+>If you're unable to create Azure AD B2C tenant, [review your user settings page](tenant-management-check-tenant-creation-permission.md) to ensure that tenant creation isn't switched off. If tenant creation is switched on, ask your _Global Administrator_ to assign you a _Tenant Creator_ role.

+A domain name is an important part of the identifier for resources in many Azure Active Directory (Azure AD) deployments. It's part of a user name or email address for a user, part of the address for a group, and is sometimes part of the app ID URI for an application. A resource in Azure AD can include a domain name that's owned by the Azure AD organization (sometimes called a tenant) that contains the resource. [Global Administrators](../roles/permissions-reference.md#global-administrator) and [Domain name administrators](../roles/permissions-reference.md#domain-name-administrator) can manage domains in Azure AD.

+1. Select the **+ Create a resource** button found on the upper left-hand corner of the Azure portal.

+2. Select **Storage**, then **Storage account - blob, file, table, queue**.

+6. Select **Create**.

+2. Under **Blob Service**, select **Containers**.

+3. Select **+ Container** on the top of the page.

+7. In the **Upload blob** pane, under **Files**, select the folder icon and browse to the file **hello_world.txt** on your local machine, select the file, then select **Upload**.

+1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page select **Connect**. Copy the string to connect to your VM.

+Alternatively, you could also store the token in a variable and pass it to the second command as shown:

+```bash

+# Run the first curl command and capture its output in a variable

+access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r '.access_token')

+# Run the second curl command with the access token

+curl "https://<STORAGE ACCOUNT>.blob.core.windows.net/<CONTAINER NAME>/<FILE NAME>" \

+ -H "x-ms-version: 2017-11-09" \

+ -H "Authorization: Bearer $access_token"

+```

+#### Delete a configuration

+Follows these steps to delete a configuration on the **Configurations** page.

+1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization (Preview)**.

+1. On the **Configurations** page, add a check mark next to the configuration you want to delete.

+1. Select **Delete** and then **OK** to delete the configuration.

+ :::image type="content" source="./media/cross-tenant-synchronization-configure/configurations-delete.png" alt-text="Screenshot of the Configurations page showing how to delete a configuration." lightbox="./media/cross-tenant-synchronization-configure/configurations-delete.png":::

+```powershell

+Virtual network integration depends on a dedicated subnet. When you create a subnet, the Azure subnet consumes five IPs from the start. One address is used from the integration subnet for each App Service plan instance. If you scale your app to four instances, then four addresses are used.

+When you scale up or down in size, the required address space is doubled for a short period of time. The scale operation affects the real, available supported instances for a given subnet size. Platform upgrades need free IP addresses to ensure upgrade can happen without interruptions to outbound traffic. Finally, after scale up, down or in operations complete, there might be a short period of time before IP addresses are released.

+Because subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. You should also reserve IP addresses for platform upgrades. To avoid any issues with subnet capacity, use a `/26` with 64 addresses. When you're creating subnets in Azure portal as part of integrating with the virtual network, a minimum size of /27 is required. If the subnet already exists before integrating through the portal, you can use a /28 subnet.

+description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Azure AD in your Azure tenant.

+In this article, we provide a script that creates an Immersive Reader resource and configure Azure Active Directory (Azure AD) authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Azure AD permissions.

+The script is designed to be flexible. It first looks for existing Immersive Reader and Azure AD resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Azure AD for an existing Immersive Reader resource that was created in the portal, it does that too.

+It can also be used to create and configure multiple Immersive Reader resources.

+## Permissions

+The listed **Owner** of your Azure subscription has all the required permissions to create an Immersive Reader resource and configure Azure AD authentication.

+If you aren't an owner, the following scope-specific permissions are required:

+* **Contributor**. You need to have at least a Contributor role associated with the Azure subscription:

+ :::image type="content" source="media/contributor-role.png" alt-text="Screenshot of contributor built-in role description.":::

+* **Application Developer**. You need to have at least an Application Developer role associated in Azure AD:

+ :::image type="content" source="media/application-developer-role.png" alt-text="{alt-text}":::

+For more information, _see_ [Azure AD built-in roles](../../active-directory/roles/permissions-reference.md#application-developer)

+1. Run the function `Create-ImmersiveReaderResource`, supplying the '<PARAMETER_VALUES>' placeholders with your own values as appropriate.

+ The full command looks something like the following. Here we have put each parameter on its own line for clarity, so you can see the whole command. __Do not copy or use this command as-is.__ Copy and use the command with your own values. This example has dummy values for the '<PARAMETER_VALUES>'. Yours may be different, as you come up with your own names for these values.

+ | ResourceName | Must be alphanumeric, and may contain '-', as long as the '-' isn't the first or last character. Length may not exceed 63 characters.|

+ | ResourceSubdomain |A custom subdomain is needed for your Immersive Reader resource. The subdomain is used by the SDK when calling the Immersive Reader service to launch the Reader. The subdomain must be globally unique. The subdomain must be alphanumeric, and may contain '-', as long as the '-' isn't the first or last character. Length may not exceed 63 characters. This parameter is optional if the resource already exists. |

+ | ResourceGroupName |Resources are created in resource groups within subscriptions. Supply the name of an existing resource group. If the resource group doesn't already exist, a new one with this name is created. |

+ | AADAppDisplayName |The Azure Active Directory application display name. If an existing Azure AD application isn't found, a new one with this name is created. This parameter is optional if the Azure AD application already exists. |

+ | AADAppIdentifierUri |The URI for the Azure AD application. If an existing Azure AD application isn't found, a new one with this URI is created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we're using the default Azure AD URI scheme prefix of `api://` for compatibility with the [Azure AD policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). |

+ | AADAppClientSecretExpiration |The date or datetime after which your Azure AD Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Azure AD application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Azure Active Directory -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Azure AD application secrets" screenshot).|

+* Windows Server 2022 (including Server Core)

+ | **Version** | 6 (LTS) | This tutorial uses .NET 6.0 running [in the same process as the Functions host](./functions-dotnet-class-library.md). |

+ | **[Plan](./functions-scale.md)** | Functions Premium | Hosting plan that defines how resources are allocated to your function app. By default, when you select **Premium**, a new App Service plan is created. The default **Sku and size** is **EP1**, where *EP* stands for _elastic premium_. For more information, see the list of [Premium SKUs](./functions-premium-plan.md#available-instance-skus).<br/><br/>When you run JavaScript functions on a Premium plan, choose an instance that has fewer vCPUs. For more information, see [Choose single-core Premium plans](./functions-reference-node.md#considerations-for-javascript-functions). |

+1. Select **Next: Storage**. On the **Storage** page, enter the following settings.

+ | **Enable public access** | Off | Deny public network access will block all incoming traffic except that comes from private endpoints.|

+| Feb 2023 | **Windows** <ul><li>Reliability improvements in fluentbit buffering to handle larger text files</li></ul> | 1.13.1.0 | Coming soon |

+1. The `Az Powershell` module to pull workspace agent configuration information. Make sure `Az.Accounts` and `Az.OperationalInsights` modules are installed.

+2. The Data Collection rules can only target the Azure AD tenant scope, i.e. all DCRs associated to the tenant (via Monitored Object) will apply to all Windows client machines within that tenant with the agent installed using this client installer. **Granular targeting using DCRs is not supported** for Windows client devices yet

+"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/components/{resourceName}"

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.11.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.11.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.11.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.11.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.11.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.11.jar" -jar <myapp.jar>

+ <version>3.4.11</version>

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.11.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.11.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.11.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.11.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.11.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.11.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.11.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.11.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.11.jar>

+ -javaagent:path/to/applicationinsights-agent-3.4.11.jar

+-javaagent:path/to/applicationinsights-agent-3.4.11.jar

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.11.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.11.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.11.jar` is located.

+ <version>3.4.11</version>

+`applicationinsights-agent-3.4.11.jar` is located.

+-javaagent:path/to/applicationinsights-agent-3.4.11.jar

+Download the [applicationinsights-agent-3.4.11.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.11/applicationinsights-agent-3.4.11.jar) file.

+Point the JVM to the jar file by adding `-javaagent:"path/to/applicationinsights-agent-3.4.11.jar"` to your application's JVM args.

+- Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.11.jar` with the following content:

+ <version>3.4.11</version>

+| Configuration access endpoint | The endpoint used to access the configuration service to fetch associated data collection rules (DCRs) for Azure Monitor Agent.<br>Example: `<unique-dce-identifier>.<regionname>-1.handler.control`. |

+| Logs ingestion endpoint | The endpoint used to ingest logs to Log Analytics workspaces.<br>Example: `<unique-dce-identifier>.<regionname>-1.ingest`. |

+Date list was last updated: 04/02/2023.

+|CarnegieInferenceCount |Yes |Inference Count |Count |Total |Inference Count of Carnegie Frontdoor Service |Region, Modality, Category, Language, SeverityLevel, UseCustomList |

+|ApiRequestRouter |Yes |Job Router API Requests |Count |Count |Count of all requests against the Communication Services Job Router endpoint. |OperationName, StatusCode, StatusCodeSubClass, ApiVersion |

+|APIRequestSMS |Yes |SMS API Requests |Count |Count |Count of all requests against the Communication Services SMS endpoint. |Operation, StatusCode, StatusCodeClass, ErrorCode, NumberType, Country, OptAction |

+|PipelineFailedRuns |Yes |Failed pipeline runs metrics |Count |Total |Failed pipeline runs metrics |FailureType, Name |

+|PipelineSucceededRuns |Yes |Succeeded pipeline runs metrics |Count |Total |Succeeded pipeline runs metrics |FailureType, Name |

+|TriggerCancelledRuns |Yes |Cancelled trigger runs metrics |Count |Total |Cancelled trigger runs metrics |Name, FailureType |

+|TriggerFailedRuns |Yes |Failed trigger runs metrics |Count |Total |Failed trigger runs metrics |Name, FailureType |

+|TriggerSucceededRuns |Yes |Succeeded trigger runs metrics |Count |Total |Succeeded trigger runs metrics |Name, FailureType |

+## Microsoft.DocumentDB/mongoClusters

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|CommittedMemoryPercent |No |Committed Memory percent |Percent |Average |Percentage of Commit Memory Limit allocated by applications on node |ServerName |

+|CpuPercent |No |CPU percent |Percent |Average |Percent CPU utilization on node |ServerName |

+|IOPS |Yes |IOPS |Count |Average |Disk IO operations per second on node |ServerName |

+|MemoryPercent |No |Memory percent |Percent |Average |Percent memory utilization on node |ServerName |

+|StoragePercent |No |Storage percent |Percent |Average |Percent of available storage used on node |ServerName |

+|StorageUsed |No |Storage used |Bytes |Average |Quantity of available storage used on node |ServerName |

+|ApiCallReceived_Count |Yes |Request Received |Count |Count |Number of requests received via Log Ingestion API or from the agent |InputStreamId, ResponseCode |

+|RowsDropped_Count |Yes |Rows Dropped |Count |Total |Number of rows dropped while running transformation. |InputStreamId |

+|RowsReceived_Count |Yes |Rows Received |Count |Total |Total number of rows recevied for transformation. |InputStreamId |

+|TransformationRuntime_DurationMs |Yes |Transformation Runtime Duration |MilliSeconds |Average |Total time taken to transform given set of records, measured in milliseconds. |InputStreamId |

+## microsoft.kubernetesconfiguration/extensions

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|AuthAttempt |Yes |Authentication Attempts |Count |Total |Authentication attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|AuthFailure |Yes |Authentication Failures |Count |Total |Authentication failure rate (per minute) |3gppGen, PccpId, SiteId, Result |

+|AuthSuccess |Yes |Authentication Successes |Count |Total |Authentication success rate (per minute) |3gppGen, PccpId, SiteId |

+|ConnectedNodebs |Yes |Connected NodeBs |Count |Total |Number of connected gNodeBs or eNodeBs |3gppGen, PccpId, SiteId |

+|DeRegistrationAttempt |Yes |DeRegistration Attempts |Count |Total |UE deregistration attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|DeRegistrationSuccess |Yes |DeRegistration Successes |Count |Total |UE deregistration success rate (per minute) |3gppGen, PccpId, SiteId |

+|PagingAttempt |Yes |Paging Attempts |Count |Total |Paging attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|PagingFailure |Yes |Paging Failures |Count |Total |Paging failure rate (per minute) |3gppGen, PccpId, SiteId |

+|ProvisionedSubscribers |No |Provisioned Subscribers |Count |Total |Number of provisioned subscribers |PccpId, SiteId |

+|RanSetupFailure |Yes |RAN Setup Failures |Count |Total |RAN setup failure rate (per minute) |3gppGen, PccpId, SiteId, Cause |

+|RanSetupRequest |Yes |RAN Setup Requests |Count |Total |RAN setup reuests rate (per minute) |3gppGen, PccpId, SiteId |

+|RanSetupResponse |Yes |RAN Setup Responses |Count |Total |RAN setup response rate (per minute) |3gppGen, PccpId, SiteId |

+|RegisteredSubscribers |Yes |Registered Subscribers |Count |Total |Number of registered subscribers |3gppGen, PccpId, SiteId |

+|RegisteredSubscribersConnected |Yes |Registered Subscribers Connected |Count |Total |Number of registered and connected subscribers |3gppGen, PccpId, SiteId |

+|RegisteredSubscribersIdle |Yes |Registered Subscribers Idle |Count |Total |Number of registered and idle subscribers |3gppGen, PccpId, SiteId |

+|RegistrationAttempt |Yes |Registration Attempts |Count |Total |Registration attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|RegistrationFailure |Yes |Registration Failures |Count |Total |Registration failure rate (per minute) |3gppGen, PccpId, SiteId, Result |

+|RegistrationSuccess |Yes |Registration Successes |Count |Total |Registration success rate (per minute) |3gppGen, PccpId, SiteId |

+|ServiceRequestAttempt |Yes |Service Request Attempts |Count |Total |Service request attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|ServiceRequestFailure |Yes |Service Request Failures |Count |Total |Service request failure rate (per minute) |3gppGen, PccpId, SiteId, Result, Tai |

+|ServiceRequestSuccess |Yes |Service Request Successes |Count |Total |Service request success rate (per minute) |3gppGen, PccpId, SiteId |

+|SessionEstablishmentAttempt |Yes |Session Establishment Attempts |Count |Total |PDU session establishment attempts rarte (per minute) |3gppGen, PccpId, SiteId |

+|SessionEstablishmentFailure |Yes |Session Establishment Failures |Count |Total |PDU session establishment failure rate (per minute) |3gppGen, PccpId, SiteId |

+|SessionEstablishmentSuccess |Yes |Session Establishment Successes |Count |Total |PDU session establishment success rate (per minute) |3gppGen, PccpId, SiteId |

+|SessionRelease |Yes |Session Releases |Count |Total |Session release rate (per minute) |3gppGen, PccpId, SiteId |

+|UeContextReleaseCommand |Yes |UE Context Release Commands |Count |Total |UE context release command message rate (per minute) |3gppGen, PccpId, SiteId |

+|UeContextReleaseComplete |Yes |UE Context Release Completes |Count |Total |UE context release complete message rate (per minute) |3gppGen, PccpId, SiteId |

