+1. Open the Azure portal and navigate to [Advisor](https://aka.ms/azureadvisordashboard).

+> If you have no reviews, the **Reviews** menu item in the left navigation is hidden.

+| `gpt-35-turbo` (0613) | East US2 <br> North Central US <br> Sweden Central | 4,096 | Sep 2021 |

+| `gpt-35-turbo` (1106) | East US2 <br> North Central US <br> Sweden Central | Input: 16,385<br> Output: 4,096 | Sep 2021|

+| `gpt-35-turbo` (0125) | East US2 <br> North Central US <br> Sweden Central | 16,385 | Sep 2021 |

+## April 2024

+### Fine-tuning is now supported in East US 2

+Fine-tuning is now available in East US 2 with support for:

+- `gpt-35-turbo` (0613)

+- `gpt-35-turbo` (1106)

+- `gpt-35-turbo` (0125)

+Check the [models page](concepts/models.md#fine-tuning-models), for the latest information on model availability and fine-tuning support in each region.

+# Quickstart: Create real-time diarization

+ > The evaluation process may take up lots of tokens, so it's recommended to use a model which can support >=16k tokens.

+This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to AKS. The offer automatically provisions a number of Azure resources including an Azure Container Registry (ACR) instance, an AKS cluster, an Azure App Gateway Ingress Controller (AGIC) instance, the Liberty Operators, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aks). If you prefer manual step-by-step guidance for running Liberty on AKS that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty or WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster](/azure/developer/java/ee/howto-deploy-java-liberty-app-manual).

+* Prepare a local machine with a Unix-like operating system installed (for example, Ubuntu, macOS, Windows Subsystem for Linux).

+* This article requires at least version 2.31.0 of Azure CLI.

+* Install a Java SE implementation, version 17 or later. (for example, [Eclipse Open J9](https://www.eclipse.org/openj9/)).

+* Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

+* Install [Docker](https://docs.docker.com/get-docker/) for your OS.

+* The second network rule allows access to port 1194 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.

+1. Integrate a database:

+ ```Python

+

+ from azure.cosmos.aio import CosmosClient

+ from azure.cosmos import exceptions

+ from azure.cosmos.partition_key import PartitionKey

+ from configs.credential import HOST, MASTER_KEY, DATABASE_ID

+ def get_database_client():

+ # Initialize the Cosmos client

+ client = CosmosClient(HOST, MASTER_KEY)

+ # Create or get a reference to a database

+ try:

+ database = client.create_database_if_not_exists(id=DATABASE_ID)

+ print(f'Database "{DATABASE_ID}" created or retrieved successfully.')

+ except exceptions.CosmosResourceExistsError:

+ database = client.get_database_client(DATABASE_ID)

+ print('Database with id \'{0}\' was found'.format(DATABASE_ID))

+ return database

+ def get_container_client(container_id):

+ database = get_database_client()

+ # Create or get a reference to a container

+ try:

+ container = database.create_container(id=container_id, partition_key=PartitionKey(path='/partitionKey'))

+ print('Container with id \'{0}\' created'.format(container_id))

+ except exceptions.CosmosResourceExistsError:

+ container = database.get_container_client(container_id)

+ print('Container with id \'{0}\' was found'.format(container_id))

+ return container

+ async def create_item(container_id, item):

+ async with CosmosClient(HOST, credential=MASTER_KEY) as client:

+ database = client.get_database_client(DATABASE_ID)

+ container = database.get_container_client(container_id)

+ await container.upsert_item(body=item)

+ async def get_items(container_id):

+ items = []

+ try:

+ async with CosmosClient(HOST, credential=MASTER_KEY) as client:

+ database = client.get_database_client(DATABASE_ID)

+ container = database.get_container_client(container_id)

+ async for item in container.read_all_items():

+ items.append(item)

+ except Exception as e:

+ print(f"An error occurred: {e}")

+ return items

+ ```

+1. In the new folder, run the following command to create a new .NET background service project:

+1. Add references to the `Microsoft.Extensions.Configuration.AzureAppConfiguration` NuGet package by running the following command:

+1. Run the following command to build the app.

+1. Wait a few moments for the refresh interval time window to pass. You will see the console outputs changed.

+1. Wait for a few moments to allow the event to be processed. You will see the updated configuration.

+1. In the new folder, run the following command to create a new .NET console app project:

+1. Run the following command to restore packages for your project:

+1. Open *Program.cs*, and add the following statements:

+1. Use App Configuration by calling the `AddAzureAppConfiguration` method in the `Program.cs` file.

+ > When no parameter is passed to the `UseFeatureFlags` method, it loads *all* feature flags with *no label* in your App Configuration store. The default refresh interval of feature flags is 30 seconds. You can customize this behavior via the `FeatureFlagOptions` parameter. For example, the following code snippet loads only feature flags that start with *TestApp:* in their *key name* and have the label *dev*. The code also changes the refresh interval time to 5 minutes. Note that this refresh interval time is separate from that for regular key-values.

+1. Refresh the browser a few times. When the refresh interval time window passes, the page will show with updated content.

+1. Add a new file, *Startup.cs*, with the following code. It defines a class named `Startup` that implements the `FunctionsStartup` abstract class. An assembly attribute is used to specify the type name used during Azure Functions startup.

+1. Update the `ConfigureAppConfiguration` method, and add Azure App Configuration provider as an extra configuration source by calling `AddAzureAppConfiguration()`.

+1. Update the `Configure` method to make Azure App Configuration services and feature manager available through dependency injection.

+1. Open *Function1.cs*, and add the following namespaces.

+1. Update the `Run` method to change the value of the displayed message depending on the state of the feature flag.

+1. Refresh the browser a few times. When the refresh interval time window passes, the page will change to indicate the feature flag `Beta` is turned on, as shown in the image below.

+ Title: Quickstart for adding feature flags to .NET background service

+description: A quickstart for adding feature flags to .NET background services and managing them in Azure App Configuration

+ms.devlang: csharp

+ .NET

+#Customer intent: As a .NET background service developer, I want to use feature flags to control feature availability quickly and confidently.

+# Quickstart: Add feature flags to a .NET background service

+In this quickstart, you incorporate the feature management capability from Azure App Configuration into a .NET background service. You use App Configuration to centrally store and manage your feature flags.

+## Prerequisites

+Feature management support extends the dynamic configuration feature in App Configuration. The example in this quickstart builds on the .NET background service app introduced in the dynamic configuration tutorial. Before you continue, finish the following tutorial to create a .NET background service app with dynamic configuration first.

+- [Tutorial: Use dynamic configuration in a .NET background service](./enable-dynamic-configuration-dotnet-background-service.md)

+## Add a feature flag

+Add a feature flag called *Beta* to the App Configuration store and leave **Label** and **Description** with their default values. For more information about how to add feature flags to a store using the Azure portal or the CLI, go to [Create a feature flag](./manage-feature-flags.md).

+> [!div class="mx-imgBorder"]

+> 

+## Use the feature flag

+1. Add references to the `Microsoft.FeatureManagement` NuGet package by running the following command:

+ ```dotnetcli

+ dotnet add package Microsoft.FeatureManagement

+ ```

+1. Run the following command to restore packages for your project:

+ ```dotnetcli

+ dotnet restore

+ ```

+1. Open *Program.cs* and add the following statement:

+ ```csharp

+ using Microsoft.FeatureManagement;

+ ```

+1. Add a call to the `UseFeatureFlags` method inside the `AddAzureAppConfiguration` call and register feature management services.

+ ```csharp

+ // Existing code in Program.cs

+ // ... ...

+ builder.Configuration.AddAzureAppConfiguration(options =>

+ {

+ options.Connect(Environment.GetEnvironmentVariable("ConnectionString"));

+ // Use feature flags

+ options.UseFeatureFlags();

+ // Register the refresher so that the Worker service can consume it through dependency injection

+ builder.Services.AddSingleton(options.GetRefresher());

+ });

+ // Register feature management services

+ builder.Services.AddFeatureManagement();

+ // The rest of existing code in Program.cs

+ // ... ...

+ ```

+ > [!TIP]

+ > When no parameter is passed to the `UseFeatureFlags` method, it loads *all* feature flags with *no label* in your App Configuration store. The default refresh interval of feature flags is 30 seconds. You can customize this behavior via the `FeatureFlagOptions` parameter. For example, the following code snippet loads only feature flags that start with *TestApp:* in their *key name* and have the label *dev*. The code also changes the refresh interval time to 5 minutes. Note that this refresh interval time is separate from that for regular key-values.

+ >

+ > ```csharp

+ > options.UseFeatureFlags(featureFlagOptions =>

+ > {

+ > featureFlagOptions.Select("TestApp:*", "dev");

+ > featureFlagOptions.CacheExpirationInterval = TimeSpan.FromMinutes(5);

+ > });

+ > ```

+1. Open *Worker.cs* and add the following statement:

+ ```csharp

+ using Microsoft.FeatureManagement;

+ ```

+1. Update the constructor of the `Worker` service to obtain instances of `IConfigurationRefresher` and `IFeatureManager` through dependency injection.

+ ```csharp

+ public class Worker : BackgroundService

+ {

+ private readonly ILogger<Worker> _logger;

+ private readonly IConfigurationRefresher _refresher;

+ private readonly IFeatureManager _featureManager;

+ public Worker(ILogger<Worker> logger, IConfigurationRefresher refresher, IFeatureManager featureManager)

+ {

+ _logger = logger ?? throw new ArgumentNullException(nameof(logger));

+ _refresher = refresher ?? throw new ArgumentNullException(nameof(refresher));

+ _featureManager = featureManager ?? throw new ArgumentNullException(nameof(featureManager));

+ }

+ // ... ...

+ }

+ ```

+1. Update the `ExecuteAsync` method to log a message depending on the state of the feature flag.

+ The `TryRefreshAsync` method is called at the beginning of every iteration of the task execution to refresh the feature flag. It will be a no-op if the refresh interval time window isn't reached. The `await` operator is not used so that the feature flags are refreshed without blocking the current iteration of the task execution. In that case, later iterations of the task execution will get updated value.

+ ```csharp

+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)

+ {

+ while (!stoppingToken.IsCancellationRequested)

+ {

+ // Intentionally not await TryRefreshAsync to avoid blocking the execution.

+ _refresher.TryRefreshAsync(stoppingToken);

+ if (_logger.IsEnabled(LogLevel.Information))

+ {

+ if (await _featureManager.IsEnabledAsync("Beta"))

+ {

+ _logger.LogInformation("[{time}]: Worker is running with Beta feature.", DateTimeOffset.Now);

+ }

+ else

+ {

+ _logger.LogInformation("[{time}]: Worker is running.", DateTimeOffset.Now);

+ }

+ }

+

+ await Task.Delay(TimeSpan.FromSeconds(30), stoppingToken);

+ }

+ }

+ ```

+## Build and run the app locally

+1. Run the following command to build the app:

+ ```dotnetcli

+ dotnet build

+ ```

+1. After the build successfully completes, run the following command to run the app locally:

+ ```dotnetcli

+ dotnet run

+ ```

+1. You should see the following outputs in the console.

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and select the App Configuration store that you created previously.

+1. Select **Feature manager** and locate the **Beta** feature flag. Enable the flag by selecting the checkbox under **Enabled**.

+1. Wait a few moments for the refresh interval time window to pass. You will see the updated log message.

+ 

+## Clean up resources

+## Next steps

+To enable feature management capability for other types of apps, continue to the following tutorials.

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET console apps](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in ASP.NET Core apps](./quickstart-feature-flag-aspnet-core.md)

+To learn more about managing feature flags in Azure App Configuration, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Manage feature flags in Azure App Configuration](./manage-feature-flags.md)

+In this quickstart, you incorporate Azure App Configuration into a .NET console app to create an end-to-end implementation of feature management. You can use App Configuration to centrally store all your feature flags and control their states.

+In this quickstart, you incorporate Azure App Configuration into a Spring Boot web app to create an end-to-end implementation of feature management. You can use App Configuration to centrally store all your feature flags and control their states.

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function should be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/HelloOrchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function should be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/helloOrchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function should be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/HelloOrchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function must be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/HelloOrchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function must be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/hello_orchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function should be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/HelloOrchestrator`

+1. Copy the URL of the HTTP trigger from the **Output** panel. The URL that calls your HTTP-triggered function should be in this format: `https://<functionappname>.azurewebsites.net/api/orchestrators/helloOrchestrator`

+Enables your function app to run from a package file, which can be locally mounted or deployed to an external URL.

+Valid values are either a URL that resolves to the location of an external deployment package file, or `1`. When set to `1`, the package must be in the `d:\home\data\SitePackages` folder. When you use zip deployment with `WEBSITE_RUN_FROM_PACKAGE` enabled, the package is automatically uploaded to this location. In preview, this setting was named `WEBSITE_RUN_FROM_ZIP`. For more information, see [Run your functions from a package file](run-functions-from-deployment-package.md).

+When you deploy from an external package URL, you must also manually sync triggers. For more information, see [Trigger syncing](functions-deployment-technologies.md#trigger-syncing).

+https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>

+https://<APP_NAME>.azurewebsites.net/api/products/electronics/357

+This configuration allows the function code to support two parameters in the address, _category_ and _ID_. For more information on how route parameters are tokenized in a URL, see [Routing in ASP.NET Core](/aspnet/core/fundamentals/routing#route-constraint-reference).

+|**connection**|**Connection**|The name of an app setting that has the mobile app's URL. The function uses this URL to construct the required REST operations against your mobile app. Create an app setting in your function app that contains the mobile app's URL, then specify the name of the app setting in the `connection` property in your input binding. The URL looks like `https://<appname>.azurewebsites.net`.

+|**connection**|**MobileAppUriSetting**|The name of an app setting that has the mobile app's URL. The function uses this URL to construct the required REST operations against your mobile app. Create an app setting in your function app that contains the mobile app's URL, then specify the name of the app setting in the `connection` property in your input binding. The URL looks like `https://<appname>.azurewebsites.net`.

+> [!IMPORTANT]

+> Class based model of SignalR Service bindings in C# isolated worker doesn't optimize how you write SignalR triggers due to the limitation of C# worker model. For more information about class based model, see [Class based model](../azure-signalr/signalr-concept-serverless-development-config.md#class-based-model).

+SignalR Service trigger binding for C# in-process model has two programming models. Class based model and traditional model. Class based model provides a consistent SignalR server-side programming experience. Traditional model provides more flexibility and is similar to other function bindings.

+The trigger input type is declared as either `InvocationContext` or a custom type. If you choose `InvocationContext`, you get full access to the request content. For a custom type, the runtime tries to parse the JSON request body to set the object properties.

+|Hub| The hub name that the message belongs to.|

+|ConnectionId| The connection ID of the client that sends the message.|

+|UserId| The user identity of the client that sends the message.|

+Then, the `arg1` contains the content of `message1`, and `arg2` contains the content of `message2`.

+`ParameterNames` and attribute `[SignalRParameter]` **cannot** be used at the same time, or you'll get an exception.

+When using SignalR Service trigger, the URL can be simple and formatted as follows:

+The `Function_App_URL` can be found on Function App's Overview page and the `API_KEY` is generated by Azure Function. You can get the `API_KEY` from `signalr_extension` in the **App keys** blade of Function App.

+| Send SignalR Service messages and manage groups |[Output binding](./functions-bindings-signalr-service-output.md) |

+The extension NuGet package you install depends on the C# mode you're using in your function app:

+## Install bundle

+## Add dependency

+Isolated worker process defines an input binding by using a `BlobInputAttribute` attribute, which takes the following parameters:

+Binding to `string`, or `Byte[]` is only recommended when the blob size is small. This is recommended because the entire blob contents are loaded into memory. For most blobs, use a `Stream` or `BlobClient` type. For more information, see [Concurrency and memory usage](./functions-bindings-storage-blob-trigger.md#memory-usage-and-concurrency).

+Binding to `string`, or `Byte[]` is only recommended when the blob size is small. This is recommended because the entire blob contents are loaded into memory. For most blobs, use a `Stream` or `BlobClient` type. For more information, see [Concurrency and memory usage](./functions-bindings-storage-blob-trigger.md#memory-usage-and-concurrency).

+Binding to `string`, or `Byte[]` is only recommended when the blob size is small. This is recommended because the entire blob contents are loaded into memory. For most blobs, use a `Stream` or `BlobClient` type. For more information, see [Concurrency and memory usage](./functions-bindings-storage-blob-trigger.md#memory-usage-and-concurrency).

+## Memory usage and concurrency

+When you bind to an [output type](#usage) that doesn't support steaming, such as `string`, or `Byte[]`, the runtime must load the entire blob into memory more than one time during processing. This can result in higher-than expected memory usage when processing blobs. When possible, use a stream-supporting type. Type support depends on the C# mode and extension version. For more information, see [Binding types](./functions-bindings-storage-blob.md#binding-types).

+At this time, the runtime must load the entire blob into memory more than one time during processing. This can result in higher-than expected memory usage when processing blobs.

+Memory usage can be further impacted when multiple function instances are concurrently processing blob data. If you are having memory issues using a Blob trigger, consider reducing the number of concurrent executions permitted. Of course, reducing the concurrency can have the side effect of increasing the backlog of blobs waiting to be processed. The memory limits of your function app depends on the plan. For more information, see [Service limits](functions-scale.md#service-limits).

+

+The way that you can control the number of concurrent executions depends on the version of the Storage extension you are using.

+### [Extension 5.x and higher](#tab/extensionv5)

+When using version 5.0.0 of the Storage extension or a later version, you control trigger concurrency by using the `maxDegreeOfParallelism` setting in the [blobs configuration in host.json](functions-bindings-storage-blob.md#hostjson-settings).

+### [Pre-extension 5.x](#tab/extensionv4)

+Because the blob trigger uses a queue internally, the maximum number of concurrent function invocations is controlled by the [queues configuration in host.json](functions-bindings-storage-queue.md#host-json).

+Limits apply separately to each function that uses a blob trigger.

+description: Use the continuous deployment features of Azure App Service when publishing to Azure Functions.

+You can use Azure Functions to deploy your code continuously by using [source control integration](functions-deployment-technologies.md#source-control). Source control integration enables a workflow in which a code update triggers build, packaging, and deployment from your project to Azure.

+Continuous deployment is a good option for projects where you integrate multiple and frequent contributions. When you use continuous deployment, you maintain a single source of truth for your code, which allows teams to easily collaborate.

+Steps in this article show you how to configure continuous code deployments to your function app in Azure by using the Deployment Center in the Azure portal. You can also configure continuous integration using the Azure CLI.

+Functions supports these sources for continuous deployment to your app:

+### [Azure Repos](#tab/azure-repos)

+Maintain your project code in [Azure Repos](https://azure.microsoft.com/services/devops/repos/), one of the services in Azure DevOps. Supports both Git and Team Foundation Version Control. Used with the [Azure Pipelines build provider](functions-continuous-deployment.md?tabs=azure-repos%2azure-pipelines#build-providers)). For more information, see [What is Azure Repos?](/azure/devops/repos/get-started/what-is-repos)

+### [GitHub](#tab/github)

+Maintain your project code in [GitHub](https://github.com). Supported by all [build providers](functions-continuous-deployment.md?tabs=github%2Cgithub-actions#build-providers). For more information, see [GitHub docs](https://docs.github.com/en/get-started).

+GitHub is the only continuous deployment source supported for apps running on Linux in a [Consumption plan](./consumption-plan.md), which includes serverless Python apps.

+### [Bitbucket](#tab/bitbucket)

+Maintain your project code in [Bitbucket](https://bitbucket.org/). Requires the [App Service build provider](functions-continuous-deployment.md?tabs=bitbucket%2Capp-service#build-providers).

+### [Local Git](#tab/local-git)

+Maintain your project code in a dedicated Git server hosted in the same App Service plan with your function app. Requires the [App Service build provider](functions-continuous-deployment.md?tabs=local-git%2Capp-service#build-providers). For more information, see [Local Git deployment to Azure App Service](../app-service/deploy-local-git.md).

+

+You can also connect your function app to an external Git repository, but this requires a manual synchronization. For more information about deployment options, see [Deployment technologies in Azure Functions](functions-deployment-technologies.md).

+>[!NOTE]

+>Continuous deployment options covered in this article are specific to code-only deployments. For containerized function app deployments, see [Enable continuous deployment of containers to Azure](functions-how-to-custom-container.md#enable-continuous-deployment-to-azure).

+## Requirements

+## Build providers

+Building your code project is part of the deployment process. The specific build process depends on your specific language stack, operating system, and hosting plan. Builds can be done locally or remotely, again depending on your specific hosting. For more information, see [Remote build](functions-deployment-technologies.md#remote-build).

+Functions supports these build providers:

+### [Azure Pipelines](#tab/azure-pipelines)

+Azure Pipelines is one of the services in Azure DevOps and the default build provider for Azure Repos projects. You can also use Pipelines to build projects from GitHub. In Pipelines, there's an `AzureFunctionApp` task designed specifically for deploying to Azure Functions. This task provides you with control over how the project gets built, packaged, and deployed.

+### [GitHub Actions](#tab/github-actions)

+GitHub Actions is the default build provider for GitHub projects. GitHub Actions provides you with control over how the project gets built, packaged, and deployed.

+### [App Service (Kudu) service](#tab/app-service)

+The App Service platform maintains a native deployment service ([Project Kudu](https://github.com/projectkudu/kudu/wiki)) to support local Git deployment, some container deployments, and other deployment sources not supported by either Pipelines or GitHub Actions. Remote builds, packaging, and other maintainence tasks are performed in a subdomain of `scm.azurewebsites.net` dedicated to your app, such as `https://myfunctionapp.scm.azurewebsites.net`. This build service can only be used when the `scm` site is accessible to your app. For more information, see [Secure the scm endpoint](security-concepts.md#secure-the-scm-endpoint).

+Your options for which of these build providers you can use depend on the specific code deployment source.

+## <a name="credentials"></a>Deployment center

+The [Azure portal](https://portal.azure.com) provides a **Deployment center** for your function apps, which makes it easier to configure continuous deployment. The way that you configure continuous deployment depends both on the specific source control in which your code resides and the [build provider](#build-providers) you choose.

+In the [Azure portal](https://portal.azure.com), browse to your function app page and select **Deployment Center** under **Deployment** in the left pane.

+Select the **Source** repository type where your project code is being maintained from one of these supported options:

+### [Azure Repos](#tab/azure-repos/azure-pipelines)

+Deployments from Azure Repos that use Azure Pipelines are defined in the [Azure DevOps portal](https://go.microsoft.com/fwlink/?linkid=2245703) and not from your function app. For a step-by-step guide for creating a Pipelines-based deployment from Azure Repos, see [Continuous delivery with Azure Pipelines](functions-how-to-azure-devops.md).

+### [GitHub](#tab/github/azure-pipelines)

+Deployments from GitHub that use Azure Pipelines are defined in the [Azure DevOps portal](https://go.microsoft.com/fwlink/?linkid=2245703) and not from your function app. For a step-by-step guide for creating a Pipelines-based deployment from GitHub, see [Continuous delivery with Azure Pipelines](functions-how-to-azure-devops.md).

+### [Bitbucket](#tab/bitbucket/azure-pipelines)

+You can't deploy from Bitbucket using Azure Pipelines. Instead choose the [App Service build provider](functions-continuous-deployment.md?tabs=bitbucket%2Capp-service#build-providers).

+### [Local Git](#tab/local-git/azure-pipelines)

+You can't deploy from local git using Azure Pipelines. Instead choose the [App Service build provider](functions-continuous-deployment.md?tabs=local-git%2Capp-service#build-providers).

+### [Azure Repos](#tab/azure-repos/github-actions)

+You can't deploy from Azure Repos using GitHub Actions. Choose a different [build provider](#build-providers).

+### [GitHub](#tab/github/github-actions)

+To learn more about GitHub Action deployments, including other ways to generate the workflow configuration file, see [Continuous delivery by using GitHub Actions](functions-how-to-github-actions.md).

+### [Bitbucket](#tab/bitbucket/github-actions)

+You can't deploy from Bitbucket using GitHub Actions. Instead choose the [App Service build provider](functions-continuous-deployment.md?tabs=bitbucket%2Capp-service#build-providers).

+### [Local Git](#tab/local-git/github-actions)

+You can't deploy from local git using GitHub Actions. Instead choose the [App Service build provider](functions-continuous-deployment.md?tabs=local-git%2Capp-service#build-providers).

+### [Azure Repos](#tab/azure-repos/app-service)

+1. Navigate to your function app in the [Azure portal](https://portal.azure.com) and select **Deployment Center**.

+1. For **Source** select **Azure Repos**. If **App Service build service** provider isn't the default, select **Change provider** choose **App Service build service** and select **OK**.

+1. Select values for **Organization**, **Project**, **Repository**, and **Branch**. Only organizations that belong to your Azure account are displayed.

+1. Select **Save** to create the webhook in your repository.

+### [GitHub](#tab/github/app-service)

+1. Navigate to your function app in the [Azure portal](https://portal.azure.com) and select **Deployment Center**.

+1. For **Source** select **GitHub**. If **App Service build service** provider isn't the default, select **Change provider** choose **App Service build service** and select **OK**.

+1. If you haven't already authorized GitHub access, select **Authorize**. Provide your GitHub credentials and select **Sign in**. If you need to authorize a different GitHub account, select **Change Account** and sign in with another account.

+1. Select values for **Organization**, **Repository**, and **Branch**. The values are based on the location of your code.

+1. Review all details and select **Save**. A webhook is placed in your chosen repository.

+When a new commit is pushed to the selected branch, the service pulls your code, builds your application, and deploys it to your function app.

+### [Bitbucket](#tab/bitbucket/app-service)

+1. Navigate to your function app in the [Azure portal](https://portal.azure.com) and select **Deployment Center**.

+1. For **Source** select **Bitbucket**.

+1. If you haven't already authorized Bitbucket access, select **Authorize** and then **Grant access**. If requested, provide your Bitbucket credentials and select **Sign in**. If you need to authorize a different Bitbucket account, select **Change Account** and sign in with another account.

+1. Select values for **Organization**, **Repository**, and **Branch**. The values are based on the location of your code.

+1. Review all details and select **Save**. A webhook is placed in your chosen repository.

+When a new commit is pushed to the selected branch, the service pulls your code, builds your application, and deploys it to your function app.

+### [Local Git](#tab/local-git/app-service)

+1. Navigate to your function app in the [Azure portal](https://portal.azure.com) and select **Deployment Center**.

+1. For **Source** select **Local Git** and select **Save**.

+1. A local repository is created in your existing App Service plan, which is accessed from the `scm` domain. Copy the **Git clone URI** and use it to create a clone of this new repository on your local computer.

+When a new commit is pushed to the local git repository, the service pulls your code, builds your application, and deploys it to your function app.

+After deployment completes, all code from the specified source is deployed to your app. At that point, changes in the deployment source trigger a deployment of those changes to your function app in Azure.

+## Considerations

+You should keep these considerations in mind when planning for a continuous deployment strategy:

+By default, your HTTP trigger function is configured to accept any HTTP method. You can also use the default URL, `https://<yourapp>.azurewebsites.net/api/<funcname>?code=<functionkey>`. In this section, you modify the function to respond only to GET requests with `/api/hello`.

+ `https://<APP_NAME>.azurewebsites.net/api/HttpExample?name=Functions`

+In this article, you create a function app running in a Linux container and deploy it to an Azure Container Apps environment from a container registry. By deploying to Container Apps, you're able to integrate your function apps into cloud-native microservices. For more information, see [Azure Container Apps hosting of Azure Functions](functions-container-apps-hosting.md).

+This article shows you how to create functions running in a Linux container and deploy the container to a Container Apps environment.

+1. If you haven't done so already, sign in to Azure.

+In the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command, the `--environment` parameter specifies the Container Apps environment and the `--image` parameter specifies the image to use for the function app. In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also, replace `<APP_NAME>` with a globally unique name appropriate to you, `<LOGIN_SERVER>` with your fully qualified Container Registry server, `<REGISTRY_NAME>` with your registry name for the account, and `<ADMIN_PASSWORD>` with the password to your admin account.

+In the [`az functionapp create`](/cli/azure/functionapp#az-functionapp-create) command, the `--environment` parameter specifies the Container Apps environment and the `--image` parameter specifies the image to use for the function app. In this example, replace `<STORAGE_NAME>` with the name you used in the previous section for the storage account. Also, replace `<APP_NAME>` with a globally unique name appropriate to you and `<DOCKER_ID>` with your Docker Hub account ID. If you're using a private registry, you also need to supply `--registry-username`, `--registry-password`, and `--registry-server`.

+At this point, your functions are running in a Container Apps environment, with the required application settings already added. When needed, you can add other settings in your functions app in the standard way for Functions. For more information, see [Use application settings](functions-how-to-use-azure-function-app-settings.md#settings).

+`https://myacafunctionapp.kindtree-796af82b.eastus.azurecontainerapps.io/api/httpexample?name=functions`

+`https://myacafunctionapp.kindtree-796af82b.eastus.azurecontainerapps.io/api/httpexample`

+| [In-portal editing](#portal-editing)² |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

+² In-portal editing is disabled when code is deployed to your function app from outside the portal. For more information, including language support details for in-portal editing, see [Language support details](supported-languages.md#language-support-details).

