob-include) |

+> | Operator | [ForAllOfAnyValues:StringEqualsIgnoreCase](../../role-based-access-control/conditions-format.md#forallofanyvalues) |

+> | Value | {'metadata',ΓÇ»'snapshots',ΓÇ»'versions'} |

+# [Portal: Code editor](#tab/portal-code-editor)

+To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.

+**Storage Blob Data Reader**

+```

+(

+ (

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})

+ )

+ OR

+ (

+ @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAnyValues:StringEqualsIgnoreCase {'metadata', 'snapshots', 'versions'}

+ )

+)

+```

+In this example, the condition restricts the read action when the suboperation is `Blob.List`. This means that a [List Blobs](/rest/api/storageservices/list-blobs) operation is further evaluated against the expression that checks the `include` values, but all other read actions are allowed.

+# [PowerShell](#tab/azure-powershell)

+Currently no example provided.

+### Example: Restrict list blob operation to not include blob metadata

+This condition restricts a user from listing blobs when metadata is included in the request. The [List blobs include](storage-auth-abac-attributes.md#list-blob-include) attribute is available for storage accounts where hierarchical namespace isn't enabled.

+> [!NOTE]

+>[List blobs include](storage-auth-abac-attributes.md#list-blob-include) is a request attribute, and works by allowing or restricting values in the `include` parameter when calling the [List Blobs](/rest/api/storageservices/list-blobs) operation. The values in the `include` parameter are compared against the values specified in the condition using [cross product comparison operators](/azure/role-based-access-control/conditions-format#cross-product-comparison-operators). If the comparison evaluates to true, the `List Blobs` request is allowed. If the comparison evaluates to false, the `List Blobs` request is denied.

+You must add this condition to any role assignments that include the following action.

+> [!div class="mx-tableFixed"]

+> | Action | Notes |

+> | | |

+> | `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | |

+The condition can be added to a role assignment using either the Azure portal or Azure PowerShell. The portal has two tools for building ABAC conditions - the visual editor and the code editor. You can switch between the two editors in the Azure portal to see your conditions in different views. Switch between the **Visual editor** tab and the **Code editor** tabs to view the examples for your preferred portal editor.

+# [Portal: Visual editor](#tab/portal-visual-editor)

+Here are the settings to add this condition using the Azure portal.

+> [!div class="mx-tableFixed"]

+> | Condition #1 | Setting |

+> | | |

+> | Actions | [List blobs](storage-auth-abac-attributes.md#list-blobs)|

+> | Attribute source | Request |

+> | Attribute | [List blobs include](storage-auth-abac-attributes.md#list-blob-include) |

+> | Operator | [ForAllOfAllValues:StringNotEquals](../../role-based-access-control/conditions-format.md#forallofallvalues) |

+> | Value | {'metadata'} |

+# [Portal: Code editor](#tab/portal-code-editor)

+To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.

+**Storage Blob Data Reader**

+```

+(

+ (

+ !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})

+ )

+ OR

+ (

+ @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:include] ForAllOfAllValues:StringNotEquals {'metadata'}

+ )

+)

+```

+In this example, the condition restricts the read action when the suboperation is `Blob.List`. This means that a [List Blobs](/rest/api/storageservices/list-blobs) operation is further evaluated against the expression that checks the `include` values, but all other read actions are allowed.

+# [PowerShell](#tab/azure-powershell)

+Currently no example provided.

+If you try to install Azure Container Storage with Ephemeral Disk, specifically with local NVMe on a cluster where the virtual machine (VM) SKU doesn't have NVMe drives, you get the following error message: *Cannot set --storage-pool-option as NVMe as none of the node pools can support ephemeral NVMe disk*.

+If you see this message, you're likely trying to create an Ephemeral Disk storage pool on a cluster where the VM SKU doesn't have NVMe drives.