+|UeContextReleaseRequest |Yes |UE Context Release Requests |Count |Total |UE context release request message rate (per minute) |3gppGen, PccpId, SiteId |

+|UserPlaneBandwidth |No |User Plane Bandwidth |BitsPerSecond |Total |User plane bandwidth in bits/second. |PcdpId, SiteId, Direction, Interface |

+|UserPlanePacketDropRate |No |User Plane Packet Drop Rate |CountPerSecond |Total |User plane packet drop rate (packets/sec) |PcdpId, SiteId, Cause, Direction, Interface |

+|UserPlanePacketRate |No |User Plane Packet Rate |CountPerSecond |Total |User plane packet rate (packets/sec) |PcdpId, SiteId, Direction, Interface |

+|XnHandoverAttempt |Yes |Xn Handover Attempts |Count |Total |Handover attempts rate (per minute) |3gppGen, PccpId, SiteId |

+|XnHandoverFailure |Yes |Xn Handover Failures |Count |Total |Handover failure rate (per minute) |3gppGen, PccpId, SiteId |

+|XnHandoverSuccess |Yes |Xn Handover Successes |Count |Total |Handover success rate (per minute) |3gppGen, PccpId, SiteId |

+|CacheUtilization |Yes |Cache utilization (deprecated) |Percent |Average |Utilization level in the cluster scope. The metric is deprecated and presented for backward compatibility only, you should use the 'Cache utilization factor' metric instead. |No Dimensions |

+|ExpressRouteGatewayActiveFlows |Yes |Active Flows |Count |Maximum |Number of Active Flows on ExpressRoute Gateway |roleInstance |

+|ExpressRouteGatewayMaxFlowsCreationRate |No |Max Flows Created Per Second |CountPerSecond |Maximum |Maximum Number of Flows Created Per Second on ExpressRoute Gateway |roleInstance, direction |

+|allocated_data_storage |Yes |Data space allocated |Bytes |Average |Data space allocated. Not applicable to hyperscale |No Dimensions |

+|allocated_data_storage_percent |Yes |Data space allocated percent |Percent |Maximum |Data space allocated percent. Not applicable to hyperscale |No Dimensions |

+|app_cpu_billed |Yes |App CPU billed |Count |Total |App CPU billed. Applies to serverless elastic pools. |No Dimensions |

+|app_cpu_percent |Yes |App CPU percentage |Percent |Average |App CPU percentage. Applies to serverless elastic pools. |No Dimensions |

+|app_memory_percent |Yes |App memory percentage |Percent |Average |App memory percentage. Applies to serverless elastic pools. |No Dimensions |

+|storage_limit |Yes |Data max size |Bytes |Average |Data max size. Not applicable to hyperscale |No Dimensions |

+|storage_percent |Yes |Data space used percent |Percent |Average |Data space used percent. Not applicable to hyperscale |No Dimensions |

+|storage_used |Yes |Data space used |Bytes |Average |Data space used. Not applicable to hyperscale |No Dimensions |

+|xtp_storage_percent |Yes |In-Memory OLTP storage percent |Percent |Average |In-Memory OLTP storage percent. Not applicable to hyperscale |No Dimensions |

+|StorageSyncDataSizeByAccessPattern |No |Cache data size by last access time |Bytes |Average |Size of data by last access time |SyncGroupName, ServerName, ServerEndpointName, LastAccessTime |

+|StorageSyncIncrementalTieredDataSizeBytes |Yes |Cloud tiering size of data tiered by last maintenance job |Bytes |Total |Size of data tiered during last maintenance job |SyncGroupName, ServerName, ServerEndpointName, TieringReason |

+|StorageSyncTieredDataSizeBytes |Yes |Cloud tiering size of data tiered |Bytes |Average |Size of data tiered to Azure file share |SyncGroupName, ServerName, ServerEndpointName |

+<!--Gen Date: Sun Apr 02 2023 09:56:30 GMT+0300 (Israel Daylight Time)-->

+Assign the *Monitoring Data Reader* role your app so it can query data from your Azure Monitor workspace.

+--data-urlencode 'resource=https://prometheus.monitor.azure.com'

+|AppEnvSpringAppConsoleLogs |Spring App console logs |Yes |

+|JobRouterOperational |Operational Job Router Logs |Yes |

+## Microsoft.DataProtection/BackupVaults

+<!-- Data source : naam-->

+|Category|Category Display Name|Costs To Export|

+||||

+|AddonAzureBackupJobs |Addon Azure Backup Job Data |Yes |

+|AddonAzureBackupPolicy |Addon Azure Backup Policy Data |Yes |

+|AddonAzureBackupProtectedInstance |Addon Azure Backup Protected Instance Data |Yes |

+|CoreAzureBackup |Core Azure Backup Data |Yes |

+|PostgreSQLFlexDatabaseXacts |PostgreSQL remaining transactions |Yes |

+|PostgreSQLFlexQueryStoreRuntime |PostgreSQL Query Store Runtime |Yes |

+|PostgreSQLFlexQueryStoreWaitStats |PostgreSQL Query Store Wait Statistics |Yes |

+|PostgreSQLFlexSessions |PostgreSQL Sessions data |Yes |

+|PostgreSQLFlexTableStats |PostgreSQL Autovacuum and schema statistics |Yes |

+|ASRReplicatedItems |Azure Site Recovery Replicated Items Details |Yes |

+<!--Gen Date: Sun Apr 02 2023 09:56:30 GMT+0300 (Israel Daylight Time)-->

+ | Kubernetes services | [AKSAudit](/azure/azure-monitor/reference/tables/AKSAudit)<br>[AKSAuditAdmin](/azure/azure-monitor/reference/tables/AKSAuditAdmin)<br>[AKSControlPlane](/azure/azure-monitor/reference/tables/AKSControlPlane) |

+ Title: Migration of custom fields to KQL-based transformations in Azure Monitor

+description: Learn how to migrate custom fields in a Log Analytics workspace in Azure Monitor with KQL-based custom columns using transformations.

+# Tutorial: Replace custom fields in Log Analytics workspace with KQL-based custom columns

+Custom fields is a feature of Azure Monitor that allows you to extract into a separate column data from a different text column of the same table. Creation of new custom fields will be disabled starting March 31st, 2023. Custom fields functionality will be deprecated and existing custom fields will stop functioning on March 31st, 2026.

+There are several advantages to using DCR-based [ingestion-time transformations](../essentials/data-collection-transformations.md) to accomplish the same result:

+- You can apply full set of [string functions](/azure/data-explorer/kusto/query/scalarfunctions#string-functions) to shape your custom columns.

+- You can apply multiple operations to the same data. For example, extract a portion of a value to a separate column and remove the original column.

+- You can use ingestion-time transformations in your ARM templates to deploy custom columns at scale.

+With the introduction of [data collection rules (DCR)](../essentials/data-collection-rule-overview.md), KQL-based transformations are the standard method of table customization, replacing legacy custom fields.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Locate custom fields that require replacement

+> * Understand the content of the custom fields

+> * Setup ingestion-time transformation to replace custom fields within the table

+## Prerequisites

+- Log Analytics workspace with a table containing custom fields

+- Sufficient account privilege to create and modify data collection rules (DCR)

+## Locate custom fields for replacement

+Start by locating custom fields to replace. If you already know the custom fields you plan to replace, proceed to the next step.

+1. Navigate to the Log Analytics workspace where the table with custom fields is located.

+2. In the side menu, select **Tables**. Select **Manage table** from the context menu for the table.

+ :::image type="content" source="media/custom-fields-migrate/manage-table.png" alt-text="Screenshot showing the manage table option for a table in a Log Analytics workspace" lightbox="media/custom-fields-migrate/manage-table.png":::

+1. Note if any data collection rules (DCRs) are associated with given table.

+

+ - If any DCRs are present in corresponding section, it means that any pre-existing custom fields were either already implemented within these DCRs, or abandoned upon DCR creation. You're going to examine the content of custom fields on the next step of this tutorial and determine whether more updates to DCRs needed.

+ - If there are no data collection rules associated with the table, then all columns in given table with names ending with "_CF" will be custom fields subject to replacement.

+ :::image type="content" source="media/custom-fields-migrate/manage-table-details.png" alt-text="Screenshot showing the properties of a table including data collection rules associated with the table" lightbox="media/custom-fields-migrate/manage-table-details.png":::

+2. Close the table properties dialog and select **Edit schema** from the table context menu. Scroll to the bottom of page where custom columns are listed. These columns end with *_CF*.

+ :::image type="content" source="media/custom-fields-migrate/custom-columns.png" alt-text="Screenshot showing the column listing for a table including any custom columns" lightbox="media/custom-fields-migrate/custom-columns.png":::

+1. Note the names of these columns since you'll determine their content in the next step.

+## Understand custom field content

+Since there is no way to examine the custom field definition directly, you need to query the table to determine the custom field formula.

+1. Select **Logs** in the side menu and run a query to get a sample of data from the table.

+ :::image type="content" source="media/custom-fields-migrate/log-analytics-sample-data.png" alt-text="Screenshot of Log Analytics with query returning sample data" lightbox="media/custom-fields-migrate/log-analytics-sample-data.png":::

+1. Locate the columns noted in the previous step and examine their content.

+ - If the column *is not empty* and *there are DCRs* associated with the table, then custom field logic has been already implemented with transformation. No action is required

+ - If the column *is empty* (or not present in query results) and *there are DCRs* associated with the table, the custom field logic was not implemented with the DCR. Add a transformation to the dataflow in the existing DCR.

+ - If the column *is not empty* and *there are no DCRs* associated with the table, the custom field logic needs to implemented as a transformation in the [workspace DCR](../essentials/data-collection-transformations.md#workspace-transformation-dcr).

+1. Examine the content of the custom field and determine the logic how it's being calculated. Custom fields usually calculate substrings of other columns in the same table. Determine which column the data comes from and the portion of the string it extracts.

+## Create transformation

+You're now ready to create the required KQL snippet and add it to a DCR. This logic is applied to each record as it's ingested into the workspace.

+1. Modify the query for the table using KQL to replicate the custom field logic. If you have multiple custom fields to replace, you may combine their calculation logic into a single statement.

+ - Use [parse](/azure/data-explorer/kusto/query/parseoperator) operator for pattern-based search of a substring within a string.

+ - Use [extract()](/azure/data-explorer/kusto/query/extractfunction) function for regex-based substring search.

+ - String functions as [split()](/azure/data-explorer/kusto/query/splitfunction), [substring()](/azure/data-explorer/kusto/query/substringfunction) and [many others](/azure/data-explorer/kusto/query/scalarfunctions#string-functions) may also be useful.

+ :::image type="content" source="media/custom-fields-migrate/log-analytics-transformation-query.png" alt-text="Screenshot of Log Analytics with query returning data using transformation query" lightbox="media/custom-fields-migrate/log-analytics-transformation-query.png":::

+2. Determine where your new KQL definition of the custom column needs to be placed.

+

+ - For logs collected using [Azure Monitor Agent (AMA)](../agents/agents-overview.md), [edit the DCR](../essentials/data-collection-rule-edit.md) collecting data for the table, adding a transformation. For an example, see [Samples](../essentials/data-collection-transformations.md#samples). The transformation query is defined in the `transformKql` element.

+ - For resource logs collected with [diagnostic settings](../essentials/diagnostic-settings.md), add the transformation to the [workspace default DCR](../essentials/data-collection-transformations.md#workspace-transformation-dcr). The table must [support transformations](../logs/tables-feature-support.md).

+## Frequently Asked Questions

+### How do I migrate custom fields for a text log collected with legacy Log Analytics agent (MMA)?

+Consider migrating to Azure Monitor Agent (AMA). Log Analytics agent is approaching its end of support, and you should migrate to Azure Monitor Agent (AMA). [Text logs collected with AMA](../agents/data-collection-text-log.md) use log parsing logic defined in form of KQL transformations from the start. Custom fields are not required and not supported in text logs collected by Azure Monitor Agent.

+### Is migration of custom fields to KQL mandatory?

+No. You need to migrate your custom fields only if you still want your custom columns populated. If you don't migrate your custom fields, corresponding columns will stop being populated when support of custom fields is ended. Data that has been already processed and stored in the table will not be affected and will remain usable.

+### Will I lose my existing data in corresponding columns if I don't migrate my custom fields in time?

+No. Custom fields are calculated at the time of data ingestion. Deleting the field definition or not migrating them in time will not affect any data previously ingested.

+## Next steps

+- [Read more about transformations in Azure Monitor.](../essentials/data-collection-transformations.md)

+ Title: Custom fields in Azure Monitor (Preview)

+> Creation of new custom fields will be disabled starting March 31, 2023. Custom fields functionality will be deprecated, and existing custom fields will stop functioning by March 31, 2026. You should [migrate to ingestion-time transformations](custom-fields-migrate.md) to keep parsing your log records.

+>

+> Currently, when you add a new custom field, it may take up to 7 days before data starts appearing.

+The retention period of collected data stored in the database depends on the selected pricing plan. For the *Free* tier, collected data is available for seven days. For the *Paid* tier, collected data is available for 31 days by default, but can be extended to 730 days. Data is stored encrypted at rest in Azure storage, to ensure data confidentiality, and the data is replicated within the local region using locally redundant storage (LRS), or zone-redundant storage (ZRS) in [supported regions](../logs/availability-zones.md). The last two weeks of data are also stored in SSD-based cache and this cache is encrypted.

+* To create a volume using customer-managed keys, you must select the *Standard* network features. You can't use customer-managed key volumes with volume configured using Basic network features. Follow instructions in to [Set the Network Features option](configure-network-features.md#set-the-network-features-option) in the volume creation page.

+* Switching from user-assigned identity to the system-assigned identity isn't currently supported.

+1. After selecting **Save** button, you'll receive a notification communicating the status of the operation. If the operation was not successful, an error message displays. Refer to [error messages and troubleshooting](#error-messages-and-troubleshooting) for assistance in resolving the error.

+ - [Multiple backups per day for Azure VMs is now generally available](#multiple-backups-per-day-for-azure-vms-is-now-generally-available)

+Azure Backup now enables you to create a backup policy to take multiple backups a day. With this capability, you can also define the duration in which your backup jobs would trigger and align your backup schedule with the working hours when there are frequent updates to Azure Virtual Machines.

+For more information, see [Back up an Azure VM using Enhanced policy](backup-azure-vms-enhanced-policy.md).

+ :::image type="content" source="../media/how-to/copy-model-1.png" alt-text="Screenshot illustrating the copy model dialog window.":::

+ > [!Note]

+ >

+ > A dropdown list displays the list of workspaces available to use. Otherwise, select **Create a new workspace**.

+ >

+ > If selected workspace contains a project for the same language pair, it can be selected from the Project dropdown list, otherwise, select **Create a new project** to create one.

+1. Select **Copy model**.

+1. A notification panel shows the copy progress. The process should complete fairly quickly:

+ :::image type="content" source="../media/how-to/copy-model-2.png" alt-text="Screenshot illustrating notification that the copy model is in process.":::

+ :::image type="content" source="../media/how-to/copy-model-3.png" alt-text="Screenshot illustrating the copy complete dialog window.":::

+ The price is based on number of messages sent to the recipient and amount of data transferred to each recipient which includes headers, message content (including text and images), and attachments. Messages can be sent to one or more recipients.