+When you change any of your triggers, the Functions infrastructure must be aware of the changes. Synchronization happens automatically for many deployment technologies. However, in some cases, you must manually sync your triggers.

+You must manually sync triggers when using these deploymention options:

+You can sync triggers in one of three ways:

+When you deploy using an external package URL, you need to manually restart your function app to fully sync your deployment when the package changes without changing the URL, which includes initial deployment.

+When your function app is secured by inbound network restrictions, the sync triggers endpoint can only be called from a client inside the virtual network.

+Azure Functions can automatically perform builds on the code it receives after zip deployments. These builds differ depending on whether your app is running on Windows or Linux.

+All function apps running on Windows have a small management app, the `scm` site provided by [Kudu](https://github.com/projectkudu/kudu). This site handles much of the deployment and build logic for Azure Functions.

+>__When to use it:__ External package URL is the only supported deployment method for Azure Functions running on Linux in the Consumption plan, if the user doesn't want a [remote build](#remote-build) to occur. Whenever you deploy the package file that a function app references, you must [manually sync triggers](#trigger-syncing), including the initial deployment. When you change the contents of the package file and not the URL itself, you must also restart your function app to sync triggers.

+You can enable continuous integration between your function app and a source code repository. With source control enabled, an update to code in the connected source repository triggers deployment of the latest code from the repository. For more information, see the [Continuous deployment for Azure Functions](functions-continuous-deployment.md).

+>__How to use it:__ The easiest way to set up publishing from source control is from the Deployment Center in the Functions area of the portal. For more information, see [Continuous deployment for Azure Functions](functions-continuous-deployment.md).

+>__When to use it:__ Using source control is the best practice for teams that collaborate on their function apps. Source control is a good deployment option that enables more sophisticated deployment pipelines. Source control is usually enabled on a staging slot, which can be swapped into production after validation of updates from the repository. For more information, see [Azure Functions deployment slots](functions-deployment-slots.md).

+| C#¹ | | | | | |

+| JavaScript (Node.js) |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

+| Python² | | | |Γ£ö |Γ£ö |Γ£ö |

+¹ In-portal editing is only supported for C# script files, which run in-process with the host. For more information, see the [Azure Functions C# script (.csx) developer reference](functions-reference-csharp.md).

+When you deploy your function app to Azure, you can deploy to a separate deployment slot instead of directly to production. Deploying to a deployment slot and then swapping into production after verification is the recommended way to configure [continuous deployment](./functions-continuous-deployment.md).

+The way that you deploy to a slot depends on the specific deployment tool you use. For example, when using Azure Functions Core Tools, you include the`--slot` option to indicate the name of a specific slot for the [`func azure functionapp publish`](./functions-core-tools-reference.md#func-azure-functionapp-publish) command.

+For more information on deployment slots, see the [Azure Functions Deployment Slots](functions-deployment-slots.md) documentation for details.

+>You're viewing the C# version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](create-first-function-vs-code-csharp.md).

+>You're viewing the Java version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](create-first-function-vs-code-java.md).

+>You're viewing the JavaScript version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](create-first-function-vs-code-node.md).

+>You're viewing the PowerShell version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](create-first-function-vs-code-powershell.md).

+>You're viewing the Python version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](create-first-function-vs-code-python.md).

+>You're viewing the TypeScript version of this article. Make sure to select your preferred Functions programming language at the start of the article.

+If you're new to Functions, you might want to first complete the [Visual Studio Code quickstart article](./create-first-function-vs-code-typescript.md).

+You also need these prerequisites to [run and debug your functions locally](#run-functions-locally). They aren't required to just create or publish projects to Azure Functions.

+The Functions extension lets you create the required function app project at the same time you create your first function. Use these steps to create an HTTP-triggered function in a new project. An [HTTP trigger](functions-bindings-http-webhook.md) is the simplest function trigger template to demonstrate.

+1. In the Activity bar, select the Azure icon. In the **Workspace (Local)** area, open the **+** list, and select **Create Function**.

+ :::image type="content" source="./media/functions-create-first-function-vs-code/create-new-project.png" alt-text="Screenshot of create a new project window.":::

+1. When prompted, select **Create new project**. Select the directory location for your project workspace, and then choose **Select**.

+ You can either create a new folder or choose an empty folder for the project workspace, but don't choose a project folder that's already part of a workspace.

+1. When prompted, **Select a language** for your project. If necessary, choose a specific language version.

+ :::image type="content" source="./media/functions-develop-vs-code/select-http-trigger.png" alt-text="Screenshot for selecting HTTP trigger.":::

+ > [!TIP]

+ > You can view additional templates by selecting the **Change template filter** option and setting the value to **Core** or **All**.

+1. For the function name, enter **HttpExample**, select Enter, and then select **Function** authorization.

+ This authorization level requires that you provide a [function key](functions-bindings-http-webhook-trigger.md#authorization-keys) when you call the function endpoint.

+ :::image type="content" source="./media/functions-develop-vs-code/create-function-auth.png" alt-text="Screenshot for creating function authorization.":::

+ :::image type="content" source="./media/functions-develop-vs-code/add-to-workplace.png" alt-text=" Screenshot for selectIng Add to workplace.":::

+1. In the **Do you trust the authors of the files in this folder?** window, select **Yes**.

+ :::image type="content" source="./media/functions-develop-vs-code/select-author-file.png" alt-text="Screenshot to confirm trust in authors of the files.":::

+Visual Studio Code creates a function in your chosen language and in the template for an HTTP-triggered function.

+The project template creates a project in your chosen language and installs the required dependencies. For any language, the new project has these files:

+* **local.settings.json**: Maintains settings used when you're locally running functions. These settings are used only when you're running functions locally. For more information, see [Local settings file](#local-settings).

+ > [!IMPORTANT]

+ > Because the **local.settings.json** file can contain secrets, make sure to exclude the file from your project source control.

+At this point, you're able to [run your HTTP trigger function locally](#run-functions-locally).

+You can add a new function to an existing project based on one of the predefined Functions trigger templates. To add a new function trigger, select F1 to open the command palette, and then find and run the command **Azure Functions: Create Function**. Follow the prompts to choose your trigger type and define the required attributes of the trigger. If your trigger requires an access key or connection string to connect to a service, get that item ready before you create the function trigger.

+This action adds a new C# class library (.cs) file to your project.

+This action adds a new Java (.java) file to your project.

+This action's results depend on the Node.js model version.

+Visual Studio Code creates a new folder in the project. The folder contains a new **function.json** file and the new JavaScript code file.

+This action creates a new folder in the project. The folder contains a new **function.json** file and the new PowerShell code file.

+This action's results depends on the Python model version.

+Visual Studio Code adds new function code either to the **function_app.py** file (default behavior) or to another Python file that you selected.

+Visual Studio Code creates a new folder in the project. The folder contains a new **function.json** file and the new Python code file.

+For example, the way that you define an output binding that writes data to a storage queue depends on your process model:

+1. If necessary, [add a reference to the package that supports your binding extension](#install-binding-extensions).

+1. Update the function method to add an attribute that defines the binding parameter, like `QueueOutput` for a queue output binding. You can use a `MultiResponse` object to return multiple messages or multiple output streams.

+1. If necessary, [add a reference to the package that supports your binding extension](#install-binding-extensions).

+1. Update the function method to add an attribute that defines the binding parameter, such as `Queue` for a Queue binding. You can use an `ICollector<T>` type to represent a collection of messages.

+For example, the way that you define the output binding that writes data to a storage queue depends on your Node.js model version:

+Using the Node.js v4 model, you must manually add a `return:` option in the function definition using the `storageQueue` function on the `output` object, which defines the storage queue to write the `return` output. The output is written when the function completes.

+Before you can publish your Functions project to Azure, you must have a function app and related resources in your Azure subscription to run your code. The function app provides an execution context for your functions. When you publish from Visual Studio Code to a function app in Azure, the project is packaged and deployed to the selected function app in your Azure subscription.

+When you create a function app in Azure, you can choose either a quick function app create path using defaults or an advanced path. This way, you have more control over creating the remote resources.

+1. In the command palette, enter **Azure Functions: Create function app in Azure...(Advanced)**.

+ | Prompt | Selection |

+ | | |

+ | Enter a globally unique name for the new function app. | Type a globally unique name that identifies your new function app and then select Enter. Valid characters for a function app name are `a-z`, `0-9`, and `-`. |

+ | Select a runtime stack. | Choose the language version that you're locally running. |

+ | Select an OS. | Choose either Linux or Windows. Python apps must run on Linux. |

+ | Select a resource group for new resources. | Choose **Create new resource group**, and enter a resource group name such as **myResourceGroup**. You can also select an existing resource group. |

+ | Select a location for new resources. | Select a location in a [region](https://azure.microsoft.com/regions/) near you or near other services that your functions access. |

+ | Select a hosting plan. | Choose **Consumption** for serverless [Consumption plan hosting](consumption-plan.md), where you're charged only when your functions run. |

+ | Select a storage account. | Choose **Create new storage account**, and at the prompt, enter a globally unique name for the new storage account used by your function app. Storage account names must be between 3 and 24 characters long and can contain only numbers and lowercase letters. You can also select an existing account. |

+ | Select an Application Insights resource for your app. | Choose **Create new Application Insights resource**, and at the prompt, enter a name for the instance used to store runtime data from your functions. |

+ A notification appears after your function app is created, and the deployment package is applied. To view the creation and deployment results, including the Azure resources that you created, select **View Output** in this notification.

+To call an HTTP-triggered function from a client, you need the function's URL, which is available after deployment to your function app. This URL includes any required function keys. You can use the extension to get these URLs for your deployed functions. If you just want to run the remote function in Azure, [use the Execute function now](#run-functions-in-azure) functionality of the extension.

+1. Select F1 to open the command palette, and then find and run the command **Azure Functions: Copy Function URL**.

+The function URL is copied to the clipboard, along with any required keys passed by the `code` query parameter. Use an HTTP tool to submit POST requests, or a browser to submit GET requests to the remote function.

+When the extension gets the URL of a function in Azure, the extension uses your Azure account to automatically retrieve the keys needed to start the function. [Learn more about function access keys](security-concepts.md#function-access-keys). Starting non-HTTP triggered functions requires using the admin key.

+We recommend setting up [continuous deployment](functions-continuous-deployment.md) so that your function app in Azure is updated when you update source files in the connected source location. You can also deploy your project files from Visual Studio Code. When you publish from Visual Studio Code, you can take advantage of the [Zip deploy technology](functions-deployment-technologies.md#zip-deploy).

+For HTTP trigger functions, the extension calls the HTTP endpoint. For other kinds of triggers, the extension calls administrator APIs to start the function. The message body of the request sent to the function depends on the trigger type. When a trigger requires test data, you're prompted to enter data in a specific JSON format.

+To execute a function in Azure from Visual Studio Code, follow these steps:

+1. In the command palette, enter **Azure Functions: Execute function now**, and select your Azure subscription.

+1. From the list, choose your function app in Azure. If you don't see your function app, make sure you're signed in to the correct subscription.

+1. From the list, choose the function that you want to run. In **Enter request body**, type the message body of the request, and press Enter to send this request message to your function.

+ The default text in **Enter request body** indicates the body's format. If your function app has no functions, a notification error is shown with this error.

+ When the function executes in Azure and returns a response, Visual Studio Code shows a notification.

+You can also run your function from the **Azure: Functions** area by opening the shortcut menu for the function that you want to run from your function app in your Azure subscription, and then selecting **Execute Function Now...**.

+When you run your functions in Azure from Visual Studio Code, the extension uses your Azure account to automatically retrieve the keys needed to start the function. [Learn more about function access keys](security-concepts.md#function-access-keys). Starting non-HTTP triggered functions requires using the admin key.

+The local runtime is the same runtime that hosts your function app in Azure. Local settings are read from the [local.settings.json file](#local-settings). To run your Functions project locally, you must meet [more requirements](#prerequisites).

+1. In the command palette, enter **Azure Functions: Execute function now** and choose **Local project**.

+When you're developing an application, it's often useful to see logging information in near-real time. You can view a stream of log files being generated by your functions. Turn on logs from the command pallet with the `Azure Functions: Start streaming logs` command. This output is an example of streaming logs for a request to an HTTP-triggered function:

+* If you plan to use GitHub instead of Azure Repos, you also need a GitHub repository. If you don't have a GitHub account, you can [create one for free](https://github.com).

+* An existing function app in Azure that has its source code in a supported repository. If you don't yet have an Azure Functions code project, you can create one by completing the following language-specific article:

+ ### [C\#](#tab/csharp)

+ ### [JavaScript](#tab/javascript)

+ ### [Python](#tab/python)

+ ### [PowerShell](#tab/powershell)

+

+ Remember to upload the local code project to your GitHub or Azure Repos respository after you publish it to your function app.

+1. In your project, navigate to the **Pipelines** page. Then select **New pipeline**.

+1. Select one of these options for **Where is your code?**:

+ + **GitHub**: You might be redirected to GitHub to sign in. If so, enter your GitHub credentials. When this is the first connection to GitHub, the wizard also walks you through the process of connecting DevOps to your GitHub accounts.

+ + **Azure Repos Git**: You are immediately able to choose a repository in your current DevOps project.

+1. Azure Pipelines analyzes your repository and in **Configure your pipeline** provides a list of potential templates. Choose the appropriate **function app** template for your language. If you don't see the correct template select **Show more**.

+1. Select **Save and run**, then select **Commit directly to the main branch**, and then choose **Save and run** again.

+To learn about potential issues with these pipeline tasks, see [Functions not found after deployment](recover-python-functions.md#functions-not-found-after-deployment).

+Please check the generated archive to ensure that the deployed file has the right format.

+To learn about potential issues with these pipeline tasks, see [Functions not found after deployment](recover-python-functions.md#functions-not-found-after-deployment).

+<!For when we support connecting to the container console -->

+The following articles show you how to programmatically create a function app with a Premium plan:

+There are two metrics that are of specific interest to function apps:

+The following table lists the metrics available for the Microsoft.Web/sites resource type. Most of these metrics apply to both function app and web apps, which both run on App Service.

+>[!NOTE]

+>These metrics aren't available when your function app runs on Linux in a [Consumption plan](./consumption-plan.md).

+>[!NOTE]

+>App Service metrics (Microsoft.Web/sites) aren't available when your function app runs on Linux in a [Consumption plan](./consumption-plan.md).

+## Functions not found after deployment

+There are several common build issues that can cause Python functions to not be found by the host after an apparently successful deployment:

+* The agent pool must be running on Ubuntu to guarantee that packages are restored correctly from the build step. Make sure your deployment template requires an Ubuntu environment for build and deployment.

+* When the function app isn't at the root of the source repo, make sure that the `pip install` step references the correct location in which to create the `.python-packages` folder. Keep in mind that this location is case sensitive, such as in this command example:

+ ```

+ pip install --target="./FunctionApp1/.python_packages/lib/site-packages" -r ./FunctionApp1/requirements.txt

+ ```

+* The template must generate a deployment package that can be loaded into `/home/site/wwwroot`. In Azure Pipelines, this is done by the `ArchiveFiles` task.

+| [Microsoft Entra ID (P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+## Tenant location

+1. Once the **About Power BI** dialog box opens, notice the **your data is stored in** followed by the Tenant location, which is, in this example, Ireland.

+[Azure Monitor Agent (AMA)](./agents-overview.md) replaces the Log Analytics agent (also known as Microsoft Monitor Agent (MMA) and OMS) for Windows and Linux machines, in Azure and non-Azure environments, including on-premises and third-party clouds. The agent introduces a simplified, flexible method of configuring data dollection using [Data Collection Rules (DCRs)](../essentials/data-collection-rule-overview.md). This article provides guidance on how to implement a successful migration from the Log Analytics agent to Azure Monitor Agent.

+If you're currently using the Log Analytics agent with Azure Monitor or [other supported features and services](#migrate-additional-services-and-features), start planning your migration to Azure Monitor Agent by using the information in this article. If you are using the Log Analytics Agent for SCOM, you need to [migrate to the SCOM Agent](../vm/scom-managed-instance-overview.md).

+Before you begin migrating from the Log Analytics agent to Azure Monitor Agent, review the checklist.

+> - **Verify that Azure Monitor Agent can address all of your needs.**<br>Azure Monitor Agent is General Availablity (GA) for data collection and is used for data collection by various Azure Monitor features and other Azure services. For details, see [Supported services and features](#migrate-additional-services-and-features).

+### Migration services and features

+ 1. Ensure there are no gaps, compare the data ingested by legacy agent data to Azure Monitor Agent. You can do the comparison on any table by using the [join operator](/azure/data-explorer/kusto/query/joinoperator?pivots=azuremonitor) to add the `Category` column from the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table, which indicates `Azure Monitor Agent` for data collected by the Azure Monitor Agent.

+ - Once Azure Monitor Agent is installed for all your requirements, [uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent. Continue using the legacy Log Analytics for features and solutions that Azure Monitor Agent doesn't support.

+Azure Monitor Agent is GA for data collection. Most services that used Log Analytics agent for data collection have migrated to Azure Monitor Agent.

+| [VM insights, Service Map, and Dependency agent](../vm/vminsights-overview.md) | Migrate to Azure Monitor Agent | GA | [Enable VM Insights](../vm/vminsights-enable-overview.md) |

+| [Change Tracking and Inventory](../../automation/change-tracking/overview-monitoring-agent.md) | Migrate to Azure Monitor Agent | GA | [Migration for Change Tracking and inventory](../../automation/change-tracking/guidance-migration-log-analytics-monitoring-agent.md) |

+| [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) | Migrate to new service called Connection Monitor with Azure Monitor Agent | GA | [Monitor network connectivity using connection monitor](../../network-watcher/azure-monitor-agent-with-connection-monitor.md) |

+| Azure Stack HCI Insights | Migrate to Azure Monitor Agent | GA| [Monitor Azure Stack HCI with Insights](/azure-stack/hci/manage/monitor-hci-single) |

+| [Azure Virtual Desktop (AVD) Insights](../../virtual-desktop/insights.md) | Migrate to Azure Monitor Agent |GA | [Azure Virtual Desktop Insights](../../virtual-desktop/insights.md#session-host-data-settings) |

+| [Container Monitoring Solution](../containers/containers.md) | Migrate to new service called Container Insights with Azure Monitor Agent | GA | [Enable Container Insights](../containers/container-insights-transition-solution.md) |

+| [DNS Collector](../../sentinel/connect-dns-ama.md) | Use new Sentinel Connector | GA | [Enable DNS Connector](../../sentinel/connect-dns-ama.md)|

+| [Microsoft Defender for Cloud, Servers, SQL, and Endpoint](../../security-center/security-center-introduction.md) | Migrate to Microsoft Defender for Cloud (No dependency on Log Analytics agents or Azure Monitor Agent) | GA | [Defender for Cloud plan for Log Analytics agent deprecation](../../defender-for-cloud/upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation)|

+| [Update Management](../../automation/update-management/overview.md) | Migrate to Azure Update Manager (No dependency on Log Analytics agents or Azure Monitor Agent) | GA | [Update Manager documentation](../../update-manager/update-manager-faq.md#la-agent-also-known-as-mma-is-retiring-and-will-be-replaced-with-ama-is-it-necessary-to-move-to-update-manager-or-can-i-continue-to-use-automation-update-management-with-ama) |

+| [Automation Hybrid Runbook Worker overview](../../automation/automation-hybrid-runbook-worker.md) | Automation Hybrid Worker Extension (no dependency on Log Analytics agents or Azure Monitor Agent) | GA | [Migrate to Extension based Hybrid Workers](../../automation/extension-based-hybrid-runbook-worker-install.md#migrate-an-existing-agent-based-to-extension-based-hybrid-workers) |

+- ***Microsoft Defender for cloud***: Some features for the new agentless solution are in development. Your migration maybe impacted if you use File Integraty Monitoring (FIM), Endpoint protection discovery recommendations, OS Misconfigurations (Azure Security Benchmark (ASB) recommendations) and Adaptive Application controls.

+To mitigate this, you can either add the column to the previous project clause or use the [columnifexists](/azure/data-explorer/kusto/query/column-ifexists-function) operator.

+- If you can see some metrics for the resource but can't find a specific metric, [check if that metric is available](/azure/azure-monitor/reference/supported-metrics/metrics-index). If so, see the metric description to check if it's only available in specific versions or editions of the resource.

+Review the metric description in [Supported metrics with Azure Monitor](/azure/azure-monitor/reference/supported-metrics/metrics-index) to check if it's only available in specific versions or editions of the resource or this specific type.

+ Check the [alert processing rule documentation](./alerts-processing-rules.md), or the [alert processing rule PowerShell Set-AzAlertProcessingRule](/powershell/module/az.alertsmanagement/set-azalertprocessingrule) command.

+#### Cluster level alerts

+#### Node level alerts

+#### Pod level alerts

+You can view your Prometheus rule groups and their included rules in the Azure portal in one of the following ways:

+* In the [portal home page](https://portal.azure.com/), in the search box, look for **Prometheus Rule Groups**.

+* In the [portal home page](https://portal.azure.com/), select **Monitor** > **Alerts**, then select **Prometheus Rule Groups**.

+ :::image type="content" source="media/prometheus-metrics-rule-groups/prometheus-rule-groups-from-alerts.png" alt-text="Screenshot that shows how to view Prometheus rule groups from the alerts screen.":::

+* In the page of a specific Azure Kubernetes Services resource (AKS), or a specific Azure Monitor Workspace (AMW), select **Monitor** > **Alerts**, then select **Prometheus Rule Groups**, to view a list of rule groups for this specific resource.

+You can select a rule group from the list to view or edit its details.

+## View the resource health states of your Prometheus rule groups

+You can now view the [resource health state](../../service-health/resource-health-overview.md) of your Prometheus rule group in the portal. This can allow you to detect problems in your rule groups, such as incorrect configuration, or query throttling problems

+1. In the [portal](https://portal.azure.com/), go to the overview of your Prometheus rule group you would like to monitors

+1. From the left pane, under **Help**, select **Resource health**.

+ :::image type="content" source="media/prometheus-metrics-rule-groups/prometheus-rule-groups-resource-health.png" alt-text="Screenshot that shows how to view resource health state of a Prometheus rule group.":::

+1. In the rule group resource health screen, you can see the current availability state of the rule group, as well as a history of recent resource health events, up to 30 days back.

+ :::image type="content" source="media/prometheus-metrics-rule-groups/prometheus-rule-groups-resource-health-history.png" alt-text="Screenshot that shows how to view the resource health history of a Prometheus rule group.":::

+* If the rule group is marked as **Available**, it is working as expected.

+* If the rule group is marked as **Degraded**, one or more rules in the group are not working as expected. This can be due to the rule query being throttled, or to other issues that may cause the rule evaluation to fail. Expand the status entry for more information on the detected problem, as well as suggestions for mitigation or for further troubleshooting.

+* If the rule group is marked as **Unavailable**, the entire rule group is not working as expected. This can be due the configuration issue (for example, the Azure Monitor Workspace can't be detected) or due to internal service issues. Expand the status entry for more information on the detected problem, as well as suggestions for mitigation or for further troubleshooting.

+* If the rule group is marked as **Unknown**, the entire rule group is disabled or is in an unknown state.

+

+## Disable and enable rule groups

+To enable or disable a rule, select the rule group in the Azure portal. Select either **Enable** or **Disable** to change its status.

+ "actions": [],

+ "Microsoft.KeyVault/vaults/keys/read",

+Using Azure NetApp Files standard storage with cool access, you can configure inactive data to move from Azure NetApp Files Standard service-level storage (the *hot tier*) to an Azure storage account (the *cool tier*). Enabling cool access moves inactive data blocks from the volume and the volume's snapshots to the cool tier, resulting in cost savings.

+Failover is a manual process. When you need to activate the destination volume (for example, when you want to failover to the destination region), you need to break replication peering and then mount the destination volume. .

+1. To break replication peering, select the destination volume. Select **Replication** under Storage Service.

+- To upgrade a free trial, see [Upgrade your Free Trial or Microsoft Imagine Azure subscription to pay-as-you-go](../../cost-management-billing/manage/upgrade-azure-subscription.md).

+- To change a pay-as-you-go account, see [Change your Azure pay-as-you-go subscription to a different offer](../../cost-management-billing/manage/switch-azure-offer.md).

+### Move resources manually through redeployment

+To move resources that aren't supported by Azure Resource Mover or to move any service manually, see [Azure services relocation guidance overview](/azure/operational-excellence/overview-relocation).

+### Move resources from non availability zone to availability zone support

+To move resources from a region that doesn't support availability zones to one that does, see [Availability zone migration guidance overview for Microsoft Azure products and services](/azure/reliability/availability-zones-migration-overview).

+- To learn more deeply about service relocation and planning recommendations, see [Relocated cloud workloads](/azure/cloud-adoption-framework/relocate/).

+ "connectionToken":"05265228-1e2c-46c5-82a1-6a5bcc3f0143",

+ "negotiateVersion":1,

+ * The `negotiateVersion` value is the negotiation protocol version that you use between the server and the client, see [Transport Protocols](https://github.com/dotnet/aspnetcore/blob/main/src/SignalR/docs/specs/TransportProtocols.md).

+ * `negotiateVersion: 0` only returns `connectionId`, and client should use the value of `connectionId` as `id` in connect requests.

+ * `negotiateVersion: 1` returns `connectionId` and `connectionToken`, and client should use the value of `connectionToken` as `id` in connect requests.

+### Negotiation function

+With [class-based model](#class-based-model) in C#, you don't need the `SignalRConnectionInfo` input binding and can add custom claims much more easily. For more information, see [Negotiation experience in class-based model](#negotiation-experience-in-class-based-model).

+For more information about the `negotiate` function, see [Azure Functions development](#negotiation-function).

+You also need to configure your function endpoint as an upstream endpoint so that service triggers the function when there's message from a client. For more information about how to configure upstream endpoints, see [Upstream endpoints](concept-upstream.md).

+The class-based model is dedicated for C#.

+# [Isolated worker model](#tab/isolated-process)

+The class-based model provides better programming experience, which can replace SignalR input and output bindings, with the following features:

+- More flexible negotiation, sending messages and managing groups experience.

+- More managing functionalities are supported, including closing connections, checking whether a connection, user, or group exists.

+- Strongly Typed hub

+- Unified connection string setting in one place.

+The following code demonstrates how to write SignalR bindings in class-based model:

+In the *Functions.cs* file, define your hub, which extends a base class `ServerlessHub`:

+```cs

+[SignalRConnection("AzureSignalRConnectionString")]

+public class Functions : ServerlessHub

+{

+ private const string HubName = nameof(Functions);

+ public Functions(IServiceProvider serviceProvider) : base(serviceProvider)

+ {

+ }

+ [Function("negotiate")]

+ public async Task<HttpResponseData> Negotiate([HttpTrigger(AuthorizationLevel.Anonymous, "post")] HttpRequestData req)

+ {

+ var negotiateResponse = await NegotiateAsync(new() { UserId = req.Headers.GetValues("userId").FirstOrDefault() });

+ var response = req.CreateResponse();

+ response.WriteBytes(negotiateResponse.ToArray());

+ return response;

+ }

+ [Function("Broadcast")]

+ public Task Broadcast(

+ [SignalRTrigger(HubName, "messages", "broadcast", "message")] SignalRInvocationContext invocationContext, string message)

+ {

+ return Clients.All.SendAsync("newMessage", new NewMessage(invocationContext, message));

+ }

+ [Function("JoinGroup")]

+ public Task JoinGroup([SignalRTrigger(HubName, "messages", "JoinGroup", "connectionId", "groupName")] SignalRInvocationContext invocationContext, string connectionId, string groupName)

+ {

+ return Groups.AddToGroupAsync(connectionId, groupName);

+ }

+}

+```

+In the *Program.cs* file, register your serverless hub:

+```cs

+var host = new HostBuilder()

+ .ConfigureFunctionsWorkerDefaults(b => b.Services

+ .AddServerlessHub<Functions>())

+ .Build();

+```

+### Negotiation experience in class-based model

+Instead of using SignalR input binding `[SignalRConnectionInfoInput]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method `NegotiateAsync`, which allows user to customize negotiation options such as `userId`, `claims`, etc.

+```cs

+Task<BinaryData> NegotiateAsync(NegotiationOptions? options = null)

+```

+### Sending messages and managing experience in class-based model

+You could send messages, manage groups, or manage clients by accessing the members provided by base class `ServerlessHub`.

+- `ServerlessHub.Clients` for sending messages to clients.

+- `ServerlessHub.Groups` for managing connections with groups, such as adding connections to groups, removing connections from groups.

+- `ServerlessHub.UserGroups` for managing users with groups, such as adding users to groups, removing users from groups.

+- `ServerlessHub.ClientManager` for checking connections existence, closing connections, etc.

+### Strongly Typed Hub

+[Strongly typed hub](/aspnet/core/signalr/hubs?#strongly-typed-hubs) allows you to use strongly typed methods when you send messages to clients. To use strongly typed hub in class based model, extract client methods into an interface `T`, and make your hub class derived from `ServerlessHub<T>`.

+The following code is an interface sample for client methods.