+## Troubleshoot persistent volume issues

+### Can't create persistent volumes from ephemeral disk storage pools

+Because ephemeral disks (local NVMe and Temp SSD) are ephemeral and not durable, we enforce the use of [Kubernetes Generic Ephemeral Volumes](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes). If you try to create a persistent volume claim using an ephemeral disk pool, you'll see the following error: *Error from server (Forbidden): error when creating "eph-pvc.yaml": admission webhook "pvc.acstor.azure.com" denied the request: only generic ephemeral volumes are allowed in unreplicated ephemeralDisk storage pools*.

+If you need a persistent volume, where the volume has a lifecycle independent of any individual pod that's using the volume, Azure Container Storage supports replication for NVMe. You can create a storage pool with replication and create persistent volumes from there. See [Create storage pool with volume replication](use-container-storage-with-local-disk.md#optional-create-storage-pool-with-volume-replication-nvme-only) for guidance. Note that because ephemeral disk storage pools consume all the available NVMe disks, you must delete any existing ephemeral disk storage pools before creating a new storage pool with replication enabled. If you don't need persistence, you can create a generic ephemeral volume.

+> Local disks are ephemeral, meaning that they're created on the local virtual machine (VM) storage and not saved to an Azure storage service. Data will be lost on these disks if you stop/deallocate your VM. You can only create [Kubernetes generic ephemeral volumes](https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes) from an Ephemeral Disk storage pool. If you want to create a persistent volume, you have to enable [replication for your storage pool](#optional-create-storage-pool-with-volume-replication-nvme-only).

+## Deploy a pod with a generic ephemeral volume

+Create a pod using [Fio](https://github.com/axboe/fio) (Flexible I/O Tester) for benchmarking and workload simulation, that uses a generic ephemeral volume.

+ name: ephemeralvolume

+ volumes:

+ - name: ephemeralvolume

+ ephemeral:

+ volumeClaimTemplate:

+ metadata:

+ labels:

+ type: my-ephemeral-volume

+ spec:

+ accessModes: [ "ReadWriteOnce" ]

+ storageClassName: "acstor-ephemeraldisk-nvme" # replace with the name of your storage class if different

+ resources:

+ requests:

+ storage: 1Gi

+1. Check that the pod is running and that the ephemeral volume claim has been bound successfully to the pod:

+ kubectl describe pvc fiopod-ephemeralvolume

+Applications that use local NVMe can leverage storage replication for improved resiliency. Replication isn't currently supported for temp SSD.

+> [!NOTE]

+> Because Ephemeral Disk storage pools consume all the available NVMe disks, you must delete any existing Ephemeral Disk local NVMe storage pools before creating a new storage pool with replication.

+When the storage pool is created, Azure Container Storage will create a storage class on your behalf, using the naming convention `acstor-<storage-pool-name>`. Now you can [display the available storage classes](#display-the-available-storage-classes) and create a persistent volume claim.

+## Create a persistent volume claim

+A persistent volume claim (PVC) is used to automatically provision storage based on a storage class. Follow these steps to create a PVC using the new storage class.

+1. Use your favorite text editor to create a YAML manifest file such as `code acstor-pvc.yaml`.

+1. Paste in the following code and save the file. The PVC `name` value can be whatever you want.

+ ```yml

+ apiVersion: v1

+ kind: PersistentVolumeClaim

+ metadata:

+ name: ephemeralpvc

+ spec:

+ accessModes:

+ - ReadWriteOnce

+ storageClassName: acstor-ephemeraldisk-nvme # replace with the name of your storage class if different

+ resources:

+ requests:

+ storage: 100Gi

+ ```

+1. Apply the YAML manifest file to create the PVC.

+

+ ```azurecli-interactive

+ kubectl apply -f acstor-pvc.yaml

+ ```

+

+ You should see output similar to:

+

+ ```output

+ persistentvolumeclaim/ephemeralpvc created

+ ```

+

+ You can verify the status of the PVC by running the following command:

+

+ ```azurecli-interactive

+ kubectl describe pvc ephemeralpvc

+ ```

+Once the PVC is created, it's ready for use by a pod.