+Your Azure account has a set of limitation on the number of email messages that you can send. For all the developers email sending is limited to 30 mails per minute, 100 mails in an hour. This sandbox setup is to help developers to start building the application and gradually you can request to increase the sending volume as soon as the application is ready to go live. Submit a support request to increase your sending limit.

+|Send Email|Per Subscription|1|30|

+|Send Email|Per Subscription|60|100|

+|Get Email Status|Per Subscription|1|60|

+|Get Email Status|Per Subscription|60|200|

+## Access your email operation ID

+When troubleshooting send email or email message status requests, you may be asked to provide an `operation ID`. This can be accessed in the response:

+var emailSendOperation = await emailClient.SendAsync(

+ wait: WaitUntil.Completed,

+ senderAddress: sender,

+ recipientAddress: recipient,

+ subject: subject,

+ htmlContent: htmlContent);

+/// Get the OperationId so that it can be used for tracking the message for troubleshooting

+Console.WriteLine($"Email operation id = {emailSendOperation.Id}");

+ :::image type="content" source="./media/email-domains-custom-verified.png" alt-text="Screenshot that shows the custom domain is verified." lightbox="media/email-domains-custom-verified-expanded.png":::

+ :::image type="content" source="./media/email-domains-connected.png" alt-text="Screenshot that shows one of the verified email domains is now connected." lightbox="media/email-domains-connected-expanded.png":::

+Billing in Azure Container apps is based on your [plan type](plans.md).

+| Plan type | Description |

+|--|--|

+| [Consumption](#consumption-plan) | Serverless environment where you're only billed for the resources your apps use when they're running. |

+| [Consumption + Dedicated workload profiles plan structure](#consumption-dedicated) | A fully managed environment that supports both Consumption-based apps and Dedicated workload profiles that offer customized compute options for your apps. You're billed for each node in each [workload profile](workload-profiles-overview.md).

+Charges apply to resources allocated to each running replica. |

+## Consumption plan

+Azure Container Apps consumption plan billing consists of two types of charges:

+### Resource consumption charges

+#### No replicas are running

+#### Minimum number of replicas are running

+Idle usage charges may apply when a revision is running under a specific set of circumstances. To be eligible for idle charges, a revision must be:

+- Configured with a [minimum replica count](scale-app.md) greater than zero

+- Scaled to the minimum replica count

+When a replica is idle, resource consumption charges are calculated at the reduced idle rates. When a replica isn't idle, the active rates apply.

+#### More than the minimum number of replicas are running

+### Request charges

+<a id="consumption-dedicated"></a>

+## Consumption + Dedicated workload profiles plan structure (preview)

+Azure Container Apps Consumption + Dedicated plan structure consists of two plans withing a single environment, each with their own billing model.

+The billing for apps running in the Consumption plan within the Consumption + Dedicated plan structure is the same as the Consumption plan.

+The billing for apps running in the Dedicated plan within the Consumption + Dedicated plan structure is as follows:

+- **Dedicated workload profiles**: You're billed on a per-second basis for vCPU-seconds and GiB-seconds resources in all the workload profile instances in use. As profiles scale out, extra costs apply for the extra instances; as profiles scale in, billing is reduced.

+- **Dedicated plan management**: You're billed a fixed cost for the Dedicated management plan when using Dedicated workload profiles. This cost is the same regardless of how many Dedicated workload profiles in use.

+For instance, you are not billed any charges for Dedicated unless you use a Dedicated workload profile in your environment.

+

+For pricing details in your account's currency, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).

+For best results, maximize the use of your allocated resources by calculating the needs of your container apps. Often you can run multiple apps on a single instance of a workload profile.

+- Changes to the `template` configuration section trigger a new [container app revision](application-lifecycle-management.md).

+| `resources.cpu` | The number of CPUs allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>ΓÇó greater than zero<br>ΓÇó less than or equal to 2<br>ΓÇó can be any decimal number (with a max of two decimal places)<br><br> For example, `1.25` is valid, but `1.555` is invalid.<br> The default is 0.25 CPU per container.<br><br>When using the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply except CPU must be less than or equal to 4.<br><br>When using a Dedicated workload profile in the Consumption + Dedicated plan structure, the maximum CPU must be less than or equal to the number of cores available in the profile. |

+| `resources.memory` | The amount of RAM allocated to the container. | With the Consumption plan, values must adhere to the following rules:<br><br>ΓÇó greater than zero<br>ΓÇó less than or equal to `4Gi`<br>ΓÇó can be any decimal number (with a max of two decimal places)<br><br>For example, `1.25Gi` is valid, but `1.555Gi` is invalid.<br>The default is `0.5Gi` per container.<br><br>When using the Consumption workload profile in the Consumption + Dedicated plan structure, the same rules apply except memory must be less than or equal to `8Gi`.<br><br>When using a dedicated workload profile in the Consumption + Dedicated plan structure, the maximum memory must be less than or equal to the amount of memory available in the profile. |

+In the Consumption plan, the total CPU and memory allocations requested for all the containers in a container app must add up to one of the following combinations.

+Alternatively, the Consumption workload profile in the Consumption + Dedicated plan structure, the total CPU and memory allocations requested for all the containers in a container app must add up to one of the following combinations.

+| vCPUs (cores) | Memory |

+|||

+| `0.25` | `0.5Gi` |

+| `0.5` | `1.0Gi` |

+| `0.75` | `1.5Gi` |

+| `1.0` | `2.0Gi` |

+| `1.25` | `2.5Gi` |

+| `1.5` | `3.0Gi` |

+| `1.75` | `3.5Gi` |

+| `2.0` | `4.0Gi` |

+| `2.25` | `4.5Gi` |

+| `2.5` | `5.0Gi` |

+| `2.75` | `5.5Gi` |

+| `3.0` | `6.0Gi` |

+| `3.25` | `6.5Gi` |

+| `3.5` | `7.0Gi` |

+| `3.75` | `7.5Gi` |

+| `4.0` | `8.0Gi` |

+When you use a Dedicated workload profile in the Consumption + Dedicated plan structure, the total CPU and memory allocations requested for all the containers in a container app must be less than or equal to the cores and memory available in the profile.

+Azure Container Apps has two different pricing structures.

+- If you're using the Consumption only plan, or only the Consumption workload profile in the Consumption + Dedicated plan structure then billing is relevant only to individual container apps and their resource usage. There's no cost associated with the Container Apps environment.

+- If you're using any Dedicated workload profiles in the Consumption + Dedicated plan structure, there's a fixed cost for the Dedicated plan management. This cost is for the entire environment regardless of how many Dedicated workload profiles you're using.

+# Securing a custom VNET in Azure Container Apps with Network Security Groups

+You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container Apps environment at the subscription level.

+In the workload profiles architecture, user-defined routes (UDRs) and securing outbound traffic with a firewall are supported. Learn more in the [networking concepts document](./networking.md#user-defined-routes-udrpreview).

+In the Consumption only architecture, custom user-defined routes (UDRs) and ExpressRoutes aren't supported.

+> The subnet associated with a Container App Environment on the Consumption only architecture requires a CIDR prefix of `/23` or larger. On the workload profiles architecture (preview), a `/27` or larger is required.

+### Outbound with service tags

+The following service tags are required when using NSGs on the Consumption only architecture:

+The following service tags are required when using NSGs on the workload profiles architecture:

+>[!Note]

+> If you are using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Container Apps to pull images through the virtual network.

+| Protocol | Port | Service Tag | Description

+|--|--|--|--|

+| TCP | `443` | `MicrosoftContainerRegistry` | This is the service tag for container registry for microsoft containers. |

+| TCP | `443` | `AzureFrontDoor.FirstParty` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |

+The following IP rules are required when using NSGs on both the Consumption only architecture and the workload profiles architecture:

+- If you're running HTTP servers, you might need to add ports `80` and `443`.

+- **None**: You can disable the storage of log data. When disabled, you can still view real-time container logs via the **Logs stream** feature in your container app. For more information, see [Log streaming](log-streaming.md).

+> [!NOTE]

+> Azure Monitor is not currently supported in the Consumption + Dedicated plan structure.

+1. If you have selected **Azure Monitor** as your logs destination, you must configure **Diagnostic settings**. The **Diagnostic settings** item appears below the **Logging options** menu item.

+Azure Container Apps run in the context of an [environment](environment.md), which is supported by a virtual network (VNet). By default, your Container App Environment is created with a VNet that is automatically generated for you. Generated VNets are inaccessible to you as they're created in Microsoft's tenant. This VNet is publicly accessible over the internet, can only reach internet accessible endpoints, and supports a limited subset of networking capabilities such as ingress IP restrictions and container app level ingress controls.

+Use the Custom VNet configuration to provide your own VNet if you need more Azure networking features such as:

+- Integration with Application Gateway

+- Network Security Groups

+- Communicating with resources behind private endpoints in your virtual network

+The features available depend on your architecture selection.

+## Architecture Selection

+There are two architectures in Container Apps: the Consumption only architecture supports only the [Consumption plan (GA)](./plans.md) and the workload profiles architecture that supports both the [Consumption + Dedicated plan structure (preview)](./plans.md). The two architectures share many of the same networking characteristics. However, there are some key differences.

+| Architecture Type | Description |

+|--|-|

+| Workload profiles architecture (preview) | Supports UDR and egress through NAT Gateway. The minimum required subnet size is /27. |

+| Consumption only architecture | Doesn't support user defined routes (UDRs) and egress through NAT Gateway. The minimum required subnet size is /23. |

+## Accessibility Levels

+In Container Apps, you can configure whether your container app allows public ingress or only ingress from within your VNet at the environment level.

+||-|

+| [Internal](vnet-custom-internal.md) | When set to internal, the environment has no public endpoint. Internal environments are deployed with a virtual IP (VIP) mapped to an internal IP address. The internal endpoint is an Azure internal load balancer (ILB) and IP addresses are issued from the custom VNet's list of private IP addresses. |

+## Custom VNet configuration

+As you create a custom VNet, keep in mind the following situations:

+- When you provide your own VNet, you need to provide a subnet that is dedicated to the Container App environment you deploy. This subnet isn't available to other services.

+- Network addresses are assigned from a subnet range you define as the environment is created.

+ - You can restrict inbound requests to the environment exclusively to the VNet by deploying the environment as [internal](vnet-custom-internal.md).

+> Moving VNets among different resource groups or subscriptions is not supported if the VNet is in use by a Container Apps environment.

+| Outbound public IP | Used as the "from" IP for outbound connections that leave the virtual network. These connections aren't routed down a VPN. Outbound IPs aren't guaranteed and may change over time. Using a NAT gateway or other proxy for outbound traffic from a Container App environment is only supported on the workload profile architecture. |

+## Subnet

+Virtual network integration depends on a dedicated subnet. How IP addresses are allocated in a subnet and what subnet sizes are supported depends on which plan you're using in Azure Container Apps. Selecting an appropriately sized subnet for the scale of your Container Apps is important as subnet sizes can't be modified post creation in Azure.

+- Consumption only architecture:

+ - /23 is the minimum subnet size required for virtual network integration.

+ - Container Apps reserves a minimum of 60 IPs for infrastructure in your VNet, and the amount may increase up to 256 addresses as your container environment scales.

+ - As your app scales, a new IP address is allocated for each new replica.

+- Workload profiles architecture:

+ - /27 is the minimum subnet size required for virtual network integration.

+ - The subnet you're integrating your container app with must be delegated to `Microsoft.App/environments`.

+ - 11 IP addresses are automatically reserved for integration with the subnet. When your apps are running on workload profiles, the number of IP addresses required for infrastructure integration doesn't vary based on the scale of your container apps.

+ - More IP addresses are allocated depending on your Container App's workload profile:

+ - When you're using Consumption workload profiles for your container app, IP address assignment behaves the same as when running on the Consumption only architecture. As your app scales, a new IP address is allocated for each new replica.

+ - When you're using the Dedicated workload profile for your container app, each node has 1 IP address assigned.

+As a Container Apps environment is created, you provide resource IDs for a single subnet.

+If you're using the CLI, the parameter to define the subnet resource ID is `infrastructure-subnet-resource-id`. The subnet hosts infrastructure components and user app containers.

+### Subnet Address Range Restrictions

+Subnet address ranges can't overlap with the following ranges reserved by AKS:

+In addition, Container Apps on the workload profiles architecture reserve the following addresses:

+- 100.100.0.0/17

+- 100.100.128.0/19

+- 100.100.160.0/19

+- 100.100.192.0/19

+User Defined Routes (UDR) and controlled egress through NAT Gateway are supported in the workload profiles architecture, which is in preview. In the Consumption only architecture, these features aren't supported.

+### User defined routes (UDR) - preview

+You can use UDR on the workload profiles architecture to restrict outbound traffic from your container app through Azure Firewall or other network appliances. Configuring UDR is done outside of the Container Apps environment scope.

+Important notes for configuring UDR with Azure Firewall:

+- You need to allow the `MicrosoftContainerRegistry` and its dependency `AzureFrontDoor.FirstParty` service tags to your Azure Firewall. Alternatively, you can add the following FQDNs: *mcr.microsoft.com* and **.data.mcr.microsoft.com*.

+- If you're using Azure Container Registry (ACR), you need to add the `AzureContainerRegistry` service tag and the **.blob.core.windows.net* FQDN in the Azure Firewall.

+- If you're using [Docker Hub registry](https://docs.docker.com/desktop/allow-list/) and want to access it through the firewall, you need to add the following FQDNs to your firewall: *hub.docker.com*, *registry-1.docker.io*, and *production.cloudflare.docker.com*.

+- External environments aren't supported.

+Azure creates a default route table for your virtual networks upon create. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. For example, you can create a UDR that routes all traffic to the firewall. For a guide on how to setup UDR with Container Apps to restrict outbound traffic with Azure Firewall, visit the [how to for Container Apps and Azure Firewall](./user-defined-routes.md).

+### NAT gateway integration - preview

+You can use NAT Gateway to simplify outbound connectivity for your outbound internet traffic in your virtual network on the workload profiles architecture. NAT Gateway is used to provide a static public IP address, so when you configure NAT Gateway on your Container Apps subnet, all outbound traffic from your container app is routed through the NAT Gateway's static public IP address.

+### Lock down your Container App environment

+With the workload profiles architecture (preview), you can fully secure your ingress/egress networking traffic. To do so, you should use the following features:

+- Create your internal container app environment on the workload profiles architecture. For steps, see [here](./workload-profiles-manage-cli.md).

+- Integrate your Container Apps with an Application Gateway. For steps, see [here](./waf-app-gateway.md).

+- Configure UDR to route all traffic through Azure Firewall. For steps, see [here](./user-defined-routes.md).

+- **Custom DNS**: If your VNet uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. [Azure recursive resolvers](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) uses this IP address to resolve requests. If you don't use the Azure recursive resolvers, the Container Apps environment can't function.