+```cs

+public interface IChatClient

+{

+ Task newMessage(NewMessage message);

+}

+```

+Then you can use the strongly typed methods as follows:

+```cs

+[SignalRConnection("AzureSignalRConnectionString")]

+public class Functions : ServerlessHub<IChatClient>

+{

+ private const string HubName = nameof(Functions);

+ public Functions(IServiceProvider serviceProvider) : base(serviceProvider)

+ {

+ }

+ [Function("Broadcast")]

+ public Task Broadcast(

+ [SignalRTrigger(HubName, "messages", "broadcast", "message")] SignalRInvocationContext invocationContext, string message)

+ {

+ return Clients.All.newMessage(new NewMessage(invocationContext, message));

+ }

+}

+```

+> [!NOTE]

+> You can get a complete project sample from [GitHub](https://github.com/aspnet/AzureSignalR-samples/tree/main/samples/DotnetIsolated-ClassBased/).

+### Unified connection string setting in one place

+You might have noticed the `SignalRConnection` attribute used on serverless hub classes. It looks like this:

+```cs

+[SignalRConnection("AzureSignalRConnectionString")]

+public class Functions : ServerlessHub<IChatClient>

+```

+It allows you to customize where the SignalR Service bindings look for connection string. If it's absent, the default value `AzureSignalRConnectionString` is used.

+> [!IMPORTANT]

+> `SignalRConnection` attribute doesn't change the connection string setting of SignalR triggers, even though you use SignalR triggers inside the serverless hub. You should specify the connection string setting for each SignalR trigger if you want to customize it.

+# [In-process model](#tab/in-process)

+The class-based model provides a consistent SignalR server-side programming experience, with the following features:

+- Less configuration work: The class name is used as `HubName`, the method name is used as `Event`, and the `Category` is decided automatically according to method name.

+- Convenient output and negotiation experience.

+### Negotiation experience in class-based model

+Instead of using SignalR input binding `[SignalR]`, negotiation in class-based model can be more flexible. Base class `ServerlessHub` has a method.

+SignalR client SDKs already contain the logic required to perform the negotiation handshake. Pass the negotiation endpoint's URL, minus the `negotiate` segment, to the SDK's `HubConnectionBuilder`. Here's an example in JavaScript:

+However, there are a couple of special considerations for apps that use the SignalR Service bindings. If the client runs in a browser, CORS must be enabled. And if the app requires authentication, you can integrate the negotiation endpoint with App Service Authentication.

+The JavaScript/TypeScript client makes HTTP request to the negotiation function to initiate the connection negotiation. When the client application is hosted on a different domain than the Azure Function app, cross-origin resource sharing (CORS) must be enabled on the function app, or the browser will block the requests.

+CORS with Access-Control-Allow-Credentials must be enabled for the SignalR client to call the negotiation function. To enable it, select the checkbox.

+Azure Functions has built-in authentication, supporting popular providers such as Facebook, Twitter, Microsoft Account, Google, and Microsoft Entra ID. This feature can be integrated with the `SignalRConnectionInfo` binding to create connections to Azure SignalR Service that is authenticated to a user ID. Your application can send messages using the `SignalR` output binding that are targeted to that user ID.

+Once configured, authenticated HTTP requests include `x-ms-client-principal-name` and `x-ms-client-principal-id` headers containing the authenticated identity's username and user ID, respectively.

+You can use these headers in your `SignalRConnectionInfo` binding configuration to create authenticated connections. Here's an example C# negotiation function that uses the `x-ms-client-principal-id` header.

+In this article, you learn how to develop and configure serverless SignalR Service applications using Azure Functions. Try creating an application yourself using one of the quick starts or tutorials on the [SignalR Service overview page](index.yml).

+|Germany|

+|Japan|

+|Germany|

+|Japan|

+|Germany|

+|Japan|

+Pricing for all countries/regions is subject to change as pricing is market-based and depends on third-party suppliers of telephony services. Additionally, pricing may include requisite taxes and fees. All prices shown below are in USD.

+In this quick start, you learn how to provision the Azure Managed Domain to Email Communication Service in Azure Communication Services.

+- An Azure Communication Services Email Resource created and ready to add the domains. See [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+## Azure Managed Domains compared to Custom Domains

+Before provisioning an Azure Managed Domain, review the following table to decide which domain type best meets your needs.

+|**Cons:** | - Sender domain is not personalized and cannot be changed<br/>- Sender usernames can't be personalized<br/>- Very limited sending volume<br />- User Engagement Tracking can't be enabled <br /> | - Requires verification of domain records <br /> - Longer setup for verification |

+1. Open the Overview page of the Email Communications Service resource that you created in [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+2. Create an Azure Managed Domain using one of the following options.

+ - (Option 1) Click the **1-click add** button under **Add a free Azure subdomain**. Continue to **step 3**.

+

+4. Once the domain is created, you see a list view with the new domain.

+5. Click the name of the provisioned domain to open the overview page for the domain resource type.

+Azure Communication Services automatically configures the required email authentication protocols for the email as described in [Email Authentication best practices](../../concepts/email/email-authentication-best-practice.md).

+* [Quickstart: How to connect a verified email domain](../../quickstarts/email/connect-email-communication-resource.md)

+## Related articles

+* Familiarize yourself with the [Email client library](../../concepts/email/sdk-features.md)

+* Learn how to send emails with custom verified domains in [Quickstart: How to add custom verified email domains](../../quickstarts/email/add-custom-verified-domains.md)

+ Title: How to add custom verified email domains

+description: Learn about adding custom email domains in Azure Communication Services.

+# Quickstart: How to add custom verified email domains

+In this quick start, you learn how to provision a custom verified email domain in Azure Communication Services.

+- An Azure account with an active subscription. See [Create an account for free](https://azure.microsoft.com/free/dotnet/).

+- An Azure Communication Services Email Resource created and ready to add the domains. See [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+## Azure Managed Domains compared to Custom Domains

+Before provisioning a custom email domain, review the following table to decide which domain type best meets your needs.

+|**Cons:** | - Sender domain isn't personalized and can't be changed<br/>- Sender usernames can't be personalized<br/>- Limited sending volume<br />- User Engagement Tracking can't be enabled<br /> | - Requires verification of domain records<br /> - Longer setup for verification |

+## Provision a custom domain

+* Verify the custom domain ownership by adding a TXT record in your Domain Name System (DNS).

+* Configure the sender authentication by adding Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records.

+In this section, you verify the custom domain ownership by adding a TXT record in your DNS.

+1. Open the Overview page of the Email Communication Service resource that you created in [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+2. Create a custom domain using one of the following options.

+ - (Option 1) Click the **Setup** button under **Setup a custom domain**. Continue to **step 3**.

+3. Click **Add a custom Domain**.

+4. Enter your domain name in the text box.

+5. Re-enter your domain name in the next text box.

+6. Click **Confirm**.

+7. Make sure the domain name you entered is correct and both text boxes are the same. If needed, click **Edit** to correct the domain name before confirming.

+8. Click **Add**.

+9. Azure Communication Services creates a custom domain configuration for your domain.

+10. To verify domain ownership, click **Verify Domain**.

+11. To resume the verification later, click **Close** and resume. Then to continue verification from Provision Domains, click **Configure**.

+12. When you select either **Verify Domain** or **Configure**, it opens the **Verify Domain via TXT record** dialog box.

+ :::image type="content" source="./media/email-domains-custom-verify.png" alt-text="Screenshot that shows the Configure link that you need to click to verify domain ownership." lightbox="media/email-domains-custom-verify-expanded.png":::

+13. Add the preceding TXT record to your domain's registrar or DNS hosting provider. Refer to the [TXT records](#txt-records) section for information about adding a TXT record for your DNS provider.

+

+ Once you complete this step, click **Next**.

+

+14. Verify that the TXT record was successfully created in your DNS, then click **Done**.

+15. DNS changes require 15 to 30 minutes to take effect. Click **Close**.

+16. Once you verify your domain, you can add your SPF and DKIM records to authenticate your domains.

+To configure sender authentication for your domains, you need to add more Domain Name Service (DNS) records. This section describes how Azure Communication Services offer records for you to add to your DNS. However, depending on whether the domain you're registering is a root domain or a subdomain, you need to add the records to the respective zone or make changes to the automatically generated records.

+This section shows how to add SPF and DKIM records for the custom domain **sales.us.notification.azurecommtest.net**. The following examples describe four different methods for adding these records to the DNS, depending on the level of the zone where you're adding the records.

+The records generated by the portal assume that you are adding these records to the DNS in this zone **sales.us.notification.azurecommtest.net**.

+### Add SPF and DKIM Records

+In this section, you configure the sender authentication by adding Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records.

+1. Open **Provision Domains** and confirm that **Domain Status** is in the `Verified` state.

+2. To add SPF and DKIM information, click **Configure**.

+3. Add the following TXT record and CNAME records to your domain's registrar or DNS hosting provider. Refer to the [adding DNS records in popular domain registrars table](#cname-records) for information about adding a TXT and CNAME record for your DNS provider.

+

+4. When you're done adding TXT and CNAME information, click **Next** to continue.

+4. Verify that TXT and CNAME records were successfully created in your DNS. Then click **Done**.

+5. DNS changes take effect in 15 to 30 minutes. Click **Close** and wait for verification to complete.

+6. Check the verification status at the **Provision Domains** page.

+7. Once you verify sender authentication configurations, your email domain is ready to send emails using the custom domain.

+## Change MailFrom and FROM display names for custom domains

+You can optionally configure your `MailFrom` address to be something other than the default `DoNotReply` and add more than one sender username to your domain. For more information about how to configure your sender address, see [Quickstart: How to add multiple sender addresses](add-multiple-senders.md).

+## Add DNS records in popular domain registrars

+The following links provide instructions about how to add a TXT record using popular domain registrars.

+The following links provide more information about how to add a CNAME record using popular domain registrars. Make sure to use your values from the configuration window rather than the examples in the documentation link.

+* [How to send an email using Azure Communication Services](../../quickstarts/email/send-email.md)

+## Related articles

+* Familiarize yourself with the [Email client library](../../concepts/email/sdk-features.md)

+ Title: How to add and remove multiple email sender addresses.

+description: Learn about how to add multiple email sender addresses in Email Communication Service.

+# Quickstart: How to add and remove Multiple Sender Addresses to Email Communication Service

+In this quick start, you learn about how to add and remove multiple email sender addresses in Azure Communication Services.

+- An Azure Communication Services Email Resource created and ready to add the domains. See [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+- A custom domain with higher than default sending limits provisioned and ready. See [Quickstart: How to add custom verified email domains](../../quickstarts/email/add-custom-verified-domains.md).

+## Create multiple sender usernames

+An email domain that is provisioned to send email has a default MailFrom address, formatted as `donotreply@xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.azurecomm.net`. If you configure a custom domain such as `notification.azuremails.net`, then the default MailFrom address has `donotreply@notification.azurecommtest.net` added. You can configure and add more MailFrom addresses and FROM display names to use values that are easier to read.

+> Sender usernames cannot be enabled for Azure Managed Domains or custom domains with default sending limits. For more information, see [Service limits for Azure Communication Services](../../concepts/service-limits.md#rate-limits).

+1. Open the Overview page of the Email Communication Service resource that you created in [Get started with Creating Email Communication Resource](../../quickstarts/email/create-email-communication-resource.md).

+2. Click **Provision Domains** on the left navigation panel to see list of provisioned domains.

+3. Click on the one of the provisioned domains to open the Domain Overview page.

+4. Click the **MailFrom Addresses** link in left navigation to see the default `donotreply` in MailFrom addresses list.

+5. Click **Add**.

+

+7. Click **Save** to see the updated list with newly added MailFrom address in the overview page.

+1. Open the Domains overview page.

+2. Click on **MailFrom addresses** link in left navigation to see the MailFrom addresses list.

+ :::image type="content" source="../../quickstarts/email/media/email-mailfrom-overview-updated.png" alt-text="Screenshot that shows MailFrom addresses." lightbox="../../quickstarts/email/media/email-mailfrom-overview-updated-expanded.png":::

+3. Select the MailFrom address that needs to be removed and click **Delete**.

+ :::image type="content" source="../../quickstarts/email/media/email-domains-mailfrom-delete.png" alt-text="Screenshot that shows MailFrom addresses list with deletion.":::

+4. Review the updated list of MailFrom addresses in the overview page.

+* [Quickstart: Create and manage Email Communication Service resources](../../quickstarts/email/create-email-communication-resource.md)

+* [Quickstart: How to connect a verified email domain](../../quickstarts/email/connect-email-communication-resource.md)

+## Related articles

+* Familiarize yourself with the [Email client library](../../concepts/email/sdk-features.md)

+* Learn how to send emails with custom verified domains in [Quickstart: How to add custom verified email domains](../../quickstarts/email/add-custom-verified-domains.md)

+ Title: How to connect a verified email domain

+description: Learn about how to connect verified email domains in Azure Communication Services.

+# Quickstart: How to connect a verified email domain

+In this quick start, you learn how to connect a verified domain in Azure Communication Services to send email.

+* [What is Email Communication Resource for Azure Communication Services](../../concepts/email/prepare-email-communication-resource.md)

+## Related articles

+ Title: Quickstart - Create and manage Email Communication Service resource in Azure Communication Services

+description: In this quickstart, you'll learn how to create and manage your first Azure Email Communication Service resource.

+# Quickstart: Create and manage Email Communication Service resources

+Get started with Email by provisioning your first Email Communication Service resource. Provision Email Communication Service resources through the [Azure portal](https://portal.azure.com/) or with the .NET management client library. The management client library and the Azure portal enable you to create, configure, update, and delete your resources and interface with [Azure Resource Manager](../../../azure-resource-manager/management/overview.md), Azure's deployment and management service. All functions available in the client libraries are available in the Azure portal.

+1. Open the [Azure portal](https://portal.azure.com/) to create a new resource.

+2. Search for **Email Communication Services**.

+3. Select **Email Communication Services** and press **Create**

+4. Complete the required information on the basics tab:

+5. Wait for the validation to pass, then click **Create**.

+6. Wait for the Deployment to complete, then click **Go to Resource**. This opens the Email Communication Service Overview.

+* [Quickstart: How to connect a verified email domain](../../quickstarts/email/connect-email-communication-resource.md)

+## Related articles

+- Learn how to send emails with custom verified domains in [Quickstart: How to add custom verified email domains](../../quickstarts/email/add-custom-verified-domains.md)

+- Learn how to send emails with Azure Managed Domains in [Quickstart: How to add Azure Managed Domains to email](../../quickstarts/email/add-azure-managed-domains.md)

+ Title: How to enable user engagement tracking for an email domain with Azure Communication Services resource.

+description: Learn about how to enable user engagement tracking for an email domain with Azure Communication Services resource.

+# Quickstart: How to enable user engagement tracking for an email domain

+To gain insights into your customer email engagements, enable user engagement tracking. Only emails sent from Azure Communication Services verified email domains that are enabled for user engagement analysis can receive engagement tracking metrics.

+In this quick start, you learn how to enable user engagement tracking for a verified email domain in Azure Communication Services.

+1. Go the overview page of the Email Communications Service resource that you created in [Quickstart: Create and manage an Email Communication Service resource](./create-email-communication-resource.md).

+2. In the left navigation panel, click **Provision Domains** to open a list of provisioned domains.

+3. Click on the name of the custom domain that you would like to update.

+ When you click the custom domain name, it opens the Domain Overview page. The first time you open this page, User interaction tracking is **Off** by default.

+4. Click **Turn On** to enable engagement tracking.

+5. A confirmation dialog box opens. Click **Turn On** to confirm that you want to enable engagement tracking.

+**Your email domain is now ready to send emails with user engagement tracking. Note that user engagement tracking applies to HTML content and does not function if you submit the payload in plaintext.**

+You can now subscribe to Email User Engagement operational logs, which provide information about **open** and **click** user engagement metrics for messages sent from the email service.

+> User Engagement Tracking cannot be enabled for Azure Managed Domains or custom domains with default sending limits. For more information, see [Service limits for Azure Communication Services](../../concepts/service-limits.md#rate-limits).

+> If you plan to enable open/click tracking for your email links, ensure that you are correctly formatting the email content in HTML. Specifically, make sure that your tracking content is properly encapsulated within the payload, as follows:

+ <a href="https://www.contoso.com">Contoso Inc.</a>

+## Related articles

+- [Quickstart: How to connect Email Communication Service with an Azure Communication Services resource](../../quickstarts/email/connect-email-communication-resource.md)

+description: Learn how to look up operator information for any phone number using Azure Communication Services.

+- Changes to environment variables may not take effect in programs that are already running. If you notice your environment variables aren't working as expected, try closing and reopening any programs you're using to run and edit code.

+- The data returned by this endpoint is subject to various international laws and regulations, therefore the accuracy of the results depends on several factors. These factors include whether the number was ported, the country code, and the approval status of the caller. Based on these factors, operator information may not be available for some phone numbers or may reflect the original operator of the phone number, not the current operator.

+> * Look up number formatting

+ Title: 'Tutorial: Connect to an Azure Cache for Redis service in Azure Container Apps (preview)'

+# Tutorial: Connect to an Azure Cache for Redis service in Azure Container Apps (preview)

+This tutorial shows you how to connect both dev and production grade Azure Cache for Redis service to your container app.

+A best practice for many scenarios is to create and configure a Microsoft Entra service principal with *pull* permissions to your registry. Take note of the *service principal ID* and *service principal password*. You use these credentials to access the registry when you deploy the container.

+* *Pull*: Deploy containers from a registry to orchestration systems including Kubernetes, DC/OS, and Docker Swarm. You can also pull from container registries to related Azure services such as [App Service](../app-service/index.yml), [Batch](../batch/index.yml), [Service Fabric](../service-fabric/index.yml), and others.

+If you are not an Azure customer, you may use the 30-day Free Trial without an Azure subscription. No commitment follows the end of your trial period.

+> [!div class="nextstepaction"]

+> [30-day Free Trial without an Azure subscription](https://azure.microsoft.com/try/cosmosdb/)

+Alternatively, you may use the Azure Cosmos DB lifetime free tier with the first 1000 [RU/s](request-units.md) of throughput and 25 GB of storage free.

+> [!div class="nextstepaction"]

+> [Azure Cosmos DB lifetime free tier](free-tier.md)

+Azure Cosmos DB for MongoDB vCore empowers generative AI applications with an integrated **vector database**. This enables efficient indexing and querying of data by characteristics for advanced use cases such as generative AI, without the complexity of external integrations. Unlike MongoDB Atlas and similar platforms, Azure Cosmos DB for MongoDB vCore keeps all original data and vector data within the database, ensuring simplicity and security. Even our free tier offers this capability, making sophisticated AI features accessible without additional cost.

+- Simple operators: `=` `+` `-` `*` `/` `%` `|` `^` `&` `==` `!=` `===` `!==` `<` `>` `<=` `>=` `||` `&&` `<<` `>>` `>>>` `~`

+- Literals, including the object literal: `{}`

+- Control flow: `if` `for` `while`

+The following table presents various SQL queries and the corresponding JavaScript queries. As with SQL queries, properties (for example, `item.id`) are case-sensitive.

+| [`ContainerProxy`](/python/api/azure-cosmos/azure.cosmos.container.containerproxy) | This class is primarily used to perform read, update, and delete operations on either the container or the items stored within the container. |

+ Title: Transactional batch operations in Azure Cosmos DB using the .NET, Java or Python SDK

+description: Learn how to use TransactionalBatch in the Azure Cosmos DB .NET, Java SDK or Python SDK to perform a group of point operations that either succeed or fail.

+# Transactional batch operations in Azure Cosmos DB

+Transactional batch describes a group of point operations that need to either succeed or fail together with the same partition key in a container. Operations are defined, added to the batch, and the batch is executed. If all operations succeed in the order they're described within the transactional batch operation, the transaction will be committed. However, if any operation fails, the entire transaction is rolled back.

+### [Python](#tab/python)

+Get or create a container instance:

+```python

+container = database.create_container_if_not_exists(id="batch_container",

+ partition_key=PartitionKey(path='/road_bikes'))

+```

+In Python, Transactional Batch operations look very similar to the singular operations apis, and are tuples containing (operation_type_string, args_tuple, batch_operation_kwargs_dictionary). Below are sample items that will be used to demonstrate batch operations functionality:

+```python

+create_demo_item = {

+ "id": "68719520766",

+ "category": "road-bikes",

+ "name": "Chropen Road Bike"

+}

+# for demo, assume that this item already exists in the container.

+# the item id will be used for read operation in the batch

+read_demo_item1 = {

+ "id": "68719519884",

+ "category": "road-bikes",

+ "name": "Tronosuros Tire",

+ "productId": "68719520766"

+}

+# for demo, assume that this item already exists in the container.

+# the item id will be used for read operation in the batch

+read_demo_item2 = {

+ "id": "68719519886",

+ "category": "road-bikes",

+ "name": "Tronosuros Tire",

+ "productId": "68719520766"

+}

+# for demo, assume that this item already exists in the container.

+# the item id will be used for read operation in the batch

+read_demo_item3 = {

+ "id": "68719519887",

+ "category": "road-bikes",

+ "name": "Tronosuros Tire",

+ "productId": "68719520766"

+}

+# for demo, we'll upsert the item with id 68719519885

+upsert_demo_item = {

+ "id": "68719519885",

+ "category": "road-bikes",

+ "name": "Tronosuros Tire Upserted",

+ "productId": "68719520768"

+}

+# for replace demo, we'll replace the read_demo_item2 with this item

+replace_demo_item = {

+ "id": "68719519886",

+ "category": "road-bikes",

+ "name": "Tronosuros Tire replaced",

+ "productId": "68719520769"

+}

+# for replace with etag match demo, we'll replace the read_demo_item3 with this item

+# The use of etags and if-match/if-none-match options allows users to run conditional replace operations

+# based on the etag value passed. When using if-match, the request will only succeed if the item's latest etag

+# matches the passed in value. For more on optimistic concurrency control, see the link below:

+# https://learn.microsoft.com/azure/cosmos-db/nosql/database-transactions-optimistic-concurrency

+replace_demo_item_if_match_operation = {

+ "id": "68719519887",

+ "category": "road-bikes",

+ "name": "Tronosuros Tireh",

+ "wasReplaced": "Replaced based on etag match"

+ "productId": "68719520769"

+}

+```

+Prepare the operations to be added to the batch:

+```python

+create_item_operation = ("create", (create_demo_item,), {})

+read_item_operation = ("read", ("68719519884",), {})

+delete_item_operation = ("delete", ("68719519885",), {})

+upsert_item_operation = ("upsert", (upsert_demo_item,), {})

+replace_item_operation = ("replace", ("68719519886", replace_demo_item), {})

+replace_item_if_match_operation = ("replace",

+ ("68719519887", replace_demo_item_if_match_operation),

+ {"if_match_etag": container.client_connection.last_response_headers.get("etag")})

+```

+Add the operations to the batch:

+```python

+batch_operations = [

+ create_item_operation,

+ read_item_operation,

+ delete_item_operation,

+ upsert_item_operation,

+ replace_item_operation,

+ replace_item_if_match_operation

+ ]

+```

+Finally, execute the batch:

+```python

+try:

+ # Run that list of operations

+ batch_results = container.execute_item_batch(batch_operations=batch_operations, partition_key="road_bikes")

+ # Batch results are returned as a list of item operation results - or raise a CosmosBatchOperationError if

+ # one of the operations failed within your batch request.

+ print("\nResults for the batch operations: {}\n".format(batch_results))

+except exceptions.CosmosBatchOperationError as e:

+ error_operation_index = e.error_index

+ error_operation_response = e.operation_responses[error_operation_index]

+ error_operation = batch_operations[error_operation_index]

+ print("\nError operation: {}, error operation response: {}\n".format(error_operation, error_operation_response))

+ # [END handle_batch_error]

+```

+> **Note for using patch operation and replace_if_match_etag operation in the batch** <br>

+The batch operation kwargs dictionary is limited, and only takes a total of three different key values. In the case of wanting to use conditional patching within the batch, the use of filter_predicate key is available for the patch operation, or in case of wanting to use etags with any of the operations, the use of the if_match_etag/if_none_match_etag keys is available as well.<br>

+>```python

+> batch_operations = [

+> ("replace", (item_id, item_body), {"if_match_etag": etag}),

+> ("patch", (item_id, operations), {"filter_predicate": filter_predicate, "if_none_match_etag": etag}),

+> ]

+>```

+> [!IMPORTANT]

+> If there's a failure, the failed operation will have a status code of its corresponding error. All the other operations will have a 424 status code (failed dependency). If the operation fails because it tries to create an item that already exists, a status code of 409 (conflict) is returned. The status code enables one to identify the cause of transaction failure.

+When the Transactional Batch is executed, all operations in the Transactional Batch are grouped, serialized into a single payload, and sent as a single request to the Azure Cosmos DB service.

+* The Azure Cosmos DB request size limit constrains the size of the Transactional Batch payload to not exceed 2 MB, and the maximum execution time is 5 seconds.

+* There's a current limit of 100 operations per Transactional Batch to ensure the performance is as expected and within SLAs.

+| East US 2 | :heavy_check_mark: | :heavy_check_mark: | Central US |

+| West Europe | :heavy_check_mark: | :heavy_check_mark: | North Europe |

+- Python 4.6.0: [v4.6.0](https://pypi.org/project/azure-cosmos/4.6.0/) or later

+#### [Python SDK](#tab/python)

+Priority-based execution feature is a preview feature available in Python SDK v4.6.0 or later. It should be enabled at the account level before using it in the Python SDK.

+The request priority can be specified as "Low" or "High" as below:

+```python

+item1_read = container.read_item("item1", "pk1", priority="High")

+item2_read = container.read_item("item2", "pk2", priority="Low")

+query = list(container.query_items("Select * from c", partition_key="pk1", priority="High"))

+```

+- [Open Source Vector Databases](mongodb/vcore/vector-search-ai.md)

+This article helps you create an [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) subscription for yourself or for someone else in your current Microsoft Entra directory/tenant. You can create another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.

+A user with Enterprise Administrator or Account Owner permissions can use the following steps to create a new EA subscription for themselves or for another user. If the subscription is for another user, the user is sent a notification that they must approve.

+1. Select the **Billing account** where the new subscription gets created.

+1. Select the **Enrollment account** where the subscription gets created.

+1. Select an **Offer type**, select **Enterprise Dev/Test** if the subscription is for development or testing workloads. Otherwise, select **Microsoft Azure Enterprise**.

+1. Select your **Subscription directory**. It's the Microsoft Entra ID where the new subscription gets created.

+1. Verify that the subscription information is correct, then select **Create**. You get a notification that the subscription is getting created.

+If you're set up as the enterprise administrator, then go to the Azure portal and sign in with your work, school, or Microsoft account.

+If you're set up as the enterprise administrator, you don't need to receive the activation email. You can sign in to the Azure portal and activate the enrollment.

+After a new account is added to the enrollment, the account owner is sent an account ownership email that gets used to confirm ownership.

+1. On the Add an account page, type a friendly name to identify the account used for reporting.

+1. After the activation process completes, copy and paste the following link to your browser. The page opens and creates a subscription that gets associated with your enrollment.

+When your transfer an MSDN subscription to an enrollment, it gets converted to an [Enterprise Dev/Test subscription](https://azure.microsoft.com/pricing/offers/ms-azr-0148p/). After conversion, the subscription loses any existing monetary credit. So, we recommended that you use all your credit before you transfer it to your Enterprise Agreement.

+EA customers can set budgets for each department and account under an enrollment. Budgets in Cost Management help you plan for and drive organizational accountability. They help you inform others about their spending to proactively manage costs, and to monitor how spending progresses over time. You can configure alerts based on your actual cost or forecasted cost to ensure that your spending is within your organizational spend limit. When the budget thresholds are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs. For more information about how to create budgets, see [Tutorial: Create and manage budgets](../costs/tutorial-acm-create-budgets.md).

+An Azure EA account is an organizational unit in the Azure portal. In the Azure portal, it's an _account_. Its use is to administer subscriptions and for reporting. To access and use Azure services, you need to create an account or have one created for you. For more information about accounts, see [Add an account](#add-an-account-and-account-owner).

+As an EA admin, you can allow account owners in your organization to create subscriptions based on the EA Dev/Test offer. To do so, select the **Dev/Test** option in the Edit account window. After you select the Dev/Test option, let the account owner know so that they can create EA Dev/Test subscriptions needed for their teams of Dev/Test subscribers. The offer enables active Visual Studio subscribers to run development and testing workloads on Azure at special Dev/Test rates. It provides access to the full gallery of Dev/Test images including Windows 8.1 and Windows 10.

+New subscriptions can take up to 24 hours to appear in the subscriptions list. After you create a subscription, you can:

+Notifications allow enterprise administrators to enroll their team members to receive usage notifications and user management notifications without giving them billing account access in the Azure portal.

+Notification contacts are shown in the Azure portal in on the Notifications page under Settings. Managing your notification contacts makes sure that the right people in your organization get Azure EA notifications.

+> [!NOTE]

+> Invoices are only sent to the person set to receive invoices for the enrollment, the **Bill to contact**. The bill-to contact can send others a copy of the invoice, if needed.

+1. Add the work or school account to the Azure portal with the needed roles.

