Updates from: 04/21/2021 03:28:21
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-domain-services Faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/faqs.md
This page answers frequently asked questions about Azure Active Directory Domain
* [Can I add domain controllers to an Azure AD Domain Services managed domain?](#can-i-add-domain-controllers-to-an-azure-ad-domain-services-managed-domain) * [Can guest users be invited to my directory use Azure AD Domain Services?](#can-guest-users-be-invited-to-my-directory-use-azure-ad-domain-services) * [Can I move an existing Azure AD Domain Services managed domain to a different subscription, resource group, region, or virtual network?](#can-i-move-an-existing-azure-ad-domain-services-managed-domain-to-a-different-subscription-resource-group-region-or-virtual-network)
+* [Can I rename an existing Azure AD Domain Services domain name?](#can-i-rename-an-existing-azure-ad-domain-services-domain-name)
* [Does Azure AD Domain Services include high availability options?](#does-azure-ad-domain-services-include-high-availability-options) ### Can I create multiple managed domains for a single Azure AD directory?
No. Guest users invited to your Azure AD directory using the [Azure AD B2B](../a
### Can I move an existing Azure AD Domain Services managed domain to a different subscription, resource group, region, or virtual network? No. After you create an Azure AD Domain Services managed domain, you can't then move the managed domain to a different resource group, virtual network, subscription, etc. Take care to select the most appropriate subscription, resource group, region, and virtual network when you deploy the managed domain.
+### Can I rename an existing Azure AD Domain Services domain name?
+No. After you create an Azure AD Domain Services managed domain, you can't change the DNS domain name. Choose the DNS domain name carefully when you create the managed domain. For considerations when you choose the DNS domain name, see the [tutorial to create and configure an Azure AD Domain Services managed domain](tutorial-create-instance.md#create-a-managed-domain).
+ ### Does Azure AD Domain Services include high availability options? Yes. Each Azure AD Domain Services managed domain includes two domain controllers. You don't manage or connect to these domain controllers, they're part of the managed service. If you deploy Azure AD Domain Services into a region that supports Availability Zones, the domain controllers are distributed across zones. In regions that don't support Availability Zones, the domain controllers are distributed across Availability Sets. You have no configuration options or management control over this distribution. For more information, see [Availability options for virtual machines in Azure](../virtual-machines/availability.md).
active-directory Concept Sspr Howitworks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-howitworks.md
When you don't require registration, users aren't prompted during sign-in, but t
To make sure that authentication methods are correct when they're needed to reset or change their password, you can require users confirm their info registered information after a certain period of time. This option is only available if you enable the **Require users to register when signing in** option.
-Valid values to prompt a user to confirm their registered methods are from *0* to *730* days. Setting this value to *0* means that users are never asked to confirm their authentication information.
+Valid values to prompt a user to confirm their registered methods are from *0* to *730* days. Setting this value to *0* means that users are never asked to confirm their authentication information. When using the combined registration experience users will be required to confirm their identity before reconfirming their information.
## Authentication methods
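Review bot: The sentence appended on the + line is missing a comma after its introductory clause ("When using the combined registration experience users will be required ...") and does not say what "confirm their identity" involves. Suggest "When using the combined registration experience, users must confirm their identity before reconfirming their information" and naming the step. The unchanged context line above still reads "confirm their info registered information", which could be corrected in the same change.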
active-directory Howto Authentication Passwordless Security Key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md
If you'd like to share feedback or encounter issues with this feature, share via
Administrator provisioning and de-provisioning of security keys is not available.
-**Note:** FIDO2 Cached logon fails on hybrid Azure AD joined machine specific to win10 20H2 version (when LOS to DC unavailable). This is currently under investigation with Engineering.
+### Cached logon on Hybrid Azure AD joined devices
+
+Cached logon with FIDO2 keys fails on hybrid Azure AD joined devices on Windows 10, version 20H2. As a result, users will not be able to login when line of sight to the on-premises domain controller is unavailable. This is currently under investigation.
### UPN changes
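Review bot: In the new paragraph under "Cached logon on Hybrid Azure AD joined devices", "users will not be able to login" uses the noun form as a verb; it should read "sign in" or "log in". The heading capitalizes "Hybrid" while the body uses "hybrid Azure AD joined devices", so pick one form. The removed note said the failure was "specific to" 20H2; if that is still the case, the new text should state it as plainly.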
active-directory Howto Mfa Mfasettings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-mfasettings.md
Previously updated : 03/16/2021 Last updated : 04/13/2021
The remember Multi-Factor Authentication feature sets a persistent cookie on the
The **Don't ask again for X days** option isn't shown on non-browser applications, regardless of whether the app supports modern authentication. These apps use _refresh tokens_ that provide new access tokens every hour. When a refresh token is validated, Azure AD checks that the last multi-factor authentication occurred within the specified number of days.
-The feature reduces the number of authentications on web apps, which normally prompt every time. The feature can increase the number of authentications for modern authentication clients that normally prompt every 90 days, if a lower duration is configured. May also increase the number of authentications when combined with Conditional Access policies.
+The feature reduces the number of authentications on web apps, which normally prompt every time. The feature can increase the number of authentications for modern authentication clients that normally prompt every 180 days, if a lower duration is configured. May also increase the number of authentications when combined with Conditional Access policies.
> [!IMPORTANT] > The **remember Multi-Factor Authentication** feature isn't compatible with the **keep me signed in** feature of AD FS, when users perform multi-factor authentication for AD FS through Azure Multi-Factor Authentication Server or a third-party multi-factor authentication solution.
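Review bot: The + line changes 90 days to 180 days but keeps the trailing fragment "May also increase the number of authentications when combined with Conditional Access policies.", which has no subject. Suggest "The feature may also increase ..." while this paragraph is being edited. Since the number is the only substantive change, the commit should reference where the 180-day value comes from.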
active-directory Howto Mfa Nps Extension Rdg https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md
Once an account has been enabled for MFA, you cannot sign in to resources govern
Follow the steps in [What does Azure AD Multi-Factor Authentication mean for me?](../user-help/multi-factor-authentication-end-user-first-time.md) to understand and properly configure your devices for MFA with your user account. > [!IMPORTANT]
-> The sign in behavior for Remote Desktop Gateway doesn't provide the option to enter a verification code with Azure AD Multi-Factor Authentication. A user account must be configured for phone verification or the Microsoft Authenticator App with push notifications.
+> The sign-in behavior for Remote Desktop Gateway doesn't provide the option to enter a verification code with Azure AD Multi-Factor Authentication. A user account must be configured for phone verification or the Microsoft Authenticator App with push notifications.
>
-> If one of these two authentication methods isn't configured for a user, they won't be able to complete the Azure AD Multi-Factor Authentication challenge and sign in to the Remote Desktop Gateway.
+> If neither phone verification or the Microsoft Authenticator App with push notifications is configured for a user, the user won't be able to complete the Azure AD Multi-Factor Authentication challenge and sign in to Remote Desktop Gateway.
+>
+> The SMS text method doesn't work with Remote Desktop Gateway because it doesn't provide the option to enter a verification code.
## Install and configure NPS extension
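Review bot: The rewritten second paragraph of the IMPORTANT block uses "neither phone verification or the Microsoft Authenticator App"; it should be "neither ... nor". The added third paragraph about SMS repeats the reason already given in the first paragraph ("doesn't provide the option to enter a verification code"). Consider folding the SMS statement into the first paragraph so the supported and unsupported methods are listed together.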
The image below from Microsoft Message Analyzer shows network traffic filtered o
[Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md)
-[Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md)
+[Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md)
active-directory Howto Registration Mfa Sspr Combined https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md
Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Azure AD Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Azure AD Multi-Factor Authentication and SSPR. > [!NOTE]
-> Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration.
+> Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration. Tenants created after this date will be unable to utilize the legacy registration workflows.
To make sure you understand the functionality and effects before you enable the new experience, see the [Combined security information registration concepts](concept-registration-mfa-sspr-combined.md).
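Review bot: The added sentence says "Tenants created after this date", while the sentence before it says "Starting on August 15th 2020", so a tenant created on that date is covered by the first sentence and not by the second. Suggest "Tenants created on or after this date can't use the legacy registration workflows" so both sentences describe the same set of tenants.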
active-directory Howto Conditional Access Policy Registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md
Previously updated : 03/29/2021 Last updated : 04/20/2021
For [guest users](../external-identities/what-is-b2b.md) who need to register fo
[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md) [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)+
+[Require users to reconfirm authentication information](../authentication/concept-sspr-howitworks.md#reconfirm-authentication-information)
active-directory Howto Create Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-create-service-principal-portal.md
If you choose not to use a certificate, you can create a new application secret.
![Copy the secret value because you can't retrieve this later](./media/howto-create-service-principal-portal/copy-secret.png) ## Configure access policies on resources
-Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](../../key-vault/general/secure-your-key-vault.md#data-plane-and-access-policies) to give your application access to keys, secrets, or certificates.
+Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also [update a key vault's access policies](../../key-vault/general/security-overview.md#privileged-access) to give your application access to keys, secrets, or certificates.
1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, navigate to your key vault and select **Access policies**. 1. Select **Add access policy**, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
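Review bot: On the + line the link text is still "update a key vault's access policies", but the target moves from an anchor named `#data-plane-and-access-policies` to `security-overview.md#privileged-access`. Please confirm that the new section actually explains how to update access policies; if it only gives an overview, either change the link text or point to the article that covers the steps that follow in this list.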
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Azure Cloud Shell is a free, interactive shell that you can use to run the steps
If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article [Install Azure CLI](/cli/azure/install-azure-cli).
-1. Create a resource group with [az group create](/cli/azure/group#az-group-create).
-1. Create a VM with [az vm create](/cli/azure/vm#az-vm-create) using a supported distribution in a supported region.
+1. Create a resource group with [az group create](/cli/azure/group#az_group_create).
+1. Create a VM with [az vm create](/cli/azure/vm#az_vm_create) using a supported distribution in a supported region.
1. Install the Azure AD login VM extension. The following example deploys a VM named myVM that uses Win2019Datacenter, into a resource group named myResourceGroup, in the southcentralus region. In the following examples, you can provide your own resource group and VM names as needed.
az vm create \
It takes a few minutes to create the VM and supporting resources.
-Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use [az vm extension](/cli/azure/vm/extension#az-vm-extension-set) set to install the AADLoginForWindows extension on the VM named `myVM` in the `myResourceGroup` resource group:
+Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use [az vm extension](/cli/azure/vm/extension#az_vm_extension_set) set to install the AADLoginForWindows extension on the VM named `myVM` in the `myResourceGroup` resource group:
> [!NOTE] > You can install AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Azure AD authentication. An example of AZ CLI is shown below.
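Review bot: In the paragraph that starts "Finally, install the Azure AD login VM extension", the link text is "az vm extension" with the word "set" left outside the brackets, although the anchor is `#az_vm_extension_set`. Since this line is already being changed for the anchor format, move "set" inside the link text so it reads as the full command name. The same paragraph says "for Windows VM", which needs an article or a plural.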
After a few moments, the security principal is assigned the role at the selected
### Using the Azure Cloud Shell experience
-The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. The username of your active Azure account is obtained with [az account show](/cli/azure/account#az-account-show), and the scope is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az-vm-show). The scope could also be assigned at a resource group or subscription level, and normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).
+The following example uses [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. The username of your active Azure account is obtained with [az account show](/cli/azure/account#az_account_show), and the scope is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az_vm_show). The scope could also be assigned at a resource group or subscription level, and normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).
``` AzureCLI $username=$(az account show --query user.name --output tsv)
az role assignment create \
``` > [!NOTE]
-> If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with the `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az-ad-user-list).
+> If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with the `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az_ad_user_list).
For more information on how to use Azure RBAC to manage access to your Azure subscription resources, see the following articles:
active-directory Domains Admin Takeover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/domains-admin-takeover.md
documentationcenter: ''
+ Previously updated : 12/02/2020 Last updated : 04/18/2021
active-directory Domains Verify Custom Subdomain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md
+ Previously updated : 11/15/2020 Last updated : 04/18/2021
active-directory Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/conditional-access.md
The resource tenant is always responsible for Azure AD Multi-Factor Authenticati
6. Fabrikam must have sufficient premium Azure AD licenses that support Azure AD Multi-Factor Authentication. The user from Contoso then consumes this license from Fabrikam. See [billing model for Azure AD external identities](./external-identities-pricing.md) for information on the B2B licensing. >[!NOTE]
->Azure AD Multi-Factor Authentication is done at resource tenancy to ensure predictability. When the guest user signs in, they'll see the resource tenant sign-in page displayed in the background, and their own home tenant sign-in page and company logo in the foreground, as shown in the following example.
->
->![Sign-in page example](./media/conditional-access-b2b/resource-tenant-mfa.png)
-
+>Azure AD Multi-Factor Authentication is done at resource tenancy to ensure predictability. When the guest user signs in, they'll see the resource tenant sign-in page displayed in the background, and their own home tenant sign-in page and company logo in the foreground.
### Set up Azure AD Multi-Factor Authentication for B2B users
active-directory Active Directory Access Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md
- # Quickstart: Create a new tenant in Azure Active Directory+ You can do all of your administrative tasks using the Azure Active Directory (Azure AD) portal, including creating a new tenant for your organization. In this quickstart, you'll learn how to get to the Azure portal and Azure Active Directory, and you'll learn how to create a basic tenant for your organization.
In this quickstart, you'll learn how to get to the Azure portal and Azure Active
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. ## Create a new tenant for your organization+ After you sign in to the Azure portal, you can create a new tenant for your organization. Your new tenant represents your organization and helps you to manage a specific instance of Microsoft cloud services for your internal and external users. ### To create a new tenant
Your new tenant is created with the domain contoso.onmicrosoft.com.
## Your user account in the new tenant
-When you create a new AAD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the [Global Admin](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) role. Check out your user account by navigating to the [**Users**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers) page.
+When you create a new Azure AD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the [Global Admin](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) role. Check out your user account by navigating to the [**Users**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers) page.
By default, you're also listed as the [technical contact](https://docs.microsoft.com/microsoft-365/admin/manage/change-address-contact-and-more?view=o365-worldwide#what-do-these-fields-mean) for the tenant. Technical contact information is something you can change in [**Properties**](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
+> [!WARNING]
+> Ensure your directory has at least two accounts with global administrator privileges assigned to them. This will help in the case that one global administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
+ ## Clean up resources+ If you're not going to continue to use this application, you can delete the tenant using the following steps: - Ensure that you're signed in to the directory that you want to delete through the **Directory + subscription** filter in the Azure portal. Switch to the target directory if needed.
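Review bot: The added WARNING uses "global administrator" in lower case, while the paragraph just above it in the same section links the role as "Global Admin"; use one name for the role. "For more detail see the article, [Manage emergency access accounts ...]" has the comma in the wrong place; suggest "For more detail, see [Manage emergency access accounts in Azure AD]". The identical block is also added to the security defaults article in this update, so a shared include would keep the two copies from drifting.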
If you're not going to continue to use this application, you can delete the tena
<kbd>![Overview page, with highlighted Delete directory button](media/active-directory-access-create-new-tenant/azure-ad-delete-new-tenant.png)</kbd> ## Next steps+ - Change or add additional domain names, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md) - Add users, see [Add or delete a new user](add-users-azure-active-directory.md)
active-directory Active Directory How To Find Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-how-to-find-tenant.md
Last updated 10/30/2020 -+
For more information, see the Microsoft 365 [tenant id get](https://pnp.github.i
- To learn how to associate or add a subscription to a tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](active-directory-how-subscriptions-associated-directory.md). -- To learn how to find the object ID, see [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id).
+- To learn how to find the object ID, see [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id).
active-directory Auth Ssh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/auth-ssh.md
SSH with Azure AD
* [OAuth 2.0 device code flow - Microsoft identity platform ](../develop/v2-oauth2-device-code.md)
-* [Integrate with Azure Active Directory (akamai.com)](https://learn.akamai.com/webhelp/enterprise-application-access/enterprise-application-access/GUID-6B16172C-86CC-48E8-B30D-8E678BF3325F.html)
+* [Integrate with Azure Active Directory (akamai.com)](https://learn.akamai.com/en-us/webhelp/enterprise-application-access/enterprise-application-access/GUID-6B16172C-86CC-48E8-B30D-8E678BF3325F.html)
active-directory Concept Fundamentals Security Defaults https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md
Previously updated : 05/13/2020 Last updated : 04/20/2021
# What are security defaults?
-Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more and more popular. Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:
+Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults make it easier to help protect your organization from these attacks with preconfigured security settings:
- Requiring all users to register for Azure AD Multi-Factor Authentication. - Requiring administrators to perform multi-factor authentication.
More details on why security defaults are being made available can be found in A
## Availability
-Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
+Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. If your tenant was created on or after October 22, 2019, it is possible security defaults are already enabled in your tenant. To protect all of our users, security defaults is being rolled out to all new tenants created.
### Who's it for?
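Review bot: The + line in the Availability paragraph treats the feature name as plural in "security defaults are already enabled" and as singular in "security defaults is being rolled out". Pick one agreement and apply it throughout the paragraph. The closing "all new tenants created" can drop "created".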
Microsoft is making security defaults available to everyone. The goal is to ensu
- If you are an organization currently using Conditional Access policies to bring signals together, to make decisions, and enforce organizational policies, security defaults are probably not right for you. - If you are an organization with Azure Active Directory Premium licenses, security defaults are probably not right for you.-- If your organization has complex security requirements you should consider Conditional Access.
+- If your organization has complex security requirements, you should consider Conditional Access.
## Policies enforced
After registration with Azure AD Multi-Factor Authentication is finished, the fo
- User administrator - Authentication administrator
+> [!WARNING]
+> Ensure your directory has at least two accounts with global administrator privileges assigned to them. This will help in the case that one global administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
+ ### Protecting all users We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.
One common method to improve protection for all users is to require a stronger f
### Blocking legacy authentication
-To give your users easy access to your cloud apps, Azure AD supports a variety of authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by:
+To give your users easy access to your cloud apps, Azure AD supports various authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by:
- Clients that don't use modern authentication (for example, an Office 2010 client). - Any client that uses older mail protocols such as IMAP, SMTP, or POP3.
-Today, the majority of compromising sign-in attempts come from legacy authentication. Legacy authentication does not support Multi-Factor Authentication. Even if you have a Multi-Factor Authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass Multi-Factor Authentication.
+Today, most compromising sign-in attempts come from legacy authentication. Legacy authentication does not support Multi-Factor Authentication. Even if you have a Multi-Factor Authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass Multi-Factor Authentication.
After security defaults are enabled in your tenant, all authentication requests made by an older protocol will be blocked. Security defaults blocks Exchange Active Sync basic authentication.
After security defaults are enabled in your tenant, all authentication requests
### Protecting privileged actions
-Organizations use a variety of Azure services managed through the Azure Resource Manager API, including:
+Organizations use various Azure services managed through the Azure Resource Manager API, including:
- Azure portal - Azure PowerShell - Azure CLI
-Using Azure Resource Manager to manage your services is a highly privileged action. Azure Resource Manager can alter tenant-wide configurations, such as service settings and subscription billing. Single-factor authentication is vulnerable to a variety of attacks like phishing and password spray.
+Using Azure Resource Manager to manage your services is a highly privileged action. Azure Resource Manager can alter tenant-wide configurations, such as service settings and subscription billing. Single-factor authentication is vulnerable to various attacks like phishing and password spray.
It's important to verify the identity of users who want to access Azure Resource Manager and update configurations. You verify their identity by requiring additional authentication before you allow access.
active-directory Users Default Permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/users-default-permissions.md
Users can perform the following actions on owned groups.
| microsoft.directory/groups/appRoleAssignments/update | Update groups.appRoleAssignments property in Azure Active Directory. | | microsoft.directory/groups/basic/update | Update basic properties on groups in Azure Active Directory. | | microsoft.directory/groups/delete | Delete groups in Azure Active Directory. |
-| microsoft.directory/groups/dynamicMembershipRule/update | Update groups.dynamicMembershipRule property in Azure Active Directory. |
| microsoft.directory/groups/members/update | Update groups.members property in Azure Active Directory. | | microsoft.directory/groups/owners/update | Update groups.owners property in Azure Active Directory. | | microsoft.directory/groups/restore | Restore groups in Azure Active Directory. |
Users can perform the following actions on owned groups.
* To learn more about how to assign Azure AD administrator roles, see [Assign a user to administrator roles in Azure Active Directory](active-directory-users-assign-role-azure-portal.md) * To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md) * For more information on how Azure Active Directory relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)
-* [Manage users](add-users-azure-active-directory.md)
+* [Manage users](add-users-azure-active-directory.md)
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Last updated 12/23/2020 -++ #Customer intent: As an administrator, I want to extend data retention in entitlement management past the default period by using Azure Monitor.
$bResponse.Results |ft
``` ## Next steps:-- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
+- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
active-directory F5 Bigip Deployment Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-bigip-deployment-guide.md
Last updated 10/12/2020 -++ # Tutorial to deploy F5 BIG-IP Virtual Edition VM in Azure IaaS for secure hybrid access
Get-AzVmSnapshot -ResourceGroupName '<E.g.contoso-RG>' -VmName '<E.g.BIG-IP-VM>'
## Next steps
-Select a [deployment scenario](f5-aad-integration.md) and start your implementation.
+Select a [deployment scenario](f5-aad-integration.md) and start your implementation.
active-directory Sso Options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/sso-options.md
With password-based sign-on, users sign on to the application with a username an
Password-based single sign-on uses the existing authentication process provided by the application. When you enable password single sign-on for an application, Azure AD collects and securely stores user names and passwords for the application. User credentials are stored in an encrypted state in the directory.
+Additionaly, Administrator can enable Azure AD conditional access policies or multi-factor authentication for password-based SSO.
+ Choose password-based single sign-on when: - An application doesn't support SAML single sign-on protocol. - An application authenticates with a username and password instead of access tokens and headers.
->[!NOTE]
->You cannot apply conditional access policies or multi-factor authentication for password-based SSO.
- Password-based single sign-on is supported for any cloud-based application that has an HTML-based sign-in page. The user can use any of the following browsers: - Internet Explorer 11 on Windows 7 or later
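Review bot: The sentence added before "Choose password-based single sign-on when:" has a typo and a number mismatch ("Additionaly, Administrator can enable ..."); suggest "Additionally, administrators can enable Azure AD conditional access policies or multi-factor authentication for password-based SSO." The same hunk deletes the NOTE that said these controls cannot be applied, so the article's guidance flips from "cannot" to "can" without any link to where such a policy is configured. A pointer to the conditional access documentation would let readers act on the new statement.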
To learn more about header-based authentication, see [Header-based SSO](applicat
## Next steps * [Quickstart Series on Application Management](view-applications-portal.md) * [Plan a single sign-on deployment](plan-sso-deployment.md)
-* [Single sign-on with on-premises apps](application-proxy-config-sso-how-to.md)
+* [Single sign-on with on-premises apps](application-proxy-config-sso-how-to.md)
active-directory How To Assign App Role Managed Identity Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md
na
Last updated 12/10/2020 -++ # Assign a managed identity access to an application role using PowerShell
New-AzureADServiceAppRoleAssignment `
## Next steps - [Managed identity for Azure resources overview](overview.md)-- To enable managed identity on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md).
+- To enable managed identity on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md).
active-directory How To Manage Ua Identity Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md
If you don't already have an Azure account, [sign up for a free account](https:/
To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
-Use the [az identity create](/cli/azure/identity#az-identity-create) command to create a user-assigned managed identity. The `-g` parameter specifies the resource group where to create the user-assigned managed identity, and the `-n` parameter specifies its name. Replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
+Use the [az identity create](/cli/azure/identity#az_identity_create) command to create a user-assigned managed identity. The `-g` parameter specifies the resource group where to create the user-assigned managed identity, and the `-n` parameter specifies its name. Replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
[!INCLUDE [ua-character-limit](~/includes/managed-identity-ua-character-limits.md)]
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
To list/read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
-To list user-assigned managed identities, use the [az identity list](/cli/azure/identity#az-identity-list) command. Replace the `<RESOURCE GROUP>` with your own value:
+To list user-assigned managed identities, use the [az identity list](/cli/azure/identity#az_identity_list) command. Replace the `<RESOURCE GROUP>` with your own value:
```azurecli-interactive az identity list -g <RESOURCE GROUP>
In the json response, user-assigned managed identities have `"Microsoft.ManagedI
To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
-To delete a user-assigned managed identity, use the [az identity delete](/cli/azure/identity#az-identity-delete) command. The -n parameter specifies its name and the -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the `<USER ASSIGNED IDENTITY NAME>` and `<RESOURCE GROUP>` parameters values with your own values:
+To delete a user-assigned managed identity, use the [az identity delete](/cli/azure/identity#az_identity_delete) command. The -n parameter specifies its name and the -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the `<USER ASSIGNED IDENTITY NAME>` and `<RESOURCE GROUP>` parameters values with your own values:
```azurecli-interactive az identity delete -n <USER ASSIGNED IDENTITY NAME> -g <RESOURCE GROUP>
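Review bot: In the delete sentence, `-n` and `-g` are left as plain text while the create section of this article formats them as code, and "parameters values" should read "parameter values". The line is already being touched for the link fragment, so fix both here to keep the create, list and delete sections consistent.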
active-directory How To Manage Ua Identity Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md
na
Last updated 12/02/2020 -++ # Create, list, or delete a user-assigned managed identity using Azure PowerShell
active-directory How To Use Vm Sign In https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md
Last updated 01/29/2021 -+ # How to use managed identities for Azure resources on an Azure VM for sign-in
If you receive one of these errors, return to the Azure VM in the [Azure portal]
## Next steps -- To enable managed identities for Azure resources on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md), or [Configure managed identities for Azure resources on an Azure VM using Azure CLI](qs-configure-cli-windows-vm.md)
+- To enable managed identities for Azure resources on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md), or [Configure managed identities for Azure resources on an Azure VM using Azure CLI](qs-configure-cli-windows-vm.md)
active-directory Howto Assign Access Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
If you don't already have an Azure account, [sign up for a free account](https:/
After you've enabled managed identity on an Azure resource, such as an [Azure virtual machine](qs-configure-cli-windows-vm.md) or [Azure virtual machine scale set](qs-configure-cli-windows-vmss.md):
-1. In this example, we are giving an Azure virtual machine access to a storage account. First we use [az resource list](/cli/azure/resource/#az-resource-list) to get the service principal for the virtual machine named myVM:
+1. In this example, we are giving an Azure virtual machine access to a storage account. First we use [az resource list](/cli/azure/resource/#az_resource_list) to get the service principal for the virtual machine named myVM:
```azurecli-interactive spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
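Review bot: In the command under step 1, the JMESPath expression is unquoted (`--query [*].identity.principalId`), so the shell can treat `[*]` as a glob pattern before az sees it; quote it as `--query "[*].identity.principalId"`. The lookup is also by name only (`-n myVM`), so adding the resource group with `-g` would keep `spID` from holding more than one principal ID when another resource shares that name.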
After you've enabled managed identity on an Azure resource, such as an [Azure vi
spID=$(az resource list -n DevTestVMSS --query [*].identity.principalId --out tsv) ```
-1. Once you have the service principal ID, use [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to give the virtual machine or virtual machine scale set "Reader" access to a storage account called "myStorageAcct":
+1. Once you have the service principal ID, use [az role assignment create](/cli/azure/role/assignment#az_role_assignment_create) to give the virtual machine or virtual machine scale set "Reader" access to a storage account called "myStorageAcct":
```azurecli-interactive az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
active-directory Howto Assign Access Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/howto-assign-access-powershell.md
na
Last updated 12/15/2020 -++ # Assign a managed identity access to a resource using PowerShell
active-directory Msi Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/msi-tutorial-linux-vm-access-arm.md
In this tutorial, you learn how to:
- You also need a Linux Virtual machine. If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine) - To run the example scripts, you have two options: - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top right corner of code blocks.
- - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login).
+ - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login).
## Create a user-assigned managed identity
-Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<UAMI NAME>` parameter values with your own values:
+Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<UAMI NAME>` parameter values with your own values:
[!INCLUDE [ua-character-limit](~/includes/managed-identity-ua-character-limits.md)]
active-directory Qs Configure Cli Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md
In this section, you learn how to enable and disable the system-assigned managed
To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus ```
-1. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM named *myVM* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:
+1. Create a VM using [az vm create](/cli/azure/vm/#az_vm_create). The following example creates a VM named *myVM* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:
```azurecli-interactive az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --admin-username azureuser --admin-password myPassword12
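Review bot: The sample command under the second step passes a literal password on the command line (`--admin-password myPassword12`), which readers tend to copy unchanged and which ends up in shell history; use a `<PASSWORD>` placeholder as the user-assigned section of this article does. The first step also reads "if you already have resource group" and is missing "a".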
To create an Azure VM with the system-assigned managed identity enabled, your ac
To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
-1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account that is associated with the Azure subscription that contains the VM.
+1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az_login). Use an account that is associated with the Azure subscription that contains the VM.
```azurecli-interactive az login
In this section, you will learn how to add and remove a user-assigned managed id
To assign a user-assigned identity to a VM during its creation, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No additional Azure AD directory role assignments are required.
-1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az-group-create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
+1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az_group_create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
```azurecli-interactive az group create --name <RESOURCE GROUP> --location <LOCATION> ```
-2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name.
+2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name.
[!INCLUDE [ua-character-limit](~/includes/managed-identity-ua-character-limits.md)]
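Review bot: Step 1 ends with a stray " :" after the period ("with your own values. :"); end the sentence with a single colon, since a command follows. Step 2 also lacks the "Be sure to replace ..." sentence that the equivalent `az identity create` step carries elsewhere in this article, so consider restoring it for consistency.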
To assign a user-assigned identity to a VM during its creation, your account nee
} ```
-3. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.
+3. Create a VM using [az vm create](/cli/azure/vm/#az_vm_create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.
```azurecli-interactive az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME>
To assign a user-assigned identity to a VM during its creation, your account nee
To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No additional Azure AD directory role assignments are required.
-1. Create a user-assigned identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
+1. Create a user-assigned identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
> [!IMPORTANT] > Creating user-assigned managed identities with special characters (i.e. underscore) in the name is not currently supported. Please use alphanumeric characters. Check back for updates. For more information, see [FAQs and known issues](known-issues.md)
active-directory Qs Configure Cli Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vmss.md
In this section, you learn how to enable and disable the system-assigned managed
To create a virtual machine scale set with the system-assigned managed identity enabled:
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have a resource group you would like to use instead:
+1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have a resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus ```
-1. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set named *myVMSS* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:
+1. [Create](/cli/azure/vmss/#az_vmss_create) a virtual machine scale set. The following example creates a virtual machine scale set named *myVMSS* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:
```azurecli-interactive az vmss create --resource-group myResourceGroup --name myVMSS --image win2016datacenter --upgrade-policy-mode automatic --custom-data cloud-init.txt --admin-username azureuser --admin-password myPassword12 --assign-identity --generate-ssh-keys
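Review bot: The sample under the second step pairs `--image win2016datacenter` with `--custom-data cloud-init.txt` and `--generate-ssh-keys`, which look carried over from a Linux sample, and it hard-codes `--admin-password myPassword12`. Either switch the image to a Linux one or drop the two Linux-oriented options, and replace the password with a `<PASSWORD>` placeholder.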
To create a virtual machine scale set with the system-assigned managed identity
### Enable system-assigned managed identity on an existing Azure virtual machine scale set
-If you need to [Enable](/cli/azure/vmss/identity/#az-vmss-identity-assign) the system-assigned managed identity on an existing Azure virtual machine scale set:
+If you need to [Enable](/cli/azure/vmss/identity/#az_vmss_identity_assign) the system-assigned managed identity on an existing Azure virtual machine scale set:
```azurecli-interactive az vmss identity assign -g myResourceGroup -n myVMSS
In this section, you learn how to enable and remove a user-assigned managed iden
This section walks you through creation of a virtual machine scale set and assignment of a user-assigned managed identity to the virtual machine scale set. If you already have a virtual machine scale set you want to use, skip this section and proceed to the next.
-1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az-group-create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
+1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az_group_create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
```azurecli-interactive az group create --name <RESOURCE GROUP> --location <LOCATION> ```
-2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
+2. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
[!INCLUDE [ua-character-limit](~/includes/managed-identity-ua-character-limits.md)]
This section walks you through creation of a virtual machine scale set and assig
} ```
-3. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY>` parameter values with your own values.
+3. [Create](/cli/azure/vmss/#az_vmss_create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY>` parameter values with your own values.
```azurecli-interactive az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY>
This section walks you through creation of a virtual machine scale set and assig
### Assign a user-assigned managed identity to an existing virtual machine scale set
-1. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
+1. Create a user-assigned managed identity using [az identity create](/cli/azure/identity#az_identity_create). The `-g` parameter specifies the resource group where the user-assigned managed identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
```azurecli-interactive az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
This section walks you through creation of a virtual machine scale set and assig
### Remove a user-assigned managed identity from an Azure virtual machine scale set
-To [remove](/cli/azure/vmss/identity#az-vmss-identity-remove) a user-assigned managed identity from a virtual machine scale set use `az vmss identity remove`. If this is the only user-assigned managed identity assigned to the virtual machine scale set, `UserAssigned` will be removed from the identity type value. Be sure to replace the `<RESOURCE GROUP>` and `<VIRTUAL MACHINE SCALE SET NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` will be the user-assigned managed identity's `name` property, which can be found in the identity section of the virtual machine scale set using `az vmss identity show`:
+To [remove](/cli/azure/vmss/identity#az_vmss_identity_remove) a user-assigned managed identity from a virtual machine scale set use `az vmss identity remove`. If this is the only user-assigned managed identity assigned to the virtual machine scale set, `UserAssigned` will be removed from the identity type value. Be sure to replace the `<RESOURCE GROUP>` and `<VIRTUAL MACHINE SCALE SET NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` will be the user-assigned managed identity's `name` property, which can be found in the identity section of the virtual machine scale set using `az vmss identity show`:
```azurecli-interactive az vmss identity remove -g <RESOURCE GROUP> -n <VIRTUAL MACHINE SCALE SET NAME> --identities <USER ASSIGNED IDENTITY>
active-directory Qs Configure Powershell Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md
na
Last updated 08/19/2020 -++ # Configure managed identities for Azure resources on an Azure VM using PowerShell
active-directory Qs Configure Powershell Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vmss.md
na
Last updated 12/15/2020 -++ # Configure managed identities for Azure resources on virtual machine scale sets using PowerShell
active-directory Qs Configure Rest Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vm.md
In this section, you learn how to enable and disable system-assigned managed ide
To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No additional Azure AD directory role assignments are required.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus ```
-2. Create a [network interface](/cli/azure/network/nic#az-network-nic-create) for your VM:
+2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your VM:
```azurecli-interactive az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
az account get-access-token ```
-2. Create a [network interface](/cli/azure/network/nic#az-network-nic-create) for your VM:
+2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your VM:
```azurecli-interactive az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
active-directory Qs Configure Rest Vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md
In this section, you learn how to enable and disable system-assigned managed ide
To create a virtual machine scale set with system-assigned managed identity enabled, you need create a virtual machine scale set and retrieve an access token to use CURL to call the Resource Manager endpoint with the system-assigned managed identity type value.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az_group_create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus ```
-2. Create a [network interface](/cli/azure/network/nic#az-network-nic-create) for your virtual machine scale set:
+2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your virtual machine scale set:
```azurecli-interactive az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
In this section, you learn how to add and remove user-assigned managed identity
az account get-access-token ```
-2. Create a [network interface](/cli/azure/network/nic#az-network-nic-create) for your virtual machine scale set:
+2. Create a [network interface](/cli/azure/network/nic#az_network_nic_create) for your virtual machine scale set:
```azurecli-interactive az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
active-directory Services Support Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
Refer to the following list to configure managed identity for Azure Policy (in r
- [Azure portal](../../governance/policy/tutorials/create-and-manage.md#assign-a-policy) - [PowerShell](../../governance/policy/how-to/remediate-resources.md#create-managed-identity-with-powershell)-- [Azure CLI](/cli/azure/policy/assignment#az-policy-assignment-create)
+- [Azure CLI](/cli/azure/policy/assignment#az_policy_assignment_create)
- [Azure Resource Manager templates](/azure/templates/microsoft.authorization/policyassignments) - [REST](/rest/api/policy/policyassignments/create)
active-directory Tutorial Linux Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md
This tutorial shows you how to use a system-assigned managed identity for a Linu
- To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md). - To run the example scripts, you have two options: - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top right corner of code blocks.
- - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account associated with the Azure subscription in which you'd like to create resources.
+ - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login). Use an account associated with the Azure subscription in which you'd like to create resources.
## Create a Cosmos DB account
active-directory Tutorial Windows Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md
na
Last updated 12/10/2020 -++ # Tutorial: Use a Windows VM system-assigned managed identity to access Azure Cosmos DB
This CLI command returns details about the collection:
In this tutorial, you learned how to use a Windows VM system-assigned identity to access Cosmos DB. To learn more about Cosmos DB see: > [!div class="nextstepaction"]
->[Azure Cosmos DB overview](../../cosmos-db/introduction.md)
+>[Azure Cosmos DB overview](../../cosmos-db/introduction.md)
active-directory Tutorial Windows Vm Access Storage Sas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-storage-sas.md
na
Last updated 12/15/2020 -++ # Tutorial: Use a Windows VM system-assigned managed identity to access Azure Storage via a SAS credential
Name : testblob
In this tutorial, you learned how to use a Windows VM's system-assigned managed identity to access Azure Storage using a SAS credential. To learn more about Azure Storage SAS see: > [!div class="nextstepaction"]
->[Using shared access signatures (SAS)](../../storage/common/storage-sas-overview.md)
+>[Using shared access signatures (SAS)](../../storage/common/storage-sas-overview.md)
active-directory Tutorial Windows Vm Ua Arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm.md
na
Last updated 12/02/2020 -++ # Tutorial: Use a user-assigned managed identity on a Windows VM to access Azure Resource Manager
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
Previously updated : 04/06/2021 Last updated : 04/20/2021
Manages [Customer Lockbox requests](/office365/admin/manage/customer-lockbox-req
## Desktop Analytics Administrator
-Users in this role can manage the Desktop Analytics and Office Customization & Policy services. For Desktop Analytics, this includes the ability to view asset inventory, create deployment plans, view deployment and health status. For Office Customization & Policy service, this role enables users to manage Office policies.
+Users in this role can manage the Desktop Analytics service. This includes the ability to view asset inventory, create deployment plans, and view deployment and health status.
> [!div class="mx-tableFixed"] > | Actions | Description |
Users in this role can manage the Desktop Analytics and Office Customization & P
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | > | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets | > | microsoft.office365.desktopAnalytics/allEntities/allTasks | Manage all aspects of Desktop Analytics |
-> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
-> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
-> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
## Directory Readers
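Review bot: the table edit removes three `microsoft.office365.*` actions (serviceHealth, supportTickets and webPortal read) from Desktop Analytics Administrator, but the description change only mentions dropping Office Customization & Policy management. State in the article whether the role's effective permissions were reduced or the table was simply corrected, so admins auditing existing assignments against this reference know if role holders lost access to Microsoft 365 service health and service requests.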
active-directory Eletive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/eletive-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Eletive for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Eletive.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 8a775422-e6d7-4cd5-b8d1-cc8a2db24c4f
+++
+ na
+ms.devlang: na
+ Last updated : 04/16/2021+++
+# Tutorial: Configure Eletive for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Eletive and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Eletive](https://app.eletive.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Eletive
+> * Remove users in Eletive when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Eletive
+> * Single sign-on to Eletive (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Eletive with administration access.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Eletive](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Eletive to support provisioning with Azure AD
+
+1. Log in to [Eletive](https://app.eletive.com/). Navigate to **Settings** -> **Features**.
+
+ ![Features](media/eletive-provisioning-tutorial/settings.png)
+
+2. Enable **Integrations** and **SCIM 2.0**.
+
+ ![Integrations](media/eletive-provisioning-tutorial/scim.png)
+
+3. Navigate to **Settings** -> **Integrations**.
+
+4. Click on **User Provisioning**.
+
+ ![Tab](media/eletive-provisioning-tutorial/user.png)
+
+5. Click on **Connect**.
+
+ ![Button](media/eletive-provisioning-tutorial/connect.png)
+
+6. Copy and save the SCIM 2.0 URL and Bearer token. These values will be entered in the Tenant URL and Secret Token field in the Provisioning tab of your Eletive application in the Azure portal.
++
+## Step 3. Add Eletive from the Azure AD application gallery
+
+Add Eletive from the Azure AD application gallery to start managing provisioning to Eletive. If you have previously setup Eletive for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Eletive, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control the scope by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Eletive
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Eletive in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Eletive**.
+
+ ![The Eletive link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Eletive Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Eletive. If the connection fails, ensure your Eletive account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Eletive**.
+
+9. Review the user attributes that are synchronized from Azure AD to Eletive in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Eletive for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Eletive API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for Filtering|
+ ||||
+ |userName|String|&check;|
+ |emails[type eq "work"].value|String|
+ |externalId|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |preferredLanguage|String|
+ |userType|String|
+ |urn:ietf:params:scim:schemas:extension:eletive:2.0:User:participateInSurvey|String|
+
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+11. To enable the Azure AD provisioning service for Eletive, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+12. Define the users and/or groups that you would like to provision to Eletive by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+13. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
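Review bot: the Step 5 intro still names the template placeholder ("create, update, and disable users and/or groups in TestApp"); it should say Eletive. In the attribute-mapping table only the `userName` row carries a "Supported for Filtering" cell, and the remaining rows stop after Type, so add the empty third cell to each for a consistent column count. Step 2.6 tells the admin to "Copy and save the SCIM 2.0 URL and Bearer token" without saying how; since that value goes into the Secret Token field, a short line on storing it as a secret would fit there. The new file also mixes absolute `https://docs.microsoft.com/azure/...` links with relative `../manage-apps/...` links to the same doc set; pick the relative form throughout.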
active-directory Hoxhunt Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hoxhunt-provisioning-tutorial.md
Once you've configured provisioning, use the following resources to monitor your
* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion * If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+## Change Log
+* 04/20/2021 - Added support for "preferredLanguage" and enterprise extension attribute "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division".
+ ## Additional resources * [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
active-directory Zscaler Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-provisioning-tutorial.md
Before configuring and enabling automatic user provisioning, you should decide w
This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Zscaler based on user and/or group assignments in Azure AD. +
+> [!NOTE]
+> Open a [support ticket](https://help.zscaler.com/) to create a domain on Zscaler.
+ > [!TIP] > You may also choose to enable SAML-based single sign-on for Zscaler, following the instructions provided in the [Zscaler single sign-on tutorial](zscaler-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other.
For more information on how to read the Azure AD provisioning logs, see [Reporti
<!--Image references--> [1]: ./media/zscaler-provisioning-tutorial/tutorial-general-01.png [2]: ./media/zscaler-provisioning-tutorial/tutorial-general-02.png
-[3]: ./media/zscaler-provisioning-tutorial/tutorial-general-03.png
+[3]: ./media/zscaler-provisioning-tutorial/tutorial-general-03.png
active-directory Multi Factor Authentication End User Signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/multi-factor-authentication-end-user-signin.md
Title: Sign-in using authentication with a work or school account - Azure AD
+ Title: Sign in using authentication with a work or school account - Azure AD
description: Learn how to sign in to your work or school account using the various two-factor verification methods.
advisor Advisor Alerts Arm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-alerts-arm.md
Title: Create Azure Advisor alerts for new recommendations using Resource Manager template description: Learn how to set up an alert for new recommendations from Azure Advisor using an Azure Resource Manager template (ARM template). -+ Last updated 06/29/2020
aks Api Server Authorized Ip Ranges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/api-server-authorized-ip-ranges.md
For more information, see [Security concepts for applications and clusters in AK
<!-- LINKS - internal --> [az-aks-update]: /cli/azure/ext/aks-preview/aks#ext-aks-preview-az-aks-update
-[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
[az-aks-show]: /cli/azure/aks#az_aks_show
-[az-network-public-ip-list]: /cli/azure/network/public-ip#az-network-public-ip-list
+[az-network-public-ip-list]: /cli/azure/network/public-ip#az_network_public_ip_list
[concepts-clusters-workloads]: concepts-clusters-workloads.md [concepts-security]: concepts-security.md [install-azure-cli]: /cli/azure/install-azure-cli
aks Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/availability-zones.md
This article detailed how to create an AKS cluster that uses availability zones.
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-aks-create]: /cli/azure/aks#az_aks_create
[az-overview]: ../availability-zones/az-overview.md [best-practices-bc-dr]: operator-best-practices-multi-region.md [aks-support-policies]: support-policies.md [aks-faq]: faq.md [standard-lb-limitations]: load-balancer-standard.md#limitations
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[az-aks-nodepool-add]: /cli/azure/ext/aks-preview/aks/nodepool#ext-aks-preview-az-aks-nodepool-add
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[vmss-zone-balancing]: ../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md#zone-balancing <!-- LINKS - external -->
aks Azure Ad Integration Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-ad-integration-cli.md
For best practices on identity and resource control, see [Best practices for aut
[complete-script]: https://github.com/Azure-Samples/azure-cli-samples/tree/master/aks/azure-ad-integration/azure-ad-integration.sh <!-- LINKS - internal -->
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-group-create]: /cli/azure/group#az-group-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-group-create]: /cli/azure/group#az_group_create
[open-id-connect]: ../active-directory/develop/v2-protocols-oidc.md
-[az-ad-user-show]: /cli/azure/ad/user#az-ad-user-show
-[az-ad-app-create]: /cli/azure/ad/app#az-ad-app-create
-[az-ad-app-update]: /cli/azure/ad/app#az-ad-app-update
-[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create
-[az-ad-app-permission-add]: /cli/azure/ad/app/permission#az-ad-app-permission-add
-[az-ad-app-permission-grant]: /cli/azure/ad/app/permission#az-ad-app-permission-grant
-[az-ad-app-permission-admin-consent]: /cli/azure/ad/app/permission#az-ad-app-permission-admin-consent
-[az-ad-app-show]: /cli/azure/ad/app#az-ad-app-show
-[az-group-create]: /cli/azure/group#az-group-create
-[az-account-show]: /cli/azure/account#az-account-show
-[az-ad-signed-in-user-show]: /cli/azure/ad/signed-in-user#az-ad-signed-in-user-show
+[az-ad-user-show]: /cli/azure/ad/user#az_ad_user_show
+[az-ad-app-create]: /cli/azure/ad/app#az_ad_app_create
+[az-ad-app-update]: /cli/azure/ad/app#az_ad_app_update
+[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create
+[az-ad-app-permission-add]: /cli/azure/ad/app/permission#az_ad_app_permission_add
+[az-ad-app-permission-grant]: /cli/azure/ad/app/permission#az_ad_app_permission_grant
+[az-ad-app-permission-admin-consent]: /cli/azure/ad/app/permission#az_ad_app_permission_admin_consent
+[az-ad-app-show]: /cli/azure/ad/app#az_ad_app_show
+[az-group-create]: /cli/azure/group#az_group_create
+[az-account-show]: /cli/azure/account#az_account_show
+[az-ad-signed-in-user-show]: /cli/azure/ad/signed-in-user#az_ad_signed_in_user_show
[install-azure-cli]: /cli/azure/install-azure-cli
-[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az-ad-sp-credential-reset
+[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az_ad_sp_credential_reset
[rbac-authorization]: concepts-identity.md#kubernetes-rbac [operator-best-practices-identity]: operator-best-practices-identity.md [azure-ad-rbac]: azure-ad-rbac.md
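Review bot: `[az-group-create]` is defined twice in this reference block, and the change rewrites both copies to the same target (`/cli/azure/group#az_group_create`). Drop the second definition instead of carrying the duplicate forward.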
aks Azure Ad Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-ad-rbac.md
For best practices on identity and resource control, see [Best practices for aut
[kubectl-run]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#run <!-- LINKS - internal -->
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[install-azure-cli]: /cli/azure/install-azure-cli [azure-ad-aks-cli]: azure-ad-integration-cli.md
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-ad-group-create]: /cli/azure/ad/group#az-ad-group-create
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
-[az-ad-user-create]: /cli/azure/ad/user#az-ad-user-create
-[az-ad-group-member-add]: /cli/azure/ad/group/member#az-ad-group-member-add
-[az-ad-group-show]: /cli/azure/ad/group#az-ad-group-show
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-ad-group-create]: /cli/azure/ad/group#az_ad_group_create
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[az-ad-user-create]: /cli/azure/ad/user#az_ad_user_create
+[az-ad-group-member-add]: /cli/azure/ad/group/member#az_ad_group_member_add
+[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show
[rbac-authorization]: concepts-identity.md#kubernetes-rbac [operator-best-practices-identity]: operator-best-practices-identity.md
aks Azure Disk Csi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-csi.md
$ kubectl exec -it busybox-azuredisk-0 -- cat c:\mnt\azuredisk\data.txt # on Win
[azure-disk-volume]: azure-disk-volume.md [azure-files-pvc]: azure-files-dynamic-pv.md [premium-storage]: ../virtual-machines/disks-types.md
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-snapshot-create]: /cli/azure/snapshot#az-snapshot-create
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-disk-show]: /cli/azure/disk#az-disk-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-disk-show]: /cli/azure/disk#az_disk_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md [storage-class-concepts]: concepts-storage.md#storage-classes
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks Azure Disk Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-customer-managed-keys.md
Review [best practices for AKS cluster security][best-practices-security]
<!-- LINKS - external --> <!-- LINKS - internal -->
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[best-practices-security]: ./operator-best-practices-cluster-security.md [byok-azure-portal]: ../storage/common/customer-managed-keys-configure-key-vault.md [customer-managed-keys-windows]: ../virtual-machines/disk-encryption.md#customer-managed-keys
aks Azure Disk Volume https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-volume.md
For more information about AKS clusters interact with Azure disks, see the [Kube
[managed-disk-pricing-performance]: https://azure.microsoft.com/pricing/details/managed-disks/ <!-- LINKS - internal -->
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-group-list]: /cli/azure/group#az-group-list
-[az-resource-show]: /cli/azure/resource#az-resource-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-group-list]: /cli/azure/group#az_group_list
+[az-resource-show]: /cli/azure/resource#az_resource_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-show]: /cli/azure/aks#az_aks_show
[install-azure-cli]: /cli/azure/install-azure-cli [azure-files-volume]: azure-files-volume.md [operator-best-practices-storage]: operator-best-practices-storage.md
aks Azure Disks Dynamic Pv https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disks-dynamic-pv.md
Learn more about Kubernetes persistent volumes using Azure disks.
[azure-disk-volume]: azure-disk-volume.md [azure-files-pvc]: azure-files-dynamic-pv.md [premium-storage]: ../virtual-machines/disks-types.md
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-snapshot-create]: /cli/azure/snapshot#az-snapshot-create
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-disk-show]: /cli/azure/disk#az-disk-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-disk-show]: /cli/azure/disk#az_disk_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md [storage-class-concepts]: concepts-storage.md#storage-classes
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
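Review bot: `[az-feature-register]`, `[az-feature-list]` and `[az-provider-register]` each appear twice in the added lines, exactly as they did in the removed ones. Keep one definition of each so a later anchor change cannot update one copy and miss the other.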
aks Azure Files Csi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-csi.md
$ kubectl exec -it busybox-azurefile-0 -- cat c:\mnt\azurefile\data.txt # on Win
[azure-disk-volume]: azure-disk-volume.md [azure-files-pvc]: azure-files-dynamic-pv.md [premium-storage]: ../virtual-machines/disks-types.md
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-snapshot-create]: /cli/azure/snapshot#az-snapshot-create
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-disk-show]: /cli/azure/disk#az-disk-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-disk-show]: /cli/azure/disk#az_disk_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md [storage-class-concepts]: concepts-storage.md#storage-classes
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[node-resource-group]: faq.md#why-are-two-resource-groups-created-with-aks [storage-skus]: ../storage/common/storage-redundancy.md
aks Azure Files Dynamic Pv https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-dynamic-pv.md
Learn more about Kubernetes persistent volumes using Azure Files.
[smb-overview]: /windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview <!-- LINKS - internal -->
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-list]: /cli/azure/group#az-group-list
-[az-resource-show]: /cli/azure/aks#az-aks-show
-[az-storage-account-create]: /cli/azure/storage/account#az-storage-account-create
-[az-storage-create]: /cli/azure/storage/account#az-storage-account-create
-[az-storage-key-list]: /cli/azure/storage/account/keys#az-storage-account-keys-list
-[az-storage-share-create]: /cli/azure/storage/share#az-storage-share-create
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-list]: /cli/azure/group#az_group_list
+[az-resource-show]: /cli/azure/aks#az_aks_show
+[az-storage-account-create]: /cli/azure/storage/account#az_storage_account_create
+[az-storage-create]: /cli/azure/storage/account#az_storage_account_create
+[az-storage-key-list]: /cli/azure/storage/account/keys#az_storage_account_keys_list
+[az-storage-share-create]: /cli/azure/storage/share#az_storage_share_create
[mount-options]: #mount-options [aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli
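Review bot: `[az-resource-show]` resolves to `/cli/azure/aks#az_aks_show`, the same target the `[az-aks-show]` label further down this file uses, and `[az-storage-create]` repeats the target of `[az-storage-account-create]`. Since each of these lines is being rewritten anyway, either point `az-resource-show` at the command its label names or drop the alias labels in favour of the canonical ones, so a reader following the link lands on the command the text mentions.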
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-show]: /cli/azure/aks#az_aks_show
[storage-skus]: ../storage/common/storage-redundancy.md [kubernetes-rbac]: concepts-identity.md#role-based-access-controls-rbac [operator-best-practices-storage]: operator-best-practices-storage.md
aks Azure Files Volume https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-volume.md
For storage class parameters, see [Static Provision(bring your own file share)](
[kubernetes-security-context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ <!-- LINKS - internal -->
-[az-group-create]: /cli/azure/group#az-group-create
-[az-storage-create]: /cli/azure/storage/account#az-storage-account-create
-[az-storage-key-list]: /cli/azure/storage/account/keys#az-storage-account-keys-list
-[az-storage-share-create]: /cli/azure/storage/share#az-storage-share-create
+[az-group-create]: /cli/azure/group#az_group_create
+[az-storage-create]: /cli/azure/storage/account#az_storage_account_create
+[az-storage-key-list]: /cli/azure/storage/account/keys#az_storage_account_keys_list
+[az-storage-share-create]: /cli/azure/storage/share#az_storage_share_create
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli
aks Azure Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-netapp-files.md
For more information on Azure NetApp Files, see [What is Azure NetApp Files][anf
[anf-quickstart]: ../azure-netapp-files/ [anf-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=netapp&regions=all [anf-waitlist]: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR8cq17Xv9yVBtRCSlcD_gdVUNUpUWEpLNERIM1NOVzA5MzczQ0dQR1ZTSS4u
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-netappfiles-account-create]: /cli/azure/netappfiles/account#az-netappfiles-account-create
-[az-netappfiles-pool-create]: /cli/azure/netappfiles/pool#az-netappfiles-pool-create
-[az-netappfiles-volume-create]: /cli/azure/netappfiles/volume#az-netappfiles-volume-create
-[az-netappfiles-volume-show]: /cli/azure/netappfiles/volume#az-netappfiles-volume-show
-[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-netappfiles-account-create]: /cli/azure/netappfiles/account#az_netappfiles_account_create
+[az-netappfiles-pool-create]: /cli/azure/netappfiles/pool#az_netappfiles_pool_create
+[az-netappfiles-volume-create]: /cli/azure/netappfiles/volume#az_netappfiles_volume_create
+[az-netappfiles-volume-show]: /cli/azure/netappfiles/volume#az_netappfiles_volume_show
+[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_create
[install-azure-cli]: /cli/azure/install-azure-cli [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe
aks Certificate Rotation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/certificate-rotation.md
This article showed you how to automatically rotate your cluster's certificates,
[azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md [dev-spaces]: ../dev-spaces/index.yml [dev-spaces-rotate]: ../dev-spaces/troubleshooting.md#error-using-dev-spaces-after-rotating-aks-certificates
aks Cluster Autoscaler https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-autoscaler.md
This article showed you how to automatically scale the number of AKS nodes. You
[aks-view-master-logs]: ./view-control-plane-logs.md#enable-resource-logs [autoscaler-profile-properties]: #using-the-autoscaler-profile [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-update]: /cli/azure/aks#az-aks-update
-[az-aks-scale]: /cli/azure/aks#az-aks-scale
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
+[az-aks-scale]: /cli/azure/aks#az_aks_scale
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
<!-- LINKS - external --> [az-aks-update-preview]: https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview
aks Cluster Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-configuration.md
As you work with the node resource group, keep in mind that you can't:
<!-- LINKS - internal --> [azure-cli-install]: /cli/azure/install-azure-cli
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
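Review bot: `[az-feature-register]`, `[az-feature-list]` and `[az-provider-register]` are each defined twice in the new block, as they were in the old one. The two copies carry identical targets, so rendering is unaffected, but the second set can be dropped in this change so that a later edit to one copy cannot leave the other stale.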
aks Cluster Container Registry Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-container-registry-integration.md
nginx0-deployment-669dfc4d4b-xdpd6 1/1 Running 0 20s
* Learn more about [ACR Health](../container-registry/container-registry-check-health.md) <!-- LINKS - external -->
-[AKS AKS CLI]: /cli/azure/aks#az-aks-create
+[AKS AKS CLI]: /cli/azure/aks#az_aks_create
[Image Pull secret]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
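Review bot: The label `[AKS AKS CLI]` on the changed line repeats "AKS", which looks like a typo carried through the anchor rename. If it is shortened to `[AKS CLI]`, the in-text references that use the label have to change in the same commit, otherwise the link stops resolving.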
aks Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-identity.md
For more information on core Kubernetes and AKS concepts, see the following arti
<!-- LINKS - Internal --> [openid-connect]: ../active-directory/develop/v2-protocols-oidc.md
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[azure-rbac]: ../role-based-access-control/overview.md [aks-aad]: managed-aad.md [aks-concepts-clusters-workloads]: concepts-clusters-workloads.md
aks Configure Azure Cni https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/configure-azure-cni.md Binary files differ
aks Configure Kubenet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/configure-kubenet.md
With an AKS cluster deployed into your existing virtual network subnet, you can
<!-- LINKS - Internal --> [install-azure-cli]: /cli/azure/install-azure-cli [aks-network-concepts]: concepts-network.md
-[az-group-create]: /cli/azure/group#az-group-create
-[az-network-vnet-create]: /cli/azure/network/vnet#az-network-vnet-create
-[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
-[az-network-vnet-show]: /cli/azure/network/vnet#az-network-vnet-show
-[az-network-vnet-subnet-show]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-show
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
-[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-group-create]: /cli/azure/group#az_group_create
+[az-network-vnet-create]: /cli/azure/network/vnet#az_network_vnet_create
+[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
+[az-network-vnet-show]: /cli/azure/network/vnet#az_network_vnet_show
+[az-network-vnet-subnet-show]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[az-aks-create]: /cli/azure/aks#az_aks_create
[byo-subnet-route-table]: #bring-your-own-subnet-and-route-table-with-kubenet [develop-helm]: quickstart-helm.md [use-helm]: kubernetes-helm.md
aks Control Kubeconfig Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/control-kubeconfig-access.md
For enhanced security on access to AKS clusters, [integrate Azure Active Directo
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[azure-rbac]: ../role-based-access-control/overview.md [api-cluster-admin]: /rest/api/aks/managedclusters/listclusteradmincredentials [api-cluster-user]: /rest/api/aks/managedclusters/listclusterusercredentials
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-account-show]: /cli/azure/account#az-account-show
-[az-ad-user-show]: /cli/azure/ad/user#az-ad-user-show
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
-[az-role-assignment-delete]: /cli/azure/role/assignment#az-role-assignment-delete
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-account-show]: /cli/azure/account#az_account_show
+[az-ad-user-show]: /cli/azure/ad/user#az_ad_user_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[az-role-assignment-delete]: /cli/azure/role/assignment#az_role_assignment_delete
[aad-integration]: ./azure-ad-integration-cli.md
-[az-ad-group-show]: /cli/azure/ad/group#az-ad-group-show
+[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show
aks Csi Storage Drivers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/csi-storage-drivers.md
$ echo $(kubectl get CSINode <NODE NAME> -o jsonpath="{.spec.drivers[1].allocata
[azure-disk-volume]: azure-disk-volume.md [azure-files-pvc]: azure-files-dynamic-pv.md [premium-storage]: ../virtual-machines/disks-types.md
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-snapshot-create]: /cli/azure/snapshot#az-snapshot-create
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-disk-show]: /cli/azure/disk#az-disk-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-disk-show]: /cli/azure/disk#az_disk_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md [storage-class-concepts]: concepts-storage.md#storage-classes
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks Custom Node Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/custom-node-configuration.md
az aks nodepool add --name mynodepool1 --cluster-name myAKSCluster --resource-gr
[aks-view-master-logs]: ./view-control-plane-logs.md#enable-resource-logs [autoscaler-profile-properties]: #using-the-autoscaler-profile [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-update]: /cli/azure/aks#az-aks-update
-[az-aks-scale]: /cli/azure/aks#az-aks-scale
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
+[az-aks-scale]: /cli/azure/aks#az_aks_scale
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[upgrade-cluster]: upgrade-cluster.md [use-multiple-node-pools]: use-multiple-node-pools.md [max-surge]: upgrade-cluster.md#customize-node-surge-upgrade
aks Egress Outboundtype https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/egress-outboundtype.md
See [Azure networking UDR overview](../virtual-network/virtual-networks-udr-over
See [how to create, change, or delete a route table](../virtual-network/manage-route-table.md). <!-- LINKS - internal -->
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[byo-route-table]: configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet
aks Egress https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/egress.md
$ curl -s checkip.dyndns.org
To avoid maintaining multiple public IP addresses on the Azure Load Balancer, you can instead use an ingress controller. Ingress controllers provide additional benefits such as SSL/TLS termination, support for URI rewrites, and upstream SSL/TLS encryption. For more information, see [Create a basic ingress controller in AKS][ingress-aks-cluster]. <!-- LINKS - internal -->
-[az-network-public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
-[az-network-public-ip-list]: /cli/azure/network/public-ip#az-network-public-ip-list
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
+[az-network-public-ip-list]: /cli/azure/network/public-ip#az_network_public_ip_list
+[az-aks-show]: /cli/azure/aks#az_aks_show
[azure-cli-install]: /cli/azure/install-azure-cli [ingress-aks-cluster]: ./ingress-basic.md [outbound-connections]: ../load-balancer/load-balancer-outbound-connections.md#scenarios
-[public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
+[public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli
aks Enable Host Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/enable-host-encryption.md
Title: Enable host-based encryption on Azure Kubernetes Service (AKS)
description: Learn how to configure a host-based encryption in an Azure Kubernetes Service (AKS) cluster Previously updated : 03/03/2021 Last updated : 03/03/2021 +
Read more about [host-based encryption](../virtual-machines/disk-encryption.md#e
<!-- LINKS - external --> <!-- LINKS - internal -->
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[best-practices-security]: ./operator-best-practices-cluster-security.md [supported-regions]: ../virtual-machines/disk-encryption.md#supported-regions [supported-sizes]: ../virtual-machines/disk-encryption.md#supported-vm-sizes [azure-cli-install]: /cli/azure/install-azure-cli
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/faq.md
The issue has been resolved by Kubernetes v1.20, refer [Kubernetes 1.20: Granula
[aks-rbac-aad]: ./azure-ad-integration-cli.md [node-updates-kured]: node-updates-kured.md [aks-preview-cli]: /cli/azure/ext/aks-preview/aks
-[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
[aks-rm-template]: /azure/templates/microsoft.containerservice/2019-06-01/managedclusters [aks-cluster-autoscaler]: cluster-autoscaler.md [nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool
aks Gpu Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/gpu-cluster.md
Register the `GPUDedicatedVHDPreview` feature:
az feature register --name GPUDedicatedVHDPreview --namespace Microsoft.ContainerService ```
-It might take several minutes for the status to show as **Registered**. You can check the registration status by using the [az feature list](/cli/azure/feature#az-feature-list) command:
+It might take several minutes for the status to show as **Registered**. You can check the registration status by using the [az feature list](/cli/azure/feature#az_feature_list) command:
```azurecli az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/GPUDedicatedVHDPreview')].{Name:name,State:properties.state}" ```
-When the status shows as registered, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register](/cli/azure/provider#az-provider-register) command:
+When the status shows as registered, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register](/cli/azure/provider#az_provider_register) command:
```azurecli az provider register --namespace Microsoft.ContainerService
For more information about running machine learning (ML) workloads on Kubernetes
[nvidia-github]: https://github.com/NVIDIA/k8s-device-plugin <!-- LINKS - internal -->
-[az-group-create]: /cli/azure/group#az-group-create
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-group-create]: /cli/azure/group#az_group_create
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[aks-spark]: spark-job.md [gpu-skus]: ../virtual-machines/sizes-gpu.md [install-azure-cli]: /cli/azure/install-azure-cli
aks Http Application Routing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/http-application-routing.md
ingress "aks-helloworld" deleted
For information on how to install an HTTPS-secured Ingress controller in AKS, see [HTTPS Ingress on Azure Kubernetes Service (AKS)][ingress-https]. <!-- LINKS - internal -->
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-show]: /cli/azure/aks#az_aks_show
[ingress-https]: ./ingress-tls.md
-[az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons
-[az aks install-cli]: /cli/azure/aks#az-aks-install-cli
-[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons
+[az aks install-cli]: /cli/azure/aks#az_aks_install_cli
+[az aks get-credentials]: /cli/azure/aks#az_aks_get_credentials
<!-- LINKS - external --> [dns-pricing]: https://azure.microsoft.com/pricing/details/dns/
aks Ingress Own Tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-own-tls.md
You can also:
<!-- LINKS - internal --> [use-helm]: kubernetes-helm.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-network-public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
[aks-ingress-internal]: ingress-internal-ip.md [aks-ingress-static-tls]: ingress-static-ip.md [aks-ingress-basic]: ingress-basic.md
aks Ingress Static Ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-static-ip.md
You can also:
<!-- LINKS - internal --> [use-helm]: kubernetes-helm.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-network-public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
[aks-ingress-internal]: ingress-internal-ip.md [aks-ingress-basic]: ingress-basic.md [aks-ingress-tls]: ingress-tls.md
aks Ingress Tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-tls.md
You can also:
- [Create an ingress controller that uses Let's Encrypt to automatically generate TLS certificates with a static public IP address][aks-ingress-static-tls] <!-- LINKS - external -->
-[az-network-dns-record-set-a-add-record]: /cli/azure/network/dns/record-set/#az-network-dns-record-set-a-add-record
+[az-network-dns-record-set-a-add-record]: /cli/azure/network/dns/record-set/#az_network_dns_record_set_a_add_record
[custom-domain]: ../app-service/manage-custom-dns-buy-domain.md#buy-an-app-service-domain [dns-zone]: ../dns/dns-getstarted-cli.md [helm]: https://helm.sh/
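Review bot: The target path on the changed line ends at `record-set/` with a trailing slash, while the fragment `#az_network_dns_record_set_a_add_record` names a command in the `a` subgroup. Only the fragment was converted here, so confirm that this fragment exists on the page the path resolves to, and if it does not, point the link at the subgroup page that documents `add-record`.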
You can also:
<!-- LINKS - internal --> [use-helm]: kubernetes-helm.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-network-public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
[aks-ingress-internal]: ingress-internal-ip.md [aks-ingress-static-tls]: ingress-static-ip.md [aks-ingress-basic]: ingress-basic.md
aks Internal Lb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/internal-lb.md
Learn more about Kubernetes services at the [Kubernetes services documentation][
<!-- LINKS - Internal --> [advanced-networking]: configure-azure-cni.md
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
[azure-lb-comparison]: ../load-balancer/skus.md [use-kubenet]: configure-kubenet.md [aks-quickstart-cli]: kubernetes-walkthrough.md
aks Kubernetes Action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-action.md
For a workflow targeting AKS, the file has three sections:
## Create a service principal
-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) by using the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). You can run this command using [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
+You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) by using the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). You can run this command using [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
```azurecli-interactive az ad sp create-for-rbac --name "myApp" --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP> --sdk-auth
aks Kubernetes Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-dashboard.md
For more information about the Kubernetes dashboard, see the [Kubernetes Web UI
[aad-cluster]: ./azure-ad-integration-cli.md [aks-quickstart]: ./kubernetes-walkthrough.md [aks-service-accounts]: ./concepts-identity.md#kubernetes-service-accounts
-[az-account-get-access-token]: /cli/azure/account#az-account-get-access-token
-[az-aks-browse]: /cli/azure/aks#az-aks-browse
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-account-get-access-token]: /cli/azure/account#az_account_get-access-token
+[az-aks-browse]: /cli/azure/aks#az_aks_browse
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[install-azure-cli]: /cli/azure/install-azure-cli [kubernetes-portal]: ./kubernetes-portal.md
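Review bot: The new anchor for `[az-account-get-access-token]` is `#az_account_get-access-token`, which still contains hyphens in `get-access-token`, whereas the neighbouring line converts `get-credentials` fully to `#az_aks_get_credentials`. This looks like a partial replacement. Check the fragment against the target page and, if the convention holds, change it to `#az_account_get_access_token`, otherwise the link will open the page without scrolling to the command.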
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-service-principal.md
For information on how to update the credentials, see [Update or rotate the cred
<!-- LINKS - internal --> [aad-service-principal]:../active-directory/develop/app-objects-and-service-principals.md [acr-intro]: ../container-registry/container-registry-intro.md
-[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
+[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
[az-ad-sp-delete]: /cli/azure/ad/sp#az_ad_sp_delete [azure-load-balancer-overview]: ../load-balancer/load-balancer-overview.md [install-azure-cli]: /cli/azure/install-azure-cli [service-principal]:../active-directory/develop/app-objects-and-service-principals.md [user-defined-routes]: ../load-balancer/load-balancer-overview.md
-[az-ad-app-list]: /cli/azure/ad/app#az-ad-app-list
-[az-ad-app-delete]: /cli/azure/ad/app#az-ad-app-delete
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-update]: /cli/azure/aks#az-aks-update
+[az-ad-app-list]: /cli/azure/ad/app#az_ad_app_list
+[az-ad-app-delete]: /cli/azure/ad/app#az_ad_app_delete
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
[rbac-network-contributor]: ../role-based-access-control/built-in-roles.md#network-contributor [rbac-custom-role]: ../role-based-access-control/custom-roles.md [rbac-storage-contributor]: ../role-based-access-control/built-in-roles.md#storage-account-contributor
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
[aks-to-acr]: cluster-container-registry-integration.md [update-credentials]: update-credentials.md [azure-ad-permissions]: ../active-directory/fundamentals/users-default-permissions.md
aks Kubernetes Walkthrough Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-portal.md
To learn more about AKS by walking through a complete example, including buildin
<!-- LINKS - internal --> [kubernetes-concepts]: concepts-clusters-workloads.md
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-delete]: /cli/azure/aks#az-aks-delete
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-delete]: /cli/azure/aks#az_aks_delete
[aks-monitor]: ../azure-monitor/containers/container-insights-overview.md [aks-network]: ./concepts-network.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
aks Kubernetes Walkthrough Rm Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough-rm-template.md
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
-[az-aks-browse]: /cli/azure/aks#az-aks-browse
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
+[az-aks-browse]: /cli/azure/aks#az_aks_browse
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-delete]: /cli/azure/group#az_group_delete
[azure-cli-install]: /cli/azure/install-azure-cli [sp-delete]: kubernetes-service-principal.md#additional-considerations [azure-portal]: https://portal.azure.com
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-service]: concepts-network.md#services [kubernetes-dashboard]: kubernetes-dashboard.md [ssh-keys]: ../virtual-machines/linux/create-ssh-keys-detailed.md
-[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
+[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
aks Limit Egress Traffic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/limit-egress-traffic.md
If you want to restrict how pods communicate between themselves and East-West tr
[install-azure-cli]: /cli/azure/install-azure-cli [network-policy]: use-network-policies.md [azure-firewall]: ../firewall/overview.md
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[aks-upgrade]: upgrade-cluster.md [aks-support-policies]: support-policies.md [aks-faq]: faq.md
aks Load Balancer Standard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/load-balancer-standard.md
Learn more about using Internal Load Balancer for Inbound traffic at the [AKS In
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [aks-sp]: kubernetes-service-principal.md#delegate-access-to-other-azure-resources
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-group-create]: /cli/azure/group#az-group-create
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-network-lb-outbound-rule-list]: /cli/azure/network/lb/outbound-rule#az-network-lb-outbound-rule-list
-[az-network-public-ip-show]: /cli/azure/network/public-ip#az-network-public-ip-show
-[az-network-public-ip-prefix-show]: /cli/azure/network/public-ip/prefix#az-network-public-ip-prefix-show
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-group-create]: /cli/azure/group#az_group_create
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-network-lb-outbound-rule-list]: /cli/azure/network/lb/outbound-rule#az_network_lb_outbound_rule_list
+[az-network-public-ip-show]: /cli/azure/network/public-ip#az_network_public_ip_show
+[az-network-public-ip-prefix-show]: /cli/azure/network/public-ip/prefix#az_network_public_ip_prefix_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
[azure-lb]: ../load-balancer/load-balancer-overview.md [azure-lb-comparison]: ../load-balancer/skus.md [azure-lb-outbound-rules]: ../load-balancer/load-balancer-outbound-connections.md#outboundrules
Learn more about using Internal Load Balancer for Inbound traffic at the [AKS In
[internal-lb-yaml]: internal-lb.md#create-an-internal-load-balancer [kubernetes-concepts]: concepts-clusters-workloads.md [use-kubenet]: configure-kubenet.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[requirements]: #requirements-for-customizing-allocated-outbound-ports-and-idle-timeout [use-multiple-node-pools]: use-multiple-node-pools.md [troubleshoot-snat]: #troubleshooting-snat
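Review bot: `[az-extension-add]` is defined twice in load-balancer-standard.md, once in the first block of definitions and again next to `[az-extension-update]` in this hunk, and the change updates both copies in lockstep instead of removing one. Keep a single definition per label. Otherwise a later anchor fix that touches only one copy leaves the two out of sync, and which target the rendered link uses then depends on how the renderer resolves duplicate labels.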
aks Manage Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/manage-azure-rbac.md
az group delete -n MyResourceGroup
<!-- LINKS - Internal --> [aks-support-policies]: support-policies.md [aks-faq]: faq.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks Managed Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/managed-aad.md
Make sure the admin of the security group has given your account an *Active* ass
[azure-rbac-integration]: manage-azure-rbac.md [aks-concepts-identity]: concepts-identity.md [azure-ad-rbac]: azure-ad-rbac.md
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-group-create]: /cli/azure/group#az-group-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-group-create]: /cli/azure/group#az_group_create
[open-id-connect]:../active-directory/develop/v2-protocols-oidc.md
-[az-ad-user-show]: /cli/azure/ad/user#az-ad-user-show
+[az-ad-user-show]: /cli/azure/ad/user#az_ad_user_show
[rbac-authorization]: concepts-identity.md#role-based-access-controls-rbac [operator-best-practices-identity]: operator-best-practices-identity.md [azure-ad-rbac]: azure-ad-rbac.md
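Review bot: the context around these changed lines defines `[azure-ad-rbac]: azure-ad-rbac.md` twice, once before the `az-aks-create` group and once after `az-ad-user-show`. Since this pass already touches the link block of managed-aad.md, drop the second definition. While there, add the missing space after the colon in `[open-id-connect]:../active-directory/develop/v2-protocols-oidc.md` so it matches the other definitions.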
aks Node Image Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/node-image-upgrade.md
az aks nodepool show \
[github-schedule]: node-upgrade-github-actions.md [use-multiple-node-pools]: use-multiple-node-pools.md [max-surge]: upgrade-cluster.md#customize-node-surge-upgrade
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
aks Operator Best Practices Cluster Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-cluster-security.md
This article focused on how to secure your AKS cluster. To implement some of the
[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get <!-- INTERNAL LINKS -->
-[az-aks-get-upgrades]: /cli/azure/aks#az-aks-get-upgrades
-[az-aks-upgrade]: /cli/azure/aks#az-aks-upgrade
+[az-aks-get-upgrades]: /cli/azure/aks#az_aks_get_upgrades
+[az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade
[aks-supported-versions]: supported-kubernetes-versions.md [aks-upgrade]: upgrade-cluster.md [aks-best-practices-identity]: concepts-identity.md
aks Planned Maintenance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/planned-maintenance.md
az aks maintenanceconfiguration delete -g MyResourceGroup --cluster-name myAKSCl
[aks-quickstart-portal]: kubernetes-walkthrough-portal.md [aks-support-policies]: support-policies.md [aks-faq]: faq.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-provider-register]: /cli/azure/provider#az_provider_register
[aks-upgrade]: upgrade-cluster.md
aks Private Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
As mentioned, virtual network peering is one way to access your private cluster.
* In the case of maintenance on the control plane, your [AKS IP](./limit-egress-traffic.md) might change. In this case you must update the A record pointing to the API server private IP on your custom DNS server and restart any custom pods or deployments using hostNetwork. <!-- LINKS - internal -->
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[private-link-service]: ../private-link/private-link-service-overview.md#limitations [virtual-network-peering]: ../virtual-network/virtual-network-peering-overview.md [azure-bastion]: ../bastion/tutorial-create-host-portal.md
aks Quickstart Helm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/quickstart-helm.md
For more information about using Helm, see the Helm documentation.
> [!div class="nextstepaction"] > [Helm documentation][helm-documentation]
-[az-acr-create]: /cli/azure/acr#az-acr-create
-[az-acr-build]: /cli/azure/acr#az-acr-build
-[az-group-delete]: /cli/azure/group#az-group-delete
-[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az aks install-cli]: /cli/azure/aks#az-aks-install-cli
+[az-acr-create]: /cli/azure/acr#az_acr_create
+[az-acr-build]: /cli/azure/acr#az_acr_build
+[az-group-delete]: /cli/azure/group#az_group_delete
+[az aks get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az aks install-cli]: /cli/azure/aks#az_aks_install_cli
[example-nodejs]: https://github.com/Azure/dev-spaces/tree/master/samples/nodejs/getting-started/webfrontend [kubectl]: https://kubernetes.io/docs/user-guide/kubectl/ [helm]: https://helm.sh/
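Review bot: the last two labels in this hunk, `[az aks get-credentials]` and `[az aks install-cli]`, use spaces, while every other definition in the hunk and in the sibling AKS articles uses the hyphenated form (`[az-aks-get-credentials]`, `[az-aks-install-cli]`). The change fixes only the anchor and keeps the odd labels. Rename them to the hyphenated form, together with their in-text references, so a search for the label across the AKS articles finds this file too.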
aks Rdp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/rdp.md
If you need additional troubleshooting data, you can [view the Kubernetes master
<!-- INTERNAL LINKS --> [aks-windows-cli]: windows-container-cli.md
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-vm-delete]: /cli/azure/vm#az-vm-delete
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-vm-delete]: /cli/azure/vm#az_vm_delete
[azure-monitor-containers]: ../azure-monitor/containers/container-insights-overview.md [install-azure-cli]: /cli/azure/install-azure-cli [ssh-steps]: ssh.md
aks Reduce Latency Ppg https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/reduce-latency-ppg.md
az group delete --name myResourceGroup --yes --no-wait
[azure-ad-rbac]: azure-ad-rbac.md [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-get-upgrades]: /cli/azure/aks#az-aks-get-upgrades
-[az-aks-upgrade]: /cli/azure/aks#az-aks-upgrade
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-get-upgrades]: /cli/azure/aks#az_aks_get_upgrades
+[az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade
+[az-aks-show]: /cli/azure/aks#az_aks_show
[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[proximity-placement-groups]: ../virtual-machines/co-location.md#proximity-placement-groups
-[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
[system-pool]: ./use-system-pools.md
-[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-delete]: /cli/azure/group#az_group_delete
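Review bot: `[az-aks-create]` is defined twice in reduce-latency-ppg.md, once after `[proximity-placement-groups]` and again in the final group after `[az-aks-nodepool-add]`. Both copies are rewritten here to the same `#az_aks_create` target. Remove one of them in this change so the two cannot drift apart the next time the anchors are touched.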
aks Scale Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/scale-cluster.md
In this article, you manually scaled an AKS cluster to increase or decrease the
<!-- LINKS - internal --> [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-aks-scale]: /cli/azure/aks#az-aks-scale
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-aks-scale]: /cli/azure/aks#az_aks_scale
[cluster-autoscaler]: cluster-autoscaler.md
-[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az-aks-nodepool-scale
+[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az_aks_nodepool_scale
aks Security Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-baseline.md
Last updated 03/30/2021 -+ # Important: This content is machine generated; do not modify this topic directly. Contact mbaldwin for more information.
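Review bot: the notice in this file says the content is machine generated and must not be modified directly, so a hand edit to security-baseline.md is liable to be lost on the next generation run. Make the change at the source the topic is generated from, through the contact named in the notice, and let the topic regenerate.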
aks Servicemesh Osm About https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/servicemesh-osm-about.md
-
Title: Open Service Mesh (Preview)
-description: Open Service Mesh (OSM) in Azure Kubernetes Service (AKS)
-- Previously updated : 3/12/2021--
-zone_pivot_groups: client-operating-system
--
-# Open Service Mesh AKS add-on (Preview)
-
-## Overview
-
-[Open Service Mesh (OSM)](https://docs.openservicemesh.io/) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
-
-OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI](https://smi-spec.io/) APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.
--
-## Capabilities and Features
-
-OSM provides the following set of capabilities and features to provide a cloud native service mesh for your Azure Kubernetes Service (AKS) clusters:
--- Secure service to service communication by enabling mTLS--- Easily onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy--- Easily and transparent configurations for traffic shifting on deployments--- Ability to define and execute fine grained access control policies for services--- Observability and insights into application metrics for debugging and monitoring services--- Integration with external certificate management services/solutions with a pluggable interface-
-## Scenarios
-
-OSM can assist your AKS deployments with the following scenarios:
--- Provide encrypted communications between service endpoints deployed in the cluster--- Traffic authorization of both HTTP/HTTPS and TCP traffic in the mesh--- Configuration of weighted traffic controls between two or more services for A/B or canary deployments--- Collection and viewing of KPIs from application traffic-
-## OSM Service Quotas and Limits (Preview)
-
-OSM preview limitations for service quotas and limits can be found on the AKS [Quotas and regional limits page](https://docs.microsoft.com/azure/aks/quotas-skus-regions).
----------
-> [!WARNING]
-> Do not attempt to install OSM from the binary using `osm install`. This will result in a installation of OSM that is not integrated as an add-on for AKS.
-
-### Register the `AKS-OpenServiceMesh` preview feature
-
-To create an AKS cluster that can use the Open Service Mesh add-on, you must enable the `AKS-OpenServiceMesh` feature flag on your subscription.
-
-Register the `AKS-OpenServiceMesh` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "AKS-OpenServiceMesh"
-```
-
-It takes a few minutes for the status to show _Registered_. Verify the registration status by using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-OpenServiceMesh')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the _Microsoft.ContainerService_ resource provider by using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
--
-## Install Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for a new AKS cluster
-
-For a new AKS cluster deployment scenario, you will start with a brand new deployment of an AKS cluster enabling the OSM add-on at the cluster create operation.
-
-### Create a resource group
-
-In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named _myOsmAksGroup_ in the _eastus2_ location (region):
-
-```azurecli-interactive
-az group create --name <myosmaksgroup> --location <eastus2>
-```
-
-### Deploy an AKS cluster with the OSM add-on enabled
-
-You'll now deploy a new AKS cluster with the OSM add-on enabled.
-
-> [!NOTE]
-> Please be aware the following AKS deployment command utilizes OS ephemeral disks. You can find more information here about [Ephemeral OS disks for AKS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os)
-
-```azurecli-interactive
-az aks create -n osm-addon-cluster -g <myosmaksgroup> --kubernetes-version 1.19.6 --node-osdisk-type Ephemeral --node-osdisk-size 30 --network-plugin azure --enable-managed-identity -a open-service-mesh
-```
-
-#### Get AKS Cluster Access Credentials
-
-Get access credentials for the new managed Kubernetes cluster.
-
-```azurecli-interactive
-az aks get-credentials -n <myosmakscluster> -g <myosmaksgroup>
-```
-
-## Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster
-
-For an existing AKS cluster scenario, you will enable the OSM add-on to an existing AKS cluster that has already been deployed.
-
-### Enable the OSM add-on to existing AKS cluster
-
-To enable the AKS OSM add-on, you will need to run the `az aks enable-addons --addons` command passing the parameter `open-service-mesh`
-
-```azurecli-interactive
-az aks enable-addons --addons open-service-mesh -g <resource group name> -n <AKS cluster name>
-```
-
-You should see output similar to the output shown below to confirm the AKS OSM add-on has been installed.
-
-```json
-{- Finished ..
- "aadProfile": null,
- "addonProfiles": {
- "KubeDashboard": {
- "config": null,
- "enabled": false,
- "identity": null
- },
- "openServiceMesh": {
- "config": {},
- "enabled": true,
- "identity": {
-...
-```
-
-## Validate the AKS OSM add-on installation
-
-There are several commands to run to check all of the components of the AKS OSM add-on are enabled and running:
-
-First we can query the add-on profiles of the cluster to check the enabled state of the add-ons installed. The following command should return "true".
-
-```azurecli-interactive
-az aks list -g <resource group name> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'
-```
-
-The following `kubectl` commands will report the status of the osm-controller.
-
-```azurecli-interactive
-kubectl get deployments -n kube-system --selector app=osm-controller
-kubectl get pods -n kube-system --selector app=osm-controller
-kubectl get services -n kube-system --selector app=osm-controller
-```
-
-## Accessing the AKS OSM add-on
-
-Currently you can access and configure the OSM controller configuration via the configmap. To view the OSM controller configuration settings, query the osm-config configmap via `kubectl` to view its configuration settings.
-
-```azurecli-interactive
-kubectl get configmap -n kube-system osm-config -o json | jq '.data'
-```
-
-Output of the OSM configmap should look like the following:
-
-```json
-{
- "egress": "true",
- "enable_debug_server": "true",
- "enable_privileged_init_container": "false",
- "envoy_log_level": "error",
- "outbound_ip_range_exclusion_list": "169.254.169.254/32,168.63.129.16/32,<YOUR_API_SERVER_PUBLIC_IP>/32",
- "permissive_traffic_policy_mode": "true",
- "prometheus_scraping": "false",
- "service_cert_validity_duration": "24h",
- "use_https_ingress": "false"
-}
-```
-
-Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
-
-> [!WARNING]
-> Before proceeding please verify that your permissive traffic policy mode is set to true, if not please change it to **true** using the command below
-
-```OSM Permissive Mode to True
-kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"true"}}'
-```
-
-## Deploy a new application to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
-
-### Before you begin
-
-The steps detailed in this walkthrough assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
-
-You must have the following resources installed:
--- The Azure CLI, version 2.20.0 or later-- The `aks-preview` extension version 0.5.5 or later-- OSM version v0.8.0 or later-- apt-get install jq-
-### Create namespaces for the application
-
-In this walkthrough, we will be using the OSM bookstore application that has the following Kubernetes
--- bookbuyer-- bookthief-- bookstore-- bookwarehouse-
-Create namespaces for each of these application components.
-
-```azurecli-interactive
-for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
-```
-
-You should see the following output:
-
-```Output
-namespace/bookstore created
-namespace/bookbuyer created
-namespace/bookthief created
-namespace/bookwarehouse created
-```
-
-### Onboard the namespaces to be managed by OSM
-
-When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
-
-```azurecli-interactive
-osm namespace add bookstore bookbuyer bookthief bookwarehouse
-```
-
-You should see the following output:
-
-```Output
-Namespace [bookstore] successfully added to mesh [osm]
-Namespace [bookbuyer] successfully added to mesh [osm]
-Namespace [bookthief] successfully added to mesh [osm]
-Namespace [bookwarehouse] successfully added to mesh [osm]
-```
-
-### Deploy the Bookstore application to the AKS cluster
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
-```
-
-All of the deployment outputs are summarized below.
-
-```Output
-serviceaccount/bookbuyer created
-service/bookbuyer created
-deployment.apps/bookbuyer created
-
-serviceaccount/bookthief created
-service/bookthief created
-deployment.apps/bookthief created
-
-service/bookstore created
-serviceaccount/bookstore created
-deployment.apps/bookstore created
-
-serviceaccount/bookwarehouse created
-service/bookwarehouse created
-deployment.apps/bookwarehouse created
-```
-
-### Checkpoint: What got installed?
-
-The example Bookstore application is a multi-tiered app that consists of four services, being the bookbuyer, bookthief, bookstore, and bookwarehouse. Both the bookbuyer and bookthief service communicate to the bookstore service to retrieve books from the bookstore service. The bookstore service retrieves books out of the bookwarehouse service to supply the bookbuyer and bookthief. This is a simple multi-tiered application that works well in showing how a service mesh can be used to protect and authorize communications between the applications services. As we continue through the walkthrough, we will be enabling and disabling Service Mesh Interface (SMI) policies to both allow and disallow the services to communicate via OSM. Below is an architecture diagram of what got installed for the bookstore application.
-
-![OSM bookbuyer app architecture](./media/aks-osm-addon/osm-bookstore-app-arch.png)
-
-### Verify the Bookstore application running inside the AKS cluster
-
-As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later tutorials will assist you in exposing the application outside the cluster via an ingress controller. For now we will be utilizing port forwarding to access the bookbuyer application inside the AKS cluster to verify it is buying books from the bookstore service.
-
-To verify that the application is running inside the cluster, we will use a port forward to view both the bookbuyer and bookthief components UI.
-
-First let's get the bookbuyer pod's name
-
-```azurecli-interactive
-kubectl get pod -n bookbuyer
-```
-
-You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
-```
-
-Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
-
-> [!NOTE]
-> For all port forwarding commands it is best to use an additional terminal so that you can continue to work through this walkthrough and not disconnect the tunnel. It is also best that you establish the port forward tunnel outside of the Azure Cloud Shell.
-
-```Bash
-kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
-```
-
-You should see output similar to this.
-
-```Output
-Forwarding from 127.0.0.1:8080 -> 14001
-Forwarding from [::1]:8080 -> 14001
-```
-
-While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
-
-![OSM bookbuyer app UI image](./media/aks-osm-addon/osm-bookbuyer-service-ui.png)
-
-You will also notice that the total books bought number continues to increment to the bookstore v1 service. The bookstore v2 service has not been deployed yet. We will deploy the bookstore v2 service when we demonstrate the SMI traffic split policies.
-
-You can also check the same for the bookthief service.
-
-```azurecli-interactive
-kubectl get pod -n bookthief
-```
-
-You should see output similar to the following. Your bookthief pod will have a unique name appended.
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookthief-59549fb69c-cr8vl 2/2 Running 0 15m54s
-```
-
-Port forward to bookthief pod.
-
-```Bash
-kubectl port-forward bookthief-59549fb69c-cr8vl -n bookthief 8080:14001
-```
-
-Navigate to the following url from a browser `http://localhost:8080`. You should see the bookthief is currently stealing books from the bookstore service! Later on we will implement a traffic policy to stop the bookthief.
-
-![OSM bookthief app UI image](./media/aks-osm-addon/osm-bookthief-service-ui.png)
-
-### Disable OSM Permissive Traffic Mode for the mesh
-
-As mentioned earlier when viewing the OSM cluster configuration, the OSM configuration defaults to enabling permissive traffic mode policy. In this mode traffic policy enforcement is bypassed and OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
-
-We will now disable the permissive traffic mode policy and OSM will need explicit [SMI](https://smi-spec.io/) policies deployed to the cluster to allow communications in the mesh from each service. To disable permissive traffic mode, run the following command to update the configmap property changing the value from `true` to `false`.
-
-```azurecli-interactive
-kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"false"}}'
-```
-
-You should see output similar to the following. Your bookthief pod will have a unique name appended.
-
-```Output
-configmap/osm-config patched
-```
-
-To verify permissive traffic mode has been disabled, port forward back into either the bookbuyer or bookthief pod to view their UI in the browser and see if the books bought or books stolen is no longer incrementing. Ensure to refresh the browser. If the incrementing has stopped, the policy was applied correctly. You have successfully stopped the bookthief from stealing books, but neither the bookbuyer can purchase from the bookstore nor the bookstore can retrieve books from the bookwarehouse. Next we will implement [SMI](https://smi-spec.io/) policies to allow only the services in the mesh you'd like to communicate to do so.
-
-### Apply Service Mesh Interface (SMI) traffic access policies
-
-Now that we have disabled all communications in the mesh, let's allow our bookbuyer service to communicate to our bookstore service for purchasing books, and allow our bookstore service to communicate to our bookwarehouse service to retrieving books to sell.
-
-Deploy the following [SMI](https://smi-spec.io/) policies.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-
-apiVersion: access.smi-spec.io/v1alpha3
-kind: TrafficTarget
-metadata:
- name: bookbuyer-access-bookstore
- namespace: bookstore
-spec:
- destination:
- kind: ServiceAccount
- name: bookstore
- namespace: bookstore
- rules:
- - kind: HTTPRouteGroup
- name: bookstore-service-routes
- matches:
- - buy-a-book
- - books-bought
- sources:
- - kind: ServiceAccount
- name: bookbuyer
- namespace: bookbuyer
-
-apiVersion: specs.smi-spec.io/v1alpha4
-kind: HTTPRouteGroup
-metadata:
- name: bookstore-service-routes
- namespace: bookstore
-spec:
- matches:
- - name: books-bought
- pathRegex: /books-bought
- methods:
- - GET
- headers:
- - "user-agent": ".*-http-client/*.*"
- - "client-app": "bookbuyer"
- - name: buy-a-book
- pathRegex: ".*a-book.*new"
- methods:
- - GET
- - name: update-books-bought
- pathRegex: /update-books-bought
- methods:
- - POST
-
-kind: TrafficTarget
-apiVersion: access.smi-spec.io/v1alpha3
-metadata:
- name: bookstore-access-bookwarehouse
- namespace: bookwarehouse
-spec:
- destination:
- kind: ServiceAccount
- name: bookwarehouse
- namespace: bookwarehouse
- rules:
- - kind: HTTPRouteGroup
- name: bookwarehouse-service-routes
- matches:
- - restock-books
- sources:
- - kind: ServiceAccount
- name: bookstore
- namespace: bookstore
- - kind: ServiceAccount
- name: bookstore-v2
- namespace: bookstore
-
-apiVersion: specs.smi-spec.io/v1alpha4
-kind: HTTPRouteGroup
-metadata:
- name: bookwarehouse-service-routes
- namespace: bookwarehouse
-spec:
- matches:
- - name: restock-books
- methods:
- - POST
- headers:
- - host: bookwarehouse.bookwarehouse
-EOF
-```
-
-You should see output similar to the following.
-
-```Output
-traffictarget.access.smi-spec.io/bookbuyer-access-bookstore-v1 created
-httproutegroup.specs.smi-spec.io/bookstore-service-routes created
-traffictarget.access.smi-spec.io/bookstore-access-bookwarehouse created
-httproutegroup.specs.smi-spec.io/bookwarehouse-service-routes created
-```
-
-You can now set up a port forwarding session on either the bookbuyer or bookstore pods and see that both the books bought and books sold metrics are back incrementing. You can also do the same for the bookthief pod to verify it is still no longer able to steal books.
-
-### Apply Service Mesh Interface (SMI) traffic split policies
-
-For our final demonstration, we will create an [SMI](https://smi-spec.io/) traffic split policy to configure the weight of communications from one service to multiple services as a backend. The traffic split functionality allows you to progressively move connections to one service over to another by weighting the traffic on a scale of 0 to 100.
-
-The below graphic is a diagram of the [SMI](https://smi-spec.io/) Traffic Split policy to be deployed. We will deploy an additional Bookstore version 2 and then split the incoming traffic from the bookbuyer, weighting 25% of the traffic to the bookstore v1 service and 75% to the bookstore v2 service.
-
-![OSM bookbuyer traffic split diagram](./media/aks-osm-addon/osm-bookbuyer-traffic-split-diagram.png)
-
-Deploy the bookstore v2 service.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-
-apiVersion: v1
-kind: Service
-metadata:
- name: bookstore-v2
- namespace: bookstore
- labels:
- app: bookstore-v2
-spec:
- ports:
- - port: 14001
- name: bookstore-port
- selector:
- app: bookstore-v2
-
-# Deploy bookstore-v2 Service Account
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bookstore-v2
- namespace: bookstore
-
-# Deploy bookstore-v2 Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: bookstore-v2
- namespace: bookstore
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: bookstore-v2
- template:
- metadata:
- labels:
- app: bookstore-v2
- spec:
- serviceAccountName: bookstore-v2
- containers:
- - name: bookstore
- image: openservicemesh/bookstore:v0.8.0
- imagePullPolicy: Always
- ports:
- - containerPort: 14001
- name: web
- command: ["/bookstore"]
- args: ["--path", "./", "--port", "14001"]
- env:
- - name: BOOKWAREHOUSE_NAMESPACE
- value: bookwarehouse
- - name: IDENTITY
- value: bookstore-v2
-
-kind: TrafficTarget
-apiVersion: access.smi-spec.io/v1alpha3
-metadata:
- name: bookbuyer-access-bookstore-v2
- namespace: bookstore
-spec:
- destination:
- kind: ServiceAccount
- name: bookstore-v2
- namespace: bookstore
- rules:
- - kind: HTTPRouteGroup
- name: bookstore-service-routes
- matches:
- - buy-a-book
- - books-bought
- sources:
- - kind: ServiceAccount
- name: bookbuyer
- namespace: bookbuyer
-EOF
-```
-
-You should see the following output.
-
-```Output
-service/bookstore-v2 configured
-serviceaccount/bookstore-v2 created
-deployment.apps/bookstore-v2 created
-traffictarget.access.smi-spec.io/bookstore-v2 created
-```
-
-Now deploy the traffic split policy to split the bookbuyer traffic between the two bookstore v1 and v2 service.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-apiVersion: split.smi-spec.io/v1alpha2
-kind: TrafficSplit
-metadata:
- name: bookstore-split
- namespace: bookstore
-spec:
- service: bookstore.bookstore
- backends:
- - service: bookstore
- weight: 25
- - service: bookstore-v2
- weight: 75
-EOF
-```
-
-You should see the following output.
-
-```Output
-trafficsplit.split.smi-spec.io/bookstore-split created
-```
-
-Set up a port forward tunnel to the bookbuyer pod and you should now see books being purchased from the bookstore v2 service. If you continue to watch the increment of purchases you should notice a faster increment of purchases happening through the bookstore v2 service.
-
-![OSM bookbuyer books boough UI](./media/aks-osm-addon/osm-bookbuyer-traffic-split-ui.png)
-
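Review bot: the expected-output blocks in the two SMI sections above do not match the manifests they follow. The access-policy manifest names the TrafficTarget `bookbuyer-access-bookstore`, but the output reads `traffictarget.access.smi-spec.io/bookbuyer-access-bookstore-v1 created`; the bookstore v2 manifest names it `bookbuyer-access-bookstore-v2`, but the output reads `traffictarget.access.smi-spec.io/bookstore-v2 created`. With permissive mode off, these objects are what authorizes traffic, so a reader checking that the right policy landed needs the names to agree; if this walkthrough is being relocated rather than dropped, fix them in the new copy. In the same HTTPRouteGroup, the header pattern `".*-http-client/*.*"` uses `/*`, which matches zero or more slashes, so it accepts any user-agent containing `-http-client`; confirm that is the intended match.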
-## Manage existing deployed applications to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
-
-### Before you begin
-
-The steps detailed in this walkthrough assume that you have previously enabled the OSM AKS add-on for your AKS cluster. If not, review the section [Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster](#enable-open-service-mesh-osm-azure-kubernetes-service-aks-add-on-for-an-existing-aks-cluster) before proceeding. Also, your AKS cluster needs to be version Kubernetes `1.19+` and above, have Kubernetes RBAC enabled, and have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
-
-You must have the following resources installed:
--- The Azure CLI, version 2.20.0 or later-- The `aks-preview` extension version 0.5.5 or later-- OSM version v0.8.0 or later-- apt-get install jq-
-### Verify the Open Service Mesh (OSM) Permissive Traffic Mode Policy
-
-The OSM Permissive Traffic Policy mode is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
-
-To verify the current permissive traffic mode of OSM for your cluster, run the following command:
-
-```azurecli-interactive
-kubectl get configmap -n kube-system osm-config -o json | jq '.data'
-```
-
-Output of the OSM configmap should look like the following:
-
-```Output
-{
- "egress": "true",
- "enable_debug_server": "true",
- "envoy_log_level": "error",
- "permissive_traffic_policy_mode": "true",
- "prometheus_scraping": "false",
- "service_cert_validity_duration": "24h",
- "use_https_ingress": "false"
-}
-```
-
-If the **permissive_traffic_policy_mode** is configured to **true**, you can safely onboard your namespaces without any disruption to your service-to-service communications. If the **permissive_traffic_policy_mode** is configured to **false**, You will need to ensure you have the correct [SMI](https://smi-spec.io/) traffic access policy manifests deployed as well as ensuring you have a service account representing each service deployed in the namespace. Please follow the guidance for [Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False](#onboard-existing-deployed-applications-with-open-service-mesh-osm-permissive-traffic-policy-configured-as-false)
-
-### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as True
-
-The first thing we'll do is add the deployed application namespace(s) to OSM to manage.
-
-```azurecli-interactive
-osm namespace add bookstore
-```
-
-You should see the following output:
-
-```Output
-Namespace [bookstore] successfully added to mesh [osm]
-```
-
-Next we will take a look at the current pod deployment in the namespace. Run the following command to view the pods in the designated namespace.
-
-```azurecli-interactive
-kubectl get pod -n bookbuyer
-```
-
-You should see the following similar output:
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookbuyer-78666dcff8-wh6wl 1/1 Running 0 43s
-```
-
-Notice the **READY** column showing **1/1**, meaning that the application pod has only one container. Next we will need to restart your application deployments so that OSM can inject the Envoy sidecar proxy container with your application pod. Let's get a list of deployments in the namespace.
-
-```azurecli-interactive
-kubectl get deployment -n bookbuyer
-```
-
-You should see the following output:
-
-```Output
-NAME READY UP-TO-DATE AVAILABLE AGE
-bookbuyer 1/1 1 1 23h
-```
-
-Now we will restart the deployment to inject the Envoy sidecar proxy container with your application pod. Run the following command.
-
-```azurecli-interactive
-kubectl rollout restart deployment bookbuyer -n bookbuyer
-```
-
-You should see the following output:
-
-```Output
-deployment.apps/bookbuyer restarted
-```
-
-If we take a look at the pods in the namespace again:
-
-```azurecli-interactive
-kubectl get pod -n bookbuyer
-```
-
-You will now notice that the **READY** column is now showing **2/2** containers being ready for your pod. The second container is the Envoy sidecar proxy.
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookbuyer-84446dd5bd-j4tlr 2/2 Running 0 3m30s
-```
-
-We can further inspect the pod to view the Envoy proxy by running the describe command to view the configuration.
-
-```azurecli-interactive
-kubectl describe pod bookbuyer-84446dd5bd-j4tlr -n bookbuyer
-```
-
-```Output
-Containers:
- bookbuyer:
- Container ID: containerd://b7503b866f915711002292ea53970bd994e788e33fb718f1c4f8f12cd4a88198
- Image: openservicemesh/bookbuyer:v0.8.0
- Image ID: docker.io/openservicemesh/bookbuyer@sha256:813874bd2dc9c5a259b9657995348cf0822b905e29c4e86f21fdefa0ef21dcee
- Port: <none>
- Host Port: <none>
- Command:
- /bookbuyer
- State: Running
- Started: Tue, 23 Mar 2021 10:52:53 -0400
- Ready: True
- Restart Count: 0
- Environment:
- BOOKSTORE_NAMESPACE: bookstore
- BOOKSTORE_SVC: bookstore
- Mounts:
- /var/run/secrets/kubernetes.io/serviceaccount from bookbuyer-token-zft2r (ro)
- envoy:
- Container ID: containerd://f5f1cb5db8d5304e23cc984eb08146ea162a3e82d4262c4472c28d5579c25e10
- Image: envoyproxy/envoy-alpine:v1.17.1
- Image ID: docker.io/envoyproxy/envoy-alpine@sha256:511e76b9b73fccd98af2fbfb75c34833343d1999469229fdfb191abd2bbe3dfb
- Ports: 15000/TCP, 15003/TCP, 15010/TCP
- Host Ports: 0/TCP, 0/TCP, 0/TCP
-```
-
-Verify your application is still functional after the Envoy sidecar proxy injection.
-
-### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False
-
-When the OSM configuration for the permissive traffic policy is set to `false`, OSM will require explicit [SMI](https://smi-spec.io/) traffic access policies deployed for the service-to-service communication to happen within your cluster. Currently, OSM also uses Kubernetes service accounts as part of authorizing service-to-service communications as well. To ensure your existing deployed applications will communicate when managed by the OSM mesh, we will need to verify the existence of a service account to utilize, update the application deployment with the service account information, apply the [SMI](https://smi-spec.io/) traffic access policies.
-
-#### Verify Kubernetes Service Accounts
-
-Verify if you have a kubernetes service account in the namespace your application is deployed to.
-
-```azurecli-interactive
-kubectl get serviceaccounts -n bookbuyer
-```
-
-In the following there is a service account named `bookbuyer` in the bookbuyer namespace.
-
-```Output
-NAME SECRETS AGE
-bookbuyer 1 25h
-default 1 25h
-```
-
-If you do not have a service account listed other than the default account, you will need to create one for your application. Use the following command as an example to create a service account in the application's deployed namespace.
-
-```azurecli-interactive
-kubectl create serviceaccount myserviceaccount -n bookbuyer
-```
-
-```Output
-serviceaccount/myserviceaccount created
-```
-
-#### View your application's current deployment specification
-
-If you had to create a service account from the earlier section, chances are your application deployment is not configured with a specific `serviceAccountName` in the deployment spec. We can view your application's deployment spec with the following commands:
-
-```azurecli-interactive
-kubectl get deployment -n bookbuyer
-```
-
-A list of deployments will be listed in the output.
-
-```Output
-NAME READY UP-TO-DATE AVAILABLE AGE
-bookbuyer 1/1 1 1 25h
-```
-
-We will now describe the deployment as a check to see if there is a service account listed in the Pod Template section.
-
-```azurecli-interactive
-kubectl describe deployment bookbuyer -n bookbuyer
-```
-
-In this particular deployment you can see that there is a service account associated with the deployment listed under the Pod Template section. This deployment is using the service account bookbuyer. If you do not see the **Serivce Account:** property, your deployment is not configured to use a service account.
-
-```Output
-Pod Template:
- Labels: app=bookbuyer
- version=v1
- Annotations: kubectl.kubernetes.io/restartedAt: 2021-03-23T10:52:49-04:00
- Service Account: bookbuyer
- Containers:
- bookbuyer:
- Image: openservicemesh/bookbuyer:v0.8.0
-
-```
-
-There are several techniques to update your deployment to add a kubernetes service account. Review the Kubernetes documentation on [Updating a Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment) inline, or [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). Once you have updated your deployment spec with the service account, redeploy (kubectl apply -f your-deployment.yaml) your deployment to the cluster.
-
-#### Deploy the necessary Service Mesh Interface (SMI) Policies
-
-The last step to allowing authorized traffic to flow in the mesh is to deploy the necessary [SMI](https://smi-spec.io/) traffic access policies for your application. The amount of configuration you can achieve with [SMI](https://smi-spec.io/) traffic access policies is beyond the scope of this walkthrough, but we will detail some of the common components of the specification and show how to configure both a simple TrafficTarget and HTTPRouteGroup policy to enable service-to-service communication for your application.
-
-The [SMI](https://smi-spec.io/) [**Traffic Access Control**](https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-access/v1alpha3/traffic-access.md#traffic-access-control) specification allows users to define the access control policy for their applications. We will focus on the **TrafficTarget** and **HTTPRoutGroup** api resources.
-
-The TrafficTarget resource consists of three main configuration settings destination, rules, and sources. An example TrafficTarget is shown below.
-
-```TrafficTarget Example spec
-apiVersion: access.smi-spec.io/v1alpha3
-kind: TrafficTarget
-metadata:
- name: bookbuyer-access-bookstore-v1
- namespace: bookstore
-spec:
- destination:
- kind: ServiceAccount
- name: bookstore
- namespace: bookstore
- rules:
- - kind: HTTPRouteGroup
- name: bookstore-service-routes
- matches:
- - buy-a-book
- - books-bought
- sources:
- - kind: ServiceAccount
- name: bookbuyer
- namespace: bookbuyer
-```
-
-In the above TrafficTarget spec, the `destination` denotes the service account that is configured for the destination source service. Remember the service account that was added to the deployment earlier will be used to authorize access to the deployment it is attached to. The `rules` section , in this particular example, defines the type of HTTP traffic that is allowed over the connection. You can configure fine grain regex patterns for the HTTP headers to be specific on what traffic is allowed via HTTP. The `sources` section is the service originating communications. This spec reads bookbuyer needs to communicate to the bookstore.
-
-The HTTPRouteGroup resource consists of one or an array of matches of HTTP header information and is a requirement for the TrafficTarget spec. In the example below, you can see that the HTTPRouteGroup is authorizing three HTTP actions, two GET and one POST.
-
-```HTTPRouteGroup Example Spec
-apiVersion: specs.smi-spec.io/v1alpha4
-kind: HTTPRouteGroup
-metadata:
- name: bookstore-service-routes
- namespace: bookstore
-spec:
- matches:
- - name: books-bought
- pathRegex: /books-bought
- methods:
- - GET
- headers:
- - "user-agent": ".*-http-client/*.*"
- - "client-app": "bookbuyer"
- - name: buy-a-book
- pathRegex: ".*a-book.*new"
- methods:
- - GET
- - name: update-books-bought
- pathRegex: /update-books-bought
- methods:
- - POST
-```
-
-If you are not familiar with the type of HTTP traffic your front-end application makes to other tiers of the application, since the TrafficTarget spec requires a rule, you can create the equivalent of an allow all rule using the below spec for HTTPRouteGroup.
-
-```HTTPRouteGroup Allow All Example
-apiVersion: specs.smi-spec.io/v1alpha4
-kind: HTTPRouteGroup
-metadata:
- name: allow-all
- namespace: yournamespace
-spec:
- matches:
- - name: allow-all
- pathRegex: '.*'
- methods: ["GET","PUT","POST","DELETE","PATCH"]
-```
-
-Once you configure your TrafficTarget and HTTPRouteGroup spec, you can put them together as one YAML and deploy. Below is the bookstore example configuration.
-
-```Bookstore Example TrafficTarget and HTTPRouteGroup configuration
-kubectl apply -f - <<EOF
-
-apiVersion: access.smi-spec.io/v1alpha3
-kind: TrafficTarget
-metadata:
- name: bookbuyer-access-bookstore-v1
- namespace: bookstore
-spec:
- destination:
- kind: ServiceAccount
- name: bookstore
- namespace: bookstore
- rules:
- - kind: HTTPRouteGroup
- name: bookstore-service-routes
- matches:
- - buy-a-book
- - books-bought
- sources:
- - kind: ServiceAccount
- name: bookbuyer
- namespace: bookbuyer
-
-apiVersion: specs.smi-spec.io/v1alpha4
-kind: HTTPRouteGroup
-metadata:
- name: bookstore-service-routes
- namespace: bookstore
-spec:
- matches:
- - name: books-bought
- pathRegex: /books-bought
- methods:
- - GET
- headers:
- - "user-agent": ".*-http-client/*.*"
- - "client-app": "bookbuyer"
- - name: buy-a-book
- pathRegex: ".*a-book.*new"
- methods:
- - GET
- - name: update-books-bought
- pathRegex: /update-books-bought
- methods:
- - POST
-EOF
-```
-
-Visit the [SMI](https://smi-spec.io/) site for more detailed information on the specification.
-
-### Manage the application's namespace with OSM
-
-Next we will configure OSM to manage the namespace and restart the deployments to get the Envoy sidecar proxy injected with the application.
-
-Run the following command to configure the `azure-vote` namespace to be managed my OSM.
-
-```azurecli-interactive
-osm namespace add azure-vote
-```
-
-```Output
-Namespace [azure-vote] successfully added to mesh [osm]
-```
-
-Next restart both the `azure-vote-front` and `azure-vote-back` deployments with the following commands.
-
-```azurecli-interactive
-kubectl rollout restart deployment azure-vote-front -n azure-vote
-kubectl rollout restart deployment azure-vote-back -n azure-vote
-```
-
-```Output
-deployment.apps/azure-vote-front restarted
-deployment.apps/azure-vote-back restarted
-```
-
-If we view the pods for the `azure-vote` namespace, we will see the **READY** stage of both the `azure-vote-front` and `azure-vote-back` as 2/2, meaning the Envoy sidecar proxy has been injected alongside the application.
-
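Review bot: the allow-all HTTPRouteGroup under "Deploy the necessary Service Mesh Interface (SMI) Policies" is offered as the fallback when the application's HTTP traffic is unknown, with no statement that it should be narrowed afterwards. `pathRegex: '.*'` with five methods lets any source named in the TrafficTarget reach every path on the destination, and it is not a full allow-all either, since HEAD and OPTIONS are absent from `methods`. If this section is kept anywhere, add a sentence telling readers to replace it with specific routes once the traffic is known. Separately, the permissive-true steps run `osm namespace add bookstore` and then inspect and restart pods in the `bookbuyer` namespace, and the final subsection switches to an `azure-vote` namespace that is not introduced earlier in the visible text; one namespace should be used throughout.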
-## Tutorial: Deploy an application managed by Open Service Mesh (OSM) with NGINX ingress
-
-Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
-
-In this tutorial, you will:
-
-> [!div class="checklist"]
->
-> - View the current OSM cluster configuration
-> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
-> - Onboard the namespaces to be managed by OSM
-> - Deploy the sample application
-> - Verify the application running inside the AKS cluster
-> - Create a NGINX ingress controller used for the appliction
-> - Expose a service via the Azure Application Gateway ingress to the internet
-
-### Before you begin
-
-The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
-
-You must have the following resources installed:
--- The Azure CLI, version 2.20.0 or later-- The `aks-preview` extension version 0.5.5 or later-- OSM version v0.8.0 or later-- apt-get install jq-
-### View and verify the current OSM cluster configuration
-
-Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
-
-```azurecli-interactive
-kubectl get configmap -n kube-system osm-config -o json | jq '.data'
-```
-
-Output shows the current OSM configuration for the cluster.
-
-```json
-{
- "egress": "true",
- "enable_debug_server": "true",
- "enable_privileged_init_container": "false",
- "envoy_log_level": "error",
- "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
- "permissive_traffic_policy_mode": "false",
- "prometheus_scraping": "false",
- "service_cert_validity_duration": "24h",
- "use_https_ingress": "false"
-}
-```
-
-Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
-
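Review bot: in "View and verify the current OSM cluster configuration" the sample output and the sentence after it disagree. The JSON shows `"permissive_traffic_policy_mode": "false"`, while the next paragraph says "Notice the permissive_traffic_policy_mode is configured to true". The two values mean opposite things for the rest of the tutorial (SMI enforcement active versus bypassed), so whichever state the tutorial assumes should appear in both places if the text survives elsewhere.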
-### Create namespaces for the application
-
-In this tutorial we will be using the OSM bookstore application that has the following application components:
--- bookbuyer-- bookthief-- bookstore-- bookwarehouse-
-Create namespaces for each of these application components.
-
-```azurecli-interactive
-for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
-```
-
-You should see the following output:
-
-```Output
-namespace/bookstore created
-namespace/bookbuyer created
-namespace/bookthief created
-namespace/bookwarehouse created
-```
-
-### Onboard the namespaces to be managed by OSM
-
-Adding the namespaces to the OSM mesh will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
-
-```azurecli-interactive
-osm namespace add bookstore bookbuyer bookthief bookwarehouse
-```
-
-You should see the following output:
-
-```Output
-Namespace [bookstore] successfully added to mesh [osm]
-Namespace [bookbuyer] successfully added to mesh [osm]
-Namespace [bookthief] successfully added to mesh [osm]
-Namespace [bookwarehouse] successfully added to mesh [osm]
-```
-
-### Deploy the Bookstore application to the AKS cluster
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
-```
-
-All of the deployment outputs are summarized below.
-
-```Output
-serviceaccount/bookbuyer created
-service/bookbuyer created
-deployment.apps/bookbuyer created
-
-serviceaccount/bookthief created
-service/bookthief created
-deployment.apps/bookthief created
-
-service/bookstore created
-serviceaccount/bookstore created
-deployment.apps/bookstore created
-
-serviceaccount/bookwarehouse created
-service/bookwarehouse created
-deployment.apps/bookwarehouse created
-```
-
-### Update the Bookbuyer Service
-
-Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Service
-metadata:
- name: bookbuyer
- namespace: bookbuyer
- labels:
- app: bookbuyer
-spec:
- ports:
- - port: 14001
- name: inbound-port
- selector:
- app: bookbuyer
-EOF
-```
-
-### Verify the Bookstore application running inside the AKS cluster
-
-As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
-
-First let's get the bookbuyer pod's name
-
-```azurecli-interactive
-kubectl get pod -n bookbuyer
-```
-
-You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
-```
-
-Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
-
-```azurecli-interactive
-kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
-```
-
-You should see output similar to this.
-
-```Output
-Forwarding from 127.0.0.1:8080 -> 14001
-Forwarding from [::1]:8080 -> 14001
-```
-
-While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
-
-![OSM bookbuyer app for NGINX UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
-
-### Create an NGINX ingress controller in Azure Kubernetes Service (AKS)
-
-An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
-
-We will utilize the ingress controller to expose the application managed by OSM to the internet. To create the ingress controller, use Helm to install nginx-ingress. For added redundancy, two replicas of the NGINX ingress controllers are deployed with the `--set controller.replicaCount` parameter. To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.
-
-The ingress controller also needs to be scheduled on a Linux node. Windows Server nodes shouldn't run the ingress controller. A node selector is specified using the `--set nodeSelector` parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.
-
-> [!TIP]
-> The following example creates a Kubernetes namespace for the ingress resources named _ingress-basic_. Specify a namespace for your own environment as needed.
-
-```azurecli-interactive
-# Create a namespace for your ingress resources
-kubectl create namespace ingress-basic
-
-# Add the ingress-nginx repository
-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-
-# Update the helm repo(s)
-helm repo update
-
-# Use Helm to deploy an NGINX ingress controller in the ingress-basic namespace
-helm install nginx-ingress ingress-nginx/ingress-nginx \
- --namespace ingress-basic \
- --set controller.replicaCount=1 \
- --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
-```
-
-When the Kubernetes load balancer service is created for the NGINX ingress controller, a dynamic public IP address is assigned, as shown in the following example output:
-
-```Output
-$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
-
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
-nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.74.133 EXTERNAL_IP 80:32486/TCP,443:30953/TCP 44s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
-```
-
-No ingress rules have been created yet, so the NGINX ingress controller's default 404 page is displayed if you browse to the internal IP address. Ingress rules are configured in the following steps.
-
-### Expose the bookbuyer service to the internet
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: bookbuyer-ingress
- namespace: bookbuyer
- annotations:
- kubernetes.io/ingress.class: nginx
-
-spec:
-
- rules:
- - host: bookbuyer.contoso.com
- http:
- paths:
- - path: /
- backend:
- serviceName: bookbuyer
- servicePort: 14001
-
- backend:
- serviceName: bookbuyer
- servicePort: 14001
-EOF
-```
-
-You should see the following output:
-
-```Output
-Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
-ingress.extensions/bookbuyer-ingress created
-```
-
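Review bot: the Ingress manifest in "Expose the bookbuyer service to the internet" uses `apiVersion: extensions/v1beta1`, and the expected output quoted right after it already warns that this API is "deprecated in v1.14+, unavailable in v1.22+". The prerequisites only require Kubernetes `1.19+`, so the manifest stops applying on clusters the tutorial still claims to support; any retained copy should move to `networking.k8s.io/v1`, as the warning itself recommends. In the preceding Helm step the prose says two replicas are deployed for redundancy while the command sets `--set controller.replicaCount=1`, and the text says the default 404 page appears at the "internal IP address" although the service is a LoadBalancer with an external IP; both should be reconciled.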
-### View the NGINX logs
-
-```azurecli-interactive
-POD=$(kubectl get pods -n ingress-basic | grep 'nginx-ingress' | awk '{print $1}')
-
-kubectl logs $POD -n ingress-basic -f
-```
-
-Output shows the NGINX ingress controller status when ingress rule has been applied successfully:
-
-```Output
-I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
-I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"bookbuyer", Name:"bookbuyer-ingress", UID:"e1018efc-8116-493c-9999-294b4566819e", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"5460", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
-I0321 <date> 6 controller.go:146] "Configuration changes detected, backend reload required"
-I0321 <date> 6 controller.go:163] "Backend successfully reloaded"
-I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
-```
-
-### View the NGINX services and bookbuyer service externally
-
-```azurecli-interactive
-kubectl get services -n ingress-basic
-```
-
-```Output
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.100.23 20.193.1.74 80:31742/TCP,443:32683/TCP 4m15s
-nginx-ingress-ingress-nginx-controller-admission ClusterIP 10.0.163.98 <none> 443/TCP 4m15s
-```
-
-Since the host name in the ingress manifest is a psuedo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the NGINX public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
-
-```azurecli-interactive
-curl -H 'Host: bookbuyer.contoso.com' http://EXTERNAL-IP/
-```
-
-You should see the following output:
-
-```Output
-<!doctype html>
-<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
- <head>
- <meta content="Bookbuyer" name="description">
- <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
- <title>Bookbuyer</title>
- <style>
- #navbar {
- width: 100%;
- height: 50px;
- display: table;
- border-spacing: 0;
- white-space: nowrap;
- line-height: normal;
- background-color: #0078D4;
- background-position: left top;
- background-repeat-x: repeat;
- background-image: none;
- color: white;
- font: 2.2em "Fira Sans", sans-serif;
- }
- #main {
- padding: 10pt 10pt 10pt 10pt;
- font: 1.8em "Fira Sans", sans-serif;
- }
- li {
- padding: 10pt 10pt 10pt 10pt;
- font: 1.2em "Consolas", sans-serif;
- }
- </style>
- <script>
- setTimeout(function(){window.location.reload(1);}, 1500);
- </script>
- </head>
- <body bgcolor="#fff">
- <div id="navbar">
- &#128214; Bookbuyer
- </div>
- <div id="main">
- <ul>
- <li>Total books bought: <strong>1833</strong>
- <ul>
- <li>from bookstore V1: <strong>277</strong>
- <li>from bookstore V2: <strong>1556</strong>
- </ul>
- </li>
- </ul>
- </div>
-
- <br/><br/><br/><br/>
- <br/><br/><br/><br/>
- <br/><br/><br/><br/>
-
- Current Time: <strong>Fri, 26 Mar 2021 15:02:53 UTC</strong>
- </body>
-</html>
-```
-
-## Tutorial: Deploy an application managed by Open Service Mesh (OSM) using Azure Application Gateway ingress AKS add-on
-
-Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
-
-In this tutorial, you will:
-
-> [!div class="checklist"]
->
-> - View the current OSM cluster configuration
-> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
-> - Onboard the namespaces to be managed by OSM
-> - Deploy the sample application
-> - Verify the application running inside the AKS cluster
-> - Create an Azure Application Gateway to be used as the ingress controller for the appliction
-> - Expose a service via the Azure Application Gateway ingress to the internet
-
-### Before you begin
-
-The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), have installed the AKS OSM add-on, and will be creating a new Azure Application Gateway for ingress.
-
-You must have the following resources installed:
--- The Azure CLI, version 2.20.0 or later-- The `aks-preview` extension version 0.5.5 or later-- AKS cluster version 1.19+ using Azure CNI networking (Attached to an Azure Vnet)-- OSM version v0.8.0 or later-- apt-get install jq-
-### View and verify the current OSM cluster configuration
-
-Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
-
-```azurecli-interactive
-kubectl get configmap -n kube-system osm-config -o json | jq '.data'
-```
-
-Output shows the current OSM configuration for the cluster.
-
-```json
-{
- "egress": "true",
- "enable_debug_server": "true",
- "enable_privileged_init_container": "false",
- "envoy_log_level": "error",
- "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
- "permissive_traffic_policy_mode": "false",
- "prometheus_scraping": "false",
- "service_cert_validity_duration": "24h",
- "use_https_ingress": "false"
-}
-```
-
-Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
-
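Review bot: the removed paragraph beginning "Notice the **permissive_traffic_policy_mode** is configured to **true**" contradicts the sample output directly above it, which shows `"permissive_traffic_policy_mode": "false"`. If this section is being moved to another article rather than dropped, make the two agree there. The difference matters because, as the paragraph itself says, permissive mode bypasses SMI traffic policy enforcement.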
-### Create namespaces for the application
-
-In this tutorial we will be using the OSM bookstore application that has the following application components:
--- bookbuyer-- bookthief-- bookstore-- bookwarehouse-
-Create namespaces for each of these application components.
-
-```azurecli-interactive
-for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
-```
-
-You should see the following output:
-
-```Output
-namespace/bookstore created
-namespace/bookbuyer created
-namespace/bookthief created
-namespace/bookwarehouse created
-```
-
-### Onboard the namespaces to be managed by OSM
-
-When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
-
-```azurecli-interactive
-osm namespace add bookstore bookbuyer bookthief bookwarehouse
-```
-
-You should see the following output:
-
-```Output
-Namespace [bookstore] successfully added to mesh [osm]
-Namespace [bookbuyer] successfully added to mesh [osm]
-Namespace [bookthief] successfully added to mesh [osm]
-Namespace [bookwarehouse] successfully added to mesh [osm]
-```
-
-### Deploy the Bookstore application to the AKS cluster
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
-```
-
-All of the deployment outputs are summarized below.
-
-```Output
-serviceaccount/bookbuyer created
-service/bookbuyer created
-deployment.apps/bookbuyer created
-
-serviceaccount/bookthief created
-service/bookthief created
-deployment.apps/bookthief created
-
-service/bookstore created
-serviceaccount/bookstore created
-deployment.apps/bookstore created
-
-serviceaccount/bookwarehouse created
-service/bookwarehouse created
-deployment.apps/bookwarehouse created
-```
-
-### Update the Bookbuyer Service
-
-Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: Service
-metadata:
- name: bookbuyer
- namespace: bookbuyer
- labels:
- app: bookbuyer
-spec:
- ports:
- - port: 14001
- name: inbound-port
- selector:
- app: bookbuyer
-EOF
-```
-
-### Verify the Bookstore application running inside the AKS cluster
-
-As of now we have deployed the bookstore multi-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
-
-First let's get the bookbuyer pod's name
-
-```azurecli-interactive
-kubectl get pod -n bookbuyer
-```
-
-You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
-
-```Output
-NAME READY STATUS RESTARTS AGE
-bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
-```
-
-Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specific bookbuyer pod name.
-
-```azurecli-interactive
-kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
-```
-
-You should see output similar to this.
-
-```Output
-Forwarding from 127.0.0.1:8080 -> 14001
-Forwarding from [::1]:8080 -> 14001
-```
-
-While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
-
-![OSM bookbuyer app for App Gateway UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
-
-### Create an Azure Application Gateway to expose the bookbuyer application outside the AKS cluster
-
-> [!NOTE]
-> The following directions will create a new instance of the Azure Application Gateway to be used for ingress. If you have an existing Azure Application Gateway you wish to use, skip to the section for enabling the Application Gateway Ingress Controller add-on.
-
-#### Deploy a new Application Gateway
-
-> [!NOTE]
-> We are referencing existing documentation for enabling the Application Gateway Ingress Controller add-on for an existing AKS cluster. Some modifications have been made to suit the OSM materials. More detailed documentation on the subject can be found [here](https://docs.microsoft.com/azure/application-gateway/tutorial-ingress-controller-add-on-existing).
-
-You'll now deploy a new Application Gateway, to simulate having an existing Application Gateway that you want to use to load balance traffic to your AKS cluster, _myCluster_. The name of the Application Gateway will be _myApplicationGateway_, but you will need to first create a public IP resource, named _myPublicIp_, and a new virtual network called _myVnet_ with address space 11.0.0.0/8, and a subnet with address space 11.1.0.0/16 called _mySubnet_, and deploy your Application Gateway in _mySubnet_ using _myPublicIp_.
-
-When using an AKS cluster and Application Gateway in separate virtual networks, the address spaces of the two virtual networks must not overlap. The default address space that an AKS cluster deploys in is 10.0.0.0/8, so we set the Application Gateway virtual network address prefix to 11.0.0.0/8.
-
-```azurecli-interactive
-az group create --name myResourceGroup --location eastus2
-az network public-ip create -n myPublicIp -g MyResourceGroup --allocation-method Static --sku Standard
-az network vnet create -n myVnet -g myResourceGroup --address-prefix 11.0.0.0/8 --subnet-name mySubnet --subnet-prefix 11.1.0.0/16
-az network application-gateway create -n myApplicationGateway -l eastus2 -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet
-```
-
-> [!NOTE]
-> Application Gateway Ingress Controller (AGIC) add-on **only** supports Application Gateway v2 SKUs (Standard and WAF), and **not** the Application Gateway v1 SKUs.
-
-#### Enable the AGIC add-on for an existing AKS cluster through Azure CLI
-
-If you'd like to continue using Azure CLI, you can continue to enable the AGIC add-on in the AKS cluster you created, _myCluster_, and specify the AGIC add-on to use the existing Application Gateway you created, _myApplicationGateway_.
-
-```azurecli-interactive
-appgwId=$(az network application-gateway show -n myApplicationGateway -g myResourceGroup -o tsv --query "id")
-az aks enable-addons -n myCluster -g myResourceGroup -a ingress-appgw --appgw-id $appgwId
-```
-
-You can verify the Azure Application Gateway AKS add-on has been enabled by the following command.
-
-```azurecli-interactive
-az aks list -g osm-aks-rg -o json | jq -r .[].addonProfiles.ingressApplicationGateway.enabled
-```
-
-This command should show the output as `true`.
-
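Review bot: the verification command uses `az aks list -g osm-aks-rg`, but every other command in this section targets `myResourceGroup` (for example `az aks enable-addons -n myCluster -g myResourceGroup`). A reader following the steps as written would query a resource group the tutorial never creates. If this text is kept elsewhere, use the same resource group name, and consider `az aks show -n myCluster -g myResourceGroup` so the check is scoped to the cluster that was just modified.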
-#### Peer the two virtual networks together
-
-Since we deployed the AKS cluster in its own virtual network and the Application Gateway in another virtual network, you'll need to peer the two virtual networks together in order for traffic to flow from the Application Gateway to the pods in the cluster. Peering the two virtual networks requires running the Azure CLI command two separate times, to ensure that the connection is bi-directional. The first command will create a peering connection from the Application Gateway virtual network to the AKS virtual network; the second command will create a peering connection in the other direction.
-
-```azurecli-interactive
-nodeResourceGroup=$(az aks show -n myCluster -g myResourceGroup -o tsv --query "nodeResourceGroup")
-aksVnetName=$(az network vnet list -g $nodeResourceGroup -o tsv --query "[0].name")
-
-aksVnetId=$(az network vnet show -n $aksVnetName -g $nodeResourceGroup -o tsv --query "id")
-az network vnet peering create -n AppGWtoAKSVnetPeering -g myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access
-
-appGWVnetId=$(az network vnet show -n myVnet -g myResourceGroup -o tsv --query "id")
-az network vnet peering create -n AKStoAppGWVnetPeering -g $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access
-```
-
-### Expose the bookbuyer service to the internet
-
-Apply the following ingress manifest to the AKS cluster to expose the bookbuyer service to the internet via the Azure Application Gateway.
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: bookbuyer-ingress
- namespace: bookbuyer
- annotations:
- kubernetes.io/ingress.class: azure/application-gateway
-
-spec:
-
- rules:
- - host: bookbuyer.contoso.com
- http:
- paths:
- - path: /
- backend:
- serviceName: bookbuyer
- servicePort: 14001
-
- backend:
- serviceName: bookbuyer
- servicePort: 14001
-EOF
-```
-
-You should see the following output
-
-```Output
-Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
-ingress.extensions/bookbuyer-ingress created
-```
-
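Review bot: the manifest declares `apiVersion: extensions/v1beta1`, and the expected output shown right after it already warns that this API is "unavailable in v1.22+", while the prerequisites accept any cluster at 1.19 or later. Wherever this tutorial ends up, move the manifest to `networking.k8s.io/v1` as the warning recommends, so the step does not fail on newer clusters and the documented output no longer includes a deprecation warning.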
-Since the host name in the ingress manifest is a pseudo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the Azure Application Gateway public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
-
-```azurecli-interactive
-appGWPIP=$(az network public-ip show -g MyResourceGroup -n myPublicIp -o tsv --query "ipAddress")
-curl -H 'Host: bookbuyer.contoso.com' http://$appGWPIP/
-```
-
-You should see the following output
-
-```Output
-<!doctype html>
-<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
- <head>
- <meta content="Bookbuyer" name="description">
- <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
- <title>Bookbuyer</title>
- <style>
- #navbar {
- width: 100%;
- height: 50px;
- display: table;
- border-spacing: 0;
- white-space: nowrap;
- line-height: normal;
- background-color: #0078D4;
- background-position: left top;
- background-repeat-x: repeat;
- background-image: none;
- color: white;
- font: 2.2em "Fira Sans", sans-serif;
- }
- #main {
- padding: 10pt 10pt 10pt 10pt;
- font: 1.8em "Fira Sans", sans-serif;
- }
- li {
- padding: 10pt 10pt 10pt 10pt;
- font: 1.2em "Consolas", sans-serif;
- }
- </style>
- <script>
- setTimeout(function(){window.location.reload(1);}, 1500);
- </script>
- </head>
- <body bgcolor="#fff">
- <div id="navbar">
- &#128214; Bookbuyer
- </div>
- <div id="main">
- <ul>
- <li>Total books bought: <strong>5969</strong>
- <ul>
- <li>from bookstore V1: <strong>277</strong>
- <li>from bookstore V2: <strong>5692</strong>
- </ul>
- </li>
- </ul>
- </div>
-
- <br/><br/><br/><br/>
- <br/><br/><br/><br/>
- <br/><br/><br/><br/>
-
- Current Time: <strong>Fri, 26 Mar 2021 16:34:30 UTC</strong>
- </body>
-</html>
-```
-
-### Troubleshooting
--- [AGIC Troubleshooting Documentation](https://docs.microsoft.com/azure/application-gateway/ingress-controller-troubleshoot)-- [Additional troubleshooting tools are available on AGIC's GitHub repo](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/troubleshootings/troubleshooting-installing-a-simple-application.md)-
-## Open Service Mesh (OSM) Monitoring and Observability using Azure Monitor and Applications Insights
-
-Both Azure Monitor and Azure Application Insights helps you maximize the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
-
-The OSM AKS add-on will have deep integrations into both of these Azure services, and provide a seemless Azure experience for viewing and responding to critical KPIs provided by OSM metrics. For more information on how to enable and configure these services for the OSM AKS add-on, visit the [Azure Monitor for OSM](https://aka.ms/azmon/osmpreview) page for more information.
-
-## Tutorial: Manually deploy Prometheus, Grafana, and Jaeger to view Open Service Mesh (OSM) metrics for observability
-
-> [!WARNING]
-> The installation of Prometheus, Grafana and Jaeger are provided as general guidance to show how these tools can be utilized to view OSM metric data. The installation guidance is not to be utilized for a production setup. Please refer to each tool's documentation on how best to suit thier installations to your needs. Most notable will be the lack of persistent storage, meaning that all data is lost once a Prometheus Grafana, and/or Jaeger pod(s) are terminated.
-
-Open Service Mesh (OSM) generates detailed metrics related to all traffic within the mesh. These metrics provide insights into the behavior of applications in the mesh helping users to troubleshoot, maintain, and analyze their applications.
-
-As of today OSM collects metrics directly from the sidecar proxies (Envoy). OSM provides rich metrics for incoming and outgoing traffic for all services in the mesh. With these metrics, the user can get information about the overall volume of traffic, errors within traffic and the response time for requests.
-
-OSM uses Prometheus to gather and store consistent traffic metrics and statistics for all applications running in the mesh. Prometheus is an open-source monitoring and alerting toolkit, which is commonly used on (but not limited to) Kubernetes and Service Mesh environments.
-
-Each application that is part of the mesh runs in a Pod that contains an Envoy sidecar that exposes metrics (proxy metrics) in the Prometheus format. Furthermore, every Pod that is a part of the mesh has Prometheus annotations, which makes it possible for the Prometheus server to scrape the application dynamically. This mechanism automatically enables scraping of metrics whenever a new namespace/pod/service is added to the mesh.
-
-OSM metrics can be viewed with Grafana, which is an open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics.
-
-In this tutorial, you will:
-
-> [!div class="checklist"]
->
-> - Create and deploy a Prometheus instance
-> - Configure OSM to allow Prometheus scraping
-> - Update the Prometheus Configmap
-> - Create and deploy a Grafana instance
-> - Configure Grafana with the Prometheus datasource
-> - Import OSM dashboard for Grafana
-> - Create and deploy a Jaeger instance
-> - Configure Jaeger tracing for OSM
-
-### Deploy and configure a Prometheus instance for OSM
-
-We will use Helm to deploy the Prometheus instance. Run the following commands to install Prometheus via Helm:
-
-```azurecli-interactive
-helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
-helm repo update
-helm install stable prometheus-community/prometheus
-```
-
-You should see similar output below if the installation was successful. Make note of the Prometheus server port and cluster DNS name. This information will be used later for to configure Prometheus as a data source for Grafana.
-
-```Output
-NAME: stable
-LAST DEPLOYED: Fri Mar 26 13:34:51 2021
-NAMESPACE: default
-STATUS: deployed
-REVISION: 1
-TEST SUITE: None
-NOTES:
-The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
-stable-prometheus-server.default.svc.cluster.local
--
-Get the Prometheus server URL by running these commands in the same shell:
- export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
- kubectl --namespace default port-forward $POD_NAME 9090
--
-The Prometheus alertmanager can be accessed via port 80 on the following DNS name from within your cluster:
-stable-prometheus-alertmanager.default.svc.cluster.local
--
-Get the Alertmanager URL by running these commands in the same shell:
- export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=alertmanager" -o jsonpath="{.items[0].metadata.name}")
- kubectl --namespace default port-forward $POD_NAME 9093
-#################################################################################
-###### WARNING: Pod Security Policy has been moved to a global property. #####
-###### use .Values.podSecurityPolicy.enabled with pod-based #####
-###### annotations #####
-###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
-#################################################################################
--
-The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
-stable-prometheus-pushgateway.default.svc.cluster.local
--
-Get the PushGateway URL by running these commands in the same shell:
- export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
- kubectl --namespace default port-forward $POD_NAME 9091
-
-For more information on running Prometheus, visit:
-https://prometheus.io/
-```
-
-#### Configure OSM to allow Prometheus scraping
-
-To ensure that the OSM components are configured for Prometheus scrapes, we'll want to check the **prometheus_scraping** configuration located in the osm-config config file. View the configuration with the following command:
-
-```azurecli-interactive
-kubectl get configmap -n kube-system osm-config -o json | jq '.data.prometheus_scraping'
-```
-
-The output of the previous command should return `true` if OSM is configured for Prometheus scraping. If the returned value is `false`, we will need to update the configuration to be `true`. Run the following command to turn **on** OSM Prometheus scraping:
-
-```azurecli-interactive
-kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"prometheus_scraping":"true"}}'
-```
-
-You should see the following output.
-
-```Output
-configmap/osm-config patched
-```
-
-#### Update the Prometheus Configmap
-
-The default installation of Prometheus will contain two Kubernetes configmaps. You can view the list of Prometheus configmaps with the following command.
-
-```azurecli-interactive
-kubectl get configmap | grep prometheus
-```
-
-```Output
-stable-prometheus-alertmanager 1 4h34m
-stable-prometheus-server 5 4h34m
-```
-
-We will need to replace the prometheus.yml configuration located in the **stable-prometheus-server** configmap with the following OSM configuration. There are several file editing techniques to accomplish this task. A simple and safe way is to export the configmap, create a copy of it for backup, then edit it with an editor such as Visual Studio code.
-
-> [!NOTE]
-> If you do not have Visual Studio Code installed you can go download and install it [here](https://code.visualstudio.com/Download).
-
-Let's first export out the **stable-prometheus-server** configmap and then make a copy for backup.
-
-```azurecli-interactive
-kubectl get configmap stable-prometheus-server -o yaml > cm-stable-prometheus-server.yml
-cp cm-stable-prometheus-server.yml cm-stable-prometheus-server.yml.copy
-```
-
-Next let's open the file using Visual Studio Code to edit.
-
-```azurecli-interactive
-code cm-stable-prometheus-server.yml
-```
-
-Once you have the configmap opened in the Visual Studio Code editor, replace the prometheus.yml file with the OSM configuration below and save the file.
-
-> [!WARNING]
-> It is extremely important that you ensure you keep the indention structure of the yaml file. Any changes to the yaml file structure could result in the configmap not being able to be re-applied.
-
-```OSM Prometheus Configmap Configuration
-prometheus.yml: |
- global:
- scrape_interval: 10s
- scrape_timeout: 10s
- evaluation_interval: 1m
-
- scrape_configs:
- - job_name: 'kubernetes-apiservers'
- kubernetes_sd_configs:
- - role: endpoints
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- # TODO need to remove this when the CA and SAN match
- insecure_skip_verify: true
- bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- metric_relabel_configs:
- - source_labels: [__name__]
- regex: '(apiserver_watch_events_total|apiserver_admission_webhook_rejection_count)'
- action: keep
- relabel_configs:
- - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
- action: keep
- regex: default;kubernetes;https
-
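Review bot: the `kubernetes-apiservers` job sets `insecure_skip_verify: true` under `tls_config`, with a TODO saying it should go once the CA and SAN match. With verification off, the scrape sends the service-account bearer token from `bearer_token_file` to an endpoint whose certificate is not checked. If this config is republished, either drop the setting (the `kubernetes-nodes` job below uses the same `ca_file` without it) or state in the text why it is needed. A TODO should not ship in config that readers are told to paste.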
- - job_name: 'kubernetes-nodes'
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- kubernetes_sd_configs:
- - role: node
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - target_label: __address__
- replacement: kubernetes.default.svc:443
- - source_labels: [__meta_kubernetes_node_name]
- regex: (.+)
- target_label: __metrics_path__
- replacement: /api/v1/nodes/${1}/proxy/metrics
-
- - job_name: 'kubernetes-pods'
- kubernetes_sd_configs:
- - role: pod
- metric_relabel_configs:
- - source_labels: [__name__]
- regex: '(envoy_server_live|envoy_cluster_upstream_rq_xx|envoy_cluster_upstream_cx_active|envoy_cluster_upstream_cx_tx_bytes_total|envoy_cluster_upstream_cx_rx_bytes_total|envoy_cluster_upstream_cx_destroy_remote_with_active_rq|envoy_cluster_upstream_cx_connect_timeout|envoy_cluster_upstream_cx_destroy_local_with_active_rq|envoy_cluster_upstream_rq_pending_failure_eject|envoy_cluster_upstream_rq_pending_overflow|envoy_cluster_upstream_rq_timeout|envoy_cluster_upstream_rq_rx_reset|^osm.*)'
- action: keep
- relabel_configs:
- - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
- action: keep
- regex: true
- - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
- action: replace
- target_label: __metrics_path__
- regex: (.+)
- - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
- action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- target_label: __address__
- - source_labels: [__meta_kubernetes_namespace]
- action: replace
- target_label: source_namespace
- - source_labels: [__meta_kubernetes_pod_name]
- action: replace
- target_label: source_pod_name
- - regex: '(__meta_kubernetes_pod_label_app)'
- action: labelmap
- replacement: source_service
- - regex: '(__meta_kubernetes_pod_label_osm_envoy_uid|__meta_kubernetes_pod_label_pod_template_hash|__meta_kubernetes_pod_label_version)'
- action: drop
- # for non-ReplicaSets (DaemonSet, StatefulSet)
- # __meta_kubernetes_pod_controller_kind=DaemonSet
- # __meta_kubernetes_pod_controller_name=foo
- # =>
- # workload_kind=DaemonSet
- # workload_name=foo
- - source_labels: [__meta_kubernetes_pod_controller_kind]
- action: replace
- target_label: source_workload_kind
- - source_labels: [__meta_kubernetes_pod_controller_name]
- action: replace
- target_label: source_workload_name
- # for ReplicaSets
- # __meta_kubernetes_pod_controller_kind=ReplicaSet
- # __meta_kubernetes_pod_controller_name=foo-bar-123
- # =>
- # workload_kind=Deployment
- # workload_name=foo-bar
- # deplyment=foo
- - source_labels: [__meta_kubernetes_pod_controller_kind]
- action: replace
- regex: ^ReplicaSet$
- target_label: source_workload_kind
- replacement: Deployment
- - source_labels:
- - __meta_kubernetes_pod_controller_kind
- - __meta_kubernetes_pod_controller_name
- action: replace
- regex: ^ReplicaSet;(.*)-[^-]+$
- target_label: source_workload_name
-
- - job_name: 'smi-metrics'
- kubernetes_sd_configs:
- - role: pod
- relabel_configs:
- - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
- action: keep
- regex: true
- - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
- action: replace
- target_label: __metrics_path__
- regex: (.+)
- - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
- action: replace
- regex: ([^:]+)(?::\d+)?;(\d+)
- replacement: $1:$2
- target_label: __address__
- metric_relabel_configs:
- - source_labels: [__name__]
- regex: 'envoy_.*osm_request_(total|duration_ms_(bucket|count|sum))'
- action: keep
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_(\d{3})_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: response_code
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: source_namespace
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: source_kind
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: source_name
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: source_pod
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: destination_namespace
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_total
- target_label: destination_kind
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_total
- target_label: destination_name
- - source_labels: [__name__]
- action: replace
- regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_total
- target_label: destination_pod
- - source_labels: [__name__]
- action: replace
- regex: .*(osm_request_total)
- target_label: __name__
-
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: source_namespace
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: source_kind
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: source_name
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: source_pod
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: destination_namespace
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: destination_kind
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
- target_label: destination_name
- - source_labels: [__name__]
- action: replace
- regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_duration_ms_(bucket|sum|count)
- target_label: destination_pod
- - source_labels: [__name__]
- action: replace
- regex: .*(osm_request_duration_ms_(bucket|sum|count))
- target_label: __name__
-
- - job_name: 'kubernetes-cadvisor'
- scheme: https
- tls_config:
- ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
- kubernetes_sd_configs:
- - role: node
- metric_relabel_configs:
- - source_labels: [__name__]
- regex: '(container_cpu_usage_seconds_total|container_memory_rss)'
- action: keep
- relabel_configs:
- - action: labelmap
- regex: __meta_kubernetes_node_label_(.+)
- - target_label: __address__
- replacement: kubernetes.default.svc:443
- - source_labels: [__meta_kubernetes_node_name]
- regex: (.+)
- target_label: __metrics_path__
- replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
-```
-
-Apply the updated configmap yaml file with the following command.
-
-```azurecli-interactive
-kubectl apply -f cm-stable-prometheus-server.yml
-```
-
-```Output
-configmap/stable-prometheus-server configured
-```
-
-> [!NOTE]
-> You may receive a message about a missing kubernetes annotation needed. This can be ignored for now.
-
-#### Verify Prometheus is configured to scrape the OSM mesh and API endpoints
-
-To verify that Prometheus is correctly configured to scrape the OSM mesh and API endpoints, we will port forward to the Prometheus pod and view the target configuration. Run the following commands.
-
-```azurecli-interactive
-PROM_POD_NAME=$(kubectl get pods -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
-kubectl --namespace <promNamespace> port-forward $PROM_POD_NAME 9090
-```
-
-Open a browser up to `http://localhost:9090/targets`
-
-If you scroll down you should see all the SMI metric endpoints state being **UP** as well as other OSM metrics defined as pictured below.
-
-![OSM Prometheus Target Metrics UI image](./media/aks-osm-addon/osm-prometheus-smi-metrics-target-scrape.png)
-
-### Deploy and configure a Grafana Instance for OSM
-
-We will use Helm to deploy the Grafana instance. Run the following commands to install Grafana via Helm:
-
-```
-helm repo add grafana https://grafana.github.io/helm-charts
-helm repo update
-helm install osm-grafana grafana/grafana
-```
-
-Next we'll retrieve the default Grafana password to log into the Grafana site.
-
-```azurecli-interactive
-kubectl get secret --namespace default osm-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
-```
-
-Make note of the Grafana password.
-
-Next we will retrieve the Grafana pod to port forward to the Grafana dashboard to login.
-
-```azurecli-interactive
-GRAF_POD_NAME=$(kubectl get pods -l "app.kubernetes.io/name=grafana" -o jsonpath="{.items[0].metadata.name}")
-kubectl port-forward $GRAF_POD_NAME 3000
-```
-
-Open a browser up to `http://localhost:3000`
-
-At the login screen pictured below, enter **admin** as the username and use the Grafana password captured earlier.
-
-![OSM Grafana Login Page UI image](./media/aks-osm-addon/osm-grafana-ui-login.png)
-
-#### Configure the Grafana Prometheus data source
-
-Once you have successfully logged into Grafana, the next step is to add Prometheus as data sources for Grafana. To do so, navigate on the configuration icon on the left menu and select Data Sources as shown below.
-
-![OSM Grafana Datasources Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources.png)
-
-Click the **Add data source** button and select Prometheus under time series databases.
-
-![OSM Grafana Datasources Selection Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources-select-prometheus.png)
-
-On the **Configure your Prometheus data source below** page, enter the Kubernetes cluster FQDN for the Prometheus service for the HTTP URL setting. The default FQDN should be `stable-prometheus-server.default.svc.cluster.local`. Once you have entered that Prometheus service endpoint, scroll to the bottom of the page and select **Save & Test**. You should receive a green checkbox indicating the data source is working.
-
-#### Importing OSM Dashboards
-
-OSM Dashboards are available both through:
--- [Our repository](https://github.com/grafana/grafana), and are importable as json blobs through the web admin portal-- or [online at Grafana.com](https://grafana.com/grafana/dashboards/14145)-
-To import a dashboard, look for the `+` sign on the left menu and select `import`.
-You can directly import dashboard by their ID on `Grafana.com`. For example, our `OSM Mesh Details` dashboard uses ID `14145`, you can use the ID directly on the form and select `import`:
-
-![OSM Grafana Dashboard Import Page UI image](./media/aks-osm-addon/osm-grafana-dashboard-import.png)
-
-As soon as you select import, it will bring you automatically to your imported dashboard.
-
-![OSM Grafana Dashboard Mesh Details Page UI image](./media/aks-osm-addon/osm-grafana-mesh-dashboard-details.png)
-
-### Deploy and configure a Jaeger Operator on Kubernetes for OSM
-
-[Jaeger](https://www.jaegertracing.io/) is an open-source tracing system used for monitoring and troubleshooting distributed systems. It can be deployed with OSM as a new instance or you may bring your own instance. The following instructions deploy a new instance of Jaeger to the `jaeger` namespace on the AKS cluster.
-
-#### Deploy Jaeger to the AKS cluster
-
-Apply the following manifest to install Jaeger:
-
-```azurecli-interactive
-kubectl apply -f - <<EOF
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: jaeger
- namespace: jaeger
- labels:
- app: jaeger
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: jaeger
- template:
- metadata:
- labels:
- app: jaeger
- spec:
- containers:
- - name: jaeger
- image: jaegertracing/all-in-one
- args:
- - --collector.zipkin.host-port=9411
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9411
- resources:
- limits:
- cpu: 500m
- memory: 512M
- requests:
- cpu: 100m
- memory: 256M
-
-kind: Service
-apiVersion: v1
-metadata:
- name: jaeger
- namespace: jaeger
- labels:
- app: jaeger
-spec:
- selector:
- app: jaeger
- ports:
- - protocol: TCP
- # Service port and target port are the same
- port: 9411
- type: ClusterIP
-EOF
-```
-
-```Output
-deployment.apps/jaeger created
-service/jaeger created
-```
-
-#### Enable Tracing for the OSM add-on
-
-Next we will need to enable tracing for the OSM add-on.
-
-> [!NOTE]
-> As of now the tracing properties are not visable in the osm-config configmap at this time. This will be made visable in a new release of the OSM AKS add-on.
-
-Run the following command to enable tracing for the OSM add-on:
-
-```azurecli-interactive
-kubectl patch configmap osm-config -n kube-system -p '{"data":{"tracing_enable":"true", "tracing_address":"jaeger.jaeger.svc.cluster.local", "tracing_port":"9411", "tracing_endpoint":"/api/v2/spans"}}' --type=merge
-```
-
-```Output
-configmap/osm-config patched
-```
-
-#### View the Jaeger UI with port forwarding
-
-Jaeger's UI is running on port 16686. To view the web UI, you can use kubectl port-forward:
-
-```azurecli-interactive
-JAEGER_POD=$(kubectl get pods -n jaeger --no-headers --selector app=jaeger | awk 'NR==1{print $1}')
-kubectl port-forward -n jaeger $JAEGER_POD 16686:16686
-http://localhost:16686/
-```
-
-In the browser, you should see a Service dropdown, which allows you to select from the various applications deployed by the bookstore demo. Select a service to view all spans from it. For example, if you select bookbuyer with a Lookback of one hour, you can see its interactions with bookstore-v1 and bookstore-v2 sorted by time.
-
-![OSM Jaeger Tracing Page UI image](./media/aks-osm-addon/osm-jaeger-trace-view-ui.png)
-
-Select any item to view it in further detail. Select multiple items to compare traces. For example, you can compare the bookbuyer's interactions with bookstore and bookstore-v2 at a particular moment in time.
-
-You can also select the System Architecture tab to view a graph of how the various applications have been interacting/communicating. This provides an idea of how traffic is flowing between the applications.
-
-![OSM Jaeger System Architecture UI image](./media/aks-osm-addon/osm-jaeger-sys-arc-view-ui.png)
-
-## Open Service Mesh (OSM) AKS add-on Troubleshooting Guides
-
-When you deploy the OSM AKS add-on, you might occasionally experience a problem. The following guides will assist you on how to troubleshoot errors and resolve common problems.
-
-### Verifying and Troubleshooting OSM components
-
-#### Check OSM Controller Deployment
-
-```azurecli-interactive
-kubectl get deployment -n kube-system --selector app=osm-controller
-```
-
-A healthy OSM Controller would look like this:
-
-```Output
-NAME READY UP-TO-DATE AVAILABLE AGE
-osm-controller 1/1 1 1 59m
-```
-
-#### Check the OSM Controller Pod
-
-```azurecli-interactive
-kubectl get pods -n kube-system --selector app=osm-controller
-```
-
-A healthy OSM Pod would look like this:
-
-```Output
-NAME READY STATUS RESTARTS AGE
-osm-controller-b5bd66db-wglzl 0/1 Evicted 0 61m
-osm-controller-b5bd66db-wvl9w 1/1 Running 0 31m
-```
-
-Even though we had one controller evicted at some point, we have another one that is READY 1/1 and Running with 0 restarts. If the column READY is anything other than 1/1 the service mesh would be in a broken state.
-Column READY with 0/1 indicates the control plane container is crashing - we need to get logs. See Get OSM Controller Logs from Azure Support Center section below. Column READY with a number higher than 1 after the / would indicate that there are sidecars installed. OSM Controller would most likely not work with any sidecars attached to it.
-
-> [!NOTE]
-> As of version v0.8.2 the OSM Controller is not in HA mode and will run in a deployed with replica count of 1 - single pod. The pod does have health probes and will be restarted by the kubelet if needed.
-
-#### Check OSM Controller Service
-
-```azurecli-interactive
-kubectl get service -n kube-system osm-controller
-```
-
-A healthy OSM Controller service would look like this:
-
-```Output
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-osm-controller ClusterIP 10.0.31.254 <none> 15128/TCP,9092/TCP 67m
-```
-
-> [!NOTE]
-> The CLUSTER-IP would be different. The service NAME and PORT(S) must be the same as the example above.
-
-#### Check OSM Controller Endpoints
-
-```azurecli-interactive
-kubectl get endpoints -n kube-system osm-controller
-```
-
-A healthy OSM Controller endpoint(s) would look like this:
-
-```Output
-NAME ENDPOINTS AGE
-osm-controller 10.240.1.115:9092,10.240.1.115:15128 69m
-```
-
-#### Check OSM Injector Deployment
-
-```azurecli-interactive
-kubectl get pod -n kube-system --selector app=osm-injector
-```
-
-A healthy OSM Injector deployment would look like this:
-
-```Output
-NAME READY STATUS RESTARTS AGE
-osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
-```
-
-#### Check OSM Injector Pod
-
-```azurecli-interactive
-kubectl get pod -n kube-system --selector app=osm-injector
-```
-
-A healthy OSM Injector pod would look like this:
-
-```Output
-NAME READY STATUS RESTARTS AGE
-osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
-```
-
-#### Check OSM Injector Service
-
-```azurecli-interactive
-kubectl get service -n kube-system osm-injector
-```
-
-A healthy OSM Injector service would look like this:
-
-```Output
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-osm-injector ClusterIP 10.0.39.54 <none> 9090/TCP 75m
-```
-
-#### Check OSM Endpoints
-
-```azurecli-interactive
-kubectl get endpoints -n kube-system osm-injector
-```
-
-A healthy OSM endpoint would look like this:
-
-```Output
-NAME ENDPOINTS AGE
-osm-injector 10.240.1.172:9090 75m
-```
-
-#### Check Validating and Mutating webhooks
-
-```azurecli-interactive
-kubectl get ValidatingWebhookConfiguration --selector app=osm-controller
-```
-
-A healthy OSM Validating Webhook would look like this:
-
-```Output
-NAME WEBHOOKS AGE
-aks-osm-webhook-osm 1 81m
-```
-
-```azurecli-interactive
-kubectl get MutatingWebhookConfiguration --selector app=osm-injector
-```
-
-A healthy OSM Mutating Webhook would look like this:
-
-```Output
-NAME WEBHOOKS AGE
-aks-osm-webhook-osm 1 102m
-```
-
-#### Check for the service and the CA bundle of the Validating webhook
-
-```azurecli-interactive
-kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
-```
-
-A well configured Validating Webhook Configuration would look exactly like this:
-
-```json
-{
- "name": "osm-config-validator",
- "namespace": "kube-system",
- "path": "/validate-webhook",
- "port": 9093
-}
-```
-
-#### Check for the service and the CA bundle of the Mutating webhook
-
-```azurecli-interactive
-kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
-```
-
-A well configured Mutating Webhook Configuration would look exactly like this:
-
-```json
-{
- "name": "osm-injector",
- "namespace": "kube-system",
- "path": "/mutate-pod-creation",
- "port": 9090
-}
-```
-
-#### Check whether OSM Controller has given the Validating (or Mutating) Webhook a CA Bundle
-
-> [!NOTE]
-> As of v0.8.2 It is important to know that AKS RP installs the Validating Webhook, AKS Reconciler ensures it exists, but OSM Controller is the one that fills the CA Bundle.
-
-```azurecli-interactive
-kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
-```
-
-```azurecli-interactive
-kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
-```
-
-```Example Output
-1845
-```
-
-This number indicates the number of bytes, or the size of the CA Bundle. If this is empty, 0, or some number under 1000 it would indicate that the CA Bundle is not correctly provisioned. Without a correct CA Bundle, the Validating Webhook would be erroring out and prohibiting the user from making changes to the osm-config ConfigMap in the kube-system namespace.
-
-A sample error when the CA Bundle is incorrect:
--- An attempt to change the osm-config ConfigMap:-
-```azurecli-interactive
-kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"2m"}}'
-```
--- Error:-
-```
-Error from server (InternalError): Internal error occurred: failed calling webhook "osm-config-webhook.k8s.io": Post https://osm-config-validator.kube-system.svc:9093/validate-webhook?timeout=30s: x509: certificate signed by unknown authority
-```
-
-Work around for when the **Validating** Webhook Configuration has a bad certificate:
--- Option 1 - Restart OSM Controller - this will restart the OSM Controller. On start, it will overwrite the CA Bundle of both the Mutating and Validating webhooks.-
-```azurecli-interactive
-kubectl rollout restart deployment -n kube-system osm-controller
-```
--- Option 2 - Option 2. Delete the Validating Webhook - removing the Validating Webhook makes mutations of the `osm-config` ConfigMap no longer validated. Any patch will go through. The AKS Reconciler will at some point ensure the Validating Webhook exists and will recreate it. The OSM Controller may have to be restarted to quickly rewrite the CA Bundle.-
-```azurecli-interactive
-kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm
-```
--- Option 3 - Delete and Patch: The following command will delete the validating webhook, allowing us to add any values, and will immediately try to apply a patch. Most likely the AKS Reconciler will not have enough time to reconcile and restore the Validating Webhook giving us the opportunity to apply a change as a last resort:-
-```azurecli-interactive
-kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm; kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"15s"}}'
-```
-
-#### Check the `osm-config` **ConfigMap**
-
-> [!NOTE]
-> The OSM Controller does not require for the `osm-config` ConfigMap to be present in the kube-system namespace. The controller has reasonable default values for the config and can operate without it.
-
-Check for the existence:
-
-```azurecli-interactive
-kubectl get ConfigMap -n kube-system osm-config
-```
-
-Check the content of the osm-config ConfigMap
-
-```azurecli-interactive
-kubectl get ConfigMap -n kube-system osm-config -o json | jq '.data'
-```
-
-```json
-{
- "egress": "true",
- "enable_debug_server": "true",
- "enable_privileged_init_container": "false",
- "envoy_log_level": "error",
- "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.20.233",
- "permissive_traffic_policy_mode": "true",
- "prometheus_scraping": "false",
- "service_cert_validity_duration": "24h",
- "use_https_ingress": "false"
-}
-```
-
-`osm-config` ConfigMap values:
-
-| Key | Type | Allowed Values | Default Value | Function |
-| -- | | - | -- | |
-| egress | bool | true, false | `"false"` | Enables egress in the mesh. |
-| enable_debug_server | bool | true, false | `"true"` | Enables a debug endpoint on the osm-controller pod to list information regarding the mesh such as proxy connections, certificates, and SMI policies. |
-| enable_privileged_init_container | bool | true, false | `"false"` | Enables privileged init containers for pods in mesh. When false, init containers only have NET_ADMIN. |
-| envoy_log_level | string | trace, debug, info, warning, warn, error, critical, off | `"error"` | Sets the logging verbosity of Envoy proxy sidecar, only applicable to newly created pods joining the mesh. To update the log level for existing pods, restart the deployment with `kubectl rollout restart`. |
-| outbound_ip_range_exclusion_list | string | comma-separated list of IP ranges of the form a.b.c.d/x | `-` | Global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy. |
-| permissive_traffic_policy_mode | bool | true, false | `"false"` | Setting to `true`, enables allow-all mode in the mesh i.e. no traffic policy enforcement in the mesh. If set to `false`, enables deny-all traffic policy in mesh i.e. an `SMI Traffic Target` is necessary for services to communicate. |
-| prometheus_scraping | bool | true, false | `"true"` | Enables Prometheus metrics scraping on sidecar proxies. |
-| service_cert_validity_duration | string | 24h, 1h30m (any time duration) | `"24h"` | Sets the service certificate validity duration, represented as a sequence of decimal numbers each with optional fraction and a unit suffix. |
-| tracing_enable | bool | true, false | `"false"` | Enables Jaeger tracing for the mesh. |
-| tracing_address | string | jaeger.mesh-namespace.svc.cluster.local | `jaeger.kube-system.svc.cluster.local` | Address of the Jaeger deployment, if tracing is enabled. |
-| tracing_endpoint | string | /api/v2/spans | /api/v2/spans | Endpoint for tracing data, if tracing enabled. |
-| tracing_port | int | any non-zero integer value | `"9411"` | Port on which tracing is enabled. |
-| use_https_ingress | bool | true, false | `"false"` | Enables HTTPS ingress on the mesh. |
-| config_resync_interval | string | under 1 minute disables this | 0 (disabled) | When a value above 1m (60s) is provided, OSM Controller will send all available config to each connected Envoy at the given interval |
-
-#### Check Namespaces
-
-> [!NOTE]
-> The kube-system namespace will never participate in a service mesh and will never be labeled and/or annotated with the key/values below.
-
-We use the `osm namespace add` command to join namespaces to a given service mesh.
-When a k8s namespace is part of the mesh (or for it to be part of the mesh) the following must be true:
-
-View the annotations with
-
-```azurecli-interactive
-kubectl get namespace bookbuyer -o json | jq '.metadata.annotations'
-```
-
-The following annotation must be present:
-
-```Output
-{
- "openservicemesh.io/sidecar-injection": "enabled"
-}
-```
-
-View the labels with
-
-```azurecli-interactive
-kubectl get namespace bookbuyer -o json | jq '.metadata.labels'
-```
-
-The following label must be present:
-
-```Output
-{
- "openservicemesh.io/monitored-by": "osm"
-}
-```
-
-If a namespace is not annotated with `"openservicemesh.io/sidecar-injection": "enabled"` or not labeled with `"openservicemesh.io/monitored-by": "osm"` the OSM Injector will not add Envoy sidecars.
-
-> Note: After `osm namespace add` is called only **new** pods will be injected with an Envoy sidecar. Existing pods must be restarted with `kubectl rollout restart deployment ...`
-
-#### Verify the SMI CRDs:
-
-Check whether the cluster has the required CRDs:
-
-```azurecli-interactive
-kubectl get crds
-```
-
-We must have the following installed on the cluster:
--- httproutegroups.specs.smi-spec.io-- tcproutes.specs.smi-spec.io-- trafficsplits.split.smi-spec.io-- traffictargets.access.smi-spec.io-- udproutes.specs.smi-spec.io-
-Get the versions of the CRDs installed with this command:
-
-```azurecli-interactive
-for x in $(kubectl get crds --no-headers | awk '{print $1}' | grep 'smi-spec.io'); do
- kubectl get crd $x -o json | jq -r '(.metadata.name, "-" , .spec.versions[].name, "\n")'
-done
-```
-
-Expected output:
-
-```Output
-httproutegroups.specs.smi-spec.io
--
-v1alpha4
-v1alpha3
-v1alpha2
-v1alpha1
--
-tcproutes.specs.smi-spec.io
--
-v1alpha4
-v1alpha3
-v1alpha2
-v1alpha1
--
-trafficsplits.split.smi-spec.io
--
-v1alpha2
--
-traffictargets.access.smi-spec.io
--
-v1alpha3
-v1alpha2
-v1alpha1
--
-udproutes.specs.smi-spec.io
--
-v1alpha4
-v1alpha3
-v1alpha2
-v1alpha1
-```
-
-OSM Controller v0.8.2 requires the following versions:
--- traffictargets.access.smi-spec.io - [v1alpha3](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-access/v1alpha3/traffic-access.md)-- httproutegroups.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#httproutegroup)-- tcproutes.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#tcproute)-- udproutes.specs.smi-spec.io - Not supported-- trafficsplits.split.smi-spec.io - [v1alpha2](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-split/v1alpha2/traffic-split.md)-- \*.metrics.smi-spec.io - [v1alpha1](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-metrics/v1alpha1/traffic-metrics.md)-
-If CRDs are missing use the following commands to install these on the cluster:
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/access.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/specs.yaml
-```
-
-```azurecli-interactive
-kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/split.yaml
-```
-
-## Disable Open Service Mesh (OSM) add-on for your AKS cluster
-
-To disable the OSM add-on, run the following command:
-
-```azurecli-interactive
-az aks disable-addons -n <AKS-cluster-name> -g <AKS-resource-group-name> -a open-service-mesh
-```
-
-<!-- LINKS - internal -->
-
-[kubernetes-service]: concepts-network.md#services
-[az-feature-register]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_register
-[az-feature-list]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_list
-[az-provider-register]: /cli/azure/provider?view=azure-cli-latest&preserve-view=true#az_provider_register
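Review bot: the removed troubleshooting guide takes the webhook CA bundle workarounds with it (Options 1 to 3 under "Check whether OSM Controller has given the Validating (or Mutating) Webhook a CA Bundle"), and nothing in the visible added lines replaces or links to them. If this text is moving to another article, link to it from the new page and fix three things in the destination that the removed lines carry. First, Options 2 and 3 run `kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm`, after which, in the page's own words, "Any patch will go through", so the text should steer readers to Option 1 first and tell them to confirm the webhook exists again afterwards. Second, the sample introduced by "A healthy OSM Pod would look like this" includes a pod in `Evicted` state at `0/1`. Third, the Jaeger manifest uses `image: jaegertracing/all-in-one` with no tag, so the deployed version is not reproducible.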
+
+ Title: Open Service Mesh (Preview)
+description: Open Service Mesh (OSM) in Azure Kubernetes Service (AKS)
++ Last updated : 3/12/2021++
+zone_pivot_groups: client-operating-system
++
+# Open Service Mesh AKS add-on (Preview)
+
+## Overview
+
+[Open Service Mesh (OSM)](https://docs.openservicemesh.io/) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI](https://smi-spec.io/) APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.
++
+## Capabilities and Features
+
+OSM provides the following set of capabilities and features to provide a cloud native service mesh for your Azure Kubernetes Service (AKS) clusters:
+
+- Secure service to service communication by enabling mTLS
+
+- Easily onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy
+
+- Easily and transparent configurations for traffic shifting on deployments
+
+- Ability to define and execute fine grained access control policies for services
+
+- Observability and insights into application metrics for debugging and monitoring services
+
+- Integration with external certificate management services/solutions with a pluggable interface
+
+## Scenarios
+
+OSM can assist your AKS deployments with the following scenarios:
+
+- Provide encrypted communications between service endpoints deployed in the cluster
+
+- Traffic authorization of both HTTP/HTTPS and TCP traffic in the mesh
+
+- Configuration of weighted traffic controls between two or more services for A/B or canary deployments
+
+- Collection and viewing of KPIs from application traffic
+
+## OSM Service Quotas and Limits (Preview)
+
+OSM preview limitations for service quotas and limits can be found on the AKS [Quotas and regional limits page](https://docs.microsoft.com/azure/aks/quotas-skus-regions).
++++++++++
+> [!WARNING]
+> Do not attempt to install OSM from the binary using `osm install`. This will result in a installation of OSM that is not integrated as an add-on for AKS.
+
+### Register the `AKS-OpenServiceMesh` preview feature
+
+To create an AKS cluster that can use the Open Service Mesh add-on, you must enable the `AKS-OpenServiceMesh` feature flag on your subscription.
+
+Register the `AKS-OpenServiceMesh` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "AKS-OpenServiceMesh"
+```
+
+It takes a few minutes for the status to show _Registered_. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-OpenServiceMesh')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the _Microsoft.ContainerService_ resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
++
+## Install Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for a new AKS cluster
+
+For a new AKS cluster deployment scenario, you will start with a brand new deployment of an AKS cluster enabling the OSM add-on at the cluster create operation.
+
+### Create a resource group
+
+In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named _myOsmAksGroup_ in the _eastus2_ location (region):
+
+```azurecli-interactive
+az group create --name <myosmaksgroup> --location <eastus2>
+```
+
+### Deploy an AKS cluster with the OSM add-on enabled
+
+You'll now deploy a new AKS cluster with the OSM add-on enabled.
+
+> [!NOTE]
+> Please be aware the following AKS deployment command utilizes OS ephemeral disks. You can find more information here about [Ephemeral OS disks for AKS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os)
+
+```azurecli-interactive
+az aks create -n osm-addon-cluster -g <myosmaksgroup> --kubernetes-version 1.19.6 --node-osdisk-type Ephemeral --node-osdisk-size 30 --network-plugin azure --enable-managed-identity -a open-service-mesh
+```
+
+#### Get AKS Cluster Access Credentials
+
+Get access credentials for the new managed Kubernetes cluster.
+
+```azurecli-interactive
+az aks get-credentials -n <myosmakscluster> -g <myosmaksgroup>
+```
+
+## Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster
+
+For an existing AKS cluster scenario, you will enable the OSM add-on to an existing AKS cluster that has already been deployed.
+
+### Enable the OSM add-on to existing AKS cluster
+
+To enable the AKS OSM add-on, you will need to run the `az aks enable-addons --addons` command passing the parameter `open-service-mesh`
+
+```azurecli-interactive
+az aks enable-addons --addons open-service-mesh -g <resource group name> -n <AKS cluster name>
+```
+
+You should see output similar to the output shown below to confirm the AKS OSM add-on has been installed.
+
+```json
+{- Finished ..
+ "aadProfile": null,
+ "addonProfiles": {
+ "KubeDashboard": {
+ "config": null,
+ "enabled": false,
+ "identity": null
+ },
+ "openServiceMesh": {
+ "config": {},
+ "enabled": true,
+ "identity": {
+...
+```
+
+## Validate the AKS OSM add-on installation
+
+There are several commands to run to check all of the components of the AKS OSM add-on are enabled and running:
+
+First we can query the add-on profiles of the cluster to check the enabled state of the add-ons installed. The following command should return "true".
+
+```azurecli-interactive
+az aks list -g <resource group name> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'
+```
+
+The following `kubectl` commands will report the status of the osm-controller.
+
+```azurecli-interactive
+kubectl get deployments -n kube-system --selector app=osm-controller
+kubectl get pods -n kube-system --selector app=osm-controller
+kubectl get services -n kube-system --selector app=osm-controller
+```
+
+## Accessing the AKS OSM add-on
+
+Currently you can access and configure the OSM controller configuration via the configmap. To view the OSM controller configuration settings, query the osm-config configmap via `kubectl` to view its configuration settings.
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output of the OSM configmap should look like the following:
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254/32,168.63.129.16/32,<YOUR_API_SERVER_PUBLIC_IP>/32",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+> [!WARNING]
+> Before proceeding please verify that your permissive traffic policy mode is set to true, if not please change it to **true** using the command below
+
+```OSM Permissive Mode to True
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"true"}}'
+```
+
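Review bot: The warning above the `kubectl patch ConfigMap ... "permissive_traffic_policy_mode":"true"` command tells readers to switch permissive mode on without stating the consequence that the preceding paragraph describes: SMI traffic policy enforcement is bypassed and every sidecar is programmed to reach the discovered services. Say that this setting is for the walkthrough only and link to the later section that sets it back to `false`. The sample configmap output also shows `"enable_debug_server": "true"` with no comment on whether that is intended outside a demo. The fence opener `OSM Permissive Mode to True` is a caption rather than a language tag; use `azurecli-interactive` as the other command blocks do.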
+## Deploy a new application to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
+
+### Before you begin
+
+The steps detailed in this walkthrough assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### Create namespaces for the application
+
+In this walkthrough, we will be using the OSM bookstore application that has the following Kubernetes
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
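Review bot: The sentence introducing the component list is cut off at "has the following Kubernetes" and never names what the four items are (the next step creates a namespace for each, so "namespaces" or "services" is presumably meant). In the prerequisites above it, the parenthesis opened at "(If you need help with any of these items" is never closed, "`1.19+` and above" states the same bound twice, and `apt-get install jq` is a command rather than a resource; list "jq" and show the install command separately. The same prerequisite block is repeated in two later "Before you begin" sections and needs the same fixes there.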
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Checkpoint: What got installed?
+
+The example Bookstore application is a multi-tiered app that consists of four services, being the bookbuyer, bookthief, bookstore, and bookwarehouse. Both the bookbuyer and bookthief service communicate to the bookstore service to retrieve books from the bookstore service. The bookstore service retrieves books out of the bookwarehouse service to supply the bookbuyer and bookthief. This is a simple multi-tiered application that works well in showing how a service mesh can be used to protect and authorize communications between the applications services. As we continue through the walkthrough, we will be enabling and disabling Service Mesh Interface (SMI) policies to both allow and disallow the services to communicate via OSM. Below is an architecture diagram of what got installed for the bookstore application.
+
+![OSM bookbuyer app architecture](./media/aks-osm-addon/osm-bookstore-app-arch.png)
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later tutorials will assist you in exposing the application outside the cluster via an ingress controller. For now we will be utilizing port forwarding to access the bookbuyer application inside the AKS cluster to verify it is buying books from the bookstore service.
+
+To verify that the application is running inside the cluster, we will use a port forward to view both the bookbuyer and bookthief components UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
+
+> [!NOTE]
+> For all port forwarding commands it is best to use an additional terminal so that you can continue to work through this walkthrough and not disconnect the tunnel. It is also best that you establish the port forward tunnel outside of the Azure Cloud Shell.
+
+```Bash
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app UI image](./media/aks-osm-addon/osm-bookbuyer-service-ui.png)
+
+You will also notice that the total books bought number continues to increment to the bookstore v1 service. The bookstore v2 service has not been deployed yet. We will deploy the bookstore v2 service when we demonstrate the SMI traffic split policies.
+
+You can also check the same for the bookthief service.
+
+```azurecli-interactive
+kubectl get pod -n bookthief
+```
+
+You should see output similar to the following. Your bookthief pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookthief-59549fb69c-cr8vl 2/2 Running 0 15m54s
+```
+
+Port forward to bookthief pod.
+
+```Bash
+kubectl port-forward bookthief-59549fb69c-cr8vl -n bookthief 8080:14001
+```
+
+Navigate to the following url from a browser `http://localhost:8080`. You should see the bookthief is currently stealing books from the bookstore service! Later on we will implement a traffic policy to stop the bookthief.
+
+![OSM bookthief app UI image](./media/aks-osm-addon/osm-bookthief-service-ui.png)
+
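Review bot: Both port-forward commands bind local port 8080 (`8080:14001` for bookbuyer and again for bookthief), while the note above advises keeping the tunnel open in a separate terminal; a reader who follows that advice cannot start the second forward because the port is already in use. Use a different local port for bookthief and update the URL in the sentence that follows, or tell the reader to stop the first tunnel. "mulit-container" in the opening paragraph of this section should be "multi-container".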
+### Disable OSM Permissive Traffic Mode for the mesh
+
+As mentioned earlier when viewing the OSM cluster configuration, the OSM configuration defaults to enabling permissive traffic mode policy. In this mode traffic policy enforcement is bypassed and OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+We will now disable the permissive traffic mode policy and OSM will need explicit [SMI](https://smi-spec.io/) policies deployed to the cluster to allow communications in the mesh from each service. To disable permissive traffic mode, run the following command to update the configmap property changing the value from `true` to `false`.
+
+```azurecli-interactive
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"permissive_traffic_policy_mode":"false"}}'
+```
+
+You should see output similar to the following. Your bookthief pod will have a unique name appended.
+
+```Output
+configmap/osm-config patched
+```
+
+To verify permissive traffic mode has been disabled, port forward back into either the bookbuyer or bookthief pod to view their UI in the browser and see if the books bought or books stolen is no longer incrementing. Ensure to refresh the browser. If the incrementing has stopped, the policy was applied correctly. You have successfully stopped the bookthief from stealing books, but neither the bookbuyer can purchase from the bookstore nor the bookstore can retrieve books from the bookwarehouse. Next we will implement [SMI](https://smi-spec.io/) policies to allow only the services in the mesh you'd like to communicate to do so.
+
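Review bot: The sentence before the `configmap/osm-config patched` output is pasted from the pod listing steps: "Your bookthief pod will have a unique name appended" has nothing to do with a configmap patch and should be removed. The verification that follows relies only on watching a browser counter stop; also have the reader rerun the `kubectl get configmap -n kube-system osm-config -o json | jq '.data'` query from earlier and confirm `"permissive_traffic_policy_mode": "false"`, which checks the setting directly. "neither the bookbuyer can purchase from the bookstore nor the bookstore can retrieve" reads more cleanly as "the bookbuyer can no longer purchase from the bookstore, and the bookstore can no longer retrieve".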
+### Apply Service Mesh Interface (SMI) traffic access policies
+
+Now that we have disabled all communications in the mesh, let's allow our bookbuyer service to communicate to our bookstore service for purchasing books, and allow our bookstore service to communicate to our bookwarehouse service to retrieving books to sell.
+
+Deploy the following [SMI](https://smi-spec.io/) policies.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+
+kind: TrafficTarget
+apiVersion: access.smi-spec.io/v1alpha3
+metadata:
+ name: bookstore-access-bookwarehouse
+ namespace: bookwarehouse
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookwarehouse
+ namespace: bookwarehouse
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookwarehouse-service-routes
+ matches:
+ - restock-books
+ sources:
+ - kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ - kind: ServiceAccount
+ name: bookstore-v2
+ namespace: bookstore
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookwarehouse-service-routes
+ namespace: bookwarehouse
+spec:
+ matches:
+ - name: restock-books
+ methods:
+ - POST
+ headers:
+ - host: bookwarehouse.bookwarehouse
+EOF
+```
+
+You should see output similar to the following.
+
+```Output
+traffictarget.access.smi-spec.io/bookbuyer-access-bookstore-v1 created
+httproutegroup.specs.smi-spec.io/bookstore-service-routes created
+traffictarget.access.smi-spec.io/bookstore-access-bookwarehouse created
+httproutegroup.specs.smi-spec.io/bookwarehouse-service-routes created
+```
+
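Review bot: The heredoc as shown holds four Kubernetes documents with no `---` separator between them, so `apiVersion`, `kind`, `metadata` and `spec` repeat as top-level keys of a single YAML document and the command will not yield the four resources listed in the output; add `---` before each document. The output also reports `traffictarget.access.smi-spec.io/bookbuyer-access-bookstore-v1 created` while the manifest names the resource `bookbuyer-access-bookstore`. On the policy itself, the `bookstore-access-bookwarehouse` target already lists `bookstore-v2` as a source although that service account is only created in the traffic split section, and the `update-books-bought` route is defined but not referenced by any TrafficTarget; state whether both are intentional, since readers will copy these as a model for least-privilege rules.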
+You can now set up a port forwarding session on either the bookbuyer or bookstore pods and see that both the books bought and books sold metrics are back incrementing. You can also do the same for the bookthief pod to verify it is still no longer able to steal books.
+
+### Apply Service Mesh Interface (SMI) traffic split policies
+
+For our final demonstration, we will create an [SMI](https://smi-spec.io/) traffic split policy to configure the weight of communications from one service to multiple services as a backend. The traffic split functionality allows you to progressively move connections to one service over to another by weighting the traffic on a scale of 0 to 100.
+
+The below graphic is a diagram of the [SMI](https://smi-spec.io/) Traffic Split policy to be deployed. We will deploy an additional Bookstore version 2 and then split the incoming traffic from the bookbuyer, weighting 25% of the traffic to the bookstore v1 service and 75% to the bookstore v2 service.
+
+![OSM bookbuyer traffic split diagram](./media/aks-osm-addon/osm-bookbuyer-traffic-split-diagram.png)
+
+Deploy the bookstore v2 service.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+ labels:
+ app: bookstore-v2
+spec:
+ ports:
+ - port: 14001
+ name: bookstore-port
+ selector:
+ app: bookstore-v2
+
+# Deploy bookstore-v2 Service Account
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+
+# Deploy bookstore-v2 Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bookstore-v2
+ namespace: bookstore
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bookstore-v2
+ template:
+ metadata:
+ labels:
+ app: bookstore-v2
+ spec:
+ serviceAccountName: bookstore-v2
+ containers:
+ - name: bookstore
+ image: openservicemesh/bookstore:v0.8.0
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 14001
+ name: web
+ command: ["/bookstore"]
+ args: ["--path", "./", "--port", "14001"]
+ env:
+ - name: BOOKWAREHOUSE_NAMESPACE
+ value: bookwarehouse
+ - name: IDENTITY
+ value: bookstore-v2
+
+kind: TrafficTarget
+apiVersion: access.smi-spec.io/v1alpha3
+metadata:
+ name: bookbuyer-access-bookstore-v2
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore-v2
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+EOF
+```
+
+You should see the following output.
+
+```Output
+service/bookstore-v2 configured
+serviceaccount/bookstore-v2 created
+deployment.apps/bookstore-v2 created
+traffictarget.access.smi-spec.io/bookstore-v2 created
+```
+
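Review bot: The expected output does not match the manifest above it: it lists `traffictarget.access.smi-spec.io/bookstore-v2 created`, but the TrafficTarget is named `bookbuyer-access-bookstore-v2`, and `service/bookstore-v2 configured` implies the Service already existed although this is the first step that defines it. Regenerate the output from a clean run. The four documents in this heredoc also have no `---` separators; the `# Deploy bookstore-v2 ...` comment lines do not split YAML documents.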
+Now deploy the traffic split policy to split the bookbuyer traffic between the two bookstore v1 and v2 service.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: split.smi-spec.io/v1alpha2
+kind: TrafficSplit
+metadata:
+ name: bookstore-split
+ namespace: bookstore
+spec:
+ service: bookstore.bookstore
+ backends:
+ - service: bookstore
+ weight: 25
+ - service: bookstore-v2
+ weight: 75
+EOF
+```
+
+You should see the following output.
+
+```Output
+trafficsplit.split.smi-spec.io/bookstore-split created
+```
+
+Set up a port forward tunnel to the bookbuyer pod and you should now see books being purchased from the bookstore v2 service. If you continue to watch the increment of purchases you should notice a faster increment of purchases happening through the bookstore v2 service.
+
+![OSM bookbuyer books boough UI](./media/aks-osm-addon/osm-bookbuyer-traffic-split-ui.png)
+
+## Manage existing deployed applications to be managed by the Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on
+
+### Before you begin
+
+The steps detailed in this walkthrough assume that you have previously enabled the OSM AKS add-on for your AKS cluster. If not, review the section [Enable Open Service Mesh (OSM) Azure Kubernetes Service (AKS) add-on for an existing AKS cluster](#enable-open-service-mesh-osm-azure-kubernetes-service-aks-add-on-for-an-existing-aks-cluster) before proceeding. Also, your AKS cluster needs to be version Kubernetes `1.19+` and above, have Kubernetes RBAC enabled, and have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### Verify the Open Service Mesh (OSM) Permissive Traffic Mode Policy
+
+The OSM Permissive Traffic Policy mode is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+To verify the current permissive traffic mode of OSM for your cluster, run the following command:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output of the OSM configmap should look like the following:
+
+```Output
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "envoy_log_level": "error",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+If the **permissive_traffic_policy_mode** is configured to **true**, you can safely onboard your namespaces without any disruption to your service-to-service communications. If the **permissive_traffic_policy_mode** is configured to **false**, You will need to ensure you have the correct [SMI](https://smi-spec.io/) traffic access policy manifests deployed as well as ensuring you have a service account representing each service deployed in the namespace. Please follow the guidance for [Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False](#onboard-existing-deployed-applications-with-open-service-mesh-osm-permissive-traffic-policy-configured-as-false)
+
+### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as True
+
+The first thing we'll do is add the deployed application namespace(s) to OSM to manage.
+
+```azurecli-interactive
+osm namespace add bookstore
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+```
+
+Next we will take a look at the current pod deployment in the namespace. Run the following command to view the pods in the designated namespace.
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see the following similar output:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-78666dcff8-wh6wl 1/1 Running 0 43s
+```
+
+Notice the **READY** column showing **1/1**, meaning that the application pod has only one container. Next we will need to restart your application deployments so that OSM can inject the Envoy sidecar proxy container with your application pod. Let's get a list of deployments in the namespace.
+
+```azurecli-interactive
+kubectl get deployment -n bookbuyer
+```
+
+You should see the following output:
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+bookbuyer 1/1 1 1 23h
+```
+
+Now we will restart the deployment to inject the Envoy sidecar proxy container with your application pod. Run the following command.
+
+```azurecli-interactive
+kubectl rollout restart deployment bookbuyer -n bookbuyer
+```
+
+You should see the following output:
+
+```Output
+deployment.apps/bookbuyer restarted
+```
+
+If we take a look at the pods in the namespace again:
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You will now notice that the **READY** column is now showing **2/2** containers being ready for your pod. The second container is the Envoy sidecar proxy.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-84446dd5bd-j4tlr 2/2 Running 0 3m30s
+```
+
+We can further inspect the pod to view the Envoy proxy by running the describe command to view the configuration.
+
+```azurecli-interactive
+kubectl describe pod bookbuyer-84446dd5bd-j4tlr -n bookbuyer
+```
+
+```Output
+Containers:
+ bookbuyer:
+ Container ID: containerd://b7503b866f915711002292ea53970bd994e788e33fb718f1c4f8f12cd4a88198
+ Image: openservicemesh/bookbuyer:v0.8.0
+ Image ID: docker.io/openservicemesh/bookbuyer@sha256:813874bd2dc9c5a259b9657995348cf0822b905e29c4e86f21fdefa0ef21dcee
+ Port: <none>
+ Host Port: <none>
+ Command:
+ /bookbuyer
+ State: Running
+ Started: Tue, 23 Mar 2021 10:52:53 -0400
+ Ready: True
+ Restart Count: 0
+ Environment:
+ BOOKSTORE_NAMESPACE: bookstore
+ BOOKSTORE_SVC: bookstore
+ Mounts:
+ /var/run/secrets/kubernetes.io/serviceaccount from bookbuyer-token-zft2r (ro)
+ envoy:
+ Container ID: containerd://f5f1cb5db8d5304e23cc984eb08146ea162a3e82d4262c4472c28d5579c25e10
+ Image: envoyproxy/envoy-alpine:v1.17.1
+ Image ID: docker.io/envoyproxy/envoy-alpine@sha256:511e76b9b73fccd98af2fbfb75c34833343d1999469229fdfb191abd2bbe3dfb
+ Ports: 15000/TCP, 15003/TCP, 15010/TCP
+ Host Ports: 0/TCP, 0/TCP, 0/TCP
+```
+
+Verify your application is still functional after the Envoy sidecar proxy injection.
+
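Review bot: The namespace changes partway through this procedure: it onboards `bookstore` with `osm namespace add bookstore`, but every later command inspects and restarts the `bookbuyer` namespace (`kubectl get pod -n bookbuyer`, `kubectl rollout restart deployment bookbuyer -n bookbuyer`). The page says sidecar injection depends on the namespace having been added to the mesh, so as written the restart would not produce the 2/2 pod shown unless `bookbuyer` was onboarded somewhere else. Use one namespace throughout. The closing step, "Verify your application is still functional", gives no command or check to perform; name one, such as the port-forward check used earlier.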
+### Onboard existing deployed applications with Open Service Mesh (OSM) Permissive Traffic Policy configured as False
+
+When the OSM configuration for the permissive traffic policy is set to `false`, OSM will require explicit [SMI](https://smi-spec.io/) traffic access policies deployed for the service-to-service communication to happen within your cluster. Currently, OSM also uses Kubernetes service accounts as part of authorizing service-to-service communications as well. To ensure your existing deployed applications will communicate when managed by the OSM mesh, we will need to verify the existence of a service account to utilize, update the application deployment with the service account information, apply the [SMI](https://smi-spec.io/) traffic access policies.
+
+#### Verify Kubernetes Service Accounts
+
+Verify if you have a kubernetes service account in the namespace your application is deployed to.
+
+```azurecli-interactive
+kubectl get serviceaccounts -n bookbuyer
+```
+
+In the following there is a service account named `bookbuyer` in the bookbuyer namespace.
+
+```Output
+NAME SECRETS AGE
+bookbuyer 1 25h
+default 1 25h
+```
+
+If you do not have a service account listed other than the default account, you will need to create one for your application. Use the following command as an example to create a service account in the application's deployed namespace.
+
+```azurecli-interactive
+kubectl create serviceaccount myserviceaccount -n bookbuyer
+```
+
+```Output
+serviceaccount/myserviceaccount created
+```
+
+#### View your application's current deployment specification
+
+If you had to create a service account from the earlier section, chances are your application deployment is not configured with a specific `serviceAccountName` in the deployment spec. We can view your application's deployment spec with the following commands:
+
+```azurecli-interactive
+kubectl get deployment -n bookbuyer
+```
+
+A list of deployments will be listed in the output.
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+bookbuyer 1/1 1 1 25h
+```
+
+We will now describe the deployment as a check to see if there is a service account listed in the Pod Template section.
+
+```azurecli-interactive
+kubectl describe deployment bookbuyer -n bookbuyer
+```
+
+In this particular deployment you can see that there is a service account associated with the deployment listed under the Pod Template section. This deployment is using the service account bookbuyer. If you do not see the **Serivce Account:** property, your deployment is not configured to use a service account.
+
+```Output
+Pod Template:
+ Labels: app=bookbuyer
+ version=v1
+ Annotations: kubectl.kubernetes.io/restartedAt: 2021-03-23T10:52:49-04:00
+ Service Account: bookbuyer
+ Containers:
+ bookbuyer:
+ Image: openservicemesh/bookbuyer:v0.8.0
+
+```
+
+There are several techniques to update your deployment to add a kubernetes service account. Review the Kubernetes documentation on [Updating a Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment) inline, or [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/). Once you have updated your deployment spec with the service account, redeploy (kubectl apply -f your-deployment.yaml) your deployment to the cluster.
+
+#### Deploy the necessary Service Mesh Interface (SMI) Policies
+
+The last step to allowing authorized traffic to flow in the mesh is to deploy the necessary [SMI](https://smi-spec.io/) traffic access policies for your application. The amount of configuration you can achieve with [SMI](https://smi-spec.io/) traffic access policies is beyond the scope of this walkthrough, but we will detail some of the common components of the specification and show how to configure both a simple TrafficTarget and HTTPRouteGroup policy to enable service-to-service communication for your application.
+
+The [SMI](https://smi-spec.io/) [**Traffic Access Control**](https://github.com/servicemeshinterface/smi-spec/blob/main/apis/traffic-access/v1alpha3/traffic-access.md#traffic-access-control) specification allows users to define the access control policy for their applications. We will focus on the **TrafficTarget** and **HTTPRoutGroup** api resources.
+
+The TrafficTarget resource consists of three main configuration settings destination, rules, and sources. An example TrafficTarget is shown below.
+
+```TrafficTarget Example spec
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore-v1
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+```
+
+In the above TrafficTarget spec, the `destination` denotes the service account that is configured for the destination source service. Remember the service account that was added to the deployment earlier will be used to authorize access to the deployment it is attached to. The `rules` section , in this particular example, defines the type of HTTP traffic that is allowed over the connection. You can configure fine grain regex patterns for the HTTP headers to be specific on what traffic is allowed via HTTP. The `sources` section is the service originating communications. This spec reads bookbuyer needs to communicate to the bookstore.
+
+The HTTPRouteGroup resource consists of one or an array of matches of HTTP header information and is a requirement for the TrafficTarget spec. In the example below, you can see that the HTTPRouteGroup is authorizing three HTTP actions, two GET and one POST.
+
+```HTTPRouteGroup Example Spec
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+```
+
+If you are not familiar with the type of HTTP traffic your front-end application makes to other tiers of the application, since the TrafficTarget spec requires a rule, you can create the equivalent of an allow all rule using the below spec for HTTPRouteGroup.
+
+```HTTPRouteGroup Allow All Example
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: allow-all
+ namespace: yournamespace
+spec:
+ matches:
+ - name: allow-all
+ pathRegex: '.*'
+ methods: ["GET","PUT","POST","DELETE","PATCH"]
+```
+
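Review bot: The allow-all HTTPRouteGroup is offered as a fallback with no caveat. With `pathRegex: '.*'` and the five listed methods, any TrafficTarget that references it authorizes essentially every request from its sources, which removes the route-level restriction that setting permissive mode to `false` was meant to introduce. Label it as a temporary measure for discovering the application's real traffic and tell readers to replace it with specific matches afterwards. The name also overstates the rule, since `methods` omits HEAD and OPTIONS. Spelling in this subsection: "HTTPRoutGroup" should be "HTTPRouteGroup", and "destination source service" should be "destination service".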
+Once you configure your TrafficTarget and HTTPRouteGroup spec, you can put them together as one YAML and deploy. Below is the bookstore example configuration.
+
+```Bookstore Example TrafficTarget and HTTPRouteGroup configuration
+kubectl apply -f - <<EOF
+
+apiVersion: access.smi-spec.io/v1alpha3
+kind: TrafficTarget
+metadata:
+ name: bookbuyer-access-bookstore-v1
+ namespace: bookstore
+spec:
+ destination:
+ kind: ServiceAccount
+ name: bookstore
+ namespace: bookstore
+ rules:
+ - kind: HTTPRouteGroup
+ name: bookstore-service-routes
+ matches:
+ - buy-a-book
+ - books-bought
+ sources:
+ - kind: ServiceAccount
+ name: bookbuyer
+ namespace: bookbuyer
+
+apiVersion: specs.smi-spec.io/v1alpha4
+kind: HTTPRouteGroup
+metadata:
+ name: bookstore-service-routes
+ namespace: bookstore
+spec:
+ matches:
+ - name: books-bought
+ pathRegex: /books-bought
+ methods:
+ - GET
+ headers:
+ - "user-agent": ".*-http-client/*.*"
+ - "client-app": "bookbuyer"
+ - name: buy-a-book
+ pathRegex: ".*a-book.*new"
+ methods:
+ - GET
+ - name: update-books-bought
+ pathRegex: /update-books-bought
+ methods:
+ - POST
+EOF
+```
+
+Visit the [SMI](https://smi-spec.io/) site for more detailed information on the specification.
+
+### Manage the application's namespace with OSM
+
+Next we will configure OSM to manage the namespace and restart the deployments to get the Envoy sidecar proxy injected with the application.
+
+Run the following command to configure the `azure-vote` namespace to be managed my OSM.
+
+```azurecli-interactive
+osm namespace add azure-vote
+```
+
+```Output
+Namespace [azure-vote] successfully added to mesh [osm]
+```
+
+Next restart both the `azure-vote-front` and `azure-vote-back` deployments with the following commands.
+
+```azurecli-interactive
+kubectl rollout restart deployment azure-vote-front -n azure-vote
+kubectl rollout restart deployment azure-vote-back -n azure-vote
+```
+
+```Output
+deployment.apps/azure-vote-front restarted
+deployment.apps/azure-vote-back restarted
+```
+
+If we view the pods for the `azure-vote` namespace, we will see the **READY** stage of both the `azure-vote-front` and `azure-vote-back` as 2/2, meaning the Envoy sidecar proxy has been injected alongside the application.
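Review bot: the closing paragraph of the azure-vote section tells the reader to view the pods and expect 2/2 under **READY**, but no command or sample output is given. Add the `kubectl get pods -n azure-vote` step with its output, as the bookbuyer section does later. In the sentence introducing `osm namespace add azure-vote`, "managed my OSM" should read "managed by OSM".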
+
+## Tutorial: Deploy an application managed by Open Service Mesh (OSM) with NGINX ingress
+
+Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - View the current OSM cluster configuration
+> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
+> - Onboard the namespaces to be managed by OSM
+> - Deploy the sample application
+> - Verify the application running inside the AKS cluster
+> - Create a NGINX ingress controller used for the appliction
+> - Expose a service via the Azure Application Gateway ingress to the internet
+
+### Before you begin
+
+The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), and have installed the AKS OSM add-on.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- OSM version v0.8.0 or later
+- apt-get install jq
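Review bot: the NGINX tutorial's checklist ends with "Expose a service via the Azure Application Gateway ingress to the internet", which looks carried over from the Application Gateway tutorial and should name the NGINX ingress controller; the item above it misspells "application" as "appliction". In "Before you begin", the parenthesis opened at "(If you need help" is never closed, and "Kubernetes `1.19+` and above" says the same thing twice. The last prerequisite, `apt-get install jq`, is a command for one package manager in a list of version requirements; state it as "jq" and leave the install method to the reader's platform.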
+
+### View and verify the current OSM cluster configuration
+
+Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output shows the current OSM configuration for the cluster.
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
+ "permissive_traffic_policy_mode": "false",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
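Review bot: the paragraph after the ConfigMap output says **permissive_traffic_policy_mode** is configured to **true**, but the JSON directly above shows `"permissive_traffic_policy_mode": "false"`. One of the two has to change, and it matters because this paragraph is where the reader learns that permissive mode bypasses SMI traffic policy enforcement; they need to know which state the cluster is in before deploying the bookstore app. The same output and sentence are repeated in the Application Gateway tutorial and need the same fix. The sample also shows `"enable_debug_server": "true"`; say whether that is the add-on default or specific to the cluster the output was captured from.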
+
+### Create namespaces for the application
+
+In this tutorial we will be using the OSM bookstore application that has the following application components:
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+Adding the namespaces to the OSM mesh will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Update the Bookbuyer Service
+
+Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookbuyer
+ namespace: bookbuyer
+ labels:
+ app: bookbuyer
+spec:
+ ports:
+ - port: 14001
+ name: inbound-port
+ selector:
+ app: bookbuyer
+EOF
+```
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore mulit-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specified bookbuyer pod name.
+
+```azurecli-interactive
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app for NGINX UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
+
+### Create an NGINX ingress controller in Azure Kubernetes Service (AKS)
+
+An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
+
+We will utilize the ingress controller to expose the application managed by OSM to the internet. To create the ingress controller, use Helm to install nginx-ingress. For added redundancy, two replicas of the NGINX ingress controllers are deployed with the `--set controller.replicaCount` parameter. To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.
+
+The ingress controller also needs to be scheduled on a Linux node. Windows Server nodes shouldn't run the ingress controller. A node selector is specified using the `--set nodeSelector` parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.
+
+> [!TIP]
+> The following example creates a Kubernetes namespace for the ingress resources named _ingress-basic_. Specify a namespace for your own environment as needed.
+
+```azurecli-interactive
+# Create a namespace for your ingress resources
+kubectl create namespace ingress-basic
+
+# Add the ingress-nginx repository
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+
+# Update the helm repo(s)
+helm repo update
+
+# Use Helm to deploy an NGINX ingress controller in the ingress-basic namespace
+helm install nginx-ingress ingress-nginx/ingress-nginx \
+ --namespace ingress-basic \
+ --set controller.replicaCount=1 \
+ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
+```
+
+When the Kubernetes load balancer service is created for the NGINX ingress controller, a dynamic public IP address is assigned, as shown in the following example output:
+
+```Output
+$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
+
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
+nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.74.133 EXTERNAL_IP 80:32486/TCP,443:30953/TCP 44s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
+```
+
+No ingress rules have been created yet, so the NGINX ingress controller's default 404 page is displayed if you browse to the internal IP address. Ingress rules are configured in the following steps.
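Review bot: the text says two replicas of the NGINX ingress controller are deployed for redundancy, but the Helm command sets `--set controller.replicaCount=1`. Align the prose and the command. The three node selectors use the `beta.kubernetes.io/os` label, which is deprecated in favour of `kubernetes.io/os`; since the prerequisites require Kubernetes 1.19 or later, the non-beta label can be used. The text also refers to a `--set nodeSelector` parameter, while the command uses `controller.nodeSelector`, `defaultBackend.nodeSelector` and `controller.admissionWebhooks.patch.nodeSelector`. In the last paragraph, "browse to the internal IP address" conflicts with the preceding statement that a dynamic public IP address is assigned.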
+
+### Expose the bookbuyer service to the internet
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: bookbuyer-ingress
+ namespace: bookbuyer
+ annotations:
+ kubernetes.io/ingress.class: nginx
+
+spec:
+
+ rules:
+ - host: bookbuyer.contoso.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+EOF
+```
+
+You should see the following output:
+
+```Output
+Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
+ingress.extensions/bookbuyer-ingress created
+```
+
+### View the NGINX logs
+
+```azurecli-interactive
+POD=$(kubectl get pods -n ingress-basic | grep 'nginx-ingress' | awk '{print $1}')
+
+kubectl logs $POD -n ingress-basic -f
+```
+
+Output shows the NGINX ingress controller status when ingress rule has been applied successfully:
+
+```Output
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"bookbuyer", Name:"bookbuyer-ingress", UID:"e1018efc-8116-493c-9999-294b4566819e", APIVersion:"networking.k8s.io/v1beta1", ResourceVersion:"5460", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
+I0321 <date> 6 controller.go:146] "Configuration changes detected, backend reload required"
+I0321 <date> 6 controller.go:163] "Backend successfully reloaded"
+I0321 <date> 6 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"ingress-basic", Name:"nginx-ingress-ingress-nginx-controller-54cf6c8bf4-jdvrw", UID:"3ebbe5e5-50ef-481d-954d-4b82a499ebe1", APIVersion:"v1", ResourceVersion:"3272", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration
+```
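Review bot: in "View the NGINX logs", `POD=$(kubectl get pods -n ingress-basic | grep 'nginx-ingress' | awk '{print $1}')` returns every matching pod name, so with more than one controller replica the unquoted `$POD` expands to several arguments and `kubectl logs` fails. Selecting by label is more robust, for example `kubectl logs -n ingress-basic -l app.kubernetes.io/component=controller -f`, using the selector already shown in the service output earlier in this tutorial. The sentence after the command should read "when the ingress rule has been applied".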
+
+### View the NGINX services and bookbuyer service externally
+
+```azurecli-interactive
+kubectl get services -n ingress-basic
+```
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.100.23 20.193.1.74 80:31742/TCP,443:32683/TCP 4m15s
+nginx-ingress-ingress-nginx-controller-admission ClusterIP 10.0.163.98 <none> 443/TCP 4m15s
+```
+
+Since the host name in the ingress manifest is a psuedo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the NGINX public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
+
+```azurecli-interactive
+curl -H 'Host: bookbuyer.contoso.com' http://EXTERNAL-IP/
+```
+
+You should see the following output:
+
+```Output
+<!doctype html>
+<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+ <head>
+ <meta content="Bookbuyer" name="description">
+ <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
+ <title>Bookbuyer</title>
+ <style>
+ #navbar {
+ width: 100%;
+ height: 50px;
+ display: table;
+ border-spacing: 0;
+ white-space: nowrap;
+ line-height: normal;
+ background-color: #0078D4;
+ background-position: left top;
+ background-repeat-x: repeat;
+ background-image: none;
+ color: white;
+ font: 2.2em "Fira Sans", sans-serif;
+ }
+ #main {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.8em "Fira Sans", sans-serif;
+ }
+ li {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.2em "Consolas", sans-serif;
+ }
+ </style>
+ <script>
+ setTimeout(function(){window.location.reload(1);}, 1500);
+ </script>
+ </head>
+ <body bgcolor="#fff">
+ <div id="navbar">
+ &#128214; Bookbuyer
+ </div>
+ <div id="main">
+ <ul>
+ <li>Total books bought: <strong>1833</strong>
+ <ul>
+ <li>from bookstore V1: <strong>277</strong>
+ <li>from bookstore V2: <strong>1556</strong>
+ </ul>
+ </li>
+ </ul>
+ </div>
+
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+
+ Current Time: <strong>Fri, 26 Mar 2021 15:02:53 UTC</strong>
+ </body>
+</html>
+```
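Review bot: the sentence introducing the curl test has two typos that change how it reads: "psuedo" should be "pseudo" and "past the hostname header" should be "pass the hostname header". The command uses the placeholder `EXTERNAL-IP`, the earlier service output uses `EXTERNAL_IP`, and the service listing just above prints a literal public address; pick one placeholder form and use it in all three places. The full HTML page is not needed to show a 200 response; the status line and the `<title>Bookbuyer</title>` line would demonstrate the same thing in a much shorter block.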
+
+## Tutorial: Deploy an application managed by Open Service Mesh (OSM) using Azure Application Gateway ingress AKS add-on
+
+Open Service Mesh (OSM) is a lightweight, extensible, Cloud Native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - View the current OSM cluster configuration
+> - Create the namespace(s) for OSM to manage deployed applications in the namespace(s)
+> - Onboard the namespaces to be managed by OSM
+> - Deploy the sample application
+> - Verify the application running inside the AKS cluster
+> - Create an Azure Application Gateway to be used as the ingress controller for the appliction
+> - Expose a service via the Azure Application Gateway ingress to the internet
+
+### Before you begin
+
+The steps detailed in this article assume that you've created an AKS cluster (Kubernetes `1.19+` and above, with Kubernetes RBAC enabled), have established a `kubectl` connection with the cluster (If you need help with any of these items, then see the [AKS quickstart](./kubernetes-walkthrough.md), have installed the AKS OSM add-on, and will be creating a new Azure Application Gateway for ingress.
+
+You must have the following resources installed:
+
+- The Azure CLI, version 2.20.0 or later
+- The `aks-preview` extension version 0.5.5 or later
+- AKS cluster version 1.19+ using Azure CNI networking (Attached to an Azure Vnet)
+- OSM version v0.8.0 or later
+- apt-get install jq
+
+### View and verify the current OSM cluster configuration
+
+Once the OSM add-on for AKS has been enabled on the AKS cluster, you can view the current configuration parameters in the osm-config Kubernetes ConfigMap. Run the following command to view the ConfigMap properties:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data'
+```
+
+Output shows the current OSM configuration for the cluster.
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.57.43",
+ "permissive_traffic_policy_mode": "false",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
+
+Notice the **permissive_traffic_policy_mode** is configured to **true**. Permissive traffic policy mode in OSM is a mode where the [SMI](https://smi-spec.io/) traffic policy enforcement is bypassed. In this mode, OSM automatically discovers services that are a part of the service mesh and programs traffic policy rules on each Envoy proxy sidecar to be able to communicate with these services.
+
+### Create namespaces for the application
+
+In this tutorial we will be using the OSM bookstore application that has the following application components:
+
+- bookbuyer
+- bookthief
+- bookstore
+- bookwarehouse
+
+Create namespaces for each of these application components.
+
+```azurecli-interactive
+for i in bookstore bookbuyer bookthief bookwarehouse; do kubectl create ns $i; done
+```
+
+You should see the following output:
+
+```Output
+namespace/bookstore created
+namespace/bookbuyer created
+namespace/bookthief created
+namespace/bookwarehouse created
+```
+
+### Onboard the namespaces to be managed by OSM
+
+When you add the namespaces to the OSM mesh, this will allow the OSM controller to automatically inject the Envoy sidecar proxy containers with your application. Run the following command to onboard the OSM bookstore application namespaces.
+
+```azurecli-interactive
+osm namespace add bookstore bookbuyer bookthief bookwarehouse
+```
+
+You should see the following output:
+
+```Output
+Namespace [bookstore] successfully added to mesh [osm]
+Namespace [bookbuyer] successfully added to mesh [osm]
+Namespace [bookthief] successfully added to mesh [osm]
+Namespace [bookwarehouse] successfully added to mesh [osm]
+```
+
+### Deploy the Bookstore application to the AKS cluster
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookbuyer.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookthief.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookstore.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/release-v0.8/docs/example/manifests/apps/bookwarehouse.yaml
+```
+
+All of the deployment outputs are summarized below.
+
+```Output
+serviceaccount/bookbuyer created
+service/bookbuyer created
+deployment.apps/bookbuyer created
+
+serviceaccount/bookthief created
+service/bookthief created
+deployment.apps/bookthief created
+
+service/bookstore created
+serviceaccount/bookstore created
+deployment.apps/bookstore created
+
+serviceaccount/bookwarehouse created
+service/bookwarehouse created
+deployment.apps/bookwarehouse created
+```
+
+### Update the Bookbuyer Service
+
+Update the bookbuyer service to the correct inbound port configuration with the following service manifest.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Service
+metadata:
+ name: bookbuyer
+ namespace: bookbuyer
+ labels:
+ app: bookbuyer
+spec:
+ ports:
+ - port: 14001
+ name: inbound-port
+ selector:
+ app: bookbuyer
+EOF
+```
+
+### Verify the Bookstore application running inside the AKS cluster
+
+As of now we have deployed the bookstore multi-container application, but it is only accessible from within the AKS cluster. Later we will add the Azure Application Gateway ingress controller to expose the application outside the AKS cluster. To verify that the application is running inside the cluster, we will use a port forward to view the bookbuyer component UI.
+
+First let's get the bookbuyer pod's name
+
+```azurecli-interactive
+kubectl get pod -n bookbuyer
+```
+
+You should see output similar to the following. Your bookbuyer pod will have a unique name appended.
+
+```Output
+NAME READY STATUS RESTARTS AGE
+bookbuyer-7676c7fcfb-mtnrz 2/2 Running 0 7m8s
+```
+
+Once we have the pod's name, we can now use the port-forward command to set up a tunnel from our local system to the application inside the AKS cluster. Run the following command to set up the port forward for the local system port 8080. Again use your specific bookbuyer pod name.
+
+```azurecli-interactive
+kubectl port-forward bookbuyer-7676c7fcfb-mtnrz -n bookbuyer 8080:14001
+```
+
+You should see output similar to this.
+
+```Output
+Forwarding from 127.0.0.1:8080 -> 14001
+Forwarding from [::1]:8080 -> 14001
+```
+
+While the port forwarding session is in place, navigate to the following url from a browser `http://localhost:8080`. You should now be able to see the bookbuyer application UI in the browser similar to the image below.
+
+![OSM bookbuyer app for App Gateway UI image](./media/aks-osm-addon/osm-agic-bookbuyer-img.png)
+
+### Create an Azure Application Gateway to expose the bookbuyer application outside the AKS cluster
+
+> [!NOTE]
+> The following directions will create a new instance of the Azure Application Gateway to be used for ingress. If you have an existing Azure Application Gateway you wish to use, skip to the section for enabling the Application Gateway Ingress Controller add-on.
+
+#### Deploy a new Application Gateway
+
+> [!NOTE]
+> We are referencing existing documentation for enabling the Application Gateway Ingress Controller add-on for an existing AKS cluster. Some modifications have been made to suit the OSM materials. More detailed documentation on the subject can be found [here](https://docs.microsoft.com/azure/application-gateway/tutorial-ingress-controller-add-on-existing).
+
+You'll now deploy a new Application Gateway, to simulate having an existing Application Gateway that you want to use to load balance traffic to your AKS cluster, _myCluster_. The name of the Application Gateway will be _myApplicationGateway_, but you will need to first create a public IP resource, named _myPublicIp_, and a new virtual network called _myVnet_ with address space 11.0.0.0/8, and a subnet with address space 11.1.0.0/16 called _mySubnet_, and deploy your Application Gateway in _mySubnet_ using _myPublicIp_.
+
+When using an AKS cluster and Application Gateway in separate virtual networks, the address spaces of the two virtual networks must not overlap. The default address space that an AKS cluster deploys in is 10.0.0.0/8, so we set the Application Gateway virtual network address prefix to 11.0.0.0/8.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus2
+az network public-ip create -n myPublicIp -g MyResourceGroup --allocation-method Static --sku Standard
+az network vnet create -n myVnet -g myResourceGroup --address-prefix 11.0.0.0/8 --subnet-name mySubnet --subnet-prefix 11.1.0.0/16
+az network application-gateway create -n myApplicationGateway -l eastus2 -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet
+```
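Review bot: `--address-prefix 11.0.0.0/8` and `--subnet-prefix 11.1.0.0/16` put the Application Gateway virtual network in publicly routable address space; 11.0.0.0/8 is not one of the RFC 1918 private ranges. The stated goal is only to avoid overlapping the AKS address space, so choose a private range that does not overlap the cluster's and update the paragraph above to match. The public IP command passes `-g MyResourceGroup` while every other command uses `myResourceGroup`; use one spelling throughout.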
+
+> [!NOTE]
+> Application Gateway Ingress Controller (AGIC) add-on **only** supports Application Gateway v2 SKUs (Standard and WAF), and **not** the Application Gateway v1 SKUs.
+
+#### Enable the AGIC add-on for an existing AKS cluster through Azure CLI
+
+If you'd like to continue using Azure CLI, you can continue to enable the AGIC add-on in the AKS cluster you created, _myCluster_, and specify the AGIC add-on to use the existing Application Gateway you created, _myApplicationGateway_.
+
+```azurecli-interactive
+appgwId=$(az network application-gateway show -n myApplicationGateway -g myResourceGroup -o tsv --query "id")
+az aks enable-addons -n myCluster -g myResourceGroup -a ingress-appgw --appgw-id $appgwId
+```
+
+You can verify the Azure Application Gateway AKS add-on has been enabled by the following command.
+
+```azurecli-interactive
+az aks list -g osm-aks-rg -o json | jq -r .[].addonProfiles.ingressApplicationGateway.enabled
+```
+
+This command should show the output as `true`.
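Review bot: the verification command queries `-g osm-aks-rg`, but the add-on was enabled on `myCluster` in `myResourceGroup` two lines earlier, so a reader following along gets an empty result or an error. Use the same resource group, and prefer `az aks show -n myCluster -g myResourceGroup` so the check targets the one cluster. The jq filter `.[].addonProfiles.ingressApplicationGateway.enabled` is unquoted and contains `[]`, which the shell may try to glob; wrap it in single quotes. `--appgw-id $appgwId` should be quoted as well.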
+
+#### Peer the two virtual networks together
+
+Since we deployed the AKS cluster in its own virtual network and the Application Gateway in another virtual network, you'll need to peer the two virtual networks together in order for traffic to flow from the Application Gateway to the pods in the cluster. Peering the two virtual networks requires running the Azure CLI command two separate times, to ensure that the connection is bi-directional. The first command will create a peering connection from the Application Gateway virtual network to the AKS virtual network; the second command will create a peering connection in the other direction.
+
+```azurecli-interactive
+nodeResourceGroup=$(az aks show -n myCluster -g myResourceGroup -o tsv --query "nodeResourceGroup")
+aksVnetName=$(az network vnet list -g $nodeResourceGroup -o tsv --query "[0].name")
+
+aksVnetId=$(az network vnet show -n $aksVnetName -g $nodeResourceGroup -o tsv --query "id")
+az network vnet peering create -n AppGWtoAKSVnetPeering -g myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access
+
+appGWVnetId=$(az network vnet show -n myVnet -g myResourceGroup -o tsv --query "id")
+az network vnet peering create -n AKStoAppGWVnetPeering -g $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access
+```
+
+### Expose the bookbuyer service to the internet
+
+Apply the following ingress manifest to the AKS cluster to expose the bookbuyer service to the internet via the Azure Application Gateway.
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: bookbuyer-ingress
+ namespace: bookbuyer
+ annotations:
+ kubernetes.io/ingress.class: azure/application-gateway
+
+spec:
+
+ rules:
+ - host: bookbuyer.contoso.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+
+ backend:
+ serviceName: bookbuyer
+ servicePort: 14001
+EOF
+```
+
+You should see the following output
+
+```Output
+Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
+ingress.extensions/bookbuyer-ingress created
+```
+
+Since the host name in the ingress manifest is a pseudo name used for testing, the DNS name will not be available on the internet. We can alternatively use the curl program and past the hostname header to the Azure Application Gateway public IP address and receive a 200 code successfully connecting us to the bookbuyer service.
+
+```azurecli-interactive
+appGWPIP=$(az network public-ip show -g MyResourceGroup -n myPublicIp -o tsv --query "ipAddress")
+curl -H 'Host: bookbuyer.contoso.com' http://$appGWPIP/
+```
+
+You should see the following output
+
+```Output
+<!doctype html>
+<html itemscope="" itemtype="http://schema.org/WebPage" lang="en">
+ <head>
+ <meta content="Bookbuyer" name="description">
+ <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
+ <title>Bookbuyer</title>
+ <style>
+ #navbar {
+ width: 100%;
+ height: 50px;
+ display: table;
+ border-spacing: 0;
+ white-space: nowrap;
+ line-height: normal;
+ background-color: #0078D4;
+ background-position: left top;
+ background-repeat-x: repeat;
+ background-image: none;
+ color: white;
+ font: 2.2em "Fira Sans", sans-serif;
+ }
+ #main {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.8em "Fira Sans", sans-serif;
+ }
+ li {
+ padding: 10pt 10pt 10pt 10pt;
+ font: 1.2em "Consolas", sans-serif;
+ }
+ </style>
+ <script>
+ setTimeout(function(){window.location.reload(1);}, 1500);
+ </script>
+ </head>
+ <body bgcolor="#fff">
+ <div id="navbar">
+ &#128214; Bookbuyer
+ </div>
+ <div id="main">
+ <ul>
+ <li>Total books bought: <strong>5969</strong>
+ <ul>
+ <li>from bookstore V1: <strong>277</strong>
+ <li>from bookstore V2: <strong>5692</strong>
+ </ul>
+ </li>
+ </ul>
+ </div>
+
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+ <br/><br/><br/><br/>
+
+ Current Time: <strong>Fri, 26 Mar 2021 16:34:30 UTC</strong>
+ </body>
+</html>
+```
+
+### Troubleshooting
+
+- [AGIC Troubleshooting Documentation](https://docs.microsoft.com/azure/application-gateway/ingress-controller-troubleshoot)
+- [Additional troubleshooting tools are available on AGIC's GitHub repo](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/troubleshootings/troubleshooting-installing-a-simple-application.md)
+
+## Open Service Mesh (OSM) Monitoring and Observability using Azure Monitor and Applications Insights
+
+Both Azure Monitor and Azure Application Insights helps you maximize the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
+
+The OSM AKS add-on will have deep integrations into both of these Azure services, and provide a seemless Azure experience for viewing and responding to critical KPIs provided by OSM metrics. For more information on how to enable and configure these services for the OSM AKS add-on, visit the [Azure Monitor for OSM](https://aka.ms/azmon/osmpreview) page for more information.
+
+## Tutorial: Manually deploy Prometheus, Grafana, and Jaeger to view Open Service Mesh (OSM) metrics for observability
+
+> [!WARNING]
+> The installation of Prometheus, Grafana and Jaeger are provided as general guidance to show how these tools can be utilized to view OSM metric data. The installation guidance is not to be utilized for a production setup. Please refer to each tool's documentation on how best to suit thier installations to your needs. Most notable will be the lack of persistent storage, meaning that all data is lost once a Prometheus Grafana, and/or Jaeger pod(s) are terminated.
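Review bot: several wording problems in the monitoring introduction and the warning should be fixed before merge. "Both Azure Monitor and Azure Application Insights helps" needs "help"; "seemless" should be "seamless"; the sentence ending "visit the Azure Monitor for OSM page for more information" repeats "for more information" from its own opening; in the warning, "thier" should be "their" and "a Prometheus Grafana, and/or Jaeger pod(s)" is missing a comma after "Prometheus". The section heading also says "Applications Insights" where the body says "Application Insights".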
+
+Open Service Mesh (OSM) generates detailed metrics related to all traffic within the mesh. These metrics provide insights into the behavior of applications in the mesh helping users to troubleshoot, maintain, and analyze their applications.
+
+As of today OSM collects metrics directly from the sidecar proxies (Envoy). OSM provides rich metrics for incoming and outgoing traffic for all services in the mesh. With these metrics, the user can get information about the overall volume of traffic, errors within traffic and the response time for requests.
+
+OSM uses Prometheus to gather and store consistent traffic metrics and statistics for all applications running in the mesh. Prometheus is an open-source monitoring and alerting toolkit, which is commonly used on (but not limited to) Kubernetes and Service Mesh environments.
+
+Each application that is part of the mesh runs in a Pod that contains an Envoy sidecar that exposes metrics (proxy metrics) in the Prometheus format. Furthermore, every Pod that is a part of the mesh has Prometheus annotations, which makes it possible for the Prometheus server to scrape the application dynamically. This mechanism automatically enables scraping of metrics whenever a new namespace/pod/service is added to the mesh.
+
+OSM metrics can be viewed with Grafana, which is an open-source visualization and analytics software. It allows you to query, visualize, alert on, and explore your metrics.
+
+In this tutorial, you will:
+
+> [!div class="checklist"]
+>
+> - Create and deploy a Prometheus instance
+> - Configure OSM to allow Prometheus scraping
+> - Update the Prometheus Configmap
+> - Create and deploy a Grafana instance
+> - Configure Grafana with the Prometheus datasource
+> - Import OSM dashboard for Grafana
+> - Create and deploy a Jaeger instance
+> - Configure Jaeger tracing for OSM
+
+### Deploy and configure a Prometheus instance for OSM
+
+We will use Helm to deploy the Prometheus instance. Run the following commands to install Prometheus via Helm:
+
+```azurecli-interactive
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+helm install stable prometheus-community/prometheus
+```
+
+You should see similar output below if the installation was successful. Make note of the Prometheus server port and cluster DNS name. This information will be used later for to configure Prometheus as a data source for Grafana.
+
+```Output
+NAME: stable
+LAST DEPLOYED: Fri Mar 26 13:34:51 2021
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+NOTES:
+The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
+stable-prometheus-server.default.svc.cluster.local
++
+Get the Prometheus server URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9090
++
+The Prometheus alertmanager can be accessed via port 80 on the following DNS name from within your cluster:
+stable-prometheus-alertmanager.default.svc.cluster.local
++
+Get the Alertmanager URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=alertmanager" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9093
+#################################################################################
+###### WARNING: Pod Security Policy has been moved to a global property. #####
+###### use .Values.podSecurityPolicy.enabled with pod-based #####
+###### annotations #####
+###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
+#################################################################################
++
+The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
+stable-prometheus-pushgateway.default.svc.cluster.local
++
+Get the PushGateway URL by running these commands in the same shell:
+ export POD_NAME=$(kubectl get pods --namespace default -l "app=prometheus,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace default port-forward $POD_NAME 9091
+
+For more information on running Prometheus, visit:
+https://prometheus.io/
+```
+
+#### Configure OSM to allow Prometheus scraping
+
+To ensure that the OSM components are configured for Prometheus scrapes, we'll want to check the **prometheus_scraping** configuration located in the osm-config config file. View the configuration with the following command:
+
+```azurecli-interactive
+kubectl get configmap -n kube-system osm-config -o json | jq '.data.prometheus_scraping'
+```
+
+The output of the previous command should return `true` if OSM is configured for Prometheus scraping. If the returned value is `false`, we will need to update the configuration to be `true`. Run the following command to turn **on** OSM Prometheus scraping:
+
+```azurecli-interactive
+kubectl patch ConfigMap -n kube-system osm-config --type merge --patch '{"data":{"prometheus_scraping":"true"}}'
+```
+
+You should see the following output.
+
+```Output
+configmap/osm-config patched
+```
+
+#### Update the Prometheus Configmap
+
+The default installation of Prometheus will contain two Kubernetes configmaps. You can view the list of Prometheus configmaps with the following command.
+
+```azurecli-interactive
+kubectl get configmap | grep prometheus
+```
+
+```Output
+stable-prometheus-alertmanager 1 4h34m
+stable-prometheus-server 5 4h34m
+```
+
+We will need to replace the prometheus.yml configuration located in the **stable-prometheus-server** configmap with the following OSM configuration. There are several file editing techniques to accomplish this task. A simple and safe way is to export the configmap, create a copy of it for backup, then edit it with an editor such as Visual Studio code.
+
+> [!NOTE]
+> If you do not have Visual Studio Code installed you can go download and install it [here](https://code.visualstudio.com/Download).
+
+Let's first export out the **stable-prometheus-server** configmap and then make a copy for backup.
+
+```azurecli-interactive
+kubectl get configmap stable-prometheus-server -o yaml > cm-stable-prometheus-server.yml
+cp cm-stable-prometheus-server.yml cm-stable-prometheus-server.yml.copy
+```
+
+Next let's open the file using Visual Studio Code to edit.
+
+```azurecli-interactive
+code cm-stable-prometheus-server.yml
+```
+
+Once you have the configmap opened in the Visual Studio Code editor, replace the prometheus.yml file with the OSM configuration below and save the file.
+
+> [!WARNING]
+> It is extremely important that you ensure you keep the indention structure of the yaml file. Any changes to the yaml file structure could result in the configmap not being able to be re-applied.
+
+```OSM Prometheus Configmap Configuration
+prometheus.yml: |
+ global:
+ scrape_interval: 10s
+ scrape_timeout: 10s
+ evaluation_interval: 1m
+
+ scrape_configs:
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # TODO need to remove this when the CA and SAN match
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(apiserver_watch_events_total|apiserver_admission_webhook_rejection_count)'
+ action: keep
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(envoy_server_live|envoy_cluster_upstream_rq_xx|envoy_cluster_upstream_cx_active|envoy_cluster_upstream_cx_tx_bytes_total|envoy_cluster_upstream_cx_rx_bytes_total|envoy_cluster_upstream_cx_destroy_remote_with_active_rq|envoy_cluster_upstream_cx_connect_timeout|envoy_cluster_upstream_cx_destroy_local_with_active_rq|envoy_cluster_upstream_rq_pending_failure_eject|envoy_cluster_upstream_rq_pending_overflow|envoy_cluster_upstream_rq_timeout|envoy_cluster_upstream_rq_rx_reset|^osm.*)'
+ action: keep
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: source_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: source_pod_name
+ - regex: '(__meta_kubernetes_pod_label_app)'
+ action: labelmap
+ replacement: source_service
+ - regex: '(__meta_kubernetes_pod_label_osm_envoy_uid|__meta_kubernetes_pod_label_pod_template_hash|__meta_kubernetes_pod_label_version)'
+ action: drop
+ # for non-ReplicaSets (DaemonSet, StatefulSet)
+ # __meta_kubernetes_pod_controller_kind=DaemonSet
+ # __meta_kubernetes_pod_controller_name=foo
+ # =>
+ # workload_kind=DaemonSet
+ # workload_name=foo
+ - source_labels: [__meta_kubernetes_pod_controller_kind]
+ action: replace
+ target_label: source_workload_kind
+ - source_labels: [__meta_kubernetes_pod_controller_name]
+ action: replace
+ target_label: source_workload_name
+ # for ReplicaSets
+ # __meta_kubernetes_pod_controller_kind=ReplicaSet
+ # __meta_kubernetes_pod_controller_name=foo-bar-123
+ # =>
+ # workload_kind=Deployment
+ # workload_name=foo-bar
+ # deplyment=foo
+ - source_labels: [__meta_kubernetes_pod_controller_kind]
+ action: replace
+ regex: ^ReplicaSet$
+ target_label: source_workload_kind
+ replacement: Deployment
+ - source_labels:
+ - __meta_kubernetes_pod_controller_kind
+ - __meta_kubernetes_pod_controller_name
+ action: replace
+ regex: ^ReplicaSet;(.*)-[^-]+$
+ target_label: source_workload_name
+
+ - job_name: 'smi-metrics'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: 'envoy_.*osm_request_(total|duration_ms_(bucket|count|sum))'
+ action: keep
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_(\d{3})_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: response_code
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: source_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: destination_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_total
+ target_label: destination_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_total
+ target_label: destination_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_response_code_\d{3}_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_total
+ target_label: destination_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: .*(osm_request_total)
+ target_label: __name__
+
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_(.*)_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_(.*)_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_(.*)_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_(.*)_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: source_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_(.*)_destination_kind_.*_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_namespace
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_(.*)_destination_name_.*_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_kind
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_(.*)_destination_pod_.*_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_name
+ - source_labels: [__name__]
+ action: replace
+ regex: envoy_source_namespace_.*_source_kind_.*_source_name_.*_source_pod_.*_destination_namespace_.*_destination_kind_.*_destination_name_.*_destination_pod_(.*)_osm_request_duration_ms_(bucket|sum|count)
+ target_label: destination_pod
+ - source_labels: [__name__]
+ action: replace
+ regex: .*(osm_request_duration_ms_(bucket|sum|count))
+ target_label: __name__
+
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: '(container_cpu_usage_seconds_total|container_memory_rss)'
+ action: keep
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+```
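Review bot: the `kubernetes-apiservers` job sets `insecure_skip_verify: true` while also sending the service account token from `bearer_token_file`, so the token is presented to an endpoint whose certificate is never checked. The `# TODO need to remove this when the CA and SAN match` comment shows it is a stopgap, and readers will paste this block verbatim, so either resolve the TODO before publishing or call the setting out in the surrounding text as something to remove. Two smaller points: the comment `# deplyment=foo` should read `deployment`, and the fence info string `OSM Prometheus Configmap Configuration` is a title rather than a language, so `yaml` with the title moved into the prose would be consistent with the other blocks.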
+
+Apply the updated configmap yaml file with the following command.
+
+```azurecli-interactive
+kubectl apply -f cm-stable-prometheus-server.yml
+```
+
+```Output
+configmap/stable-prometheus-server configured
+```
+
+> [!NOTE]
+> You may receive a message about a missing kubernetes annotation needed. This can be ignored for now.
+
+#### Verify Prometheus is configured to scrape the OSM mesh and API endpoints
+
+To verify that Prometheus is correctly configured to scrape the OSM mesh and API endpoints, we will port forward to the Prometheus pod and view the target configuration. Run the following commands.
+
+```azurecli-interactive
+PROM_POD_NAME=$(kubectl get pods -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
+kubectl --namespace <promNamespace> port-forward $PROM_POD_NAME 9090
+```
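Review bot: the two commands disagree on namespace: `kubectl get pods -l "app=prometheus,component=server"` runs against the current namespace, while the port-forward uses an unexplained `<promNamespace>` placeholder. The Helm output earlier shows the release in `default`, so pass the same `--namespace` value to both commands or tell the reader what to substitute for the placeholder.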
+
+Open a browser up to `http://localhost:9090/targets`
+
+If you scroll down you should see all the SMI metric endpoints state being **UP** as well as other OSM metrics defined as pictured below.
+
+![OSM Prometheus Target Metrics UI image](./media/aks-osm-addon/osm-prometheus-smi-metrics-target-scrape.png)
+
+### Deploy and configure a Grafana Instance for OSM
+
+We will use Helm to deploy the Grafana instance. Run the following commands to install Grafana via Helm:
+
+```
+helm repo add grafana https://grafana.github.io/helm-charts
+helm repo update
+helm install osm-grafana grafana/grafana
+```
+
+Next we'll retrieve the default Grafana password to log into the Grafana site.
+
+```azurecli-interactive
+kubectl get secret --namespace default osm-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
+```
+
+Make note of the Grafana password.
+
+Next we will retrieve the Grafana pod to port forward to the Grafana dashboard to login.
+
+```azurecli-interactive
+GRAF_POD_NAME=$(kubectl get pods -l "app.kubernetes.io/name=grafana" -o jsonpath="{.items[0].metadata.name}")
+kubectl port-forward $GRAF_POD_NAME 3000
+```
+
+Open a browser up to `http://localhost:3000`
+
+At the login screen pictured below, enter **admin** as the username and use the Grafana password captured earlier.
+
+![OSM Grafana Login Page UI image](./media/aks-osm-addon/osm-grafana-ui-login.png)
+
+#### Configure the Grafana Prometheus data source
+
+Once you have successfully logged into Grafana, the next step is to add Prometheus as data sources for Grafana. To do so, navigate on the configuration icon on the left menu and select Data Sources as shown below.
+
+![OSM Grafana Datasources Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources.png)
+
+Click the **Add data source** button and select Prometheus under time series databases.
+
+![OSM Grafana Datasources Selection Page UI image](./media/aks-osm-addon/osm-grafana-ui-datasources-select-prometheus.png)
+
+On the **Configure your Prometheus data source below** page, enter the Kubernetes cluster FQDN for the Prometheus service for the HTTP URL setting. The default FQDN should be `stable-prometheus-server.default.svc.cluster.local`. Once you have entered that Prometheus service endpoint, scroll to the bottom of the page and select **Save & Test**. You should receive a green checkbox indicating the data source is working.
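Review bot: the value given for the HTTP URL setting is a bare host name (`stable-prometheus-server.default.svc.cluster.local`), but the field takes a URL. Write it out with the scheme, `http://stable-prometheus-server.default.svc.cluster.local`, which matches the port 80 stated in the Helm notes earlier, so that **Save & Test** succeeds on the first try.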
+
+#### Importing OSM Dashboards
+
+OSM Dashboards are available both through:
+
+- [Our repository](https://github.com/grafana/grafana), and are importable as json blobs through the web admin portal
+- or [online at Grafana.com](https://grafana.com/grafana/dashboards/14145)
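Review bot: the "Our repository" link points at `https://github.com/grafana/grafana`, which is Grafana's own source repository, not a place a reader would find the OSM dashboard JSON. Point it at the location of the OSM dashboards, or drop the bullet and keep only the Grafana.com entry.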
+
+To import a dashboard, look for the `+` sign on the left menu and select `import`.
+You can directly import dashboard by their ID on `Grafana.com`. For example, our `OSM Mesh Details` dashboard uses ID `14145`, you can use the ID directly on the form and select `import`:
+
+![OSM Grafana Dashboard Import Page UI image](./media/aks-osm-addon/osm-grafana-dashboard-import.png)
+
+As soon as you select import, it will bring you automatically to your imported dashboard.
+
+![OSM Grafana Dashboard Mesh Details Page UI image](./media/aks-osm-addon/osm-grafana-mesh-dashboard-details.png)
+
+### Deploy and configure a Jaeger Operator on Kubernetes for OSM
+
+[Jaeger](https://www.jaegertracing.io/) is an open-source tracing system used for monitoring and troubleshooting distributed systems. It can be deployed with OSM as a new instance or you may bring your own instance. The following instructions deploy a new instance of Jaeger to the `jaeger` namespace on the AKS cluster.
+
+#### Deploy Jaeger to the AKS cluster
+
+Apply the following manifest to install Jaeger:
+
+```azurecli-interactive
+kubectl apply -f - <<EOF
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: jaeger
+ labels:
+ app: jaeger
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ spec:
+ containers:
+ - name: jaeger
+ image: jaegertracing/all-in-one
+ args:
+ - --collector.zipkin.host-port=9411
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9411
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512M
+ requests:
+ cpu: 100m
+ memory: 256M
+
+kind: Service
+apiVersion: v1
+metadata:
+ name: jaeger
+ namespace: jaeger
+ labels:
+ app: jaeger
+spec:
+ selector:
+ app: jaeger
+ ports:
+ - protocol: TCP
+ # Service port and target port are the same
+ port: 9411
+ type: ClusterIP
+EOF
+```
+
+```Output
+deployment.apps/jaeger created
+service/jaeger created
+```
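Review bot: as written, the heredoc holds a Deployment and a Service separated only by a blank line, with no `---` document separator, so it is not two YAML documents and the apply will not create both objects as the sample output shows. Both objects also set `namespace: jaeger`, but no step creates that namespace; add `kubectl create namespace jaeger` before the apply. Consider pinning `image: jaegertracing/all-in-one` to a tag so the tutorial keeps behaving the same as the image changes.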
+
+#### Enable Tracing for the OSM add-on
+
+Next we will need to enable tracing for the OSM add-on.
+
+> [!NOTE]
+> As of now the tracing properties are not visable in the osm-config configmap at this time. This will be made visable in a new release of the OSM AKS add-on.
+
+Run the following command to enable tracing for the OSM add-on:
+
+```azurecli-interactive
+kubectl patch configmap osm-config -n kube-system -p '{"data":{"tracing_enable":"true", "tracing_address":"jaeger.jaeger.svc.cluster.local", "tracing_port":"9411", "tracing_endpoint":"/api/v2/spans"}}' --type=merge
+```
+
+```Output
+configmap/osm-config patched
+```
+
+#### View the Jaeger UI with port forwarding
+
+Jaeger's UI is running on port 16686. To view the web UI, you can use kubectl port-forward:
+
+```azurecli-interactive
+JAEGER_POD=$(kubectl get pods -n jaeger --no-headers --selector app=jaeger | awk 'NR==1{print $1}')
+kubectl port-forward -n jaeger $JAEGER_POD 16686:16686
+http://localhost:16686/
+```
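Review bot: `http://localhost:16686/` sits inside the command fence as a third line, so a reader pasting the block runs it as a command, and `kubectl port-forward` blocks before it anyway. Move the URL into the prose, as the Prometheus and Grafana sections do with "Open a browser up to ...".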
+
+In the browser, you should see a Service dropdown, which allows you to select from the various applications deployed by the bookstore demo. Select a service to view all spans from it. For example, if you select bookbuyer with a Lookback of one hour, you can see its interactions with bookstore-v1 and bookstore-v2 sorted by time.
+
+![OSM Jaeger Tracing Page UI image](./media/aks-osm-addon/osm-jaeger-trace-view-ui.png)
+
+Select any item to view it in further detail. Select multiple items to compare traces. For example, you can compare the bookbuyer's interactions with bookstore and bookstore-v2 at a particular moment in time.
+
+You can also select the System Architecture tab to view a graph of how the various applications have been interacting/communicating. This provides an idea of how traffic is flowing between the applications.
+
+![OSM Jaeger System Architecture UI image](./media/aks-osm-addon/osm-jaeger-sys-arc-view-ui.png)
+
+## Open Service Mesh (OSM) AKS add-on Troubleshooting Guides
+
+When you deploy the OSM AKS add-on, you might occasionally experience a problem. The following guides will assist you on how to troubleshoot errors and resolve common problems.
+
+### Verifying and Troubleshooting OSM components
+
+#### Check OSM Controller Deployment
+
+```azurecli-interactive
+kubectl get deployment -n kube-system --selector app=osm-controller
+```
+
+A healthy OSM Controller would look like this:
+
+```Output
+NAME READY UP-TO-DATE AVAILABLE AGE
+osm-controller 1/1 1 1 59m
+```
+
+#### Check the OSM Controller Pod
+
+```azurecli-interactive
+kubectl get pods -n kube-system --selector app=osm-controller
+```
+
+A healthy OSM Pod would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-controller-b5bd66db-wglzl 0/1 Evicted 0 61m
+osm-controller-b5bd66db-wvl9w 1/1 Running 0 31m
+```
+
+Even though we had one controller evicted at some point, we have another one that is READY 1/1 and Running with 0 restarts. If the column READY is anything other than 1/1 the service mesh would be in a broken state.
+Column READY with 0/1 indicates the control plane container is crashing - we need to get logs. See Get OSM Controller Logs from Azure Support Center section below. Column READY with a number higher than 1 after the / would indicate that there are sidecars installed. OSM Controller would most likely not work with any sidecars attached to it.
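Review bot: the sample introduced as "A healthy OSM Pod would look like this" includes an `Evicted` pod at 0/1, and the text then says any READY value other than 1/1 means a broken mesh. Say explicitly that the rule applies to the Running pod and that leftover Evicted entries can be ignored. "See Get OSM Controller Logs from Azure Support Center section below" should also be a link to that section.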
+
+> [!NOTE]
+> As of version v0.8.2 the OSM Controller is not in HA mode and will run in a deployed with replica count of 1 - single pod. The pod does have health probes and will be restarted by the kubelet if needed.
+
+#### Check OSM Controller Service
+
+```azurecli-interactive
+kubectl get service -n kube-system osm-controller
+```
+
+A healthy OSM Controller service would look like this:
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+osm-controller ClusterIP 10.0.31.254 <none> 15128/TCP,9092/TCP 67m
+```
+
+> [!NOTE]
+> The CLUSTER-IP would be different. The service NAME and PORT(S) must be the same as the example above.
+
+#### Check OSM Controller Endpoints
+
+```azurecli-interactive
+kubectl get endpoints -n kube-system osm-controller
+```
+
+A healthy OSM Controller endpoint(s) would look like this:
+
+```Output
+NAME ENDPOINTS AGE
+osm-controller 10.240.1.115:9092,10.240.1.115:15128 69m
+```
+
+#### Check OSM Injector Deployment
+
+```azurecli-interactive
+kubectl get pod -n kube-system --selector app=osm-injector
+```
+
+A healthy OSM Injector deployment would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
+```
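Review bot: the command under "Check OSM Injector Deployment" is `kubectl get pod -n kube-system --selector app=osm-injector`, identical to the one under "Check OSM Injector Pod" that follows, and the sample output is a pod listing. Use `kubectl get deployment -n kube-system --selector app=osm-injector` here with deployment-style output, matching the controller check earlier.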
+
+#### Check OSM Injector Pod
+
+```azurecli-interactive
+kubectl get pod -n kube-system --selector app=osm-injector
+```
+
+A healthy OSM Injector pod would look like this:
+
+```Output
+NAME READY STATUS RESTARTS AGE
+osm-injector-5986c57765-vlsdk 1/1 Running 0 73m
+```
+
+#### Check OSM Injector Service
+
+```azurecli-interactive
+kubectl get service -n kube-system osm-injector
+```
+
+A healthy OSM Injector service would look like this:
+
+```Output
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+osm-injector ClusterIP 10.0.39.54 <none> 9090/TCP 75m
+```
+
+#### Check OSM Endpoints
+
+```azurecli-interactive
+kubectl get endpoints -n kube-system osm-injector
+```
+
+A healthy OSM endpoint would look like this:
+
+```Output
+NAME ENDPOINTS AGE
+osm-injector 10.240.1.172:9090 75m
+```
+
+#### Check Validating and Mutating webhooks
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration --selector app=osm-controller
+```
+
+A healthy OSM Validating Webhook would look like this:
+
+```Output
+NAME WEBHOOKS AGE
+aks-osm-webhook-osm 1 81m
+```
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration --selector app=osm-injector
+```
+
+A healthy OSM Mutating Webhook would look like this:
+
+```Output
+NAME WEBHOOKS AGE
+aks-osm-webhook-osm 1 102m
+```
+
+#### Check for the service and the CA bundle of the Validating webhook
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
+```
+
+A well configured Validating Webhook Configuration would look exactly like this:
+
+```json
+{
+ "name": "osm-config-validator",
+ "namespace": "kube-system",
+ "path": "/validate-webhook",
+ "port": 9093
+}
+```
+
+#### Check for the service and the CA bundle of the Mutating webhook
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq '.webhooks[0].clientConfig.service'
+```
+
+A well configured Mutating Webhook Configuration would look exactly like this:
+
+```json
+{
+ "name": "osm-injector",
+ "namespace": "kube-system",
+ "path": "/mutate-pod-creation",
+ "port": 9090
+}
+```
+
+#### Check whether OSM Controller has given the Validating (or Mutating) Webhook a CA Bundle
+
+> [!NOTE]
+> As of v0.8.2 It is important to know that AKS RP installs the Validating Webhook, AKS Reconciler ensures it exists, but OSM Controller is the one that fills the CA Bundle.
+
+```azurecli-interactive
+kubectl get ValidatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
+```
+
+```azurecli-interactive
+kubectl get MutatingWebhookConfiguration aks-osm-webhook-osm -o json | jq -r '.webhooks[0].clientConfig.caBundle' | wc -c
+```
+
+```Example Output
+1845
+```
+
+This number indicates the number of bytes, or the size of the CA Bundle. If this is empty, 0, or some number under 1000 it would indicate that the CA Bundle is not correctly provisioned. Without a correct CA Bundle, the Validating Webhook would be erroring out and prohibiting the user from making changes to the osm-config ConfigMap in the kube-system namespace.
+
+A sample error when the CA Bundle is incorrect:
+
+- An attempt to change the osm-config ConfigMap:
+
+```azurecli-interactive
+kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"2m"}}'
+```
+
+- Error:
+
+```
+Error from server (InternalError): Internal error occurred: failed calling webhook "osm-config-webhook.k8s.io": Post https://osm-config-validator.kube-system.svc:9093/validate-webhook?timeout=30s: x509: certificate signed by unknown authority
+```
+
+Work around for when the **Validating** Webhook Configuration has a bad certificate:
+
+- Option 1 - Restart OSM Controller - this will restart the OSM Controller. On start, it will overwrite the CA Bundle of both the Mutating and Validating webhooks.
+
+```azurecli-interactive
+kubectl rollout restart deployment -n kube-system osm-controller
+```
+
+- Option 2 - Option 2. Delete the Validating Webhook - removing the Validating Webhook makes mutations of the `osm-config` ConfigMap no longer validated. Any patch will go through. The AKS Reconciler will at some point ensure the Validating Webhook exists and will recreate it. The OSM Controller may have to be restarted to quickly rewrite the CA Bundle.
+
+```azurecli-interactive
+kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm
+```
+
+- Option 3 - Delete and Patch: The following command will delete the validating webhook, allowing us to add any values, and will immediately try to apply a patch. Most likely the AKS Reconciler will not have enough time to reconcile and restore the Validating Webhook giving us the opportunity to apply a change as a last resort:
+
+```azurecli-interactive
+kubectl delete ValidatingWebhookConfiguration aks-osm-webhook-osm; kubectl patch ConfigMap osm-config -n kube-system --type merge --patch '{"data":{"config_resync_interval":"15s"}}'
+```
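Review bot: Options 2 and 3 both remove the admission check on `osm-config`, so until the reconciler restores the webhook and the controller rewrites the CA Bundle, any patch to the ConfigMap is accepted unvalidated. The text should state that Option 1 is the preferred fix and the other two are last resorts, and Option 3 should tell the reader to confirm afterwards that the webhook is back, using the `kubectl get ValidatingWebhookConfiguration --selector app=osm-controller` check above. The Option 2 bullet also repeats its label ("Option 2 - Option 2.").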
+
+#### Check the `osm-config` **ConfigMap**
+
+> [!NOTE]
+> The OSM Controller does not require for the `osm-config` ConfigMap to be present in the kube-system namespace. The controller has reasonable default values for the config and can operate without it.
+
+Check for the existence:
+
+```azurecli-interactive
+kubectl get ConfigMap -n kube-system osm-config
+```
+
+Check the content of the osm-config ConfigMap
+
+```azurecli-interactive
+kubectl get ConfigMap -n kube-system osm-config -o json | jq '.data'
+```
+
+```json
+{
+ "egress": "true",
+ "enable_debug_server": "true",
+ "enable_privileged_init_container": "false",
+ "envoy_log_level": "error",
+ "outbound_ip_range_exclusion_list": "169.254.169.254,168.63.129.16,20.193.20.233",
+ "permissive_traffic_policy_mode": "true",
+ "prometheus_scraping": "false",
+ "service_cert_validity_duration": "24h",
+ "use_https_ingress": "false"
+}
+```
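Review bot: the sample shows `outbound_ip_range_exclusion_list` as bare addresses (`169.254.169.254,168.63.129.16,20.193.20.233`) while the table below documents the form a.b.c.d/x; make the two agree or say that both are accepted. The sample also has `egress`, `permissive_traffic_policy_mode` and `prometheus_scraping` at values that differ from the defaults listed in the table, so label it as output from one example cluster rather than the expected content.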
+
+`osm-config` ConfigMap values:
+
+| Key | Type | Allowed Values | Default Value | Function |
+| -- | | - | -- | |
+| egress | bool | true, false | `"false"` | Enables egress in the mesh. |
+| enable_debug_server | bool | true, false | `"true"` | Enables a debug endpoint on the osm-controller pod to list information regarding the mesh such as proxy connections, certificates, and SMI policies. |
+| enable_privileged_init_container | bool | true, false | `"false"` | Enables privileged init containers for pods in mesh. When false, init containers only have NET_ADMIN. |
+| envoy_log_level | string | trace, debug, info, warning, warn, error, critical, off | `"error"` | Sets the logging verbosity of Envoy proxy sidecar, only applicable to newly created pods joining the mesh. To update the log level for existing pods, restart the deployment with `kubectl rollout restart`. |
+| outbound_ip_range_exclusion_list | string | comma-separated list of IP ranges of the form a.b.c.d/x | `-` | Global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy. |
+| permissive_traffic_policy_mode | bool | true, false | `"false"` | Setting to `true`, enables allow-all mode in the mesh i.e. no traffic policy enforcement in the mesh. If set to `false`, enables deny-all traffic policy in mesh i.e. an `SMI Traffic Target` is necessary for services to communicate. |
+| prometheus_scraping | bool | true, false | `"true"` | Enables Prometheus metrics scraping on sidecar proxies. |
+| service_cert_validity_duration | string | 24h, 1h30m (any time duration) | `"24h"` | Sets the service certificate validity duration, represented as a sequence of decimal numbers each with optional fraction and a unit suffix. |
+| tracing_enable | bool | true, false | `"false"` | Enables Jaeger tracing for the mesh. |
+| tracing_address | string | jaeger.mesh-namespace.svc.cluster.local | `jaeger.kube-system.svc.cluster.local` | Address of the Jaeger deployment, if tracing is enabled. |
+| tracing_endpoint | string | /api/v2/spans | /api/v2/spans | Endpoint for tracing data, if tracing enabled. |
+| tracing_port | int | any non-zero integer value | `"9411"` | Port on which tracing is enabled. |
+| use_https_ingress | bool | true, false | `"false"` | Enables HTTPS ingress on the mesh. |
+| config_resync_interval | string | under 1 minute disables this | 0 (disabled) | When a value above 1m (60s) is provided, OSM Controller will send all available config to each connected Envoy at the given interval |
+
+#### Check Namespaces
+
+> [!NOTE]
+> The kube-system namespace will never participate in a service mesh and will never be labeled and/or annotated with the key/values below.
+
+We use the `osm namespace add` command to join namespaces to a given service mesh.
+When a k8s namespace is part of the mesh (or for it to be part of the mesh) the following must be true:
+
+View the annotations with
+
+```azurecli-interactive
+kubectl get namespace bookbuyer -o json | jq '.metadata.annotations'
+```
+
+The following annotation must be present:
+
+```Output
+{
+ "openservicemesh.io/sidecar-injection": "enabled"
+}
+```
+
+View the labels with
+
+```azurecli-interactive
+kubectl get namespace bookbuyer -o json | jq '.metadata.labels'
+```
+
+The following label must be present:
+
+```Output
+{
+ "openservicemesh.io/monitored-by": "osm"
+}
+```
+
+If a namespace is not annotated with `"openservicemesh.io/sidecar-injection": "enabled"` or not labeled with `"openservicemesh.io/monitored-by": "osm"` the OSM Injector will not add Envoy sidecars.
+
+> Note: After `osm namespace add` is called only **new** pods will be injected with an Envoy sidecar. Existing pods must be restarted with `kubectl rollout restart deployment ...`
+
+#### Verify the SMI CRDs:
+
+Check whether the cluster has the required CRDs:
+
+```azurecli-interactive
+kubectl get crds
+```
+
+We must have the following installed on the cluster:
+
+- httproutegroups.specs.smi-spec.io
+- tcproutes.specs.smi-spec.io
+- trafficsplits.split.smi-spec.io
+- traffictargets.access.smi-spec.io
+- udproutes.specs.smi-spec.io
+
+Get the versions of the CRDs installed with this command:
+
+```azurecli-interactive
+for x in $(kubectl get crds --no-headers | awk '{print $1}' | grep 'smi-spec.io'); do
+ kubectl get crd $x -o json | jq -r '(.metadata.name, "-" , .spec.versions[].name, "\n")'
+done
+```
+
+Expected output:
+
+```Output
+httproutegroups.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
++
+tcproutes.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
++
+trafficsplits.split.smi-spec.io
+-
+v1alpha2
++
+traffictargets.access.smi-spec.io
+-
+v1alpha3
+v1alpha2
+v1alpha1
++
+udproutes.specs.smi-spec.io
+-
+v1alpha4
+v1alpha3
+v1alpha2
+v1alpha1
+```
+
+OSM Controller v0.8.2 requires the following versions:
+
+- traffictargets.access.smi-spec.io - [v1alpha3](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-access/v1alpha3/traffic-access.md)
+- httproutegroups.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#httproutegroup)
+- tcproutes.specs.smi-spec.io - [v1alpha4](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-specs/v1alpha4/traffic-specs.md#tcproute)
+- udproutes.specs.smi-spec.io - Not supported
+- trafficsplits.split.smi-spec.io - [v1alpha2](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-split/v1alpha2/traffic-split.md)
+- \*.metrics.smi-spec.io - [v1alpha1](https://github.com/servicemeshinterface/smi-spec/blob/v0.6.0/apis/traffic-metrics/v1alpha1/traffic-metrics.md)
+
+If CRDs are missing use the following commands to install these on the cluster:
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/access.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/specs.yaml
+```
+
+```azurecli-interactive
+kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm/v0.8.2/charts/osm/crds/split.yaml
+```
+
+## Disable Open Service Mesh (OSM) add-on for your AKS cluster
+
+To disable the OSM add-on, run the following command:
+
+```azurecli-interactive
+az aks disable-addons -n <AKS-cluster-name> -g <AKS-resource-group-name> -a open-service-mesh
+```
+
+<!-- LINKS - internal -->
+
+[kubernetes-service]: concepts-network.md#services
+[az-feature-register]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_register
+[az-feature-list]: /cli/azure/feature?view=azure-cli-latest&preserve-view=true#az_feature_list
+[az-provider-register]: /cli/azure/provider?view=azure-cli-latest&preserve-view=true#az_provider_register
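Review bot: The `config_resync_interval` row in the `osm-config` values table says a value under 1 minute disables the resync, yet the Option 3 command patches it to `"15s"`, so the sample sets a value the table describes as disabled; use a value above `1m` in the example or correct the row. Under "Check Namespaces", the sentence ending "the following must be true:" is followed directly by "View the annotations with" and never lists the conditions, and the Option 2 bullet repeats its own label ("Option 2 - Option 2."). The table separator row `| -- | | - | -- | |` has empty cells and should use a dash run in every column. Since Options 2 and 3 delete the `aks-osm-webhook-osm` validating webhook so that "any patch will go through", the text should say that `osm-config` changes are unvalidated until the AKS Reconciler recreates the webhook, and should point the reader back to the ConfigMap content check afterwards.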
aks Spot Node Pool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/spot-node-pool.md
In this article, you learned how to add a spot node pool to an AKS cluster. For
[aks-support-policies]: support-policies.md [aks-faq]: faq.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add
+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add
[cluster-autoscaler]: cluster-autoscaler.md [eviction-policy]: ../virtual-machine-scale-sets/use-spot.md#eviction-policy [kubernetes-concepts]: concepts-clusters-workloads.md
aks Ssh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ssh.md
If you need additional troubleshooting data, you can [view the kubelet logs][vie
[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get <!-- INTERNAL LINKS -->
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-vm-list]: /cli/azure/vm#az-vm-list
-[az-vm-user-update]: /cli/azure/vm/user#az-vm-user-update
-[az-vm-list-ip-addresses]: /cli/azure/vm#az-vm-list-ip-addresses
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-vm-list]: /cli/azure/vm#az_vm_list
+[az-vm-user-update]: /cli/azure/vm/user#az_vm_user_update
+[az-vm-list-ip-addresses]: /cli/azure/vm#az_vm_list_ip_addresses
[view-kubelet-logs]: kubelet-logs.md [view-master-logs]: ./view-control-plane-logs.md [aks-quickstart-cli]: kubernetes-walkthrough.md
If you need additional troubleshooting data, you can [view the kubelet logs][vie
[aks-windows-rdp]: rdp.md [ssh-nix]: ../virtual-machines/linux/mac-create-ssh-keys.md [ssh-windows]: ../virtual-machines/linux/ssh-from-windows.md
-[az-vmss-list]: /cli/azure/vmss#az-vmss-list
-[az-vmss-extension-set]: /cli/azure/vmss/extension#az-vmss-extension-set
-[az-vmss-update-instances]: /cli/azure/vmss#az-vmss-update-instances
+[az-vmss-list]: /cli/azure/vmss#az_vmss_list
+[az-vmss-extension-set]: /cli/azure/vmss/extension#az_vmss_extension_set
+[az-vmss-update-instances]: /cli/azure/vmss#az_vmss_update_instances
aks Start Stop Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/start-stop-cluster.md
If the `provisioningState` shows `Starting` that means your cluster hasn't fully
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[az-aks-show]: /cli/azure/aks#az_aks_show
aks Static Ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/static-ip.md
For additional control over the network traffic to your applications, you may wa
<!-- LINKS - Internal --> [aks-faq-resource-group]: faq.md#why-are-two-resource-groups-created-with-aks
-[az-network-public-ip-create]: /cli/azure/network/public-ip#az-network-public-ip-create
-[az-network-public-ip-list]: /cli/azure/network/public-ip#az-network-public-ip-list
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create
+[az-network-public-ip-list]: /cli/azure/network/public-ip#az_network_public_ip_list
+[az-aks-show]: /cli/azure/aks#az_aks_show
[aks-ingress-basic]: ingress-basic.md [aks-static-ingress]: ingress-static-ip.md [aks-quickstart-cli]: kubernetes-walkthrough.md
aks Supported Kubernetes Versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/supported-kubernetes-versions.md
For new **minor** versions of Kubernetes:
* AKS uses [Azure Advisor](https://docs.microsoft.com/azure/advisor/advisor-overview) to alert users if a new version will cause issues in their cluster because of deprecated APIs. Azure Advisor is also used to alert the user if they are currently out of support. * AKS publishes a [service health notification](../service-health/service-health-overview.md) available to all users with AKS and portal access, and sends an email to the subscription administrators with the planned version removal dates.
- ````
- To find out who is your subscription administrators or to change it, please refer to [manage Azure subscriptions](../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator).
- ````
+ > [!NOTE]
+ > To find out who is your subscription administrators or to change it, please refer to [manage Azure subscriptions](../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator).
+
* Users have **30 days** from version removal to upgrade to a supported minor version release to continue receiving support. For new **patch** versions of Kubernetes:
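Review bot: The new `> [!NOTE]` line carries over the ungrammatical "who is your subscription administrators or to change it" from the removed fenced text; since the sentence is being re-added anyway, reword it to "who your subscription administrators are, or to change them". The note is indented under the preceding bullet, so confirm it renders as a nested note rather than as a code block.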
For information on how to upgrade your cluster, see [Upgrade an Azure Kubernetes
<!-- LINKS - Internal --> [aks-upgrade]: upgrade-cluster.md
-[az-aks-get-versions]: /cli/azure/aks#az-aks-get-versions
+[az-aks-get-versions]: /cli/azure/aks#az_aks_get_versions
[preview-terms]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
aks Tutorial Kubernetes Deploy Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/tutorial-kubernetes-deploy-cluster.md
Advance to the next tutorial to learn how to deploy an application to the cluste
[aks-tutorial-deploy-app]: ./tutorial-kubernetes-deploy-application.md [aks-tutorial-prepare-acr]: ./tutorial-kubernetes-prepare-acr.md [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md
-[az ad sp create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
-[az acr show]: /cli/azure/acr#az-acr-show
-[az role assignment create]: /cli/azure/role/assignment#az-role-assignment-create
-[az aks create]: /cli/azure/aks#az-aks-create
-[az aks install-cli]: /cli/azure/aks#az-aks-install-cli
-[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az ad sp create-for-rbac]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
+[az acr show]: /cli/azure/acr#az_acr_show
+[az role assignment create]: /cli/azure/role/assignment#az_role_assignment_create
+[az aks create]: /cli/azure/aks#az_aks_create
+[az aks install-cli]: /cli/azure/aks#az_aks_install_cli
+[az aks get-credentials]: /cli/azure/aks#az_aks_get_credentials
[azure-cli-install]: /cli/azure/install-azure-cli [container-registry-integration]: ./cluster-container-registry-integration.md [quotas-skus-regions]: quotas-skus-regions.md
aks Tutorial Kubernetes Prepare Acr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/tutorial-kubernetes-prepare-acr.md
Advance to the next tutorial to learn how to deploy a Kubernetes cluster in Azur
<!-- LINKS - internal --> [az-acr-create]: /cli/azure/acr [az-acr-list]: /cli/azure/acr
-[az-acr-login]: /cli/azure/acr#az-acr-login
-[az-acr-list]: /cli/azure/acr#az-acr-list
+[az-acr-login]: /cli/azure/acr#az_acr_login
+[az-acr-list]: /cli/azure/acr#az_acr_list
[az-acr-repository-list]: /cli/azure/acr/repository [az-acr-repository-show-tags]: /cli/azure/acr/repository
-[az-group-create]: /cli/azure/group#az-group-create
+[az-group-create]: /cli/azure/group#az_group_create
[azure-cli-install]: /cli/azure/install-azure-cli [aks-tutorial-deploy-cluster]: ./tutorial-kubernetes-deploy-cluster.md [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md
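Review bot: The label `[az-acr-list]` is defined twice in this link block, once as the bare `/cli/azure/acr` in the unchanged line at the top and again in the changed line with the `#az_acr_list` fragment. Only one definition will be used when the page is rendered, so remove the bare one while the block is being touched.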
aks Tutorial Kubernetes Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/tutorial-kubernetes-scale.md
Advance to the next tutorial to learn how to update application in Kubernetes.
<!-- LINKS - internal --> [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md [aks-tutorial-update-app]: ./tutorial-kubernetes-app-update.md
-[az-aks-scale]: /cli/azure/aks#az-aks-scale
+[az-aks-scale]: /cli/azure/aks#az_aks_scale
[azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-show]: /cli/azure/aks#az_aks_show
aks Tutorial Kubernetes Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/tutorial-kubernetes-upgrade-cluster.md
For more information on AKS, see [AKS overview][aks-intro]. For guidance on a cr
<!-- LINKS - internal --> [aks-intro]: ./intro-kubernetes.md [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md
-[az aks show]: /cli/azure/aks#az-aks-show
-[az aks get-upgrades]: /cli/azure/aks#az-aks-get-upgrades
-[az aks upgrade]: /cli/azure/aks#az-aks-upgrade
+[az aks show]: /cli/azure/aks#az_aks_show
+[az aks get-upgrades]: /cli/azure/aks#az_aks_get_upgrades
+[az aks upgrade]: /cli/azure/aks#az_aks_upgrade
[azure-cli-install]: /cli/azure/install-azure-cli
-[az-group-delete]: /cli/azure/group#az-group-delete
+[az-group-delete]: /cli/azure/group#az_group_delete
[sp-delete]: kubernetes-service-principal.md#additional-considerations [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE
aks Update Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/update-credentials.md
In this article, the service principal for the AKS cluster itself and the AAD In
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-aks-update-credentials]: /cli/azure/aks#az-aks-update-credentials
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-aks-update-credentials]: /cli/azure/aks#az_aks_update_credentials
[best-practices-identity]: operator-best-practices-identity.md [aad-integration]: ./azure-ad-integration-cli.md [create-aad-app]: ./azure-ad-integration-cli.md#create-azure-ad-server-component
-[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
-[az-ad-sp-credential-list]: /cli/azure/ad/sp/credential#az-ad-sp-credential-list
-[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az-ad-sp-credential-reset
+[az-ad-sp-create]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
+[az-ad-sp-credential-list]: /cli/azure/ad/sp/credential#az_ad_sp_credential_list
+[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az_ad_sp_credential_reset
[node-image-upgrade]: ./node-image-upgrade.md
aks Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/upgrade-cluster.md
This article showed you how to upgrade an existing AKS cluster. To learn more ab
<!-- LINKS - internal --> [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md [azure-cli-install]: /cli/azure/install-azure-cli
-[az-aks-get-upgrades]: /cli/azure/aks#az-aks-get-upgrades
-[az-aks-upgrade]: /cli/azure/aks#az-aks-upgrade
-[az-aks-show]: /cli/azure/aks#az-aks-show
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-aks-get-upgrades]: /cli/azure/aks#az_aks_get_upgrades
+[az-aks-upgrade]: /cli/azure/aks#az_aks_upgrade
+[az-aks-show]: /cli/azure/aks#az_aks_show
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-provider-register]: /cli/azure/provider#az_provider_register
[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool [upgrade-cluster]: #upgrade-an-aks-cluster
aks Uptime Sla https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/uptime-sla.md
Configure your cluster to [limit egress traffic](limit-egress-traffic.md).
[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool [faq]: ./faq.md [availability-zones]: ./availability-zones.md
-[az-aks-create]: /cli/azure/aks?#az-aks-create
+[az-aks-create]: /cli/azure/aks?#az_aks_create
[limit-egress-traffic]: ./limit-egress-traffic.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[az-aks-update]: /cli/azure/aks#az_aks_update
-[az-group-delete]: /cli/azure/group#az-group-delete
+[az-group-delete]: /cli/azure/group#az_group_delete
[private-clusters]: private-clusters.md
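Review bot: The updated `[az-aks-create]` target keeps the stray `?` before the fragment (`/cli/azure/aks?#az_aks_create`), an empty query string that the other `az_aks_create` links in this change do not have. Drop the `?` so the reference matches `/cli/azure/aks#az_aks_create`.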
aks Use Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-azure-ad-pod-identity.md
az identity delete -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME}
For more information on managed identities, see [Managed identities for Azure resources][az-managed-identities]. <!-- LINKS - external -->
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-group-create]: /cli/azure/group#az-group-create
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-group-create]: /cli/azure/group#az_group_create
[az-identity-create]: /cli/azure/identity#az_identity_create [az-managed-identities]: ../active-directory/managed-identities-azure-resources/overview.md [az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
aks Use Azure Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-azure-policy.md
For more information about how Azure Policy works:
[azure-policy-addon]: ../governance/policy/concepts/policy-for-kubernetes.md#install-azure-policy-add-on-for-aks [azure-policy-addon-remove]: ../governance/policy/concepts/policy-for-kubernetes.md#remove-the-add-on-from-aks [azure-policy-assign-policy]: ../governance/policy/concepts/policy-for-kubernetes.md#assign-a-built-in-policy-definition
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[kubernetes-policy-reference]: ../governance/policy/concepts/policy-for-kubernetes.md
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-managed-identity.md
A successful cluster creation using your own managed identities contains this us
<!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters
-[az-identity-create]: /cli/azure/identity#az-identity-create
-[az-identity-list]: /cli/azure/identity#az-identity-list
+[az-identity-create]: /cli/azure/identity#az_identity_create
+[az-identity-list]: /cli/azure/identity#az_identity_list
aks Use Network Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-network-policies.md
To learn more about policies, see [Kubernetes network policies][kubernetes-netwo
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli [use-advanced-networking]: configure-azure-cni.md
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[concepts-network]: concepts-network.md
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip
aks Use Pod Security Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-pod-security-policies.md
For more information about limiting pod network traffic, see [Secure traffic bet
[aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [network-policies]: use-network-policies.md
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[az-aks-update]: /cli/azure/ext/aks-preview/aks#ext-aks-preview-az-aks-update
-[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-add]: /cli/azure/extension#az_extension_add
[aks-support-policies]: support-policies.md [aks-faq]: faq.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[policy-samples]: ./policy-reference.md#microsoftcontainerservice [azure-policy-add-on]: ../governance/policy/concepts/policy-for-kubernetes.md
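Review bot: `[az-extension-add]` is defined twice in this link block, and both copies are updated here instead of one being removed; keep a single definition. The unchanged `[az-aks-update]` line between them still uses the hyphenated fragment `#ext-aks-preview-az-aks-update`, so check whether that anchor also needs the underscore form this change applies everywhere else.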
aks Use System Pools https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-system-pools.md
In this article, you learned how to create and manage system node pools in an AK
<!-- INTERNAL LINKS --> [aks-taints]: use-multiple-node-pools.md#setting-nodepool-taints [aks-windows]: windows-container-cli.md
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add
-[az-aks-nodepool-list]: /cli/azure/aks/nodepool#az-aks-nodepool-list
-[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az-aks-nodepool-update
-[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az-aks-nodepool-upgrade
-[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az-aks-nodepool-scale
-[az-aks-nodepool-delete]: /cli/azure/aks/nodepool#az-aks-nodepool-delete
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
-[az-group-deployment-create]: /cli/azure/group/deployment#az-group-deployment-create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add
+[az-aks-nodepool-list]: /cli/azure/aks/nodepool#az_aks_nodepool_list
+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update
+[az-aks-nodepool-upgrade]: /cli/azure/aks/nodepool#az_aks_nodepool_upgrade
+[az-aks-nodepool-scale]: /cli/azure/aks/nodepool#az_aks_nodepool_scale
+[az-aks-nodepool-delete]: /cli/azure/aks/nodepool#az_aks_nodepool_delete
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-delete]: /cli/azure/group#az_group_delete
+[az-group-deployment-create]: /cli/azure/group/deployment#az_group_deployment_create
[gpu-cluster]: gpu-cluster.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-advanced-scheduler]: operator-best-practices-advanced-scheduler.md
aks Use Ultra Disks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-ultra-disks.md
Events:
[azure-disk-volume]: azure-disk-volume.md [azure-files-pvc]: azure-files-dynamic-pv.md [premium-storage]: ../virtual-machines/disks-types.md
-[az-disk-list]: /cli/azure/disk#az-disk-list
-[az-snapshot-create]: /cli/azure/snapshot#az-snapshot-create
-[az-disk-create]: /cli/azure/disk#az-disk-create
-[az-disk-show]: /cli/azure/disk#az-disk-show
+[az-disk-list]: /cli/azure/disk#az_disk_list
+[az-snapshot-create]: /cli/azure/snapshot#az_snapshot_create
+[az-disk-create]: /cli/azure/disk#az_disk_create
+[az-disk-show]: /cli/azure/disk#az_disk_show
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md [storage-class-concepts]: concepts-storage.md#storage-classes
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks View Control Plane Logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/view-control-plane-logs.md
In this article, you learned how to enable and review the logs for the Kubernete
[analyze-log-analytics]: ../azure-monitor/logs/log-analytics-tutorial.md [kubelet-logs]: kubelet-logs.md [aks-ssh]: ssh.md
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[log-schema-azureactivity]: /azure/azure-monitor/reference/tables/azureactivity [log-schema-azurediagnostics]: /azure/azure-monitor/reference/tables/azurediagnostics [log-schema-azuremetrics]: /azure/azure-monitor/reference/tables/azuremetrics
aks Virtual Nodes Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/virtual-nodes-cli.md
Virtual nodes are often one component of a scaling solution in AKS. For more inf
<!-- LINKS - internal --> [azure-cli-install]: /cli/azure/install-azure-cli
-[az-group-create]: /cli/azure/group#az-group-create
-[az-network-vnet-create]: /cli/azure/network/vnet#az-network-vnet-create
-[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-create
-[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
-[az-network-vnet-show]: /cli/azure/network/vnet#az-network-vnet-show
-[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
-[az-network-vnet-subnet-show]: /cli/azure/network/vnet/subnet#az-network-vnet-subnet-show
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az aks disable-addons]: /cli/azure/aks#az-aks-disable-addons
+[az-group-create]: /cli/azure/group#az_group_create
+[az-network-vnet-create]: /cli/azure/network/vnet#az_network_vnet_create
+[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_create
+[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac
+[az-network-vnet-show]: /cli/azure/network/vnet#az_network_vnet_show
+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create
+[az-network-vnet-subnet-show]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_show
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az aks disable-addons]: /cli/azure/aks#az_aks_disable_addons
[aks-hpa]: tutorial-kubernetes-scale.md [aks-cluster-autoscaler]: ./cluster-autoscaler.md [aks-basic-ingress]: ingress-basic.md
-[az-provider-list]: /cli/azure/provider#az-provider-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-provider-list]: /cli/azure/provider#az_provider_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
[virtual-nodes-aks]: virtual-nodes.md [virtual-nodes-networking-aci]: ../container-instances/container-instances-virtual-network-concepts.md
aks Virtual Nodes Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/virtual-nodes-portal.md
Virtual nodes are one component of a scaling solution in AKS. For more informati
<!-- LINKS - internal --> [aks-network]: ./configure-azure-cni.md
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
[aks-hpa]: tutorial-kubernetes-scale.md [aks-cluster-autoscaler]: cluster-autoscaler.md [aks-basic-ingress]: ingress-basic.md
-[az-provider-list]: /cli/azure/provider#az-provider-list
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-provider-list]: /cli/azure/provider#az_provider_list
+[az-provider-register]: /cli/azure/provider#az_provider_register
aks Windows Container Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-container-cli.md
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
-[az-aks-browse]: /cli/azure/aks#az-aks-browse
-[az-aks-create]: /cli/azure/aks#az-aks-create
-[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
-[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-feature-list]: /cli/azure/feature#az-feature-list
-[az-feature-register]: /cli/azure/feature#az-feature-register
-[az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
-[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-aks-browse]: /cli/azure/aks#az_aks_browse
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-group-create]: /cli/azure/group#az_group_create
+[az-group-delete]: /cli/azure/group#az_group_delete
+[az-provider-register]: /cli/azure/provider#az_provider_register
[azure-cli-install]: /cli/azure/install-azure-cli [azure-cni-about]: concepts-network.md#azure-cni-advanced-networking [sp-delete]: kubernetes-service-principal.md#additional-considerations
To learn more about AKS, and walk through a complete code to deployment example,
[use-advanced-networking]: configure-azure-cni.md [aks-support-policies]: support-policies.md [aks-faq]: faq.md
-[az-extension-add]: /cli/azure/extension#az-extension-add
-[az-extension-update]: /cli/azure/extension#az-extension-update
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update
[windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
analysis-services Analysis Services Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-powershell.md
Last updated 08/31/2020 -+ - references_regions - devx-track-azurepowershell - mode-api
analysis-services Analysis Services Create Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-create-template.md
tags: - azure-resource-manager-+ - subject-armqs - references_regions - mode-arm
analysis-services Analysis Services Gateway Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-gateway-install.md
Last updated 07/29/2020 -++ # Install and configure an on-premises data gateway
That's it. If you need to open ports or do any troubleshooting, be sure to check
* [Manage Analysis Services](analysis-services-manage.md) * [Get data from Azure Analysis Services](analysis-services-connect.md)
-* [Use gateway for data sources on an Azure Virtual Network](analysis-services-vnet-gateway.md)
+* [Use gateway for data sources on an Azure Virtual Network](analysis-services-vnet-gateway.md)
analysis-services Analysis Services Logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-logging.md
Last updated 05/19/2020 -++ # Setup diagnostic logging
Set-AzDiagnosticSetting -ResourceId $account.ResourceId`
Learn more about [Azure Monitor resource logging](../azure-monitor/essentials/platform-logs-overview.md).
-See [Set-AzDiagnosticSetting](/powershell/module/az.monitor/set-azdiagnosticsetting) in PowerShell help.
+See [Set-AzDiagnosticSetting](/powershell/module/az.monitor/set-azdiagnosticsetting) in PowerShell help.
analysis-services Analysis Services Scale Out https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-scale-out.md
Last updated 09/10/2020 -++ # Azure Analysis Services scale-out
You can change the pricing tier on a server with multiple replicas. The same pri
## Related information [Monitor server metrics](analysis-services-monitor.md)
-[Manage Azure Analysis Services](analysis-services-manage.md)
+[Manage Azure Analysis Services](analysis-services-manage.md)
analysis-services Analysis Services Server Admins https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-server-admins.md
Last updated 2/4/2021 -++ # Manage server administrators
analysis-services Analysis Services Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-service-principal.md
Last updated 07/07/2020 -++
db.Model.SaveChanges();
[Refresh with Logic Apps](analysis-services-refresh-logic-app.md) [Refresh with Azure Automation](analysis-services-refresh-azure-automation.md) [Add a service principal to the server administrator role](analysis-services-addservprinc-admins.md)
-[Automate Power BI Premium workspace and dataset tasks with service principals](/power-bi/admin/service-premium-service-principal)
+[Automate Power BI Premium workspace and dataset tasks with service principals](/power-bi/admin/service-premium-service-principal)
analysis-services Move Between Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/move-between-regions.md
-
+ Title: Move Azure Analysis Services to a different region | Microsoft Docs description: Describes how to move an Azure Analysis Services resource to a different region.
Last updated 12/01/2020 -+ #Customer intent: As an Azure service administrator, I want to move Analysis Services server resources to different Azure region.
Remove-AzAnalysisServicesServer -Name "myserver" -ResourceGroupName "myResourceG
> [!NOTE]
-> After completing a region move, it's recommended your new target server use a storage container in the same region for backups, rather than the storage container in the source server region.
+> After completing a region move, it's recommended your new target server use a storage container in the same region for backups, rather than the storage container in the source server region.
api-management Api Management Cross Domain Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-cross-domain-policies.md
The `cors` policy adds cross-origin resource sharing (CORS) support to an operat
CORS allows a browser and a server to interact and determine whether or not to allow specific cross-origin requests (i.e. XMLHttpRequests calls made from JavaScript on a web page to other domains). This allows for more flexibility than only allowing same-origin requests, but is more secure than allowing all cross-origin requests.
-You need to apply the CORS policy to enable the interactive console in the developer portal. Refer to the [developer portal documentation](./api-management-howto-developer-portal.md#cors) for details.
+You need to apply the CORS policy to enable the interactive console in the developer portal. Refer to the [developer portal documentation](./developer-portal-faq.md#cors) for details.
### Policy statement
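Review bot: The new target `./developer-portal-faq.md#cors` resolves only if the FAQ article declares an explicit `cors` anchor. In api-management-howto-developer-portal.md that anchor was set by hand (`<a name="cors"></a>` on the "I'm getting a CORS error when using the interactive console" heading) and is not derivable from the heading text, so confirm the moved heading keeps it. Otherwise readers land at the top of the FAQ instead of the CORS guidance.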
api-management Api Management Howto Developer Portal Customize https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-developer-portal-customize.md
Follow the steps below to access the managed version of the portal.
1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance. 1. Select the **Developer portal** button in the top navigation bar. A new browser tab with an administrative version of the portal will open. +
+## Developer portal architectural concepts
+
+The portal components can be logically divided into two categories: *code* and *content*.
+
+### Code
+
+Code is maintained in the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal) and includes:
+
+- **Widgets** - represent visual elements and combine HTML, JavaScript, styling ability, settings, and content mapping. Examples are an image, a text paragraph, a form, a list of APIs etc.
+- **Styling definitions** - specify how widgets can be styled
+- **Engine** - which generates static webpages from portal content and is written in JavaScript
+- **Visual editor** - allows for in-browser customization and authoring experience
+
+### Content
+
+Content is divided into two subcategories: *portal content* and *API Management content*.
+
+*Portal content* is specific to the portal and includes:
+
+- **Pages** - for example, landing page, API tutorials, blog posts
+- **Media** - images, animations, and other file-based content
+- **Layouts** - templates, which are matched against a URL and define how pages are displayed
+- **Styles** - values for styling definitions, such as fonts, colors, borders
+- **Settings** - configurations such as favicon, website metadata
+
+ Portal content, except for media, is expressed as JSON documents.
+
+*API Management content* includes entities such as APIs, Operations, Products, Subscriptions.
## Understand the portal's administrative interface ### Default content
After you publish the portal, you can access it at the same URL as the administr
## Apply the CORS policy on APIs
-To let the visitors of your portal test the APIs through the built-in interactive console, enable CORS (cross-origin resource sharing) on your APIs. For details, see the [Azure API Management developer portal overview](api-management-howto-developer-portal.md#cors).
+To let the visitors of your portal test the APIs through the built-in interactive console, enable CORS (cross-origin resource sharing) on your APIs. For details, see the [Azure API Management developer portal FAQ](developer-portal-faq.md#cors).
## Next steps
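Review bot: In the new "Code" list, the **Engine** bullet is a dangling relative clause ("which generates static webpages ...") while its siblings are plain predicates ("represent ...", "specify ...", "allows ..."). Reword it to match, for example "generates static webpages from portal content; written in JavaScript". Also, the line "Portal content, except for media, is expressed as JSON documents." is indented directly after the list. If it is not meant as a continuation of the **Settings** item, drop the leading whitespace so it renders as its own paragraph.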
api-management Api Management Howto Developer Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-developer-portal.md
description: Learn about the developer portal in API Management - a customizable
documentationcenter: API Management - - Previously updated : 10/15/2020 Last updated : 04/15/2021
Developer portal is an automatically generated, fully customizable website with the documentation of your APIs. It is where API consumers can discover your APIs, learn how to use them, request access, and try them out.
-This article describes the differences between self-hosted and managed versions of the developer portal in API Management. It also provides answers to frequently asked questions.
+As introduced in this article, you can customize and extend the developer portal for your specific scenarios.
![API Management developer portal](media/api-management-howto-developer-portal/cover.png)
The developer portal can be customized and styled through the built-in, drag-and
Your API Management service includes a built-in, always up-to-date, **managed** developer portal. You can access it from the Azure portal interface.
-If you need to extend it with custom logic, which isn't supported out-of-the-box, you can modify its codebase. The portal's codebase is [available in a GitHub repository][1]. For example, you could implement a new widget, which integrates with a third-party support system. When you implement new functionality, you can choose one of the following options:
+If you need to extend it with custom logic, which isn't supported out-of-the-box, you can modify its codebase. The portal's codebase is [available in a GitHub repository](https://github.com/Azure/api-management-developer-portal). For example, you could implement a new widget, which integrates with a third-party support system. When you implement new functionality, you can choose one of the following options:
-- **Self-host** the resulting portal outside of your API Management service. When you self-host the portal, you become its maintainer and you are responsible for its upgrades. Azure Support's assistance is limited only to the basic setup of self-hosted portals, as documented in the [Wiki section of the repository][2].
+- **Self-host** the resulting portal outside of your API Management service. When you self-host the portal, you become its maintainer and you are responsible for its upgrades. Azure Support's assistance is limited only to the [basic setup of self-hosted portals](developer-portal-self-host.md).
- Open a pull request for the API Management team to merge new functionality to the **managed** portal's codebase.
-For extensibility details and instructions, refer to the [GitHub repository][1] and [the tutorials on implementing a widget][3]. The [tutorial for customizing the managed portal](api-management-howto-developer-portal-customize.md) walks you through the portal's administrative panel, which is common for **managed** and **self-hosted** versions.
+For extensibility details and instructions, refer to the [GitHub repository](https://github.com/Azure/api-management-developer-portal) and the tutorial to [implement a widget](developer-portal-implement-widgets.md). The tutorial to [customize the managed portal](api-management-howto-developer-portal-customize.md) walks you through the portal's administrative panel, which is common for **managed** and **self-hosted** versions.
-## <a name="faq"></a> Frequently asked questions
-
-In this section, we answer common questions about the developer portal, which are of general nature. For questions specific to the self-hosted version, refer to [the wiki section of the GitHub repository](https://github.com/Azure/api-management-developer-portal/wiki).
-
-### <a id="preview-to-ga"></a> How can I migrate from the preview version of the portal?
-
-When you first launched the preview version of developer portal, you provisioned the preview version of its default content in your API Management service. The default content has been significantly modified in the generally available version. For example, the preview version of default content doesn't include OAuth buttons in the log-in pages, it uses different widgets for displaying APIs, and relies on limited capabilities for structuring developer portal pages. Even though there are differences in the content, the portal's engine (including underlying widgets) is automatically updated every time you publish your developer portal.
-
-If you heavily customized your portal based on the preview version of content, you may continue to use it as is and place new widgets manually on portal's pages. Otherwise, we recommend replacing your portal's content with the new default content.
-
-To reset the content in a managed portal, select **Reset content** in the **Operations** menu section. This operation will remove all the content of the portal and provision new default content. You will lose all developer portal customizations and changes. **You can't undo this action**.
-
-![Reset portal content](media/api-management-howto-developer-portal/reset-content.png)
-
-If you're using the self-hosted version, run `scripts.v2/cleanup.bat` and `scripts.v2/generate.bat` scripts from the GitHub repository to remove existing content and provision new content. Make sure to upgrade your portal's code to the latest release from the GitHub repository beforehand.
-
-If you first accessed the portal after the general availability announcement in November 2019, it should already feature the new default content and no further action is required.
-
-### Functionality I need isn't supported in the portal
-
-You can open a feature request in the [GitHub repository][1] or [implement the missing functionality yourself][3]. See the **Extensibility** section above for more details.
-
-### <a id="automate"></a> How can I automate portal deployments?
-
-You can programmatically access and manage the developer portal's content through the REST API, regardless if you're using a managed or a self-hosted version.
-
-The API is documented in [the GitHub repository's wiki section][2]. It can be used for automating migrations of portal content between environments - for example, from a test environment to the production environment. You can learn more about this process [in this documentation article](https://aka.ms/apimdocs/migrateportal) on GitHub.
-
-### How do I move from the managed to the self-hosted version?
-
-See the detailed article in [the Wiki section of the developer portal repository on GitHub][2].
-
-### Can I have multiple developer portals in one API Management service?
-
-You can have one managed portal and multiple self-hosted portals. The content of all portals is stored in the same API Management service, so they will be identical. If you want to differentiate portals' appearance and functionality, you can self-host them with your own custom widgets that dynamically customize pages on runtime, for example based on the URL.
-
-### Does the portal support Azure Resource Manager templates and/or is it compatible with API Management DevOps Resource Kit?
-
-No.
-
-### Is the portal's content saved with the backup/restore functionality in API Management?
-
-No.
-
-### Do I need to enable additional VNet connectivity for the managed portal dependencies?
-
-In most cases - no.
-
-If your API Management service is in an internal VNet, your developer portal is only accessible from within the network. The management endpoint's host name must resolve to the internal VIP of the service from the machine you use to access the portal's administrative interface. Make sure the management endpoint is registered in the DNS. In case of misconfiguration, you will see an error: `Unable to start the portal. See if settings are specified correctly in the configuration (...)`.
-
-If your API Management service is in an internal VNet and you're accessing it through Application Gateway from the Internet, make sure to enable connectivity to the developer portal and the management endpoints of API Management. You may need to disable Web Application Firewall rules. See [this documentation article](api-management-howto-integrate-internal-vnet-appgateway.md) for more details.
-
-### I have assigned a custom API Management domain and the published portal doesn't work
-
-After you update the domain, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
-
-### I have added an identity provider and I can't see it in the portal
-
-After you configure an identity provider (for example, Azure AD, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget.
-
-### I have set up delegation and the portal doesn't use it
-
-After you set up delegation, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
-
-### My other API Management configuration changes haven't been propagated in the developer portal
-
-Most configuration changes (for example, VNet, sign-in, product terms) require [republishing the portal](api-management-howto-developer-portal-customize.md#publish).
-
-### <a name="cors"></a> I'm getting a CORS error when using the interactive console
-
-The interactive console makes a client-side API request from the browser. Resolve the CORS problem by adding [a CORS policy](api-management-cross-domain-policies.md#CORS) on your API(s).
-
-You can check the status of the CORS policy in the **Portal overview** section of your API Management service in the Azure portal. A warning box indicates an absent or misconfigured policy.
-
-![Screenshot that shows where you can check the status of your CORS policy.](media/api-management-howto-developer-portal/cors-azure-portal.png)
-
-Automatically apply the CORS policy by clicking on the **Enable CORS** button.
-
-You can also enable CORS manually.
-
-1. Select the **Manually apply it on the global level** link to see the generated policy code.
-2. Navigate to **All APIs** in the **APIs** section of your API Management service in the Azure portal.
-3. Select the **</>** icon in the **Inbound processing** section.
-4. Insert the policy in the **<inbound>** section of the XML file. Make sure the **<origin>** value matches your developer portal's domain.
-
-> [!NOTE]
->
-> If you apply the CORS policy in the Product scope, instead of the API(s) scope, and your API uses subscription key authentication through a header, your console won't work.
->
-> The browser automatically issues an OPTIONS HTTP request, which doesn't contain a header with the subscription key. Because of the missing subscription key, API Management can't associate the OPTIONS call with a Product, so it can't apply the CORS policy.
->
-> As a workaround you can pass the subscription key in a query parameter.
-
-> [!NOTE]
->
-> Only one CORS policy is executed. If you specified multiple CORS policies (for example, on the API level and on the all-APIs level), your interactive console may not work as expected.
-
-### What permissions do I need to edit the developer portal?
-
-If you're seeing the `Oops. Something went wrong. Please try again later.` error when you open the portal in the administrative mode, you may be lacking the required permissions (Azure RBAC).
-
-The legacy portals required the permission `Microsoft.ApiManagement/service/getssotoken/action` at the service scope (`/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>`) to allow the user administrator access to the portals. The new portal requires the permission `Microsoft.ApiManagement/service/users/token/action` at the scope `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1`.
-
-You can use the following PowerShell script to create a role with the required permission. Remember to change the `<subscription-id>` parameter.
-
-```powershell
-#New Portals Admin Role
-Import-Module Az
-Connect-AzAccount
-$contributorRole = Get-AzRoleDefinition "API Management Service Contributor"
-$customRole = $contributorRole
-$customRole.Id = $null
-$customRole.Name = "APIM New Portal Admin"
-$customRole.Description = "This role gives the user ability to log in to the new Developer portal as administrator"
-$customRole.Actions = "Microsoft.ApiManagement/service/users/token/action"
-$customRole.IsCustom = $true
-$customRole.AssignableScopes.Clear()
-$customRole.AssignableScopes.Add('/subscriptions/<subscription-id>')
-New-AzRoleDefinition -Role $customRole
-```
-
-Once the role is created, it can be granted to any user from the **Access Control (IAM)** section in the Azure portal. Assigning this role to a user will assign the permission at the service scope. The user will be able to generate SAS tokens on behalf of *any* user in the service. At the minimum, this role needs to be assigned to the administrator of the service. The following PowerShell command demonstrates how to assign the role to a user `user1` at the lowest scope to avoid granting unnecessary permissions to the user:
-
-```powershell
-New-AzRoleAssignment -SignInName "user1@contoso.com" -RoleDefinitionName "APIM New Portal Admin" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1"
-```
-
-After the permissions have been granted to a user, the user must sign out and sign in again to the Azure portal for the new permissions to take effect.
-
-### I'm seeing the `Unable to start the portal. See if settings are specified correctly (...)` error
-
-This error is shown when a `GET` call to `https://<management-endpoint-hostname>/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/contentTypes/document/contentItems/configuration?api-version=2018-06-01-preview` fails. The call is issued from the browser by the administrative interface of the portal.
-
-If your API Management service is in a VNet - refer to the VNet connectivity question above.
-
-The call failure may also be caused by an TLS/SSL certificate, which is assigned to a custom domain and is not trusted by the browser. As a mitigation, you can remove the management endpoint custom domain - API Management will fall back to the default endpoint with a trusted certificate.
-
-### What's the browser support for the portal?
-
-| Browser | Supported |
-|--|--|
-| Apple Safari | Yes<sup>1</sup> |
-| Google Chrome | Yes<sup>1</sup> |
-| Microsoft Edge | Yes<sup>1</sup> |
-| Microsoft Internet Explorer | No |
-| Mozilla Firefox | Yes<sup>1</sup> |
-
- <small><sup>1</sup> Supported in the two latest production versions.</small>
## Next steps Learn more about the new developer portal: - [Access and customize the managed developer portal](api-management-howto-developer-portal-customize.md)-- [Set up self-hosted version of the portal][2]-- [Implement your own widget][3]
+- [Set up self-hosted version of the portal](developer-portal-self-host.md)
+- [Implement your own widget](developer-portal-implement-widgets.md)
Browse other resources: -- [GitHub repository with the source code][1]-
-[1]: https://aka.ms/apimdevportal
-[2]: https://github.com/Azure/api-management-developer-portal/wiki
-[3]: https://aka.ms/apimdevportal/extend
+- [GitHub repository with the source code](https://github.com/Azure/api-management-developer-portal)
+- [Frequently asked questions about the developer portal](developer-portal-faq.md)
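Review bot: The removed "What permissions do I need to edit the developer portal?" section is where this article states that a holder of the `APIM New Portal Admin` role "will be able to generate SAS tokens on behalf of *any* user in the service", and where it shows the assignment narrowed to the `.../users/1` scope. After this change the article only links to developer-portal-faq.md, so confirm that the role script, the scoped `New-AzRoleAssignment` example and that caveat all arrive there unchanged. Also confirm the FAQ headings keep their text, because other articles in this update link to heading-derived anchors such as `#is-the-portals-content-saved-with-the-backuprestore-functionality-in-api-management`.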
api-management Api Management Howto Disaster Recovery Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
Restore is a long running operation that may take up to 30 or more minutes to co
- [Managed Identity](api-management-howto-use-managed-service-identity.md) configuration. - [Azure Monitor Diagnostic](api-management-howto-use-azure-monitor.md) Configuration. - [Protocols and Cipher](api-management-howto-manage-protocols-ciphers.md) settings.-- [Developer portal](api-management-howto-developer-portal.md#is-the-portals-content-saved-with-the-backuprestore-functionality-in-api-management) content.
+- [Developer portal](developer-portal-faq.md#is-the-portals-content-saved-with-the-backuprestore-functionality-in-api-management) content.
The frequency with which you perform service backups affect your recovery point objective. To minimize it, we recommend implementing regular backups and performing on-demand backups after you make changes to your API Management service.
api-management Api Management Howto Mutual Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-mutual-certificates.md
API Management provides two options to manage certificates used to secure access
Using key vault certificates is recommended because it helps improve API Management security: * Certificates stored in key vaults can be reused across services
-* Granular [access policies](../key-vault/general/secure-your-key-vault.md#data-plane-and-access-policies) can be applied to certificates stored in key vaults
+* Granular [access policies](../key-vault/general/security-overview.md#privileged-access) can be applied to certificates stored in key vaults
* Certificates updated in the key vault are automatically rotated in API Management. After update in the key vault, a certificate in API Management is updated within 4 hours. You can also manually refresh the certificate using the Azure portal or via the management REST API. ## Prerequisites
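Review bot: The link text still reads "access policies" while the target moves from `secure-your-key-vault.md#data-plane-and-access-policies` to `security-overview.md#privileged-access`. Check that the new section actually describes the granular Key Vault access policies this bullet is recommending. If it covers privileged access more broadly, adjust the link text or point to the anchor that matches. The same replacement is made in api-management-howto-properties.md and needs the same check.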
api-management Api Management Howto Properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-properties.md
Secret values can be stored either as encrypted strings in API Management (custo
Using key vault secrets is recommended because it helps improve API Management security: * Secrets stored in key vaults can be reused across services
-* Granular [access policies](../key-vault/general/secure-your-key-vault.md#data-plane-and-access-policies) can be applied to secrets
+* Granular [access policies](../key-vault/general/security-overview.md#privileged-access) can be applied to secrets
* Secrets updated in the key vault are automatically rotated in API Management. After update in the key vault, a named value in API Management is updated within 4 hours. You can also manually refresh the secret using the Azure portal or via the management REST API. ### Prerequisites for key vault integration
api-management Automate Portal Deployments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/automate-portal-deployments.md
+
+ Title: Automate developer portal deployments
+
+description: Learn how to automatically migrate self-hosted developer portal content between two API Management services.
++ Last updated : 04/15/2021++++
+# Automate developer portal deployments
+
+The API Management developer portal supports programmatic access to content. It allows you to import data to or export from an API Management service through the [content management REST API](/rest/api/apimanagement/). The REST API access works for both managed and self-hosted portals.
+
+## Automated migration script
+
+You can use the API to automate migration of content between two API Management services - for example, a service in the test environment and a service in the production environment. The `scripts.v3/migrate.js` script in the API Management developer portal [GitHub repo](https://github.com/Azure/api-management-developer-portal/blob/master/scripts.v3/migrate.js) simplifies this automation process.
+
+> [!WARNING]
+> The script removes contents of the developer portal in your destination API Management service. If you're concerned about it, make sure you perform a backup.
+
+> [!NOTE]
+> If you're using a self-hosted portal with an explicitly defined custom storage account to host media files (i.e., you define the `blobStorageUrl` setting in the `config.design.json` configuration file), you need to use the original `scripts/migrate.js` [script](https://github.com/Azure/api-management-developer-portal/blob/master/scripts.v2/migrate.js). The original script doesn't work for managed or self-hosted portals with the media storage account managed by API Management. In that case, use the script from the `/scripts.v3` folder instead.
+
+The script performs the following steps:
+
+1. Capture the portal content and media from the source API Management service.
+1. Remove the portal content and media from the destination API Management service.
+1. Upload the portal content and media to the destination API Management service.
+1. Optionally and for managed portals only - automatically publish the portal.
+
+After the script is successfully executed, the target API Management service should contain the same portal content as the source service and you'll be able to see it as an administrator.
+
+* If you're using a managed portal, you can set the script to auto-publish the destination portal to make the migrated version automatically available to the visitors.
+* If you're using a self-hosted portal, you need to publish the destination portal manually. Follow the publishing and hosting instructions in the tutorial to [set up a self-hosted developer portal](developer-portal-self-host.md).
+
+## Next steps
+
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+- [Self-host the developer portal](developer-portal-self-host.md)
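Review bot: The WARNING block tells readers to "perform a backup" before the script removes the destination portal's content, but it doesn't say how, and the FAQ added in this same change answers "No" to whether portal content is saved with the API Management backup/restore functionality. State explicitly what protects the destination content, for example capturing the destination's content and media first in the same way the script captures the source, so that nobody relies on a service backup and loses the production portal. The NOTE block also names the original script as `scripts/migrate.js` while its link targets `scripts.v2/migrate.js`; make the path and the link agree. Because the script deletes and uploads content on the destination service, it would also help to say what access it needs on each service.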
api-management Developer Portal Alternative Processes Self Host https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-alternative-processes-self-host.md
+
+ Title: Alternatives for self-hosting developer portal
+
+description: Learn about alternative approaches you can use when you self-host a developer portal in Azure API Management.
++ Last updated : 03/25/2021++++
+# Alternative approaches to self-host developer portal
+
+There are several alternative approaches you can explore when you [self-host a developer portal](developer-portal-self-host.md):
+
+* Use production builds of the designer and the publisher.
+
+* Use an Azure Function App to publish your portal.
+
+* Front the files of your portal with a Content Delivery Network (CDN) to reduce page loading times.
+
+This article provides information on each of these approaches.
+
+If you have not already done so, set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
+
+## Build for production
+
+If you want to host the development environment of the portal online for collaboration purposes, use production builds of the designer and the publisher. Production builds bundle the files, exclude source maps, etc.
+
+Create a bundle in the `./dist/designer` directory by running the command:
+
+```sh
+npm run build-designer
+```
+
+The result is a single page application, so you can still deploy it to a static web host, such as the Azure Blob Storage Static Website.
+
+Similarly, place a compiled and optimized publisher in the `./dist/publisher` folder:
+
+```sh
+npm run build-publisher
+```
+
+## Use Function App to publish the portal
+
+Run the publishing step in the cloud as an alternative to executing it locally.
+
+To implement publishing with an Azure Function App, you need the following prerequisites:
+
+- [Create an Azure Function](../azure-functions/functions-create-first-azure-function.md). The Function needs to be a JavaScript language Function.
+- Install Azure Functions Core Tools:
+ ```console
+ npm install ΓÇôg azure-function-core-tools
+ ```
+
+### Step 1: Configure output storage
+
+Uploading the content directly to the hosting website ("$web" container of output storage), instead of a local folder. Configure this change in the `./src/config.publish.json` file:
+
+```json
+{
+ ...
+ "outputBlobStorageContainer": "$web",
+ "outputBlobStorageConnectionString": "DefaultEndpointsProtocol=...",
+ ...
+}
+```
+
+### Step 2: Build and deploy the Function App
+
+There is a sample HTTP Trigger Function in the `./examples` folder. To build it and place it in `./dist/function`, run the following command:
+
+```sh
+npm run build-function
+```
+
+Then, sign in to the Azure CLI and deploy it:
+
+```sh
+az login
+cd ./dist/function
+func azure functionapp publish <function app name>
+```
+
+Once it is deployed, you can invoke it with an HTTP call:
+
+```sh
+curl -X POST https://<function app name>.azurewebsites.net/api/publish
+```
+
+## Hosting and CDN
+
+In [self-host a developer portal](developer-portal-self-host.md) we suggested using an Azure storage account to host your website. However, you can publish the files through any solution, including services of hosting providers.
+
+You can also front the files with a Content Delivery Network (CDN) to reduce page loading times. We recommend using [Azure CDN](https://azure.microsoft.com/services/cdn/).
+
+## Next steps
+
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
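Review bot: The Core Tools install command in the prerequisites will not run as written: the global flag is not a plain ASCII `-g` (a typographic dash appears to have been pasted in), and the npm package is `azure-functions-core-tools`, not `azure-function-core-tools`. Suggested line: `npm install -g azure-functions-core-tools`. In Step 2, the `curl -X POST https://<function app name>.azurewebsites.net/api/publish` example sends no key or token; state which authorization level the sample HTTP trigger uses and show the call with the required credential, since a publish endpoint that accepts anonymous POSTs lets anyone trigger a republish. In Step 1, `outputBlobStorageConnectionString` places a storage account secret in `./src/config.publish.json`; add a line telling readers to keep the populated file out of source control. The opening sentence of Step 1 ("Uploading the content directly to the hosting website ...") is a fragment and should be an instruction.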
api-management Developer Portal Deprecated Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-deprecated-migration.md
description: Learn how to migrate from the legacy developer portal to the new de
documentationcenter: API Management - - Previously updated : 10/15/2020 Last updated : 04/15/2021
This article describes the steps you need to take to migrate from the deprecated
## Improvements in new developer portal
-The new developer portal addresses many limitations of the deprecated portal. It features a [visual drag-and-drop editor for editing content](api-management-howto-developer-portal-customize.md) and a dedicated panel for designers to style the website. Pages, customizations, and configuration are saved as Azure Resource Manager resources in your API Management service, which lets you [automate portal deployments](api-management-howto-developer-portal.md#automate). Lastly, the portal's codebase is open-source, so [you can extend it with custom functionality](api-management-howto-developer-portal.md#managed-vs-self-hosted).
+The new developer portal addresses many limitations of the deprecated portal. It features a [visual drag-and-drop editor for editing content](api-management-howto-developer-portal-customize.md) and a dedicated panel for designers to style the website. Pages, customizations, and configuration are saved as Azure Resource Manager resources in your API Management service, which lets you [automate portal deployments](automate-portal-deployments.md). Lastly, the portal's codebase is open-source, so [you can extend it with custom functionality](api-management-howto-developer-portal.md#managed-vs-self-hosted).
## How to migrate to new developer portal The new developer portal is incompatible with the deprecated portal and automated migration isn't possible. You need to manually recreate the content (pages, text, media files) and customize the look of the new portal. Precise steps will vary depending on the customizations and complexity of your portal. Refer to [the developer portal tutorial](api-management-howto-developer-portal-customize.md) for guidance. Remaining configuration, like the list of APIs, products, users, identity providers, is automatically shared across both portals. > [!IMPORTANT]
-> If you've launched the new developer portal before, but you haven't made any changes, [reset the default content](api-management-howto-developer-portal.md#preview-to-ga) to update it to the latest version.
+> If you've launched the new developer portal before, but you haven't made any changes, reset the default content to update it to the latest version.
When you migrate from the deprecated portal, keep in mind the following changes: - If you expose your developer portal via a custom domain, [assign a domain](configure-custom-domain.md) to the new developer portal. Use the **Developer portal** option from the dropdown in the Azure portal.-- [Apply a CORS policy](api-management-howto-developer-portal.md#cors) on your APIs to enable the interactive test console.
+- [Apply a CORS policy](developer-portal-faq.md#cors) on your APIs to enable the interactive test console.
- If you inject custom CSS to style the portal, you need to [replicate the styling using the built-in design panel](api-management-howto-developer-portal-customize.md). CSS injection isn't allowed in the new portal. - You can inject custom JavaScript only in the [self-hosted version of the new portal](api-management-howto-developer-portal.md#managed-vs-self-hosted). - If your API Management is in a virtual network and is exposed to the Internet via Application Gateway, [refer to this documentation article](api-management-howto-integrate-internal-vnet-appgateway.md) for precise configuration steps. You need to:
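Review bot: In the IMPORTANT note, the new line keeps the instruction to reset the default content but drops the only link that explained how to do it, so readers are told to perform a step with no pointer to the procedure. Either link to wherever the former `#preview-to-ga` content now lives or remove the instruction. The `#automate` and `#cors` anchors were retargeted in this hunk, but the lines still link to `api-management-howto-developer-portal.md#managed-vs-self-hosted`; confirm that anchor survives the restructuring of that article.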
api-management Developer Portal Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-faq.md
+
+ Title: Developer portal - Frequently asked questions
+
+description: Frequently asked questions about the developer portal in API Management. The developer portal is a customizable website where API consumers can explore your APIs.
+
+documentationcenter: API Management
++++ Last updated : 04/15/2021+++
+# API Management developer portal - frequently asked questions
+
+## What if I need functionality that isn't supported in the portal?
+
+You can open a feature request in the [GitHub repository](https://github.com/Azure/api-management-developer-portal) or [implement the missing functionality yourself](developer-portal-implement-widgets.md). Learn more about developer portal [extensibility](api-management-howto-developer-portal.md#managed-vs-self-hosted).
++
+## Can I have multiple developer portals in one API Management service?
+
+You can have one managed portal and multiple self-hosted portals. The content of all portals is stored in the same API Management service, so they will be identical. If you want to differentiate portals' appearance and functionality, you can self-host them with your own custom widgets that dynamically customize pages on runtime, for example based on the URL.
+
+## Does the portal support Azure Resource Manager templates and/or is it compatible with API Management DevOps Resource Kit?
+
+No.
+
+## Is the portal's content saved with the backup/restore functionality in API Management?
+
+No.
+
+## Do I need to enable additional VNet connectivity for the managed portal dependencies?
+
+In most cases - no.
+
+If your API Management service is in an internal VNet, your developer portal is only accessible from within the network. The management endpoint's host name must resolve to the internal VIP of the service from the machine you use to access the portal's administrative interface. Make sure the management endpoint is registered in the DNS. In case of misconfiguration, you will see an error: `Unable to start the portal. See if settings are specified correctly in the configuration (...)`.
+
+If your API Management service is in an internal VNet and you're accessing it through Application Gateway from the internet, make sure to enable connectivity to the developer portal and the management endpoints of API Management. You may need to disable Web Application Firewall rules. See [this documentation article](api-management-howto-integrate-internal-vnet-appgateway.md) for more details.
+
+## I assigned a custom API Management domain and the published portal doesn't work
+
+After you update the domain, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
+
+## I added an identity provider and I can't see it in the portal
+
+After you configure an identity provider (for example, Azure AD, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget.
+
+## I set up delegation and the portal doesn't use it
+
+After you set up delegation, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
+
+## My other API Management configuration changes haven't been propagated in the developer portal
+
+Most configuration changes (for example, VNet, sign-in, product terms) require [republishing the portal](api-management-howto-developer-portal-customize.md#publish).
+
+## <a name="cors"></a> I'm getting a CORS error when using the interactive console
+
+The interactive console makes a client-side API request from the browser. Resolve the CORS problem by adding [a CORS policy](api-management-cross-domain-policies.md#CORS) on your API(s).
+
+You can check the status of the CORS policy in the **Portal overview** section of your API Management service in the Azure portal. A warning box indicates an absent or misconfigured policy.
+
+> [!NOTE]
+>
+> Only one CORS policy is executed. If you specified multiple CORS policies (for example, on the API level and on the all-APIs level), your interactive console may not work as expected.
+
+![Screenshot that shows where you can check the status of your CORS policy.](media/developer-portal-faq/cors-azure-portal.png)
+
+Automatically apply the CORS policy by clicking on the **Enable CORS** button.
+
+You can also enable CORS manually.
+
+1. Select the **Manually apply it on the global level** link to see the generated policy code.
+2. Navigate to **All APIs** in the **APIs** section of your API Management service in the Azure portal.
+3. Select the **</>** icon in the **Inbound processing** section.
+4. Insert the policy in the **<inbound>** section of the XML file. Make sure the **<origin>** value matches your developer portal's domain.
+
+> [!NOTE]
+>
+> If you apply the CORS policy in the Product scope, instead of the API(s) scope, and your API uses subscription key authentication through a header, your console won't work.
+>
+> The browser automatically issues an `OPTIONS` HTTP request, which doesn't contain a header with the subscription key. Because of the missing subscription key, API Management can't associate the `OPTIONS` call with a Product, so it can't apply the CORS policy.
+>
+> As a workaround you can pass the subscription key in a query parameter.
+
+## What is the CORS proxy feature and when should I use it?
+
+Select the **Use CORS proxy** option in the configuration of the API operation details widget to route the interactive console's API calls through the portal's backend in your API Management service. In this configuration, you no longer need to apply a CORS policy for your APIs, and connectivity to the gateway endpoint from the local machine isn't required. If the APIs are exposed through a self-hosted gateway or your service is in a virtual network, the connectivity from the API Management's backend service to the gateway is required. If you use the self-hosted portal, specify the portal's backend endpoint using the `backendUrl` option in the configuration files. Otherwise, the self-hosted portal won't be aware of the location of the backend service.
+
+## What permissions do I need to edit the developer portal?
+
+If you're seeing the `Oops. Something went wrong. Please try again later.` error when you open the portal in the administrative mode, you may be lacking the required permissions (Azure RBAC).
+
+The legacy portals required the permission `Microsoft.ApiManagement/service/getssotoken/action` at the service scope (`/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>`) to allow the user administrator access to the portals. The new portal requires the permission `Microsoft.ApiManagement/service/users/token/action` at the scope `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1`.
+
+You can use the following PowerShell script to create a role with the required permission. Remember to change the `<subscription-id>` parameter.
+
+```powershell
+#New Portals Admin Role
+Import-Module Az
+Connect-AzAccount
+$contributorRole = Get-AzRoleDefinition "API Management Service Contributor"
+$customRole = $contributorRole
+$customRole.Id = $null
+$customRole.Name = "APIM New Portal Admin"
+$customRole.Description = "This role gives the user ability to log in to the new Developer portal as administrator"
+$customRole.Actions = "Microsoft.ApiManagement/service/users/token/action"
+$customRole.IsCustom = $true
+$customRole.AssignableScopes.Clear()
+$customRole.AssignableScopes.Add('/subscriptions/<subscription-id>')
+New-AzRoleDefinition -Role $customRole
+```
+
+Once the role is created, it can be granted to any user from the **Access Control (IAM)** section in the Azure portal. Assigning this role to a user will assign the permission at the service scope. The user will be able to generate SAS tokens on behalf of *any* user in the service. At the minimum, this role needs to be assigned to the administrator of the service. The following PowerShell command demonstrates how to assign the role to a user `user1` at the lowest scope to avoid granting unnecessary permissions to the user:
+
+```powershell
+New-AzRoleAssignment -SignInName "user1@contoso.com" -RoleDefinitionName "APIM New Portal Admin" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1"
+```
+
+After the permissions have been granted to a user, the user must sign out and sign in again to the Azure portal for the new permissions to take effect.
+
+## I'm seeing the `Unable to start the portal. See if settings are specified correctly (...)` error
+
+This error is shown when a `GET` call to `https://<management-endpoint-hostname>/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/contentTypes/document/contentItems/configuration?api-version=2018-06-01-preview` fails. The call is issued from the browser by the administrative interface of the portal.
+
+If your API Management service is in a VNet, refer to the [VNet connectivity question](#do-i-need-to-enable-additional-vnet-connectivity-for-the-managed-portal-dependencies).
+
+The call failure may also be caused by an TLS/SSL certificate, which is assigned to a custom domain and is not trusted by the browser. As a mitigation, you can remove the management endpoint custom domain API Management will fall back to the default endpoint with a trusted certificate.
+
+## What's the browser support for the portal?
+
+| Browser | Supported |
+|--|--|
+| Apple Safari | Yes<sup>1</sup> |
+| Google Chrome | Yes<sup>1</sup> |
+| Microsoft Edge | Yes<sup>1</sup> |
+| Microsoft Internet Explorer | No |
+| Mozilla Firefox | Yes<sup>1</sup> |
+
+ <small><sup>1</sup> Supported in the two latest production versions.</small>
+
+## Local development of my self-hosted portal is no longer working
+
+If your local version of the developer portal cannot save or retrieve information from the storage account or API Management instance, the SAS tokens may have expired. You can fix that by generating new tokens. For instructions, refer to the tutorial to [self-host the developer portal](developer-portal-self-host.md#step-2-configure-json-files-static-website-and-cors-settings).
+
+## How can I remove the developer portal content provisioned to my API Management service?
+
+Provide the required parameters in the `scripts.v3/cleanup.bat` script in the developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal), and run the script
+
+```sh
+cd scripts.v3
+.\cleanup.bat
+cd ..
+```
+
+## How do I enable single sign-on (SSO) authentication to self-hosted developer portal?
+
+Among other authentication methods, the developer portal supports single sign-on (SSO). To authenticate with this method, you need to make a call to `/signin-sso` with the token in the query parameter:
+
+```html
+https://contoso.com/signin-sso?token=[user-specific token]
+```
+### Generate user tokens
+You can generate *user-specific tokens* (including admin tokens) using the [Get Shared Access Token](/rest/api/apimanagement/2019-12-01/user/getsharedaccesstoken) operation of the [API Management REST API](/rest/api/apimanagement/apimanagementrest/api-management-rest).
+
+> [!NOTE]
+> The token must be URL-encoded.
+
+## Next steps
+
+Learn more about the new developer portal:
+
+- [Access and customize the managed developer portal](api-management-howto-developer-portal-customize.md)
+- [Set up self-hosted version of the portal](developer-portal-self-host.md)
+- [Implement your own widget](developer-portal-implement-widgets.md)
+
+Browse other resources:
+
+- [GitHub repository with the source code](https://github.com/Azure/api-management-developer-portal)
+
api-management Developer Portal Implement Widgets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-implement-widgets.md
+
+ Title: Implement widgets in the developer portal
+
+description: Learn how to implement widgets that consume data from external APIs and display it on the API Management developer portal.
++ Last updated : 04/15/2021++++
+# Implement widgets in the developer portal
+
+In this tutorial, you implement a widget that consumes data from an external API and displays it on the API Management developer portal.
+
+The widget will retrieve session descriptions from the sample [Conference API](https://conferenceapi.azurewebsites.net/?format=json). The session identifier will be set through a designated widget editor.
+
+To help you in the development process, refer to the completed widget located in the `examples` folder of the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal/): `/examples/widgets/conference-session`.
++
+## Prerequisites
+
+* Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
+
+* You should understand the [Paperbits widget anatomy](https://paperbits.io/wiki/widget-anatomy).
++
+## Copy the scaffold
+
+Use a `widget` scaffold from the `/scaffolds` folder as a starting point to build the new widget.
+
+1. Copy the folder `/scaffolds/widget` to `/community/widgets`.
+1. Rename the folder to `conference-session`.
+
+## Rename exported module classes
+
+Rename the exported module classes by replacing the `Widget` prefix with `ConferenceSession` in these files:
+
+- `widget.design.module.ts`
+
+- `widget.publish.module.ts`
+
+- `widget.runtime.module.ts`
+
+For example, in the `widget.design.module.ts` file, change `WidgetDesignModule` to `ConferenceSessionDesignModule`:
+
+```typescript
+export class WidgetDesignModule implements IInjectorModule {
+```
+to
+
+```typescript
+export class ConferenceSessionDesignModule implements IInjectorModule {
+```
+
+
+## Register the widget
+
+Register the widget's modules in the portal's root modules by adding the following lines in the respective files:
+
+1. `src/apim.design.module.ts` - a module that registers design-time dependencies.
+
+ ```typescript
+ import { ConferenceSessionDesignModule } from "../community/widgets/conference-session/widget.design.module";
+
+ ...
+ injector.bindModule(new ConferenceSessionDesignModule());
+ ```
+1. `src/apim.publish.module.ts` - a module that registers publish-time dependencies.
+
+ ```typescript
+ import { ConferenceSessionPublishModule } from "../community/widgets/conference-session/widget.publish.module";
+
+ ...
+
+ injector.bindModule(new ConferenceSessionPublishModule());
+ ```
+
+1. `src/apim.runtime.module.ts` - runtime dependencies.
+
+ ```typescript
+ import { ConferenceSessionRuntimeModule } from "../community/widgets/conference-session/widget.runtime.module";
+
+ ...
+
+ injector.bindModule(new ConferenceSessionRuntimeModule());
+ ```
+
+## Place the widget in the portal
+
+Now you're ready to plug in the duplicated scaffold and use it in developer portal.
+
+1. Run the `npm start` command.
+
+1. When the application loads, place the new widget on a page. You can find it under the name `Your widget` in the `Community` category in the widget selector.
+
+ :::image type="content" source="media/developer-portal-implement-widgets/widget-selector.png" alt-text="Screenshot of widget selector":::
+
+1. Save the page by pressing **Ctrl**+**S** (or **Γîÿ**+**S** on macOS).
+
+ > [!NOTE]
+ > In design-time, you can still interact with the website by holding the **Ctrl** (or **Γîÿ**) key.
+
+## Add custom properties
+
+For the widget to fetch session descriptions, it needs to be aware of the session identifier. Add the `Session ID` property to the respective interfaces and classes:
+
+In order for the widget to fetch the session description, it needs to be aware of the session identifier. Add the session ID property to the respective interfaces and classes:
+
+1. `widgetContract.ts` - data contract (data layer) defining how the widget configuration is persisted.
+
+ ```typescript
+ export interface WidgetContract extends Contract {
+ sessionNumber: string;
+ }
+ ```
+
+1. `widgetModel.ts` - model (business layer) - a primary representation of the widget in the system. It's updated by editors and rendered by the presentation layer.
+
+ ```typescript
+ export class WidgetModel {
+ public sessionNumber: string;
+ }
+ ```
+
+1. `ko/widgetViewModel.ts` - viewmodel (presentation layer) - a UI framework-specific object that developer portal renders with the HTML template.
+
+ > [!NOTE]
+ > You don't need to change anything in this file.
+
+## Configure binders
+
+Enable the flow of the `sessionNumber` from the data source to the widget presentation. Edit the `ModelBinder` and `ViewModelBinder` entities:
+
+1. `widgetModelBinder.ts` helps to prepare the model using data described in the contract.
+
+ ```typescript
+ export class WidgetModelBinder implements IModelBinder<WidgetModel> {
+ public async contractToModel(contract: WidgetContract): Promise<WidgetModel> {
+ model.sessionNumber = contract.sessionNumber || "107"; // 107 is the default session id
+ ...
+ }
+
+ public modelToContract(model: WidgetModel): Contract {
+ const contract: WidgetContract = {
+ sessionNumber: model.sessionNumber
+ ...
+ };
+ ...
+ }
+ }
+ ```
+
+1. `ko/widgetViewModelBinder.ts` knows how developer portal needs to present the model (as a viewmodel) in a specific UI framework.
+
+ ```typescript
+ ...
+ public async updateViewModel(model: WidgetModel, viewModel: WidgetViewModel): Promise<void> {
+ viewModel.runtimeConfig(JSON.stringify({
+ sessionNumber: model.sessionNumber
+ }));
+ }
+ }
+ ...
+ ```
+
+## Adjust design-time widget template
+
+The components of each scope run independently. They have separate dependency injection containers, their own configuration, lifecycle, etc. They may even be powered by different UI frameworks (in this example it is Knockout JS).
+
+From the design-time perspective, any runtime component is just an HTML tag with certain attributes and/or content. Configuration if necessary is passed with plain markup. In simple cases, like in this example, the parameter is passed in the attribute. If the configuration is more complex, you could use an identifier of the required setting(s) fetched by a designated configuration provider (for example, `ISettingsProvider`).
+
+1. Update the `ko/widgetView.html` file:
+
+ ```html
+ <widget-runtime data-bind="attr: { params: runtimeConfig }"></widget-runtime>
+ ```
+
+ When developer portal runs the `attr` binding in *design-time* or *publish-time*, the resulting HTML is:
+
+ ```html
+ <widget-runtime params="{ sessionNumber: 107 }"></widget-runtime>
+ ```
+
+ Then, in runtime, `widget-runtime` component will read `sessionNumber` and use it in the initialization code (see below).
+
+1. Update the `widgetHandlers.ts` file to assign the session ID on creation:
+
+ ```typescript
+ ...
+ createModel: async () => {
+ var model = new ConferenceSessionModel();
+ model.sessionNumber = "107";
+ return model;
+ }
+ ...
+ ```
+
+## Revise runtime view model
+
+Runtime components are the code running in the website itself. For example, in the API Management developer portal, they are all the scripts behind dynamic components (for example, *API details*, *API console*), handling operations such as code sample generation, sending requests, etc.
+
+Your runtime component's view model needs to have the following methods and properties:
+
+- The `sessionNumber` property (marked with `Param` decorator) used as a component input parameter passed from outside (the markup generated in design-time; see the previous step).
+- The `sessionDescription` property bound to the widget template (see `widget-runtime.html` later in this article).
+- The `initialize` method (with `OnMounted` decorator) invoked after the widget is created and all its parameters are assigned. It's a good place to read the `sessionNumber` and invoke the API using the `HttpClient`. The `HttpClient` is a dependency injected by the IoC (Inversion of Control) container.
+
+- First, developer portal creates the widget and assigns all its parameters. Then it invokes the `initialize` method.
+
+ ```typescript
+ ...
+ import * as ko from "knockout";
+ import { Component, RuntimeComponent, OnMounted, OnDestroyed, Param } from "@paperbits/common/ko/decorators";
+ import { HttpClient, HttpRequest } from "@paperbits/common/http";
+ ...
+
+ export class WidgetRuntime {
+ public readonly sessionDescription: ko.Observable<string>;
+
+ constructor(private readonly httpClient: HttpClient) {
+ ...
+ this.sessionNumber = ko.observable();
+ this.sessionDescription = ko.observable();
+ ...
+ }
+
+ @Param()
+ public readonly sessionNumber: ko.Observable<string>;
+
+ @OnMounted()
+ public async initialize(): Promise<void> {
+ ...
+ const sessionNumber = this.sessionNumber();
+
+ const request: HttpRequest = {
+ url: `https://conferenceapi.azurewebsites.net/session/${sessionNumber}`,
+ method: "GET"
+ };
+
+ const response = await this.httpClient.send<string>(request);
+ const sessionDescription = response.toText();
+
+ this.sessionDescription(sessionDescription);
+ ...
+ }
+ ...
+ }
+ ```
+
+## Tweak the widget template
+
+Update your widget to display the session description.
+
+Use a paragraph tag and a `markdown` (or `text`) binding in the `ko/runtime/widget-runtime.html` file to render the description:
+
+```html
+<p data-bind="markdown: sessionDescription"></p>
+```
+
+## Add the widget editor
+
+The widget is now configured to fetch the description of the session `107`. You specified `107` in the code as the default session. To check that you did everything right, run `npm start` and confirm that developer portal shows the description on the page.
+
+Now, carry out these steps to allow the user to set up the session ID through a widget editor:
+
+1. Update the `ko/widgetEditorViewModel.ts` file:
+
+ ```typescript
+ export class WidgetEditor implements WidgetEditor<WidgetModel> {
+ public readonly sessionNumber: ko.Observable<string>;
+
+ constructor() {
+ this.sessionNumber = ko.observable();
+ }
+
+ @Param()
+ public model: WidgetModel;
+
+ @Event()
+ public onChange: (model: WidgetModel) => void;
+
+ @OnMounted()
+ public async initialize(): Promise<void> {
+ this.sessionNumber(this.model.sessionNumber);
+ this.sessionNumber.subscribe(this.applyChanges);
+ }
+
+ private applyChanges(): void {
+ this.model.sessionNumber = this.sessionNumber();
+ this.onChange(this.model);
+ }
+ }
+ ```
+
+ The editor view model uses the same approach that you've seen previously, but there is a new property `onChange`, decorated with `@Event()`. It wires the callback to notify the listeners (in this case - a content editor) of changes to the model.
+
+1. Update the `ko/widgetEditorView.html` file:
+
+ ```html
+ <input type="text" class="form-control" data-bind="textInput: sessionNumber" />
+ ```
+
+1. Run `npm start` again. You should be able to change `sessionNumber` in the widget editor. Change the ID to `108`, save the changes, and refresh the browser's tab. If you're experiencing problems, you may need to add the widget onto the page again.
+
+ :::image type="content" source="media/developer-portal-implement-widgets/widget-editor.png" alt-text="Screenshot of widget editor":::
+
+## Rename the widget
+
+Change the widget name in the `constants.ts` file:
+
+```typescript
+...
+export const widgetName = "conference-session";
+export const widgetDisplayName = "Conference session";
+...
+```
+
+> [!NOTE]
+> If you're contributing the widget to the repository, the `widgetName` needs to be the same as its folder name and needs to be derived from the display name (lowercase and spaces replaced with dashes). The category should remain `Community`.
+
+## Next steps
++
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+
+- [Contribute widgets](developer-portal-widget-contribution-guidelines.md) - we welcome and encourage community contributions.
+
+- See [Use community widgets](developer-portal-use-community-widgets.md) to learn how to use widgets contributed by the community.
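Review bot: In the `WidgetEditor` sample, `this.sessionNumber.subscribe(this.applyChanges)` passes `applyChanges` as an unbound method, so when the subscription fires `this` is not the editor instance and `this.model` and `this.onChange` are unreachable. Pass the target as the second argument, `this.sessionNumber.subscribe(this.applyChanges, this)`, or declare `applyChanges` as an arrow-function property. Two smaller points: the class is declared as `WidgetEditor implements WidgetEditor<WidgetModel>`, so it shares its name with the interface it implements and should be renamed. The opening paragraph also offers a `markdown` or `text` binding for `sessionDescription` without saying when to choose which; because the description is fetched at runtime, state that `text` is the conservative choice when the source is not trusted to supply markup.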
api-management Developer Portal Integrate Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-integrate-application-insights.md
+
+ Title: Integrate Application Insights to developer portal
+
+description: Learn how to integrate Application Insights into your managed or self-hosted developer portal.
++ Last updated : 03/25/2021++++
+# Integrate Application Insights to developer portal
+
+A popular feature of Azure Monitor is Application Insights. It's an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your developer portal and detect performance anomalies. Application Insights includes powerful analytics tools to help you learn what users actually do while visiting your developer portal.
+
+## Add Application Insights to your portal
+
+Follow these steps to plug Application Insights into your managed or self-hosted developer portal.
+
+> [!IMPORTANT]
+> Steps 1 and 2 are not required for managed portals. If you have a managed portal, skip to step 4.
+
+1. Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
+
+1. Install the **npm** package to add [Paperbits for Azure](https://github.com/paperbits/paperbits-azure):
+
+ ```console
+ npm install @paperbits/azure --save
+ ```
+
+1. In the `startup.publish.ts` file in the `src` folder, import and register the Application Insights module:
+
+ ```typescript
+ import { AppInsightsPublishModule } from "@paperbits/azure";
+ ...
+ injector.bindModule(new AppInsightsPublishModule());
+ ```
+
+1. Retrieve the portal's configuration:
+
+ ```http
+ GET /contentTypes/document/contentItems/configuration
+ ```
+
+ ```json
+ {
+ "nodes": [
+ {
+ "site": {
+ "title": "Microsoft Azure API Management - developer portal",
+ "description": "Discover APIs, learn how to use them, try them out interactively, and sign up to acquire keys.",
+ "keywords": "Azure, API Management, API, developer",
+ "faviconSourceId": null,
+ "author": "Microsoft Azure API Management"
+ }
+ }
+ ]
+ }
+ ```
+
+1. Extend the site configuration from the previous step with Application Insights configuration:
+
+ ```http
+ PUT /contentTypes/document/contentItems/configuration
+ ```
+
+ ```json
+ {
+ "nodes": [
+ {
+ "site": { ... },
+ "integration": {
+ "appInsights": {
+ "instrumentationKey": "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxx"
+ }
+ }
+ }
+ ]
+ }
+ ```
+
+## Next steps
+
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+- [Automate portal deployments](automate-portal-deployments.md)
+- [Self-host the developer portal](developer-portal-self-host.md)
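Review bot: The `[!IMPORTANT]` note says steps 1 and 2 are not required for managed portals and to skip to step 4, but step 3 (registering `AppInsightsPublishModule` in `startup.publish.ts`) is also a self-hosted-only step, so the note should read "Steps 1 through 3". The `GET` and `PUT` requests in steps 4 and 5 give only a relative path; state the base URL they are issued against and how the caller authenticates. Because the `PUT` body abbreviates the existing settings as `"site": { ... }`, say explicitly that the full `site` object returned by the `GET` has to be sent back, so a reader does not drop the existing settings. The placeholder `xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxx` does not have the shape of a key; an `<instrumentation-key>` placeholder would be clearer.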
api-management Developer Portal Integrate Google Tag Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-integrate-google-tag-manager.md
+
+ Title: Integrate Google Tag Manager to developer portal
+
+description: Learn how to plug Google Tag Manager into your managed or self-hosted developer portal in Azure API Management.
++ Last updated : 03/25/2021++++
+# Integrate Google Tag Manager to API Management developer portal
+
+[Google Tag Manager](https://developers.google.com/tag-manager) is a tag management system created by Google. You can use it to manage JavaScript and HTML tags used for tracking and analytics on websites. For example, you can use Google Tag Manager to integrate Google Analytics, heatmaps, or chatbots like LiveChat.
+
+Follow the steps in this article to plug Google Tag Manager into your managed or self-hosted developer portal in Azure API Management.
+
+## Add Google Tag Manager to your portal
+
+Follow these steps to plug Google Tag Manager into your managed or self-hosted developer portal.
+
+> [!IMPORTANT]
+> Steps 1 and 2 are not required for managed portals. If you have a managed portal, skip to step 4.
+
+1. Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
+
+1. Install the **npm** package to add [Paperbits for Google Tag Manager](https://github.com/paperbits/paperbits-gtm):
+
+ ```sh
+ npm install @paperbits/gtm --save
+ ```
+
+1. In the `startup.publish.ts` file in the `src` folder, import and register the GTM module:
+
+ ```typescript
+ import { GoogleTagManagerPublishModule } from "@paperbits/gtm/gtm.publish.module";
+ ...
+ injector.bindModule(new GoogleTagManagerPublishModule());
+ ```
+1. Retrieve the portal's configuration:
+
+ ```http
+ GET /contentTypes/document/contentItems/configuration
+ ```
+
+ ```json
+ {
+ "nodes": [
+ {
+ "site": {
+ "title": "Microsoft Azure API Management - developer portal",
+ "description": "Discover APIs, learn how to use them, try them out interactively, and sign up to acquire keys.",
+ "keywords": "Azure, API Management, API, developer",
+ "faviconSourceId": null,
+ "author": "Microsoft Azure API Management"
+ }
+ }
+ ]
+ }
+ ```
+
+1. Extend the site configuration from the previous step with Google Tag Manager configuration:
+
+ ```http
+ PUT /contentTypes/document/contentItems/configuration
+ ```
+
+ ```json
+ {
+ "nodes": [
+ {
+ "site": { ... },
+ "integration": {
+ "googleTagManager": {
+ "containerId": "GTM-..."
+ }
+ }
+ }
+ ]
+ }
+ ```
+
+## Next steps
+
+- [Automate portal deployments](automate-portal-deployments.md)
+- [Self-host the developer portal](developer-portal-self-host.md)
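Review bot: The introduction describes Google Tag Manager as a way to manage JavaScript and HTML tags, but the steps never tell the reader that setting `containerId` lets whoever can publish to that container run script on every portal page; add a short note recommending that publish rights on the container be limited and reviewed. The `[!IMPORTANT]` note says steps 1 and 2 are not required for managed portals and to skip to step 4, yet step 3 (registering `GoogleTagManagerPublishModule`) is also self-hosted only, so it should say steps 1 through 3. Step 4 also starts directly after the closing fence of step 3 without the blank line the other steps have. As in the request bodies, the `GET` and `PUT` lines need a base URL and an authentication hint.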
api-management Developer Portal Self Host https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-self-host.md
+
+ Title: Self-host the developer portal
+
+description: Learn how to self-host the API Management developer portal.
++ Last updated : 04/15/2021++++
+# Self-host the API Management developer portal
+
+This tutorial describes how to self-host the [API Management developer portal](api-management-howto-developer-portal.md). Self-hosting gives you flexibility to extend the developer portal with custom logic and widgets that dynamically customize pages on runtime. You can self-host multiple portals for your API Management instance, with different features. When you self-host a portal, you become its maintainer and you are responsible for its upgrades.
+
+The following steps show how to set up your local development environment, carry out changes in the developer portal, and publish and deploy them to an Azure storage account.
+
+If you have already uploaded or modified media files in the managed portal, see [Move from managed to self-hosted](#move-from-managed-to-self-hosted-developer-portal), later in this article.
++
+## Prerequisites
+
+To set up a local development environment, you need to have:
+
+- An API Management service instance. If you don't have one, see [Quickstart - Create an Azure API Management instance](get-started-create-service-instance.md).
+- An Azure storage account with [the static websites feature](../storage/blobs/storage-blob-static-website.md) enabled. See [Create a storage account](../storage/common/storage-account-create.md).
+- Git on your machine. Install it by following [this Git tutorial](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git).
+- Node.js (LTS version, `v10.15.0` or later) and npm on your machine. See [Downloading and installing Node.js and npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
+- Azure CLI. Follow [the Azure CLI installation steps](/cli/azure/install-azure-cli-windows).
+
+## Step 1: Set up local environment
+
+To set up your local environment, you'll have to clone the repository, switch to the latest release of the developer portal, and install npm packages.
+
+1. Clone the [api-management-developer-portal](https://github.com/Azure/api-management-developer-portal.git) repo from GitHub:
+
+ ```console
+ git clone https://github.com/Azure/api-management-developer-portal.git
+ ```
+1. Go to your local copy of the repo:
+
+ ```console
+ cd api-management-developer-portal
+ ```
+
+1. Check out the latest release of the portal.
+
+ Before you run the following code, check the current release tag in the [Releases section of the repository](https://github.com/Azure/api-management-developer-portal/releases) and replace `<current-release-tag>` value with the latest release tag.
+
+ ```console
+ git checkout <current-release-tag>
+ ```
+
+1. Install any available npm packages:
+
+ ```console
+ npm install
+ ```
+
+> [!TIP]
+> Always use the [latest portal release](https://github.com/Azure/api-management-developer-portal/releases) and keep your forked portal up-to-date. The Software Engineers use the `master` branch of this repository for daily development purposes. It has unstable versions of the software.
+
+## Step 2: Configure JSON files, static website, and CORS settings
+
+The developer portal requires API Management's REST API to manage the content.
+
+### config.design.json file
+
+Go to the `src` folder and open the `config.design.json` file.
+
+```json
+{
+ "environment": "development",
+ "managementApiUrl": "https://<service-name>.management.azure-api.net",
+ "managementApiAccessToken": "SharedAccessSignature ...",
+ "backendUrl": "https://<service-name>.developer.azure-api.net",
+ "useHipCaptcha": false
+}
+```
+
+Configure the file:
+
+1. In the `managementApiUrl` value, replace `<service-name>` with the name of your API Management instance. If you configured a [custom domain](configure-custom-domain.md), use it instead (for example, `https://management.contoso.com`).
+
+ ```json
+ {
+ ...
+ "managementApiUrl": "https://contoso-api.management.azure-api.net"
+ ...
+ ```
+
+1. [Manually create a SAS token](/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-authentication#ManuallyCreateToken) to enable the direct REST API access to your API Management instance.
+
+1. Copy the generated token and paste it as the `managementApiAccessToken` value.
+
+1. In the `backendUrl` value, replace `<service-name>` with the name of your API Management instance. If you configured a [custom domain](configure-custom-domain.md), use it instead (for example, `https://portal.contoso.com`).
+
+ ```json
+ {
+ ...
+ "backendUrl": "https://contoso-api.developer.azure-api.net"
+ ...
+ ```
+
+1. If you'd like to enable CAPTCHA in your developer portal, see [Enable CAPTCHA](#enable-captcha).
+
+### config.publish.json file
+
+Go to the `src` folder and open the `config.publish.json` file.
+
+```json
+{
+ "environment": "publishing",
+ "managementApiUrl": "https://<service-name>.management.azure-api.net",
+ "managementApiAccessToken": "SharedAccessSignature...",
+ "useHipCaptcha": false
+}
+```
+
+Configure the file:
+
+1. Copy and paste the `managementApiUrl` and `managementApiAccessToken` values from the previous configuration file.
+
+1. If you'd like to enable CAPTCHA in your developer portal, see [Enable CAPTCHA](#enable-captcha).
+
+### config.runtime.json file
+
+Go to the `src` folder and open the `config.runtime.json` file.
+
+```json
+{
+ "environment": "runtime",
+ "managementApiUrl": "https://<service-name>.management.azure-api.net",
+ "backendUrl": "https://<service-name>.developer.azure-api.net"
+}
+```
+
+Configure the file:
+
+1. Copy and paste the `managementApiUrl` value from the previous configuration file.
+
+1. In the `backendUrl` value, replace `<service-name>` with the name of your API Management instance. If you configured a [custom domain](configure-custom-domain.md), use it instead (for example. `https://portal.contoso.com`).
+
+ ```json
+ {
+ ...
+ "backendUrl": "https://contoso-api.developer.azure-api.net"
+ ...
+ ```
+
+### Configure the static website
+
+Configure the **Static website** feature in your storage account by providing routes to the index and error pages:
+
+1. Go to your storage account in the Azure portal and select **Static website** from the menu on the left.
+
+1. On the **Static website** page, select **Enabled**.
+
+1. In the **Index document name** field, enter *https://docsupdatetracker.net/index.html*.
+
+1. In the **Error document path** field, enter *404/https://docsupdatetracker.net/index.html*.
+
+1. Select **Save**.
+
+### Configure the CORS settings
+
+Configure the Cross-Origin Resource Sharing (CORS) settings:
+
+1. Go to your storage account in the Azure portal and select **CORS** from the menu on the left.
+
+1. In the **Blob service** tab, configure the following rules:
+
+ | Rule | Value |
+ | - | -- |
+ | Allowed origins | * |
+ | Allowed methods | Select all the HTTP verbs. |
+ | Allowed headers | * |
+ | Exposed headers | * |
+ | Max age | 0 |
+
+1. Select **Save**.
+
+## Step 3: Run the portal
+
+Now you can build and run a local portal instance in the development mode. In development mode, all the optimizations are turned off and the source maps are turned on.
+
+Run the following command:
+
+```console
+npm start
+```
+
+After a short time, the default browser automatically opens with your local developer portal instance. The default address is `http://localhost:8080`, but the port can change if `8080` is already occupied. Any changes to the codebase of the project will trigger a rebuild and refresh your browser window.
+
+## Step 4: Edit through the visual editor
+
+Use the visual editor to carry out these tasks:
+
+- Customize your portal
+- Author content
+- Organize the structure of the website
+- Stylize its appearance
+
+See [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md). It covers the basics of the administrative user interface and lists recommended changes to the default content. Save all changes in the local environment, and press **Ctrl+C** to close it.
+
+## Step 5: Publish locally
+
+The portal data originates in the form of strong-typed objects. The following command translates them into static files and places the output in the `./dist/website` directory:
+
+```console
+npm run publish
+```
+
+## Step 6: Upload static files to a blob
+
+Use Azure CLI to upload the locally generated static files to a blob, and make sure your visitors can get to them:
+
+1. Open Windows Command Prompt, PowerShell, or other command shell.
+
+1. Run the following Azure CLI command.
+
+ Replace `<account-connection-string>` with the connection string of your storage account. You can get it from the **Access keys** section of your storage account.
+
+ ```azurecli
+ az storage blob upload-batch --source dist/website \
+ --destination '$web' \
+ --connection-string <account-connection-string>
+ ```
++
+## Step 7: Go to your website
+
+Your website is now live under the hostname specified in your Azure Storage properties (**Primary endpoint** in **Static websites**).
+
+## Step 8: Change API Management notification templates
+
+Replace the developer portal URL in the API Management notification templates to point to your self-hosted portal. See [How to configure notifications and email templates in Azure API Management](api-management-howto-configure-notifications.md).
+
+In particular, carry out the following changes to the default templates:
+
+> [!NOTE]
+> The values in the following **Updated** sections assume that you're hosting the portal at **https:\//portal.contoso.com/**.
+
+### Email change confirmation
+
+Update the developer portal URL in the **Email change confirmation** notification template:
+
+**Original content**
+
+```html
+<a id="confirmUrl" href="$ConfirmUrl" style="text-decoration:none">
+ <strong>$ConfirmUrl</strong></a>
+```
+
+**Updated**
+
+```html
+<a id="confirmUrl" href="https://portal.contoso.com/signup?$ConfirmQuery" style="text-decoration:none">
+ <strong>https://portal.contoso.com/signup?$ConfirmQuery</strong></a>
+```
+
+### New developer account confirmation
+
+Update the developer portal URL in the **New developer account confirmation** notification template:
+
+**Original content**
+
+```html
+<a id="confirmUrl" href="$ConfirmUrl" style="text-decoration:none">
+ <strong>$ConfirmUrl</strong></a>
+```
+
+**Updated**
+
+```html
+<a id="confirmUrl" href="https://portal.contoso.com/signup?$ConfirmQuery" style="text-decoration:none">
+ <strong>https://portal.contoso.com/signup?$ConfirmQuery</strong></a>
+```
+
+### Invite user
+
+Update the developer portal URL in the **Invite user** notification template:
+
+**Original content**
+
+```html
+<a href="$ConfirmUrl">$ConfirmUrl</a>
+```
+
+**Updated**
+
+```html
+<a href="https://portal.contoso.com/confirm-v2/identities/basic/invite?$ConfirmQuery">https://portal.contoso.com/confirm-v2/identities/basic/invite?$ConfirmQuery</a>
+```
+
+### New subscription activated
+
+Update the developer portal URL in the **New subscription activated** notification template:
+
+**Original content**
+
+```html
+Thank you for subscribing to the <a href="http://$DevPortalUrl/products/$ProdId"><strong>$ProdName</strong></a> and welcome to the $OrganizationName developer community. We are delighted to have you as part of the team and are looking forward to the amazing applications you will build using our API!
+```
+
+**Updated**
+
+```html
+Thank you for subscribing to the <a href="https://portal.contoso.com/product#product=$ProdId"><strong>$ProdName</strong></a> and welcome to the $OrganizationName developer community. We are delighted to have you as part of the team and are looking forward to the amazing applications you will build using our API!
+```
+
+**Original content**
+
+```html
+Visit the developer <a href="http://$DevPortalUrl/developer">profile area</a> to manage your subscription and subscription keys
+```
+
+**Updated**
+
+```html
+Visit the developer <a href="https://portal.contoso.com/profile">profile area</a> to manage your subscription and subscription keys
+```
+
+**Original content**
+
+```html
+<a href="http://$DevPortalUrl/docs/services?product=$ProdId">Learn about the API</a>
+```
+
+**Updated**
+
+```html
+<a href="https://portal.contoso.com/product#product=$ProdId">Learn about the API</a>
+```
+
+**Original content**
+
+```html
+<p style="font-size:12pt;font-family:'Segoe UI'">
+ <strong>
+ <a href="http://$DevPortalUrl/applications">Feature your app in the app gallery</a>
+ </strong>
+</p>
+<p style="font-size:12pt;font-family:'Segoe UI'">You can publish your application on our gallery for increased visibility to potential new users.</p>
+<p style="font-size:12pt;font-family:'Segoe UI'">
+ <strong>
+ <a href="http://$DevPortalUrl/issues">Stay in touch</a>
+ </strong>
+</p>
+<p style="font-size:12pt;font-family:'Segoe UI'">
+ If you have an issue, a question, a suggestion, a request, or if you just want to tell us something, go to the <a href="http://$DevPortalUrl/issues">Issues</a> page on the developer portal and create a new topic.
+</p>
+```
+
+**Updated**
+
+```html
+<!--Remove the entire block of HTML code above.-->
+```
+
+### Password change confirmation
+
+Update the developer portal URL in the **Password change confirmation** notification template:
+
+**Original content**
+
+```html
+<a href="$DevPortalUrl">$DevPortalUrl</a>
+```
+
+**Updated**
+
+```html
+<a href="https://portal.contoso.com/confirm-password?$ConfirmQuery">https://portal.contoso.com/confirm-password?$ConfirmQuery</a>
+```
+
+### All templates
+
+Update the developer portal URL in any template that has a link in the footer:
+
+**Original content**
+
+```html
+<a href="$DevPortalUrl">$DevPortalUrl</a>
+```
+
+**Updated**
+
+```html
+<a href="https://portal.contoso.com/">https://portal.contoso.com/</a>
+```
+
+## Move from managed to self-hosted developer portal
+
+Over time, your business requirements may change. You can end up in a situation where the managed version of the API Management developer portal no longer satisfies your needs. For example, a new requirement may force you to build a custom widget that integrates with a third-party data provider. Unlike the manged version, the self-hosted version of the portal offers you full flexibility and extensibility.
+
+### Transition process
+
+You can transition from the managed version to a self-hosted version within the same API Management service instance. The process preserves the modifications that you've carried out in the managed version of the portal. Make sure you back up the portal's content beforehand. You can find the backup script in the `scripts` folder of the API Management developer portal [GitHub repo](https://github.com/Azure/api-management-developer-portal).
+
+The conversion process is almost identical to setting up a generic self-hosted portal, as shown in previous steps in this article. There is one exception in the configuration step. The storage account in the `config.design.json` file needs to be the same as the storage account of the managed version of the portal. See [Tutorial: Use a Linux VM system-assigned identity to access Azure Storage via a SAS credential](../active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md#get-a-sas-credential-from-azure-resource-manager-to-make-storage-calls) for instructions on how to retrieve the SAS URL.
+
+> [!TIP]
+> We recommend using a separate storage account in the `config.publish.json` file. This approach gives you more control and simplifies the management of the hosting service of your portal.
+
+## Enable CAPTCHA
+
+When setting up the self-hosted portal, you may have disabled CAPTCHA through the `useHipCaptcha` setting. Communication with CAPTCHA happens through an endpoint, which lets Cross-Origin Resource Sharing (CORS) happen for only the managed developer portal hostname. If your developer portal is self-hosted, it uses a different hostname and CAPTCHA won't allow the communication.
+
+### Update the JSON config files
+
+To enable the CAPTCHA in your self-hosted portal:
+
+1. Assign a custom domain (for example, `api.contoso.com`) to the **Developer portal** endpoint of your API Management service.
+
+ This domain applies to the managed version of your portal and the CAPTCHA endpoint. For steps, see [Configure a custom domain name for your Azure API Management instance](configure-custom-domain.md).
+
+1. Go to the `src` folder in the [local environment](#step-1-set-up-local-environment) for your self-hosted portal.
+
+1. Update the configuration `json` files:
+
+ | File | New value | Note |
+ | - | | - |
+ | `config.design.json`| `"backendUrl": "https://<custom-domain>"` | Replace `<custom-domain>` with the custom domain you set up in the first step. |
+ | | `"useHipCaptcha": true` | Change the value to `true` |
+ | `config.publish.json`| `"backendUrl": "https://<custom-domain>"` | Replace `<custom-domain>` with the custom domain you set up in the first step. |
+ | | `"useHipCaptcha": true` | Change the value to `true` |
+ | `config.runtime.json` | `"backendUrl": "https://<custom-domain>"` | Replace `<custom-domain>` with the custom domain you set up in the first step. |
+
+1. [Publish](#step-5-publish-locally) the portal.
+
+1. [Upload](#step-6-upload-static-files-to-a-blob) and host the newly published portal.
+
+1. Expose the self-hosted portal through a custom domain.
+
+The portal domain's first and second levels need to match the domain set up in the first step. For example, `portal.contoso.com`. The exact steps depend on your hosting platform of choice. If you used an Azure storage account, you can refer to [Map a custom domain to an Azure Blob Storage endpoint](../storage/blobs/storage-custom-domain-name.md) for instructions.
+
+## Next steps
+
+- Learn about [Alternative approaches to self-hosting](developer-portal-alternative-processes-self-host.md)
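Review bot: The table under "Configure the CORS settings" sets allowed origins, allowed headers and exposed headers to `*` and selects every HTTP verb on the Blob service, which is broader than the article justifies; list the portal origin (for example the `https://portal.contoso.com` host used later in the article) and only the verbs the portal needs, or explain why the wildcard is required. `config.design.json` and `config.publish.json` hold a `managementApiAccessToken` SAS token in the `src` folder of a cloned Git repository, and step 6 passes `<account-connection-string>` on the command line; add a caution against committing those files with real values and suggest supplying the connection string through an environment variable. In "Configure the static website", the index and error document values appear as `https://docsupdatetracker.net/index.html` and `404/https://docsupdatetracker.net/index.html`, which are URLs rather than document names and look wrong for those fields. The "Transition process" paragraph refers to the storage account in `config.design.json`, but the sample file shown under Step 2 has no storage setting, so name the key the reader is expected to add.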
api-management Developer Portal Testing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-testing.md
+
+ Title: Test the self-hosted developer portal
+
+description: Learn how to set up unit tests and end-to-end tests for your self-hosted API Management portal.
++ Last updated : 03/25/2021++++
+# Test the self-hosted developer portal
+
+This article explains how to set up unit tests and end-to-end tests for your [self-hosted portal](developer-portal-self-host.md).
+
+## Unit tests
+
+A unit test is an approach to validate small pieces of functionality. It's done in isolation from other parts of the application.
+
+### Example scenario
+
+In this scenario, you're testing a password input control. It only accepts passwords containing at least:
+
+- One letter
+
+- One number
+
+- One special character
+
+So, the test to validate these requirements looks like this:
+
+```typescript
+const passwordInput = new PasswordInput();
+
+passwordInput.value = "";
+expect(passwordInput.isValid).to.equal(false);
+
+passwordInput.value = "password";
+expect(passwordInput.isValid).to.equal(false);
+
+passwordInput.value = "p@ssw0rd";
+expect(passwordInput.isValid.to.equal(true);
+```
+
+### Project structure
+
+It's common to keep a unit test next to the component it's supposed to validate.
+
+```console
+component.ts
+component.spec.ts
+```
+
+### Mock HTTP requests
+
+There are cases when you expect a component to make HTTP requests. The component should react properly to different kind of responses. To simulate specific HTTP responses, use `MockHttpClient`. It implements the `HttpClient` interface used by many other components of the project.
+
+```typescript
+const httpClient = new MockHttpClient();
+
+httpClient.mock()
+ .get("/users/jane")
+ .reply(200, {
+ firstName: "Jane",
+ lastName: "Doe"
+ });
+```
+
+## End-to-end tests
+
+An end-to-end test executes a particular user scenario taking exact steps that you expect the user to carry out. In a web application like te Azure API Management developer portal, the user scrolls through the content and selects options to achieve certain results.
+
+To replicate user navigation, you can use browser manipulation helper libraries like [Puppeteer](https://github.com/puppeteer/puppeteer). It lets you simulate user actions and automate assumed scenarios. Puppeteer also automatically takes screenshots of pages or components at any stage of the test. Compare them later with previous results to catch deviations and potential regressions.
+
+### Example scenario
+
+In this scenario, you need to validate a user sign-in flow. This scenario would require the following steps:
+
+1. Open browser and navigate to the sign-in page.
+
+1. Enter the email address.
+
+1. Enter the password.
+
+1. Select **Sign-in**.
+
+1. Verify that user got redirected to Home page.
+
+1. Verify that the page includes the **Profile** menu item. It's one of the possible indicators that you successfully signed in.
+
+To run the test automatically, create a script with exactly the same steps:
+
+```typescript
+// 1. Open browser and navigate to the sign-in page.
+const page = await browser.newPage();
+await page.goto("https://contoso.com/signin");
+
+// 2. Enter email.
+await this.page.type("#email", "john.doe@contoso.com");
+
+// 3. Enter password.
+await this.page.type("#password", "p@s$w0rd");
+
+// 4. Click Sign-in.
+await this.page.click("#signin");
+
+// 5. Verify that user got redirected to Home page.
+expect(page.url()).to.equal("https://contoso.com");
+
+// 6. Verify that the page includes the Profile menu item.
+const profileMenuItem = await this.page.$("#profile");
+expect(profileMenuItem).not.equals(null);
+```
+
+> [!NOTE]
+> Strings such as "#email", "#password" and "#signin" are CSS-like selectors that identify HTML elements on the page. See the [Selectors Level 3](https://www.w3.org/TR/selectors-3/) W3C specification to learn more.
+
+### UI component maps
+
+User flows often go through the same pages or components. A good example is the main website menu that is present on every page.
+
+Create a UI component map to avoid configuring and updating the same selectors for every test. For example, you could replace steps 2 through 6 in the preceding example with just two lines:
+
+```typescript
+const signInWidget = new SigninBasicWidget(page);
+await signInWidget.signInWithBasic({ email: "...", password: "..." });
+```
+
+### Test configuration
+
+Certain scenarios may require pre-created data or configuration. For example, you may need to automate user sign-in with social media accounts. It's hard to create that data quickly or easily.
+
+For this purpose, you could add a special configuration file to your test scenario. The test scripts can pick up required data from the file. Depending on the build and test pipeline, the tests can pull the secrets from a named secure store.
+
+Here's an example of a `validate.config.json` that would be stored in the `src` folder of your project.
+
+```json
+{
+ "environment": "validation",
+ "urls": {
+ "home": "https://contoso.com",
+ "signin": "https://contoso.com/signin",
+ "signup": "https://contoso.com/signup/"
+ },
+ "signin": {
+ "firstName": "John",
+ "lastName": "Doe",
+ "credentials": {
+ "basic": {
+ "email": "johndoe@contoso.com",
+ "password": "< password >"
+ },
+ "aadB2C": {
+ "email": "johndoe@contoso.com",
+ "password": "< password >"
+ }
+ }
+ },
+ "signup": {
+ "firstName": "John",
+ "lastName": "Doe",
+ "credentials": {
+ "basic": {
+ "email": "johndoe@contoso.com",
+ "password": "< password >"
+ }
+ }
+ }
+}
+
+```
+
+### Headless vs normal tests
+
+Modern browsers such as Chrome or Microsoft Edge allows you to run automation in both headless mode and normal mode. The browser operates without a graphical user interface in headless mode. It still carries out the same page and Document Object Model (DOM) manipulations. The browser UI usually isn't needed in delivery pipelines. In that case, running tests in headless mode is a great option.
+
+When you develop a test script, it's useful to see what exactly is happening in the browser. That's a good time to use normal mode.
+
+To switch between the modes, change the option `headless` option in the `constants.ts` file. It's in the `tests` folder in your project:
+
+```typescript
+export const LaunchOptions = {
+ headless: false
+};
+```
+
+Another useful option is `slowMo`. It pauses the execution of the test between each action:
+
+```typescript
+export const LaunchOptions = {
+ slowMo: 200 // milliseconds
+};
+```
+
+## Run tests
+
+There are two built-in ways to execute tests in this project:
+
+**npm command**
+
+```console
+npm run test
+```
+
+**Test Explorer**
+
+The Test Explorer extension for VS Code (for example, [Mocha Test Explorer](https://marketplace.visualstudio.com/items?itemName=hbenl.vscode-mocha-test-adapter)) has a convenient UI and an option to run tests automatically on every change of the source code:
++
+## Next steps
+
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+
+- [Self-host the developer portal](developer-portal-self-host.md)
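Review bot: The last assertion in the unit test sample, `expect(passwordInput.isValid.to.equal(true);`, is missing the closing parenthesis after `isValid`, so the block does not parse; it should follow the form of the two assertions above it. In the end-to-end script, step 1 declares a local `page` while steps 2 through 6 use `this.page`, and step 5 reads `page.url()` straight after `click("#signin")` without waiting for the navigation, so the check can run before the redirect; use one reference throughout and await the navigation before asserting. For `validate.config.json`, the text says tests can pull secrets from a secure store, but the sample keeps `password` fields in a file under `src`; say that the file should hold placeholders only and be excluded from source control. The "Test Explorer" paragraph ends with a colon and nothing follows it.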
api-management Developer Portal Use Community Widgets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-use-community-widgets.md
+
+ Title: Use community widgets in developer portal
+
+description: Learn about community widgets for the API Management developer portal and how to inject and use them in your code.
++ Last updated : 03/25/2021++++
+# Use community widgets in the developer portal
+
+All developers place their community-contributed widgets in the `/community/widgets/` folder of the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal). Each has been accepted by the developer portal team. You can use the widgets by injecting them into your [self-hosted version](developer-portal-self-host.md) of the portal. The managed version of the developer portal doesn't currently support community widgets.
+
+> [!NOTE]
+> The developer portal team thoroughly inspects contributed widgets and their dependencies. However, the team canΓÇÖt guarantee itΓÇÖs safe to load the widgets. Use your own judgment when deciding to use a widget contributed by the community. Refer to our [widget contribution guidelines](developer-portal-widget-contribution-guidelines.md#contribution-guidelines) to learn about our preventive measures.
+
+## Inject and use external widgets
+
+1. Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
+
+1. Go to the widget's folder in the `/community/widgets` directory. Read the widget's description in the `readme.md` file.
+
+1. Register the widget in the portal's modules:
+
+ 1. `src/apim.design.module.ts` - a module that registers design-time dependencies.
+
+ ```typescript
+ import { WidgetNameDesignModule } from "../community/widgets/<widget-name>/widget.design.module";
+
+ ...
+
+ injector.bindModule(new WidgetNameDesignModule());
+ ```
+
+ 1. `src/apim.publish.module.ts` - a module that registers publish-time dependencies.
+
+ ```typescript
+ import { WidgetNamePublishModule } from "../community/widgets/<widget-name>/widget.publish.module";
+
+ ...
+
+ injector.bindModule(new WidgetNamePublishModule());
+ ```
+
+ 1. `src/apim.runtime.module.ts` - a module that registers run-time dependencies.
+
+ ```typescript
+ import { WidgetNameRuntimeModule } from "../community/widgets/<widget-name>/widget.runtime.module";
+
+ ...
+
+ injector.bindModule(new WidgetNameRuntimeModule());
+ ```
+
+1. Check if the widget has an `npm_dependencies` file.
+
+1. If so, copy the commands from the file and run them in the repository's top directory.
+
+ Doing so will install the widget's dependencies.
+
+1. Run `npm start`.
+
+You can see the widget in the **Community** category in the widget selector.
+++
+## Next steps
++
+Learn more about the developer portal:
+
+- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)
+
+- [Contribute widgets](developer-portal-widget-contribution-guidelines.md)
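Review bot: The `npm_dependencies` steps in "Inject and use external widgets" tell the reader to copy the commands from the widget's file and run them in the repository's top directory, while the note above says the team can't guarantee that widgets are safe to load; add a step to read those commands and confirm that every package is pinned to an explicit version before running them. The note also contains mis-encoded apostrophes ("canΓÇÖt", "itΓÇÖs"), and the opening sentence "All developers place their community-contributed widgets" reads better as "Community-contributed widgets are placed in".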
api-management Developer Portal Widget Contribution Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/developer-portal-widget-contribution-guidelines.md
+
+ Title: How to contribute widgets for developer portal
+
+description: Learn about recommended guidelines to follow when you contribute a widget to the API Management developer portal repository.
++ Last updated : 03/25/2021++++
+# How to contribute widgets to the API Management developer portal
+
+If you'd like to contribute a widget to the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal), follow this three-step process:
+
+1. Fork the repository.
+
+1. Implement the widget.
+
+1. Open a pull request to include your widget in the official repository.
+
+Your widget will inherit the repository's license. It will be available for [opt-in installation](developer-portal-use-community-widgets.md) in the self-hosted version of the portal. The developer portal team may decide to also include it in the managed version of the portal.
+
+Refer to the [widget implementation](developer-portal-implement-widgets.md) tutorial for an example of how to develop your own widget.
+
+## Contribution guidelines
+
+This guidance is intended to ensure the safety and privacy of our customers and the visitors to their portals. Follow these guidelines to ensure your contribution is accepted:
+
+1. Place your widget in the `community/widgets/<your-widget-name>` folder.
+
+1. Your widget's name must be lowercase and alphanumeric with dashes separating the words. For example, `my-new-widget`.
+
+1. The folder must contain a screenshot of your widget in a published portal.
+
+1. The folder must contain a `readme.md` file, which follows the template from the `/scaffolds/widget/readme.md` file.
+
+1. The folder can contain an `npm_dependencies` file with npm commands to install or manage the widget's dependencies.
+
+ Explicitly specify the version of every dependency. For example:
+
+ ```console
+ npm install azure-storage@2.10.3 axios@0.19.1
+ ```
+
+ Your widget should require minimal dependencies. Every dependency will be carefully inspected by the reviewers. In particular, the core logic of your widget should be open-sourced in your widget's folder. Don't wrap it in an npm package.
+
+1. Changes to any files outside your widget's folder aren't allowed as part of a widget contribution. That includes, but isn't limited to, the `/package.json` file.
+
+1. Injecting tracking scripts or sending customer-authored data to custom services isn't allowed.
+
+ > [!NOTE]
+ > You can only collect customer-authored data through the `Logger` interface.
+
+## Next steps
+
+- For more information about contributions, see the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal/).
+
+- See [Implement widgets](developer-portal-implement-widgets.md) to learn how to develop your own widget, step by step.
+
+- See [Use community widgets](developer-portal-use-community-widgets.md) to learn how to use widgets contributed by the community.
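Review bot: The `npm_dependencies` guideline has contributors supply commands such as `npm install azure-storage@2.10.3 axios@0.19.1`, and the next guideline forbids changes to `/package.json`, but `npm install <package>` writes the package into `package.json` by default; say whether contributors should run it with `--no-save` or leave the resulting change out of the pull request. The note "You can only collect customer-authored data through the `Logger` interface" names an interface the article never links or describes, so point it to where `Logger` is defined.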
api-management Get Started Create Service Instance Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/get-started-create-service-instance-cli.md
This quickstart describes the steps for creating a new API Management instance u
Azure API Management instances, like all Azure resources, must be deployed into a resource group. Resource groups allow you to organize and manage related Azure resources.
-First, create a resource group named *myResourceGroup* in the Central US location with the following [az group create](/cli/azure/group#az-group-create) command:
+First, create a resource group named *myResourceGroup* in the Central US location with the following [az group create](/cli/azure/group#az_group_create) command:
```azurecli-interactive az group create --name myResourceGroup --location centralus
az group create --name myResourceGroup --location centralus
## Create a new service
-Now that you have a resource group, you can create an API Management service instance. Create one by using the [az apim create](/cli/azure/apim#az-apim-create) command and provide a service name and publisher details. The service name must be unique within Azure.
+Now that you have a resource group, you can create an API Management service instance. Create one by using the [az apim create](/cli/azure/apim#az_apim_create) command and provide a service name and publisher details. The service name must be unique within Azure.
In the following example, *myapim* is used for the service name. Update the name to a unique value. Also update the name of the API publisher's organization and the email address to receive notifications.
By default, the command creates the instance in the Developer tier, an economica
> [!TIP] > It can take between 30 and 40 minutes to create and activate an API Management service in this tier. The previous command uses the `--no-wait` option so that the command returns immediately while the service is created.
-Check the status of the deployment by running the [az apim show](/cli/azure/apim#az-apim-show) command:
+Check the status of the deployment by running the [az apim show](/cli/azure/apim#az_apim_show) command:
```azurecli-interactive az apim show --name myapim --resource-group myResourceGroup --output table
When your API Management service instance is online, you're ready to use it. Sta
## Clean up resources
-When no longer needed, you can use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group and the API Management service instance.
+When no longer needed, you can use the [az group delete](/cli/azure/group#az_group_delete) command to remove the resource group and the API Management service instance.
```azurecli-interactive az group delete --name myResourceGroup
app-service App Service Authentication How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-authentication-how-to.md
You can view the current version of the platform authentication middleware eithe
##### From the Azure CLI
-Using the Azure CLI, view the current middleware version with the [az webapp auth show](/cli/azure/webapp/auth#az-webapp-auth-show) command.
+Using the Azure CLI, view the current middleware version with the [az webapp auth show](/cli/azure/webapp/auth#az_webapp_auth_show) command.
```azurecli-interactive az webapp auth show --name <my_app_name> \
You can also hit /.auth/version endpoint on an app also to view the current midd
#### Update the current runtime version
-Using the Azure CLI, you can update the `runtimeVersion` setting in the app with the [az webapp auth update](/cli/azure/webapp/auth#az-webapp-auth-update) command.
+Using the Azure CLI, you can update the `runtimeVersion` setting in the app with the [az webapp auth update](/cli/azure/webapp/auth#az_webapp_auth_update) command.
```azurecli-interactive az webapp auth update --name <my_app_name> \
az webapp auth update --name <my_app_name> \
Replace `<my_app_name>` with the name of your app. Also replace `<my_resource_group>` with the name of the resource group for your app. Also, replace `<version>` with a valid version of the 1.x runtime or `~1` for the latest version. You can find the release notes on the different runtime versions [here] (https://github.com/Azure/app-service-announcements) to help determine the version to pin to.
-You can run this command from the [Azure Cloud Shell](../cloud-shell/overview.md) by choosing **Try it** in the preceding code sample. You can also use the [Azure CLI locally](/cli/azure/install-azure-cli) to execute this command after executing [az login](/cli/azure/reference-index#az-login) to sign in.
+You can run this command from the [Azure Cloud Shell](../cloud-shell/overview.md) by choosing **Try it** in the preceding code sample. You can also use the [Azure CLI locally](/cli/azure/install-azure-cli) to execute this command after executing [az login](/cli/azure/reference-index#az_login) to sign in.
## Next steps
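Review bot: In the unchanged paragraph after the `az webapp auth update` sample, `[here] (https://github.com/Azure/app-service-announcements)` has a space between `]` and `(`, so it won't render as a link; fix it in this change and replace "here" with descriptive link text such as "release notes".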
app-service App Service Key Vault References https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-key-vault-references.md
In order to read secrets from Key Vault, you need to have a vault created and gi
> [!NOTE] > Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.
-1. Create an [access policy in Key Vault](../key-vault/general/secure-your-key-vault.md#key-vault-access-policies) for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or `applicationId` settings, as this is not compatible with a managed identity.
+1. Create an [access policy in Key Vault](../key-vault/general/security-overview.md#privileged-access) for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or `applicationId` settings, as this is not compatible with a managed identity.
### Access network-restricted vaults
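Review bot: The access-policy step now links to `security-overview.md#privileged-access`, but the link text still reads "access policy in Key Vault" and the step depends on the reader creating a policy with the "Get" secret permission; confirm that the new target section explains how to create an access policy, or link to the article that does.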
app-service App Service Web Tutorial Connect Msi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-connect-msi.md
First enable Azure AD authentication to SQL Database by assigning an Azure AD us
If your Azure AD tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md).
-Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.
+Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az_ad_user_list) and replace *\<user-principal-name>*. The result is saved to a variable.
```azurecli-interactive azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query [].objectId --output tsv)
azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-na
> To see the list of all user principal names in Azure AD, run `az ad user list --query [].userPrincipalName`. >
-Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).
+Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).
```azurecli-interactive az sql server ad-admin create --resource-group myResourceGroup --server-name <server-name> --display-name ADMIN --object-id $azureaduser
Next, you configure your App Service app to connect to SQL Database with a syste
### Enable managed identity on app
-To enable a managed identity for your Azure app, use the [az webapp identity assign](/cli/azure/webapp/identity#az-webapp-identity-assign) command in the Cloud Shell. In the following command, replace *\<app-name>*.
+To enable a managed identity for your Azure app, use the [az webapp identity assign](/cli/azure/webapp/identity#az_webapp_identity_assign) command in the Cloud Shell. In the following command, replace *\<app-name>*.
```azurecli-interactive az webapp identity assign --resource-group myResourceGroup --name <app-name>
app-service App Service Web Tutorial Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-rest-api.md Binary files differ
app-service Configure Connect To Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-connect-to-azure-storage.md
This guide shows how to attach Azure Storage to a Linux container App Service. B
Once you've created your [Azure Storage account, file share and directory](#prerequisites), you can now configure your app with Azure Storage.
-To mount an Azure Files Share to a directory in your App Service app, you use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az-webapp-config-storage-account-add) command. Storage Type must be AzureFiles.
+To mount an Azure Files Share to a directory in your App Service app, you use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) command. Storage Type must be AzureFiles.
```azurecli az webapp config storage-account add --resource-group <group-name> --name <app-name> --custom-id <custom-id> --storage-type AzureFiles --share-name <share-name> --account-name <storage-account-name> --access-key "<access-key>" --mount-path <mount-path-directory of form c:<directory name> >
You should do this for any other directories you want to be linked to an Azure F
Once you've created your [Azure Storage account, file share and directory](#prerequisites), you can now configure your app with Azure Storage.
-To mount a storage account to a directory in your App Service app, you use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az-webapp-config-storage-account-add) command. Storage Type can be AzureBlob or AzureFiles. AzureFiles is used in this example. The mount path setting corresponds to the folder inside the container that you want to mount to Azure Storage. Setting it to '/' mounts the entire container to Azure Storage.
+To mount a storage account to a directory in your App Service app, you use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) command. Storage Type can be AzureBlob or AzureFiles. AzureFiles is used in this example. The mount path setting corresponds to the folder inside the container that you want to mount to Azure Storage. Setting it to '/' mounts the entire container to Azure Storage.
> [!CAUTION]
app-service Configure Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-custom-container.md
SSH enables secure communication between a container and a client. In order for
Multi-container apps like WordPress need persistent storage to function properly. To enable it, your Docker Compose configuration must point to a storage location *outside* your container. Storage locations inside your container don't persist changes beyond app restart.
-Enable persistent storage by setting the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting, using the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in [Cloud Shell](https://shell.azure.com).
+Enable persistent storage by setting the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting, using the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in [Cloud Shell](https://shell.azure.com).
```azurecli-interactive az webapp config appsettings set --resource-group <group-name> --name <app-name> --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE
app-service Configure Encrypt At Rest Using Cmk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-encrypt-at-rest-using-cmk.md
Adding this application setting causes your web app to restart. After the app ha
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.
-1. Use the following [`az keyvault create`](/cli/azure/keyvault#az-keyvault-create) command to create a Key Vault instance.
+1. Use the following [`az keyvault create`](/cli/azure/keyvault#az_keyvault_create) command to create a Key Vault instance.
```azurecli az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application sett
1. Follow [these instructions to grant your app access](app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault:
-1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az-keyvault-secret-set) command to add your external URL as a secret in your key vault:
+1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az_keyvault_secret_set) command to add your external URL as a secret in your key vault:
```azurecli az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>" ```
-1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:
+1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:
```azurecli az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
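Review bot: In the `az webapp config appsettings set` sample under the last changed step, the value `@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"` never closes the parenthesis opened after `@Microsoft.KeyVault`; add `)` before the closing quote so the setting is a well-formed Key Vault reference.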
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-java.md
Use [FTPS](deploy-ftp.md) to download your JFR file to your local machine. To an
::: zone pivot="platform-windows"
-Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-windows) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az-webapp-log-config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.
+Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-windows) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az_webapp_log_config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. Logging to the local App Service filesystem instance is disabled 12 hours after it is configured. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.
::: zone-end ::: zone pivot="platform-linux"
-Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az-webapp-log-config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.
+Enable [application logging](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) through the Azure portal or [Azure CLI](/cli/azure/webapp/log#az_webapp_log_config) to configure App Service to write your application's standard console output and standard console error streams to the local filesystem or Azure Blob Storage. If you need longer retention, configure the application to write output to a Blob storage container. Your Java and Tomcat app logs can be found in the */home/LogFiles/Application/* directory.
Azure Blob Storage logging for Linux based App Services can only be configured using [Azure Monitor (preview)](./troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor-preview)
app-service Configure Language Php https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-php.md
getenv("DB_HOST")
The web framework of your choice may use a subdirectory as the site root. For example, [Laravel](https://laravel.com/), uses the *public/* subdirectory as the site root.
-To customize the site root, set the virtual application path for the app by using the [`az resource update`](/cli/azure/resource#az-resource-update) command. The following example sets the site root to the *public/* subdirectory in your repository.
+To customize the site root, set the virtual application path for the app by using the [`az resource update`](/cli/azure/resource#az_resource_update) command. The following example sets the site root to the *public/* subdirectory in your repository.
```azurecli-interactive az resource update --name web --resource-group <group-name> --namespace Microsoft.Web --resource-type config --parent sites/<app-name> --set properties.virtualApplications[0].physicalPath="site\wwwroot\public" --api-version 2015-06-01
When a working PHP app behaves differently in App Service or has errors, try the
> [App Service Linux FAQ](faq-app-service-linux.md) ::: zone-end-
app-service Configure Language Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-python.md
You can use either the [Azure portal](https://portal.azure.com) or the Azure CLI
- **Azure CLI**: you have two options. - Run commands in the [Azure Cloud Shell](../cloud-shell/overview.md).
- - Run commands locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login).
+ - Run commands locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az_login).
> [!NOTE] > Linux is currently the recommended option for running Python apps in App Service. For information on the Windows option, see [Python on the Windows flavor of App Service](/visualstudio/python/managing-python-on-azure-app-service).
app-service Deploy Ci Cd Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-ci-cd-custom-container.md Binary files differ
app-service Deploy Configure Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-configure-credentials.md Binary files differ
app-service Deploy Container Github Action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-container-github-action.md
A publish profile is an app-level credential. Set up your publish profile as a G
# [Service principal](#tab/service-principal)
-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
+You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
```azurecli-interactive az ad sp create-for-rbac --name "myApp" --role contributor \
app-service Deploy Continuous Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-continuous-deployment.md
You can customize the GitHub Actions build provider in the following ways:
This optional configuration replaces the default authentication with publishing profiles in the generated workflow file.
-1. Generate a service principal with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). In the following example, replace *\<subscription-id>*, *\<group-name>*, and *\<app-name>* with your own values:
+1. Generate a service principal with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). In the following example, replace *\<subscription-id>*, *\<group-name>*, and *\<app-name>* with your own values:
```azurecli-interactive az ad sp create-for-rbac --name "myAppDeployAuth" --role contributor \
app-service Deploy Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-github-actions.md
A publish profile is an app-level credential. Set up your publish profile as a G
# [Service principal](#tab/userlevel)
-You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
+You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
```azurecli-interactive az ad sp create-for-rbac --name "myApp" --role contributor \
app-service Deploy Local Git https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-local-git.md
If you haven't created an app yet, see [Create a Git enabled app](#create-a-git-
# [Azure CLI](#tab/cli)
-Run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-local-git). For example:
+Run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_local_git). For example:
```azurecli-interactive az webapp deployment source config-local-git --name <app-name> --resource-group <group-name>
app-service Deploy Run Package https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-run-package.md
az webapp config appsettings set --resource-group <group-name> --name <app-name>
## Run the package
-The easiest way to run a package in your App Service is with the Azure CLI [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip) command. For example:
+The easiest way to run a package in your App Service is with the Azure CLI [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_zip) command. For example:
```azurecli-interactive az webapp deployment source config-zip --resource-group <group-name> --name <app-name> --src <filename>.zip
app-service Deploy Staging Slots https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-staging-slots.md
After the setting is saved, the specified percentage of clients is randomly rout
After a client is automatically routed to a specific slot, it's "pinned" to that slot for the life of that client session. On the client browser, you can see which slot your session is pinned to by looking at the `x-ms-routing-name` cookie in your HTTP headers. A request that's routed to the "staging" slot has the cookie `x-ms-routing-name=staging`. A request that's routed to the production slot has the cookie `x-ms-routing-name=self`. > [!NOTE]
- > Next to the Azure portal, you can also use the [`az webapp traffic-routing set`](/cli/azure/webapp/traffic-routing#az-webapp-traffic-routing-set) command in the Azure CLI to set the routing percentages from CI/CD tools like DevOps pipelines or other automation systems.
+ > Next to the Azure portal, you can also use the [`az webapp traffic-routing set`](/cli/azure/webapp/traffic-routing#az_webapp_traffic_routing_set) command in the Azure CLI to set the routing percentages from CI/CD tools like DevOps pipelines or other automation systems.
> ### Route production traffic manually
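Review bot: In the changed note, "Next to the Azure portal" should read "In addition to the Azure portal"; the current wording reads as a location rather than an alternative way to set the routing percentages.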
app-service Deploy Zip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-zip.md
The above endpoint does not work for Linux App Services at this time. Consider u
## Deploy ZIP file with Azure CLI
-Deploy the uploaded ZIP file to your web app by using the [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip) command.
+Deploy the uploaded ZIP file to your web app by using the [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_zip) command.
The following example deploys the ZIP file you uploaded. When using a local installation of Azure CLI, specify the path to your local ZIP file for `--src`.
app-service Faq App Service Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/faq-app-service-linux.md
Provide the full registry URL, including `http://` or `https://`.
**What is the format for the image name in the private registry option?**
-Add the full image name, including the private registry URL (for example, myacr.azurecr.io/dotnet:latest). Image names that use a custom port [cannot be entered through the portal](https://feedback.azure.com/forums/169385-web-apps/suggestions/31304650). To set `docker-custom-image-name`, use the [`az` command-line tool](/cli/azure/webapp/config/container#az-webapp-config-container-set).
+Add the full image name, including the private registry URL (for example, myacr.azurecr.io/dotnet:latest). Image names that use a custom port [cannot be entered through the portal](https://feedback.azure.com/forums/169385-web-apps/suggestions/31304650). To set `docker-custom-image-name`, use the [`az` command-line tool](/cli/azure/webapp/config/container#az_webapp_config_container_set).
**Can I expose more than one port on my custom container image?**
app-service Overview Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-managed-identity.md
To set up a managed identity using the Azure CLI, you will need to use the `az w
The following steps will walk you through creating a web app and assigning it an identity using the CLI:
-1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account that's associated with the Azure subscription under which you would like to deploy the application:
+1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az_login). Use an account that's associated with the Azure subscription under which you would like to deploy the application:
```azurecli-interactive az login
app-service Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview.md
App Service can also host web apps natively on Linux for supported application s
### Built-in languages and frameworks
-App Service on Linux supports a number of language specific built-in images. Just deploy your code. Supported languages include: Node.js, Java (JRE 8 & JRE 11), PHP, Python, .NET Core, and Ruby. Run [`az webapp list-runtimes --linux`](/cli/azure/webapp#az-webapp-list-runtimes) to view the latest languages and supported versions. If the runtime your application requires is not supported in the built-in images, you can deploy it with a custom container.
+App Service on Linux supports a number of language specific built-in images. Just deploy your code. Supported languages include: Node.js, Java (JRE 8 & JRE 11), PHP, Python, .NET Core, and Ruby. Run [`az webapp list-runtimes --linux`](/cli/azure/webapp#az_webapp_list_runtimes) to view the latest languages and supported versions. If the runtime your application requires is not supported in the built-in images, you can deploy it with a custom container.
Outdated runtimes are periodically removed from the Web Apps Create and Configuration blades in the Portal. These runtimes are hidden from the Portal when they are deprecated by the maintaining organization or found to have significant vulnerabilities. These options are hidden to guide customers to the latest runtimes where they will be the most successful.
app-service Quickstart Arm Template Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arm-template-uiex.md
az deployment group create --resource-group myResourceGroup --parameters webAppN
<ul> <li>Create a default <abbr title="A logical container for related Azure resources that you can manage as a unit.">resource group</abbr>.</li> <li>Create a default <abbr title="The plan that specifies the location, size, and features of the web server farm that hosts your app.">App Service plan</abbr>.</li>
-<li><a href="/cli/azure/webapp#az-webapp-create">Create an <abbr title="The representation of your web app, which contains your app code, DNS hostnames, certificates, and related resources.">App Service app</abbr></a> with the specified name.</li>
+<li><a href="/cli/azure/webapp#az_webapp_create">Create an <abbr title="The representation of your web app, which contains your app code, DNS hostnames, certificates, and related resources.">App Service app</abbr></a> with the specified name.</li>
</ul> </details>
When no longer needed, [delete the resource group](../azure-resource-manager/man
- [PHP with MySQL](tutorial-php-mysql-app.md) - [Connect to Azure SQL database with Java](../azure-sql/database/connect-query-java.md?toc=%2fazure%2fjava%2ftoc.json) - [Map custom domain](app-service-web-tutorial-custom-domain-uiex.md)-
app-service Quickstart Dotnetcore Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-dotnetcore-uiex.md
az login
<li>If the <code>az</code> command isn't recognized, be sure you have the Azure CLI installed as described in <a href="#1-prepare-your-environment">Prepare your environment</a>.</li> <li>Replace <code>&lt;app-name&gt;</code> with a name that's unique across all of Azure (<em>valid characters are <code>a-z</code>, <code>0-9</code>, and <code>-</code></em>). A good pattern is to use a combination of your company name and an app identifier.</li> <li>The <code>--sku F1</code> argument creates the web app on the Free pricing tier. Omit this argument to use a faster premium tier, which incurs an hourly cost.</li>
- <li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az-appservice-list-locations"><code>az account list-locations</code></a> command.</li>
+ <li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az_appservice_list_locations"><code>az account list-locations</code></a> command.</li>
</ul> </details>
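Review bot: The link on the added `<li>` displays `az account list-locations` but points at `/cli/azure/appservice#az_appservice_list_locations`, so the command shown and the reference it targets disagree both before and after this change. Either point the link at the reference for `az account list-locations` or change the link text to the `az appservice list-locations` command that the anchor names. The same text and target pairing appears in the other quickstart hunks that touch this bullet.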
az login
<ul> <li>Create a default resource group.</li> <li>Create a default App Service plan.</li>
- <li><a href="/cli/azure/webapp#az-webapp-create">Create an App Service app</a> with the specified name.</li>
+ <li><a href="/cli/azure/webapp#az_webapp_create">Create an App Service app</a> with the specified name.</li>
<li><a href="/azure/app-service/deploy-zip">Zip deploy</a> files from the current working directory to the app.</li> <li>While running, it provides messages about resource creation, logging, and ZIP deployment.</li> </ul>
app-service Quickstart Dotnetcore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-dotnetcore.md
az webapp up --sku F1 --name <app-name> --os-type <os>
- Replace `<app-name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier. - The `--sku F1` argument creates the web app on the **Free** [pricing tier][app-service-pricing-tier]. Omit this argument to use a faster premium tier, which incurs an hourly cost. - Replace `<os>` with either `linux` or `windows`. You must use `windows` when targeting *ASP.NET Framework 4.8*.-- You can optionally include the argument `--location <location-name>` where `<location-name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az-appservice-list-locations) command.
+- You can optionally include the argument `--location <location-name>` where `<location-name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command.
The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and hosting app, configuring logging, then performing ZIP deployment. It then outputs a message with the app's URL:
app-service Quickstart Html Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-html-uiex.md
az webapp up --location westeurope --name <app_name> --html
<li>Replace <code>&lt;app-name&gt;</code> with a name that's unique across all of Azure (<em>valid characters are <code>a-z</code>, <code>0-9</code>, and <code>-</code></em>). A good pattern is to use a combination of your company name and an app identifier.</li> <li>The <code>--sku F1</code> argument creates the web app on the Free pricing tier. Omit this argument to use a faster premium tier, which incurs an hourly cost.</li> <li>The <code>--html</code> argument says to treat all folder content as static content and disable build automation.</li>
-<li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az-appservice-list-locations"><code>az account list-locations</code></a> command.</li>
+<li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az_appservice_list_locations"><code>az account list-locations</code></a> command.</li>
</ul> </details>
The command may take a few minutes to complete.
<ul> <li>Create a default resource group.</li> <li>Create a default App Service plan.</li>
-<li><a href="/cli/azure/webapp#az-webapp-create">Create an App Service app</a> with the specified name.</li>
+<li><a href="/cli/azure/webapp#az_webapp_create">Create an App Service app</a> with the specified name.</li>
<li><a href="/azure/app-service/deploy-zip">Zip deploy</a> files from the current working directory to the app.</li> <li>While running, it provides messages about resource creation, logging, and ZIP deployment.</li> </ul>
app-service Quickstart Multi Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-multi-container.md
cd multicontainerwordpress
[!INCLUDE [resource group intro text](../../includes/resource-group.md)]
-In the Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az-group-create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az-appservice-list-locations) command.
+In the Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az_group_create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az_appservice_list_locations) command.
```azurecli-interactive az group create --name myResourceGroup --location "South Central US"
When the command finishes, a JSON output shows you the resource group properties
## Create an Azure App Service plan
-In the Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) command.
+In the Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command.
The following example creates an App Service plan named `myAppServicePlan` in the **Standard** pricing tier (`--sku S1`) and in a Linux container (`--is-linux`).
When the App Service plan has been created, the Azure CLI shows information simi
> [!NOTE] > Docker Compose on Azure App Services currently has a limit of 4,000 characters at this time.
-In your Cloud Shell terminal, create a multi-container [web app](overview.md#app-service-on-linux) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az-webapp-create) command. Don't forget to replace _\<app_name>_ with a unique app name (valid characters are `a-z`, `0-9`, and `-`).
+In your Cloud Shell terminal, create a multi-container [web app](overview.md#app-service-on-linux) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az_webapp_create) command. Don't forget to replace _\<app_name>_ with a unique app name (valid characters are `a-z`, `0-9`, and `-`).
```azurecli az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app_name> --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml
app-service Quickstart Php https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-php.md
In your terminal window, press **Ctrl+C** to exit the web server.
## Create a web app
-In the Cloud Shell, create a web app in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp#az-webapp-create) command.
+In the Cloud Shell, create a web app in the `myAppServicePlan` App Service plan with the [`az webapp create`](/cli/azure/webapp#az_webapp_create) command.
-In the following example, replace `<app-name>` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp#az-webapp-list-runtimes).
+In the following example, replace `<app-name>` with a globally unique app name (valid characters are `a-z`, `0-9`, and `-`). The runtime is set to `PHP|7.4`. To see all supported runtimes, run [`az webapp list-runtimes`](/cli/azure/webapp#az_webapp_list_runtimes).
```azurecli-interactive # Bash
app-service Quickstart Python 1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python-1.md
az webapp up --sku B1 --name <app-name>
- If the `webapp` command isn't recognized, because that your Azure CLI version is 2.0.80 or higher. If not, [install the latest version](/cli/azure/install-azure-cli). - Replace `<app_name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier. - The `--sku B1` argument creates the web app on the Basic pricing tier, which incurs a small hourly cost. Omit this argument to use a faster premium tier.-- You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az-appservice-list-locations) command.
+- You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command.
- If you see the error, "Could not auto-detect the runtime stack of your app," make sure you're running the command in the *python-docs-hello-world* folder (Flask) or the *python-docs-hello-django* folder (Django) that contains the *requirements.txt* file. (See [Troubleshooting auto-detect issues with az webapp up](https://github.com/Azure/app-service-linux-docs/blob/master/AzWebAppUP/runtime_detection.md) (GitHub).) The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan and hosting app, configuring logging, then performing ZIP deployment. It then gives the message, "You can launch the app at http://&lt;app-name&gt;.azurewebsites.net", which is the app's URL on Azure.
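Review bot: The added `--location` bullet spells one placeholder two ways, `--location <location-name>` and then "where `<location_name>` is ...", and the hunk's context has the same split between `az webapp up --sku B1 --name <app-name>` and "Replace `<app_name>`". Use the hyphenated form throughout so it matches the command line shown. The first context bullet ("If the `webapp` command isn't recognized, because that your Azure CLI version ...") also reads as if a word was lost and is worth fixing in the same pass.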
app-service Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python.md
az webapp up --sku B1 --name <app-name>
- If the `webapp` command isn't recognized, because that your Azure CLI version is 2.0.80 or higher. If not, [install the latest version](/cli/azure/install-azure-cli). - Replace `<app_name>` with a name that's unique across all of Azure (*valid characters are `a-z`, `0-9`, and `-`*). A good pattern is to use a combination of your company name and an app identifier. - The `--sku B1` argument creates the web app on the Basic pricing tier, which incurs a small hourly cost. Omit this argument to use a faster premium tier.-- You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az-appservice-list-locations) command.
+- You can optionally include the argument `--location <location-name>` where `<location_name>` is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the [`az account list-locations`](/cli/azure/appservice#az_appservice_list_locations) command.
- If you see the error, "Could not auto-detect the runtime stack of your app," make sure you're running the command in the *python-docs-hello-world* folder (Flask) or the *python-docs-hello-django* folder (Django) that contains the *requirements.txt* file. (See [Troubleshooting auto-detect issues with az webapp up](https://github.com/Azure/app-service-linux-docs/blob/master/AzWebAppUP/runtime_detection.md) (GitHub).) The command may take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan and hosting app, configuring logging, then performing ZIP deployment. It then gives the message, "You can launch the app at http://&lt;app-name&gt;.azurewebsites.net", which is the app's URL on Azure.
app-service Cli Backup Onetime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-backup-onetime.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az storage account create`](/cli/azure/storage/account#az-storage-account-create) | Creates a storage account. |
-| [`az storage container create`](/cli/azure/storage/container#az-storage-container-create) | Creates an Azure storage container. |
-| [`az storage container generate-sas`](/cli/azure/storage/container#az-storage-container-generate-sas) | Generates an SAS token for an Azure storage container. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp config backup create`](/cli/azure/webapp/config/backup#az-webapp-config-backup-create) | Creates a backup for an App Service app. |
-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az-webapp-config-backup-list) | Gets a list of backups for an App Service app. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az storage account create`](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |
+| [`az storage container create`](/cli/azure/storage/container#az_storage_container_create) | Creates an Azure storage container. |
+| [`az storage container generate-sas`](/cli/azure/storage/container#az_storage_container_generate_sas) | Generates an SAS token for an Azure storage container. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp config backup create`](/cli/azure/webapp/config/backup#az_webapp_config_backup_create) | Creates a backup for an App Service app. |
+| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az_webapp_config_backup_list) | Gets a list of backups for an App Service app. |
## Next steps
app-service Cli Backup Restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-backup-restore.md Binary files differ
app-service Cli Backup Scheduled https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-backup-scheduled.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az storage account create`](/cli/azure/storage/account#az-storage-account-create) | Creates a storage account. |
-| [`az storage container create`](/cli/azure/storage/container#az-storage-container-create) | Creates an Azure storage container. |
-| [`az storage container generate-sas`](/cli/azure/storage/container#az-storage-container-generate-sas) | Generates an SAS token for an Azure storage container. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp config backup update`](/cli/azure/webapp/config/backup#az-webapp-config-backup-update) | Configures a new backup schedule for an App Service app. |
-| [`az webapp config backup show`](/cli/azure/webapp/config/backup#az-webapp-config-backup-show) | Shows the backup schedule for an App Service app. |
-| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az-webapp-config-backup-list) | Gets a list of backups for an App Service app. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az storage account create`](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |
+| [`az storage container create`](/cli/azure/storage/container#az_storage_container_create) | Creates an Azure storage container. |
+| [`az storage container generate-sas`](/cli/azure/storage/container#az_storage_container_generate_sas) | Generates an SAS token for an Azure storage container. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp config backup update`](/cli/azure/webapp/config/backup#az_webapp_config_backup_update) | Configures a new backup schedule for an App Service app. |
+| [`az webapp config backup show`](/cli/azure/webapp/config/backup#az_webapp_config_backup_show) | Shows the backup schedule for an App Service app. |
+| [`az webapp config backup list`](/cli/azure/webapp/config/backup#az_webapp_config_backup_list) | Gets a list of backups for an App Service app. |
## Next steps
app-service Cli Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-configure-custom-domain.md Binary files differ
app-service Cli Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-configure-ssl-certificate.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp config hostname add`](/cli/azure/webapp/config/hostname#az-webapp-config-hostname-add) | Maps a custom domain to an App Service app. |
-| [`az webapp config ssl upload`](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-upload) | Uploads a TLS/SSL certificate to an App Service app. |
-| [`az webapp config ssl bind`](/cli/azure/webapp/config/ssl#az-webapp-config-ssl-bind) | Binds an uploaded TLS/SSL certificate to an App Service app. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp config hostname add`](/cli/azure/webapp/config/hostname#az_webapp_config_hostname_add) | Maps a custom domain to an App Service app. |
+| [`az webapp config ssl upload`](/cli/azure/webapp/config/ssl#az_webapp_config_ssl_upload) | Uploads a TLS/SSL certificate to an App Service app. |
+| [`az webapp config ssl bind`](/cli/azure/webapp/config/ssl#az_webapp_config_ssl_bind) | Binds an uploaded TLS/SSL certificate to an App Service app. |
## Next steps
app-service Cli Connect To Documentdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-connect-to-documentdb.md Binary files differ
app-service Cli Connect To Redis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-connect-to-redis.md Binary files differ
app-service Cli Connect To Sql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-connect-to-sql.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az sql server create`](/cli/azure/sql/server#az-sql-server-create) | Creates a server. |
-| [`az sql db create`](/cli/azure/sql/db#az-sql-db-create) | Creates a new database. |
-| [`az sql db show-connection-string`](/cli/azure/sql/db#az-sql-db-show-connection-string) | Generates a connection string to a database. |
-| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az sql server create`](/cli/azure/sql/server#az_sql_server_create) | Creates a server. |
+| [`az sql db create`](/cli/azure/sql/db#az_sql_db_create) | Creates a new database. |
+| [`az sql db show-connection-string`](/cli/azure/sql/db#az_sql_db_show-connection_string) | Generates a connection string to a database. |
+| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app. |
## Next steps
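Review bot: The new anchor on the `az sql db show-connection-string` row, `#az_sql_db_show-connection_string`, still has a hyphen between `show` and `connection`, while every other anchor in this table was converted to underscores throughout. If the target follows the same scheme as the other rows, it should be `#az_sql_db_show_connection_string`; as written, the link will likely not land on the command's section.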
app-service Cli Connect To Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-connect-to-storage.md Binary files differ
app-service Cli Continuous Deployment Github https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-continuous-deployment-github.md Binary files differ
app-service Cli Continuous Deployment Vsts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-continuous-deployment-vsts.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config) | Associates an App Service app with a Git or Mercurial repository. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |
## Next steps
app-service Cli Deploy Ftp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-deploy-ftp.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp deployment list-publishing-profiles`](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) | Get the details for available app deployment profiles. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp deployment list-publishing-profiles`](/cli/azure/webapp/deployment#az_webapp_deployment_list_publishing_profiles) | Get the details for available app deployment profiles. |
## Next steps
app-service Cli Deploy Github https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-deploy-github.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config) | Associates an App Service app with a Git or Mercurial repository. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |
## Next steps
app-service Cli Deploy Local Git https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-deploy-local-git.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp deployment user set`](/cli/azure/webapp/deployment/user#az-webapp-deployment-user-set) | Sets the account-level deployment credentials for App Service. |
-| [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-local-git) | Creates a source control configuration for a local Git repository. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp deployment user set`](/cli/azure/webapp/deployment/user#az_webapp_deployment_user_set) | Sets the account-level deployment credentials for App Service. |
+| [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config_local_git) | Creates a source control configuration for a local Git repository. |
## Next steps
app-service Cli Deploy Privateendpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-deploy-privateendpoint.md
az group create --name myResourceGroup --location francecentral
## Create an App Service Plan You need to create an App Service Plan to host your Web App.
-Create an App Service Plan with [az appservice plan create](/cli/azure/appservice/plan#az-appservice-plan-create).
+Create an App Service Plan with [az appservice plan create](/cli/azure/appservice/plan#az_appservice_plan_create).
This example creates App Service Plan named *myAppServicePlan* in the *francecentral* location with *P1V2* sku and only one worker: ```azurecli-interactive
az appservice plan create \
## Create a Web App Now that you have an App Service Plan you can deploy a Web App.
-Create a Web App with [az appservice plan create](/cli/azure/webapp#az-webapp-create.
+Create a Web App with [az appservice plan create](/cli/azure/webapp#az_webapp_create.
This example creates a Web App named *mySiteName* in the Plan named *myAppServicePlan* ```azurecli-interactive
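Review bot: the changed link in the "Create a Web App" step is still malformed and mislabeled: its text reads `az appservice plan create` while the target is the `az webapp create` anchor, and the closing parenthesis is missing (`#az_webapp_create.`), so the link will not render. Both defects are carried over unchanged from the removed line. Suggest `[az webapp create](/cli/azure/webapp#az_webapp_create).` while this line is being touched.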
az network vnet create \
## Configure the Subnet
-You need to update the subnet to disable private endpoint network policies. Update a subnet configuration named *mySubnet* with [az network vnet subnet update](https://docs.microsoft.com/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update):
+You need to update the subnet to disable private endpoint network policies. Update a subnet configuration named *mySubnet* with [az network vnet subnet update](https://docs.microsoft.com/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update):
```azurecli-interactive az network vnet subnet update \
app-service Cli Deploy Staging Environment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-deploy-staging-environment.md
This script uses the following commands. Each command in the table links to comm
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp deployment slot create`](/cli/azure/webapp/deployment/slot#az-webapp-deployment-slot-create) | Create a deployment slot. |
-| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config) | Associates an App Service app with a Git or Mercurial repository. |
-| [`az webapp deployment slot swap`](/cli/azure/webapp/deployment/slot#az-webapp-deployment-slot-swap) | Swap a specified deployment slot into production. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp deployment slot create`](/cli/azure/webapp/deployment/slot#az_webapp_deployment_slot_create) | Create a deployment slot. |
+| [`az webapp deployment source config`](/cli/azure/webapp/deployment/source#az_webapp_deployment_source_config) | Associates an App Service app with a Git or Mercurial repository. |
+| [`az webapp deployment slot swap`](/cli/azure/webapp/deployment/slot#az_webapp_deployment_slot_swap) | Swap a specified deployment slot into production. |
## Next steps
app-service Cli Integrate App Service With Application Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-integrate-app-service-with-application-gateway.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az network vnet create`](/cli/azure/network/vnet#az-network-vnet-create) | Creates a virtual network. |
-| [`az network public-ip create`](/cli/azure/network/public-ip#az-network-public-ip-create) | Creates a public IP address. |
-| [`az network public-ip show`](/cli/azure/network/public-ip#az-network-public-ip-show) | Show details of a public IP address. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service web app. |
-| [`az webapp show`](/cli/azure/webapp#az-webapp-show) | Show details of an App Service web app. |
-| [`az webapp config access-restriction add`](/cli/azure/webapp/config/access-restriction#az-webapp-config-access-restriction-add) | Adds an access restriction to the App Service web app. |
-| [`az network application-gateway create`](/cli/azure/network/application-gateway#az-network-application-gateway-create) | Creates an Application Gateway. |
-| [`az network application-gateway http-settings update`](/cli/azure/network/application-gateway/http-settings#az-network-application-gateway-http-settings-update) | Updates Application Gateway HTTP settings. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az network vnet create`](/cli/azure/network/vnet#az_network_vnet_create) | Creates a virtual network. |
+| [`az network public-ip create`](/cli/azure/network/public-ip#az_network_public_ip_create) | Creates a public IP address. |
+| [`az network public-ip show`](/cli/azure/network/public-ip#az_network_public_ip_show) | Show details of a public IP address. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service web app. |
+| [`az webapp show`](/cli/azure/webapp#az_webapp_show) | Show details of an App Service web app. |
+| [`az webapp config access-restriction add`](/cli/azure/webapp/config/access-restriction#az_webapp_config_access_restriction_add) | Adds an access restriction to the App Service web app. |
+| [`az network application-gateway create`](/cli/azure/network/application-gateway#az_network_application_gateway_create) | Creates an Application Gateway. |
+| [`az network application-gateway http-settings update`](/cli/azure/network/application-gateway/http-settings#az_network-application-gateway-http_settings_update) | Updates Application Gateway HTTP settings. |
## Next steps
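Review bot: the new anchor on the `az network application-gateway http-settings update` row, `#az_network-application-gateway-http_settings_update`, still contains hyphens, whereas every other row in this table converts all of them (for example `#az_network_application_gateway_create` one row up). By that pattern the anchor would be `#az_network_application_gateway_http_settings_update`. As written, the link will most likely land at the top of the reference page instead of on the command.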
app-service Cli Linux Acr Aspnetcore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-linux-acr-aspnetcore.md Binary files differ
app-service Cli Linux Docker Aspnetcore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-linux-docker-aspnetcore.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp config container set`](/cli/azure/webapp/config/container#az-webapp-config-container-set) | Sets the Docker container for the App Service app. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp config container set`](/cli/azure/webapp/config/container#az_webapp_config_container_set) | Sets the Docker container for the App Service app. |
## Next steps
app-service Cli Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-monitor.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az webapp log config`](/cli/azure/webapp/log#az-webapp-log-config) | Configures which logs an App Service app persists. |
-| [`az webapp log download`](/cli/azure/webapp/log#az-webapp-log-download) | Downloads the logs of an App Service app to your local machine. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az webapp log config`](/cli/azure/webapp/log#az_webapp_log_config) | Configures which logs an App Service app persists. |
+| [`az webapp log download`](/cli/azure/webapp/log#az_webapp_log_download) | Downloads the logs of an App Service app to your local machine. |
## Next steps
app-service Cli Scale High Availability https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-scale-high-availability.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az network traffic-manager profile create`](/cli/azure/network/traffic-manager/profile#az-network-traffic-manager-profile-create) | Creates an Azure Traffic Manager profile. |
-| [`az network traffic-manager endpoint create`](/cli/azure/network/traffic-manager/endpoint#az-network-traffic-manager-endpoint-create) | Adds an endpoint to an Azure Traffic Manager Profile. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az network traffic-manager profile create`](/cli/azure/network/traffic-manager/profile#az_network_traffic_manager_profile_create) | Creates an Azure Traffic Manager profile. |
+| [`az network traffic-manager endpoint create`](/cli/azure/network/traffic-manager/endpoint#az_network_traffic-manager_endpoint_create) | Adds an endpoint to an Azure Traffic Manager Profile. |
## Next steps
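Review bot: the anchor on the `az network traffic-manager endpoint create` row is only partly converted: `#az_network_traffic-manager_endpoint_create` keeps the hyphen in `traffic-manager`, while the profile row directly above uses `#az_network_traffic_manager_profile_create`. Suggest making the endpoint anchor follow the same all-underscore pattern so both rows resolve consistently.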
app-service Cli Scale Manual https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scripts/cli-scale-manual.md
This script uses the following commands to create a resource group, App Service
| Command | Notes | |||
-| [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. |
-| [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az appservice plan update`](/cli/azure/appservice/plan#az-appservice-plan-update) | Updates properties of the App Service plan. |
+| [`az group create`](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) | Creates an App Service plan. |
+| [`az webapp create`](/cli/azure/webapp#az_webapp_create) | Creates an App Service app. |
+| [`az appservice plan update`](/cli/azure/appservice/plan#az_appservice_plan_update) | Updates properties of the App Service plan. |
## Next steps
app-service Tutorial Auth Aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-auth-aad.md
While the server code has access to request headers, client code can access `GET
### Configure CORS
-In the Cloud Shell, enable CORS to your client's URL by using the [`az webapp cors add`](/cli/azure/webapp/cors#az-webapp-cors-add) command. Replace the _\<back-end-app-name>_ and _\<front-end-app-name>_ placeholders.
+In the Cloud Shell, enable CORS to your client's URL by using the [`az webapp cors add`](/cli/azure/webapp/cors#az_webapp_cors_add) command. Replace the _\<back-end-app-name>_ and _\<front-end-app-name>_ placeholders.
```azurecli-interactive az webapp cors add --resource-group myAuthResourceGroup --name <back-end-app-name> --allowed-origins 'https://<front-end-app-name>.azurewebsites.net'
app-service Tutorial Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-custom-container.md
The streamed logs looks like this:
::: zone pivot="container-linux"
-Azure App Service uses the Docker container technology to host both built-in images and custom images. To see a list of built-in images, run the Azure CLI command, ['az webapp list-runtimes --linux'](/cli/azure/webapp#az-webapp-list-runtimes). If those images don't satisfy your needs, you can build and deploy a custom image.
+Azure App Service uses the Docker container technology to host both built-in images and custom images. To see a list of built-in images, run the Azure CLI command, ['az webapp list-runtimes --linux'](/cli/azure/webapp#az_webapp_list_runtimes). If those images don't satisfy your needs, you can build and deploy a custom image.
In this tutorial, you learn how to:
ENTRYPOINT ["init.sh"]
In this section and those that follow, you provision resources in Azure to which you push the image and then deploy a container to Azure App Service. You start by creating a resource group in which to collect all these resources.
-Run the [az group create](/cli/azure/group#az-group-create) command to create a resource group:
+Run the [az group create](/cli/azure/group#az_group_create) command to create a resource group:
```azurecli-interactive az group create --name AppSvc-DockerTutorial-rg --location westus2
You can change the `--location` value to specify a region near you.
In this section, you push the image to Azure Container Registry from which App Service can deploy it.
-1. Run the [`az acr create`](/cli/azure/acr#az-acr-create) command to create an Azure Container Registry:
+1. Run the [`az acr create`](/cli/azure/acr#az_acr_create) command to create an Azure Container Registry:
```azurecli-interactive az acr create --name <registry-name> --resource-group AppSvc-DockerTutorial-rg --sku Basic --admin-enabled true
In this section, you push the image to Azure Container Registry from which App S
Replace `<registry-name>` with a suitable name for your registry. The name must contain only letters and numbers and must be unique across all of Azure.
-1. Run the [`az acr show`](/cli/azure/acr#az-acr-show) command to retrieve credentials for the registry:
+1. Run the [`az acr show`](/cli/azure/acr#az_acr_show) command to retrieve credentials for the registry:
```azurecli-interactive az acr credential show --resource-group AppSvc-DockerTutorial-rg --name <registry-name>
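Review bot: the link text and anchor on the changed line name `az acr show` (`#az_acr_show`), but the command the step actually runs is `az acr credential show`. A reader who follows the link lands on a different command from the one that returns the registry credentials. Suggest changing the link text to `az acr credential show` and pointing the link at that command's reference entry.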
In this section, you push the image to Azure Container Registry from which App S
To deploy a container to Azure App Service, you first create a web app on App Service, then connect the web app to the container registry. When the web app starts, App Service automatically pulls the image from the registry.
-1. Create an App Service plan using the [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) command:
+1. Create an App Service plan using the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command:
```azurecli-interactive az appservice plan create --name AppSvc-DockerTutorial-plan --resource-group AppSvc-DockerTutorial-rg --is-linux
To deploy a container to Azure App Service, you first create a web app on App Se
An App Service plan corresponds to the virtual machine that hosts the web app. By default, the previous command uses an inexpensive [B1 pricing tier](https://azure.microsoft.com/pricing/details/app-service/linux/) that is free for the first month. You can control the tier with the `--sku` parameter.
-1. Create the web app with the [`az webpp create`](/cli/azure/webapp#az-webapp-create) command:
+1. Create the web app with the [`az webpp create`](/cli/azure/webapp#az_webapp_create) command:
```azurecli-interactive az webapp create --resource-group AppSvc-DockerTutorial-rg --plan AppSvc-DockerTutorial-plan --name <app-name> --deployment-container-image-name <registry-name>.azurecr.io/appsvc-tutorial-custom-image:latest
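Review bot: the link text on the changed line is misspelled as `az webpp create`. The typo is carried over from the removed line, and the command in the step below is `az webapp create`. Suggest fixing the link text in the same change, since the line is already being edited.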
To deploy a container to Azure App Service, you first create a web app on App Se
Replace `<app-name>` with a name for the web app, which must be unique across all of Azure. Also replace `<registry-name>` with the name of your registry from the previous section.
-1. Use [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) to set the `WEBSITES_PORT` environment variable as expected by the app code:
+1. Use [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) to set the `WEBSITES_PORT` environment variable as expected by the app code:
```azurecli-interactive az webapp config appsettings set --resource-group AppSvc-DockerTutorial-rg --name <app-name> --settings WEBSITES_PORT=8000
To deploy a container to Azure App Service, you first create a web app on App Se
For more information on this environment variable, see the [readme in the sample's GitHub repository](https://github.com/Azure-Samples/docker-django-webapp-linux).
-1. Enable [managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az-webapp-identity-assign) command:
+1. Enable [managed identity](./overview-managed-identity.md) for the web app by using the [`az webapp identity assign`](/cli/azure/webapp/identity#az_webapp_identity-assign) command:
```azurecli-interactive az webapp identity assign --resource-group AppSvc-DockerTutorial-rg --name <app-name> --query principalId --output tsv
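Review bot: the new anchor `#az_webapp_identity-assign` keeps a hyphen before `assign`, unlike the other anchors converted in this file (for example `#az_webapp_config_appsettings_set` in the previous step). Suggest `#az_webapp_identity_assign` to match the pattern, otherwise the link to the managed identity command is likely to miss its target.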
To deploy a container to Azure App Service, you first create a web app on App Se
Managed identity allows you to grant permissions to the web app to access other Azure resources without needing any specific credentials.
-1. Retrieve your subscription ID with the [`az account show`](/cli/azure/account#az-account-show) command, which you need in the next step:
+1. Retrieve your subscription ID with the [`az account show`](/cli/azure/account#az_account_show) command, which you need in the next step:
```azurecli-interactive az account show --query id --output tsv
For more information about these permissions, see [What is Azure role-based acce
You can complete these steps once the image is pushed to the container registry and the App Service is fully provisioned.
-1. Use the [`az webapp config container set`](/cli/azure/webapp/config/container#az-webapp-config-container-set) command to specify the container registry and the image to deploy for the web app:
+1. Use the [`az webapp config container set`](/cli/azure/webapp/config/container#az_webapp_config_container_set) command to specify the container registry and the image to deploy for the web app:
```azurecli-interactive az webapp config container set --name <app-name> --resource-group AppSvc-DockerTutorial-rg --docker-custom-image-name <registry-name>.azurecr.io/appsvc-tutorial-custom-image:latest --docker-registry-server-url https://<registry-name>.azurecr.io
app-service Tutorial Dotnetcore Sqldb App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-dotnetcore-sqldb-app.md
For SQL Database, this tutorial uses [Azure SQL Database](/azure/sql-database/).
### Create a SQL Database logical server
-In the Cloud Shell, create a SQL Database logical server with the [`az sql server create`](/cli/azure/sql/server#az-sql-server-create) command.
+In the Cloud Shell, create a SQL Database logical server with the [`az sql server create`](/cli/azure/sql/server#az_sql_server_create) command.
Replace the *\<server-name>* placeholder with a *unique* SQL Database name. This name is used as the part of the globally unique SQL Database endpoint, `<server-name>.database.windows.net`. Valid characters are `a`-`z`, `0`-`9`, `-`. Also, replace *\<db-username>* and *\<db-password>* with a username and password of your choice.
When the SQL Database logical server is created, the Azure CLI shows information
### Configure a server firewall rule
-Create an [Azure SQL Database server-level firewall rule](../azure-sql/database/firewall-configure.md) using the [`az sql server firewall create`](/cli/azure/sql/server/firewall-rule#az-sql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
+Create an [Azure SQL Database server-level firewall rule](../azure-sql/database/firewall-configure.md) using the [`az sql server firewall create`](/cli/azure/sql/server/firewall-rule#az_sql_server_firewall_rule_create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
```azurecli-interactive az sql server firewall-rule create --resource-group myResourceGroup --server <server-name> --name AllowAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
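Review bot: the link text on the changed line reads `az sql server firewall create`, but both the anchor (`#az_sql_server_firewall_rule_create`) and the command below are `az sql server firewall-rule create`. Suggest correcting the link text so that a reader who copies the command name from the prose gets one that exists.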
az sql server firewall-rule create --name AllowLocalClient --server <server-name
### Create a database
-Create a database with an [S0 performance level](../azure-sql/database/service-tiers-dtu.md) in the server using the [`az sql db create`](/cli/azure/sql/db#az-sql-db-create) command.
+Create a database with an [S0 performance level](../azure-sql/database/service-tiers-dtu.md) in the server using the [`az sql db create`](/cli/azure/sql/db#az_sql_db_create) command.
```azurecli-interactive az sql db create --resource-group myResourceGroup --server <server-name> --name coreDB --service-objective S0
az sql db create --resource-group myResourceGroup --server <server-name> --name
### Create connection string
-Get the connection string using the [`az sql db show-connection-string`](/cli/azure/sql/db#az-sql-db-show-connection-string) command.
+Get the connection string using the [`az sql db show-connection-string`](/cli/azure/sql/db#az_sql_db_show_connection_string) command.
```azurecli-interactive az sql db show-connection-string --client ado.net --server <server-name> --name coreDB
In this step, you deploy your SQL Database-connected .NET Core application to Ap
### Configure connection string
-To set connection strings for your Azure app, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in the Cloud Shell. In the following command, replace *\<app-name>*, as well as the *\<connection-string>* parameter with the connection string you created earlier.
+To set connection strings for your Azure app, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in the Cloud Shell. In the following command, replace *\<app-name>*, as well as the *\<connection-string>* parameter with the connection string you created earlier.
```azurecli-interactive az webapp config connection-string set --resource-group myResourceGroup --name <app-name> --settings MyDbConnection="<connection-string>" --connection-string-type SQLAzure
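Review bot: the changed sentence tells the reader to set connection strings with `az webapp config appsettings set` and links to that command, but the command shown immediately below is `az webapp config connection-string set` with `--connection-string-type SQLAzure`. The prose and link should name the command the step actually runs. This matters because app settings and connection strings are stored and surfaced to the app differently.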
The sample project already follows the guidance at [ASP.NET Core Logging in Azur
- Includes a reference to `Microsoft.Extensions.Logging.AzureAppServices` in *DotNetCoreSqlDb.csproj*. - Calls `loggerFactory.AddAzureWebAppDiagnostics()` in *Program.cs*.
-To set the ASP.NET Core [log level](/aspnet/core/fundamentals/logging#log-level) in App Service to `Information` from the default level `Error`, use the [`az webapp log config`](/cli/azure/webapp/log#az-webapp-log-config) command in the Cloud Shell.
+To set the ASP.NET Core [log level](/aspnet/core/fundamentals/logging#log-level) in App Service to `Information` from the default level `Error`, use the [`az webapp log config`](/cli/azure/webapp/log#az_webapp_log_config) command in the Cloud Shell.
```azurecli-interactive az webapp log config --name <app-name> --resource-group myResourceGroup --application-logging filesystem --level information
az webapp log config --name <app-name> --resource-group myResourceGroup --applic
> [!NOTE] > The project's log level is already set to `Information` in *appsettings.json*.
-To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az-webapp-log-tail) command in the Cloud Shell.
+To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az_webapp_log_tail) command in the Cloud Shell.
```azurecli-interactive az webapp log tail --name <app-name> --resource-group myResourceGroup
app-service Tutorial Multi Container App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-multi-container-app.md
cd multicontainerwordpress
[!INCLUDE [resource group intro text](../../includes/resource-group.md)]
-In Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az-group-create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az-appservice-list-locations) command.
+In Cloud Shell, create a resource group with the [`az group create`](/cli/azure/group#az_group_create) command. The following example creates a resource group named *myResourceGroup* in the *South Central US* location. To see all supported locations for App Service on Linux in **Standard** tier, run the [`az appservice list-locations --sku S1 --linux-workers-enabled`](/cli/azure/appservice#az_appservice_list_locations) command.
```azurecli-interactive az group create --name myResourceGroup --location "South Central US"
When the command finishes, a JSON output shows you the resource group properties
## Create an Azure App Service plan
-In Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) command.
+In Cloud Shell, create an App Service plan in the resource group with the [`az appservice plan create`](/cli/azure/appservice/plan#az_appservice_plan_create) command.
<!-- [!INCLUDE [app-service-plan](app-service-plan-linux.md)] -->
When the App Service plan has been created, Cloud Shell shows information simila
## Create a Docker Compose app
-In your Cloud Shell, create a multi-container [web app](overview.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az-webapp-create) command. Don't forget to replace _\<app-name>_ with a unique app name.
+In your Cloud Shell, create a multi-container [web app](overview.md) in the `myAppServicePlan` App Service plan with the [az webapp create](/cli/azure/webapp#az_webapp_create) command. Don't forget to replace _\<app-name>_ with a unique app name.
```azurecli-interactive az webapp create --resource-group myResourceGroup --plan myAppServicePlan --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml
It's not recommended to use database containers in a production environment. The
### Create an Azure Database for MySQL server
-Create an Azure Database for MySQL server with the [`az mysql server create`](/cli/azure/mysql/server#az-mysql-server-create) command.
+Create an Azure Database for MySQL server with the [`az mysql server create`](/cli/azure/mysql/server#az_mysql_server_create) command.
In the following command, substitute your MySQL server name where you see the _&lt;mysql-server-name>_ placeholder (valid characters are `a-z`, `0-9`, and `-`). This name is part of the MySQL server's hostname (`<mysql-server-name>.database.windows.net`), it needs to be globally unique.
Creating the server may take a few minutes to complete. When the MySQL server is
### Configure server firewall
-Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
+Create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az_mysql_server_firewall_rule_create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
```azurecli-interactive az mysql server firewall-rule create --name allAzureIPs --server <mysql-server-name> --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
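Review bot: the changed sentence says that with start and end IP set to 0.0.0.0 "the firewall is only opened for other Azure resources", which understates the exposure. The rule (named `allAzureIPs` in the command that follows) admits connections from any Azure-hosted address, including resources in other customers' subscriptions. Suggest stating that explicitly and recommending that production deployments restrict the rule to the app's outbound IP addresses.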
When the database has been created, Cloud Shell shows information similar to the
To connect the WordPress app to this new MySQL server, you'll configure a few WordPress-specific environment variables, including the SSL CA path defined by `MYSQL_SSL_CA`. The [Baltimore CyberTrust Root](https://www.digicert.com/digicert-root-certificates.htm) from [DigiCert](https://www.digicert.com/) is provided in the [custom image](#use-a-custom-image-for-mysql-ssl-and-other-configurations) below.
-To make these changes, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.
+To make these changes, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.
```azurecli-interactive az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WORDPRESS_DB_HOST="<mysql-server-name>.mysql.database.azure.com" WORDPRESS_DB_USER="adminuser@<mysql-server-name>" WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!" WORDPRESS_DB_NAME="wordpress" MYSQL_SSL_CA="BaltimoreCyberTrustroot.crt.pem"
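Review bot: the `az webapp config appsettings set` example under the edited link embeds a literal password, `WORDPRESS_DB_PASSWORD="My5up3rStr0ngPaSw0rd!"`, which readers tend to paste unchanged into real deployments. Suggest replacing it with a placeholder (for example `<admin-password>`), in line with the `<app-name>` and `<mysql-server-name>` placeholders already used in the same command, and telling the reader to substitute the value they chose when creating the server.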
Save your changes and exit nano. Use the command `^O` to save and `^X` to exit.
### Update app with new configuration
-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with the name of the web app you created earlier.
+In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with the name of the web app you created earlier.
```azurecli-interactive az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml
Your multi-container is now running in Web App for Containers. However, if you i
### Configure environment variables
-To use persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.
+To use persistent storage, you'll enable this setting within App Service. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.
```azurecli-interactive az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=TRUE
### Update app with new configuration
-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with a unique app name.
+In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with a unique app name.
```azurecli-interactive az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file docker-compose-wordpress.yml
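Review bot: the changed sentence tells the reader to replace `<app-name>` "with a unique app name", but this step reconfigures the web app created earlier, so a new name would point the command at a different or nonexistent app. The earlier "Update app with new configuration" step in this article already words it as "with the name of the web app you created earlier"; reuse that wording here.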
### Configure environment variables
-To use Redis, you'll enable this setting, `WP_REDIS_HOST`, within App Service. This is a *required setting* for WordPress to communicate with the Redis host. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in Cloud Shell. App settings are case-sensitive and space-separated.
+To use Redis, you'll enable this setting, `WP_REDIS_HOST`, within App Service. This is a *required setting* for WordPress to communicate with the Redis host. To make this change, use the [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in Cloud Shell. App settings are case-sensitive and space-separated.
```azurecli-interactive az webapp config appsettings set --resource-group myResourceGroup --name <app-name> --settings WP_REDIS_HOST="redis"
When the app setting has been created, Cloud Shell shows information similar to
### Update app with new configuration
-In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az-webapp-config-container-set) command. Don't forget to replace _\<app-name>_ with a unique app name.
+In Cloud Shell, reconfigure your multi-container [web app](overview.md) with the [az webapp config container set](/cli/azure/webapp/config/container#az_webapp_config_container_set) command. Don't forget to replace _\<app-name>_ with a unique app name.
```azurecli-interactive az webapp config container set --resource-group myResourceGroup --name <app-name> --multicontainer-config-type compose --multicontainer-config-file compose-wordpress.yml
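Review bot: the command under the edited link passes `--multicontainer-config-file compose-wordpress.yml`, while every earlier `az webapp config container set` call in this article uses `docker-compose-wordpress.yml`. Please confirm which file this step is meant to apply and make the name consistent, otherwise the Redis configuration may never reach the app. The changed sentence also repeats the "with a unique app name" wording for what is an existing app.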
app-service Tutorial Nodejs Mongodb App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-nodejs-mongodb-app.md
In this step, you connect your MEAN.js sample application to the Cosmos DB datab
### Retrieve the database key
-To connect to the Cosmos DB database, you need the database key. In the Cloud Shell, use the [`az cosmosdb list-keys`](/cli/azure/cosmosdb#az-cosmosdb-list-keys) command to retrieve the primary key.
+To connect to the Cosmos DB database, you need the database key. In the Cloud Shell, use the [`az cosmosdb list-keys`](/cli/azure/cosmosdb#az_cosmosdb_list_keys) command to retrieve the primary key.
```azurecli-interactive az cosmosdb list-keys --name <cosmosdb-name> --resource-group myResourceGroup
In this step, you deploy your MongoDB-connected Node.js application to Azure App
By default, the MEAN.js project keeps _config/env/local-production.js_ out of the Git repository. So for your Azure app, you use app settings to define your MongoDB connection string.
-To set app settings, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in the Cloud Shell.
+To set app settings, use the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in the Cloud Shell.
The following example configures a `MONGODB_URI` app setting in your Azure app. Replace the *\<app-name>*, *\<cosmosdb-name>*, and *\<primary-master-key>* placeholders.
If you added any articles earlier, you still can see them. Existing data in your
While your Node.js application runs in Azure App Service, you can get the console logs piped to your terminal. That way, you can get the same diagnostic messages to help you debug application errors.
-To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az-webapp-log-tail) command in the Cloud Shell.
+To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az_webapp_log_tail) command in the Cloud Shell.
```azurecli-interactive az webapp log tail --name <app-name> --resource-group myResourceGroup
app-service Tutorial Php Mysql App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-php-mysql-app.md
In this step, you create a MySQL database in [Azure Database for MySQL](../mysql
### Create a MySQL server
-In the Cloud Shell, create a server in Azure Database for MySQL with the [`az mysql server create`](/cli/azure/mysql/server#az-mysql-server-create) command.
+In the Cloud Shell, create a server in Azure Database for MySQL with the [`az mysql server create`](/cli/azure/mysql/server#az_mysql_server_create) command.
In the following command, substitute a unique server name for the *\<mysql-server-name>* placeholder, a user name for the *\<admin-user>*, and a password for the *\<admin-password>* placeholder. The server name is used as part of your MySQL endpoint (`https://<mysql-server-name>.mysql.database.azure.com`), so the name needs to be unique across all servers in Azure. For details on selecting MySQL DB SKU, see [Create an Azure Database for MySQL server](../mysql/quickstart-create-mysql-server-database-using-azure-cli.md#create-an-azure-database-for-mysql-server).
When the MySQL server is created, the Azure CLI shows information similar to the
### Configure server firewall
-In the Cloud Shell, create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az-mysql-server-firewall-rule-create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
+In the Cloud Shell, create a firewall rule for your MySQL server to allow client connections by using the [`az mysql server firewall-rule create`](/cli/azure/mysql/server/firewall-rule#az_mysql_server_firewall_rule_create) command. When both starting IP and end IP are set to 0.0.0.0, the firewall is only opened for other Azure resources.
```azurecli-interactive az mysql server firewall-rule create --name allAzureIPs --server <mysql-server-name> --resource-group myResourceGroup --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
In this step, you deploy the MySQL-connected PHP application to Azure App Servic
### Configure database settings
-In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command.
+In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command.
The following command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _&lt;app-name>_ and _&lt;mysql-server-name>_.
In the local terminal window, use `php artisan` to generate a new application ke
php artisan key:generate --show ```
-In the Cloud Shell, set the application key in the App Service app by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command. Replace the placeholders _&lt;app-name>_ and _&lt;outputofphpartisankey:generate>_.
+In the Cloud Shell, set the application key in the App Service app by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command. Replace the placeholders _&lt;app-name>_ and _&lt;outputofphpartisankey:generate>_.
```azurecli-interactive az webapp config appsettings set --name <app-name> --resource-group myResourceGroup --settings APP_KEY="<output_of_php_artisan_key:generate>" APP_DEBUG="true"
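Review bot: the command under the edited link sets `APP_DEBUG="true"` on the deployed App Service app, which makes Laravel return detailed error pages, including stack traces and configuration values, to any visitor. Suggest setting it to `false` in the sample or adding a sentence telling readers to turn it off once the deployment is verified. Separately, the placeholder in the changed sentence (`<outputofphpartisankey:generate>`) does not match the one in the command (`<output_of_php_artisan_key:generate>`).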
az webapp config appsettings set --name <app-name> --resource-group myResourceGr
Set the virtual application path for the app. This step is required because the [Laravel application lifecycle](https://laravel.com/docs/5.4/lifecycle) begins in the _public_ directory instead of the application's root directory. Other PHP frameworks whose lifecycle start in the root directory can work without manual configuration of the virtual application path.
-In the Cloud Shell, set the virtual application path by using the [`az resource update`](/cli/azure/resource#az-resource-update) command. Replace the _&lt;app-name>_ placeholder.
+In the Cloud Shell, set the virtual application path by using the [`az resource update`](/cli/azure/resource#az_resource_update) command. Replace the _&lt;app-name>_ placeholder.
```azurecli-interactive az resource update --name web --resource-group myResourceGroup --namespace Microsoft.Web --resource-type config --parent sites/<app_name> --set properties.virtualApplications[0].physicalPath="site\wwwroot\public" --api-version 2015-06-01
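Review bot: the changed sentence asks the reader to replace the `<app-name>` placeholder, but the command that follows spells it `<app_name>` in `--parent sites/<app_name>`. A reader doing a search-and-replace on `<app-name>` will leave the literal `<app_name>` in the command. Suggest using one spelling throughout the article.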
If you added any tasks, they are retained in the database. Updates to the data s
While the PHP application runs in Azure App Service, you can get the console logs piped to your terminal. That way, you can get the same diagnostic messages to help you debug application errors.
-To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az-webapp-log-tail) command in the Cloud Shell.
+To start log streaming, use the [`az webapp log tail`](/cli/azure/webapp/log#az_webapp_log_tail) command in the Cloud Shell.
```azurecli-interactive az webapp log tail --name <app_name> --resource-group myResourceGroup
app-service Tutorial Python Postgresql App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-python-postgresql-app.md
When the command completes, it outputs a JSON object that contains different con
<!-- not all locations support az postgres up --> > [!TIP]
-> `-l <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az-account-list-locations) command. For production apps, put your database and your app in the same location.
+> `-l <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az_account_list_locations) command. For production apps, put your database and your app in the same location.
Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp).
In this section, you create app host in App Service app, connect this app to the
In the terminal, make sure you're in the *djangoapp* repository folder that contains the app code.
-Create an App Service app (the host process) with the [`az webapp up`](/cli/azure/webapp#az-webapp-up) command:
+Create an App Service app (the host process) with the [`az webapp up`](/cli/azure/webapp#az_webapp_up) command:
```azurecli az webapp up --resource-group DjangoPostgres-tutorial-rg --location westus2 --plan DjangoPostgres-tutorial-plan --sku B1 --name <app-name>
With the code now deployed to App Service, the next step is to connect the app t
The app code expects to find database information in four environment variables named `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS`.
-To set environment variables in App Service, create "app settings" with the following [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command.
+To set environment variables in App Service, create "app settings" with the following [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command.
```azurecli az webapp config appsettings set --settings DBHOST="<postgres-server-name>" DBNAME="pollsdb" DBUSER="<username>" DBPASS="<password>"
app-service Tutorial Ruby Postgres App https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-ruby-postgres-app.md
When the command finishes, find the output lines that being with `Ran Database Q
<!-- not all locations support az postgres up --> > [!TIP]
-> `--location <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az-account-list-locations) command. For production apps, put your database and your app in the same location.
+> `--location <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az_account_list_locations) command. For production apps, put your database and your app in the same location.
## Connect app to Azure Postgres
In this step, you deploy the Postgres-connected Rails application to Azure App S
### Configure database settings
-In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command in the Cloud Shell.
+In App Service, you set environment variables as _app settings_ by using the [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command in the Cloud Shell.
The following Cloud Shell command configures the app settings `DB_HOST`, `DB_DATABASE`, `DB_USERNAME`, and `DB_PASSWORD`. Replace the placeholders _&lt;appname>_ and _&lt;postgres-server-name>_.
application-gateway Application Gateway Backend Health Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/application-gateway-backend-health-troubleshooting.md
successfully, Application Gateway resumes forwarding the requests.
### How to check backend health To check the health of your backend pool, you can use the
-**Backend Health** page on the Azure portal. Or, you can use [Azure PowerShell](/powershell/module/az.network/get-azapplicationgatewaybackendhealth), [CLI](/cli/azure/network/application-gateway#az-network-application-gateway-show-backend-health), or [REST API](/rest/api/application-gateway/applicationgateways/backendhealth).
+**Backend Health** page on the Azure portal. Or, you can use [Azure PowerShell](/powershell/module/az.network/get-azapplicationgatewaybackendhealth), [CLI](/cli/azure/network/application-gateway#az_network_application_gateway_show_backend_health), or [REST API](/rest/api/application-gateway/applicationgateways/backendhealth).
The status retrieved by any of these methods can be any one of the following:
application-gateway Redirect Http To Https Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/redirect-http-to-https-cli.md
az network public-ip create \
## Create the application gateway
-You can use [az network application-gateway create](/cli/azure/network/application-gateway#az-network-application-gateway-create) to create the application gateway named *myAppGateway*. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings.
+You can use [az network application-gateway create](/cli/azure/network/application-gateway#az_network_application_gateway_create) to create the application gateway named *myAppGateway*. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings.
The application gateway is assigned to *myAGSubnet* and *myAGPublicIPAddress* that you previously created. In this example, you associate the certificate that you created and its password when you create the application gateway.
az network application-gateway create \
### Add the HTTP port
-You can use [az network application-gateway frontend-port create](/cli/azure/network/application-gateway/frontend-port#az-network-application-gateway-frontend-port-create) to add the HTTP port to the application gateway.
+You can use [az network application-gateway frontend-port create](/cli/azure/network/application-gateway/frontend-port#az_network-application_gateway_frontend_port_create) to add the HTTP port to the application gateway.
```azurecli-interactive az network application-gateway frontend-port create \
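Review bot: the new link anchor on the changed line, `#az_network-application_gateway_frontend_port_create`, still contains a hyphen between `az_network` and `application`, unlike every other anchor converted in this change (for example `#az_network_application_gateway_http_listener_create`). As written the fragment is unlikely to resolve. Suggest `#az_network_application_gateway_frontend_port_create`.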
az network application-gateway frontend-port create \
### Add the HTTP listener
-You can use [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az-network-application-gateway-http-listener-create) to add the listener named *myListener* to the application gateway.
+You can use [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create) to add the listener named *myListener* to the application gateway.
```azurecli-interactive az network application-gateway http-listener create \
az network application-gateway http-listener create \
### Add the redirection configuration
-Add the HTTP to HTTPS redirection configuration to the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az-network-application-gateway-redirect-config-create).
+Add the HTTP to HTTPS redirection configuration to the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az_network_application_gateway_redirect_config_create).
```azurecli-interactive az network application-gateway redirect-config create \
az network application-gateway redirect-config create \
### Add the routing rule
-Add the routing rule named *rule2* with the redirection configuration to the application gateway using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az-network-application-gateway-rule-create).
+Add the routing rule named *rule2* with the redirection configuration to the application gateway using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).
```azurecli-interactive az network application-gateway rule create \
az network application-gateway rule create \
## Create a virtual machine scale set
-In this example, you create a virtual machine scale set named *myvmss* that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az-vmss-create).
+In this example, you create a virtual machine scale set named *myvmss* that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az_vmss_create).
```azurecli-interactive az vmss create \
application-gateway Redirect Internal Site Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/redirect-internal-site-cli.md
az group create --name myResourceGroupAG --location eastus
## Create network resources
-Create the virtual network named *myVNet* and the subnet named *myAGSubnet* using [az network vnet create](/cli/azure/network/vnet). You can then add the subnet named *myBackendSubnet* that's needed by the backend pool of servers using [az network vnet subnet create](/cli/azure/network/vnet/subnet). Create the public IP address named *myAGPublicIPAddress* using [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create).
+Create the virtual network named *myVNet* and the subnet named *myAGSubnet* using [az network vnet create](/cli/azure/network/vnet). You can then add the subnet named *myBackendSubnet* that's needed by the backend pool of servers using [az network vnet subnet create](/cli/azure/network/vnet/subnet). Create the public IP address named *myAGPublicIPAddress* using [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create).
```azurecli-interactive az network vnet create \
It may take several minutes for the application gateway to be created. After the
A listener is required to enable the application gateway to route traffic appropriately to the backend pool. In this tutorial, you create two listeners for your two domains. In this example, listeners are created for the domains of *www\.contoso.com* and *www\.contoso.org*.
-Add the backend listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az-network-application-gateway-http-listener-create).
+Add the backend listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create).
```azurecli-interactive az network application-gateway http-listener create \
az network application-gateway http-listener create \
### Add the redirection configuration
-Add the redirection configuration that sends traffic from *www\.consoto.org* to the listener for *www\.contoso.com* in the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az-network-application-gateway-redirect-config-create).
+Add the redirection configuration that sends traffic from *www\.consoto.org* to the listener for *www\.contoso.com* in the application gateway using [az network application-gateway redirect-config create](/cli/azure/network/application-gateway/redirect-config#az_network_application_gateway_redirect_config_create).
```azurecli-interactive az network application-gateway redirect-config create \
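Review bot: the changed sentence carries over the misspelled host name *www\.consoto.org*; the listeners described earlier in this article are for *www\.contoso.com* and *www\.contoso.org*. Since the line is being edited anyway, correct it to *www\.contoso.org* so the redirect source matches the listener the reader created.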
az network application-gateway redirect-config create \
Rules are processed in the order in which they are created, and traffic is directed using the first rule that matches the URL sent to the application gateway. For example, if you have a rule using a basic listener and a rule using a multi-site listener both on the same port, the rule with the multi-site listener must be listed before the rule with the basic listener in order for the multi-site rule to function as expected.
-In this example, you create two new rules and delete the default rule that was created. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az-network-application-gateway-rule-create).
+In this example, you create two new rules and delete the default rule that was created. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).
```azurecli-interactive az network application-gateway rule create \
az vmss extension set \
## Create CNAME record in your domain
-After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create. The use of A-records is not recommended because the VIP may change when the application gateway is restarted.
+After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create. The use of A-records is not recommended because the VIP may change when the application gateway is restarted.
```azurecli-interactive az network public-ip show \
application-gateway Rewrite Http Headers Url https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/rewrite-http-headers-url.md
# Rewrite HTTP headers and URL with Application Gateway
- Application Gateway allows you to rewrite selected content of requests and responses. With this feature, you can translate URLs, query string parameters as well as modify request and response headers. It also allows you to add conditions to ensure that the URL or the specified headers are rewritten only when certain conditions are met. These conditions are based on the request and response information.
+Application Gateway allows you to rewrite selected content of requests and responses. With this feature, you can translate URLs, query string parameters as well as modify request and response headers. It also allows you to add conditions to ensure that the URL or the specified headers are rewritten only when certain conditions are met. These conditions are based on the request and response information.
>[!NOTE] >HTTP header and URL rewrite features are only available for the [Application Gateway v2 SKU](application-gateway-autoscaling-zone-redundant.md)
With URL rewrite capability in Application Gateway, you can:
* Rewrite the host name, path and query string of the request URL
-* Choose to rewrite URL of all requests on a listener or only those requests which match one or more of the conditions you set. These conditions are based on the request and response properties (request, header, response header and server variables).
+* Choose to rewrite the URL of all requests on a listener or only those requests which match one or more of the conditions you set. These conditions are based on the request and response properties (request, header, response header and server variables).
* Choose to route the request (select the backend pool) based on either the original URL or the rewritten URL
Application Gateway supports the following server variables for mutual authentic
| Variable name | Description | | - | |
-| client_certificate | The client certificate in PEM formate for an established SSL connection. |
+| client_certificate | The client certificate in PEM format for an established SSL connection. |
| client_certificate_end_date| The end date of the client certificate. | | client_certificate_fingerprint| The SHA1 fingerprint of the client certificate for an established SSL connection. | | client_certificate_issuer | The "issuer DN" string of the client certificate for an established SSL connection. |
A rewrite rule set contains:
* **Rewrite Condition**: It is an optional configuration. Rewrite conditions evaluate the content of the HTTP(S) requests and responses. The rewrite action will occur if the HTTP(S) request or response matches the rewrite condition. If you associate more than one condition with an action, the action occurs only when all the conditions are met. In other words, the operation is a logical AND operation.
-* **Rewrite type**: There are 3 types of rewrites available:
+* **Rewrite type**: There are 3 types of rewrites available:
* Rewriting request headers
- * Rewriting response headers.
- * Rewriting URL: URL rewrite type has 3 components
+ * Rewriting response headers
+ * Rewriting URL components
* **URL path**: The value to which the path is to be rewritten to. * **URL Query String**: The value to which the query string is to be rewritten to. * **Re-evaluate path map**: Used to determine whether the URL path map is to be re-evaluated or not. If kept unchecked, the original URL path will be used to match the path-pattern in the URL path map. If set to true, the URL path map will be re-evaluated to check the match with the rewritten path. Enabling this switch helps in routing the request to a different backend pool post rewrite.
-## Rewrite configuration common pitfall
+## Rewrite configuration common pitfalls
* Enabling 'Re-evaluate path map' is not allowed for basic request routing rules. This is to prevent infinite evaluation loop for a basic routing rule.
Application Gateway inserts an X-Forwarded-For header into all requests before i
When a back-end application sends a redirection response, you might want to redirect the client to a different URL than the one specified by the back-end application. For example, you might want to do this when an app service is hosted behind an application gateway and requires the client to do a redirection to its relative path. (For example, a redirect from contoso.azurewebsites.net/path1 to contoso.azurewebsites.net/path2.)
-Because App Service is a multitenant service, it uses the host header in the request to route the request to the correct endpoint. App services have a default domain name of *.azurewebsites.net (say contoso.azurewebsites.net) that's different from the application gateway's domain name (say contoso.com). Because the original request from the client has the application gateway's domain name (contoso.com) as the hostname, the application gateway changes the hostname to contoso.azurewebsites.net. It makes this change so that the app service can route the request to the correct endpoint.
+Because App Service is a multitenant service, it uses the host header in the request to route the request to the correct endpoint. App services have a default domain name of \*.azurewebsites.net (say contoso.azurewebsites.net) that's different from the application gateway's domain name (say contoso.com). Because the original request from the client has the application gateway's domain name (contoso.com) as the hostname, the application gateway changes the hostname to contoso.azurewebsites.net. It makes this change so that the app service can route the request to the correct endpoint.
When the app service sends a redirection response, it uses the same hostname in the location header of its response as the one in the request it receives from the application gateway. So the client will make the request directly to `contoso.azurewebsites.net/path2` instead of going through the application gateway (`contoso.com/path2`). Bypassing the application gateway isn't desirable.
You can evaluate an HTTP request or response header for the presence of a header
#### Parameter based path selection
-To accomplish scenarios where you want to choose the backend pool based on the value of a header, part of the URL, or query string in the request, you can use the combination of URL Rewrite capability and path-based routing. For example, if you have a shopping website, and the product category is passed as query string in the URL and you want to route the request to backend based on the query string ,then:
+To accomplish scenarios where you want to choose the backend pool based on the value of a header, part of the URL, or query string in the request, you can use the combination of URL Rewrite capability and path-based routing. For example, if you have a shopping website and the product category is passed as query string in the URL, and you want to route the request to backend based on the query string, then:
**Step1:** Create a path-map as shown in the image below
To accomplish scenarios where you want to choose the backend pool based on the v
**Step 2 (a):** Create a rewrite set which has 3 rewrite rules:
-* The first rule has a condition that checks the *query_string* variable for *category=shoes* and has an action that rewrites the URL path to /*listing1* and has **Re-evaluate path map** enabled
+* The first rule has a condition that checks the *query_string* variable for *category=shoes* and has an action that rewrites the URL path to /*listing1* and has **Re-evaluate path map** enabled
-* The second rule has a condition that checks the *query_string* variable for *category=bags* and has an action that rewrites the URL path to /*listing2* and has **Re-evaluate path map** enabled
+* The second rule has a condition that checks the *query_string* variable for *category=bags* and has an action that rewrites the URL path to /*listing2* and has **Re-evaluate path map** enabled
-* The third rule has a condition that checks the *query_string* variable for *category=accessories* and has an action that rewrites the URL path to /*listing3* and has **Re-evaluate path map** enabled
+* The third rule has a condition that checks the *query_string* variable for *category=accessories* and has an action that rewrites the URL path to /*listing3* and has **Re-evaluate path map** enabled
:::image type="content" source="./media/rewrite-http-headers-url/url-scenario1-2.png" alt-text="URL rewrite scenario 1-2.":::
To accomplish scenarios where you want to choose the backend pool based on the v
Now, if the user requests *contoso.com/listing?category=any*, then it will be matched with the default path since none of the path patterns in the path map (/listing1, /listing2, /listing3) will match. Since you associated the above rewrite set with this path, this rewrite set will be evaluated. As the query string will not match the condition in any of the 3 rewrite rules in this rewrite set, no rewrite action will take place and therefore, the request will be routed unchanged to the backend associated with the default path (which is *GenericList*).
- If the user requests *contoso.com/listing?category=shoes,* then again the default path will be matched. However, in this case the condition in the first rule will match and therefore, the action associated with the condition will be executed which will rewrite the URL path to /*listing1* and re-evaluate the path-map. When the path-map is re-evaluated, the request will now match the path associated with pattern */listing1* and the request will be routed to the backend associated with this pattern, which is ShoesListBackendPool
+If the user requests *contoso.com/listing?category=shoes*, then again the default path will be matched. However, in this case the condition in the first rule will match and therefore, the action associated with the condition will be executed which will rewrite the URL path to /*listing1* and re-evaluate the path-map. When the path-map is re-evaluated, the request will now match the path associated with pattern */listing1* and the request will be routed to the backend associated with this pattern, which is ShoesListBackendPool.
>[!NOTE]
->This scenario can be extended to any header or cookie value, URL path, query string or server variables based on the condition defined and essentially enables you to route requests based on those conditions.
+>This scenario can be extended to any header or cookie value, URL path, query string or server variables based on the conditions defined and essentially enables you to route requests based on those conditions.
#### Rewrite query string parameters based on the URL
For a step-by-step guide to achieve the scenario described above, see [Rewrite U
### URL rewrite vs URL redirect
-In case of URL rewrite, Application Gateway rewrites the URL before the request is sent to the backend. This will not change what users see in the browser because the changes are hidden from the user.
+In the case of a URL rewrite, Application Gateway rewrites the URL before the request is sent to the backend. This will not change what users see in the browser because the changes are hidden from the user.
-In case of URL redirect, Application Gateway sends a redirect response to the client with the new URL. That, in turn, requires the client to resend its request to the new URL provided in the redirect. URL that user sees in the browser will update to the new URL
+In the case of a URL redirect, Application Gateway sends a redirect response to the client with the new URL. That, in turn, requires the client to resend its request to the new URL provided in the redirect. The URL that the user sees in the browser will update to the new URL.
:::image type="content" source="./media/rewrite-http-headers-url/url-rewrite-vs-redirect.png" alt-text="Rewrite vs Redirect.":::
In case of URL redirect, Application Gateway sends a redirect response to the cl
- If a response has more than one header with the same name, then rewriting the value of one of those headers will result in dropping the other headers in the response. This can usually happen with Set-Cookie header since you can have more than one Set-Cookie header in a response. One such scenario is when you are using an app service with an application gateway and have configured cookie-based session affinity on the application gateway. In this case the response will contain two Set-Cookie headers: one used by the app service, for example: `Set-Cookie: ARRAffinity=ba127f1caf6ac822b2347cc18bba0364d699ca1ad44d20e0ec01ea80cda2a735;Path=/;HttpOnly;Domain=sitename.azurewebsites.net` and another for application gateway affinity, for example, `Set-Cookie: ApplicationGatewayAffinity=c1a2bd51lfd396387f96bl9cc3d2c516; Path=/`. Rewriting one of the Set-Cookie headers in this scenario can result in removing the other Set-Cookie header from the response. - Rewrites are not supported when the application gateway is configured to redirect the requests or to show a custom error page.-- Header names can contain any alphanumeric characters and specific symbols as defined in [RFC 7230](https://tools.ietf.org/html/rfc7230#page-27). We don't currently support the underscore (_) special character in Header names.
+- Header names can contain any alphanumeric characters and specific symbols as defined in [RFC 7230](https://tools.ietf.org/html/rfc7230#page-27). We don't currently support the underscore (\_) special character in Header names.
- Connection and upgrade headers cannot be rewritten ## Next steps
application-gateway Create Vmss Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/scripts/create-vmss-cli.md
This script uses the following commands to create the deployment. Each item in t
||| | [az group create](/cli/azure/group) | Creates a resource group in which all resources are stored. | | [az network vnet create](/cli/azure/network/vnet) | Creates a virtual network. |
-| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) | Creates a subnet in a virtual network. |
+| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) | Creates a subnet in a virtual network. |
| [az network public-ip create](/cli/azure/network/public-ip) | Creates the public IP address for the application gateway. | | [az network application-gateway create](/cli/azure/network/application-gateway) | Create an application gateway. | | [az vmss create](/cli/azure/vmss) | Creates a virtual machine scale set. |
application-gateway Create Vmss Waf Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/scripts/create-vmss-waf-cli.md
This script uses the following commands to create the deployment. Each item in t
| Command | Notes | |||
-| [az group create](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) | Creates a virtual network. |
-| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) | Creates a subnet in a virtual network. |
+| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) | Creates a virtual network. |
+| [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) | Creates a subnet in a virtual network. |
| [az network public-ip create](/cli/azure/network/public-ip) | Creates the public IP address for the application gateway. | | [az network application-gateway create](/cli/azure/network/application-gateway) | Create an application gateway. |
-| [az vmss create](/cli/azure/vmss#az-vmss-create) | Creates a virtual machine scale set. |
-| [az storage account create](/cli/azure/storage/account#az-storage-account-create) | Creates a storage account. |
-| [az monitor diagnostic-settings create](/cli/azure/monitor/diagnostic-settings#az-monitor-diagnostic-settings-create) | Creates a storage account. |
-| [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show) | Gets the public IP address of the application gateway. |
+| [az vmss create](/cli/azure/vmss#az_vmss_create) | Creates a virtual machine scale set. |
+| [az storage account create](/cli/azure/storage/account#az_storage_account_create) | Creates a storage account. |
+| [az monitor diagnostic-settings create](/cli/azure/monitor/diagnostic-settings#az_monitor_diagnostic_settings_create) | Creates a storage account. |
+| [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) | Gets the public IP address of the application gateway. |
## Next steps
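Review bot: The `az monitor diagnostic-settings create` row keeps the Notes text "Creates a storage account.", which duplicates the `az storage account create` row above it and is carried unchanged from the `-` line to the `+` line. Since this row is being touched anyway, change the description to say that the command creates diagnostic settings for a resource.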
application-gateway Tutorial Ingress Controller Add On Existing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-ingress-controller-add-on-existing.md
In this tutorial, you learn how to:
## Create a resource group
-In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region).
+In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region).
```azurecli-interactive az group create --name myResourceGroup --location canadacentral
In the following example, you'll be deploying a new AKS cluster named *myCluster
az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity ```
-To configure additional parameters for the `az aks create` command, visit references [here](/cli/azure/aks#az-aks-create).
+To configure additional parameters for the `az aks create` command, visit references [here](/cli/azure/aks#az_aks_create).
## Deploy a new Application Gateway
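Review bot: The `+` line keeps "visit references [here]" as the link text. The matching sentence in tutorial-ingress-controller-add-on-new.md uses "see [these references]"; a descriptive label that names the `az aks create` reference would read better and gives screen readers something meaningful to announce.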
application-gateway Tutorial Ingress Controller Add On New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-ingress-controller-add-on-new.md
In this tutorial, you learn how to:
## Create a resource group
-In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region):
+In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az_group_create). The following example creates a resource group named *myResourceGroup* in the *canadacentral* location (region):
```azurecli-interactive az group create --name myResourceGroup --location canadacentral
Deploying a new AKS cluster with the AGIC add-on enabled without specifying an e
az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.2.0.0/16" --generate-ssh-keys ```
-To configure additional parameters for the `az aks create` command, see [these references](/cli/azure/aks#az-aks-create).
+To configure additional parameters for the `az aks create` command, see [these references](/cli/azure/aks#az_aks_create).
> [!NOTE] > The AKS cluster that you created will appear in the resource group that you created, *myResourceGroup*. However, the automatically created Application Gateway instance will be in the node resource group, where the agent pools are. The node resource group by is named *MC_resource-group-name_cluster-name_location* by default, but can be modified.
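Review bot: The NOTE in the trailing context still reads "The node resource group by is named *MC_resource-group-name_cluster-name_location* by default", with a stray "by" before "is named". Fix it in the same pass, since readers rely on this sentence to find the resource group that holds the automatically created Application Gateway instance.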
application-gateway Tutorial Manage Web Traffic Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-manage-web-traffic-cli.md
If you prefer, you can complete this procedure using [Azure PowerShell](tutorial
## Create a resource group
-A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using [az group create](/cli/azure/group#az-group-create).
+A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using [az group create](/cli/azure/group#az_group_create).
The following example creates a resource group named *myResourceGroupAG* in the *eastus* location.
az network application-gateway create \
## Create a Virtual Machine Scale Set
-In this example, you create a virtual machine scale set that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, use [az vmss create](/cli/azure/vmss#az-vmss-create).
+In this example, you create a virtual machine scale set that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, use [az vmss create](/cli/azure/vmss#az_vmss_create).
```azurecli-interactive az vmss create \
application-gateway Tutorial Multiple Sites Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-multiple-sites-cli.md
az network public-ip create \
## Create the application gateway
-You can use [az network application-gateway create](/cli/azure/network/application-gateway#az-network-application-gateway-create) to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings. The application gateway is assigned to *myAGSubnet* and *myAGPublicIPAddress* that you previously created.
+You can use [az network application-gateway create](/cli/azure/network/application-gateway#az_network_application_gateway_create) to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings. The application gateway is assigned to *myAGSubnet* and *myAGPublicIPAddress* that you previously created.
```azurecli-interactive az network application-gateway create \
It may take several minutes for the application gateway to be created. After the
### Add the backend pools
-Add the backend pools that are needed to contain the backend servers using [az network application-gateway address-pool create](/cli/azure/network/application-gateway/address-pool#az-network-application-gateway-address-pool-create)
+Add the backend pools that are needed to contain the backend servers using [az network application-gateway address-pool create](/cli/azure/network/application-gateway/address-pool#az_network_application_gateway_address-pool_create)
```azurecli-interactive az network application-gateway address-pool create \ --gateway-name myAppGateway \
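Review bot: The new anchor on the `+` line, `#az_network_application_gateway_address-pool_create`, still has a hyphen in `address-pool`, while every other anchor converted in this file uses underscores throughout (for example `#az_network_application_gateway_http_listener_create` and `#az_network_public_ip_show`). Confirm which form the CLI reference page generates and make the anchor match, otherwise the link opens the page without jumping to the command. The sentence also still ends without a period.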
az network application-gateway address-pool create \
### Add listeners
-Add listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az-network-application-gateway-http-listener-create).
+Add listeners that are needed to route traffic using [az network application-gateway http-listener create](/cli/azure/network/application-gateway/http-listener#az_network_application_gateway_http_listener_create).
>[!NOTE] > With Application Gateway or WAF v2 SKU, you can also configure up to 5 host names per listener and you can use wildcard characters in the host name. See [wildcard host names in listener](multiple-site-overview.md#wildcard-host-names-in-listener-preview) for more information.
az network application-gateway http-listener create \
Rules are processed in the order they're listed. Traffic is directed using the first rule that matches regardless of specificity. For example, if you have a rule using a basic listener and a rule using a multi-site listener both on the same port, the rule with the multi-site listener must be listed before the rule with the basic listener in order for the multi-site rule to function as expected.
-In this example, you create two new rules and delete the default rule created when you deployed the application gateway. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az-network-application-gateway-rule-create).
+In this example, you create two new rules and delete the default rule created when you deployed the application gateway. You can add the rule using [az network application-gateway rule create](/cli/azure/network/application-gateway/rule#az_network_application_gateway_rule_create).
```azurecli-interactive az network application-gateway rule create \
done
## Create a CNAME record in your domain
-After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create.
+After the application gateway is created with its public IP address, you can get the DNS address and use it to create a CNAME record in your domain. You can use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show) to get the DNS address of the application gateway. Copy the *fqdn* value of the DNSSettings and use it as the value of the CNAME record that you create.
```azurecli-interactive az network public-ip show \
application-gateway Tutorial Ssl Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-ssl-cli.md
az network application-gateway create \
## Create a virtual machine scale set
-In this example, you create a virtual machine scale set that provides servers for the default backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az-vmss-create).
+In this example, you create a virtual machine scale set that provides servers for the default backend pool in the application gateway. The virtual machines in the scale set are associated with *myBackendSubnet* and *appGatewayBackendPool*. To create the scale set, you can use [az vmss create](/cli/azure/vmss#az_vmss_create).
```azurecli-interactive az vmss create \
application-gateway Tutorial Url Redirect Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/tutorial-url-redirect-cli.md
done
## Test the application gateway
-To get the public IP address of the application gateway, use [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show). Copy the public IP address, and then paste it into the address bar of your browser. Such as, `http://40.121.222.19`, `http://40.121.222.19:8080/images/test.htm`, `http://40.121.222.19:8080/video/test.htm`, or `http://40.121.222.19:8081/images/test.htm`.
+To get the public IP address of the application gateway, use [az network public-ip show](/cli/azure/network/public-ip#az_network_public_ip_show). Copy the public IP address, and then paste it into the address bar of your browser. Such as, `http://40.121.222.19`, `http://40.121.222.19:8080/images/test.htm`, `http://40.121.222.19:8080/video/test.htm`, or `http://40.121.222.19:8081/images/test.htm`.
```azurecli-interactive az network public-ip show \
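Review bot: The changed sentence keeps a concrete public address, `40.121.222.19`, in four example URLs and introduces them with the fragment "Such as,". Use a placeholder such as `http://<public-ip-address>:8080/images/test.htm` so readers substitute their own gateway address instead of browsing to one they do not control, and fold the examples into a full sentence beginning "For example,".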
azure-app-configuration Howto Integrate Azure Managed Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-integrate-azure-managed-service-identity.md
git add .
git commit -m "Initial version" ```
-To enable local Git deployment for your app with the Kudu build server, run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/#az-webapp-deployment-source-config-local-git) in Cloud Shell.
+To enable local Git deployment for your app with the Kudu build server, run [`az webapp deployment source config-local-git`](/cli/azure/webapp/deployment/#az_webapp_deployment_source_config_local_git) in Cloud Shell.
```azurecli-interactive az webapp deployment source config-local-git --name <app_name> --resource-group <group_name>
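Review bot: On the `+` line the link path is `/cli/azure/webapp/deployment/` with a trailing slash, but the anchor names a command in the `source` subgroup (`az_webapp_deployment_source_config_local_git`). The other links in this batch point at the page for the group that owns the command, as in `/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create`, so check whether the path should end in `deployment/source`. Renaming the anchor alone will not fix a link that targets the wrong page.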
azure-app-configuration Integrate Kubernetes Deployment Helm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/integrate-kubernetes-deployment-helm.md
settings:
First, download the configuration from App Configuration to a *myConfig.yaml* file. Use a key filter to only download those keys that start with **settings.**. If in your case the key filter is not sufficient to exclude keys of Key Vault references, you may use the argument **--skip-keyvault** to exclude them. > [!TIP]
-> Learn more about the [export command](/cli/azure/appconfig/kv#az-appconfig-kv-export).
+> Learn more about the [export command](/cli/azure/appconfig/kv#az_appconfig_kv_export).
```azurecli-interactive az appconfig kv export -n myAppConfiguration -d file --path myConfig.yaml --key "settings.*" --separator "." --format yaml
azure-app-configuration Overview Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/overview-managed-identity.md
The following steps will walk you through creating a user-assigned identity and
## Removing an identity
-A system-assigned identity can be removed by disabling the feature by using the [az appconfig identity remove](/cli/azure/appconfig/identity#az-appconfig-identity-remove) command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way will also delete it from AAD. System-assigned identities are also automatically removed from AAD when the app resource is deleted.
+A system-assigned identity can be removed by disabling the feature by using the [az appconfig identity remove](/cli/azure/appconfig/identity#az_appconfig_identity_remove) command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way will also delete it from AAD. System-assigned identities are also automatically removed from AAD when the app resource is deleted.
## Next steps > [!div class="nextstepaction"] > [Create an ASP.NET Core app with Azure App Configuration](quickstart-aspnet-core-app.md)
-[az appconfig identity assign]: /cli/azure/appconfig/identity#az-appconfig-identity-assign
-[az login]: /cli/azure/reference-index#az-login
+[az appconfig identity assign]: /cli/azure/appconfig/identity#az_appconfig_identity_assign
+[az login]: /cli/azure/reference-index#az_login
azure-app-configuration Cli Create Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/scripts/cli-create-service.md
This script uses the following commands to create a new resource group and an Ap
| Command | Notes | |||
-| [az group create](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. |
-| [az appconfig create](/cli/azure/appconfig#az-appconfig-create) | Creates an App Configuration store resource. |
-| [az appconfig credential list](/cli/azure/appconfig/credential#az-appconfig-credential-list) | List access keys for an App Configuration store. |
+| [az group create](/cli/azure/group#az_group_create) | Creates a resource group in which all resources are stored. |
+| [az appconfig create](/cli/azure/appconfig#az_appconfig_create) | Creates an App Configuration store resource. |
+| [az appconfig credential list](/cli/azure/appconfig/credential#az_appconfig_credential_list) | List access keys for an App Configuration store. |
## Next steps
azure-app-configuration Cli Delete Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/scripts/cli-delete-service.md
This script uses the following commands to delete an App Configuration store. Ea
| Command | Notes | |||
-| [az appconfig delete](/cli/azure/appconfig#az-appconfig-delete) | Deletes an App Configuration store resource. |
+| [az appconfig delete](/cli/azure/appconfig#az_appconfig_delete) | Deletes an App Configuration store resource. |
## Next steps
azure-app-configuration Cli Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/scripts/cli-export.md
This script uses the following commands to export from an App Configuration stor
| Command | Notes | |||
-| [az appconfig kv export](/cli/azure/appconfig/kv#az-appconfig-kv-export) | Exports from an App Configuration store resource. |
+| [az appconfig kv export](/cli/azure/appconfig/kv#az_appconfig_kv_export) | Exports from an App Configuration store resource. |
## Next steps
azure-app-configuration Cli Import https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/scripts/cli-import.md
This script uses the following commands to import to an App Configuration store.
| Command | Notes | |||
-| [az appconfig kv import](/cli/azure/appconfig/kv#az-appconfig-kv-import) | Imports to an App Configuration store resource. |
+| [az appconfig kv import](/cli/azure/appconfig/kv#az_appconfig_kv_import) | Imports to an App Configuration store resource. |
## Next steps
azure-app-configuration Cli Work With Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/scripts/cli-work-with-keys.md
This table lists the commands used in our sample script.
| Command | Notes | |||
-| [az appconfig kv set](/cli/azure/appconfig/kv#az-appconfig-kv-set) | Create or update a key-value pair. |
-| [az appconfig kv list](/cli/azure/appconfig/kv#az-appconfig-kv-list) | List key-value pairs in an App Configuration store. |
-| [az appconfig kv delete](/cli/azure/appconfig/kv#az-appconfig-kv-delete) | Delete a key-value pair. |
+| [az appconfig kv set](/cli/azure/appconfig/kv#az_appconfig_kv_set) | Create or update a key-value pair. |
+| [az appconfig kv list](/cli/azure/appconfig/kv#az_appconfig_kv_list) | List key-value pairs in an App Configuration store. |
+| [az appconfig kv delete](/cli/azure/appconfig/kv#az_appconfig_kv_delete) | Delete a key-value pair. |
## Next steps
azure-app-configuration Use Key Vault References Dotnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/use-key-vault-references-dotnet-core.md
To add a secret to the vault, you need to take just a few additional steps. In t
## Connect to Key Vault
-1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command:
+1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command:
```azurecli az ad sp create-for-rbac -n "http://mySP" --sdk-auth
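Review bot: The anchor rename is fine, but the command in the trailing context, `az ad sp create-for-rbac -n "http://mySP" --sdk-auth`, is shown with no `--role` or `--scopes`, and `--sdk-auth` prints the new service principal's client secret in its JSON output. Nothing in the visible step tells readers to treat that output as a credential or to limit the principal to the Key Vault access the tutorial needs; add both points next to the command. The same line appears in the Spring Boot article's hunk.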
azure-app-configuration Use Key Vault References Spring Boot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/use-key-vault-references-spring-boot.md
To add a secret to the vault, you need to take just a few additional steps. In t
## Connect to Key Vault
-1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command:
+1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az_ad_sp_create_for_rbac) command:
```azurecli az ad sp create-for-rbac -n "http://mySP" --sdk-auth
azure-australia Reference Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/reference-library.md
This resource library contains additional links and references that are relevant
* [Azure Key Vault Overview](../key-vault/general/overview.md) * [About keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md) * [Configure Azure Key Vault firewalls and virtual networks](../key-vault/general/network-security.md)
-* [Secure access to a key vault](../key-vault/general/secure-your-key-vault.md)
+* [Secure access to a key vault](../key-vault/general/security-overview.md)
* [Azure Data Encryption-at-Rest](../security/fundamentals/encryption-atrest.md) * [How to use Azure Key Vault with Azure Windows Virtual Machines in .NET](../key-vault/general/tutorial-net-virtual-machine.md) * [Azure Key Vault managed storage account - PowerShell](../key-vault/general/tutorial-net-virtual-machine.md)
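Review bot: In the trailing context line, the entry `[Azure Key Vault managed storage account - PowerShell]` links to `../key-vault/general/tutorial-net-virtual-machine.md`, the same target as the .NET virtual machine tutorial entry just before it, so one of the two targets looks wrong and should be checked while this list is being edited. Also confirm that the link text "Secure access to a key vault" still matches the page it now points to, `security-overview.md`.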
azure-cache-for-redis Cache How To Redis Cli Tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-redis-cli-tool.md
If you want to run the command-line tool on another platform, download Azure Cac
You can gather the information needed to access the cache using three methods:
-1. Azure CLI using [az redis list-keys](/cli/azure/redis#az-redis-list-keys)
+1. Azure CLI using [az redis list-keys](/cli/azure/redis#az_redis_list_keys)
2. Azure PowerShell using [Get-AzRedisCacheKey](/powershell/module/az.rediscache/Get-AzRedisCacheKey) 3. Using the Azure portal.
azure-functions Configure Encrypt At Rest Using Cmk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/configure-encrypt-at-rest-using-cmk.md
Adding this application setting causes your function app to restart. After the a
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.
-1. Use the following [`az keyvault create`](/cli/azure/keyvault#az-keyvault-create) command to create a Key Vault instance.
+1. Use the following [`az keyvault create`](/cli/azure/keyvault#az_keyvault_create) command to create a Key Vault instance.
```azurecli az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus
Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application sett
1. Follow [these instructions to grant your app access](../app-service/app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault:
-1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az-keyvault-secret-set) command to add your external URL as a secret in your key vault:
+1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az_keyvault_secret_set) command to add your external URL as a secret in your key vault:
```azurecli az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>" ```
-1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:
+1. Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:
```azurecli az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
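Review bot: The Key Vault reference in the context line right after the renamed `az webapp config appsettings set` link is unbalanced: `@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"` opens a parenthesis and reaches the closing quote without a `)`. Since this step is being touched anyway, add the `)` after `<secret-version>` so the sample matches the `@Microsoft.KeyVault(...)` form the step describes; a reader copying it as shown would set a malformed reference for `WEBSITE_RUN_FROM_PACKAGE`.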
azure-functions Create First Function Cli Csharp Ieux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-csharp-ieux.md
Before you can deploy your function code to Azure, you need to create a <abbr ti
az group create --name AzureFunctionsQuickstart-rg --location westeurope ```
- The [az group create](/cli/azure/group#az-group-create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.
+ The [az group create](/cli/azure/group#az_group_create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.
# [Azure PowerShell](#tab/azure-powershell)
azure-functions Create First Function Cli Java Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-java-uiex.md
To create a function app running on Linux instead of Windows, change the `runtim
az login ```
- The [az login](/cli/azure/reference-index#az-login) command signs you into your Azure account.
+ The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.
# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell
azure-functions Create First Function Cli Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-java.md
A function app and related resources are created in Azure when you first deploy
az login ```
- The [az login](/cli/azure/reference-index#az-login) command signs you into your Azure account.
+ The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.
# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell
azure-functions Create First Function Cli Node https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-node.md
Each binding requires a direction, a type, and a unique name. The HTTP trigger h
az functionapp create --resource-group AzureFunctionsQuickstart-rg --consumption-plan-location westeurope --runtime node --runtime-version 12 --functions-version 3 --name <APP_NAME> --storage-account <STORAGE_NAME> ```
- The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure. If you're using Node.js 10, also change `--runtime-version` to `10`.
+ The [az functionapp create](/cli/azure/functionapp#az_functionapp_create) command creates the function app in Azure. If you're using Node.js 10, also change `--runtime-version` to `10`.
# [Azure PowerShell](#tab/azure-powershell)
azure-functions Create First Function Cli Python Uiex https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-python-uiex.md
Before you can deploy your function code to Azure, you need to create a <abbr ti
az login ```
- The [az login](/cli/azure/reference-index#az-login) command signs you into your Azure account.
+ The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.
# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell
Before you can deploy your function code to Azure, you need to create a <abbr ti
az group create --name AzureFunctionsQuickstart-rg --location westeurope ```
- The [az group create](/cli/azure/group#az-group-create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.
+ The [az group create](/cli/azure/group#az_group_create) command creates a resource group. You generally create your resource group and resources in a <abbr title="A geographical reference to a specific Azure datacenter in which resources are allocated.">region</abbr> near you, using an available region returned from the `az account list-locations` command.
# [Azure PowerShell](#tab/azure-powershell)
Before you can deploy your function code to Azure, you need to create a <abbr ti
az storage account create --name <STORAGE_NAME> --location westeurope --resource-group AzureFunctionsQuickstart-rg --sku Standard_LRS ```
- The [az storage account create](/cli/azure/storage/account#az-storage-account-create) command creates the storage account.
+ The [az storage account create](/cli/azure/storage/account#az_storage_account_create) command creates the storage account.
# [Azure PowerShell](#tab/azure-powershell)
azure-functions Create First Function Cli Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-python.md
Use the following commands to create these items. Both Azure CLI and PowerShell
az login ```
- The [az login](/cli/azure/reference-index#az-login) command signs you into your Azure account.
+ The [az login](/cli/azure/reference-index#az_login) command signs you into your Azure account.
# [Azure PowerShell](#tab/azure-powershell) ```azurepowershell
Use the following commands to create these items. Both Azure CLI and PowerShell
az group create --name AzureFunctionsQuickstart-rg --location westeurope ```
- The [az group create](/cli/azure/group#az-group-create) command creates a resource group. You generally create your resource group and resources in a region near you, using an available region returned from the `az account list-locations` command.
+ The [az group create](/cli/azure/group#az_group_create) command creates a resource group. You generally create your resource group and resources in a region near you, using an available region returned from the `az account list-locations` command.
# [Azure PowerShell](#tab/azure-powershell)
Use the following commands to create these items. Both Azure CLI and PowerShell
az storage account create --name <STORAGE_NAME> --location westeurope --resource-group AzureFunctionsQuickstart-rg --sku Standard_LRS ```
- The [az storage account create](/cli/azure/storage/account#az-storage-account-create) command creates the storage account.
+ The [az storage account create](/cli/azure/storage/account#az_storage_account_create) command creates the storage account.
# [Azure PowerShell](#tab/azure-powershell)
azure-functions