+- **VNet-scope ingress**: If you plan to use VNet-scope [ingress](ingress-overview.md) in an internal Container Apps environment, configure your domains in one of the following ways:

+When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. The resource group name can be configured during container app environment creation. In addition to the [Azure Container Apps billing](./billing.md), you're billed for:

+- [**Use the Azure CLI extension, Azure portal or ARM templates**](get-started.md) to manage your applications.

+- [**Enable HTTPS or TCP ingress**](ingress.md) without having to manage other Azure infrastructure.

+- [**Build microservices with Dapr**](microservices.md) and [access its rich set of APIs](./dapr-overview.md).

+- [**Use specialized hardware**](plans.md) for access to increased compute resources.

+ Title: Azure Container Apps plan types

+description: Compare different plains available in Azure Container Apps

+# Azure Container Apps plan types

+Azure Container Apps features two different plan types.

+| Plan type | Description | In Preview |

+|--|--|--|

+| [Consumption](#consumption-plan) | Serverless environment with support for scale-to-zero and pay only for resources your apps use. | No |

+| [Consumption + Dedicated plan structures (preview)](#consumption-dedicated) | Fully managed environment with support for scale-to-zero and pay only for resources your apps use. Optionally, run apps with customized hardware and increased cost predictability using Dedicated workload profiles. | Yes |

+## Consumption plan

+The Consumption plan features a serverless architecture that allows your applications to scale in and out on demand. Applications can scale to zero, and you only pay for running apps.

+Use the Consumption plan when you don't have specific hardware requirements for your container app.

+<a id="consumption-dedicated"></a>

+## Consumption + Dedicated plan structure (preview)

+The Consumption + Dedicated plan structure consists of a serverless plan that allows your applications to scale in and out on demand. Applications can scale to zero, and you only pay for running apps. It also consists of a fully managed plan you can optionally use that provides dedicated, customized hardware to run your apps on.

+You can select from general purpose and memory optimized [workflow profiles](workload-profiles-overview.md) that provide larger amounts of CPU and memory. You pay per node, versus per app, and workload profile can scale in and out as demand changes.

+Use the Consumption + Dedicated plan structure when you need any of the following in a single environment:

+- **Consumption usage**: Use of the Consumption plan to run apps that need to scale to zero that don't have specific hardware requirements.

+- **Secure outbound traffic**: You can create environments with no public inbound access, and customize the outbound network path from environments to use firewalls or other network appliances.

+Use the Dedicated plan within the Consumption + Dedicated plan structure when you need any of the following features:

+- **Environment isolation**: Use of the Dedicated workload profiles provides apps with dedicated hardware with a single tenant guarantee.

+- **Customized compute**: Select from many types and sizes of Dedicated workload profiles based on your apps requirements. You can deploy many apps to each workload profile. Each workload profile can scale independently as more apps are added or removed or as apps scale their replicas up or down.

+- **Cost control**: Traditional serverless compute options optimize for scale in response to events and may not provide cost control options. With Dedicated workload profiles, you can set minimum and maximum scaling to help you better control costs.

+ The Consumption + Dedicated plan structure can be more cost effective when you're running higher scale deployments with steady throughput.

+> [!NOTE]

+> When configuring your cluster with a user defined route for egress, you must explicitly send egress traffic to a network virtual appliance such as Azure Firewall.

+## Next steps

+Deploy an app with:

+- [Consumption plan](quickstart-portal.md)

+- [Consumption + Dedicated plan structure](workload-profiles-manage-cli.md)

+The *Is Configurable* column in the following tables denotes a feature maximum may be increased through a [support request](https://azure.microsoft.com/support/create-ticket/). For more information, see [how to request a limit increase](faq.yml#how-can-i-request-a-quota-increase-).

+| Feature | Scope | Default | Is Configurable | Remarks |

+| Container Apps | Environment | Unlimited | n/a | |

+## Consumption plan

+| Feature | Scope | Default | Is Configurable | Remarks |

+|--|--|--|--|--|

+| Cores | Replica | 2 | No | Maximum number of cores available to a revision replica. |

+## Consumption + Dedicated plan structure

+### Consumption workload profile

+| Feature | Scope | Default | Is Configurable | Remarks |

+|--|--|--|--|--|

+| Cores | Replica | 4 | No | Maximum number of cores available to a revision replica. |

+| Cores | Environment | 100 | Yes | Maximum number of cores the Consumption workload profile in a Consumption + Dedicated plan structure environment can accommodate. Calculated by the sum of cores requested by each active replica of all revisions in an environment. |

+### Dedicated workload profiles

+| Feature | Scope | Default | Is Configurable | Remarks |

+|--|--|--|--|--|

+| Cores | Replica | Up to maximum cores a workload profile supports | No | Maximum number of cores available to a revision replica. |

+| Cores | Environment | 100 | Yes | Maximum number of cores all Dedicated workload profiles in a Consumption + Dedicated plan structure environment can accommodate. Calculated by the sum of cores available in each node of all workload profile in a Consumption + Dedicated plan structure environment. |

+For more information regarding quotas, see the [Quotas roadmap](https://github.com/microsoft/azure-container-apps/issues/503) in the Azure Container Apps GitHub repository.

+# Session Affinity in Azure Container Apps (preview)

+>

+> This feature is in public preview.

+ Title: Container Apps outbound traffic control with Azure Firewall

+description: Use Azure Firewall to route outbound traffic from Container Apps to the internet, private IP addresses, and Azure services.

+# Control outbound traffic with user defined routes (preview)

+>[!Note]

+> This feature is in preview and is only supported for the workload profiles architecture. User defined routes only work with an internal Azure Container Apps environment.

+This article shows you how to use user defined routes (UDR) with [Azure Firewall](../firewall/overview.md) to lock down outbound traffic from your Container Apps to back-end Azure resources or other network resources.

+Azure creates a default route table for your virtual networks on create. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In this guide, you'll setup UDR on the Container Apps virtual network to restrict outbound traffic with Azure Firewall.

+You can also use a NAT gateway or any other 3rd party appliances instead of Azure Firewall.

+For more information on networking concepts in Container Apps, see [Networking Architecture in Azure Container Apps](./networking.md).

+## Prerequisites

+* An **internal** container app environment on the workload profiles architecture that's integrated with a custom virtual network. When you create an internal container app environment, your container app environment has no public IP addresses, and all traffic is routed through the virtual network. For more information, see the [guide for how to create a container app environment on the workload profiles architecture](./workload-profiles-manage-cli.md). Ensure that you're creating an **internal** environment.

+* In your container app, have a container that supports `curl` commands. You can use `curl` to verify the container app is deployed correctly. The *helloworld* container from the sample container image already supports `curl` commands.

+## Create the firewall subnet

+A subnet called **AzureFirewallSubnet** is required in order to deploy a firewall into the integrated virtual network.

+1. In the [Azure portal](https://portal.azure.com), navigate to the virtual network that's integrated with your app.

+1. From the menu on the left, select **Subnets**, then select **+ Subnet**.

+1. Enter the following values:

+ | Setting | Action |

+ | | - |

+ | **Name** | Enter **AzureFirewallSubnet**. |

+ | **Subnet address range** | Use the default or specify a [subnet range /26 or larger](../firewall/firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).

+1. Select **Save**

+## Deploy the firewall

+1. On the Azure portal menu or the **Home** page, select **Create a resource**.

+1. Search for *Firewall*.

+1. Select **Firewall**.

+1. Select **Create**.

+1. On the *Create a Firewall* page, configure the firewall with the following settings.

+ | Setting | Action |

+ |--|--|

+ | **Resource group** | Enter the same resource group as the integrated virtual network. |

+ | **Name** | Enter a name of your choice |

+ | **Region** | Select the same region as the integrated virtual network. |

+ | **Firewall policy** | Create one by selecting **Add new**. |

+ | **Virtual network** | Select the integrated virtual network. |

+ | **Public IP address** | Select an existing address or create one by selecting **Add new**. |

+1. Select **Review + create**. After validation finishes, select **Create**. The validation step may take a few minutes to complete.

+1. Once the deployment completes, select **Go to Resource**.

+1. In the firewall's **Overview** page, copy the **Firewall private IP**. This IP address is used as the next hop address when creating the routing rule for the virtual network.

+## Route all traffic to the firewall

+Your virtual networks in Azure have default route tables in place upon create. By implementing a user-defined route table, you can control how traffic is routed within your virtual network. In the following steps, you create a UDR to route all traffic to your Azure Firewall.

+1. On the Azure portal menu or the *Home* page, select **Create a resource**.

+1. Search for **Route tables**.

+1. Select **Route Tables**.

+1. Select **Create**.

+1. Enter the following values:

+ | Setting | Action |

+ | | - |

+ | **Region** | Select the region as your virtual network. |

+ | **Name** | Enter a name. |

+ | **Propagate gateway routes** | Select **No** |

+1. Select **Review + create**. After validation finishes, select **Create**.

+1. Once the deployment completes, select **Go to Resource**.

+1. From the menu on the left, select **Routes**, then select **Add** to create a new route table

+1. Configure the route table with the following settings:

+ | Setting | Action |

+ |--|--|

+ | **Address prefix** | Enter *0.0.0.0/0* |

+ | **Next hop type** | Select *Virtual appliance* |

+ | **Next hop address** | Enter the *Firewall Private IP* you saved in [Deploy the firewall](#deploy-the-firewall).

+1. Select **Add** to create the route.

+1. From the menu on the left, select **Subnets**, then select **Associate** to associate your route table with the subnet your Container App is integrated with.

+1. Configure the *Associate subnet* with the following values:

+ | Setting | Action |

+ |--|--|

+ | **Address prefix** | Select the virtual network your container app is integrated with |

+ | **Next hop type** | Select the subnet your container app is integrated with |

+1. Select **OK**.

+## Configure firewall policies

+Now, all outbound traffic from your container app is routed to the firewall. Currently, the firewall still allows all outbound traffic through. In order to manage what outbound traffic is allowed or denied, you need to configure firewall policies.

+1. In your *Azure Firewall* resource on the *Overview* page, select **Firewall policy**

+1. From the menu on the left of the firewall policy page, select **Application Rules**.

+1. Select **Add a rule collection**.

+1. Enter the following values for the **Rule Collection**:

+ | Setting | Action |

+ | | - |

+ | **Name** | Enter a collection name |

+ | **Rule collection type** | Select *Application* |

+ | **Priority** | Enter the priority such as 110 |

+ | **Rule collection action** | Select *Allow* |

+ | **Rule collection group** | Select *DefaultApplicationRuleCollectionGroup* |

+1. Under **Rules**, enter the following values

+ | Setting | Action |

+ | | - |

+ | **Name** | Enter a name for the rule |

+ | **Source type** | Select *IP Address* |

+ | **Source** | Enter **\*** |

+ | **Protocol** | Enter *http:80,https:443* |

+ | **Destination Type** | Select **FQDN**. |

+ | **Destination** | Enter `mcr.microsoft.com`,`*.data.mcr.microsoft.com`. If you're using ACR, add your *ACR address* and `*.blob.core.windows.net`. |

+ | **Action** | Select *Allow* |

+ >[!Note]

+ > If you are using [Docker Hub registry](https://docs.docker.com/desktop/allow-list/) and want to access it through your firewall, you will need to add the following FQDNs to your rules destination list above: *hub.docker.com*, *registry-1.docker.io*, and *production.cloudflare.docker.com*.

+1. Select **Add**.

+## Verify your firewall is blocking outbound traffic

+To verify your firewall configuration is set up correctly, you can use the `curl` command from your app's debugging console.

+1. Navigate to your Container App that is configured with Azure Firewall.

+1. From the menu on the left, select **Console**, then select your container that supports the `curl` command. If you're using the helloworld container from the sample container image quickstart, you can run the `curl` command.

+1. In the **Choose start up command** menu, select **/bin/sh**, and select **Connect**.

+1. In the console, run `curl -s https://mcr.microsoft.com`. You should see a successful response as you added `mcr.microsoft.com` to the allowlist for your firewall policies.

+1. Run `curl -s https://<fqdn-address>` for a URL that doesn't match any of your destination rules such as `example.com`. The example command would be `curl -s https://example.com`. You should get no response, which indicates that your firewall has blocked the request.

+## Next steps

+> [!div class="nextstepaction"]

+> [Authentication in Azure Container Apps](authentication.md)

+ Title: Protect Azure Container Apps with Application Gateway and Web Application Firewall (WAF)

+description: Learn how to protect Azure Container Apps with Application Gateway Web Application Firewall (WAF)

+zone_pivot_groups: azure-cli-or-portal

+# Protect Azure Container Apps with Web Application Firewall on Application Gateway

+When you host your apps or microservices in Azure Container Apps, you may not always want to publish them directly to the internet. Instead, you may want to expose them through a reverse proxy.

+A reverse proxy is a service that sits in front of one or more services, intercepting and directing incoming traffic to the appropriate destination.

+Reverse proxies allow you to place services in front of your apps that supports cross-cutting functionality including:

+- Routing

+- Caching

+- Rate limiting

+- Security layers

+- Load balancing

+- Request filtering

+This article demonstrates how to protect your container apps using a [Web Application Firewall (WAF) on Azure Application Gateway](../web-application-firewall/ag/ag-overview.md) with an internal Container Apps environment.

+For more information on networking concepts in Container Apps, see [Networking Architecture in Azure Container Apps](./networking.md).

+## Prerequisites

+- Have a container app that is on an internal environment and integrated with a custom virtual network. For more information on how to create a custom virtual network integrated app, see [provide a virtual network to an internal Azure Container Apps environment](./vnet-custom-internal.md).

+- If you must use TLS/SSL encryption to the application gateway, a valid public certificate that's used to bind to your application gateway is required.

+## Retrieve your container app's domain

+In the following steps, you retrieve the values of the **default domain** and the **static IP** which you use to set up your Private DNS Zone.

+1. From the resource group's *Overview* window in the portal, select your container app.

+1. On the *Overview* window for your container app resource, select the link for **Container Apps Environment**

+1. On the *Overview* window for your container app environment resource, select **JSON View** in the upper right-hand corner of the page to view the JSON representation of the container apps environment.

+1. Copy the values for the **defaultDomain** and **staticIp** properties and paste them into a text editor. You'll create a private DNS zone using these values for the default domain in the next section.

+## Create and configure an Azure Private DNS zone

+1. On the Azure portal menu or the **Home** page, select **Create a resource**.

+1. Search for *Private DNS Zone*, and select **Private DNS Zone** from the search results.

+1. Select the **Create** button.

+1. Enter the following values:

+ | Setting | Action |

+ |||

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select the resource group of your container app. |

+ | Name | Enter the **defaultDomain** property of the Container Apps Environment from the previous section. |

+ | Resource group location | Leave as the default. A value isn't needed as Private DNS Zones are global. |

+1. Select **Review + create**. After validation finishes, select **Create**.

+1. After the private DNS zone is created, select **Go to resource**.

+1. In the *Overview* window, select **+Record set**, to add a new record set.