+1. If you get errors, the account might not be valid in Microsoft Entra ID. Azure uses User Principal Name (UPN), which isn't always identical to the email address.

+An organizational unit used to administer subscriptions and for reporting.

+The person who manages departments, department owners, accounts, and account owners on Azure. They can manage enterprise administrators, view usage data, and billed quantities. They also manage unbilled charges across all accounts and subscriptions associated with the enterprise enrollment.

+For organizations that set up Microsoft Entra ID with federation to the cloud and all accounts are on a single tenant.

+An indefinite extended term takes place after the Enterprise Agreement end date. It enables Azure EA customers who are opted in to the extended term to continue to use Azure services indefinitely at the end of their Enterprise Agreement.

+The Azure EA customer is opted out of the extended term, and the Azure EA enrollment reached the Enterprise Agreement end date. The enrollment expires, and all associated services are disabled.

+Enrollments where all associated accounts and services were transferred to a new enrollment appear with a transferred status.

+ Title: Azure billing meter ID updates

+description: Learn about how Azure billing meter ID updates might affect your Azure consumption and billing.

+# Azure billing meter ID updates

+On March 1, 2024, some Azure billing meters were updated for improved meter ID metadata. More updates are underway. A billing meter is used to determine the cost of using a specific service or resource in Azure. It helps calculate the amount you're charged based on the quantity of the resource consumed. The billing meter varies depending on the type of service or resource used.

+The meter ID updates result in having only individual unique meters. A unique meter means that every Azure service, resource, and region has its own billing meter ID that precisely reflects its consumption and price. The change ensures that you see the correct meter ID on your invoice, and that youΓÇÖre charged the correct price for each service or resource consumed.

+*The meter ID changes donΓÇÖt affect prices*. However, you might notice some changes in how your Azure consumption is shown on your invoice, price sheet, API, usage details file, and Cost Management + Billing experiences.

+HereΓÇÖs an example showing updated meter information.

+| Service Name | Product Name | Region | Feature | Meter Type | Meter ID (new) | Meter ID (previous) |

+||||||||

+| Virtual Machines | Virtual Machines DSv3 Series Windows | CH West | Low Priority | 1 Compute Hour | 59f7c6d9-3658-5693-8925-4aae24068de8 | 0ce7683b-0630-4103-a9a7-75a68fbf6140 |

+## Download updated meters

+The following download links are CSV files of the latest meter IDs with their corresponding service and old IDs, product, and region released to date. More meter ID changes will occur over time. When new files are available, we update this page to add their download links.

+- [March 1, 2024 updated meters](https://download.microsoft.com/download/5/f/8/5f8d3499-eaab-4e8b-8d1d-7835923c238f/20240301_new_meterIds.csv)

+- [April 1, 2024 updated meters](https://download.microsoft.com/download/5/f/8/5f8d3499-eaab-4e8b-8d1d-7835923c238f/20240401_new_meterIds.csv)

+## Recommendations

+We recommend you review the list of updated meters and familiarize yourself with the new meter IDs and names that apply to your Azure consumption. You should check reports that you have for analysis, budgets, and any saved views to see if they use the updated meters. If so, you might need to update them accordingly for the new meter IDs and names. If you donΓÇÖt use any meters in the updated meters list, the changes donΓÇÖt affect you.

+## See also

+To learn how to create and manage budgets and save and share customized views, see the following articles:

+- [Tutorial - Create and manage budgets](../costs/tutorial-acm-create-budgets.md)

+- [Save and share customized views](../costs/save-share-views.md)

+- If you want to learn more about how to manage your billing account and subscriptions, see the [Cost Management + Billing documentation](../index.yml).

+Microsoft copilot templates empower organizations to build agriculture copilots. Our copilot templates enable seamless retrieval of data stored in Azure Data Manager for Agriculture so that farming-related context and insights can be queried in a conversational context.

+Customers and partners can deliver insights to users around disease, yield, harvest windows, and more, by using actual planning and observational data. Although Azure Data Manager for Agriculture isn't required to operationalize copilot templates for agriculture, it enables customers to more easily integrate generative AI scenarios for their users.

+Our copilot templates make generative AI in agriculture a reality.

+### [Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243)

+**Description**: By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service resource.

+**Severity**: Medium

+### [Azure AI Services resources should have key access disabled (disable local authentication)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/13b10b36-aa99-4db6-b00c-dcf87c4761e6)

+**Description**: Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. [Learn more](https://aka.ms/AI/auth).

+**Severity**: Medium

+### [Public network access should be disabled for Cognitive Services accounts](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7)

+**Description**: This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.

+(Related policy: [Public network access should be disabled for Cognitive Services accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f0725b4dd-7e76-479c-a735-68e7ee23d5ca)).

+**Severity**: Medium

+| Date | Update |

+| - | - |

+| April 2 | [Update to recommendations to align with Azure AI Services resources](#update-to-recommendations-to-align-with-azure-ai-services-resources) |

+| April 2 | [Deprecation of Cognitive Services recommendation](#deprecation-of-cognitive-services-recommendation) |

+| April 2 | [Containers multicloud recommendations (GA)](#containers-multicloud-recommendations-ga) |

+### Update to recommendations to align with Azure AI Services resources

+April 2, 2024

+The following recommendations have been updated to align with the Azure AI Services category (formerly known as Cognitive Services and Cognitive search) to comply with the new Azure AI Services naming format and align with the relevant resources.

+| Old recommendation | Updated recommendation |

+| - | - |

+| Cognitive Services accounts should restrict network access | [Azure AI Services resources should restrict network access](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243) |

+| Cognitive Services accounts should have local authentication methods disabled | [Azure AI Services resources should have key access disabled (disable local authentication)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/13b10b36-aa99-4db6-b00c-dcf87c4761e6) |

+| Diagnostic logs in Search services should be enabled | [Diagnostic logs in Azure AI services resources should be enabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/dea5192e-1bb3-101b-b70c-4646546f5e1e) |

+

+See the [list of security recommendations](recommendations-reference.md).

+### Deprecation of Cognitive Services recommendation

+April 2, 2024

+The recommendation [`Public network access should be disabled for Cognitive Services accounts`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7) is deprecated. The related policy definition [`Cognitive Services accounts should disable public network access`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) has been removed from the regulatory compliance dashboard.

+This recommendation is already being covered by another networking recommendation for Azure AI Services, [`Cognitive Services accounts should restrict network access`](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243/showSecurityCenterCommandBar~/false).

+See the [list of security recommendations](recommendations-reference.md).

+As part of Defender for Containers multicloud general availability, the following recommendations are announced GA as well:

+| **Recommendation** | **Description** | **Assessment Key** |

+| **Recommendation** | **Description** | **Assessment Key** |

+| **Recommendation** | **Description** | **Assessment Key** |

+The recommendations affect the secure score calculation.

+We're announcing the general availability (GA) of the Windows container images support for scanning by Defender for Containers.

+We're announcing that continuous export now includes attack path data. This feature allows you to stream security data to Log Analytics in Azure Monitor, to Azure Event Hubs, or to another Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), or IT classic deployment model solution.

+Until now agentless scanning covered CMK encrypted VMs in AWS and GCP. With this release we're completing support for Azure as well. The capability employs a unique scanning approach for CMK in Azure:

+- Defender for Cloud doesn't handle the key or decryption process. Key handling and decryption are seamlessly handled by Azure Compute and is transparent to Defender for Cloud's agentless scanning service.

+- The original key isn't replicated during the process. Purging it eradicates the data on both your production VM and Defender for CloudΓÇÖs temporary snapshot.

+During public preview this capability isn't automatically enabled. If you're using Defender for Servers P2 or Defender CSPM and your environment has VMs with CMK encrypted disks, you can now have them scanned for vulnerabilities, secrets and malware following these [enablement steps](enable-agentless-scanning-vms.md#agentless-vulnerability-assessment-on-azure).

+We're announcing new endpoint detection and response recommendations that discover and assesses the configuration of supported endpoint detection and response solutions. If issues are found, these recommendations offer remediation steps.

+The following new agentless endpoint protection recommendations are now available if you have Defender for Servers Plan 2 or the Defender CSPM plan enabled on your subscription with the agentless machine scanning feature enabled. The recommendations support Azure and multicloud machines. On-premises machines aren't supported.

+| [Deprecating of virtual machine recommendation](#deprecating-of-virtual-machine-recommendation) | April 2, 2024 | April 30, 2024 |

+## Deprecating of virtual machine recommendation

+**Announcement date: April 2, 2024**

+**Estimated date of change: April 30, 2024**

+The recommendation [Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/12018f4f-3d10-999b-e4c4-86ec25be08a1) is set to be deprecated. There should be no effect on customers as these resources no longer exist.

+ Title: Data retention and sharing across Microsoft Defender for IoT

+# Data retention and sharing across Microsoft Defender for IoT

+Microsoft Defender for IoT sensors learn a baseline of your network traffic during the initial learning period after deployment. This learned baseline is stored indefinitely on your sensors.

+## Data sharing

+Defender for IoT shares data, including customer data, among the following Microsoft products also licensed by the customer:

+- Microsoft Security Exposure Management

+| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Digital Reality AMS8 | 1 | West Europe | &check; | Megaport<br>Equinix¹<br>Colt¹<br>Console Connect¹<br>Digital Reality¹ |

+| Singapore Metro | Singapore<br>Singapore2 | Equinix SG1<br>Global Switch Tai Seng | 2 | Southeast Asia | &check; | Megaport¹<br>Equinix¹<br>Console Connect¹ |

+The load balancer is used for egress through an HDInsight on AKS assigned public IP. When you configure the outbound type of load balancer on your cluster pool, you can expect egress out of the load balancer created by the HDInsight on AKS.

+> Changing the outbound type after cluster pool creation is not supported.

+If userDefinedRouting is set, HDInsight on AKS won't automatically configure egress paths. The egress setup must be done by the user.

+You must deploy the HDInsight on AKS cluster into an existing virtual network with a subnet that has been previously configured, and you must establish explicit egress.

+This architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, or proxy, so a public IP assigned to the standard load balancer or appliance can handle the Network Address Translation (NAT).

+HDInsight on AKS doesn't configure outbound public IP address or outbound rules, unlike the Outbound with load balancer type clusters as described in the above section. Your UDR is the only source for egress traffic.

+For inbound traffic, you are required to choose based on the requirements to choose a private cluster (for securing traffic on AKS control plane / API server) and select the private ingress option available on each of the cluster shape to use public or internal load balancer based traffic.

+With the following steps you will understand how to lock down the outbound traffic from your HDInsight on AKS service to back-end Azure resources or other network resources with Azure Firewall. This configuration helps prevent data exfiltration or the risk of malicious program implantation.

+Azure Firewall lets you control outbound traffic at a much more granular level and filter traffic based on real-time threat intelligence from Microsoft Cyber Security. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

+Following is an example of setting up firewall rules, and testing your outbound connections

+ :::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-route-table.png" alt-text="Screenshot showing how to create route table." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-route-table.png":::

+

+When you provision a private AKS cluster, AKS by default creates a private FQDN with a private DNS zone and an additional public FQDN with a corresponding A record in Azure public DNS. The agent nodes continue to use the record in the private DNS zone to resolve the private IP address of the private endpoint for communication to the API server.

+As HDInsight on AKS will automatically insert the record to the private DNS zone in the HDInsight on AKS created managed group, for private ingress.

+This example uses [Apache Flink](../flink/flink-overview.md) to sink [HDInsight for Apache Kafka](/azure/hdinsight/kafka/apache-kafka-introduction) messages into [Azure Cosmos DB for Apache Cassandra](/azure/cosmos-db/cassandra/introduction).

+* [Apache Flink 1.17.0 on HDInsight on AKS](../flink/flink-create-cluster-portal.md)

+Refer GitHub readme to download maven, and clone this repository using `Azure-Samples/azure-cosmos-db-cassandra-java-getting-started.git` from

+[Azure Samples ](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-java-getting-started).

+Go to maven project folder **azure-cosmos-db-cassandra-java-getting-started-main** and update the changes required for this example.

+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

+ <modelVersion>4.0.0</modelVersion>

+

+ <groupId>com.azure.cosmosdb.cassandra</groupId>

+ <artifactId>cosmosdb-cassandra-examples</artifactId>

+ <version>1.0-SNAPSHOT</version>

+ <dependencies>

+ <dependency>

+ <groupId>org.apache.flink</groupId>

+ <artifactId>flink-java</artifactId>

+ <version>1.17.0</version>

+ </dependency>

+ <!-- https://mvnrepository.com/artifact/org.apache.flink/flink-streaming-java -->

+ <dependency>

+ <groupId>org.apache.flink</groupId>

+ <artifactId>flink-streaming-java</artifactId>

+ <version>1.17.0</version>

+ </dependency>

+ <!-- https://mvnrepository.com/artifact/org.apache.flink/flink-clients -->

+ <dependency>

+ <groupId>org.apache.flink</groupId>

+ <artifactId>flink-clients</artifactId>

+ <version>1.17.0</version>

+ </dependency>

+ <dependency>

+ <groupId>org.apache.flink</groupId>

+ <artifactId>flink-connector-files</artifactId>

+ <version>1.17.0</version>

+ </dependency>

+ <dependency>

+ <groupId>org.apache.flink</groupId>

+ <artifactId>flink-connector-kafka</artifactId>

+ <version>1.17.0</version>

+ </dependency>

+ <dependency>

+ <groupId>com.datastax.cassandra</groupId>

+ <artifactId>cassandra-driver-core</artifactId>

+ <version>3.3.0</version>

+ </dependency>

+ <dependency>

+ <groupId>com.datastax.cassandra</groupId>

+ <artifactId>cassandra-driver-mapping</artifactId>

+ <version>3.1.4</version>

+ </dependency>

+ <dependency>

+ <groupId>com.datastax.cassandra</groupId>

+ <artifactId>cassandra-driver-extras</artifactId>

+ <version>3.1.4</version>

+ </dependency>

+ <dependency>

+ <groupId>org.slf4j</groupId>

+ <artifactId>slf4j-api</artifactId>

+ <version>1.7.5</version>

+ </dependency>

+ <dependency>

+ <groupId>org.slf4j</groupId>

+ <artifactId>slf4j-log4j12</artifactId>

+ <version>1.7.5</version>

+ </dependency>

+ </dependencies>

+

+ <build>

+ <plugins>

+ <plugin>

+ <artifactId>maven-assembly-plugin</artifactId>

+ <configuration>

+ <descriptorRefs>

+ <descriptorRef>jar-with-dependencies</descriptorRef>

+ </descriptorRefs>

+ <finalName>cosmosdb-cassandra-examples</finalName>

+ <appendAssemblyId>false</appendAssemblyId>

+ </configuration>

+ <executions>

+ <execution>

+ <id>make-assembly</id>

+ <phase>package</phase>

+ <goals>

+ <goal>single</goal>

+ </goals>

+ </execution>

+ </executions>

+ </plugin>

+ <plugin>

+ <groupId>org.apache.maven.plugins</groupId>

+ <artifactId>maven-compiler-plugin</artifactId>

+ <configuration>

+ <source>1.8</source>

+ <target>1.8</target>

+ </configuration>

+ </plugin>

+ </plugins>

+ </build>

+

+Run **mvn clean install** from azure-cosmos-db-cassandra-java-getting-started-main folder to build the project. This command generates cosmosdb-cassandra-examples.jar under target folder.

+Run CassandraDemo class to sink Kafka topic into Cosmos DB for Apache Cassandra.

+Check job on Flink Web UI on HDInsight on AKS Cluster.

+Produce message into Kafka topic.

+* Apache, Apache Kafka, Kafka, Apache Flink, Flink, Apache Cassandra, Cassandra, and associated open source project names are [trademarks](../trademarks.md) of the [Apache Software Foundation](https://www.apache.org/) (ASF).

+description: How to enter Apache Flink® SQL & DStream CLI client using webssh on HDInsight on AKS clusters with Azure portal.

+This example guides how to enter the Apache Flink CLI client on HDInsight on AKS clusters using SSH on Azure portal, we cover both SQL and Flink DataStream.

+| [HDInsight 5.0](./hdinsight-5x-component-versioning.md) |Ubuntu 18.0.4 LTS |March 11, 2022 | [Basic](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | March 31, 2025 | March 31, 2025| Yes |

+| [HDInsight 4.0](hdinsight-40-component-versioning.md) |Ubuntu 18.0.4 LTS |September 24, 2018 | [Basic](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | March 31, 2025 | March 31, 2025 |Yes |

+ Title: Bulk delete resources from the Azure API for FHIR service in Azure Health Data Services

+description: Learn how to bulk delete resources from the Azure API for FHIR service in Azure Health Data Services.

+# Bulk delete in Azure API for FHIR

+## Related content

+[Supported FHIR features](fhir-features-supported.md)

+[FHIR REST API capabilities for Azure Health Data Services FHIR service](fhir-rest-api-capabilities.md)

+ Title: Bulk delete resources from the FHIR service in Azure Health Data Services

+description: Learn how to bulk delete resources from the FHIR service in Azure Health Data Services.

+# Bulk delete in the FHIR service

+## Related content

+[Supported FHIR features](fhir-features-supported.md)

+[FHIR REST API capabilities for Azure Health Data Services FHIR service](fhir-rest-api-capabilities.md)

+- [Manage medical imaging data with the DICOM service and Azure Data Lake Storage](./dicom/dicom-data-lake.md)

+- [Deploy the DICOM service with Azure Data Lake Storage](./dicom/deploy-dicom-services-in-azure-data-lake.md)

+ Title: Industrial IoT solutions with Azure IoT Central

+description: This article introduces common Industrial IoT solutions that you can implement using Azure IoT Central

+# Industrial IoT (IIoT) solutions with Azure IoT Central

+By using the Azure IoT platform, IoT Central lets you evaluate solutions that are scalable and secure. To set up a sample to evaluate a solution, see the [Ingest Industrial Data with Azure IoT Central and Calculate OEE](https://github.com/Azure-Samples/iotc-solution-builder) sample.

+> [!TIP]

+> Azure IoT Operations Preview is a new collection of services that includes native support for OPC UA, MQTT, and other industrial protocols. You can use Azure IoT Operations to connect and manage your industrial assets. To learn more, see [Azure IoT Operations Preview](../../iot-operations/get-started/overview-iot-operations.md).

+Now that you've learned about IIoT solutions with Azure IoT Central, the suggested next step is to learn about [Azure IoT Operations](../../iot-operations/get-started/overview-iot-operations.md).

+description: Learn how to use common and standard MQTT tools to test connectivity to Azure IoT MQ in a nonproduction environment.

+This article shows different ways to test connectivity to Azure IoT MQ Preview with MQTT clients in a nonproduction environment.

+By default, Azure IoT MQ Preview:

+- Deploys a [TLS-enabled listener](howto-configure-brokerlistener.md) on port 8883 with *ClusterIp* as the service type. *ClusterIp* means that the broker is accessible only from within the Kubernetes cluster. To access the broker from outside the cluster, you must configure a service of type *LoadBalancer* or *NodePort*.

+- Accepts [Kubernetes service accounts for authentication](howto-configure-authentication.md) for connections from within the cluster. To connect from outside the cluster, you must configure a different authentication method.

+> [!CAUTION]

+> For production scenarios, you should use TLS and service accounts authentication to secure your IoT solution. For more information, see:

+> - [Configure TLS with automatic certificate management to secure MQTT communication in Azure IoT MQ Preview](./howto-configure-tls-auto.md)

+> - [Configure authentication in Azure IoT MQ Preview](./howto-configure-authentication.md)

+> - [Expose Kubernetes services to external devices](/azure/aks/hybrid/aks-edge-howto-expose-service) using port forwarding or a virtual switch with Azure Kubernetes Services Edge Essentials.

+Before you begin, [install or deploy IoT Operations](../get-started/quickstart-deploy.md). Use the following options to test connectivity to IoT MQ with MQTT clients in a nonproduction environment.

+1. Create a file named `client.yaml` with the following configuration:

+ ```yaml

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ name: mqtt-client

+ # Namespace must match IoT MQ BrokerListener's namespace

+ # Otherwise use the long hostname: aio-mq-dmqtt-frontend.azure-iot-operations.svc.cluster.local

+ namespace: azure-iot-operations

+ spec:

+ # Use the "mqtt-client" service account which comes with default deployment

+ # Otherwise create it with `kubectl create serviceaccount mqtt-client -n azure-iot-operations`

+ serviceAccountName: mqtt-client

+ containers:

+ # Mosquitto and mqttui on Alpine

+ - image: alpine

+ name: mqtt-client

+ command: ["sh", "-c"]

+ args: ["apk add mosquitto-clients mqttui && sleep infinity"]

+ volumeMounts:

+ - name: mq-sat

+ mountPath: /var/run/secrets/tokens

+ - name: trust-bundle

+ mountPath: /var/run/certs

+ volumes:

+ - name: mq-sat

+ projected:

+ sources:

+ - serviceAccountToken:

+ path: mq-sat

+ audience: aio-mq # Must match audience in BrokerAuthentication

+ expirationSeconds: 86400

+ - name: trust-bundle

+ configMap:

+ name: aio-ca-trust-bundle-test-only # Default root CA cert

+ ```

+ kubectl exec --stdin --tty mqtt-client --namespace azure-iot-operations -- sh

+ mosquitto_pub --host aio-mq-dmqtt-frontend --port 8883 --message "hello" --topic "world" --username '$sat' --pw $(cat /var/run/secrets/tokens/mq-sat) --debug --cafile /var/run/certs/ca.crt

+ ```

+ The output should look similar to the following:

+ ```Output

+ mosquitto_sub --host aio-mq-dmqtt-frontend --port 8883 --topic "world" --username '$sat' --pw $(cat /var/run/secrets/tokens/mq-sat) --debug --cafile /var/run/certs/ca.crt

+ ```

+ The output should look similar to the following:

+ ```Output

+1. You can also use mqttui to connect to the broker using the service account token. The `--insecure` flag is required because mqttui doesn't support TLS certificate chain verification with a custom root CA cert.

+ > [!CAUTION]

+ > Using `--insecure` is not recommended for production scenarios. Only use it for testing or development purposes.

+ mqttui --broker mqtts://aio-mq-dmqtt-frontend:8883 --username '$sat' --password $(cat /var/run/secrets/tokens/mq-sat) --insecure

+Since the broker uses TLS, the client must trust the broker's TLS certificate chain. You need to configure the client to trust the root CA certificate used by the broker.

+To use the default root CA certificate, download it from the `aio-ca-trust-bundle-test-only` ConfigMap:

+Use the downloaded `ca.crt` file to configure your client to trust the broker's TLS certificate chain.

+> [!CAUTION]

+> Turning off authentication should only be used for testing purposes with a test cluster that's not accessible from the internet.

+k3d cluster create --port '8883:8883@loadbalancer'

+But for this method to work with IoT MQ, you must configure it to use a load balancer instead of cluster IP. There are two ways to do this: create a load balancer or patch the existing default BrokerListener resource service type to load balancer.

+#### Option 1: Create a load balancer

+1. Create a file named `loadbalancer.yaml` with the following configuration:

+ ```yaml

+ apiVersion: v1

+ kind: Service

+ metadata:

+ name: iotmq-public-svc

+ spec:

+ type: LoadBalancer

+ ports:

+ - name: mqtt1

+ port: 8883

+ targetPort: 8883

+ selector:

+ app: broker

+ app.kubernetes.io/instance: broker

+ app.kubernetes.io/managed-by: dmqtt-operator

+ app.kubernetes.io/name: dmqtt

+ tier: frontend

+ ```

+1. Apply the configuration to create a load balancer service:

+ ```bash

+ kubectl apply -f loadbalancer.yaml

+ ```

+#### Option 2: Patch the default load balancer

+ kubectl patch brokerlistener listener --namespace azure-iot-operations --type='json' --patch='[{"op": "replace", "path": "/spec/serviceType", "value": "loadBalancer"}]'

+1. Wait for the service to be updated.

+ kubectl get service aio-mq-dmqtt-frontend --namespace azure-iot-operations

+ Output should look similar to the following:

+ ```Output

+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+ aio-mq-dmqtt-frontend LoadBalancer 10.43.107.11 XXX.XX.X.X 8883:30366/TCP 14h

+1. You can use the external IP address to connect to IoT MQ over the internet. Make sure to use the external IP address instead of `localhost`.

+ mosquitto_pub --qos 1 --debug -h XXX.XX.X.X --message hello --topic world --username client1 --pw password --cafile ca.crt

+> [!TIP]

+> You can use the external IP address to connect to IoT MQ from outside the cluster. If you used the K3d command with port forwarding option, you can use `localhost` to connect to IoT MQ. For example, to connect with mosquitto client:

+>

+> ```bash

+> mosquitto_pub --qos 1 --debug -h localhost --message hello --topic world --username client1 --pw password --cafile ca.crt --insecure

+> ```

+>

+> In this example, the mosquitto client uses username and password to authenticate with the broker along with the root CA cert to verify the broker's TLS certificate chain. Here, the `--insecure` flag is required because the default TLS certificate issued to the load balancer is only valid for the load balancer's default service name (aio-mq-dmqtt-frontend) and assigned IPs, not localhost.

+>

+> Never expose IoT MQ port to the internet without authentication and TLS. Doing so is dangerous and can lead to unauthorized access to your IoT devices and bring unsolicited traffic to your cluster.

+>

+> For information on how to add localhost to the certificate's subject alternative name (SAN) to avoid using the insecure flag, see [Configure server certificate parameters](howto-configure-tls-auto.md#optional-configure-server-certificate-parameters).

+ kubectl port-forward --namespace azure-iot-operations service/aio-mq-dmqtt-frontend 8883:mqtts-8883

+To learn more, see [Use Port Forwarding to Access Applications in a Cluster](https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/) for minikube and [Expose Kubernetes services to external devices](/azure/aks/hybrid/aks-edge-howto-expose-service) for Azure Kubernetes Services Edge Essentials.

+1. Wait for the service to be updated.

+ kubectl get service my-unique-service-name --namespace azure-iot-operations

+ ```

+ Output should look similar to the following:

+ ```Output

+ mosquitto_pub --qos 1 --debug -h localhost --message hello --topic world