+## Deploy a pod and attach a persistent volume

+Create a pod using [Fio](https://github.com/axboe/fio) (Flexible I/O Tester) for benchmarking and workload simulation, and specify a mount path for the persistent volume. For **claimName**, use the **name** value that you used when creating the persistent volume claim.

+1. Use your favorite text editor to create a YAML manifest file such as `code acstor-pod.yaml`.

+1. Paste in the following code and save the file.

+ ```yml

+ kind: Pod

+ apiVersion: v1

+ metadata:

+ name: fiopod

+ spec:

+ nodeSelector:

+ acstor.azure.com/io-engine: acstor

+ volumes:

+ - name: ephemeralpv

+ persistentVolumeClaim:

+ claimName: ephemeralpvc

+ containers:

+ - name: fio

+ image: nixery.dev/shell/fio

+ args:

+ - sleep

+ - "1000000"

+ volumeMounts:

+ - mountPath: "/volume"

+ name: ephemeralpv

+ ```

+1. Apply the YAML manifest file to deploy the pod.

+

+ ```azurecli-interactive

+ kubectl apply -f acstor-pod.yaml

+ ```

+

+ You should see output similar to the following:

+

+ ```output

+ pod/fiopod created

+ ```

+1. Check that the pod is running and that the persistent volume claim has been bound successfully to the pod:

+ ```azurecli-interactive

+ kubectl describe pod fiopod

+ kubectl describe pvc ephemeralpvc

+ ```

+1. Check fio testing to see its current status:

+ ```azurecli-interactive

+ kubectl exec -it fiopod -- fio --name=benchtest --size=800m --filename=/volume/test --direct=1 --rw=randrw --ioengine=libaio --bs=4k --iodepth=16 --numjobs=8 --time_based --runtime=60

+ ```

+You've now deployed a pod that's using Ephemeral Disk as its storage, and you can use it for your Kubernetes workloads.

+## Detach and reattach a persistent volume

+To detach a persistent volume, delete the pod that the persistent volume is attached to. Replace `<pod-name>` with the name of the pod, for example **fiopod**.

+```azurecli-interactive

+kubectl delete pods <pod-name>

+```

+To reattach a persistent volume, simply reference the persistent volume claim name in the YAML manifest file as described in [Deploy a pod and attach a persistent volume](#deploy-a-pod-and-attach-a-persistent-volume).

+To check which persistent volume a persistent volume claim is bound to, run `kubectl get pvc <persistent-volume-claim-name>`.

+| Switzerland North | GA |

+| Switzerland West | GA |

+Using Teams in a virtualized environment is different from using Teams in a nonvirtualized environment. For more information about the limitations of Teams in virtualized environments, check out [Teams for Virtualized Desktop Infrastructure](/microsoftteams/teams-for-vdi#known-issues-and-limitations).

+### Client deployment, installation, and set up

+- Media optimizations isn't supported for Teams running as a RemoteApp on macOS endpoints.

+- Teams doesn't support the ability to be on a native Teams call and a Teams call in the Azure Virtual Desktop session simultaneously while connected to a HID device.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+ - You can [install Azure PowerShell](/powershell/azure/install-azure-powershell) to run the cmdlets. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to sign in to Azure.

+ - You can [install Azure CLI](/cli/azure/install-azure-cli) to run the commands. Use [az login](/cli/azure/reference-index#az-login) command to sign in to Azure.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+ - You can [install Azure PowerShell](/powershell/azure/install-azure-powershell) to run the cmdlets. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to sign in to Azure.

+ - You can [install Azure CLI](/cli/azure/install-azure-cli) to run the commands. Use [az login](/cli/azure/reference-index#az-login) command to sign in to Azure.