+1. In the *Add record set* window, enter the following values:

+ | Setting | Action |

+ |||

+ | Name | Enter **\***. |

+ | Type | Select **A-Address Record**. |

+ | TTL | Keep the default values. |

+ | TTL unit | Keep the default values. |

+ | IP address | Enter the **staticIp** property of the Container Apps Environment from the previous section. |

+1. Select **OK** to create the record set.

+1. Select **+Record set** again, to add a second record set.

+1. In the *Add record set* window, enter the following values:

+ | Setting | Action |

+ |||

+ | Name | Enter **@**. |

+ | Type | Select **A-Address Record**. |

+ | TTL | Keep the default values. |

+ | TTL unit | Keep the default values. |

+ | IP address | Enter the **staticIp** property of the Container Apps Environment from the previous section. |

+1. Select **OK** to create the record set.

+1. Select the **Virtual network links** window from the menu on the left side of the page.

+1. Select **+Add** to create a new link with the following values:

+ | Setting | Action |

+ |||

+ | Link name | Enter **my-custom-vnet-pdns-link**. |

+ | I know the resource ID of virtual network | Leave it unchecked. |

+ | Virtual network | Select the virtual network your container app is integrated with. |

+ | Enable auto registration | Leave it unchecked. |

+1. Select **OK** to create the virtual network link.

+## Create and configure Azure Application Gateway

+### Basics tab

+1. Enter the following values in the *Project details* section.

+ | Setting | Action |

+ |||

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select the resource group for your container app. |

+ | Application gateway name | Enter **my-container-apps-agw**. |

+ | Region | Select the location where your Container App was provisioned. |

+ | Tier | Select **WAF V2**. You can use **Standard V2** if you don't need WAF. |

+ | Enable autoscaling | Leave as default. For production environments, autoscaling is recommended. See [Autoscaling Azure Application Gateway](../application-gateway/application-gateway-autoscaling-zone-redundant.md). |

+ | Availability zone | Select **None**. For production environments, [Availability Zones](/azure/reliability/availability-zones-overview#availability-zones) are recommended for higher availability. |

+ | HTTP2 | Keep the default value. |

+ | WAF Policy | Select **Create new** and enter **my-waf-policy** for the WAF Policy. Select **OK**. If you chose **Standard V2** for the tier, skip this step. |

+ | Virtual network | Select the virtual network that your container app is integrated with. |

+ | Subnet | Select **Manage subnet configuration**. If you already have a subnet you wish to use, use that instead, and skip to [the Frontends section](#frontends-tab). |

+

+1. From within the *Subnets* window of *my-custom-vnet*, select **+Subnet** and enter the following values:

+ | Setting | Action |

+ |||

+ | Name | Enter **appgateway-subnet**. |

+ | Subnet address range | Keep the default values. |

+1. For the remainder of the settings, keep the default values.

+1. Select **Save** to create the new subnet.

+1. Close the *Subnets* window to return to the *Create application gateway* window.

+1. Select the following values:

+ | Setting | Action |

+ |||

+ | Subnet | Select the **appgateway-subnet** you created. |

+

+1. Select **Next: Frontends**, to proceed.

+### Frontends tab

+1. On the *Frontends* tab, enter the following values:

+ | Setting | Action |

+ |||

+ | Frontend IP address type | Select **Public**. |

+ | Public IP address | Select **Add new**. Enter **my-frontend** for the name of your frontend and select **OK** |

+ > [!NOTE]

+ > For the Application Gateway v2 SKU, there must be a **Public** frontend IP. You can have both a public and a private frontend IP configuration, but a private-only frontend IP configuration with no public IP is currently not supported in the v2 SKU. To learn more, [read here](../virtual-network/ip-services/configure-public-ip-application-gateway.md).

+1. Select **Next: Backends**.

+### Backends tab

+The backend pool is used to route requests to the appropriate backend servers. Backend pools can be composed of any combination of the following resources:

+- NICs

+- Virtual Machine Scale Sets

+- Public IP addresses

+- Internal IP addresses

+- Fully qualified domain names (FQDN)

+- Multi-tenant back-ends like Azure App Service and Container Apps

+In this example, you create a backend pool that targets your container app.

+1. Select **Add a backend pool**.

+1. Open a new tab and navigate to your container app.

+1. In the *Overview* window of the Container App, find the **Application Url** and copy it.

+1. Return to the *Backends* tab, and enter the following values in the **Add a backend pool** window:

+ | Setting | Action |

+ |||

+ | Name | Enter **my-agw-backend-pool**. |

+ | Add backend pool without targets | Select **No**. |

+ | Target type | Select **IP address or FQDN**. |

+ | Target | Enter the **Container App Application Url** you copied and remove the *https://* prefix. This location is the FQDN of your container app. |

+1. Select **Add**.

+1. On the *Backends* tab, select **Next: Configuration**.

+### Configuration tab

+On the *Configuration* tab, you connect the frontend and backend pool you created using a routing rule.

+1. Select **Add a routing rule**. Enter the following values:

+ | Setting | Action |

+ |||

+ | Name | Enter **my-agw-routing-rule**. |

+ | Priority | Enter **1**. |

+1. Under Listener tab, enter the following values:

+ | Setting | Action |

+ |||

+ | Listener name | Enter **my-agw-listener**. |

+ | Frontend IP | Select **Public**. |

+ | Protocol | Select **HTTPS**. If you don't have a certificate you want to use, you can select **HTTP** |

+ | Port | Enter **443**. If you chose **HTTP** for your protocol, enter **80** and skip to the default/custom domain section. |

+ | Choose a Certificate | Select **Upload a certificate**. If your certificate is stored in key vault, you can select **Choose a certificate from Key Vault**. |

+ | Cert name | Enter a name for your certificate. |

+ | PFX certificate file | Select your valid public certificate. |

+ | Password | Enter your certificate password. |

+ If you want to use the default domain, enter the following values:

+ | Setting | Action |

+ |||

+ | Listener Type | Select **Basic** |

+ | Error page url | Leave as **No** |

+ Alternatively, if you want to use a custom domain, enter the following values:

+ | Setting | Action |

+ |||

+ | Listener Type | Select **Multi site** |

+ | Host type | Select **Single** |

+ | Host Names | Enter the Custom Domain you wish to use. |

+ | Error page url | Leave as **No** |

+1. Select the **Backend targets** tab and enter the following values:

+1. Toggle to the *Backend targets* tab and enter the following values:

+ | Setting | Action |

+ |||

+ | Target type | Select **my-agw-backend-pool** that you created earlier. |

+ | Backend settings | Select **Add new**. |

+1. In the *Add Backend setting* window, enter the following values:

+ | Setting | Action |

+ |||

+ | Backend settings name | Enter **my-agw-backend-setting**. |

+ | Backend protocol | Select **HTTPS**. |

+ | Backend port | Enter **443**. |

+ | Use well known CA certificate | Select **Yes**. |

+ | Override with new host name | Select **Yes**. |

+ | Host name override | Select **Pick host name from backend target**. |

+ | Create custom probes | Select **No**. |

+1. Select **Add**, to add the backend settings.

+1. In the *Add a routing rule* window, select **Add** again.

+1. Select **Next: Tags**.

+1. Select **Next: Review + create**, and then select **Create**.

+## Add private link to your Application Gateway

+This step is required for internal only container app environments as it allows your Application Gateway to communicate with your Container App on the backend through the virtual network.

+1. Once the Application Gateway is created, select **Go to resource**.

+1. From the menu on the left, select **Private link**, then select **Add**.

+1. Enter the following values:

+ | Setting | Action |

+ |||

+ | Name | Enter **my-agw-private-link. |

+ | Private link subnet | Select the subnet you wish to create the private link with. |

+ | Frontend IP Configuration | Select the frontend IP for your Application Gateway. |

+1. Under **Private IP address settings** select **Add**.

+1. Select **Add** at the bottom of the window.

+## Verify the container app

+# [Default domain](#tab/default-domain)

+1. Find the public IP address for the application gateway on its *Overview* page, or you can search for the address. To search, select *All resources* and enter **my-container-apps-agw-pip** in the search box. Then, select the IP in the search results.

+1. Navigate to the public IP address of the application gateway.

+1. Your request is automatically routed to the container app, which verifies the application gateway was successfully created.

+# [Custom domain](#tab/custom-domain)

+1. Find the public IP address for the application gateway on its *Overview* page, or you can search for the address.

+ To search, select *All resources* and enter **my-container-apps-agw-pip** in the search box. Then, select the IP in the search results.

+1. Next, you need to update your DNS records via your domain provider's website. Open a new browser window to add the DNS records. Set the A record type to point to the IP address of the application gateway.

+1. In your browser, enter your domain. Make sure you use the https protocol.

+1. Your request is automatically routed to the container app, which verifies that the application gateway is successfully created.

+## Clean up resources

+When you no longer need the resources that you created, delete the resource group. When you delete the resource group, you also remove all the related resources.

+To delete the resource group:

+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups*.

+1. On the *Resource groups* page, search for and select **my-container-apps**.

+1. On the *Resource group page*, select **Delete resource group**.

+1. Enter **my-container-apps** under *TYPE THE RESOURCE GROUP NAME* and then select **Delete**

+## Next steps

+> [!div class="nextstepaction"]

+> [Azure Firewall in Azure Container Apps](user-defined-routes.md)

+ Title: Create a Consumption + Dedicated workload profiles environment (preview)

+description: Learn to create an environment with a specialized hardware profile.

+# Manage workload profiles in a Consumption + Dedicated workload profiles plan structure (preview)

+## Supported regions

+The following regions support workload profiles during preview:

+- North Central US

+- North Europe

+- West Europe

+- East US

+<a id="create"></a>

+## Create a container app in a profile

+At a high level, when you create a container app into a workload profile, you go through the following steps:

+- Select a workload profile

+- Create or provide a VNet

+- Create a subnet with a `Microsoft.App/environments` delegation

+- Create a new environment

+- Create a container app associated with the workload profile in the environment

+Use the following commands to create an environment with a workload profile.

+1. Create a VNet

+ ```bash

+ az network vnet create \

+ --address-prefixes 13.0.0.0/23 \

+ --resource-group "<RESOURCE_GROUP>" \

+ --location "<LOCATION>" \

+ --name "<VNET_NAME>"

+ ```

+1. Create a subnet

+ ```bash

+ az network vnet subnet create \

+ --address-prefixes 13.0.0.0/23 \

+ --delegations Microsoft.App/environments \

+ --name "<SUBNET_NAME>" \

+ --resource-group "<RESOURCE_GROUP>" \

+ --vnet-name "<VNET_NAME>" \

+ --query "id"

+ ```

+ Copy the ID value and paste into the next command.

+ You can specify as small as a `/27` CIDR (32 IPs-8 reserved) for the subnet. Some things to consider if you're going to specify a `/27` CIDR:

+ - There are 11 IP addresses reserved for Container Apps infrastructure. Therefore, a `/27` CIDR has a maximum of 21 IP available addresses.

+ - IP addresses are allocated differently between Consumption and Dedicated profiles:

+ | Consumption | Consumption + Dedicated |

+ |||

+ | Every replica requires one IP. Users can't have apps with more than 21 replicas across all apps. Zero downtime deployment requires double the IPs since the old revision is running until the new revision is successfully deployed. | Every instance (VM node) requires a single IP. You can have up to 21 instances across all workload profiles, and hundreds or more replicas running on these workload profiles. |

+1. Create *Consumption + Dedicated* environment with workload profile support

+ >[!Note]

+ > In Container Apps, you can configure whether your Container Apps will allow public ingress or only ingress from within your VNet at the environment level. In order to restrict ingress to just your VNet, you will need to set the `--internal-only` flag.

+ # [External environment](#tab/external-env)

+ ```bash

+ az containerapp env create \

+ --enable-workload-profiles \

+ --resource-group "<RESOURCE_GROUP>" \

+ --name "<NAME>" \

+ --location "<LOCATION>" \

+ --infrastructure-subnet-resource-id "<SUBNET_ID>"

+ ```

+ # [Internal environment](#tab/internal-env)

+ ```bash

+ az containerapp env create \

+ --enable-workload-profiles \

+ --resource-group "<RESOURCE_GROUP>" \

+ --name "<NAME>" \

+ --location "<LOCATION>" \

+ --infrastructure-subnet-resource-id "<SUBNET_ID>"

+ --internal--only

+ ```

+

+ ```bash

+ az containerapp env create \

+ --enable-workload-profiles \

+ --resource-group "<RESOURCE_GROUP>" \

+ --name "<NAME>" \

+ --location "<LOCATION>" \

+ --infrastructure-subnet-resource-id "<SUBNET_ID>"

+ ```

+ This command can take up to 10 minutes to complete.

+1. Check status of environment. Here, you're looking to see if the environment is created successfully.

+ ```bash

+ az containerapp env show \

+ --name "<ENVIRONMENT_NAME>" \

+ --resource-group "<RESOURCE_GROUP>"

+ ```

+ The `provisioningState` needs to report `Succeeded` before moving on to the next command.

+1. Create a new container app.

+ ```azurecli

+ az containerapp create \

+ --resource-group "<RESOURCE_GROUP>" \

+ --name "<CONTAINER_APP_NAME>" \

+ --target-port 80 \

+ --ingress external \

+ --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \

+ --environment "<ENVIRONMENT_NAME>" \

+ --workload-profile-name "consumption"

+ ```

+ This command deploys the application to the built in Consumption workload profile. If you want to create an app in a dedicated workload profile, you first need to [add the profile to the environment](#add-profiles).

+ This command creates the new application in the environment using a specific workload profile.

+## Add profiles

+Add a new workload profile to an existing environment.

+```azurecli

+az containerapp env workload-profile set \

+ --resource-group <RESOURCE_GROUP> \

+ --name <ENVIRONMENT_NAME> \

+ --workload-profile-type <WORKLOAD_PROFILE_TYPE> \

+ --workload-profile-name <WORKLOAD_PROFILE_NAME> \

+ --min-nodes <MIN_NODES> \

+ --max-nodes <MAX_NODES>

+```

+The value you select for the `<WORKLOAD_PROFILE_NAME>` placeholder is the workload profile "friendly name".

+Using friendly names allow you to add multiple profiles of the same type to an environment. The friendly name is what you use as you deploy and maintain a container app in a workload profile.

+## Edit profiles

+You can modify the minimum and maximum number of nodes used by a workload profile via the `set` command.

+```azurecli

+az containerapp env workload-profile set \

+ --resource-group <RESOURCE_GROUP> \

+ --name <ENV_NAME> \

+ --workload-profile-type <WORKLOAD_PROFILE_TYPE> \

+ --workload-profile-name <WORKLOAD_PROFILE_NAME> \

+ --min-nodes <MIN_NODES> \

+ --max-nodes <MAX_NODES>

+```

+## Delete a profile

+Use the following command to delete a workload profile.

+```azurecli

+az containerapp env workload-profile delete \

+ --resource-group "<RESOURCE_GROUP>" \

+ --name <ENVIRONMENT_NAME> \

+ --workload-profile-name <WORKLOAD_PROFILE_NAME>

+```

+> [!NOTE]

+> The *Consumption* workload profile canΓÇÖt be deleted.

+## Inspect profiles

+The following commands allow you to list available profiles in your region and ones used in a specific environment.