+ ```

+ The output should look similar to the following:

+ ```Output

+- 03:06 - <a href="https://learn-video.azurefd.net/vod/player?id=8e203b99-41ff-4454-9cbd-58856708f1c6?#time=0h3m06s" target="_blank">Step-by-step</a>

+- 32:54 - <a href="https://learn-video.azurefd.net/vod/player?id=8e203b99-41ff-4454-9cbd-58856708f1c6#time=0h32m45s" target="_blank">Recovery</a>

+- 40:55 - <a href="https://learn-video.azurefd.net/vod/player?id=8e203b99-41ff-4454-9cbd-58856708f1c6#time=0h40m55s" target="_blank">Advanced Scenarios</a>

+- 57:54 - <a href="https://learn-video.azurefd.net/vod/player?id=8e203b99-41ff-4454-9cbd-58856708f1c6#time=0h57m54s" target="_blank">Resources</a>

+> If the Virtual Machine Scale Set behind the Load Balancer is a **Service Fabric Cluster**, migration with this script will take more time, is higher risk to your application, and will cause downtime. Review [Service Fabric Cluster Load Balancer upgrade guidance](https://aka.ms/sfc-lb-upgrade) for migration options.

+| [Use Docker images that Azure Machine Learning manages](#scenario-use-docker-images-that-azure-machine-learning-manages) | Not applicable | Microsoft Artifact Registry | If the container registry for your workspace is behind the virtual network, configure the workspace to use a compute cluster to build images. For more information, see [Secure an Azure Machine Learning workspace with virtual networks](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr). |

+Azure Machine Learning provides Docker images that you can use to train models or perform inference. These images are hosted on Microsoft Artifact Registry.

+If you provide your own Docker images, such as on a container registry that you provide, you don't need the outbound communication with Artifact Registry.

+In this article, you learn how you can progressively update and deploy MLflow models to Online Endpoints without causing service disruption. You use blue-green deployment, also known as a safe rollout strategy, to introduce a new version of a web service to production. This strategy will allow you to roll out your new version of the web service to a small subset of users or requests before rolling it out completely.

+- If you are not running in Azure Machine Learning compute, configure the MLflow tracking URI or MLflow's registry URI to point to the workspace you are working on. Learn how to [configure MLflow for Azure Machine Learning](how-to-use-mlflow-configure-tracking.md).

+1. Configure the MLflow client and the deployment client:

+ mlflow_client = mlflow.MLflowClient()

+ We can configure the properties of this endpoint using a configuration file. We configure the authentication mode of the endpoint to be "key" in the following example:

+ This functionality is not available in the MLflow SDK. Go to [Azure Machine Learning studio](https://ml.azure.com), navigate to the endpoint, and retrieve the secret key from there.

+So far, the endpoint is empty. There are no deployments on it. Let's create the first one by deploying the same model we were working on before. We will call this deployment "default", representing our "blue deployment".

+When teams collaborate on Azure Machine Learning, they might face varying requirements to configure and organize resources. Machine learning teams might look for flexibility in how to organize workspaces for collaboration, or how to size compute clusters for the requirements of their use cases. In these scenarios, productivity could benefit if application teams can manage their own infrastructure.

+As a platform administrator, you can use policies to lay out guardrails for teams to manage their own resources. [Azure Policy](../governance/policy/index.yml) helps audit and govern resource state. This article explains how you can use audit controls and governance practices for Azure Machine Learning.

+Azure Policy provides a set of policies that you can use for common scenarios with Azure Machine Learning. You can assign these policy definitions to your existing subscription or use them as the basis to create your own custom definitions.

+1. For __Type__, select __Built-in__. For __Category__, select __Machine Learning__.

+From here, you can select policy definitions to view them. While viewing a definition, you can use the __Assign__ link to assign the policy to a specific scope, and configure the parameters for the policy. For more information, see [Create a policy assignment to identify non-compliant resources using Azure portal](../governance/policy/assign-policy-portal.md).

+You can also assign policies by using [Azure PowerShell](../governance/policy/assign-policy-powershell.md), [Azure CLI](../governance/policy/assign-policy-azurecli.md), or [templates](../governance/policy/assign-policy-template.md).

+To control who can access your Azure Machine Learning workspace, use [Microsoft Entra Conditional Access](../active-directory/conditional-access/overview.md). To use Conditional Access for Azure Machine Learning workspaces, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__.

+Landing zones are an architectural pattern that accounts for scale, governance, security, and productivity when setting up Azure environments. A data landing zone is an administator-configured environment that an application team uses to host a data and analytics workload.

+The purpose of the landing zone is to ensure that all infrastructure configuration work is done when a team starts in the Azure environment. For instance, security controls are set up in compliance with organizational standards and network connectivity is set up.

+Using the landing zones pattern, machine learning teams can deploy and manage their own resources on a self-service basis. By using Azure policy as an administrator, you can audit and manage Azure resources for compliance.

+Azure Machine Learning integrates with [data landing zones](https://github.com/Azure/data-landing-zone) in the [Cloud Adoption Framework data management and analytics scenario](/azure/cloud-adoption-framework/scenarios/data-management/). This reference implementation provides an optimized environment to migrate machine learning workloads onto Azure Machine Learning and includes preconfigured policies.

+### Compute instance should have idle shutdown

+This policy controls whether an Azure Machine Learning compute instance should have idle shutdown enabled. Idle shutdown automatically stops the compute instance when it's idle for a specified period of time. This policy is useful for cost savings and to ensure that resources aren't being used unnecessarily.

+Controls whether Azure Machine Learning compute instances should be audited to make sure they're running the latest available software updates. This policy is useful to ensure that compute instances are running the latest software updates to maintain security and performance. For more information, see [Vulnerability management for Azure Machine Learning](concept-vulnerability-management.md#compute-instance).

+Controls whether a workspace should be encrypted with a customer-managed key, or with a Microsoft-managed key to encrypt metrics and metadata. For more information on using customer-managed key, see the [Azure Cosmos DB](concept-data-encryption.md#azure-cosmos-db) section of the data encryption article.

+### Configure workspaces to disable public network access

+To configure this policy, set the effect parameter to __Audit__ or __Deny__, or __Disabled__. If set to __Audit__, you can create a workspace without enabling V1LegacyMode and a warning event is created in the activity log.

+### Workspaces should use private link

+Controls whether a workspace should use Azure Private Link to communicate with Azure Virtual Network. For more information on using private link, see [Configure a private endpoint for an Azure Machine Learning workspace](how-to-configure-private-link.md).

+### Workspaces should use user-assigned managed identity

+Controls whether a workspace is created using a system-assigned managed identity (default) or a user-assigned managed identity. The managed identity for the workspace is used to access associated resources such as Azure Storage, Azure Container Registry, Azure Key Vault, and Azure Application Insights. For more information, see [Set up authentication between Azure Machine Learning and other services](how-to-identity-based-service-authentication.md).

+### Configure computes to modify/disable local authentication

+This policy modifies any Azure Machine Learning compute cluster or instance creation request to disable local authentication (SSH).

+### Configure workspace to use private DNS zones

+This policy configures a workspace to use a private DNS zone, overriding the default DNS resolution for a private endpoint.

+Configures a workspace to disable network access from the public internet. This helps protect the workspaces against data leakage risks. You can instead access your workspace by creating private endpoints. For more information, see [Configure a private endpoint for an Azure Machine Learning workspace](how-to-configure-private-link.md).

+## Related content

+* The [Cloud Adoption Framework scenario for data management and analytics](/azure/cloud-adoption-framework/scenarios/data-management/) outlines considerations in running data and analytics workloads in the cloud

+* [Cloud Adoption Framework data landing zones](https://github.com/Azure/data-landing-zone) provide a reference implementation for managing data and analytics workloads in Azure

+* [Learn how to use policy to integrate Azure Private Link with Azure Private DNS zones](/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)

+Batch endpoints provide a convenient way to deploy models that run inference over large volumes of data. These endpoints simplify the process of hosting your models for batch scoring, so that your focus is on machine learning, rather than the infrastructure.

+Use batch endpoints for model deployment when:

+- You have expensive models that require a longer time to run inference.

+- You need to perform inference over large amounts of data that is distributed in multiple files.

+- You don't have low latency requirements.

+- You can take advantage of parallelization.

+In this article, you use a batch endpoint to deploy a machine learning model that solves the classic MNIST (Modified National Institute of Standards and Technology) digit recognition problem. Your deployed model then performs batch inferencing over large amounts of dataΓÇöin this case, image files. You begin by creating a batch deployment of a model that was created using Torch. This deployment becomes the default one in the endpoint. Later, you [create a second deployment](#add-deployments-to-an-endpoint) of a mode that was created with TensorFlow (Keras), test the second deployment, and then set it as the endpoint's default deployment.

+To follow along with the code samples and files needed to run the commands in this article locally, see the __[Clone the examples repository](#clone-the-examples-repository)__ section. The code samples and files are contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository.

+## Prerequisites

+## Clone the examples repository

+## Prepare your system

+### Connect to your workspace

+# [Azure CLI](#tab/cli)

+First, connect to the Azure Machine Learning workspace where you'll work.

+If you haven't already set the defaults for the Azure CLI, save your default settings. To avoid passing in the values for your subscription, workspace, resource group, and location multiple times, run this code:

+az account set --subscription <subscription>

+az configure --defaults workspace=<workspace> group=<resource-group> location=<location>

+# [Python](#tab/python)

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, you connect to the workspace in which you'll perform deployment tasks.

+1. Import the required libraries:

+ ```python

+ from azure.ai.ml import MLClient, Input, load_component

+ from azure.ai.ml.entities import BatchEndpoint, ModelBatchDeployment, ModelBatchDeploymentSettings, PipelineComponentBatchDeployment, Model, AmlCompute, Data, BatchRetrySettings, CodeConfiguration, Environment, Data

+ from azure.ai.ml.constants import AssetTypes, BatchDeploymentOutputAction

+ from azure.ai.ml.dsl import pipeline

+ from azure.identity import DefaultAzureCredential

+ ```

+ > [!NOTE]

+ > Classes `ModelBatchDeployment` and `PipelineComponentBatchDeployment` were introduced in version 1.7.0 of the SDK.

+2. Configure workspace details and get a handle to the workspace:

+ ```python

+ subscription_id = "<subscription>"

+ resource_group = "<resource-group>"

+ workspace = "<workspace>"

+

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+ ```

+# [Studio](#tab/azure-studio)

+Open the [Azure Machine Learning studio portal](https://ml.azure.com) and sign in using your credentials.

+Batch endpoints run on compute clusters and support both [Azure Machine Learning compute clusters (AmlCompute)](./how-to-create-attach-compute-cluster.md) and [Kubernetes clusters](./how-to-attach-kubernetes-anywhere.md). Clusters are a shared resource, therefore, one cluster can host one or many batch deployments (along with other workloads, if desired).

+Create a compute named `batch-cluster`, as shown in the following code. You can adjust as needed and reference your compute using `azureml:<your-compute-name>`.

+# [Studio](#tab/azure-studio)

+Follow the steps in the tutorial [Create an Azure Machine Learning compute cluster](./how-to-create-attach-compute-cluster.md?tabs=studio) to create a compute cluster.

+> You're not charged for the compute at this point, as the cluster remains at 0 nodes until a batch endpoint is invoked and a batch scoring job is submitted. For more information about compute costs, see [Manage and optimize cost for AmlCompute](./how-to-manage-optimize-cost.md#use-azure-machine-learning-compute-cluster-amlcompute).

+A __batch endpoint__ is an HTTPS endpoint that clients can call to trigger a _batch scoring job_. A __batch scoring job__ is a job that scores multiple inputs. A __batch deployment__ is a set of compute resources hosting the model that does the actual batch scoring (or batch inferencing). One batch endpoint can have multiple batch deployments. For more information on batch endpoints, see [What are batch endpoints?](concept-endpoints-batch.md).

+> One of the batch deployments serves as the default deployment for the endpoint. When the endpoint is invoked, the default deployment does the actual batch scoring. For more information on batch endpoints and deployments, see [batch endpoints and batch deployment](concept-endpoints-batch.md).

+1. Name the endpoint. The __endpoint's name must be unique within an Azure region__, since the name is included in the endpoint's URI. For example, there can be only one batch endpoint with the name `mybatchendpoint` in `westus2`.

+ Place the endpoint's name in a variable so you can easily reference it later.

+ Place the endpoint's name in a variable so you can easily reference it later.

+ # [Studio](#tab/azure-studio)

+ You provide the endpoint's name later, at the point when you create the deployment.

+1. Configure the batch endpoint

+ The following YAML file defines a batch endpoint. You can use this file with the CLI command for [batch endpoint creation](#create-a-batch-endpoint).

+ _endpoint.yml_

+ | `name` | The name of the batch endpoint. Needs to be unique at the Azure region level. |

+ | `tags` | The tags to include in the endpoint. This property is optional. |

+ The following table describes the key properties of the endpoint. For more information on batch endpoint definition, see [BatchEndpoint Class](/python/api/azure-ai-ml/azure.ai.ml.entities.batchendpoint).

+ # [Studio](#tab/azure-studio)

+ You create the endpoint later, at the point when you create the deployment.

+ Run the following code to create a batch endpoint.

+ # [Studio](#tab/azure-studio)

+ You create the endpoint later, at the point when you create the deployment.

+A model deployment is a set of resources required for hosting the model that does the actual inferencing. To create a batch model deployment, you need the following items:

+* A registered model in the workspace

+* The code to score the model

+* An environment with the model's dependencies installed

+* The pre-created compute and resource settings

+1. Begin by registering the model to be deployedΓÇöa Torch model for the popular digit recognition problem (MNIST). Batch Deployments can only deploy models that are registered in the workspace. You can skip this step if the model you want to deploy is already registered.

+ > Models are associated with the deployment, rather than with the endpoint. This means that a single endpoint can serve different models (or model versions) under the same endpoint, provided that the different models (or model versions) are deployed in different deployments.

+ # [Studio](#tab/azure-studio)

+1. Now it's time to create a scoring script. Batch deployments require a scoring script that indicates how a given model should be executed and how input data must be processed. Batch endpoints support scripts created in Python. In this case, you deploy a model that reads image files representing digits and outputs the corresponding digit. The scoring script is as follows:

+ > For MLflow models, Azure Machine Learning automatically generates the scoring script, so you're not required to provide one. If your model is an MLflow model, you can skip this step. For more information about how batch endpoints work with MLflow models, see the article [Using MLflow models in batch deployments](how-to-mlflow-batch.md).

+ > If you're deploying an Automated machine learning (AutoML) model under a batch endpoint, note that the scoring script that AutoML provides only works for online endpoints and is not designed for batch execution. For information on how to create a scoring script for your batch deployment, see [Author scoring scripts for batch deployments](how-to-batch-scoring-script.md).

+ _deployment-torch/code/batch_driver.py_

+1. Create an environment where your batch deployment will run. The environment should include the packages `azureml-core` and `azureml-dataset-runtime[fuse]`, which are required by batch endpoints, plus any dependency your code requires for running. In this case, the dependencies have been captured in a `conda.yaml` file:

+ _deployment-torch/environment/conda.yaml_

+ Specify the environment as follows:

+ Get a reference to the environment:

+ # [Studio](#tab/azure-studio)

+ In the [Azure Machine Learning studio](https://ml.azure.com), follow these steps:

+ 1. For __Select environment source__, select __Use existing docker image with optional conda file__.

+ 1. For __Container registry image path__, enter `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04`.

+ 1. Select **Next** to go to the "Customize" section.

+ 1. Copy the content of the file _deployment-torch/environment/conda.yaml_ from the GitHub repo into the portal.

+ 1. Select __Next__ until you get to the "Review page".

+ 1. Select __Create__ and wait until the environment is ready for use.

+ > Curated environments are not supported in batch deployments. You need to specify your own environment. You can always use the base image of a curated environment as yours to simplify the process.

+ _deployment-torch/deployment.yml_

+ The following table describes the key properties of the batch deployment. For the full batch deployment YAML schema, see [CLI (v2) batch deployment YAML schema](./reference-yaml-deployment-batch.md).

+ | `model` | The model to be used for batch scoring. The example defines a model inline using `path`. This definition allows model files to be automatically uploaded and registered with an autogenerated name and version. See the [Model schema](./reference-yaml-model.md#yaml-syntax) for more options. As a best practice for production scenarios, you should create the model separately and reference it here. To reference an existing model, use the `azureml:<model-name>:<model-version>` syntax. |

+ | `code_configuration.scoring_script` | The Python file in the `code_configuration.code` directory. This file must have an `init()` function and a `run()` function. Use the `init()` function for any costly or common preparation (for example, to load the model in memory). `init()` will be called only once at the start of the process. Use `run(mini_batch)` to score each entry; the value of `mini_batch` is a list of file paths. The `run()` function should return a pandas DataFrame or an array. Each returned element indicates one successful run of input element in the `mini_batch`. For more information on how to author a scoring script, see [Understanding the scoring script](how-to-batch-scoring-script.md#understanding-the-scoring-script). |

+ | `environment` | The environment to score the model. The example defines an environment inline using `conda_file` and `image`. The `conda_file` dependencies will be installed on top of the `image`. The environment will be automatically registered with an autogenerated name and version. See the [Environment schema](./reference-yaml-environment.md#yaml-syntax) for more options. As a best practice for production scenarios, you should create the environment separately and reference it here. To reference an existing environment, use the `azureml:<environment-name>:<environment-version>` syntax. |

+ | `compute` | The compute to run batch scoring. The example uses the `batch-cluster` created at the beginning and references it using the `azureml:<compute-name>` syntax. |

+ | `settings.output_action` | [Optional] How the output should be organized in the output file. `append_row` will merge all `run()` returned output results into one single file named `output_file_name`. `summary_only` won't merge the output results and will only calculate `error_threshold`. |

+ | `settings.error_threshold` | [Optional] The number of input file scoring failures that should be ignored. If the error count for the entire input goes above this value, the batch scoring job will be terminated. The example uses `-1`, which indicates that any number of failures is allowed without terminating the batch scoring job. |

+ The [BatchDeployment Class](/python/api/azure-ai-ml/azure.ai.ml.entities.batchdeployment) allows you to configure the following key properties of a batch deployment:

+ | `code_configuration` | The configuration about how to run inference for the model (optional for MLflow models). |

+ | `code_configuration.code` | Path to the source code directory for scoring the model. |

+ | `code_configuration.scoring_script` | Relative path to the scoring file in the source code directory. |

+ | `compute` | Name of the compute target on which to execute the batch scoring jobs. |

+ | `settings` | The model deployment inference configuration. |

+ | `settings.max_concurrency_per_instance` | The maximum number of parallel `scoring_script` runs per instance.|

+ | `settings.mini_batch_size` | The number of files the `code_configuration.scoring_script` can process in one `run`() call.|

+ | `settings.retry_settingsmax_retries` | The maximum number of retries for a failed or timed-out mini batch (default is 3). |

+ | `settings.retry_settingstimeout` | The timeout in seconds for scoring a mini batch (default is 30). |

+ | `settings.output_action` | How the output should be organized in the output file. Allowed values are `append_row` or `summary_only`. Default is `append_row`. |

+ # [Studio](#tab/azure-studio)

+ In the studio, follow these steps:

+ 1. Select __Next__ to go to the "Model" section.

+ 1. Select the model __mnist-classifier-torch__.

+ 1. Select __Next__ to go to the "Deployment" page.

+ 1. Give the deployment a name.

+ 1. For __Output action__, ensure __Append row__ is selected.

+ 1. For __Output file name__, ensure the batch scoring output file is the one you need. Default is `predictions.csv`.

+ 1. For __Mini batch size__, adjust the size of the files that will be included on each mini-batch. This size will control the amount of data your scoring script receives per batch.

+ 1. For __Scoring timeout (seconds)__, ensure you're giving enough time for your deployment to score a given batch of files. If you increase the number of files, you usually have to increase the timeout value too. More expensive models (like those based on deep learning), may require high values in this field.

+ 1. For __Max concurrency per instance__, configure the number of executors you want to have for each compute instance you get in the deployment. A higher number here guarantees a higher degree of parallelization but it also increases the memory pressure on the compute instance. Tune this value altogether with __Mini batch size__.

+ 1. Once done, select __Next__ to go to the "Code + environment" page.

+ 1. For "Select a scoring script for inferencing", browse to find and select the scoring script file *deployment-torch/code/batch_driver.py*.

+ 1. In the "Select environment" section, select the environment you created previously _torch-batch-env_.

+ 1. Select __Next__ to go to the "Compute" page.

+ 1. Select the compute cluster you created in a previous step.

+ 1. For __Instance count__, enter the number of compute instances you want for the deployment. In this case, use 2.

+ Run the following code to create a batch deployment under the batch endpoint, and set it as the default deployment.

+ > The `--set-default` parameter sets the newly created deployment as the default deployment of the endpoint. It's a convenient way to create a new default deployment of the endpoint, especially for the first deployment creation. As a best practice for production scenarios, you might want to create a new deployment without setting it as default. Verify that the deployment works as you expect, and then update the default deployment later. For more information on implementing this process, see the [Deploy a new model](#add-deployments-to-an-endpoint) section.

+ Using the `MLClient` created earlier, create the deployment in the workspace. This command starts the deployment creation and returns a confirmation response while the deployment creation continues.

+ Once the deployment is completed, set the new deployment as the default deployment in the endpoint:

+ # [Studio](#tab/azure-studio)

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/review-batch-wizard.png" alt-text="Screenshot of batch endpoints deployment review screen." lightbox="media/how-to-use-batch-model-deployments/review-batch-wizard.png":::

+ Use `show` to check the endpoint and deployment details. To check a batch deployment, run the following code:

+ # [Studio](#tab/azure-studio)

+ After creating the batch endpoint, the endpoint's details page opens up. You can also find this page by following these steps:

+ 1. Select the batch endpoint you want to view.

+ 1. The endpoint's **Details** page shows the details of the endpoint along with all the deployments available in the endpoint.

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/batch-endpoint-details.png" alt-text="Screenshot of the check batch endpoints and deployment details.":::

+Invoking a batch endpoint triggers a batch scoring job. The job `name` is returned from the invoke response and can be used to track the batch scoring progress. When running models for scoring in batch endpoints, you need to specify the path to the input data so that the endpoints can find the data you want to score. The following example shows how to start a new job over a sample data of the MNIST dataset stored in an Azure Storage Account.

+You can run and invoke a batch endpoint using Azure CLI, Azure Machine Learning SDK, or REST endpoints. For more details about these options, see [Create jobs and input data for batch endpoints](how-to-access-data-batch-endpoints-jobs.md).

+> __How does parallelization work?__

+> Batch deployments distribute work at the file level, which means that a folder containing 100 files with mini-batches of 10 files will generate 10 batches of 10 files each. Notice that this happens regardless of the size of the files involved. If your files are too big to be processed in large mini-batches, we suggest that you either split the files into smaller files to achieve a higher level of parallelism or you decrease the number of files per mini-batch. Currently, batch deployments can't account for skews in a file's size distribution.

+# [Studio](#tab/azure-studio)

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/create-batch-job.png" alt-text="Screenshot of the create job option to start batch scoring." lightbox="media/how-to-use-batch-model-deployments/create-batch-job.png":::

+1. For __Deployment__, select the deployment to execute.

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/job-setting-batch-scoring.png" alt-text="Screenshot of using the deployment to submit a batch job." lightbox="media/how-to-use-batch-model-deployments/job-setting-batch-scoring.png":::

+1. Select __Next__ to go to the "Select data source" page.

+1. For the "Data source type", select __Datastore__.

+1. For the "Datastore", select __workspaceblobstore__ from the dropdown menu.

+1. For "Path", enter the full URL `https://azuremlexampledata.blob.core.windows.net/data/mnist/sample`.

+ > [!TIP]

+ > This path works only because the given path has public access enabled. In general, you need to register the data source as a __Datastore__. See [Accessing data from batch endpoints jobs](how-to-access-data-batch-endpoints-jobs.md) for details.

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/select-datastore-job.png" alt-text="Screenshot of selecting datastore as an input option." lightbox="media/how-to-use-batch-model-deployments/select-datastore-job.png":::

+1. Select __Next__.

+1. Select __Create__ to start the job.

+Batch endpoints support reading files or folders that are located in different locations. To learn more about the supported types and how to specify them, see [Accessing data from batch endpoints jobs](how-to-access-data-batch-endpoints-jobs.md).

+# [Studio](#tab/azure-studio)

+1. Select the __Jobs__ tab.

+ :::image type="content" source="media/how-to-use-batch-model-deployments/summary-jobs.png" alt-text="Screenshot of summary of jobs submitted to a batch endpoint." lightbox="media/how-to-use-batch-model-deployments/summary-jobs.png":::

+1. From the displayed list of the jobs created for the selected endpoint, select the last job that is running.

+1. You're now redirected to the job monitoring page.

+The job outputs are stored in cloud storage, either in the workspace's default blob storage, or the storage you specified. To learn how to change the defaults, see [Configure the output location](#configure-the-output-location). The following steps allow you to view the scoring results in Azure Storage Explorer when the job is completed:

+1. Run the following code to open the batch scoring job in Azure Machine Learning studio. The job studio link is also included in the response of `invoke`, as the value of `interactionEndpoints.Studio.endpoint`.

+By default, the batch scoring results are stored in the workspace's default blob store within a folder named by job name (a system-generated GUID). You can configure where to store the scoring outputs when you invoke the batch endpoint.

+Use `params_override` to configure any folder in an Azure Machine Learning registered data store. Only registered data stores are supported as output paths. In this example you use the default data store:

+Once you've identified the data store you want to use, configure the output as follows:

+# [Studio](#tab/azure-studio)

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/create-batch-job.png" alt-text="Screenshot of the create job option to start batch scoring." lightbox="media/how-to-use-batch-model-deployments/create-batch-job.png":::

+1. For __Deployment__, select the deployment you want to execute.

+1. Select the option __Override deployment settings__.

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/overwrite-setting.png" alt-text="Screenshot of the overwrite setting when starting a batch job.":::

+1. Select __Next__.

+1. On the "Select data source" page, select the data input you want to use.

+1. Select __Next__.

+1. On the "Configure output location" page, select the option __Enable output configuration__.

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/configure-output-location.png" alt-text="Screenshot of optionally configuring output location." lightbox="media/how-to-use-batch-model-deployments/configure-output-location.png":::

+> Unlike inputs, outputs can be stored only in Azure Machine Learning data stores that run on blob storage accounts.

+## Overwrite deployment configuration for each job

+When you invoke a batch endpoint, some settings can be overwritten to make best use of the compute resources and to improve performance. The following settings can be configured on a per-job basis:

+* __Instance count__: use this setting to overwrite the number of instances to request from the compute cluster. For example, for larger volume of data inputs, you may want to use more instances to speed up the end to end batch scoring.

+* __Mini-batch size__: use this setting to overwrite the number of files to include in each mini-batch. The number of mini batches is decided by the total input file counts and mini-batch size. A smaller mini-batch size generates more mini batches. Mini batches can be run in parallel, but there might be extra scheduling and invocation overhead.

+* Other settings, such as __max retries__, __timeout__, and __error threshold__ can be overwritten. These settings might impact the end-to-end batch scoring time for different workloads.

+# [Studio](#tab/azure-studio)

+1. For __Deployment__, select the deployment you want to execute.

+1. Select the option __Override deployment settings__.

+1. Configure the job parameters. Only the current job execution will be affected by this configuration.

+1. On the "Select data source" page, select the data input you want to use.

+1. Select __Next__.

+1. On the "Configure output location" page, select the option __Enable output configuration__.

+1. Configure the __Blob datastore__ where the outputs should be placed.

+## Add deployments to an endpoint

+Once you have a batch endpoint with a deployment, you can continue to refine your model and add new deployments. Batch endpoints will continue serving the default deployment while you develop and deploy new models under the same endpoint. Deployments don't affect one another.

+In this example, you add a second deployment that uses a __model built with Keras and TensorFlow__ to solve the same MNIST problem.

+### Add a second deployment

+1. Create an environment where your batch deployment will run. Include in the environment any dependency your code requires for running. You also need to add the library `azureml-core`, as it's required for batch deployments to work. The following environment definition has the required libraries to run a model with TensorFlow.

+ The environment definition is included in the deployment definition itself as an anonymous environment.

+ Get a reference to the environment:

+ # [Studio](#tab/azure-studio)

+ 1. For __Select environment source__, select __Use existing docker image with optional conda file__.

+ 1. For __Container registry image path__, enter `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu20.04`.

+ 1. Select **Next** to go to the "Customize" section.

+ 1. Copy the content of the file _deployment-keras/environment/conda.yaml_ from the GitHub repo into the portal.

+ 1. Select __Next__ until you get to the "Review page".

+ 1. Select __Create__ and wait until the environment is ready for use.

+ # [Studio](#tab/azure-studio)

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/add-deployment-option.png" alt-text="Screenshot of add new deployment option.":::

+ 1. Select __Next__ to go to the "Model" page.

+ 1. From the model list, select the model `mnist` and select __Next__.

+ 1. Undo the selection for the option: __Make this new deployment the default for batch jobs__.

+ 1. For __Output action__, ensure __Append row__ is selected.

+ 1. For __Output file name__, ensure the batch scoring output file is the one you need. Default is `predictions.csv`.

+ 1. For __Mini batch size__, adjust the size of the files that will be included in each mini-batch. This will control the amount of data your scoring script receives for each batch.

+ 1. For __Scoring timeout (seconds)__, ensure you're giving enough time for your deployment to score a given batch of files. If you increase the number of files, you usually have to increase the timeout value too. More expensive models (like those based on deep learning), may require high values in this field.

+ 1. For __Max concurrency per instance__, configure the number of executors you want to have for each compute instance you get in the deployment. A higher number here guarantees a higher degree of parallelization but it also increases the memory pressure on the compute instance. Tune this value altogether with __Mini batch size__.

+ 1. Select __Next__ to go to the "Code + environment" page.

+ 1. For __Select a scoring script for inferencing__, browse to select the scoring script file *deployment-keras/code/batch_driver.py*.

+ 1. For __Select environment__, select the environment you created in a previous step.

+ 1. On the __Compute__ page, select the compute cluster you created in a previous step.

+ 1. For __Instance count__, enter the number of compute instances you want for the deployment. In this case, use 2.

+ > The `--set-default` parameter is missing in this case. As a best practice for production scenarios, create a new deployment without setting it as default. Then verify it, and update the default deployment later.

+ Using the `MLClient` created earlier, create the deployment in the workspace. This command starts the deployment creation and returns a confirmation response while the deployment creation continues.

+ # [Studio](#tab/azure-studio)

+To test the new non-default deployment, you need to know the name of the deployment you want to run.

+Notice `--deployment-name` is used to specify the deployment to execute. This parameter allows you to `invoke` a non-default deployment without updating the default deployment of the batch endpoint.

+Notice `deployment_name` is used to specify the deployment to execute. This parameter allows you to `invoke` a non-default deployment without updating the default deployment of the batch endpoint.

+# [Studio](#tab/azure-studio)

+1. For __Deployment__, select the deployment you want to execute. In this case, `mnist-keras`.

+Although you can invoke a specific deployment inside an endpoint, you'll typically want to invoke the endpoint itself and let the endpoint decide which deployment to useΓÇöthe default deployment. You can change the default deployment (and consequently, change the model serving the deployment) without changing your contract with the user invoking the endpoint. Use the following code to update the default deployment:

+# [Studio](#tab/azure-studio)

+ :::image type="content" source="./media/how-to-use-batch-model-deployments/update-default-deployment.png" alt-text="Screenshot of updating default deployment.":::

+1. For __Select default deployment__, select the name of the deployment you want to set as the default.

+If you won't be using the old batch deployment, delete it by running the following code. `--yes` is used to confirm the deletion.

+Run the following code to delete the batch endpoint and all its underlying deployments. Batch scoring jobs won't be deleted.

+If you won't be using the old batch deployment, delete it by running the following code.

+Run the following code to delete the batch endpoint and all its underlying deployments. Batch scoring jobs won't be deleted.

+# [Studio](#tab/azure-studio)

+## Related content

+> Some evaluation process may take up lots of tokens, so it's recommended to use a model which can support >=16k tokens.

+After the evaluation run completed, similarly, you can check the result of evaluation in the **"Outputs"** tab of the batch run detail panel. You need to select the new evaluation run to view its result.

+The creation of a copilot that use Large Language Models (LLMs) typically involves grounding the model in reality using source datasets. However, to ensure that the LLMs provide the most accurate and useful responses to customer queries, a "Golden Dataset" is necessary.

+>

+> `requirements.txt` didn't support local wheel file, you need build them in your image and update customize base image in `flow.dag.yaml`. Learn more [how to build custom base image](how-to-customize-environment-runtime.md#customize-environment-with-docker-context-for-runtime)

+### Lack authorization to perform action "Microsoft.MachineLearningService/workspaces/datastores/read"

+If your flow contains Index Look Up tool, after deploying the flow, the endpoint needs to access workspace datastore to read MLIndex yaml file or FAISS folder containing chunks and embeddings. Hence, you need to manually grant the endpoint identity permission to do so.

+You can either grant the endpoint identity **AzureML Data Scientist** on workspace scope, or a custom role which contains "MachineLearningService/workspace/datastore/reader" action.

+- (Recommended) You can find the container image uri in your custom environment detail page, and set it as the flow base image in the flow.dag.yaml file. When you deploy the flow in UI, you just select **Use environment of current flow definition**, and the backend service will create the customized environment based on this base image and `requirement.txt` for your deployment. Learn more about [the environment specified in the flow definition](#use-environment-of-current-flow-definition).

+ :::image type="content" source="./media/how-to-deploy-for-real-time-inference/custom-environment-image-uri.png" alt-text="Screenshot of custom environment detail page. " lightbox = "./media/how-to-deploy-for-real-time-inference/custom-environment-image-uri.png":::

+ :::image type="content" source="./media/how-to-deploy-for-real-time-inference/flow-environment-image.png" alt-text="Screenshot of specifying base image in raw yaml file of the flow. " lightbox = "./media/how-to-deploy-for-real-time-inference/flow-environment-image.png":::

+- You can fix this error by adding `inference_config` in your custom environment definition. Learn more about [how to use customized environment](#use-customized-environment).

+- [Troubleshoot prompt flow deployments.](how-to-troubleshoot-prompt-flow-deployment.md)

+- [Troubleshoot prompt flow deployments.](how-to-troubleshoot-prompt-flow-deployment.md)

+ Title: Troubleshoot prompt flow deployments

+description: This article provides instructions on how to troubleshoot your prompt flow deployments.

+# Troubleshoot prompt flow deployments

+This article provides instructions on how to troubleshoot your deployments from prompt flow.

+## Lack authorization to perform action "Microsoft.MachineLearningService/workspaces/datastores/read"

+If your flow contains Index Look Up tool, after deploying the flow, the endpoint needs to access workspace datastore to read MLIndex yaml file or FAISS folder containing chunks and embeddings. Hence, you need to manually grant the endpoint identity permission to do so.

+You can either grant the endpoint identity **AzureML Data Scientist** on workspace scope, or a custom role that contains "MachineLearningService/workspace/datastore/reader" action.

+## Upstream request timeout issue when consuming the endpoint

+If you use CLI or SDK to deploy the flow, you may encounter timeout error. By default the `request_timeout_ms` is 5000. You can specify at max to 5 minutes, which is 300,000 ms. Following is example showing how to specify request time-out in the deployment yaml file. To learn more, see [deployment schema](../reference-yaml-deployment-managed-online.md).

+```yaml

+request_settings:

+ request_timeout_ms: 300000

+```

+## OpenAI API hits authentication error

+If you regenerate your Azure OpenAI key and manually update the connection used in prompt flow, you may encounter errors like "Unauthorized. Access token is missing, invalid, audience is incorrect or have expired." when invoking an existing endpoint created before key regenerating.

+This is because the connections used in the endpoints/deployments won't be automatically updated. Any change for key or secrets in deployments should be done by manual update, which aims to avoid impacting online production deployment due to unintentional offline operation.

+- If the endpoint was deployed in the studio UI, you can just redeploy the flow to the existing endpoint using the same deployment name.

+- If the endpoint was deployed using SDK or CLI, you need to make some modification to the deployment definition such as adding a dummy environment variable, and then use `az ml online-deployment update` to update your deployment.

+## Vulnerability issues in prompt flow deployments

+For prompt flow runtime related vulnerabilities, following are approaches, which can help mitigate:

+- Update the dependency packages in your requirements.txt in your flow folder.

+- If you're using customized base image for your flow, you need to update the prompt flow runtime to latest version and rebuild your base image, then redeploy the flow.

+

+For any other vulnerabilities of managed online deployments, Azure Machine Learning fixes the issues in a monthly manner.

+## "MissingDriverProgram Error" or "Could not find driver program in the request"

+If you deploy your flow and encounter the following error, it might be related to the deployment environment.

+```text

+'error':

+{

+ 'code': 'BadRequest',

+ 'message': 'The request is invalid.',

+ 'details':

+ {'code': 'MissingDriverProgram',

+ 'message': 'Could not find driver program in the request.',

+ 'details': [],

+ 'additionalInfo': []

+ }

+}

+```

+```text

+Could not find driver program in the request

+```

+There are two ways to fix this error.

+- (Recommended) You can find the container image uri in your custom environment detail page, and set it as the flow base image in the flow.dag.yaml file. When you deploy the flow in UI, you just select **Use environment of current flow definition**, and the backend service will create the customized environment based on this base image and `requirement.txt` for your deployment. Learn more about [the environment specified in the flow definition](how-to-deploy-for-real-time-inference.md#use-environment-of-current-flow-definition).

+ :::image type="content" source="./media/how-to-deploy-for-real-time-inference/custom-environment-image-uri.png" alt-text="Screenshot of custom environment detail page. " lightbox = "./media/how-to-deploy-for-real-time-inference/custom-environment-image-uri.png":::

+ :::image type="content" source="./media/how-to-deploy-for-real-time-inference/flow-environment-image.png" alt-text="Screenshot of specifying base image in raw yaml file of the flow. " lightbox = "./media/how-to-deploy-for-real-time-inference/flow-environment-image.png":::

+- You can fix this error by adding `inference_config` in your custom environment definition.

+ Following is an example of customized environment definition.

+```yaml

+$schema: https://azuremlschemas.azureedge.net/latest/environment.schema.json

+name: pf-customized-test

+build:

+ path: ./image_build

+ dockerfile_path: Dockerfile

+description: promptflow customized runtime

+inference_config:

+ liveness_route:

+ port: 8080

+ path: /health

+ readiness_route:

+ port: 8080

+ path: /health

+ scoring_route:

+ port: 8080

+ path: /score

+```

+## Model response taking too long

+Sometimes, you might notice that the deployment is taking too long to respond. There are several potential factors for this to occur.

+- The model used in the flow isn't powerful enough (example: use GPT 3.5 instead of text-ada)

+- Index query isn't optimized and taking too long

+- Flow has many steps to process

+Consider optimizing the endpoint with above considerations to improve the performance of the model.

+## Unable to fetch deployment schema

+After you deploy the endpoint and want to test it in the **Test tab** in the endpoint detail page, if the **Test tab** shows **Unable to fetch deployment schema**, you can try the following two methods to mitigate this issue:

+- Make sure you have granted the correct permission to the endpoint identity. Learn more about [how to grant permission to the endpoint identity](how-to-deploy-for-real-time-inference.md#grant-permissions-to-the-endpoint).

+- It might be because you ran your flow in an old version runtime and then deployed the flow, the deployment used the environment of the runtime that was in old version as well. To update the runtime, follow [Update a runtime on the UI](./how-to-create-manage-runtime.md#update-a-runtime-on-the-ui) and rerun the flow in the latest runtime and then deploy the flow again.

+## Access denied to list workspace secret

+If you encounter an error like "Access denied to list workspace secret", check whether you have granted the correct permission to the endpoint identity. Learn more about [how to grant permission to the endpoint identity](how-to-deploy-for-real-time-inference.md#grant-permissions-to-the-endpoint).

+## Next steps

+- Learn more about [managed online endpoint schema](../reference-yaml-endpoint-online.md) and [managed online deployment schema](../reference-yaml-deployment-managed-online.md).

+- Learn more about how to [troubleshoot managed online endpoints](../how-to-troubleshoot-online-endpoints.md).

+ **Network Requirements** | Access to the following endpoints: <br/><br/>*.docker.io <br/></br>*.docker.com <br/><br/>api.snapcraft.io <br/><br/> https://dc.services.visualstudio.com/v2/track <br/><br/> [Azure Arc-enabled Kubernetes network requirements](../azure-arc/kubernetes/network-requirements.md) <br/><br/>[Azure CLI endpoints for proxy bypass](/cli/azure/azure-cli-endpoints)

+ **Network Requirements** | Access to the following endpoints: <br/><br/> https://dc.services.visualstudio.com/v2/track <br/><br/> [Azure CLI endpoints for proxy bypass](/cli/azure/azure-cli-endpoints)

+[Azure Bastion](../../bastion/bastion-overview.md) is a service that you can deploy to let you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you deploy inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software. There are a variety of different SKU/tiers available for Azure Bastion. The tier you select affects the features that are available. For more information, see [About Bastion configuration settings](../../bastion/configuration-settings.md).

+[Azure Key Vault](relocation-key-vault.md)| ✅ | ✅| ❌ |

+[Azure Site Recovery (Recovery Services vaults)](../site-recovery/move-vaults-across-regions.md?toc=/azure/operational-excellence/toc.json)| ✅ | ✅| ❌ |

+[Azure API Management](../api-management/api-management-howto-migrate.md?toc=/azure/operational-excellence/toc.json)| ✅ | ✅| ❌ |

+[Azure App Service](../app-service/manage-move-across-regions.md?toc=/azure/operational-excellence/toc.json)|❌ | ✅| ❌ |

+[Azure Backup (Recovery Services vault)](../backup/azure-backup-move-vaults-across-regions.md?toc=/azure/operational-excellence/toc.json)| ✅ | ✅| ❌ |

+[Azure Batch](../batch/account-move.md?toc=/azure/operational-excellence/toc.json)|✅ | ✅| ❌ |

+[Azure Cache for Redis](../azure-cache-for-redis/cache-moving-resources.md?toc=/azure/operational-excellence/toc.json)|❌ | ✅| ❌ |

+[Azure Container Registry](../container-registry/manual-regional-move.md)|✅ | ✅| ❌ |

+[Azure Cosmos DB](../cosmos-db/how-to-move-regions.md?toc=/azure/operational-excellence/toc.json)|✅ | ✅| ❌ |

+[Azure Database for MariaDB Server](../mariadb/howto-move-regions-portal.md?toc=/azure/operational-excellence/toc.json)|✅ | ✅| ❌ |

+[Azure Database for MySQL Server](../mysql/howto-move-regions-portal.md?toc=/azure/operational-excellence/toc.json)✅ | ✅| ❌ |

+[Azure Functions](../azure-functions/functions-move-across-regions.md?toc=/azure/operational-excellence/toc.json)|❌ | ✅| ❌ |

+[Azure Logic apps](../logic-apps/move-logic-app-resources.md?toc=/azure/operational-excellence/toc.json)|❌ | ✅| ❌ |

+[Azure Monitor - Log Analytics](./relocation-log-analytics.md)| ❌ | ✅| ❌ |

+[Azure Stream Analytics - Stream Analytics jobs](../stream-analytics/copy-job.md?toc=/azure/operational-excellence/toc.json)| ✅ | ✅| ❌ |

+[Azure Stream Analytics - Stream Analytics cluster](../stream-analytics/move-cluster.md?toc=/azure/operational-excellence/toc.json)|✅ | ✅| ❌ |

+[Azure IoT Hub](/azure/iot-hub/iot-hub-how-to-clone?toc=/azure/operational-excellence/toc.json)| ✅ | ✅| ❌ |

+[Power BI](/power-bi/admin/service-admin-region-move?toc=/azure/operational-excellence/toc.json)| ❌ | ✅| ❌ |

+- Identify all resources dependencies. Depending on how you've deployed Event Hubs, the following services *may* need deployment in the target region:

+ - Event Hubs Namespace

+ - [Event Hubs Cluster](./relocation-event-hub-cluster.md)

+- Identify all dependent resources. Event Hubs is a messaging system that lets applications publish and subscribe for messages. Consider whether or not your application at target requires messaging support for the same set of dependent services that it had at the source target.

+## Considerations for Service Endpoints

+The virtual network service endpoints for Azure Event Hubs restrict access to a specified virtual network. The endpoints can also restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to the Event Hubs from outside those sources is denied access. If Service endpoints were configured in the source region for the Event Hubs resource, the same would need to be done in the target one.

+For a successful recreation of the Event Hubs to the target region, the VNet and Subnet must be created beforehand. In case the move of these two resources is being carried out with the Azure Resource Mover tool, the service endpoints wonΓÇÖt be configured automatically. Hence, they need to be configured manually, which can be done through the [Azure portal](/azure/key-vault/general/quick-create-portal), the [Azure CLI](/azure/key-vault/general/quick-create-cli), or [Azure PowerShell](/azure/key-vault/general/quick-create-powershell).

+## Considerations for Private Endpoint

+Azure Private Link provides private connectivity from a virtual network to [Azure platform as a service (PaaS), customer-owned, or Microsoft partner services](/azure/private-link/private-endpoint-overview). Private Link simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.

+For a successful recreation of the Event Hubs in the target region, the VNet and Subnet must be created before the actual recreation occurs.

+## Modify the template

+Modify the template by changing the Event Hubs namespace name and region.

+# [portal](#tab/azure-portal)

+1. Select **Template deployment**.

+1. In the Azure portal, select **Create**.

+1. Select **Build your own template in the editor**.

+1. Select **Load file**, and then follow the instructions to load the **template.json** file that you downloaded in the last section.

+1. In the **template.json** file, name the Event Hubs namespace by setting the default value of the namespace name. This example sets the default value of the Event Hubs namespace name to `namespace-name`.

+ ```json

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "namespaces_name": {

+ "defaultValue": "namespace-name",

+ "type": "String"

+ },

+ },

+ ```

+1. Edit the **location** property in the **template.json** file to the target region. This example sets the target region to `centralus`.

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.KeyVault/vaults",

+ "apiVersion": "2023-07-01",

+ "name": "[parameters('vaults_name')]",

+ "location": "centralus",

+

+ },

+

+ ]

+ "resources": [

+ {

+ "type": "Microsoft.EventHub/namespaces",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[parameters('namespaces_name')]",

+ "location": "centralus",

+

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/authorizationrules",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/RootManageSharedAccessKey')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "rights": [

+ "Listen",

+ "Manage",

+ "Send"

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/networkrulesets",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/default')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "publicNetworkAccess": "Enabled",

+ "defaultAction": "Deny",

+ "virtualNetworkRules": [

+ {

+ "subnet": {

+ "id": "[concat(parameters('virtualNetworks_vnet_akv_externalid'), '/subnets/default')]"

+ },

+ "ignoreMissingVnetServiceEndpoint": false

+ }

+ ],

+ "ipRules": [],

+ "trustedServiceAccessEnabled": false

+ }

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_peterheesbus_name'), '/81263915-15d5-4f14-8d65-25866d745a66')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_peterheesbus_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "privateEndpoint": {

+ "id": "[parameters('privateEndpoints_pvs_eventhub_externalid')]"

+ },

+ "privateLinkServiceConnectionState": {

+ "status": "Approved",

+ "description": "Auto-Approved"

+ }

+ }

+ }

+ ```

+ To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces, **Central US** = **centralus**.

+1. Remove resources of type private endpoint in the template.

+ ```json

+ {

+ "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",

+

+ }

+ ```

+1. If you configured a service endpoint in your Event Hubs, in the `networkrulesets` section, under `virtualNetworkRules`, add the rule for the target subnet. Ensure that the `ignoreMissingVnetServiceEndpoint`_ flag is set to `False`, so that the IaC fails to deploy the Event Hubs in case the service endpoint isnΓÇÖt configured in the target region.

+ \_parameter.json_

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+

+ "target_vnet_externalid": {

+ "value": "virtualnetwork-externalid"

+ },

+ "target_subnet_name": {

+ "value": "subnet-name"

+ }

+ }

+ }

+ ```

+ \_template.json

+ ```json

+ {

+ "type": "Microsoft.EventHub/namespaces/networkrulesets",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/default')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "publicNetworkAccess": "Enabled",

+ "defaultAction": "Deny",

+ "virtualNetworkRules": [

+ {

+ "subnet": {

+ "id": "[concat(parameters('target_vnet_externalid), concat('/subnets/', parameters('target_subnet_name')]"

+ },

+ "ignoreMissingVnetServiceEndpoint": false

+ }

+ ],

+ "ipRules": [],

+ "trustedServiceAccessEnabled": false

+ }

+ },

+ ```

+1. Select **Save** to save the template.

+# [PowerShell](#tab/azure-powershell)

+1. In the **template.json** file, name the Event Hubs namespace by setting the default value of the namespace name. This example sets the default value of the Event Hubs namespace name to `namespace-name`.

+ ```json

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "namespaces_name": {

+ "defaultValue": "namespace-name",

+ "type": "String"

+ },

+

+ },

+ ```

+2. Edit the **location** property in the **template.json** file to the target region. This example sets the target region to `centralus`.

+ ```json

+ "resources": [

+ {

+ "type": "Microsoft.KeyVault/vaults",

+ "apiVersion": "2023-07-01",

+ "name": "[parameters('vaults_name')]",

+ "location": "centralus",

+

+ },

+

+ ]

+ "resources": [

+ {

+ "type": "Microsoft.EventHub/namespaces",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[parameters('namespaces_name')]",

+ "location": "centralus",

+

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/authorizationrules",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/RootManageSharedAccessKey')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "rights": [

+ "Listen",

+ "Manage",

+ "Send"

+ ]

+ }

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/networkrulesets",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/default')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "publicNetworkAccess": "Enabled",

+ "defaultAction": "Deny",

+ "virtualNetworkRules": [

+ {

+ "subnet": {

+ "id": "[concat(parameters('virtualNetworks_vnet_akv_externalid'), '/subnets/default')]"

+ },

+ "ignoreMissingVnetServiceEndpoint": false

+ }

+ ],

+ "ipRules": [],

+ "trustedServiceAccessEnabled": false

+ }

+ },

+ {

+ "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_peterheesbus_name'), '/81263915-15d5-4f14-8d65-25866d745a66')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_peterheesbus_name'))]"

+ ],

+ "properties": {

+ "provisioningState": "Succeeded",

+ "privateEndpoint": {

+ "id": "[parameters('privateEndpoints_pvs_eventhub_externalid')]"

+ },

+ "privateLinkServiceConnectionState": {

+ "status": "Approved",

+ "description": "Auto-Approved"

+ }

+ }

+ }

+ ```

+ You can obtain region codes by running the [Get-AzLocation](/powershell/module/az.resources/get-azlocation) command.

+ ```azurepowershell-interactive

+ Get-AzLocation | format-table

+ ```

+3. Remove resources of typ private endpoint in the template.

+ ```json

+ {

+ "type": "Microsoft.EventHub/namespaces/privateEndpointConnections",

+

+ }

+ ```

+4. If you configured a service endpoint in your Event Hubs, in the `networkrulesets` section, under `virtualNetworkRules`, add the rule for the target subnet. Ensure that the `ignoreMissingVnetServiceEndpoint` flag is set to False, so that the IaC fails to deploy the Event Hubs in case the service endpoint isnΓÇÖt configured in the target region.

+ \_parameter.json_

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ ...

+ "target_vnet_externalid": {

+ "value": "virtualnetwork-externalid"

+ },

+ "target_subnet_name": {

+ "value": "subnet-name"

+ }

+ }

+ }

+ ```

+ \_template.json

+ ```json

+ {

+ "type": "Microsoft.EventHub/namespaces/networkrulesets",

+ "apiVersion": "2023-01-01-preview",

+ "name": "[concat(parameters('namespaces_name'), '/default')]",

+ "location": "centralus",

+ "dependsOn": [

+ "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_name'))]"

+ ],

+ "properties": {

+ "publicNetworkAccess": "Enabled",

+ "defaultAction": "Deny",

+ "virtualNetworkRules": [

+ {

+ "subnet": {

+ "id": "[concat(parameters('target_vnet_externalid), concat('/subnets/', parameters('target_subnet_name')]"