+### List available workload profiles

+Use the `list-supported` command to list the supported workload profiles for your region.

+The following Azure CLI command displays the results in a table

+```azurecli

+az containerapp env workload-profile list-supported \

+ --location <LOCATION>  \

+ --query "[].{Name: name, Cores: properties.cores, MemoryGiB: properties.memoryGiB, Category: properties.category}" \

+ -o table

+```

+The response resembles a table similar to the below example:

+```output

+Name Cores MemoryGiB Category

+-- - --

+D4 4 16 GeneralPurpose

+D8 8 32 GeneralPurpose

+D16 16 64 GeneralPurpose

+E4 4 32 MemoryOptimized

+E8 8 64 MemoryOptimized

+E16 16 128 MemoryOptimized

+Consumption 4 8 Consumption

+```

+Select a workload profile and use the *Name* field when you run `az containerapp env workload-profile set` for the `--workload-profile-type` option.

+### Show a workload profile

+Display details about a workload profile.

+```azurecli

+az containerapp env workload-profile show \

+ --resource-group <RESOURCE_GROUP> \

+ --name <ENVIRONMENT_NAME> \

+ --workload-profile-name <WORKLOAD_PROFILE_NAME>

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Workload profiles overview](./workload-profiles-overview.md)

+ Title: Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps

+description: Learn how to select a workload profile for your container app

+# Workload profiles in Consumption + Dedicated plan structure environments in Azure Container Apps (preview)

+Under the [Consumption + Dedicated plan structure](./plans.md#consumption-dedicated), you can use different workload profiles in your environment. Workload profiles determine the amount of compute and memory resources available to container apps deployed in an environment.

+Profiles are configured to fit the different needs of your applications.

+| Profile type | Description | Potential use |

+|--|--|--|

+| Consumption | Automatically added to any new environment. | Apps that don't require specific hardware requirements |

+| Dedicated General purpose | Balance of memory and compute resources | Apps needing larger amounts of CPU and/or memory |

+| Dedicated Memory optimized | Increased memory resources | Apps needing large in-memory data, in-memory machine learning models, or other high memory requirements |

+A Consumption workload profile is automatically added to all Consumption + Dedicated plan structure environment you create. You can optionally add dedicated workload profiles of any type or size as you create an environment or after it's created.

+For each Dedicated workload profile in your environment, you can:

+- Select the type and size

+- Deploy multiple apps into the profile

+- Use autoscaling to add and remove nodes based on the needs of the apps

+- Limit scaling of the profile to for better cost control and predicatibilty

+You can configure each of your apps to run on any of the workload profiles defined in your Container Apps environment. This configuration is ideal for deploying a microservice solution where each app can run on the appropriate compute infrastructure.

+## Supported regions

+The following regions support workload profiles during preview:

+- North Central US

+- North Europe

+- West Europe

+- East US

+## Profile types

+There are different types and sizes of workload profiles available by region. By default each Consumption + Dedicated plan structure includes a Consumption profile, but you can also add any of the following profiles:

+| Display name | Name | Cores | MemoryGiB | Category | Allocation |

+|||||||

+| Consumption | consumption |4 | 8 | Consumption | per replica |

+| Dedicated-D4 | D4 | 4 | 16 | General purpose | per node |

+| Dedicated-D8 | D8 | 8 | 32 | General purpose | per node |

+| Dedicated-D16 | D16 | 16 | 64 | General purpose | per node |

+| Dedicated-E4 | E4 | 4 | 32 | Memory optimized | per node |

+| Dedicated-E8 | E8 | 8 | 64 | Memory optimized | per node |

+| Dedicated-E16 | E16 | 16 | 128 | Memory optimized | per node |

+Select a workload profile and use the *Name* field when you run `az containerapp env workload-profile set` for the `--workload-profile-type` option.

+The availability of different workload profiles varies by region.

+## Resource consumption

+You can constrain the memory and CPU usage of each app inside a workload profile, and you can run multiple apps inside a single instance of a workload profile. However, the total amount of resources available to a container app is less than what's allocated to a profile. The difference between allocated and available resources is what's reserved for the Azure Container Apps runtime.

+## Scaling

+When demand for new apps or more replicas of an existing app exceeds the profile's current resources, profile instances may be added. Inversely, if the number of apps or replicas goes down, profile instances may be removed. You have control over the constraints on the minimum and maximum number of profile instances. Azure calculates [billing](billing.md#consumption-dedicated) largely based on the number of running profile instances.

+## Next steps

+> [!div class="nextstepaction"]

+> [Manage workload profiles with the CLI](workload-profiles-manage-cli.md)

+- [Azure Command-Line Interface (CLI)](/cli/azure/) or Azure Portal access. Changing capabilities via ARM is not supported.

+| Internet exposed SQL on VM has a user account with commonly used username and allows code execution on the VM (Preview) | SQL on VM is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM. <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |

+| Internet exposed SQL on VM has a user account with commonly used username and known vulnerabilities (Preview) | SQL on VM is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |

+| SQL on VM has a user account with commonly used username and allows code execution on the VM (Preview) | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying VM. <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md)|

+| SQL on VM has a user account with commonly used username and known vulnerabilities (Preview) | SQL on VM has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md)|

+| Internet exposed database server allows basic (user/password) authentication method (Preview) | Azure SQL database can be accessed through the internet and allows user/password authentication which exposes the DB to brute force attacks. |

+| Internet exposed AWS S3 Bucket with sensitive data is publicly accessible (Preview) | An S3 bucket with sensitive data is reachable from the internet and allows public read access without authorization required. <br/> Prerequisite: [Enable data-aware security for S3 buckets in Defender for CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). |

+|Internet exposed SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | Internet exposed SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute. <br/> Prerequisite:ΓÇ»[Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md). |

+|Internet exposed SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) | SQL on EC2 instance is reachable from the internet, has a local user account with a commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite:ΓÇ»[Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |

+|SQL on EC2 instance has a user account with commonly used username and allows code execution on the underlying compute (Preview) | SQL on EC2 instance has a local user account with commonly used username (which is prone to brute force attacks), and has vulnerabilities allowing code execution and lateral movement to the underlying compute. <br/> Prerequisite:ΓÇ»[Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |

+| SQL on EC2 instance has a user account with commonly used username and known vulnerabilities (Preview) |SQL on EC2 instance [EC2Name] has a local user account with commonly used username (which is prone to brute force attacks), and has known vulnerabilities (CVEs). <br/> Prerequisite:ΓÇ»[Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md) |

+|Internet exposed EC2 instance has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution.

+| Internet exposed database server allows basic (user/password) authentication method (Preview) | AWS RDS database can be accessed through the internet and allows user/password authentication which exposes the DB to brute force attacks. |

+| Allows basic authentication (Preview) | Indicates that a resource allows basic (local user/password or key-based) authentication | Azure SQL Server, RDS Instance |

+| Contains sensitive data (Preview) <br/> <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender for CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | Indicates that a resource contains sensitive data. | Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server, Azure SQL Database, Azure Data Lake Storage Gen2, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Synapse Analytics, Azure Cosmos DB accounts |

+| Moves data to (Preview) | Indicates that a resource transfers its data to another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster |

+| Gets data from (Preview) | Indicates that a resource gets its data from another resource | Storage account container, AWS S3, AWS RDS instance, AWS RDS cluster |

+# Agentless scanning for machines

+|Release state:| GA |

+> Make sure to replace `<device-id>` with the name(s) you gave your device in each of the following queries.

+- **Device fleet failure**: Run this query to retrieve the latest information about checks that failed across the device fleet:

+- **Specific device failure** - Run this query to retrieve the latest information about checks that failed on a specific device:

+Defender for IoT will now monitor your newly added resource groups, and surface relevant security recommendations and alerts as part of your IoT solution.

+ Title: Components common to Microsoft Dev Box and Azure Deployment Environments

+description: Discover the components that are shared by Azure Deployment Environments and Microsoft Dev Box.

+ Title: Key concepts and roles

+description: Learn the key concepts, role definitions, and terminology for Azure Deployment Environments.

+# Key concepts for Azure Deployment Environments Preview

+ Title: Usage scenarios for Azure Deployment Environments

+description: Learn how Azure Deployment Environments can be integrated into CI/CD pipelines, create sandboxes, and hackathon environments.

+## Training, hands-on labs, and hackathons

+description: Learn how to add and configure a catalog item to use in your dev center projects. Catalog items contain an IaC template that defines the environment.

+# Add and configure a catalog item in Azure Deployment Environments

+description: Learn how to add and configure a catalog in your Azure Deployment Environments dev center to provide deployment templates for your development teams. Catalogs are specialized repositories stored in GitHub or Azure DevOps.

+# Add and configure a catalog from GitHub or Azure DevOps

+ Title: Provide user access to projects for developers

+description: Learn how to configure access to projects for developers by using the Deployment Environments User built-in role.

+# Provide access for developers to projects in Deployment Environments

+description: Learn how to define dev center level permissions and deployment settings for the environments that developers can deploy.

+# Configure environment types for a dev center

+description: Learn how to configure a managed identity to deploy environments in your Azure Deployment Environments dev center.

+# Configure a managed identity for a dev center

+ Title: Provide administrative access to projects

+description: Learn how to configure administrative access for dev managers by using the DevCenter Project Admin built-in role.

+# Provide access for dev managers to Deployment Environments projects

+description: Learn how to add, update, and delete project environment types in Azure Deployment Environments. Define project-level deployment settings and permissions.

+description: Learn how to create and access an environment in an Azure Deployment Environments project by using the Azure CLI.

+description: Learn how to install the Azure CLI and the Azure Deployment Environments CLI extension so you can create Deployment Environments resources from the command line.

+description: Learn how to manage your Azure Deployment Environments deployment environment in the developer portal or by using the Azure CLI.

+description: Enable developer teams to spin up app infrastructure with project-based templates, minimize setup time & maximize security, compliance, and cost efficiency.

+ Title: Create and access an environment in the developer portal

+description: Learn how to create and access an environment in an Azure Deployment Environments project through the developer portal.

+# Quickstart: Create and access Azure Deployment Environments by using the developer portal

+description: Learn how to create and configure a dev center in Azure Deployment Environments. In the quickstart, you create a dev center, attach an identity, attach a catalog, and create environment types.

+# Quickstart: Create and configure a dev center for Azure Deployment Environments

+description: Learn how to create a project in Azure Deployment Environments and associate the project with a dev center.

+ Title: Components common to Azure Deployment Environments and Microsoft Dev Box

+ Title: Microsoft Dev Box key concepts

+description: Learn key concepts and terminology for Microsoft Dev Box.

+# Key concepts for Microsoft Dev Box Preview

+This article describes the key concepts and components of Microsoft Dev Box.

+description: Learn how to create an Azure Compute Gallery repository for managing and sharing Dev Box images.

+# Configure Azure Compute Gallery for Microsoft Dev Box

+ Title: Configure network connections

+description: Learn how to create, delete, attach, and remove Microsoft Dev Box Preview network connections.

+#Customer intent: As a dev infrastructure manager, I want to be able to manage network connections so that I can enable dev boxes to connect to my existing networks and deploy them in the desired region.

+# Connect dev boxes to resources by configuring network connections

+Network connections allow dev boxes to connect to existing virtual networks. They also determine the region into which dev boxes are deployed.

+When you're planning network connectivity for your dev boxes, you must:

+- Ensure that you have sufficient permissions to create and configure network connections.

+- Ensure that you have at least one virtual network and subnet available for your dev boxes.

+- Identify the region or location that's closest to your dev box users. Deploying dev boxes into a region that's close to users gives them a better experience.

+- Determine whether dev boxes should connect to your existing networks by using Azure Active Directory (Azure AD) join or hybrid Azure AD join.

+## Permissions

+To manage a network connection, you need the following permissions:

+|Action|Permissions required|

+|--|--|

+|Create and configure a virtual network and subnet|Network Contributor permissions on an existing virtual network (Owner or Contributor), or permission to create a new virtual network and subnet.|

+|Create or delete a network connection|Owner or Contributor permissions on an Azure subscription or on a specific resource group.|

+|Add or remove a network connection |Write permission on the dev center.|

+## Create a virtual network and subnet

+To create a network connection, you need an existing virtual network and subnet. If you don't have a virtual network and subnet available, use the following steps to create them:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, enter **virtual network**. In the list of results, select **Virtual Network**.

+1. On the **Virtual Network** page, select **Create**.

+1. On the **Create virtual network** pane, on the **Basics** tab, enter the following values:

+ | Setting | Value |

+ | - | -- |

+ | **Subscription** | Select your subscription. |

+ | **Resource group** | Select an existing resource group. Or create a new one by selecting **Create new**, entering **rg-name**, and then selecting **OK**. |

+ | **Name** | Enter **VNet-name**. |

+ | **Region** | Select the region for the virtual network and dev boxes. |

+ :::image type="content" source="./media/how-to-manage-network-connection/example-basics-tab.png" alt-text="Screenshot of the Basics tab on the pane for creating a virtual network in the Azure portal." border="true":::

+ > [!Important]

+ > The region that you select for the virtual network is the where the dev boxes will be deployed.

+1. On the **IP Addresses** tab, accept the default settings.

+1. On the **Security** tab, accept the default settings.

+1. On the **Review + create** tab, review the settings.

+1. Select **Create**.

+## Allow access to Dev Box endpoints from your network

+An organization can control network ingress and egress by using a firewall, network security groups, and even Microsoft Defender.

+If your organization routes egress traffic through a firewall, you need to open certain ports to allow the Microsoft Dev Box Preview service to function. For more information, see [Network requirements](/windows-365/enterprise/requirements-network).

+## Plan a network connection

+The following sections show you how to create and configure a network connection in Microsoft Dev Box Preview.

+

+### Types of Active Directory join

+The Dev Box service requires a configured and working Active Directory join, which defines how dev boxes join your domain and access resources. There are two choices:

+- **Azure AD join**: If your organization uses Azure AD, you can use an Azure AD join (sometimes called a native Azure AD join). Dev box users sign in to Azure AD-joined dev boxes by using their Azure AD account and access resources based on the permissions assigned to that account. Azure AD join enables access to cloud-based and on-premises apps and resources.

+ For more information, see [Plan your Azure Active Directory join deployment](../active-directory/devices/azureadjoin-plan.md).

+- **Hybrid Azure AD join**: If your organization has an on-premises Active Directory implementation, you can still benefit from some of the functionality in Azure AD by using hybrid Azure AD-joined dev boxes. These dev boxes are joined to your on-premises Active Directory instance and registered with Azure AD.

+ Hybrid Azure AD-joined dev boxes require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable.

+ For more information, see [Plan your hybrid Azure Active Directory join deployment](../active-directory/devices/hybrid-azuread-join-plan.md).

+### Create a network connection

+Follow the steps on the relevant tab to create your network connection.

+#### [**Azure AD join**](#tab/AzureADJoin/)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, enter **network connections**. In the list of results, select **Network connections**.

+1. On the **Network Connections** page, select **Create**.