+ },

+ "ignoreMissingVnetServiceEndpoint": false

+ }

+ ],

+ "ipRules": [],

+ "trustedServiceAccessEnabled": false

+ }

+ },

+ ```

+1. Select **Save** to save the template.

+1. In the Azure portal, select **Create a resource**.

+1. In **Search the Marketplace**, type **template deployment**, and select **Template deployment (deploy using custom templates)**.

+1. Select **Build your own template in the editor**.

+1. Select **Load file**, and then follow the instructions to load the **template.json** file that you modified in the last section.

+1. On the **Custom deployment** page, follow these steps:

+ 3. If Event Hubs in your namespace uses a Storage account for capturing events, specify the resource group name and the storage account for `StorageAccounts_<original storage account name>_external` field.

+ 6. On the **Review + create** page, review settings, and then select **Create**.

+1. Network configuration settings (private endpoints) need to be re-configured in the new Event Hubs.

+For instructions on moving an Event Hubs cluster from one region to another region, see [Relocate Event Hubs to another region](relocation-event-hub-cluster.md) article.

+## Prerequisites

+ - Compute - tenant compute resources (such as VMs, and Nexus Azure Kubernetes Services (AKS) clusters)

+- Configure external networks between the Customer Edge (CE) and Provider Edge (PE) (or Telco Edge) devices that allow connectivity with the provider edge. Configuring access to external services like firewalls and services hosted on Azure (tenant not platform) is outside of the scope of this article.

+- Configure a jumpbox to connect routing domains. Configuring a jumpbox is outside of the scope of this article.

+- Configure network elements on PEs/Telco Edge that aren't controlled by Nexus Network Fabric, such as Express Route Circuits configuration for tenant workloads connectivity to Azure (optional for hybrid setups) or connectivity via the operator's core network.

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgManagedFabric="<RG-MANAGED-FABRIC>"

+export nnfId="<NETWORK-FABRIC-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+export region="<REGION>"

+--nf-id "/subscriptions/$subscriptionId/resourceGroups/$rgManagedFabric/providers/Microsoft.ManagedNetworkFabric/networkFabrics/$nnfId" \

+--redistribute-connected-subnets "True" \

+--redistribute-static-routes "True" \

+--subscription "$subscriptionId"

+To view the new L3ISD isolation domain, enter the following command:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+

+az networkfabric l3domain show --resource-name $l3Isd -g $rgFabric --subscription $subscriptionId

+```

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+# Disable ISD to create internal networks, wait for 5 minutes and check the status is Disabled

+az networkfabric l3domain update-admin-state ΓÇôresource-name "$l3Isd" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId" \

+az networkfabric l3domain show ΓÇôresource-name "$l3Isd" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId"

+With the ISD disabled, you can add, modify, or remove the internal network. When you're finished making changes, re-enable ISD as described in [Enable isolation domain](#enable-isolation-domain).

+export subscriptionId="<SUBSCRIPTION-ID>"

+export intnwDefCni="<DEFAULT-CNI-NAME>"

+export l3Isd="<ISD-NAME>"

+export rgFabric="<RG-FABRIC>"

+export ipv4ListenRangePrefix="<DEFAULT-CNI-IPV4-PREFIX>/<PREFIX-LEN>"

+az networkfabric internalnetwork create ΓÇôresource-name "$intnwDefCni" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId" \

+--l3domain "$l3Isd" \

+--connected-ipv4-subnets "[{prefix:$ipv4ListenRangePrefix}]" \

+{peerASN:$peerAsn,allowAS:0,defaultRouteOriginate:True,ipv4ListenRangePrefixes:['$ipv4ListenRangePrefix']}"

+## Create internal networks for User Plane Function (N3, N6) and Access and Mobility Management Function (N2) interfaces

+When you're creating User Plane Function (UPF) internal networks, dual stack IPv4/IPv6 is supported. You don't need to configure the Border Gateway Protocol (BGP) fabric-side Autonomous System Number (ASN) because ASN is included in network fabric resource creation. Use the following commands to create these internal networks.

+> [!NOTE]

+> Create the number of internal networks as described in the [Prerequisites](#prerequisites) section.

+export subscriptionId="<SUBSCRIPTION-ID>"

+export intnwName="<INTNW-NAME>"

+export l3Isd="<ISD-NAME>" // N2, N3, N6

+export rgFabric="<RG-FABRIC>"

+export ipv4ListenRangePrefix="<IPV4-PREFIX>/<PREFIX-LEN>"

+export ipv6ListenRangePrefix="<IPV6-PREFIX>/<PREFIX-LEN>"

+az networkfabric internalnetwork create ΓÇôresource-name "$intnwName" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId" \

+--l3domain "$l3Isd" \

+--connected-ipv4-subnets "[{prefix:$ipv4ListenRangePrefix}]" \

+--connected-ipv6-subnets "[{prefix:'$ipv6ListenRangePrefix'}]" \ //optional

+--bgp-configuration

+"{peerASN:$peerAsn,allowAS:0,defaultRouteOriginate:True,ipv4ListenRangePrefixes:[$ipv4ListenRangePrefix],ipv6ListenRangePrefixes:['$ipv6ListenRangePrefix']}"

+To view the list of internal networks created, enter the following commands:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+

+az networkfabric internalnetwork list -o table --subscription $subscriptionId -g $rgFabric --l3domain $l3Isd

+```

+To view the details of a specific internal network, enter the following commands:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+export intnwName="<INTNW-NAME>"

+

+az networkfabric internalnetwork show --resource-name $intnwName -g $rgFabric --l3domain $l3Isd

+```

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgFabric="<RG-FABRIC>"

+export l3Isd="<ISD-NAME>"

+az networkfabric l3domain update-admin-state ΓÇôresource-name "$l3Isd" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId" \

+az networkfabric l3domain show ΓÇôresource-name "$l3Isd" \

+--resource-group "$rgFabric" \

+--subscription "$subscriptionId"

+To configure BGP and Bidirectional Forwarding Detection (BFD) routing for internal networks, use the default settings. See the [Nexus documentation](../operator-nexus/howto-configure-isolation-domain.md) for parameter descriptions.

+Before deploying the NAKS cluster, you must create network cloud (NC) L3 networking resources that map to network fabric (NF) resources.

+You must create L3 network NC resources for the default CNI interface, including the ISD/VLAN/IP prefix of a corresponding internal network. Attach these resources directly to VMs to perform VLAN tagging at the Network Interface Card (NIC) Virtual Function (VF) level instead of the application level (access ports from application perspective) and/or if IP addresses are allocated by Nexus (using IP Address Management (ipam) functionality).

+

+An L3 network is used for the default CNI interface. Other interfaces that require multiple VLANs per single interface must be trunk interfaces.

+Export subscriptionId="<SUBSCRIPTION-ID>"

+export rgManagedUndercloudCluster="<RG-MANAGED-UNDERCLOUD-CLUSTER>"

+export undercloudCustLocationName="<UNDERCLOUD-CUST-LOCATION-NAME>"

+export rgFabric="<RG-FABRIC>"

+export rgCompute="<RG-COMPUTE>"

+export l3Name="<L3-NET-NAME>"

+export l3Isd="<ISD-NAME>"

+export region="<REGION>"

+export ipAllocationType="IPV4" // DualStack, IPV4, IPV6

+export ipv4ConnectedPrefix="<DEFAULT-CNI-IPV4-PREFIX>/<PREFIX-LEN>" // if IPV4 or DualStack

+export ipv6ConnectedPrefix="<DEFAULT-CNI-IPV6-PREFIX>/<PREFIX-LEN>" // if IPV6 or DualStack

+--l3-isolation-domain-id

+"/subscriptions/$subscriptionId/resourceGroups/$rgFabric/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/$l3Isd" \

+--extended-location name="/subscriptions/$subscriptionId/resourceGroups/$rgManagedUndercloudCluster/providers/Microsoft.ExtendedLocation/customLocations/$undercloudCustLocationName" type="CustomLocation" \

+--interface-name "vlan-$vlan"

+```

+To view the L3 network created, enter the following commands:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgCompute="<RG-COMPUTE>"

+export l3Name="<L3-NET-NAME>"

+

+az networkcloud l3network show -n $l3Name -g $rgCompute --subscription $subscriptionId

+You must create a trunked network for the Access and Management Mobility Function (AMF) (N2) and UPF (N3, N6).

+--isolation-domain-ids

+ "/subscriptions/$subscriptionId/resourceGroups/$rgFabric/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/$l3IsdUlb" \

+To view the trunked network resource created, enter the following command:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgCompute="<RG-COMPUTE>"

+export trunkName="<TRUNK-NAME>"

+

+az networkcloud trunkednetwork show -n $trunkName -g $rgCompute --subscription $subscriptionId

+```

+### Network Function Manager-based Cloud Services Networks endpoints

+Add the following egress points for Network Function Manager (NFM) based deployment support (HybridNetwork Resource Provider (RP), CustomLocation RP reachability, ACR, Arc):

+- .azurecr.io / port 80

+- .azurecr.io / port 443

+- .mecdevice.azure.com / port 443

+- eastus-prod.mecdevice.azure.com / port 443

+- .microsoftmetrics.com / port 443

+- crprivatemobilenetwork.azurecr.io / port 443

+- .guestconfiguration.azure.com / port 443

+- .kubernetesconfiguration.azure.com / port 443

+- eastus.obo.arc.azure.com / port 8084

+- .windows.net / port 80

+- .windows.net / port 443

+- .k8connecthelm.azureedge.net / port 80

+- .k8connecthelm.azureedge.net / port 443

+- .k8sconnectcsp.azureedge.net / port 80

+- .k8sconnectcsp.azureedge.net / port 443

+- .arc.azure.net / port 80

+- .arc.azure.net / port 443

+For python packages installation (part of the fed-kube_addons pod-node_config command list used for NAKS), add the following endpoints:

+- pypi.org / port 443

+- files.pythonhosted.org / port 443

+> Additional Azure Detat Explorer (ADX) endpoints may need to be included in the allowlist if there is a requirement to inject data into ADX.

+- .ghcr.io / port 80

+- .ghcr.io / port 443

+- .k8s.gcr.io / port 80

+- .k8s.gcr.io / port 443

+- .k8s.io / port 80

+- .k8s.io / port 443

+- .docker.io / port 80

+- .docker.io / port 443

+- .docker.com / port 80

+- .docker.com / port 443

+- .pkg.dev / port 80

+- .pkg.dev / port 443

+- .ubuntu.com / port 80

+- .ubuntu.com / port 443

+> [!NOTE]

+> Adjust the `additional-egress-endpoints` list based on the description and lists provided in the previous sections.

+After you create the CSN, verify the `egress-endpoints` using the following commands at the command line:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgCompute="<RG-COMPUTE>"

+export csnName="<CSN-NAME>"

+

+az networkcloud cloudservicesnetwork show -n $csnName -g $rgCompute --subscription $subscriptionId

+```

+Nexus related resource providers must deploy self-managed resource groups used to deploy the necessary resources created by customers. When Nexus AKS clusters are provisioned, they must be Arc-enabled. The Network Cloud resource provider creates its own managed resource group and deploys it in an Azure Arc Kubernetes cluster resource. Following this deployment, this cluster resource is linked to the NAKS cluster resource.

+> After the NAKS cluster deploys, and the managed resource group is created, you may need to grant privileges to all a user/entra group/service principal access to the managed resource group. This action is contingent upon the subscription level Identity Access Management (IAM) settings.

+To verify the list of created Nexus clusters, enter the following command:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+

+az networkcloud kubernetescluster list -o table --subscription $subscriptionId

+```

+To verify the details of a created cluster, enter the following command:

+```azurecli

+export subscriptionId="<SUBSCRIPTION-ID>"

+export rgCompute="<RG-COMPUTE>"

+export naksName="<NAKS-NAME>"

+

+az networkcloud kubernetescluster show -n $naksName -g $rgCompute --subscription $subscriptionId

+```

+After the cluster is created, you can enable the NFM extension and set a custom location so the cluster can be deployed via AOSM or NFM.

+- Directly from the IP address/port (from a jumpbox that has connectivity to the Tenant NAKS API server)

+- Using the Azure CLI and connectedk8s proxy option as described under the link to access clusters directly. The Service Principal's or user's EntraID/AAD group (used with Azure CLI) must be provided during the NAKS cluster provisioning. Additionally, you must have a custom role assigned to the managed resource group created by the Network Cloud RP. One of the following actions must be enabled in this role:

+## Azure Edge services

+Azure Operator 5G Core is a telecommunications workload that enables you to offer services to consumer and enterprise end-users. The Azure Operator 5G Core workloads run on a Network Functions Virtualization Infrastructure (NFVI) layer and may depend on other NFVI services.

+### Edge NFVI functions (running on Azure Operator Nexus)

+> [!NOTE]

+> The Edge NFVI related services may be updated occasionally. For more information about these services, see the specific service's documentation.

+- **Azure Operator Nexus** - Azure Operator Nexus is a carrier-grade, next-generation hybrid cloud platform for telecommunication operators. Azure Operator Nexus is purpose-built for operators' network-intensive workloads and mission-critical applications.

+

+- Any other hardware and services Azure Operator Nexus may depend on.

+- **Azure Arc** - Provides a unified management and governance platform for Azure Operator 5G Core applications and services across Azure and on-premises environments.

+- **Azure Monitor** - Provides a comprehensive solution for monitoring the performance and health of Azure Operator 5G Core applications and services across Azure and on-premises environments.

+- **EntraID** - Provides identity and access management for Azure Operator 5G Core users and administrators across Azure and on-premises environments.

+- **Azure Key Vault** - Provides a secure and centralized store for managing encryption keys and secrets for Azure Operator 5G Core across Azure and on-premises environments.

+> [feedback forum](https://aka.ms/pgfeedback)

+**Upgrade the major version of a flexible server.**

+az postgres flexible-server upgrade --version {16, 15, 14, 13, 12}

+ [--ids]

+ [--name] [-n]

+ [--resource-group] [-g]

+ [--subscription]

+ [--version] [-v]

+ [--yes] [-y]

+

+### Example

+**Upgrade server 'testsvr' to PostgreSQL major version 16**

+az postgres flexible-server upgrade -g testgroup -n testsvr -v 16 -y

+- [feedback forum](https://aka.ms/pgfeedback)

+> |  Foundational |  Mainstream |

+> | Azure Application Gateway | Azure API Management |

+> | Azure Backup | Azure App Configuration |

+> | Azure Cosmos DB | Azure App Service |

+> | Azure Event Hubs | Microsoft Entra Domain Services |

+> | Azure Key Vault | Azure Batch |

+> | Azure Load Balancer | Azure Cache for Redis |

+> | Azure Public IP | Azure AI Search |

+> | Azure Service Bus | Azure Container Registry |

+> | Azure Site Recovery | Azure Data Explorer |

+> | Azure SQL | Azure Data Factory |

+> | Azure Storage: Disk Storage | Azure Database for MySQL |

+> | Azure Storage Accounts | Azure Database for PostgreSQL |

+> | Azure Storage: Blob Storage | Azure DDoS Protection |

+> | Azure Storage Data Lake Storage | Azure Event Grid |

+> | Azure Virtual Machines | Azure Firewall |

+> | Virtual Machines: Bs-series | Azure HDInsight |

+> | Virtual Machines: Dv2 and DSv2-series | Azure IoT Hub |

+> | Virtual Machines: Dv3 and DSv3-series | Azure Kubernetes Service (AKS) |

+> | Virtual Machines: ESv3 abd ESv3-series | Azure Logic Apps |

+> | Azure Virtual Network | Azure Media Services |

+> | Azure VPN Gateway | Azure Monitor: Application Insights |

+> | | Azure Monitor: Log Analytics |

+> | | Azure Network Watcher |

+> | | Azure Private Link |

+> | | Azure Virtual WAN |

+> | | Premium Blob Storage |

+> | | Virtual Machines: Ddsv4-series |

+> | | Virtual Machines: Ddv4-series |

+> | | Virtual Machines: Dsv4-series |

+> | | Virtual Machines: Dv4-series |

+> | | Virtual Machines: Edsv4-series |

+> | | Virtual Machines: Edv4-series |

+> | | Virtual Machines: Esv4-series |

+> | | Virtual Machines: Ev4-series |

+> | | Virtual Machines: Fsv2-series |

+> | | Virtual Machines: M-series |

+> |  Foundational |

+> |-|

+# Move Azure VMs to an availability zone in another region with Azure Resource Mover

+In this article, learn how to move Azure VMs (and related network/storage resources) to an availability zone in a different Azure region, using [Azure Resource Mover](overview.md). To use migration methods other than Resource Mover, see [Migrate Virtual Machines and Virtual Machine Scale Sets to availability zone support](../reliability/migrate-vm.md).

+#Customer intent: As an Azure admin, I want to relocate Azure resources to a different Azure region with Azure Resource Mover

+# Move resources across regions (from resource group) with Azure Resource Mover

+In this article, learn how to move resources in a specific resource group to a different Azure region with [Azure Resource Mover](overview.md). In the resource group, you select the resources you want to move.

+To move services and resources manually or to move services and resources that aren't supported by Azure Resource Mover, see [Azure services relocation guidance](/azure/operational-excellence/overview-relocation).

+## Related content

+- [Azure services relocation guidance](/azure/operational-excellence/overview-relocation)

+- [Cloud Adoption Framework - Relocate cloud workloads](/azure/cloud-adoption-framework/relocate/)

+- [Learn about](about-move-process.md) the move process with Resource Mover.

+To move over services and resource not supported by Resource Mover or to move any service and resource by manual methods, see:

+- [Availability zone migration guidance overview for Microsoft Azure products and services](../reliability/availability-zones-migration-overview.md).

+- [Azure services relocation guidance overview](/azure/operational-excellence/overview-relocation)

+> | [Environment](#environment-attributes) | Attribute is associated with the environment of the request, such as the network origin of the request or the current date and time.</br> | `@Environment` |

+The following table lists the status of condition features:

+| Use [environment attributes](conditions-format.md#environment-attributes) in a condition | GA | April 2024 |

+ - **Environment** indicates that the attribute is associated with the network environment over which the resource is accessed such as a private link, or the current date and time.

+### When a VNet peering is created between my hub VNet and spoke VNet, does this cause a BGP soft reset between Azure Route Server and its peered NVAs?

+Yes. If a VNet peering is created between your hub VNet and spoke VNet, Azure Route Server will perform a BGP soft reset by sending route refresh requests to all its peered NVAs. If the NVAs do not support BGP route refresh, then Azure Route Server will perform a BGP hard reset with the peered NVAs, which may cause connectivity disruption for traffic traversing the NVAs.

+[2235581]:https://launchpad.support.sap.com/#/notes/2235581

+[2684254]:https://launchpad.support.sap.com/#/notes/2684254

+[sles-for-sap-bp12]:https://documentation.suse.com/sbp/sap-12/

+[sles-for-sap-bp15]:https://documentation.suse.com/sbp/sap-15/

+- SAP Note [2205917] has recommended OS settings for SUSE Linux Enterprise Server 12 (SLES 12) for SAP Applications.

+- SAP Note [2684254] has recommended OS settings for SUSE Linux Enterprise Server 15 (SLES 15) for SAP Applications.

+- SAP Note [2235581] has SAP HANA supported Operating systems

+- [SUSE Linux Enterprise Server for SAP Applications 15 best practices guides][sles-for-sap-bp15] and [SUSE Linux Enterprise Server for SAP Applications 12 best practices guides][sles-for-sap-bp12]:

+> [!NOTE]

+> A dead-letter subqueue exists for a queue or a topic subscription only when you have the [dead-letter feature](service-bus-dead-letter-queues.md) enabled for the queue or subscription.

+ Title: Azure Service Bus premium messaging tier

+# Service Bus premium messaging tier

+| Criteria | Premium | Standard |

+| | | |

+| Throughout | High throughput |Variable throughput |

+| Performance | Predictable performance |Variable latency |

+| Pricing | Fixed pricing |Pay as you go variable pricing |

+| Scale | Ability to scale workload up and down |N/A |

+| Message size | Message size up to 100 MB. For more information, see [Large message support](#large-messages-support). |Message size up to 256 KB |

+- Supported only when using the AMQP protocol. Not supported when using SBMP or HTTP protocols, in the premium tier, the maximum message size for these protocols is 1 MB.

+- While 100-MB message payloads are supported, it's recommended to keep the message payloads as small as possible to ensure reliable performance from the Service Bus namespace.

+Azure Service Bus Premium provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). Service Bus Premium uses Azure Storage to store the data. All the data that's stored with Azure Storage is encrypted using Microsoft-managed keys. If you use your own key (also referred to as customer managed key (CMD) or customer-managed key), the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key is encrypted using the customer-managed key. This feature enables you to create, rotate, disable, and revoke access to customer-managed keys that are used for encrypting Microsoft-managed keys. Enabling the CMK feature is a one time setup process on your namespace. For more information, see [Encrypting Azure Service Bus data at rest](configure-customer-managed-key.md).

+- Partitioning is available at entity creation for all queues and topics in basic or standard SKUs. A namespace can have both partitioned and nonpartitioned entities. Partitioning is available at namespace creation for the premium tier, and all queues and topics in that namespace will be partitioned. Any previously migrated partitioned entities in premium namespaces continue to work as expected.

+The Service Bus Geo-disaster recovery feature is designed to make it easier to recover from a disaster of this magnitude and abandon a failed Azure region for good without having to change your application configurations. Abandoning an Azure region typically involves several services and this feature primarily aims at helping to preserve the integrity of the composite application configuration. The feature is globally available for the Service Bus premium tier.

+See the following article: [Automatically update messaging units](automate-update-messaging-units.md).

+ Title: How Service Connector helps Azure Kubernetes Service (AKS) connect to other Azure services

+description: Learn how to use Service Connector in Azure Kubernetes Service (AKS).

+# How to use Service Connector in Azure Kubernetes Service (AKS)

+Azure Kubernetes Service (AKS) is one of the compute services supported by Service Connector. This article aims to help you understand:

+* What operations are made on the cluster when creating a service connection.

+* How to use the kubernetes resources Service Connector creates.

+* How to troubleshoot and view logs of Service Connector in an AKS cluster.

+## Prerequisites

+* This guide assumes that you already know the [basic concepts of Service Connector](concept-service-connector-internals.md).

+## What operations Service Connector makes on the cluster

+Depending on the different target services and authentication types selected when creating a service connection, Service Connector makes different operations on the AKS cluster. The following lists the possible operations made by Service Connector.

+### Add the Service Connector kubernetes extension

+A kubernetes extension named `sc-extension` is added to the cluster the first time a service connection is created. Later on, the extension helps create kubernetes resources in user's cluster, whenever a service connection request comes to Service Connector. You can find the extension in your AKS cluster in the Azure portal, in the Extensions + applications menu.

+The extension is also where the cluster connections metadata are stored. Uninstalling the extension makes all the connections in the cluster unavailable. The extension operator is hosted in the cluster namespace `sc-system`.

+### Create kubernetes resources

+Service Connector creates some kubernetes resources to the namespace the user specified when creating a service connection. The kubernetes resources store the connection information, which is needed by the user's workload definitions or application code to talk to target services. Depending on different authentication types, different kubernetes resources are created. For the `Connection String` and `Service Principal` auth types, a kubernetes secret is created. For the `Workload Identity` auth type, a kubernetes service account is also created in addition to a kubernetes secret.

+You can find the kubernetes resources created by Service Connector for each service connection on the Azure portal in your kubernetes resource, in the Service Connector menu.

+Deleting a service connection doesn't delete the associated Kubernetes resource. If necessary, remove your resource manually, using for example the kubectl delete command.

+### Enable the `azureKeyvaultSecretsProvider` addon

+If target service is Azure Key Vault and the Secret Store CSI Driver is enabled when creating a service connection, Service Connector enables the `azureKeyvaultSecretsProvider` add-on for the cluster.

+Follow the [Connect to Azure Key Vault using CSI driver tutorial](./tutorial-python-aks-keyvault-csi-driver.md)to set up a connection to Azure Key Vault using Secret Store CSI driver.

+### Enable workload identity and OpenID Connect (OIDC) issuer

+If the authentication type is `Workload Identity` when creating a service connection, Service Connector enables workload identity and OIDC issuer for the cluster.

+When the authentication type is `Workload Identity`, a user-assigned managed identity is needed to create the federated identity credential. Learn more from [what are workload identities](/entr)to set up a connection to Azure Storage using workload identity.

+## How to use the Service Connector created kubernetes resources

+Different kubernetes resources are created when the target service type and authentication type are different. The following sections show how to use the Service Connector created kubernetes resources in your cluster workloads definition and application codes.

+#### Kubernetes secret

+A kubernetes secret is created when the authentication type is `Connection String` or `Service Principal`. Your cluster workload definition can reference the secret directly. The following snnipet is an example.

+```yaml

+apiVersion: batch/v1

+kind: Job

+metadata:

+ namespace: default

+ name: sc-sample-job

+spec:

+ template:

+ spec:

+ containers:

+ - name: raw-linux

+ image: alpine

+ command: ['printenv']

+ envFrom:

+ - secretRef:

+ name: <SecretCreatedByServiceConnector>

+ restartPolicy: OnFailure

+```

+Then, your application codes can consume the connection string in the secret from environment variable. You can check the [sample code](./how-to-integrate-storage-blob.md) to learn more about the environment variable names and how to use them in your application codes to authenticate to different target services.

+#### Kubernetes service account

+Both a kubernetes service account and a secret are created when the authentication type is `Workload Identity`. Your cluster workload definition can reference the service account and secret to authenticate through workload identity. The following snipet provides an example.

+```yaml

+apiVersion: batch/v1

+kind: Job

+metadata:

+ namespace: default

+ name: sc-sample-job

+ labels:

+ azure.workload.identity/use: "true"

+spec:

+ template:

+ spec:

+ serviceAccountName: <ServiceAccountCreatedByServiceConnector>

+ containers:

+ - name: raw-linux

+ image: alpine

+ command: ['printenv']

+ envFrom:

+ - secretRef:

+ name: <SecretCreatedByServiceConnector>

+ restartPolicy: OnFailure

+```

+You may check the tutorial to learn [how to connect to Azure Storage using workload identity](tutorial-python-aks-storage-workload-identity.md).

+## How to troubleshoot and view logs

+If an error happens and couldn't be mitigated by retrying when creating a service connection, the following methods can help gather more information for troubleshooting.

+### Check Service Connector kubernetes extension

+Service Connector kubernetes extension is built on top of [Azure Arc-enabled Kubernetes cluster extensions](../azure-arc/kubernetes/extensions.md). Use the following commands to investigate if there are any errors during the extension installation or updating.

+1. Install the `k8s-extension` Azure CLI extension.

+```azurecli

+az extension add --name k8s-extension

+```

+1. Get the Service Connector extension status. Check the `statuses` property in the command output to see if there are any errors.

+```azurecli

+az k8s-extension show \

+ --resource-group MyClusterResourceGroup \

+ --cluster-name MyCluster \

+ --cluster-type managedClusters \

+ --name sc-extension

+```

+### Check kubernetes cluster logs

+If there's an error during the extension installation, and the error message in the `statuses` property doesn't provide enough information about what happened, you can further check the kubernetes logs with the followings steps.

+1. Connect to your AKS cluster.

+ ```azurecli

+ az aks get-credentials \

+ --resource-group MyClusterResourceGroup \

+ --name MyCluster

+ ```

+1. Service Connector extension is installed in the namespace `sc-system` through helm chart, check the namespace and the helm release by following commands.

+ - Check the namespace exists.

+ ```Bash

+ kubectl get ns

+ ```

+ - Check the helm release status.

+ ```Bash

+ helm list -n sc-system

+ ```

+1. During the extension installation or updating, a kubernetes job called `sc-job` creates the kubernetes resources for the service connection. The job execution failure usually causes the extension failure. Check the job status by running the following commands. If `sc-job` doesn't exist in `sc-system` namespace, it should have been executed successfully. This job is designed to be automatically deleted after successful execution.

+ - Check the job exists.

+ ```Bash

+ kubectl get job -n sc-system

+ ```

+ - Get the job status.

+ ```Bash

+ kubectl describe job/sc-job -n sc-system

+ ```

+ - View the job logs.

+ ```Bash

+ kubectl logs job/sc-job -n sc-system

+ ```

+## Next steps

+Learn how to integrate different target services and read about their configuration settings and authentication methods.

+> [!div class="nextstepaction"]

+> [Learn about how to integrate storage blob](./how-to-integrate-storage-blob.md)

+ Title: Quickstart - Create a service connection in Azure Kubernetes Service (AKS) with the Azure CLI

+description: Quickstart showing how to create a service connection in Azure Kubernetes Service (AKS) with the Azure CLI

+ms.devlang: azurecli

+# Quickstart: Create a service connection in AKS cluster with the Azure CLI

+This quickstart shows you how to connect Azure Kubernetes Service (AKS) to other Cloud resources using Azure CLI and Service Connector. Service Connector lets you quickly connect compute services to cloud services, while managing your connection's authentication and networking settings.

+* This quickstart requires version 2.30.0 or higher of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+* This quickstart assumes that you already have an AKS cluster. If you don't have one yet, [create an AKS cluster](../aks/learn/quick-kubernetes-deploy-cli.md).

+* This quickstart assumes that you already have an Azure Storage account. If you don't have one yet, [create an Azure Storage account](../storage/common/storage-account-create.md).

+## Initial set-up

+1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider.

+ ```azurecli

+ az provider register -n Microsoft.ServiceLinker

+ ```

+ > [!TIP]

+ > You can check if the resource provider has already been registered by running the command `az provider show -n "Microsoft.ServiceLinker" --query registrationState`. If the output is `Registered`, then Service Connector has already been registered.

+1. Optionally, use the Azure CLI command to get a list of supported target services for AKS cluster.

+ ```azurecli

+ az aks connection list-support-types --output table

+ ```

+## Create a service connection

+### [Using an access key](#tab/Using-access-key)

+Run the following Azure CLI command to create a service connection to an Azure Blob Storage with an access key, providing the following information.

+```azurecli

+az aks connection create storage-blob --secret

+```

+Provide the following information as prompted:

+* **Source compute service resource group name:** the resource group name of the AKS cluster.

+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.

+* **Target service resource group name:** the resource group name of the Blob Storage.

+* **Storage account name:** the account name of your Blob Storage.

+> [!NOTE]

+> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --secret` to provision a new one and directly get connected to your aks cluster.

+### [Using a workload identity](#tab/Using-Managed-Identity)

+> [!IMPORTANT]

+> Using Managed Identity requires you have the permission to [Azure AD role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have the permission, your connection creation will fail. You can ask your subscription owner for the permission or use an access key to create the connection.

+Use the Azure CLI command to create a service connection to a Blob Storage with a workload identity, providing the following information:

+* **Source compute service resource group name:** the resource group name of the AKS cluster.

+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.

+* **Target service resource group name:** the resource group name of the Blob Storage.

+* **Storage account name:** the account name of your Blob Storage.

+* **User-assigned identity subscription ID:** the subscription ID of the user assigned identity that used to create workload identity

+* **User-assigned identity client ID:** the client ID of the user assigned identity used to create workload identity

+```azurecli

+az aks connection create storage-blob \

+ --workload-identity client-id="<your-user-assigned-identity-client-id>" subs-id="<your-user-assigned-identity-subscription-id>"

+```

+> [!NOTE]

+> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --workload-identity client-id="<your-user-assigned-identity-client-id>" subs-id="<your-user-assigned-identity-subscription-id>"` to provision a new one and get connected to your function app straightaway.

+## View connections

+Use the Azure CLI [az aks connection list](/cli/azure/functionapp/connection#az-functionapp-connection-list) command to list connections to your AKS Cluster, providing the following information:

+* **Source compute service resource group name:** the resource group name of the AKS cluster.

+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.

+```azurecli

+az aks connection list \

+ -g "<your-aks-cluster-resource-group>" \

+ -n "<your-aks-cluster-name>" \

+ --output table

+```

+## Next steps

+Go to the following tutorials to start connecting AKS cluster to Azure services with Service Connector.

+> [!div class="nextstepaction"]

+> [Tutorial: Connect to Azure Key Vault using CSI driver](./tutorial-python-aks-keyvault-csi-driver.md)

+> [!div class="nextstepaction"]

+> [Tutorial: Connect to Azure Storage using workload identity](./tutorial-python-aks-storage-workload-identity.md)

+ Title: Quickstart - Create a service connection in Azure Kubernetes Service (AKS) from the Azure portal

+description: Quickstart showing how to create a service connection in Azure Kubernetes Service (AKS) from the Azure portal

+# Quickstart: Create a service connection in an AKS cluster from the Azure portal

+Get started with Service Connector by using the Azure portal to create a new service connection in an Azure Kubernetes Service (AKS) cluster.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+- An AKS cluster in a [region supported by Service Connector](./concept-region-support.md). If you don't have one yet, [create an AKS cluster](../aks/learn/quick-kubernetes-deploy-cli.md).

+## Sign in to Azure

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+## Create a new service connection in AKS cluster

+1. To create a new service connection in AKS cluster, select the **Search resources, services and docs (G +/)** search bar at the top of the Azure portal, type *AKS*, and select **Kubernetes services**.

+ :::image type="content" source="./media/aks-quickstart/select-aks-cluster.png" alt-text="Screenshot of the Azure portal, selecting AKS cluster.":::

+1. Select the AKS cluster you want to connect to a target resource.

+1. Select **Service Connector** from the left table of contents. Then select **Create**.

+ :::image type="content" source="./media/aks-quickstart/select-service-connector.png" alt-text="Screenshot of the Azure portal, selecting Service Connector and creating new connection.":::

+1. Select or enter the following settings.

+ | Setting | Example | Description |

+ ||-|-|

+ | **Kubernetes namespace**| *default* | The namespace where you need the connection in the cluster. |

+ | **Service type** | Storage - Blob | The target service type. If you don't have a Microsoft Blob Storage, you can [create one](../storage/blobs/storage-quickstart-blobs-portal.md) or use another service type. |

+ | **Connection name** | *my_connection* | The connection name that identifies the connection between your AKS cluster and target service. Use the connection name provided by Service Connector or choose your own connection name. |

+ | **Subscription** | My subscription | The subscription for your target service (the service you want to connect to). The default value is the subscription for this AKS cluster. |

+ | **Storage account** | *my_storage_account* | The target storage account you want to connect to. Target service instances to choose from vary according to the selected service type. |

+ | **Client type** | *python* | The code language or framework you use to connect to the target service. |

+1. Select **Next: Authentication** to choose an authentication method.

+ ### [Workload identity](#tab/UMI)

+ Select **Workload identity** to authenticate through [Microsoft Entra workload identity](/entra/workload-id/workload-identities-overview) to one or more instances of an Azure service. Then select a user-assigned managed identity to enable workload identity.

+ ### [Connection string](#tab/CS)

+

+ Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.

+

+ ### [Service principal](#tab/SP)

+

+ Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application.

+

+1. Select **Next: Networking** to configure the network access to your target service and select **Configure firewall rules to enable access to your target service**.

+1. Select **Next: Review + Create** to review the provided information. Then select **Create** to create the service connection. This operation may take a minute to complete.

+## View service connections in AKS cluster

+1. The **Service Connector** tab displays existing connections in this cluster.

+1. Select **Network View** to see all the service connections in a network topology view.

+ :::image type="content" source="./media/aks-quickstart/list-and-view.png" alt-text="Screenshot of the Azure portal, listing and viewing the connections.":::

+## Next steps

+Follow the following tutorials to start connecting to Azure services on AKS cluster with Service Connector.

+> [!div class="nextstepaction"]

+> [Tutorial: Connect to Azure Key Vault using CSI driver](./tutorial-python-aks-keyvault-csi-driver.md)

+> [!div class="nextstepaction"]

+> [Tutorial: Connect to Azure Storage using workload identity](./tutorial-python-aks-storage-workload-identity.md)

+ Title: 'Tutorial: Use the Azure Key Vault provider for Secrets Store CSI Driver in an AKS cluster with Service Connector'

+description: Learn how to connect to Azure Key Vault using CSI driver in an AKS cluster with the help of Service Connector.

+# Tutorial: Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster

+Learn how to connect to Azure Key Vault using CSI driver in an Azure Kubernetes Service (AKS) cluster with the help of Service Connector. In this tutorial, you complete the following tasks:

+> [!div class="checklist"]

+>

+> * Create an AKS cluster and an Azure Key Vault.

+> * Create a connection between the AKS cluster and the Azure Key Vault with Service Connector.

+> * Create a `SecretProviderClass` CRD and a `pod` consuming the CSI provider to test the connection.

+> * Clean up resources.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+* [Install](/cli/azure/install-azure-cli) the Azure CLI, and sign in to Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.

+* Install [Docker](https://docs.docker.com/get-docker/)and [kubectl](https://kubernetes.io/docs/tasks/tools/), to manage container image and Kubernetes resources.

+* A basic understanding of container and AKS. Get started from [preparing an application for AKS](../aks/tutorial-kubernetes-prepare-app.md).

+## Create Azure resources

+1. Create a resource group for this tutorial.

+ ```azurecli

+ az group create \

+ --name MyResourceGroup \

+ --location eastus

+ ```

+1. Create an AKS cluster with the following command, or referring to the [tutorial](../aks/learn/quick-kubernetes-deploy-cli.md). This is the cluster where we create the service connection, pod definition and deploy the sample application to.

+ ```azurecli

+ az aks create \

+ --resource-group MyResourceGroup \

+ --name MyAKSCluster \

+ --enable-managed-identity \

+ --node-count 1

+ ```

+1. Connect to the cluster with the following command.

+ ```azurecli

+ az aks get-credentials \

+ --resource-group MyResourceGroup \

+ --name MyAKSCluster

+ ```

+1. Create an Azure Key Vault with the following command, or referring to the [tutorial](../key-vault/general/quick-create-cli.md). This is the target service that is connected to the AKS cluster and the CSI driver synchronize secrets from.