+ :::image type="content" source="./media/how-to-manage-network-connection/network-connections-empty.png" alt-text="Screenshot that shows the Create button on the page for network connections.":::

+1. On the **Create a network connection** pane, on the **Basics** tab, enter the following values:

+ |Name|Value|

+ |-|-|

+ |**Domain join type**|Select **Azure active directory join**.|

+ |**Subscription**|Select the subscription in which you want to create the network connection.|

+ |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.|

+ |**Name**|Enter a descriptive name for the network connection.|

+ |**Virtual network**|Select the virtual network that you want the network connection to use.|

+ |**Subnet**|Select the subnet that you want the network connection to use.|

+ :::image type="content" source="./media/how-to-manage-network-connection/create-native-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for Azure Active Directory join selected.":::

+1. Select **Review + Create**.

+1. On the **Review** tab, select **Create**.

+1. When the deployment is complete, select **Go to resource**. Confirm that the connection appears on the **Network connections** page.

+#### [**Hybrid Azure AD join**](#tab/HybridAzureADJoin/)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, enter **network connections**. In the list of results, select **Network connections**.

+1. On the **Network Connections** page, select **Create**.

+ :::image type="content" source="./media/how-to-manage-network-connection/network-connections-empty.png" alt-text="Screenshot that shows the Create button on the page that lists network connections.":::

+1. On the **Create a network connection** pane, on the **Basics** tab, enter the following values:

+ |Name|Value|

+ |-|-|

+ |**Domain join type**|Select **Hybrid Azure active directory join**.|

+ |**Subscription**|Select the subscription in which you want to create the network connection.|

+ |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.|

+ |**Name**|Enter a descriptive name for the network connection.|

+ |**Virtual network**|Select the virtual network that you want the network connection to use.|

+ |**Subnet**|Select the subnet that you want the network connection to use.|

+ |**AD DNS domain name**| Enter the DNS name of the Active Directory domain that you want to use for connecting and provisioning Cloud PCs. For example: `corp.contoso.com`. |

+ |**Organizational unit**| Enter the organizational unit (OU). An OU is a container within an Active Directory domain that can hold users, groups, and computers. |

+ |**AD username UPN**| Enter the username, in user principal name (UPN) format, that you want to use for connecting Cloud PCs to your Active Directory domain. For example: `svcDomainJoin@corp.contoso.com`. This service account must have permission to join computers to the domain and the target OU (if one is set). |

+ |**AD domain password**| Enter the password for the user. |

+ :::image type="content" source="./media/how-to-manage-network-connection/create-hybrid-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for hybrid Azure Active Directory join selected.":::

+1. Select **Review + Create**.

+1. On the **Review** tab, select **Create**.

+1. When the deployment is complete, select **Go to resource**. Confirm that the connection appears on the **Network connections** page.

+## Attach a network connection to a dev center

+You need to attach a network connection to a dev center before you can use it in projects to create dev box pools.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, enter **dev centers**. In the list of results, select **Dev centers**.

+1. Select the dev center that you created, and then select **Networking**.

+1. Select **+ Add**.

+1. On the **Add network connection** pane, select the network connection that you created earlier, and then select **Add**.

+ :::image type="content" source="./media/how-to-manage-network-connection/add-network-connection.png" alt-text="Screenshot that shows the pane for adding a network connection.":::

+After you attach a network connection, the Azure portal runs several health checks on the network. You can view the status of the checks on the resource overview page.

+You can add network connections that pass all health checks to a dev center and use them to create dev box pools. Dev boxes within dev box pools are created and domain joined in the location of the virtual network that's assigned to the network connection.

+To resolve any errors, see [Troubleshoot Azure network connections](/windows-365/enterprise/troubleshoot-azure-network-connection).

+## Remove a network connection from a dev center

+You can remove a network connection from a dev center if you no longer want to use it to connect to network resources. Network connections can't be removed if one or more dev box pools are using them.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, enter **dev centers**. In the list of results, select **Dev centers**.

+1. Select the dev center that you created, and then select **Networking**.

+1. Select the network connection that you want to remove, and then select **Remove**.

+ :::image type="content" source="./media/how-to-manage-network-connection/remove-network-connection.png" alt-text="Screenshot that shows the Remove button on the network connection page.":::

+1. Read the warning message, and then select **OK**.

+The network connection is no longer available for use in the dev center.

+## Next steps

+- [Manage a dev box definition](how-to-manage-dev-box-definitions.md)

+- [Manage a dev box pool](how-to-manage-dev-box-pools.md)

+- [Manage a dev box project](how-to-manage-dev-box-projects.md)

+ Title: Set a dev box auto-stop schedule

+description: Learn how to configure an auto-stop schedule to automatically shutdown dev boxes in a pool at a specified time.

+# Auto-stop your Dev Boxes on schedule

+To save on costs, you can enable an Auto-stop schedule on a dev box pool. Microsoft Dev Box Preview will attempt to shut down all dev boxes in that pool at the time specified in the schedule. You can configure one stop time in one timezone for each pool.

+## Permissions

+To manage a dev box schedule, you need the following permissions:

+|Action|Permission required|

+|--|--|

+|Configure a schedule|Owner, Contributor, or DevCenter Project Admin.|

+## Manage an auto-stop schedule in the Azure portal

+You can enable, modify, and disable auto-stop schedules using the Azure portal.

+### Create an auto-stop schedule

+You can create an auto-stop schedule while creating a new dev box pool, or by modifying an already existing dev box pool. The following steps show you how to use the Azure portal to create and configure an auto-stop schedule.

+### Add an auto-stop schedule to an existing pool

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, type *Projects* and then select **Projects** from the list.

+ :::image type="content" source="./media/how-to-manage-stop-schedule/discover-projects.png" alt-text="Screenshot showing a search for projects from the Azure portal search box.":::

+1. Open the project associated with the pool you want to edit.

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::

+1. Select the pool you wish to modify, and then select edit. You might need to scroll to locate edit.

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-edit-pool.png" alt-text="Screenshot of the edit dev box pool button.":::

+1. In **Enable Auto-stop**, select **Yes**.

+ |Name|Value|

+ |-|-|

+ |**Enable Auto-stop**|Select **Yes** to enable an Auto-stop schedule after the pool has been created.|

+ |**Stop time**| Select a time to shutdown all the dev boxes in the pool. All Dev Boxes in this pool will be shut down at this time, everyday.|

+ |**Time zone**| Select the time zone that the stop time is in.|

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-save-pool.png" alt-text="Screenshot of the edit dev box pool page showing the Auto-stop options.":::

+1. Select **Save**.

+### Add an Auto-stop schedule as you create a pool

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, type *Projects* and then select **Projects** from the list.

+ :::image type="content" source="./media/how-to-manage-stop-schedule/discover-projects.png" alt-text="Screenshot showing a search for projects from the Azure portal search box.":::

+1. Open the project with which you want to associate the new dev box pool.

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::

+1. Select **Dev box pools** and then select **+ Create**.

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-pool-grid-empty.png" alt-text="Screenshot of the list of dev box pools within a project. The list is empty.":::

+1. On the **Create a dev box pool** page, enter the following values:

+ |Name|Value|

+ |-|-|

+ |**Name**|Enter a name for the pool. The pool name is visible to developers to select when they're creating dev boxes, and must be unique within a project.|

+ |**Dev box definition**|Select an existing dev box definition. The definition determines the base image and size for the dev boxes created within this pool.|

+ |**Network connection**|Select an existing network connection. The network connection determines the region of the dev boxes created within this pool.|

+ |**Dev Box Creator Privileges**|Select Local Administrator or Standard User.|

+ |**Enable Auto-stop**|Yes is the default. Select No to disable an Auto-stop schedule. You can configure an Auto-stop schedule after the pool has been created.|

+ |**Stop time**| Select a time to shutdown all the dev boxes in the pool. All Dev Boxes in this pool will be shut down at this time, everyday.|

+ |**Time zone**| Select the time zone that the stop time is in.|

+ |**Licensing**| Select this check box to confirm that your organization has Azure Hybrid Benefit licenses that you want to apply to the dev boxes in this pool. |

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-pool-create.png" alt-text="Screenshot of the Create dev box pool dialog.":::

+1. Select **Add**.

+

+1. Verify that the new dev box pool appears in the list. You may need to refresh the screen.

+

+### Delete an auto-stop schedule

+To delete an auto-stop schedule, first navigate to your pool:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box, type *Projects* and then select **Projects** from the list.

+ :::image type="content" source="./media/how-to-manage-stop-schedule/discover-projects.png" alt-text="Screenshot showing a search for projects from the Azure portal search box.":::

+1. Open the project associated with the pool you want to edit.

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/projects-grid.png" alt-text="Screenshot of the list of existing projects.":::

+1. Select the pool you wish to modify, and then select edit. You might need to scroll to locate edit.

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-edit-pool.png" alt-text="Screenshot of the edit dev box pool button.":::

+1. In **Enable Auto-stop**, select **No**.

+

+ :::image type="content" source="./media/how-to-manage-stop-schedule/dev-box-disable-stop.png" alt-text="Screenshot of the edit dev box pool page showing Auto-stop disabled.":::

+1. Select **Save**. Dev boxes in this pool won't automatically shut down.

+## Manage an auto-stop schedule at the CLI

+You can also manage auto-stop schedules using Azure CLI.

+### Create an auto-stop schedule

+```az devcenter admin schedule create -n default --pool {poolName} --project {projectName} --time 23:15 --time-zone "America/Los_Angeles" --schedule-type stopdevbox --frequency daily --state enabled```

+|Parameter|Description|

+|--|--|

+|poolName|Name of your pool|

+|project|Name of your Project|

+|time| Local time when Dev Boxes should be shut down|

+|time-zone|Standard timezone string to determine local time|

+### Delete an auto-stop schedule

+```az devcenter admin schedule delete -n default --pool {poolName} --project {projectName}```

+|Parameter|Description|

+|--|--|

+|poolName|Name of your pool|

+|project|Name of your Project|

+## Next steps

+- [Manage a dev box definition](./how-to-manage-dev-box-definitions.md)

+- [Manage a dev box using the developer portal](./how-to-create-dev-boxes-developer-portal.md)

+ Title: Create & configure a dev box by using the developer portal

+description: Learn how to create, delete, and connect to Microsoft Dev Box Preview dev boxes by using the developer portal.

+# Manage a dev box by using the developer portal

+You can preconfigure a dev box to manage all of your tools, services, source code, and prebuilt binaries that are specific to your project. Microsoft Dev Box Preview provides an environment that's ready to build on, so you can run your app in minutes.

+## Permissions

+As a dev box developer, you can:

+- Create, view, and delete dev boxes that you create.

+- View pools within a project.

+- Connect to dev boxes.

+## Create a dev box

+Create a dev box through the developer portal. You can create as many dev boxes as you need, but there are common ways to split up your workload.

+You could create a dev box for your front-end work and a separate dev box for your back-end work. You could also create multiple dev boxes for your back end.

+For example, say you're working on a bug. You could use a separate dev box for the bug fix to work on the specific task and troubleshoot the issue without poisoning your primary machine.

+To create a dev box:

+## Connect to a dev box

+After you create your dev box, you can connect to it through a Remote Desktop app or through a browser.

+For most cases, use the Remote Desktop app when you're accessing a dev box. Remote Desktop provides the highest performance and best user experience for heavy workloads. For more information, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).

+Use the browser for lighter workloads. When you access your dev box via your phone or laptop, you can use the browser. The browser is useful for tasks such as a quick bug fix or a review of a GitHub pull request. For more information, see the [steps for using a browser to connect to a dev box](./quickstart-create-dev-box.md#connect-to-a-dev-box).

+## Delete a dev box

+When you no longer need a dev box, you can delete it.

+There are many reasons why you might not need a dev box anymore. Maybe you finished testing, or you finished working on a specific project within your product.

+You can delete dev boxes after you finish your tasks. Say you finished fixing your bug and merged your pull request. Now, you can delete your dev box and create new dev boxes to work on new items.

+> [!NOTE]

+> Ensure that neither you nor your team members need the dev box before deleting. You can't retrieve dev boxes after deletion.

+## Next steps

+- [Use a remote desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md)

+- [Use a browser to connect to a dev box](./quickstart-create-dev-box.md#connect-to-a-dev-box)

+ Title: Provide user access to dev box projects

+description: Learn how to provide user-level access to projects for developers so that they can create and manage dev boxes.

+# Provide user-level access to projects for developers

+ Title: Install the Microsoft Dev Box Azure CLI extension

+description: Learn how to install the Azure CLI and the Microsoft Dev Box CLI extension so you can create Dev Box resources from the command line.

+# Configure Microsoft Dev Box from the command-line with the Azure CLI extension

+ Title: Create, update, delete dev box definitions

+description: Microsoft Dev Box dev box definitions define a source image, compute size, and storage size for your dev boxes with. Learn how to manage dev box definitions.

+description: Microsoft Dev Box dev box pools are collections of dev boxes that you manage together. Learn how to create, configure, and delete dev box pools.

+To allow developers to create their own dev boxes, you need to set up dev box pools that define the dev box specifications and network connections for new dev boxes. Developers can then create dev boxes from the dev box pools they have access to through their project memberships.

+ Title: Manage a dev box project

+description: Microsoft Dev Box projects give developers access to create their dev boxes. Learn how to create and delete dev box projects.

+description: Microsoft Dev Box dev centers help you manage dev box resources, grouping projects with similar settings. Learn how to create, delete, and manage dev centers.

+# Manage a Microsoft Dev Box dev center

+ Title: Provide administrative access to Microsoft Dev Box projects

+description: Learn how to manage multiple Dev Box projects by assigning admin permissions and delegating project administration.

+# Provide administrative access to Dev Box projects for project admins

+ Title: What is Microsoft Dev Box?

+description: Learn how Microsoft Dev Box Preview gives self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations.

+ Title: 'Quickstart: Configure Microsoft Dev Box'

+description: In this quickstart, you learn how to configure the Microsoft Dev Box Preview service to provide dev boxes for users.

+description: In this quickstart, you learn how to create a dev box and connect to it through a browser.

+In this quickstart, you created a dev box through the developer portal and connected to it by using a browser. To learn how to connect to a dev box by using a Remote Desktop app, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).

+ Title: 'Tutorial: Use a Remote Desktop client to connect to a dev box'

+description: In this tutorial, you learn how to download a Remote Desktop client and connect to your dev box. You also learn how to configure a dev box to use multiple monitors during a remote desktop session.

+# Tutorial: Use a Remote Desktop client to connect to a dev box

+After you configure the Microsoft Dev Box Preview service and create dev boxes, you can connect to them by using a browser or by using a Remote Desktop client.

+Remote Desktop apps let you use and control a dev box from almost any device. For your desktop or laptop, you can choose to download the Remote Desktop client for Windows Desktop or Microsoft Remote Desktop for Mac. You can also download a Remote Desktop app for your mobile device: Microsoft Remote Desktop for iOS or Microsoft Remote Desktop for Android.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Download a remote desktop client.

+> * Connect to an existing dev box.

+> * Configure the remote desktop client for multiple monitors.

+## Prerequisites

+To complete this tutorial, you must first:

+- [Configure Microsoft Dev Box Preview](./quickstart-configure-dev-box-service.md).