+ ```azurecli

+ az keyvault create \

+ --resource-group MyResourceGroup \

+ --name MyKeyVault \

+ --location EastUS

+ ```

+1. Create a secret in the Key Vault with the following command.

+ ```azurecli

+ az keyvault secret set \

+ --vault-name MyKeyVault \

+ --name ExampleSecret \

+ --value MyAKSExampleSecret

+ ```

+## Create a service connection with Service Connector

+Create a service connection between an AKS cluster and an Azure Key Vault using the Azure portal or the Azure CLI.

+### [Portal](#tab/azure-portal)

+1. Open your **Kubernetes service** in the Azure portal and select **Service Connector** from the left menu.

+1. Select **Create** and fill in the settings as shown below. Leave the other settings with their default values.

+ | Setting | Choice | Description |

+ ||--|-|

+ | **Kubernetes namespace**| *default* | The namespace where you need the connection in the cluster. |

+ | **Service type** | *Key Vault (enable CSI)* | Choose Key Vault as the target service type and check the option to enable CSI. |

+ | **Connection name** | *keyvault_conn* | Use the connection name provided by Service Connector or choose your own connection name. |

+ | **Subscription** | `<MySubscription>` | The subscription for your Azure Key Vault target service. |

+ | **Key vault** | `<MyKeyVault>` | The target key vault you want to connect to. |

+ | **Client type** | *Python* | The code language or framework you use to connect to the target service. |

+1. Once the connection has been created, the Service Connector page displays information about the new connection.

+ :::image type="content" source="./media/aks-tutorial/kubernetes-resources.png" alt-text="Screenshot of the Azure portal, viewing kubernetes resources created by Service Connector.":::

+### [Azure CLI](#tab/azure-cli)

+Run the following Azure CLI command to create a service connection to an Azure Key Vault.

+```azurecli

+az aks connection create keyvault --enable-csi

+```

+Provide the following information as prompted:

+* **Source compute service resource group name:** the resource group name of the AKS cluster.

+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.

+* **Target service resource group name:** the resource group name of the Azure Key Vault.

+* **Key vault name:** the Azure Key Vault that is connected.

+## Test the connection

+1. Clone the sample repository:

+ ```Bash

+ git clone https://github.com/Azure-Samples/serviceconnector-aks-samples.git

+ ```

+1. Go to the repository's sample folder for Azure Key Vault:

+ ```Bash

+ cd serviceconnector-aks-samples/azure-keyvault-csi-provider

+ ```

+1. Replace the placeholders in the `secret_provider_class.yaml` file in the `azure-keyvault-csi-provider` folder.

+ * Replace `<AZURE_KEYVAULT_NAME>` with the name of the key vault we created and connected. You may get the value from Azure portal of Service Connector.

+ * Replace `<AZURE_KEYVAULT_TENANTID>` with the tenant ID of the key vault. You may get the value from Azure portal of Service Connector.

+ * Replace `<AZURE_KEYVAULT_CLIENTID>` with identity client ID of the `azureKeyvaultSecretsProvider` addon. You may get the value from Azure portal of Service Connector.

+ * Replace `<KEYVAULT_SECRET_NAME>` with the key vault secret name we created, for example, `ExampleSecret`

+1. Deploy the Kubernetes resources to your cluster with the `kubectl apply` command. Install `kubectl` locally using the [az aks install-cli](/cli/azure/aks#az_aks_install_cli) command if it isn't installed.

+ 1. Deploy the `SecretProviderClass` CRD.

+ ```Bash

+ kubectl apply -f secret_provider_class.yaml

+ ```

+ 1. Deploy the `pod`. The command creates a pod named `sc-demo-keyvault-csi` in the default namespace of your AKS cluster.

+ ```Bash

+ kubectl apply -f pod.yaml

+ ```

+1. Check the deployment is successful by viewing the pod with `kubectl`.

+ ```Bash

+ kubectl get pod/sc-demo-keyvault-csi

+ ```

+1. After the pod starts, the mounted content at the volume path specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret.

+ * Show secrets held in the secrets store using the following command.

+ ```Bash

+ kubectl exec sc-demo-keyvault-csi -- ls /mnt/secrets-store/

+ ```

+ * Display a secret in the store using the following command. This example command shows the test secret `ExampleSecret`.

+ ```Bash

+ kubectl exec sc-demo-keyvault-csi -- cat /mnt/secrets-store/ExampleSecret

+ ```

+## Clean up resources

+If you don't need to reuse the resources you've created in this tutorial, delete all the resources you created by deleting your resource group.

+```azurecli

+az group delete \

+ --resource-group MyResourceGroup

+```

+## Next steps

+Read the following articles to learn more about Service Connector concepts and how it helps AKS connect to services.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+> [!div class="nextstepaction"]

+> [Use Service Connector to connect an AKS cluster to other cloud services](./how-to-use-service-connector-in-aks.md)

+ Title: 'Tutorial: Connect to Azure storage account in Azure Kubernetes Service (AKS) with Service Connector using workload identity'

+description: Learn how to connect to an Azure storage account using workload identity with the help of Service Connector

+# Tutorial: Connect to Azure storage account in Azure Kubernetes Service (AKS) with Service Connector using workload identity

+Learn how to create a pod in an AKS cluster, which talks to an Azure storage account using workload identity with the help of Service Connector. In this tutorial, you complete the following tasks:

+> [!div class="checklist"]

+>

+> * Create an AKS cluster and an Azure storage account.

+> * Create a connection between the AKS cluster and the Azure storage account with Service Connector.

+> * Clone a sample application that will talk to the Azure storage account from an AKS cluster.

+> * Deploy the application to a pod in AKS cluster and test the connection.

+> * Clean up resources.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+* [Install](/cli/azure/install-azure-cli) the Azure CLI, and sign in to Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.

+* Install [Docker](https://docs.docker.com/get-docker/)and [kubectl](https://kubernetes.io/docs/tasks/tools/), to manage container image and Kubernetes resources.

+* A basic understanding of container and AKS. Get started from [preparing an application for AKS](../aks/tutorial-kubernetes-prepare-app.md).

+* A basic understanding of [workload identity](/entra/workload-id/workload-identities-overview).

+## Create Azure resources

+1. Create a resource group for this tutorial.

+```azurecli

+az group create \

+ --name MyResourceGroup \

+ --location eastus

+```

+1. Create an AKS cluster with the following command, or referring to the [tutorial](../aks/learn/quick-kubernetes-deploy-cli.md). We create the service connection, pod definition and deploy the sample application to this cluster.

+ ```azurecli

+ az aks create \

+ --resource-group MyResourceGroup \

+ --name MyAKSCluster \

+ --enable-managed-identity \

+ --node-count 1

+ ```

+1. connect to the cluster with the following command.

+ ```azurecli

+ az aks get-credentials \

+ --resource-group MyResourceGroup \

+ --name MyAKSCluster

+ ```

+1. Create an Azure storage account with the following command, or referring to the [tutorial](../storage/common/storage-account-create.md). This is the target service that is connected to the AKS cluster and sample application interacts with.

+```azurecli

+az storage account create \

+ --resource-group MyResourceGroup \

+ --name MyStorageAccount \

+ --location eastus \

+ --sku Standard_LRS

+```

+1. Create an Azure container registry with the following command, or referring to the [tutorial](../container-registry/container-registry-get-started-portal.md). The registry hosts the container image of the sample application, which will be consumed by the AKS pod definition.

+```azurecli

+az acr create \

+ --resource-group MyResourceGroup \

+ --name MyRegistry \

+ --sku Standard

+```

+And enable anonymous pull so that AKS cluster can consume the images in the registry.

+```azurecli

+az acr update \

+ --resource-group MyResourceGroup \

+ --name MyRegistry \

+ --anonymous-pull-enabled

+```

+1. Create a user-assigned managed identity with the following command, or referring to the [tutorial](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). The user-assigned managed identity is used in service connection creation to enable workload identity for AKS workloads.

+```azurecli

+az identity create \

+ --resource-group MyResourceGroup \

+ --name MyIdentity

+```

+## Create service connection with Service Connector

+Create a service connection between an AKS cluster and an Azure storage account using the Azure portal or the Azure CLI.

+### [Portal](#tab/azure-portal)

+1. Open your **Kubernetes service** in the Azure portal and select **Service Connector** from the left menu.

+1. Select **Create** and fill in the settings as shown below. Leave the other settings with their default values.

+ Basics tab:

+ | Setting | Choice | Description |

+ ||-|-|

+ | **Kubernetes namespace**| *default* | The namespace where you need the connection in the cluster. |

+ | **Service type** | *Storage - Blob* | The target service type. |

+ | **Connection name** | *storage_conn* | Use the connection name provided by Service Connector or choose your own connection name. |

+ | **Subscription** | `<MySubscription>` | The subscription for your Azure Blob Storage target service. |

+ | **Storage account** | `<MyStorageAccount>` | The target storage account you want to connect to. |

+ | **Client type** | *Python* | The code language or framework you use to connect to the target service. |

+ Authentication tab:

+ | Authentication Setting | Choice | Description |

+ |||-|

+ | **Authentication type** | *Workload Identity* | Service Connector authentication type. |

+ | **User assigned managed identity** | `<MyIdentity>` | A user assigned managed identity is needed to enable workload identity. |

+1. Once the connection has been created, the Service Connector page displays information about the new connection.

+### [Azure CLI](#tab/azure-cli)

+Run the following Azure CLI command to create a service connection to the Azure storage account, providing the following information:

+```azurecli

+az aks connection create storage-blob \

+ --workload-identity <user-identity-resource-id>

+```

+Provide the following information as prompted:

+* **Source compute service resource group name:** the resource group name of the AKS cluster.

+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.

+* **Target service resource group name:** the resource group name of the Azure storage account.

+* **Storage account name:** the Azure storage account that is connected.

+* **User-assigned identity subscription ID:** the subscription ID of the user-assigned identity used to create workload identity.

+* **User-assigned identity client ID:** the client ID of the user-assigned identity used to create workload identity.

+## Clone sample application

+1. Clone the sample repository:

+ ```Bash

+ git clone https://github.com/Azure-Samples/serviceconnector-aks-samples.git

+ ```

+1. Go to the repository's sample folder for Azure storage:

+ ```Bash

+ cd serviceconnector-aks-samples/azure-storage-workload-identity

+ ```

+## Build and push container image

+1. Build and push the images to your container registry using the Azure CLI [`az acr build`](/cli/azure/acr#az_acr_build) command.

+```azurecli

+az acr build --registry <MyRegistry> --image sc-demo-storage-identity:latest ./

+```

+1. View the images in your container registry using the [`az acr repository list`](/cli/azure/acr/repository#az_acr_repository_list) command.

+```azurecli

+az acr repository list --name <MyRegistry> --output table

+```

+## Run application and test connection

+1. Replace the placeholders in the `pod.yaml` file in the `azure-storage-identity` folder.

+ * Replace `<YourContainerImage>` with the image name we build in last step, for example, `<MyRegistry>.azurecr.io/sc-demo-storage-identity:latest`.

+ * Replace `<ServiceAccountCreatedByServiceConnector>` with the service account created by Service Connector after the connection creation. You may check the service account name in the Azure portal of Service Connector.

+ * Replace `<SecretCreatedByServiceConnector>` with the secret created by Service Connector after the connection creation. You may check the secret name in the Azure portal of Service Connector.

+1. Deploy the pod to your cluster with `kubectl apply` command. Install `kubectl` locally using the [az aks install-cli](/cli/azure/aks#az_aks_install_cli) command if it isn't installed. The command creates a pod named `sc-demo-storage-identity` in the default namespace of your AKS cluster.

+ ```Bash

+ kubectl apply -f pod.yaml

+ ```

+1. Check the deployment is successful by viewing the pod with `kubectl`.

+ ```Bash

+ kubectl get pod/sc-demo-storage-identity.

+ ```

+1. Check connection is established by viewing the logs with `kubectl`.

+ ```Bash

+ kubectl logs pod/sc-demo-storage-identity

+ ```

+## Clean up resources

+If you don't need to reuse the resources you've created in this tutorial, delete all the resources you created by deleting your resource group.

+```azurecli

+az group delete \

+ --resource-group MyResourceGroup

+```

+## Next steps

+Read the following articles to learn more about Service Connector concepts and how it helps AKS connect to services.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+> [!div class="nextstepaction"]

+> [Use Service Connector to connect an AKS cluster to other cloud services](./how-to-use-service-connector-in-aks.md)

+# Quickstart: Build your first static site with Azure Static Web Apps

+1. Select <kbd>F1</kbd> to open the Visual Studio Code command palette.

+1. Enter **Create static web app** in the command box.

+1. Select *Azure Static Web Apps: Create static web app...*.

+1. Select your Azure subscription.

+1. Enter **my-first-static-web-app** for the application name.

+1. Select the region closest to you.

+1. Enter the settings values that match your framework choice.

+ | Framework | Select **Custom** |

+ | Location of application code | Enter `/src` |

+ | Build location | Enter `/src` |

+ | Framework | Select **Angular** |

+ | Location of application code | Enter `/` |

+ | Build location | Enter `dist/angular-basic` |

+ | Framework | Select **Blazor** |

+ | Location of application code | Enter `Client` |

+ | Build location | Enter `wwwroot` |

+ | Framework | Select **React** |

+ | Location of application code | Enter `/` |

+ | Build location | Enter `build` |

+ | Framework | Select **Vue.js** |

+ | Location of application code | Enter `/` |

+ | Build location | Enter `dist` |

+1. Once the app is created, a confirmation notification is shown in Visual Studio Code.

+ If GitHub presents you with a button labeled **Enable Actions on this repository**, select the button to allow the build action to run on your repository.

+1. To view the website in the browser, right-click the project in the Static Web Apps extension, and select **Browse Site**.

+Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, `environment`, and `principal` attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW.

+The following table shows the current status of ABAC by storage resource type and attribute type. Exceptions for specific attributes are also shown.

+| Resource types | Attribute types | Attributes | Availability |

+|||||

+| Blobs<br/>Data Lake Storage Gen2<br/>Queues | Request<br/>Resource<br/>Environment<br/>Principal | All attributes except those noted in this table | GA |

+| Data Lake Storage Gen2 | Resource | [Snapshot](storage-auth-abac-attributes.md#snapshot) | Preview |

+| Blobs<br/>Data Lake Storage Gen2 | Resource | [Container metadata](storage-auth-abac-attributes.md#container-metadata) | Preview |

+| Blobs | Request | [List blob include](storage-auth-abac-attributes.md#list-blob-include) | Preview |

+See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+> - [List blob include](storage-auth-abac-attributes.md#list-blob-include)

+[Distributed File Systems Namespaces](/windows-server/storage/dfs-namespaces/dfs-overview), commonly referred to as DFS Namespaces or DFS-N, is a Windows Server server role that's widely used to simplify the deployment and maintenance of SMB file shares in production. DFS Namespaces is a storage namespace virtualization technology, which means that it enables you to provide a layer of indirection between the UNC path of your file shares and the actual file shares themselves. DFS Namespaces works with SMB file shares, agnostic of where those file shares are hosted. It can be used with SMB shares hosted on an on-premises Windows File Server with or without Azure File Sync, Azure file shares directly, SMB file shares hosted in Azure NetApp Files or other third-party offerings, and even with file shares hosted in other clouds.

+You can see an example of how to use DFS Namespaces with your Azure Files deployment in the following video overview. Note that Azure Active Directory is now Microsoft Entra ID. For more information, see [New name for Azure AD](https://aka.ms/azureadnewname).

+If you already have a DFS Namespace in place, no special steps are required to use it with Azure Files and File Sync. If you're accessing your Azure file share from on-premises, normal networking considerations apply. See [Azure Files networking considerations](./storage-files-networking-overview.md) for more information.

+- **Domain-based namespace**: A namespace hosted as part of your Windows Server AD domain. Namespaces hosted as part of AD will have a UNC path containing the name of your domain, for example, `\\contoso.com\shares\myshare`, if your domain is `contoso.com`. Domain-based namespaces support larger scale limits and built-in redundancy through AD. Domain-based namespaces can't be a clustered resource on a failover cluster.

+- An SMB file share hosted in a domain-joined environment, such as an Azure file share hosted within a domain-joined storage account, or a file share hosted on a domain-joined Windows File Server using Azure File Sync. For more on domain-joining your storage account, see [Identity-based authentication](storage-files-active-directory-overview.md). Windows File Servers are domain-joined the same way regardless of whether you're using Azure File Sync.

+- The SMB file shares you want to use with DFS Namespaces must be reachable from your on-premises networks. This is primarily a concern for Azure file shares, however, it technically applies to any file share hosted in the cloud. For more information, see [Networking considerations for direct access](storage-files-networking-overview.md).

+If you're already using DFS Namespaces, or wish to set up DFS Namespaces on your domain controller, you may safely skip these steps.

+To install the DFS Namespaces server role, open the Server Manager on your server. Select **Manage**, and then select **Add Roles and Features**. The resulting wizard guides you through the installation of the necessary Windows components to run and manage DFS Namespaces.

+In the **Installation Type** section of the installation wizard, select the **Role-based or feature-based installation** radio button and select **Next**. On the **Server Selection** section, select the desired server(s) on which you want to install the DFS Namespaces server role, and select **Next**.

+In the **Server Roles** section, select and check the **DFS Namespaces** role from role list. You can find this under **File and Storage Services** > **File and ISCSI Services**. When you select the DFS Namespaces server role, it might also add any required supporting server roles or features that you don't already have installed.

+An important use for DFS Namespaces is to take over an existing server name for the purposes of refactoring the physical layout of the file shares. For example, you may wish to consolidate file shares from multiple old file servers together on a single file server during a modernization migration. Traditionally, end-user familiarity and document-linking limit your ability to consolidate file shares from disparate file servers together on one host. However, the DFS Namespaces root consolidation feature allows you to stand up a single server to multiple server names and route to the appropriate share name.

+Although useful for various data center migration scenarios, root consolidation is especially useful for adopting cloud-native Azure file shares because:

+- Azure file shares must be accessed via the fully qualified domain name (FQDN) of the storage account. For example, an Azure file share called `share` in storage account `storageaccount` is always accessed through the `\\storageaccount.file.core.windows.net\share` UNC path. This can be confusing to end users who expect a short name (ex. `\\MyServer\share`) or a name that is a subdomain of the organization's domain name (for example `\\MyServer.contoso.com\share`).

+Root consolidation may only be used with standalone namespaces. If you already have an existing domain-based namespace for your file shares, you don't need to create a root consolidated namespace.

+Enable root consolidation by setting the following registry keys from an elevated PowerShell session (or using PowerShell remoting).

+In order for DFS Namespaces to respond to existing file server names, create alias (CNAME) records for your existing file servers that point at the DFS Namespaces server name. The exact procedure for updating your DNS records may depend on what servers your organization is using and if your organization is using custom tooling to automate the management of DNS. The following steps are for the DNS server included with Windows Server and automatically used by Windows AD.

+On a Windows DNS server, open the DNS management console. You can find this by selecting the **Start** button and typing **DNS**. Navigate to the forward lookup zone for your domain. For example, if your domain is `contoso.com`, the forward lookup zone can be found under **Forward Lookup Zones** > **`contoso.com`** in the management console. The exact hierarchy shown in this dialog depends on the DNS configuration for your network.

+The basic unit of management for DFS Namespaces is the namespace. The namespace root, or name, is the starting point of the namespace, such that in the UNC path `\\contoso.com\Public\`, the namespace root is `Public`.

+If you're using DFS Namespaces to take over an existing server name with root consolidation, the name of the namespace should be the name of server name you want to take over, prepended with the `#` character. For example, if you want to take over an existing server named `MyServer`, you would create a DFS-N namespace called `#MyServer`. The PowerShell section below takes care of prepending the `#`, but if you create via the DFS Management console, you'll need to prepend as appropriate.

+To create a new namespace, open the **DFS Management** console. You can find this by selecting the **Start** button and typing **DFS Management**. The resulting management console has two sections called **Namespaces** and **Replication**, which refer to DFS Namespaces and DFS Replication (DFS-R) respectively. Azure File Sync provides a modern replication and synchronization mechanism that may be used in place of DFS-R if replication is also desired.

+Select the **Namespaces** section, and select the **New Namespace** button (you may also right-click on the **Namespaces** section). The resulting **New Namespace Wizard** walks you through creating a namespace.

+The first section in the wizard requires you to pick the DFS Namespace server to host the namespace. Multiple servers can host a namespace, but you'll need to set up DFS Namespaces with one server at a time. Enter the name of the desired DFS Namespace server and select **Next**. In the **Namespace Name and Settings** section, enter the desired name of your namespace and select **Next**.

+The **Namespace Type** section allows you to choose between a **Domain-based namespace** and a **Stand-alone namespace**. If you intend to use DFS Namespaces to preserve an existing file server/NAS device name, you should select the standalone namespace option. For any other scenario, select a domain-based namespace. Refer to [namespace types](#namespace-types) for more information on choosing between namespace types.

+You can think of DFS Namespaces folders as analogous to file shares.

+In the textbox labeled **Name** provide the name of the folder. Select **Add...** to add folder targets for this folder. The resulting **Add Folder Target** dialog provides a textbox labeled **Path to folder target** where you can provide the UNC path to the desired folder. Select **OK** on the **Add Folder Target** dialog. If you are adding a UNC path to an Azure file share, you might receive a message reporting that the server `storageaccount.file.core.windows.net` can't be contacted. This is expected; select **Yes** to continue. Finally, select **OK** on the **New Folder** dialog to create the folder and folder targets.

+Now that you've created a namespace, a folder, and a folder target, you should be able to mount your file share through DFS Namespaces. If you're using a domain-based namespace, the full path for your share should be `\\<domain-name>\<namespace>\<share>`. If you are using a standalone namespace, the full path for your share should be `\\<DFS-server>\<namespace>\<share>`. If you're using a standalone namespace with root consolidation, you can access directly through your old server name, such as `\\<old-server>\<share>`.

+To help you set up identity-based authentication for some common use cases, we published two videos with step-by-step guidance for the following scenarios. Note that Azure Active Directory is now Microsoft Entra ID. For more info, see [New name for Azure AD](https://aka.ms/azureadnewname).

+> If you're returning to this article, use the navigation on the right side to jump to the migration phase where you left off.

+ The video references dedicated documentation for the following topics. Note that Azure Active Directory is now Microsoft Entra ID. For more information, see [New name for Azure AD](https://aka.ms/azureadnewname).

+ The video references dedicated documentation for the following topics. Note that Azure Active Directory is now Microsoft Entra ID. For more information, see [New name for Azure AD](https://aka.ms/azureadnewname).

+We recommend reading [Planning for an Azure Files deployment](storage-files-planning.md) prior to reading this guide.

+Directly accessing an Azure file share often requires additional thought with respect to networking:

+Configuring public and private endpoints for Azure Files is done on the top-level management object for Azure Files, the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple Azure file shares, as well as the storage resources for other Azure storage services, such as blob containers or queues.

+ This video is a guide and demo for how to securely expose Azure file shares directly to information workers and apps in five simple steps. The sections below provide links and additional context to the documentation referenced in the video. Note that Azure Active Directory is now Microsoft Entra ID. For more information, see [New name for Azure AD](https://aka.ms/azureadnewname).

+- SMB file shares are accessible from anywhere in the world via the storage account's public endpoint with SMB 3.x with encryption. This means that authenticated requests, such as requests authorized by a user's logon identity, can originate securely from inside or outside of the Azure region. If SMB 2.1 or SMB 3.x without encryption is desired, two conditions must be met:

+In addition to the default public endpoint for a storage account, Azure Files provides the option to have one or more private endpoints. A private endpoint is an endpoint that is only accessible within an Azure virtual network. When you create a private endpoint for your storage account, your storage account gets a private IP address from within the address space of your virtual network, much like how an on-premises file server or NAS device receives an IP address within the dedicated address space of your on-premises network.

+> [!NOTE]

+> [!NOTE]

+> This article uses the storage account DNS suffix for the Azure Public regions, `core.windows.net`. This commentary also applies to Azure Sovereign clouds such as the Azure US Government cloud and the Microsoft Azure operated by 21Vianet cloud - just substitute the appropriate suffixes for your environment.

+The Trusting Signing service has a few Trusted Signing specific roles (in addition to the standard Azure roles). Use [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) to assign user and group roles for the Trusted Signing specific roles. In this tutorial, you review the different Trusted Signing supported roles and assign roles to your Trusted Signing account on the Azure portal.

+3. To assign these roles, select on the **Add** drop down and select **Add role assignment**. Follow the [Assign roles in Azure](../role-based-access-control/role-assignments-portal.md) guide to assign the relevant roles to your identities.

+* [What is Azure role-based access control (RBAC)?](../role-based-access-control/overview.md)

+Azure Backup enabled support on Azure VMs using Ultra Disks and Premium SSD v2 that offers high throughput, high IOPS, and low latency. Azure VM Backup support allows you to ensure business continuity for your virtual machines and to recover from any disasters or ransomware attacks. Enabling backup on VMs using Ultra Disks and Premium SSD v2 is available in all regions where creation of Ultra disks and Premium SSD v2 are supported. To learn more, refer to the [documentation](../backup/backup-support-matrix-iaas.md#vm-storage-support) and enable backup on your Azure VMs.

+[HBv4-series](hbv4-series.md) VMs are optimized for various HPC workloads such as computational fluid dynamics, finite element analysis, frontend , rendering, molecular dynamics, computational geoscience, weather simulation, and financial risk analysis. HBv4 VMs feature up to 176 AMD EPYCΓäó 9V33X (GenoaX) CPU cores with AMD's 3D-V Cache, 768 GB of RAM, and no simultaneous multithreading. HBv4-series VMs also provide 780 GB/s of DDR5 memory bandwidth and 2304 MB L3 cache per VM, to 12 GB/s (reads) and 7 GB/s (writes) of block device SSD performance, and clock frequencies up to 3.7 GHz.

+[HBv3-series](hbv3-series.md) VMs are optimized for HPC applications such as fluid dynamics, explicit and implicit finite element analysis, weather modeling, seismic processing, reservoir simulation, and RTL simulation. HBv3 VMs feature up to 120 AMD EPYCΓäó 7003-series (MilanX) CPU cores, 448 GB of RAM, and no hyperthreading. HBv3-series VMs also provide 350 GB/sec of memory bandwidth, up to 32 MB of L3 cache per core, up to 7 GB/s of block device SSD performance, and clock frequencies up to 3.5 GHz.

+[HX-series](hx-series.md) VMs are optimized for workloads that require significant memory capacity with twice the memory capacity as HBv4. For example, workloads such as silicon design can use HX-series VMs to enable EDA customers targeting the most advanced manufacturing processes to run their most memory-intensive workloads. HX VMs feature up to 176 AMD EPYCΓäó 9V33X (GenoaX) CPU cores, 1408 GB of RAM, and no simultaneous multithreading. HX-series VMs also provide 780 GB/s of DDR5 memory bandwidth and 2304 MB L3 cache per VM, up to 12 GB/s (reads) and 7 GB/s (writes) of block device SSD performance, and clock frequencies up to 3.7 GHz.

+Azure Files backup storage can scale up to 100 (TiB), with support for LRS, GRS, and GZRS redundancy options.

+Examples of explicit outbound connectivity for virtual machines are:

+| **PowerPlatformPlex** | This tag represents the IP addresses used by the infrastructure to host Power Platform extension execution on behalf of the customer. | Both | Yes | Yes |

+ 1. Add a static route to the virtual hub's route table with next hop Virtual Network Connection. Existing routes in the route table are preserved with the following sample script.

+ $routeTable = Get-AzVHubRouteTable -ResourceGroupName "[Resource group name]" -VirtualHubName "[Virtual hub name]" -Name "defaultRouteTable"

+ $routeTable.Routes.add($Route2)

+ 1. Verify the route table has the new routes:

+ ```azurepowershell-interactive

+ $routeTable.Routes

+ ```

+

+ ```azurepowershell-interactive

+ Update-AzVHubRouteTable -ResourceGroupName "[resource group name]"-VirtualHubName [ΓÇ£Hub NameΓÇ¥] -Name "defaultRouteTable" -Route @($routeTable.Routes)

+ ```

+ 1. Update the route in the virtual network connection to specify the next hop as an IP address. This sample script adds a new route to the VNET connection (preserving any existing routes).

+ ```azurepowershell-interactive

+ $hubVNetConnection.RoutingConfiguration.VnetRoutes.StaticRoutes.add($newroute)

+ Update-AzVirtualHubVnetConnection -ResourceGroupName $rgname -VirtualHubName "[Hub Name]" -Name "[Virtual hub connection name]" -RoutingConfiguration $hubVNetConnection.RoutingConfiguration

+ ```

+| **Tunnel Flow Count** | Number of distinct 3-tuple (protocol, local IP address, remote IP address) flows created per link connection.|

+* VPN gateway - migrating your existing virtual network gateways to zone-redundant or zonal gateways is currently not supported. You can, however, delete your existing gateway and re-create a zone-redundant or zonal gateway.

+* ExpressRoute gateway - migrating your existing ExpressRoute virtual network gateway to a zone-redundant or zonal gateway is currently in public preview. For more information, see [Migrate to an availability zone enabled ExpressRoute virtual network gateway](../expressroute/gateway-migration.md).