+- [Create a dev box](./quickstart-create-dev-box.md#create-a-dev-box) on the [developer portal](https://aka.ms/devbox-portal).

+## Download the client and connect to your dev box

+Remote Desktop clients are available for many operating systems and devices. In this tutorial, you can view the steps for Windows or the steps for a non-Windows operating system by selecting the relevant tab.

+# [Windows](#tab/windows)

+### Download the Remote Desktop client for Windows

+To download and set up the Remote Desktop client for Windows:

+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).

+1. Select **Open in RDP client** for the dev box that you want to connect.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the card for a user's dev boxes with the option for opening in an RDP client.":::

+1. Select **Download Windows Desktop** to download the client.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-windows-desktop.png" alt-text="Screenshot of the option to download the Windows Desktop client.":::

+1. Open the remote desktop MSI file and follow the prompts to install the remote desktop app. After the client is installed, you'll use the developer portal to connect to your dev box.

+### Connect to your dev box

+To open the Remote Desktop client:

+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).

+1. Select **Open in RDP client** for the dev box that you want to connect.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the option to open a dev box in an RDP client.":::

+1. Select **Open Windows Desktop** to connect to your dev box in the Remote Desktop client.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/open-windows-desktop.png" alt-text="Screenshot of the option to open the Windows desktop client in the connection dialog.":::

+# [Non-Windows](#tab/non-Windows)

+### Download the Remote Desktop client

+To use a non-Windows Remote Desktop client to connect to your dev box:

+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).

+1. Under **Quick actions**, select **Configure Remote Desktop**.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/configure-remote-desktop-non-windows.png" alt-text="Screenshot of the button for configuring Remote Desktop in the area for quick actions.":::

+1. In the **Configure Remote Desktop** dialog, select **Download** to download the client.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-non-windows-rdp-client.png" alt-text="Screenshot of the download button in the dialog for configuring Remote Desktop.":::

+1. Copy the subscription feed URL. After the Remote Desktop client is installed, you'll connect to your dev box by using this URL.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/copy-subscription-url-non-windows.png" alt-text="Screenshot of the subscription feed URL in the Configure Remote Desktop dialog.":::

+### Connect to your dev box

+1. Open the Remote Desktop client, select **Add Workspace**, and paste the subscription feed URL in the box.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-subscription-feed.png" alt-text="Screenshot of the dialog for adding a workspace URL.":::

+1. Your dev box appears in the Remote Desktop client's **Workspaces** area. Double-click it to connect.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-connect-dev-box.png" alt-text="Screenshot of a dev box in a non-Windows Remote Desktop client workspace.":::

+## Configure Remote Desktop to use multiple monitors

+Microsoft Remote Desktop for Windows and Microsoft Remote Desktop for Mac both support up to 16 monitors. Use the following steps to configure Remote Desktop to use multiple monitors.

+# [Windows](#tab/windows)

+1. Open Remote Desktop.

+

+1. Right-click the dev box you want to configure, and then select **Settings**.

+

+1. On the settings pane, turn off **Use default settings**.

+

+ :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/turn-off-default-settings.png" alt-text="Screenshot showing the Use default settings slider.":::

+

+1. In **Display Settings**, in the **Display configuration** list, select the displays to use:

+

+ |Value |Description |

+ |||

+ |All displays |Remote desktop uses all available displays. |

+ |Single display |Remote desktop uses a single display. |

+ |Select displays |Remote Desktop uses only the monitors you select. |

+ :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/remote-desktop-select-display.png" alt-text="Screenshot showing the remote desktop display settings. ":::

+1. Close the settings pane, and then select your dev box to begin the remote desktop session.

+# [Non-Windows](#tab/non-Windows)

+1. Open Remote Desktop.

+

+1. Select **PCs**.

+1. On the Connections menu, select **Edit PC**.

+

+1. Select **Display**.

+

+1. On the Display tab, select **Use all monitors**, and then select **Save**.

+ :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/remote-desktop-for-mac.png" alt-text="Screenshot showing the Edit PC dialog box with the display configuration options.":::

+1. Select your dev box to begin the remote desktop session.

+

+## Clean up resources

+Dev boxes incur costs whenever they're running. When you finish using your dev box, shut down or stop it to avoid incurring unnecessary costs.

+You can stop a dev box from the developer portal:

+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).

+1. For the dev box that you want to stop, select the **Actions** menu, and then select **Stop**.

+ :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/stop-dev-box.png" alt-text="Screenshot of the menu command to stop a dev box.":::

+The dev box might take a few moments to stop.

+## Next steps

+To learn about managing Microsoft Dev Box Preview, see:

+- [Provide access to project admins](./how-to-project-admin.md)

+- [Provide access to dev box users](./how-to-dev-box-user.md)

+ Example shown below allow-lists extensions dblink, dict_xsyn, pg_buffercache on server mypostgreserver

+Shared_Preload_Libraries is a server configuration parameter determining which libraries are to be loaded when PostgreSQL starts. Any libraries which use shared memory must be loaded via this parameter. If your extension needs to be added to shared preload libraries this action can be done:

+ :::image type="content" source="./media/concepts-extensions/shared-libraries.png" alt-text=" Screenshot showing Azure Database for PostgreSQL -setting shared preload libraries parameter setting for extensions installation.":::

+Azure Database for PostgreSQL supports a subset of key extensions as listed below. This information is also available by running `SHOW azure.extensions;`. Extensions not listed in this document aren't supported on Azure Database for PostgreSQL - Flexible Server. You can't create or load your own extension in Azure Database for PostgreSQL.

+The following extensions are available in Azure Database for PostgreSQL - Flexible Servers, which have Postgres version 14.

+> |[tablefunc](https://www.postgresql.org/docs/11/tablefunc.html) | 1.0 | functions that manipulate whole tables, including crosstab|

+The following extensions are available in Azure Database for PostgreSQL - Flexible Servers that have Postgres version 13.

+> |[tablefunc](https://www.postgresql.org/docs/11/tablefunc.html) | 1.0 | functions that manipulate whole tables, including crosstab|

+The following extensions are available in Azure Database for PostgreSQL - Flexible Servers that have Postgres version 12.

+> |[tablefunc](https://www.postgresql.org/docs/11/tablefunc.html) | 1.0 | functions that manipulate whole tables, including crosstab|

+The following extensions are available in Azure Database for PostgreSQL - Flexible Servers that have Postgres version 11.

+To run vacuum every day at 10:00 am (GMT) in database 'testcron' under azure_pg_admin role account

+ Title: How to request quota increase for Azure Database PostgreSQL Flexible Server resources

+description: Learn how to request a quota increase for Azure Database for PostgreSQL Flexible Server. You will also learn how to enable a subscription to access a region..

+# Request quota increases for Azure Database PostgreSQL Flexible Server

+The resources in Azure Database for PostgreSQL Flexible Server have default quotas/limits. However, there may be a case where your workload needs more quota than the default value. In such case, you must reach out to the Azure PostgreSQL DB team to request a quota increase. This article explains how to request a quota increase for Azure Database for PostgreSQL FLexible Server resources.

+## Create a new support request

+To request a quota increase, you must create a new support request with your workload details. The Azure Database for PostgreSQL Flexible Server team will then process your request and approve or deny it. Use the following steps to create a new support request from the Azure portal:

+1. Sign into the Azure portal.

+2. From the left-hand menu, select **Help + support** and then select **Create a support request**.

+3. In the **Problem Description** tab, fill the following details:

+ * For **Summary**, Provide a short description of your request such as your workload, why the default values arenΓÇÖt sufficient along with any error messages you're observing.

+ * For **Issue type**, select **Service and subscription limits (quotas)**

+ * For **Subscription**, select the subscription for which you want to increase the quota.

+ * For **Quota type**, select **Azure Database for PostgreSQL Flexible Server**

+ :::image type="content" source="./media/how-to-create-support-request-quota-increase/create-quota-increase-request.png" alt-text="Create a new Azure Flexible Server request for quota increase":::

+4. In the **Additional Details** tab, enter the details corresponding to your quota request. The Information provided on this tab will be used to further assess your issue and help the support engineer troubleshoot the problem.

+

+5. Fill the following details in this form:

+ * In **Request details** click **Enter details** and select the relevant **Quota Type**

+ provide the requested information for your specific quota request like Location, Series, New Quota.

+ * **File upload**: Upload the diagnostic files or any other files that you think are relevant to the support request. To learn more on the file upload guidance, see the [Azure support](../../azure-portal/supportability/how-to-manage-azure-support-request.md#upload-files) article.

+ * **Allow collection of advanced ΓÇïdiagnostic information?ΓÇï**: Choose Yes or NO

+ * **Severity**: Choose one of the available severity levels based on the business impact.

+ * **Preferred contact method**: You can either choose to be contacted over **Email** or by **Phone**.

+6. Fill out the remaining details such as your availability, support language, contact information, email, and phone number on the form.

+7. Select **Next: Review+Create**. Validate the information provided and select **Create** to create a support request.

+The Azure Database for PostgreSQL Flexible Server DB support team process all quota requests in 24-48 hours.

+## Next steps

+- Learn how to [create a PostgreSQL server in the portal](how-to-manage-server-portal.md).

+- Learn about [service limits](concepts-limits.md).

+For example, you might have a virtual network security appliance on your virtual network. You want to make sure that all traffic to and from your virtual network goes through that virtual security appliance. You can do this by configuring [User Defined Routes](../../virtual-network/virtual-networks-udr-overview.md#custom-routes) (UDRs) in Azure.

+[Forced tunneling](../../vpn-gateway/vpn-gateway-about-forced-tunneling.md) is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from internet hosts, and so internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.

+Azure Firewall is a cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

+You might want to connect your entire corporate network, or portions of it, to a virtual network. This is common in hybrid IT scenarios, where organizations extend their on-premises datacenter into Azure. In many cases, organizations host parts of a service in Azure, and parts on-premises. For example,they might do so when a solution includes front-end web servers in Azure and back-end databases on-premises. These types of "cross-premises" connections also make management of Azure located resources more secure, and enable scenarios such as extending Active Directory domain controllers into Azure.

+One way to accomplish this is to use a site-to-site VPN. The difference between a site-to-site VPN and a point-to-site VPN is that the latter connects a single device to a virtual network. A site-to-site VPN connects an entire network (such as your on-premises network) to a virtual network. Site-to-site VPNs to a virtual network use the highly secure IPsec tunnel mode VPN protocol.

+A better option might be to create a site-to-site VPN that connects between two virtual networks. This method uses the same IPSec tunnel mode protocol as the cross-premises site-to-site VPN connection mentioned above.

+* [Azure DNS private zones](../../dns/private-dns-privatednszone.md) allows you to configure private DNS names for Azure resources rather than the automatically assigned names without the need to add a custom DNS solution.

+* [Perimeter networks for security zones](network-best-practices.md#deploy-perimeter-networks-for-security-zones)

+You can also use Microsoft Power BI, a powerful data visualization tool, to view and analyze these logs.

+Azure SQL Database and Azure Synapse Analytics provide a relational database service for your internet-based applications. Let's look at services that help protect your applications and data when using Azure SQL Database and Azure Synapse Analytics in a PaaS deployment:

+- Supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes [Multi-Factor Authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md). MFA includes strong authentication with a range of easy verification options. Verification options are phone call, text message, smart cards with pin, or mobile app notification. For more information, see [Universal Authentication with SQL Database and Azure Synapse Analytics](/azure/azure-sql/database/authentication-mfa-ssms-overview).

+- [Securing PaaS web and mobile applications using Azure App Services](paas-applications-using-app-services.md)

+[Develop secure applications on Azure](../develop/secure-develop.md) is a general guide to the security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

+Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses inherent in username and password types of authentication. Access to both the Azure management (portal/remote PowerShell) interfaces and customer-facing services should be designed and configured to use Azure AD Multi-Factor Authentication.

+| Repudiation | Non-repudiation | Enable Azure monitoring and diagnostics. |

+| Information disclosure | Confidentiality | Encrypt sensitive data at rest by using service certificates. |

+| Elevation of privilege | Authorization | Use Privileged Identity Management. |

+**Detail**: Use [Microsoft Defender for Cloud to monitor your App Service environments](../../security-center/asset-inventory.md). When Defender for Cloud identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls.

+Fuzz testing is a method for finding program failures (code errors) by supplying malformed input data to program interfaces (entry points) that parse and consume this data.

+- Web Application Firewall

+See [Develop secure applications on Azure](../develop/secure-dev-overview.md) for security questions and controls you should consider at each phase of the software development lifecycle when developing applications for the cloud.

+One of the benefits of using Azure for application testing and deployment is that you can quickly get environments created. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware.

+Quickly creating environments is great but you still need to make sure you perform your normal security due diligence. One of the things you likely want to do is penetration test the applications you deploy in Azure.

+We don't perform penetration testing of your application for you, but we do understand that you want and need to perform testing on your own applications. That's a good thing, because when you enhance the security of your applications you help make the entire Azure ecosystem more secure.

+* [Fuzz testing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) of your endpoints

+One type of pen test that you can't perform is any kind of [Denial of Service (DoS)](https://en.wikipedia.org/wiki/Denial-of-service_attack) attack. This test includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate, or simulate any type of DoS attack.

+> - [RedWolf](https://www.redwolfsecurity.com/services/#cloud-ddos) a self-service or guided DDoS testing provider with real-time control.

+>

+The Azure DNS servers are located at multiple datacenter facilities. The Azure DNS implementation incorporates a hierarchy of secondary and primary DNS servers to publicly resolve Azure customer domain names. The domain names usually resolve to a CloudApp.net address, which wraps the virtual IP (VIP) address for the customer's service. Unique to Azure, the VIP that corresponds to internal dedicated IP (DIP) address of the tenant translation is done by the Microsoft load balancers responsible for that VIP.

+- Networks are implemented with "need plus one" (N+1) redundancy architectures or better.

+- **Machine config or infrastructure rules**: By default, all communication is blocked. Exceptions exist that allow a VM to send and receive Dynamic Host Configuration Protocol (DHCP) communications and DNS information, and send traffic to the "public" internet outbound to other VMs within the FC cluster and OS Activation server. Because the VMs' allowed list of outgoing destinations does not include Azure router subnets and other Microsoft properties, the rules act as a layer of defense for them.

+- **Role configuration file rules**: Defines the inbound ACLs based on the tenants' service model. For example, if a tenant has a web front end on port 80 on a certain VM, port 80 is opened to all IP addresses. If the VM has a worker role running, the worker role is opened only to the VM within the same tenant.

+- To learn how to enhance your security solutions by integrating with Microsoft products, see [Integrate with Microsoft's Zero Trust solutions](/security/zero-trust/integrate/overview)

+# Using IDENTITY to create surrogate keys using dedicated SQL pool in Azure Synapse Analytics

+* **Publisher**: The organization that created the image. Examples: Canonical, RedHat, SUSE

+* **Offer**: The name of a group of related images created by a publisher. Examples: UbuntuServer, RHEL, sles-12-sp5

+* **SKU**: An instance of an offer, such as a major release of a distribution. Examples: 18.04-LTS, 7_9, gen2

+[...]

+```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive

+```azurecli-interactive